Employee Privacy Policy

M.C.T. ENTERPRISES LTD, and its subsidiaries (hereinafter "we", "us", or "our") is committed to protecting the privacy and security of your personal information, and handling your data in an open and transparent manner.

This privacy policy applies to all employees and describes how we collect and use personal information about you during and  after  your  working  relationship  with  us,  in accordance  with  the  EU  General  Data Protection Regulation (‘GDPR’) and local data protection law.

This policy does not form part of any contract of employment or other contract to provide services.   We may update this policy at any time.

 

  • DATA PROTECTION PRINCIPLES

 

In relation to your personal data, we will comply with GDPR and local data protection law and regulations, and thus we will:

  • use it lawfully, fairly and in a transparent way;

 

  • collect and use it only for valid purposes that we have clearly explained to you;
  • collect and use information relevant to the purpose we have told you about and limit it only to those purposes;

 

  • ensure that it is accurate and up-to-date;
  • keep it only for as long as necessary for the purposes communicated to you;

 

  • keep it securely;
  • respect individual privacy.

 

  • PERSONAL DATA WE HOLD ABOUT YOU

 

Personal data, or personal information, means any information about an individual from which that person can be identified.  It does not include data where the identity has been removed (anonymous data).  There are also ‘special categories’ of more sensitive personal data which require a higher level of protection.

We collect, store and use different types of personal data about you. Most common examples include, but are not limited to, the following:

  • Name, gender, home address and telephone number, personal email address, date of birth, marital status and dependents, employee identification number, next of kin and emergency contact information;

 

  • Your CV, previous work experience, professional and other work-related licenses and memberships, permits and certifications held, language and other relevant skills, employment preferences, willingness to relocate, education, transcripts, or other information you provide to us in support of an application and/or the recruitment process;
  • References and interview notes (from any interviews you may have had with us);

 

  • Date of hire, date(s) of promotions(s), work history, location of workplace, job titles, working hours, professional certifications and memberships, training records;
  • Letters of offer and acceptance of employment;

 

  • Nationality and passport information;
  • Social security or other taxpayer/government identification number;

 

  • Payroll records, Company account details and tax status information;
  • Salary, annual leave, other types of absences, pension and benefits information;

 

  • Performance information including performance appraisals;
  • Photographs;

 

  • Disciplinary and grievance information;
  • e-mails, correspondence, documents, and other work product and communications created, stored or transmitted using our networks, applications, devices, computers or communications equipment;

 

  • CCTV footage and other information obtained through electronic means such as swipe card records;
  • Date and reason of resignation or termination, information relating to administering termination of employment.

 

We may also collect, store and use the following ‘special categories’ of more sensitive personal information:

  • Trade union membership;

 

  • Information about your health, including any medical condition, health and sickness records.

We do not require, but you may also voluntarily choose to provide, other relevant information as part of your application. We would prefer that you avoid submitting the following sensitive information, except where such information is legally required, or needed for us to comply with our legal obligations and internal policies relating to diversity and anti-discrimination: sexual orientation, race, ethnic origin, religion, beliefs, disability, marital status, creed, nationality, national origin, color and/or age.

 

  • HOW WE COLLECT YOUR PERSONAL DATA

Employee personal data is collected in a number of ways, including:

  • Directly from the employee through the application and recruitment process;

 

  • From third parties such as recruitment agencies that may administer the employment application process on behalf of the Company or from former employers;
  • Where permitted or required by applicable law or regulatory requirements.

 

We will collect additional personal information in the course of job related activities throughout the period you work for us, e.g. through the use of work equipment such as telephone equipment, company owned devices (mobile phones, tablets) and software (including electronic messaging, e-mail and internet applications).

 

  • WHY WE PROCESS YOUR PERSONAL DATA AND ON WHAT LEGAL BASIS

As mentioned earlier we are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the GDPR and the local data protection law for one or more of the following reasons:

A.   For the performance of a contract

We process personal data in order to perform the employment contract we have entered into with you.

