1.1 Who are we:
CDMA Services LTD, a managed Information technology (IT) and Information Security (IS) services provider, was founded in March 2011 by a passionate team of professionals, to meet all expectations of their customers. The company’s mission is to protect and enhance the value of your business by building, maintaining and strengthening the structure of your organization. To achieve that, CDMA Services LTD offers a variety of consultancy, professional and managed services, which include voice, networking and security solutions.
Under the EU’s General Data Protection Regulation (GDPR) the following are defined:
2.1 Personal data
It means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State Law.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
3. Personal Data and Information collected:
3.1 The Personal Data and Information CDMA collects (as the data controller) about you and the way it is collected may vary according to the products and services you use and you have purchased, the relationship you have with us even if you are not a customer and the type of information we have gained from a third party on condition of consensus to share it with us (hereinafter referred to as “Cooperation”).
3.2 In the course of our collaboration, you may be requested to provide CDMA with any personally identifiable data (“Personal Data”) to be kept and submitted by CDMA, such as:
- Name, address, phone number, email address and contact number.
- Billing data and account data, such as billing address, credit or debit card information, bank account number and sort code or other banking information, the invoices issued regarding your services including dates of payment owed and received or any other information related to your account.
- Calling Data (called and calling number, date, time and period of a call). CDMA does not maintain or monitor the content of your telephone conversations.
- Network data, such as IP addresses and MAC addresses.
- Your access codes, which are given by CDMA during the provision of services.
- The level of service you receive, e.g. premium etc.
- The date, time and length of your internet browsing, and your approximate location at the time of browsing.
- Our conversations, such as recording of phone calls with our contact points, letters by e-mail or by mail and any other way of communication.
- We also receive information regarding the use of our products and services, such as:
- The level of services you receive, e.g. network faults and other events that may affect service delivery.
- Information about using a specific product or service that we provide or manage on your behalf, such as applications and processes running, alarms for visiting a restricted website etc.
4. CDMA collects Personal Data and Information in the following ways:
4.1 On a personal basis, during the performance of a contract or during the process of examining a candidate customer’s or employee’s application for the provision of our services and products and for hiring respectively.
4.2 By telephone or in person in our offices during the communication between the candidate customer or employee and CDMA’s employees.
4.3 Through the use of our website and other electronic programmes and social media.
4.4 By post or electronic mail.
4.5 By our remote management and ticketing systems and applications used for providing support services.
4.6 By completing any questionnaires and/or documents, for review and analysis purposes aiming at the improvement of our services.
4.7 By third parties and Public Offices with whom CDMA collaborates.
4.8 When your information is published.
4.9 By signing up for notifications or other services from us.
4.10 By receiving personal information from third parties in other cases permitted by law, such as for exclusion of fraud, bankruptcy register etc.
5. The Personal Data we collect will be used for the following purposes:
5.1 Supply customers goods or services of CDMA.
5.2 Send statements, invoices and payment reminders to customers and collect payments from them.
5.3 Developing, communicating and/or promoting:
- CDMA’s products and services (including discounts, improved services and special promotions that may be of interest to the customer) that are similar to those ordered by the customer, with the use of an automated profiling process.
- Personalised offers and recommendations based on how the customer uses CDMA's products and services, the type of the customer, location information and browsing information, with the use of an automated profiling process.
- Third-party products and services (including offers or discounts), in case the customer has consented to be contacted about these. In order to update the customers with any promotions, news or developments, we communicate with them in the form of calls, fax, post or any form of electronic message (including, but not limited to, SMS, MMS, video, email, or apps), provided that the customer has given his prior written consent to CDMA to receive such information.
5.4 Send email notifications that customers have specifically requested.
5.5 Respond to any questions or tickets raised by the customers and/or interested parties regarding CDMA’s network, products and/or services.
5.6 Detect and prevent any possible fraud or other illegal acts, recover debts or trace those who have outstanding balances with CDMA.
5.7 To comply with our fair use obligations as well as to identify and resolve possible fraudulent use of our networks.
5.8 To protect our network and manage volumes of calls and other possible uses of our network.
5.9 CDMA may process the data that will be necessary for the proper provision of services to customers and for the fulfilment of its obligations to all competent bodies.
6. Processing of Personal Data
6.1 We process personal data of our customers, employees or visitors of our website according to the provisions of the General Data Protection Regulation of the EU (Regulation 2016/679), and from the time-to-time applicable national legislation relevant to the protection of personal data.
6.2 The reasons and purposes of the processing of Personal Data are the following:
- Implementing our contractual obligations and providing services to CDMA’s customers and employees.
- For the protection and security of CDMA’s customers and employees.
- For investigating and reporting any illegal actions.
- For the proper conduct of CDMA’s operations.
- For the effective promotion of CDMA’s operations.
- To protect CDMA’s rights.
6.3 The legal basis for processing the Personal Data and Information:
- For the execution of a contract between the Customer and CDMA or during the process of examining a candidate Customer’s application for the provision of our services and products. E.g. in order for you to make calls from your phones, CDMA has to process the numbers you are calling, so we can establish the call. This allows us to issue your account, based on your personal use. CDMA also needs to carry out credit checks when you apply for a product or service.
