Last update on 15/02/2022
This Privacy Statement describes how CYPRUS INTERNATION INSTITUTE OF MANAGEMENT LIMITED (hereafter “CIIM”), collects, uses, and discloses certain personal information obtained through our public website https://www.ciim.ac.cy. This Privacy Statement does not refer to data collection through other sources such as in-person seminars or a manager’s personal contacts.
Who we are?
CYPRUS INTERNATIONAL INSTITUTES OF MANAGEMENT (hereafter “CIIM”) are international business schools, established in 1990 by a group of business leaders and a team of prominent academics representing some of the world’s top business schools. Both schools, (one in Nicosia and one in Limassol), are operated by CIIM Innovations Ltd, a limited liability company, incorporated under the Companies Law of the Republic of Cyprus, Cap. 113, under the given registration number HE 414490. It was incorporated in 2020, having as main activities various aspects of the education industry.
How we collect/obtain your information?
- Directly from you and/or
- Through third parties and/or
- Through this website
Information Collection and Use:
In general, you can visit CIIM Web Site maintaining your anonymity. However, occasionally CIIM may ask you to provide personally identifiable information, such as your name, company, e-mail address, phone number and address (“Personal Information”). The purpose of requesting such information/data may involve, corresponding with and/or contacting you, responding to your requests, or informing you about an optional subscription to a newsletter or publication, or notifying you about events. Where applicable, we will differentiate between personal data fields that are optional and those that are mandatory in order for you to obtain the requested information.
Categories of Personal Information we collect:
- information you provide to the institute by filling in the forms we initially requested from you
- information you provide to the institute when you submit your consent or when you report a problem through the Website
- information provided by you (including email addresses) in case you contact us
Purpose of the prosses and/or use of your Personal Information:
- to provide you with our services – in order to provide you with a service requested by you, we might need to use your personal information;
- to enable you to access and use the Site;
- to provide you any services which you have requested through use of the Site;
- for customer management purposes – to provide you with the customer support including any notice, for example changes about any service we offer;
- compliance- in order to comply with our legal obligations;
- in the context of our business and/or academic relationship;
- advertising – in case you have provide us with a consent, we may communicate with you in order to inform you about services and/or products offered by us or other third parties for which you might be interested. security purposes – in order to detect and/or prevent to actual or potential fraud, illegal activities, or any intellectual property infringement.
NOTE: You will be receiving advertising materials from CIIM, only if you have provided your explicit consent. In the case you feel that you need to revoke this consent, you will be provided with an automated way to opt out (unsubscribe) from that particular communication or from all marketing e-mails sent by CIIM. Please follow the instructions on the e-mail you received to do so. In the unlikely case that you have received unwanted e-mail from our Company, please forward a copy of that e-mail to our Data Protection Officer, to email@example.com
We may share Personal Information among our affiliates for purposes of responding to your requests or otherwise as necessary for the purposes described above.
We may also in limited circumstances share Personal Information with government authorities or others, as this is required in order to protect the interests of CIIM or others, as necessary in connection with the sale or transfer of all or a portion of the business. It may be required by the applicable law or court order. The Individual’s consent will be requested upon establishing the business relationship.
By consenting to supply CIIM with personally identifiable data, such as your name, address, email address and passport details, CIIM will not, in any way, directly or indirectly, sell or transfer any of this information to any third party. Any information supplied will be confidential and will be handled in accordance with the applicable laws and regulation.
Please note that if you reply to CIIM address in one of our advertising e-mails or otherwise correspond with us, your communication will not create a relationship with us. Do not send us any information that you or anyone else considers to be confidential or secret unless we have first agreed to be your service providers in that matter. Any information you send us before we agree to be your service providers cannot be protected from disclosure as a means of company-client confidentiality.
List of recipients we might disclose information
- Affiliate companies – service providers (Law and Accounting Firms for legal, book-keeping and audit purposes).
- Third parties such as Governmental Institutions, Career Promotion Organizations, authorities, agents and administrative personnel in various countries (Tax Authorities, Bank Institutions etc.)
- Legal Successors– we might disclose personal information to a buyer or a successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or sale or transfer of some or all of our assets
Transfer of the data in countries out of the European Economic Area
Unless you, as an individual, have specifically consented to the transfer, we will only transfer personal data outside the European Economic Area (EEA) where:
- we transfer the data to a country or international organisation which the EU Commission has decided ensures an adequate level of protection for your personal data;
- the transfer of your personal data is subject to adequate safeguards, which may include binding corporate rules or standard data protection clauses adopted by the EU Commission; or
- one of the derogations in the GDPR to transfer personal data outside the EEA applies.