B.   For compliance with a legal obligation

There are a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements, e.g. Social Insurance Contributions Law, Redundancy Law, Income Tax Law. Such obligations and requirements impose on us necessary personal data processing activities such as social security and other tax deductions, providing information to the Human Resources Development Authority etc.

C.   For the purposes of safeguarding legitimate interests

We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. Examples of such processing activities include:

  • Administering the employment contract we have entered into with you;
  • Communicating with clients, agents, service providers, members of the Hotel group of companies, consultants, insurers, underwriters and other third parties with respect to the services provided by and the activities carried out by us;
  • Initiating legal claims and preparing our defense in litigation procedures;
  • Means and processes we undertake to provide for the Company’s IT and system security, preventing
  • potential crime, asset security, admittance controls and anti-trespassing measures;
  • CCTV surveillance, e.g. at secure entrances, for the prevention of crime or fraud;
  • Monitoring of electronic communications/systems and telephone usage in the workplace, e.g.  in case of complaints, to ensure quality of services, fraud detection and prevention (more information with regards to monitoring will be provided in due course).
  • Setting up disaster and emergency management tools and procedures;
  • Determining eligibility for initial employment, including the verification of qualifications;
  • Administering pay and benefits and deducting social security, tax and other contributions;
  • Making decisions about salary reviews and compensation;
  • Processing employee work-related claims (e.g. insurance claims, etc.);
  • Managing requests for leave including sickness absence and ascertaining your ‘fitness to work’ via requested medical exams;
  • Liaising with the provident fund provider and the employees trade union;
  • Establishing education, training and/or development requirements;
  • Conducting performance reviews and determining performance requirements;
  • Complying with health and safety obligations;
  • To ensure network and information security, including preventing unauthorized access to our computer and electronic communication systems and preventing malicious software distribution;
  • Assessing qualifications for a particular job or task including decisions about promotions;
  • Checking if you are legally entitled to work in the Republic of Cyprus;
  • Gathering evidence for disciplinary action, or termination of employment and assessing such evidence in order to take any relevant decisions;
  • Establishing a contact point in the event of an emergency (such as next of kin);
  • Equal opportunities monitoring, and enforcement of employment policies, such as for the purposes of preventing unfair discrimination, sexual or other harassment etc.

 

D.   You have provided your consent

Provided that you have given us your specific consent for processing (other than for the reasons set out hereinabove) then the lawfulness of such processing is based on that consent. You have the right to revoke such consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.

 

  • IF YOU FAIL TO PROVIDE PERSONAL INFORMATION

The main reason for processing your data is to perform the employment contract we have entered into with you. If you do not provide us with the data requested for this purpose, we may be unable to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations e.g. to ensure you get paid, safeguard the health and safety of our employees etc.

 

  • HOW WE USE SENSITIVE INFORMATION AND WHETHER YOUR CONSENT IS REQUIRED

Your sensitive personal data will be used in the following ways:

  • We shall use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with social security, employment and other laws;

 

  • We shall use information on your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence, to evaluate possible care and support initiatives and to administer benefits;
  • We will use trade union membership information to pay trade union premiums and comply with employment law obligations.

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.  In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data.  If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.  You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

 

  • AUTOMATED DECISION MAKING

Automated decision making takes place when an electronic system uses personal data to make a decision without human intervention.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

 

  • SHARING YOUR PERSONAL DATA

M.C.T. ENTERPRISES LTD may disclose/share employee personal data to/with third parties where required by law, where it is necessary to administer the working relationship with you, provide our services, perform our activities or where we have another legitimate interest in doing so.

Such third parties include third-party service providers (including contractors and designated agents, insurers, underwriters), clients, counterparties of M.C.T. ENTERPRISES LTD and other entities within the Group.