- Some of CDMA’s products, such as cloud services, may contractually (through the terms and conditions of the service) give CDMA the right to undertake the storing and/or otherwise the processing of Personal Data related to natural persons on behalf of the business customer and upon the business customer’s written instructions. In such a case the business customer remains the Data Controller of its Personal Data and CDMA acts only as a Processor of this Personal Data. CDMA as a Data Processor is committed to maintaining the confidentiality of this Personal Data subject to the business customers’ instructions, the terms and conditions of the service ordered, and CDMA’s Information Security Management System.
- Complying with any legal obligation, such as accounting and tax audits, under which retention periods are set, and are subject to rigorous internal policies and procedures.
- Protection of CDMA’s legitimate interests, e.g. prevent possible fraud, maintain the security of our network and services, and improve our services. In this case, we make sure that CDMA’s legitimate interest does not exceed your rights. In addition, in some cases, you reserve the right to object to the processing. For more information, see Article 8.
- Customers’, Employees’ or Visitors’ consent, where CDMA cannot rely on one of the above reasons. All of the previously mentioned groups can revoke consent at any time. For more information see Article 8.
7. Protection of Personal Data and Information
7.1 CDMA will not make your Personal Data and Information available to any third party unless permitted or required to do so by the applicable legislation and it shall not sell or transfer any of this information to any third party.
7.2 In case CDMA processes Personal Data for which the Customer’s, Employee’s and/or Visitors’ consent is required, it shall seek their express or written consent.
7.3 In case CDMA processes Personal Information for the processing of which the authorization of the Commissioner of Personal Data Protection is required, such authorization shall be obtained before any processing takes place.
7.4 CDMA sustains solid information security measures and procedures to safeguard customers’, employees’ and visitors’ Personal Data, in line with its legal obligations. A comprehensive approach is considered for information security to effectively ensure the confidentiality, integrity and availability of Personal Data. CDMA has already implemented a corporate Information Security Management System (ISMS) based on international standards ISO 27001 and ISO 27002. The ISMS includes amongst others the implementation of a corporate information security policy and procedures that cover e.g. security governance, document security, information management, operations and communications, personnel security, physical security, access to information systems, incident management etc. It also covers the necessary technical and procedural measures to effectively defend against cyber threats (hackers).
8. Your rights as a data subject
8.1 At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights according to the provisions of the General Data Protection Regulation of the EU (Regulation 2016/679) and the applicable local law on your personal data:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances, you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
- Right of data portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to withdraw consent – you have the right to withdraw your consent at any time, in the event that any processing is based solely on consent received from you. It is noted that any recall does not affect the lawfulness of the processing that was based on your consent before it was withdrawn by you or of any processing done on any other legitimate basis of processing.
- Right to judicial review – in the event that CDMA Services LTD refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in point 8.3 below.
8.2 All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data (data processor).
8.3 In the event that you wish to make a complaint about how your personal data is being processed by CDMA Services LTD (or third parties) or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and CDMA Services LTD’s data protection representatives Data Protection Officer (DPO). CDMA accepts the following forms of ID when information on your personal data is requested: Passport, ID, birth certificate, utility bill (from last 3 months).
9. Transmission of Personal Data
9.1 During the fulfilling of our contracting and legal obligations, CDMA may transfer your data to third parties such as:
- CDMA's Service Providers, external partners and product suppliers. In the event that CDMA has a contractual relationship with a service provider or other partner or supplier providing services and products on behalf of CDMA and therefore has access to your personal data, CDMA does not authorize the partner to use or to disclose your personal data in any other way beyond the provision of its services.
- Public and regulatory authorities to the extent CDMA is obliged by the Law.
- External consultants, such as legal consultants, auditors, accountants and marketing consultants.
- Third parties to promote joint services. Third parties are responsible for implementing the law.
- Third parties with which we collaborate for promotional purposes, e.g. Facebook.
9.3 Mergers and Acquisition: In the event of acquisition from another organization or reorganization, your personal data will be transferred to this organization.
10. Transmission of Personal Data to Third Countries
10.1 In the event that the transmission of your personal data to a third country will be necessary, the processors in third countries are required to comply with the European Data Protection Obligations and provide all appropriate safeguards for the transmission of personal data. The transmission if and when it should take place will be carried out in accordance with the procedure in article 46 of the General Data Protection Regulation of the EU (Regulation 2016/679).
11. Duration of Personal Data Storage (Retention period)
11.1 CDMA will store and process Personal Data for as long as mandated by the Laws of the Republic of Cyprus and/or throughout the validity period of the customer’s contract or employee’s contract.
11.2 In order to determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
11.3 Candidates’ CV and Employees’ CV are stored for a period of six (6) months.
11.4 Customer’s data collected are maintained for the duration of the customer’s contract, for services management purposes, payment purposes, responding to complaints/requests or managing possible security issues.
11.5 Certain Personal Data may be stored after the termination of the customer’s contract according to the provisions of the applicable Cyprus legislation. The following data is not erased:
- Data are maintained for law enforcement purposes when lawfully requested to do so by a Court of law (Law 183(I)/2007).
- Data are maintained for the purposes of taxation legislation (Law 95(I)/2000 and Law 4/1978), which are maintained for a period of seven (7) years.
- Data processed for the purposes of legitimate interest (e.g. an action against a customer), which are maintained until the legitimate purpose is completed.
- Payment information referring to SEPA Direct Debit payments and information referring to the corresponding invoices settled, which shall be maintained for a period of thirteen (13) months as per the SEPA rules.