The information available on this website is intended as a guide only and every reasonable effort shall be made to keep it current and accurate. It does not however purport to be a legal interpretation.

In the event of any discrepancy between the version of a document obtained from this website and the designated official version, the designated official version is the authoritative one.

Links to external sites are provided for the user’s convenience and do not constitute or imply their endorsement, recommendation or favouring.

The Department of Agriculture (DA) takes seriously the protection of the privacy of employees and citizens, applying the DA Privacy Policy, which ensures and respects the current legislative framework (General Regulation for the Protection of Personal Data (GDPR) 2016) /679 and Law 125(I)2018).

The Personal Data (PID) collected by DA is limited to what is absolutely necessary for its compliance with any legal obligation or the fulfillment of its duties, performed in the public interest or the exercise of the public authority assigned to it. Collection and processing of PID by the DA is governed by the principles of proportionality and confidentiality in order to safeguard privacy and citizen rights.

Any processing of personal data by the DA is governed by the principles clearly described in article 5 of the GDPR. The personal data provided are not further processed in a manner incompatible with the purposes for which they are collected. These purposes are defined, explicit and legitimate, in the context of its operation and the provision of services to citizens ("purpose limitation").

The goal of DA is that the collected personal data is accurate and updated, if and when necessary, taking all reasonable measures to immediately correct or delete inaccurate data, taking into account the intended purposes of the processing.

PID is kept in physical or digital files for as long as necessary for the purposes of processing. This period is determined on a case-by-case basis.

Definitions

1. "Personal Data (PID)" is any information that refers to a natural person who is alive and whose identity is known or can be ascertained directly or indirectly based on one or more elements characterizing his status,

2. "Processing personal data" means any act or series of acts on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association, combination, limitation , deletion or destruction,

3. "Controller" is the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of processing personal data,

4. "Processor" is the natural or legal person, public authority, agency or other entity that processes personal data on behalf of the data controller,

5. "Data Protection Officer" is the person responsible for monitoring the organization's compliance with the General Regulation on GDPR protection. His role is advisory and is the point of contact between the organization and the Commissioner.

Personal data that may be collected

Personal data collected varies depending on the user's activities. In the context of performing its obligations, the DA may collect and process the following data:

· Full name (name and surname) address and contact informations

· Date of Birth.

· Information related to the services provided.

· Information regarding the implementation of legislation falling withing the scope of competences of the DA, i.e. land and species of crops cultivated, number and species of animals bred by a farmer.

· Information withing the scope of competences of the DA.

· Data regarding users’ accounts, such as user name, connection data etc.

Appropriate security measures have been taken, such as encoding, controlled access and delegation of duties, are tacken in order to prevent loss, unfair use on unauthorised access to PID. Access to PID files is limited only to authorized employees for the purpose of their specific tasks.
PID controllers process users’ data after the necessary authorization has been obtained. In addition, confidentiality is maintained. In the event of a suspected violation of the security of the PID of a user, the DA is responsible for notifying the affected parties and the relevant supervisory authority, as long as there is a legal obligation for such action.
The purpose of processing the personal data of each user is one or more of the following:

· To fulfill the tasks performed by the DA.

· To comply with a legal obligation.

· When consent of the data subject is provided.

· For other purposes that fall within the responsibilities of the DA.


Depending on the type of personal data being processed, the following legal bases are used, on which the DA can rely depending on the PID and the reason for its processing:

· Consent: There is consent to process personal data for a specific purpose.

· Contract: It is deemed necessary to use PID for the execution of a contract that the user has concluded with the DA or specific measures have been requested by the DA before entering into a contract.

· Legal obligation: The processing of the PID of each user becomes mandatory for compliance with the law (apart from contractual obligations).

· Exercise of authority: When PID processing is necessary for the performance of a task that serves the public interest or for the exercise of public authority delegated to the controller.

· Legitimate interests: When the use of PID of each respective user is necessary to serve the legal interests of the DA or the legal interests of third parties (unless there is a good reason for the protection of the PID of the respective user, which overrides the legal interests interests of the DA).

Data Recipients

The Department of Agriculture may transfer to third parties the personal data it has collected only if it is obliged to and it is determined that such action is necessary for legal purposes.