Provisions for Individuals that are outside the EU.
CIIM always seeks to comply with the privacy provisions and procedures as these are set out, pursuant to the Russia’s 2006 privacy law – Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (Personal Data Law), managing and maintaining personal information in the course of its Russian business, which has been amended in December 2020 pursuant to Federal Law of 30 December 2020 No. 519-FZ on Amendments to the Federal Law on Personal Data and various regulatory acts adopted to implement the DPA as well as other laws, including the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006 establishing basic rules as to the information in general and its protection.
In Hong Kong, the main legislation on data protection is the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance). The Ordinance regulates the collection, use and handling of personal data and is based around a set of data protection principles. The Ordinance was enacted in 1996 in response to Directive 95/46/EC (Data Protection Directive). The Ordinance covers much of the same ground as the Data Protection Directive, although with some significant limitations. The Ordinance underwent major reform in 2012, primarily to add specific provisions and restrictions against the use and provision of personal data in direct marketing. Further amendments to the PDPO were introduced in 2021, pursuant to the Personal Data (Privacy) (Amendment) Ordinance 2021 (‘2021 Amendment Ordinance’), which took effect on 8 October 2021. The purpose of these amendments was, primarily, to address the acts of disclosing personal data without consent, i.e., ‘doxing’.
In China, the main legislations on data protection are two laws, which both dealing with data security and privacy and they came into force in the fall of. These two laws — the Data Security Law and the Personal Information Protection Law — provide more specificity about the data localization, data export and data protection requirements that first appeared in the Chinese Cybersecurity Law in 2017. The Personal Information Protection Law (PIPL) is China’s first comprehensive legislation regulating the protection of personal information, and is modelled after the European Union’s General Data Protection Regulation.
The Data Security Law (DSL) sets up a framework that classifies data collected and stored in China based on its potential impact on Chinese national security and regulates its storage and transfer depending on the data’s classification level. The law is generally seen as a response to the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which gives U.S. law enforcement agencies the authority to compel companies falling under U.S. jurisdiction to produce requested data regardless of where the data is stored.
The United Kingdom withdrew from the European Union on 31 January 2020. Prior to the withdrawal and during the transition period, the legislative framework on the protection of personal data in the United Kingdom consisted of the relevant EU legislation (in particular Regulation (EU) 2016/679 and Directive (EU) 2016/680 of the European Parliament and of the Council15) and national legislation, in particular the Data Protection Act 2018 (DPA 2018)16which provided national rules, where allowed by Regulation (EU) 2016/679, specifying and restricting the application of the rules of Regulation (EU) 2016/679 and transposed Directive(EU) 2016/680.
In India, the main legislation on data protection is The Personal Data Protection Bill, which was enacted in 2019, in order to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith.
On 16 December 2021 the JPC submitted its report along with a draft Data Protection Bill, 2021 (New Bill) to the Parliament of India.
The New Bill is expected to be passed into Indian law later this year by the Parliament.
The previous iteration of the New Bill was modelled primarily along the lines of its European Union counterpart, the General Data Protection Regulation (GDPR). However, the New Bill is different from GDPR in material respects and is broader in scope than GDPR, for example it includes non-personal data, regulations on social media platforms, and data localisation.
The Bill is now likely to be passed by Parliament in its next session, beginning in February 2022, and likely will enter into force in the first half of 2022.
CIIM will update this statement upon any new announcement.
Legal bases for the Collection, process, disclosure and use of Personal Information
The collection, disclosure, process and transfer of personal data must meet the below circumstances, which are used in order to establish our legal basis:
- it is necessary in order for us to perform a contract between the individual and the Institute;
- it is necessary in order for us to take measures to enter into a contract with the individual where it has requested us to do so;
- it is necessary for us to establish, exercise or defend legal claims;
- it is necessary for us to be compliant with our legal obligations or
- if none of the conditions listed above apply, the individual has explicitly consented to the overseas transfer.
How long do we store information about you for?