The following third-parties are examples of parties which may process personal information about you for the following purposes:

  • Other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and hosting of data;

 

  • Agents or contractors that provide services or products to M.C.T. ENTERPRISES LTD, where such provision of services or products requires the processing of employee personal data;
  • The Deputy Ministry of Tourism in their role as regulators;

 

  • Other authorities where required or permitted by law such as the Human Resources Development Authority, the Tax Department, Social Security Services, the Cyprus courts, etc.;
  • Companies offering quality of performance research activities, remuneration or restructuring consultation and solutions, management and other assessments, training courses;

 

  • Other third parties where necessary to protect the interests of M.C.T. ENTERPRISES LTD and/or its employees, or if there is an emergency situation involving the health & safety of an employee.

How secure is my data with third party service providers and other entities of M.C.T. ENTERPRISES LTD

Our third party service providers (including agents and contractors), as well as other entities of our group are required to take appropriate security measures to protect your personal data in line with our data protection policy. We do not specifically allow third party service providers to use your personal data for their own purposes but only permit them to use your personal data in accordance with our instructions.

 

Transfer of personal data outside the European Union (EU)

We may have to transfer personal data about you to third countries outside the EU in order that we may perform our contract with you, insurance / underwriters and to provide our services and perform our activities. There may be adequacy decisions by the European Commission [i.e. decision by the EC that the specific country maintains data protection policies to the standard of the GDPR] meaning that the country to which we have transferred your data provides an adequate level of protection of your personal data.

However, to ensure that your personal data receives an adequate level of protection, we have put in place appropriate measures to ensure that your personal data is treated by those third parties in a way that is consistent with and which respects the EU and Cyprus data protection laws.

 

  • DATA SECURITY

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.  In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know.  They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

 

  • HOW LONG WE KEEP YOUR PERSONAL DATA

Except as otherwise permitted or required by applicable law or regulatory requirements, we may retain your personal data only for as long as we believe it is necessary to fulfil the purposes for which the personal data was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations).

We may, in certain circumstances, make your personal data anonymous such that it cannot be associated with or tracked back to you. Once you are no longer an employee of M.C.T. ENTERPRISES LTD we will retain and securely destroy your personal data in accordance with our retention policy as well as applicable laws and regulations.

 

  • YOUR DATA PROTECTION RIGHTS

You have the following rights in terms of your personal data we hold about you:

  • Receive access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing.  If you want to request access to your personal data, please send an email to dpo@vrissakibeachhotel.com
  • Request correction [rectification] of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.

 

  • Request erasure of your personal information. This enables you to ask us to erase your personal data [known as the ‘right to be forgotten’] where there is no good reason for us continuing to process it.
  • Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

 

  • Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
    • it is not accurate,
    • it has been used unlawfully but you do not wish for us to delete it,
    • it is not relevant any more, but you want us to keep it for use in possible legal claims,
    • you have already asked us to stop using your personal data but you are waiting us to confirm if we have legitimate grounds to use your data.
  • Request to receive a copy of the personal data concerning you in a format that is structured and commonly used and transmit such data to other organizations. You also have the right to have your personal data transmitted directly by ourselves to other organizations you will name [known as the right to data portability].

 

  • Withdraw the consent that you gave us with regards to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.

To exercise any of your rights, or if you have any other questions about our use of your personal data, you can also contact our Data Protection Officer at dpo@vrissakibeachhotel.com.

We endeavour to address all of your requests promptly.

Right to lodge a complaint

If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by sending an e-mail to dpo@vrissakibeachhotel.com. You also have the right to complain to the Office of the Commissioner for Personal Data Protection (website http://www.dataprotection.gov.cy)

  • CHAGES TO THIS PRIVACY POLICY

 

We reserve the right to update this privacy policy at any time, and we will provide you with a new privacy policy when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

If you have any questions about this privacy policy, please contact the Data Protection Officer Mr. Simos Charalambous at dpo@vrissakibeachhotel.com