Wi-Fi Use Privacy Notice

The company, CPT Cyprus Public Transport Services and Operations Limited, with registration number HE 404634 (the “Company”, “CPT” “We”, “Us”), collects and processes personal data on anonymous basis while providing a free wireless high-speed Internet access to the passengers (“you”, “your”) of the busses of CPT, through wireless networking technology that uses radio waves to provide wireless high-speed internet connectivity (the “Wi-Fi Network”).

This Privacy Notice includes all the information the Company, as controller under the law and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), has an obligation to provide you with, as data subject of the data it collects and processes.

1.    What Information we Collect 

When attempting to access and use the Wi-Fi Network you will be directed to a captive portal which prompts you to accept our Terms and Conditions of Wi-Fi Use, provide the below personal data on anonymous basis, and participate in an anonymous, one question, survey by providing your sex (male, female, other etc.) and rate from 1 to 5 the question that will be presented on your screen, (the “CPT Portal”). You will be requested to sign in, as described above, on every occasion thereafter, before granting you access to use the Wi-Fi Network.
The personal information We collect from you, which in any case cannot identify you since they are provided on an anonymous basis, are the following:  
   1)    Age;
   2)    Sex (male, female, other etc.);
   3)    Occupation/Status (employed, student, retired etc.);
(the “Personal Information”)

2.    Purpose of the Collection

We collect the above anonymous Personal Information for statistical and demographical purposes, only. This assist us to evaluate your needs and improve our services to provide you with the best possible experience.  
We do not collect and we do not use any personal data other than that specifically mentioned above without your explicit consent, unless you ask us to do so.
Our Company does not use automated decision-making processes or profiling while processing your personal data.

3.    Our Legal Basis for Processing your Personal Information

When we use your Personal Information we are required to have a legal basis for doing so. There are various different legal bases on which we may rely on, depending on what personal information we process and why.

Our legal basis is Article 6(1)(f) - legitimate interests. In particular, is to pursue our legitimate interest to be able to understand the demographics of our customers in order to be able to improve our services for their benefit. While doing so, we are taking all the appropriate measure to make sure that the interests and fundamental rights and freedoms of our customers are not hindered in any way.

4.    How we Keep your Data

We process your personal information at our head offices, in Nicosia, and then we are using third party cloud services where the information is safely kept and stored.
For the storage and security of your personal data the Company takes all the necessary technical and organizational measures to ensure that the processing is carried out in accordance with the law and the GDPR (access control, firewalls, antivirus, cryptography, anonymous data etc.).

5.    Access to your Data

Within our Company, your personal data is only accessible by the strictly necessary personnel, who is burdened with a duty of confidentiality and only for the purposes mentioned in paragraph 2 above.
Outside our Company, recipients of your personal data may be third parties who provide services to our Company in the context of our business, such as companies who provide technical services information technology services, provision and maintenance of software. We choose our associates very carefully, after the necessary checks have been carried out and sufficient guarantees have been provided to implement appropriate technical and organizational measures in such manner that processing will meet the requirements of the GDPR and the relevant laws and ensure the protection of your rights.   

6.    Retention Period

In accordance with our Company’s policy, your data is kept only for as long as necessary to fulfil the purposes stated in paragraph 2 above.
After this period, your personal data will be irreparably destroyed.

7.    Transfer to Third Countries

We are not transferring personal data outside the EU/EEA. In case your data will be transferred to entities or other third parties whose headquarters or place of data processing is not located in a member state of the European Union or the European Economic Area, we ensure before forwarding the data that, outside of legally permitted exceptional cases pertaining to the recipient, either an appropriate level of data protection exists (e.g. through an adequacy decision of the European Commission or the agreement of EU standard contractual clauses between us and the recipient), or your sufficient consent exists.
We can provide you with an overview of the recipients in third countries and a copy of the specifically agreed regulations to ensure the appropriate level of data protection. To obtain these, please contact us at dpo@publictransport.com.cy.

8.    Your Rights

As a data subject, you can contact us at any time and exercise your rights, which are, the right to:
(a)    receive information about the data processing and a copy of the processed data.
(b)    demand the rectification of inaccurate data or the completion of incomplete data.
(c)    demand the erasure of personal data.
(d)    demand the restriction of the data processing.
(e)    receive the personal data concerning the data subject in a structured, commonly used and machine-readable format and to request the transmittance of these data to another controller in certain situations;
(f)    object to the data processing;
(g)    withdraw a given consent at any time to stop a data processing that is based on your consent;
(h)    complain to a competent supervisory authority.
Should you require to exercise any of your rights or in the event that you wish to complain about how we have handled your personal data or to receive further information about your rights, please contact us (see ‘How to contact us’ below).
If you still feel that your personal data has not been handled appropriately according to the law, you can submit your complaint with the Office of the Commissioner for Personal Data Protection, at 1 Iasonos Street, 2nd Floor, 1082 Nicosia, tel. +357 22 818456, email address commissioner@dataprotection.gov.cy.

9.    How to contact us

You can contact us by post, email or phone, if you have any questions about this Privacy Notice or the information we hold about you, to exercise a right under data protection law or to make a complaint.
Our contact details are shown below:
   Postal address: Thali 4, 2200 Geri, Nicosia, Cyprus
   Email address: dpo@publictransport.com.cy
   Telephone no.: +357 22 221416

10.    Changes to this Privacy Notice

This Privacy Notice was last updated on 11 October 2023.
We may change this Privacy Notice from time to time and when we do so, we will inform you via a notification on our Website or via other means of contact, when this considered necessary.