CIIM is obliged by the Tax Authorities to keep the data up to 7 years after the ceasing of the business relationship. Although, there are cases in which when the relationship with the client arises, a gap of a long timeframe intrudes. These circumstances require that CIIM stores the data for as long as it is needed to. CIIM wishes to make clear that if a relationship does not arise and/or it arose only once, and for a long time it never had been assigned tasks from the client and/or the student, then CIIM will store these data for 7 years (as the obligation by the Tax Law requires, independently of the fact that the relationship was not ceased written or verbally). Upon termination of the period of 7 years, CIIM will destruct the related data as our legal obligation will not be valid anymore.
We follow a data retention policy, depending on the activity for which the data have been collected. The retention policy determines the retention time of each data and when to destroy information that is no longer needed for legal, regulatory or commercial reasons.
However, this may be longer in some instances, for example when dealing with a claim we may need to hold the information for a period of time relevant to the one the claim is being handled. Furthermore, for academic purposes and in order for us to be able to print and certify transcripts validity and/or issue certificates, we may keep your data for up to 50 years.
For other jurisdictions we will be subject to the requirements of the relevant jurisdiction in question and this may not always reflect those of the Republic of Cyprus.
Overall, the criteria used to establish the period for which personal data will be stored is determined by regulatory or legal requirements. This is also supported by CIIM Data Protection Policy that such information must not be kept for any longer than necessary to fulfil the purposes for which it was collected.
Security of Personal Information:
CIIM takes appropriate security measures to ensure the protection of the Personal Information from any unauthorised access or disclosure. In addition, all employees had been trained on how to use, handle and process personal data, according to the provisions of Personal Data Law. Furthermore, CIIM has upgraded technical measures and has transformed the policies and procedures in order to comply with the General Data Protection Regulation.
Access and Correction
If you wish to access or update the Personal Information you submitted using CIIM website, or to make any inquiries about the processing of your information, please contact us. We provide individuals with access to their Personal Information as required by applicable data protection and privacy laws. In addition, please see below our Data Protection Officer’s contact details.
The Individuals have the following rights:
- Right of access – request access to any personal data we hold about them;
- Right of rectification -have any personal data which we hold about them which is inaccurate or incomplete rectified;
- Right to be forgotten – have personal data erased;
- Right to restriction of processing – have the processing of individual’s personal data restricted;
- Right of portability – To be provided with the personal data that the individual has supplied to us in a portable format that can be transmitted to another organisation without hindrance;
- Right to object – object to certain types of processing, including processing based on legitimate interests, automated processing (which includes profiling) and processing for direct marketing purposes; and
- Right to object to automated processing, including profiling -not be subject to a decision that is based solely on automated processing which produces a legal effect or which has a similar significant effect for the individual.
If the individual wishes to exercise any of the rights set out above, he/she must make the request in writing to the Data Protection Officer, at firstname.lastname@example.org. Please note some of these rights are restricted in some circumstances.
If the individual has provided his/her consent to any of the processing of his/her personal data, he/she has the right to withdraw his/her consent to that processing at any time, where relevant. He/she must contact the Data Protection Officer if he/she wishes to do so.
If he/she objects to processing based on legitimate interests, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds for the processing which override his/her interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.
Online Teaching and Learning
If need further information regarding the processing of the personal data in the courses of Distance Learning programs of study and online examinations, you can read the relevant policy AUDIO & VIDEO RECORDING POLICY..
How you can petition for complaints
It is very important the principles of privacy to be followed and we should take all the appropriate measures to avoid any breach or loss of these data.
We ensure that the personal data you disclosed to us, are saved in a platform which is protected with additional security factors.
Any breach of the GDPR and/or other relevant Data Protection Acts will be taken seriously and if you consider that the data protection principles have not been followed in respect of personal data about yourself or others you have the right to lodge a complaint with the relevant data protection supervisory authority.
Our Protection Supervisory Authority is the Personal Data Protection Bureau (Independent Supervisory Authority for the Protection of Individuals). If you have any issues with our processing of your personal data and would like to make a complaint, you may contact the Personal Data Protection Bureau on (+357) 22 818 456 or at 1 Iasonos, 1082 Nicosia, Cyprus.
Data Protection Officer
CIIM has assigned ARETI CHARIDEMOU & ASSOCIATES L.L.C as the personal Protection Officer. Please see below the contact details.
Areti Charidemou & Associates LLC – Law Firm
21 Vasili Michailidi Street | 3026 Limassol – Cyprus
Postal Address: PO Box 54708 | CY-3727 | Cyprus
D: +357 25 50 82 19| T: +357 25 50 80 00 | F: +357 25 50 80 90