The Notice for the Protection of Personal data concerns the processing of personal data by the Commission for the Protection of Competition (hereinafter referred to as "the Commission") in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, set out on 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR) which came into effect on 25 May 2018 and the Law of the Republic of Cyprus on the Protection of Natural Persons Against the Processing of Personal Data and the Free Movement of such Data (Law 125(I)/2018).
In this context, the Commission has appointed a Data Protection Officer (DPO) as per the provisions of Articles 37-39 of the GDPR.
1. Processing of personal data:
For the purpose of lawfully exercising the Commission's powers in relation to the Protection of Competition Law of 2022, No. 13(I)/2022 (hereinafter the "Law"), the Law on the Control of Business Concentrations of 2014 (Law 83(I)/2014) and the Law of 2018 on Interchange Fees for Card Payment Transactions (Law 77 (Ι)/2018), the Commission processes personal data acquired from legal and natural persons.
The personal data collected and further processed may include names, contact details (e-mail address, office telephone and fax number, but also may occasionally include private contact details), the position and the duties of a person in a company (e.g. General Manager, Marketing Director, etc.) and possibly statements and records of individuals.
Personal data collected which includes information about the race or ethnic background, the health, the sexual orientation, the religion, the philosophical beliefs, the political views, the processing of genetic data, the processing of biometric data for the purpose of unambiguous identification of a person or his/her participation in a trade union, are considered of sensitive nature. The Commission has the ability to collect and process sensitive data by exercising a legal obligation or by performing duties in the public interest or in exercising powers vested upon it by another public authority. The Commission provides this type of personal data with extended protection by setting stricter conditions to their access.
Personal data is collected and processed for a specific, explicit and lawful purpose and is not further processed in any way that is incompatible with this purpose.
2. Purpose and legal basis:
The Commission processes personal data in the context of executing its responsibilities and in particular:
- for the purpose of conducting investigations regarding complaints or ex officio investigations relating to violations of sections 3 and/or 6 of the Law and articles 101 TFEU and/or 102 TFEU, either following a complaint or ex officio or as otherwise stipulated by Regulation (EC) No. 1/2003 and to carry out sector inquiries into particular sectors of the economy or types of agreements.
- for the purpose of enforcing the Control of Concentrations between undertakings Law 83(I)/2014.
- for the purpose of examining the applications submitted in accordance with the Immunity from and reduction of administrative fines in cases of collusions that infringe section 3 of the Protection of Competition Law and /or Article 101 TFEU (Leniency Programme) Regulations of 2022 (PI 442/2022).
- for the purpose of implementing the national law (Ν.77(Ι)/2018) on interchange fees for card-based payment transactions by collecting data and conducting investigations for ensuring compliance with Regulation (EU) 2015/751, or to identify potential violations of the provisions of the said Regulation.
- for the purpose of cooperation with the European Commission, national Competition Authorities of Member States, the national Courts of Justice and other national authorities for the implementation of European and national competition law and for the purpose of the Commission's exercise of powers.
- for the purpose of processing applications for employment, recruitment, appointment or internship at the Commission.
- for the purpose of controlling unauthorized entry into the Commission’s building and facilities and for other security reasons.
- for any other purpose directly or indirectly related to any of the above or for any other purpose for which personal data was handed over to the Commission.
The Commission, in accordance with the Law, has the power to collect information, through requests of information and questionnaires, by receiving official statements, by conducting investigations in undertakings or associations of undertakings, as well as in other business premises and conducting investigations in sectors of the economy or types of agreements.
The Commission's investigation focuses, in the context of the relevant administrative procedure, on undertakings (and associations of undertakings) and not on natural persons. However, all the necessary information collected and further processed by the Commission, in accordance with its powers of inspection and investigation, inevitably may include personal data.
3. Scope of accessibility to and notification of personal data:
Access to personal data is limited to:
- the Commission, the Commission’s Service and its staff,
- the Ministry of Energy, Commerce and Industry to which concentrations are notified.
- the Accountant General’s Office of the Republic, which processes accounting payments relating to matters pertaining to the Service and the Commission.
In addition to the above, certain data may also be made available to other services, departments or authorities of the Republic, based strictly on a "need to know" basis.
The Commission complies with the procedures and takes the necessary actions provided for in Circular No. 1575 of the Department of Public Administration and Personnel, Ministry of Finance. The data may be shared with any authority that has the legal right to conduct audits of the Commission's activities, including the Audit Office of the Republic.
In the event that a complaint is made against an undertaking or an association of undertakings, the personal data included in it may be communicated to the complainants and/or to another competent authority or organization, if this is deemed necessary for the purposes of investigating the complaint and/or to prove suspected violations of the legislation, after having informed the person submitting the complaint.
Based on articles 12 and 28 of Regulation (EC) 1/2003 as well as section 7(I)(c) of national Law 77(I) of 2018, it is possible to disclose information to the European Commission, to competition authorities of member states and to national Courts of Justice under the conditions laid down by the GDPR and by extension by national legislation.
4. Safekeeping of personal data:
Personal data shall be stored electronically and, where necessary, in paper form, in files kept by the Commission.
