This Notice is intended to inform volunteers (“you”) about the processing of information that directly or indirectly identifies you (“personal data”, “data”), carried out by the biobank.cy, Center of Excellence in Biobanking and Biomedical Research “Center of Excellence”,”Center”,”we”, “Biobank”). The Center, as the data controller of your personal data, respects your privacy rights and is committed to the protection and security of your personal data.
The processing of your personal data is carried out in a manner consistent with our obligations and your rights under data protection law, including the European General Data Protection Regulation 2016/679 (“GDPR”) and the Cypriot Data Protection legislation L.125(I)2018.
Personal Data we process
The Center processes the following categories of personal data when necessary for specific purposes:
- Identity and contact details such as name, address, email, phone, date of birth
- Biological samples and medical history concerning you or (if necessary) your relatives
- Information about any inquiries or complaints
- Information about your marital status, relatives, dependents
- Information about your physical and/or psychological condition, including any disability, allergy, or food choice or disorder for which the Center should make reasonable adjustments
Why we process your personal data
In order to be able to process your personal data, we first ensure that the processing is based on at least one of the following legal bases (as applicable in each case) in accordance with Articles 6 and 9 of the GDPR:
- You have given specific and informed consent, for the processing of your data (e.g. collection of your explicit consent in the context of your participation in a research study)
- The processing is necessary for the purpose of enforcing an agreement between the Center and you
- The processing is necessary for the purposes of compliance of the Center with legal, regulatory or other obligations (e.g. compliance with existing legislation or regulations governing the research and work of the Center)
- The processing is necessary in emergency situations in order to safeguard your vital interest
- The processing is necessary for the purpose of pursuing the legitimate interests of the Center or a third party, provided that your interests and rights do not override the interests of the Center (e.g. for the purpose of initiating legal proceedings or supporting legal claims, or in case of retention of necessary data in the consent form or withdrawal form for the purposes of archiving, accountability and ensuring the integrity of the Centre’s procedures)
Processing special categories of data
Due to the nature of the work and the research carried out by the Center, special categories of data are being processed, which mainly concern health data (e.g. biological/genetic material). This type of data processing is carried out only with the explicit consent of the volunteers which is collected through a consent form for participation as a volunteer in the Biobank or in a specific research project. Such processing shall also be justified for the purposes of scientific research in accordance with Article 9 (2) (j) and 89 (1) of the GDPR.
Disclosure of data
The Center discloses your personal data to various categories of recipients, including the following, where necessary to comply with the Center’s legal or regulatory obligations under the Center’s terms and conditions, or where appropriate and proportionate for the pursuit of the legitimate interests of the Center:
- Ministry of Health
- State Health Services Organisation (SHSO, ΟΚΥπΥ)
- External medical centers/hospitals/universities/research centers (e.g. in case of a specific research project in collaboration, on the basis of your consent or in a fully anonymous form)
The Center may also disclose or allow access to or otherwise process your personal data, if necessary, to the Center’s advisors or other service providers, e.g. lawyers, security consultants, auditors, debt collection agencies, etc., on the basis of our legal interest or legal obligation.
In all of the cases referred to above, the Centre aims to anonymize the information where necessary.
There are cases where personal data may be transferred to countries outside the European Economic Area (“EEA”) provided that all necessary measures have been taken during the transfer and that the transfer is made on the basis of the necessary safeguards provided by the GDPR, and the relevant provisions of the Cypriot Legislation 125 (I) 2018. Such cases include any transfer of data to health professionals, researchers at other centers or universities, in Cyprus and abroad. In such cases, the Center shall ensure that data transmissions take place anonymously if the purpose of the transfer can be fulfilled by transmitting information which does not identify natural persons.
The Center is committed to always applying the highest standards of data security to ensure the confidentiality, integrity and availability of the data it processes. This is achieved through appropriate risk assessments and the implementation of response measures to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access to personal data (breaches) which may pose a risk on your rights and freedoms. The Centre seeks the timely identification, detection, investigation and treatment of any incidents of security breach, and the minimization of the consequences.
Our personnel are trained on the duty of confidentiality and their responsibilities regarding the security of volunteer/patient information both on and outside our premises. Access to the Centre’s systems that have the personal data of volunteers/patients is only allowed to authorized personnel.
The impact that the processing may have on your rights and freedoms is always assessed and balanced. Where the risk is high, the Center ensures that it prepares an appropriate Data Protection Impact Assessment in which it documents the risks and takes mitigation measures.
The Center will retain personal data for a period that processing is necessary to pursue the purposes as described in this Notice. Also, the retention period will depend on the legal obligations or guidance of the Office of the Commissioner for the Protection of Personal Data to which the Center may be subject, and which impose retention of data for a specific or minimum period.
- Right to be informed and right to access your data
- Right to rectify or correct inaccurate or incomplete data
- Right to delete your data, especially when the purpose of processing no longer exists, where there is no legal basis for processing or when the processing is unlawful
- Right to restrict processing, e.g. for the purpose of verifying the accuracy of the data
- Right to object to processing, especially when we rely on the legitimate interests of the Center or third parties
- Right to receive data (portability) in a structured, commonly used and readable format and right to transfer to another controller
- The right not to be subject to automated decision-making, including profiling
- Right to withdraw consent in cases where the processing is based on consent
- Right to file a complaint to the Office of the Commissioner for the Protection of Personal Data ([email protected])
These rights are not absolute, they are subject to exceptions and apply only under certain circumstances depending on the legal basis on which we rely in each case.
We will attempt to respond to all valid requests as soon as possible and within thirty (30) days or two additional months if the request is complex or disproportionate.
You can contact the Data Protection Officer (DPO) of the Center for any information via email at [email protected], or by phone at +357 2289 2815, or via the contact form on the website https://biobank.cy/contact-us