Opening Hours

General Data Protection Regulation (GDPR) Compliance Policy

 

  1. Purpose

This policy aims to outline the procedures and measures implemented by  Paradox Museum Limassol to ensure compliance with the General Data Protection Regulation (GDPR), implemented and transposed by national legislation, when processing personal data in the context of the corporate purpose of  Paradox Museum Limassol.

  1. Scope

This policy applies to all employees, contractors, and third-party service providers processing personal data on behalf of the Company, including all data processing activities conducted by the Company.

  1. Definitions
  • Personal Data: Any information relating to an identified or identifiable natural person (data subject).
  • Sensitive Personal Data: Includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation.
  • Data Subject: An individual whose personal data is processed.
  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, or dissemination.
  1. Principles of Data Protection

Paradox Museum Limassol is committed to adhering to the following principles when processing personal data:

  • Lawfulness, fairness, and transparency: Personal data will be processed lawfully, fairly, and transparently.
  • Purpose limitation: Data will only be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with said purposes.
  • Data minimization: Only the personal data necessary for the intended purposes will be collected and processed. A minimization of requested information is and shall remain the goal of the Company, to the extent that said request adheres to the corporate purpose.
  • Accuracy: Personal data will be kept accurate and up-to-date.
  • Storage limitation: Personal data will not be kept longer than necessary for the purposes for which it was collected and processed.
  • Integrity and confidentiality: Appropriate security measures will be implemented to protect personal data from unauthorized access, loss, or damage.
  1. Lawful Basis for Processing

Personal data will only be processed if one or more of the following lawful bases apply:

  • The data subject has given explicit consent.
  • Processing is necessary for the performance of a contract.
  • Processing is required to comply with a legal obligation.
  • Processing is necessary to protect vital interests.
  • Processing is necessary for the legitimate interests pursued by the company, provided such interests do not override the rights and freedoms of the data subject.
  1. Rights of Data Subjects

Paradox Museum Limassol will ensure that data subjects can exercise their rights under the GDPR, including:

  • Right to Access: The right to access their personal data.
  • Right to Rectification: The right to correct inaccurate or incomplete data.
  • Right to Erasure: The right to request the deletion of their data (“right to be forgotten”).
  • Right to Restriction: The right to restrict processing under certain circumstances.
  • Right to Data Portability: The right to receive their data in a structured, commonly used format.
  • Right to Object: The right to object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: The right to withdraw consent at any time.
  1. Data Processing Activities

Paradox Museum Limassol processes personal data primarily for the following purposes in the entertainment industry:

  • Ticket sales and event management- minimized on the basis that external service providers carry out the ticketing services.
  • Marketing and promotional communications.
  • Customer service and support.
  • Legal and regulatory compliance.
  1. Record of Processing Activities (RoPA)

Paradox Museum Limassol maintains a detailed Record of Processing Activities, including:

  • Categories of personal data processed.
  • Data subjects involved.
  • Purpose of processing.
  • Legal basis for processing.
  • Data retention periods.
  • Third-party recipients of the data.
  1. Data Transfers

Personal data transferred outside the European Economic Area (EEA) will only occur if appropriate safeguards are in place, such as:

  • Adequacy decisions by the European Commission.
  • Standard Contractual Clauses (SCCs).
  • Binding Corporate Rules (BCRs).
  1. Data Breach Management

In the event of a data breach:

  • The breach will be reported to the Data Protection Officer (DPO) immediately.
  • The relevant supervisory authority will be notified within 72 hours if the breach poses a risk to the rights and freedoms of individuals.
  • Data subjects will be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  1. Third-Party Processors

Paradox Museum Limassol ensures that third-party processors handling personal data on its behalf:

  • Are contractually bound to comply with GDPR requirements.
  • Implement appropriate security measures.
  • Process data only as instructed by PARADOX MUSEUM LTD.
  1. Data Retention Policy

Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Specific retention periods will be defined based on the type of data and legal requirements.

  1. Roles and Responsibilities
  • Employees: Required to follow GDPR policies and attend training sessions on data protection.
  1. Training and Awareness

All employees will receive regular training on GDPR requirements and data protection best practices to ensure compliance with this policy.

  1. Policy Review

This policy will be reviewed annually or whenever there are significant changes to GDPR or other applicable data protection laws.

  1. Contact Information

For questions or concerns related to this policy or GDPR compliance, please contact:

25051758

limassolgm@paradoxmuseumlimassol.com