Our company, CPT CYPRUS PUBLIC TRANSPORT SERVICES AND OPERATIONS LIMITED (the “Company”, “We”), provides public transportation services through regular service routes in the geographical area of Nicosia and Larnaca (“Services”) according to the procurement with the Ministry of Transport, Communication and Works (the “Contracting Authority”). We collect and process personal data which are necessary for the purpose of providing our Services to secondary and technical education students (“You”, “Your”,”Student”).


This Privacy Notice includes all the information the Company, as controller under the law and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), has an obligation to provide You with, as data subject of the data it collects and processes.


1.    What Information We Collect 


The personal data We collect from You are the following:


1.      Student’s full name;

2.      Student’s card number;

3.      Residential Address;

4.      Contact number;

5.      Email Address;

6.      Parent’s / Guardian’s / Representative’s personal details (including but not limited to full name and signature)

7.      The rote that each specific student will be taking;

8.      The time frame that the Services will be required by the Student (morning/noon/afternoon);

9.      Any information on disabilities and requests for specific assistance.

Important Notice on Special Category Data

In certain instances, the personal data You provide to us for these purposes may include “Special Category Personal Data” (i.e. information concerning race, ethnic origin, trade union membership, sexual orientation, religion or belief, health data or data relating to a person’s criminal record or alleged criminal activity). Such data will not be processes by us without Your explicit consent.


Children under 14 years old

If You are aged 14 or under, please get Your parent / guardian’s permission before You provide any personal information to Us.


We will need to process personal data relating to parent or guardians in that case – and We may also need to request for verification documentation to ensure that consent is given or authorized by the holder of parental responsibility.


2.    Purpose of the Collection


We collect Your personal data so that We can provide You with our Services and generally for the following purposes:

a)      You or Your parent / guardian representative have consented to the use of Your personal data for one or more specific purposes as explained herein;

b)      Performance of our contractual obligations;

c)      Compliance with legal obligations to which We are subject;

d)      Protection of Your vital interests;

e)      Pursuing a legitimate interest;

We do not collect and We do not use any personal data other than that specifically mentioned above without Your explicit consent unless You ask us to do so.


You do not have an obligation to provide us with Your personal data, but if You don’t We will not be able to provide You with our services.


We don’t use automated decision-making processes or profiling while processing Your personal data.

3.    How We Keep Your Data


We process Your personal data at our offices, in Nicosia, where they are kept and stored.

For the storage and security of Your personal data the Company takes all the necessary technical and organizational measures to ensure that the processing is carried out in accordance with the law and the GDPR (access control, firewalls, antivirus, cryptography, back-up, disaster recovery plans etc). 

4.    Access to Your Data

Within our Company, Your personal data is accessible only to those who need to, with a duty of confidentiality and only for the purposes mentioned in paragraph 2 above.

Outside our Company, recipients of Your personal data may be any subcontractors or third parties who cooperate and/ or provide services to our Company in the context of its business, such as companies who provide payment processing services, data analysis, email services, web hosting services, customer service and marketing services, information technology services, software development and maintenance, insurance companies, banks or other credit institutions etc.

We may disclose Your information to our affiliates, in which case We will require these affiliates to comply with this Privacy Notice. Our affiliates include our parent company and any subsidiaries, the Contracting Authority, joint venture partners or other companies that We control. We may also share Your information with our business partners to offer certain products, services or offers to You.  

We choose our associates very carefully, after the necessary checks have been carried out and sufficient guarantees have been provided to implement appropriate technical and organizational measures in such manner that processing will meet the requirements of the GDPR and the relevant laws and ensure the protection of Your rights. 

The external recipients of Your personal data may also include any other persons, entities or relevant authorities to whom Your data may need to be disclosed for the purposes stated in paragraph 2 and especially for compliance with our legal obligations.

5.    Retention Period

In accordance with Company policy, Your data is kept only for as long as necessary to fulfill the purposes stated in paragraph 2 above, or – in the case of consent – until You withdraw Your consent. In addition, We retain Your personal data for as long as necessary to comply with tax laws, to exercise our legal rights and generally to pursue our legitimate interests. 

After this period, Your personal data will be irreparably destroyed. Any data kept by us for marketing and information purposes will be retained until You inform us that You no longer wish to receive such information.

6.    Transfer to Third Countries

If Your data will be transferred to entities or other third parties whose headquarters or place of data processing is not located in a member state of the European Union or the European Economic Area, We ensure before forwarding the data that, outside of legally permitted exceptional cases pertaining to the recipient, either an appropriate level of data protection exists (e.g., through an adequacy decision of the European Commission, through suitable guarantees, or the agreement of EU standard contractual clauses between us and the recipient), or Your sufficient consent exists.

7.    Your Rights

Should You believe that any personal information We hold on You is incorrect or incomplete, You have the ability to request to see this information, rectify it or have it deleted by contacting us at the email address

In the event that You wish to complain about how We have handled Your personal data, You may contact us at the above email address and telephone number. We will then investigate Your complaint and work with You to resolve the matter.

If You still feel that Your personal data has not been handled appropriately according to the law, You can submit Your complaint with the Office of the Commissioner for Personal Data Protection, at 1 Iasonos Street, 2nd Floor, 1082 Nicosia, tel. +357 22 818456, email address