Rights of the data subject
Each citizen, as a data subject, may exercise at any time his/her rights, as prescribed in the General Data Protection Regulation 679/2016 EU and particularly, in articles 12 until 23 thereof, and the national legislation, and more specifically:

i. the right to receive information and obtain access to the data processed by the DA

ii. the right of correction of his/her personal data

ii. the right of deletion of his/her personal data, in part or in whole, (right to forget), in cases when

1. Data are no longer necessary for the purpose for which it has been collected or submitted for processing.

2. The data subject has exercised his/her right to object, that is to raise objections against the processing of his/her personal data, and there is no further legal base for data processing.

3. When data processing is carried out with the lack of legal basis.

4. When the las foresees the obligatory deletion of PID.

Right to restriction of processing: Every person has the right to request the restriction of the processing of their personal data in the following cases:

1.The accuracy of the data is disputed and until the DA verifies its accuracy

2. When, instead of deletion, the restriction of the processing of personal data is requested.

3. When the DA no longer needs the data, but this data is required by the citizen to establish, exercise or support legal claims.

Right to object: Every person has the right to object to the processing of their PID, unless there are compelling and legitimate reasons for the processing that override the interests, rights and freedoms of the individual, or to establish, exercise or support legal claims of the DA.

Right to withdraw consent: Every person has the right to withdraw their consent at any time for issues related to the protection of simple personal data, with no retroactive effect.

The above rights may be limited due to the obligation to apply another law.


For all of the above and to answer any questions regarding the legislation in force for the protection of PID,
every citizen has the possibility to contact the DG in writing (to the attention of the Data Protection Officer). The DA will respond to the request without delay and, in any case, within one month of receipt of said request, except in exceptional cases where the deadline may be extended for another two months, if deemed necessary, taking into account the complexity of the request or the number of requests.

A person who believes that his/her rights regarding the protection of his/her personal data have been violated, reserves the right to file a complaint with the Personal Data Protection Authority

Security measures
The DA has taken the appropriate technical and organizational measures in order to ensure the application of legislation and the appropriate level of security of users’ personal data. It has properly trained its staff and the entire network of people working with it and has committed all its partners , who act on its behalf as Processors with contracts governed by the guarantees and safeguards of the GDPR.

Access to personal data found in electronic files is limited only to employees authorized for this purpose who are obliged to maintain the confidentiality of this data using, without exception, a unique personal password and access code to the specific file. The system's servers are locked in a secure area to protect stored files and e-mail, and only authorized operators have access to the servers.

The official files of the DA containing personal data are handled on the basis of the Classified Documents Act.

Duration of data retention

The DA maintains personal data only for the period required for the purposes of their processing in the context of the fulfillment of its duties and the exercise of the public authority assigned to it. Also for as long as necessary for the establishment, exercise or support of legal claims.

Social Media Terms of Service (TOS)

The aim of TOS is to create a positive environment on all social media channels run by the DA (Facebook, X, YouTube, Instagram etc.). The DA abides by the TOS of all social media platforms it uses.

By engaging with DA social media platforms users agree with the following terms.

Users are personally liable for content they post online. It is therefore asked that anyone engaging with DA’s social media channels shows respect towards all other users, protects their personal information and abides by the Terms of Service associated with each social media platform.

Comments must not:

• Contain personal data of the user or others.

• Be defamatory of any person, deceive others, be obscene, offensive, threatening, hateful or promote sexually explicit material or violence.

• Promote discrimination based on race, sex, religion, nationality, disability, sexual orientation or age.

• Breach any of the TOS of the social media platforms themselves.

• Contain spam or advertising.

Breach of Terms
Any information posted on the DA’s social media channels is considered public information and may be subject to monitoring, archiving, moderation or disclosure to third parties. The page administrators therefore reserve the right to forward any comments to responsible authorities for investigation as we deem appropriate.

The page administrators reserve the right to delete or mark as spam any and all comments. They also have the right to block access to anyone from posting to DA’s pages.

Amendment to the Privacy Policy
The DA reserves the right to amend its privacy policy without prior notice, at its sole discretion, and any revised policies will be posted on DA’s website.

Contact details of the Data Protection Officer (DPO) of the Department of Agriculture
Andreas Alexandrou, Senior Agricultural Officer

Department of Agriculture, Section of FADN Data Analysis and Documentation

Address: Louki Akrita, 1412 Nicosia

Telephone no.: 22464038

E – mail: aalexandrou@da.moa.gov.cy