5. How personal data is protected:
According to Article 28(1) of Regulation (EC) 1/2003, the information collected may only be used for the purpose for which it was collected.
Access to the file of the case is limited, in accordance to section 42 of the Law, to undertakings and/or associations of undertakings to which a statement of objections has been notified (Article 18) or to which the reasons on whether it is considered that there is a probable violation of the provisions of the Law (section 19) have been notified, subject to the provisions of paragraph 8 of the said article, which provides that:
«(8)(a) The Commission may, pursuant to the provisions of points (e) and (h) of paragraph 1 of Article 23 of Regulation (EU) 2016/679, while respecting the principles of proportionality and necessity, in exercising its powers and responsibilities pursuant to the provisions of paragraphs (a) to (p) of subsection (2) of section 26 and of sections 18 and 19, limit partly or wholly, the right to access, erasure (‘right to be forgotten’) and restriction of processing of the data subjects whose data is being processed, according to the provisions of articles 15, 17 and 18 of Regulation 2016/679 especially for the purpose of safeguarding the means of investigation and methods used, mutual assistance and cooperation with the European Commission and/or the Competition Authorities, pursuant to the provisions of this Law and/or Articles 11 to 16 and 22 of Regulation (EC) No. 1/2003 or the rights and freedoms of other data subjects.
(b) To this end, the Commission documents in writing, the reasons for the restrictions and notifies the data subject concerned, in its response to the request for access, erasure or restriction of processing, of the restrictions applied and the substantial reasons thereof, as well as the possibility for the data subject to file a complaint with the Commissioner of Personal Data Protection or have recourse to the Court:
Provided that, the provision of information relating to the reasons for the restrictions may be omitted, for as long as the purpose of the restrictions is undermined.
(c) Restrictions shall continue to apply for as long as there are reasons to justify them, and when such reasons cease to exist, the Commission shall lift the restrictions and inform the data subject accordingly.»
6. How can the accuracy of your personal data be verified and, if necessary, corrected:
The data subjects have, among other things, based on the Legislation, the right to information, access, amendment and deletion and to limit the processing of the data registered in the files which are subject to processing by the Commission.
However, for the purpose of safeguarding the research techniques and methods used, the cooperation and mutual assistance with the European Commission and/or other competition authorities or the rights and liberties of other subjects of personal data, the Commission, when exercising its powers and authorities, may, in accordance with the provisions of points e) and h) of paragraph 1 of Regulation (EU) 2016/679 (sections 41(9) and 42(8) of the Law) based on the Law, limit the application of the rights and obligations that are provided for in articles 12, 13, 14, 15, 17 and 18 of Regulation (EU) 2016/679, as well as the principle of transparency (article 5(I)(a) of the Regulation), whenever deemed necessary.
7. Duration for which personal data can be stored:
The personal data of data subjects are kept for 10 years, which is the General Rule set out by the Registrar of the State Archives in its Annual Directives to Departmental Officers. Under the State Archives Act 1991 to 1995, as amended, the records of the Commission, as a public authority, form part of the State Archives. Therefore, the recording, transfer and destruction of files in the Commission's archives is determined by the instructions of the Registrar of the State Archives and is subject to his/her approval. Furthermore, it is possible for the Commission to keep data for more than 10 years if this cannot be deleted either for legal or technical reasons, or for statistical or archiving purposes for reasons of public interest.
With regard to data received by the Commission through reports filed by informants under the scope of the Protection of Persons Reporting Violations of EU and National Law 2022 (Law 6(I)/2022), it is noted that any personal data included in these reports is deleted within three (3) months from the date of completion of the procedure. In the event that judicial or disciplinary proceedings have been initiated against the reporting party or the informant, then the personal data shall be retained for the duration of such proceedings, including in the event of an appeal or objection, and, after one (1) year has elapsed from their conclusion, it shall be deleted."
8. Rights of the data subject:
Without prejudice to the provisions of sections 26(4), 41(9), 41(10) and 42(8) of the Law, through which the Commission may limit the application of the rights and obligations provided for in Articles 12 to 14, 15, 17 and 18 of Regulation (EU) 2016/679, as well as the principle of transparency provided for in point (a) of Article 5(1)(a) of that Regulation, the data subject shall have, inter alia, the following rights:
- Submission of a request to the Commission for access to and correction of the data held.
- Withdrawal - where applicable - of the necessity of consent to the processing of personal data.
-Restriction or objection to the processing of data by the data subject provided that it does not act against the public interest.
Anyone wishing to exercise any of the above rights may submit a written request to the following address:
Commission for the Protection of Competition, 53 Strovolos Avenue, Victory Building, 2018 Strovolos, Nicosia, P.O. Box 23467, 1683 Nicosia.
The data subject may submit a complaint with the Commissioner for Personal Data Protection in relation to the application of the legislation with respect to the protection of individuals regarding the processing of personal data.
9. For further information - Contact details of the Data Protection Officer:
In the case of further information needed regarding the processing of personal data, you may contact the Data Protection Officer of the Service by sending an email to: email@example.com
Contact details of the Data Protection Officer:
Tel. No.: +357 22 606634