CING Data Privacy Policy

This Privacy Policy explains how and why the Cyprus Institute of Neurology and Genetics (“we”) collects personal data and what we do with it. It also explains the data subject rights under the General Data Protection Regulation (“GDPR”). In legal terms, we are the data controller, as we determine the means and/or purposes of the processing of the personal data held by us. We might be the data processor where we perform medical examinations or any other process on behalf of another legal entity that defines the means and/or purpose of the processing. Whether we are the controller or the processor, the personal data stored and processed within the Cyprus Institute of Neurology and Genetics follows the current policy.
 
The GDPR governs how we take care of the data we hold about data subjects. The first principle of the Regulation is that the data subjects’ personal data must be processed fairly and transparently. We have an obligation to let all data subjects know how we will take care of the data we hold about them and what we will use it for.
 
Why do we collect and use personal data?
 
We might need to keep records about patient healthcare and treatment, and we may keep information needed to contact patients for information about their examination results or to arrange appointments. This will allow us to provide patients with the best possible care and support.
 
We might hold health or genetics data on people who participate in research programs governed by the CING and others.
 
We might hold general contact information about people who act as next of kin for our patients and data on legal guardians to allow us to contact them in case of emergency.
 
We might hold the necessary data about employees and collaborators to execute the employment or other contracts.
 
We might hold data on candidates for recruitment.
 
We might hold data on visitors to the Institute to monitor security on the premises. We might collect data on volunteers for charity events and initiatives.
 
We might hold data on members of the public who have consented to be contacted for events and conferences.
 
We might hold finance-related data of employees and collaborators pursuant to the applicable tax laws in Cyprus.
 
 
We collect and use personal data under the following lawful bases:
 
  • where we have the data subject’s consent;
  • where necessary to execute a contract with the data subject;
  • where it is necessary for compliance with a legal obligation;
  • where processing is necessary to protect the vital interests of the data subject or of another person;
  • where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • where it is justified by the legitimate interests of the Institute, of the data subject or of others.

 

Where the personal data we collect is sensitive personal data, such as health, genetic profile or biometric data, we will only process it where:

 

  • we have explicit consent;
  • processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
  • processing is necessary for reasons of substantial public interest, on the basis of European Union law or Cyprus law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • processing is executed for medical diagnosis, the provision of health or social care or treatment on the basis of European Union or Cyprus law or pursuant to a contract between us and the patient for the provision of such services.
 
The personal data that we collect, hold and share may include:
 
For visitors, volunteers to any of our charity initiatives, members of the public, people that are next of kin to a patient:
 
  • Basic details such as name, address, date of birth;
  • ID number.
  • Contact information (phone number, e-mail etc.)
  • Images of the CCTV system we have installed in our premises.
 
For patients:
  • The personal data that the patients disclose when appointments are being arranged;
  • Sensitive data such as genetic profile, medical conditions, ethnicity, nationality;
  • Notes and reports about patients’ physical or mental health and any treatment, any care or support the patients need and receive;
  • Results of patients’ tests and diagnosis;
  • Relevant information from other professionals such as from the social services;
  • Information on medicines, side effects and allergies;
  • Patient experience feedback and treatment outcome information;
  • Images of the CCTV system we have installed in our premises.
  • Financial information such as payment details.
 
For employees or collaborators:
  • Basic details such as name, address, date of birth;
  • Contact information (phone number, e-mail etc.)
  • Curriculum vitae.
  • ID number, social insurance number, IBAN number and other financial information.
  • Images of the CCTV system we have installed in our premises.
 
For candidates for recruitment:
  • CV and the corresponding cover letters that candidates share with us.
 
For research program participants:
  • The necessary personal data that we must collect and process is defined by each research program and is indicated in the consent forms signed by research program participants.
 
 
How long are personal data retained?
 
Any personal data collected under the lawful basis of consent, such as contact details for communication purposes, will be deleted when the data subject withdraws his/her consent. Data subjects may withdraw their consent at any time.
 
Any personal data collected under the lawful basis of the execution of a contract will be retained only for the period needed to execute that contract and any subsequent requests, claims and/or interests.
 
Any personal data collected because of a legal obligation will be retained for the period determined by the obligation itself.
 
Any personal data collected for any other reason will be retained only for the period necessary for the purpose for which the data was provided, and not for any longer period.
 
 
Who do we share personal data with?
 
We routinely share patient data with health professionals directly involved with the patient’s care. We may share patient personal data with other health provider organizations or a national authority for health care purposes. This may include other providers of healthcare services that operate in other hospitals/clinics, physicians who individually provide care to patients such as general practitioners, laboratories, radiology services providers, ambulance services, and others.
 
Similarly, we may need to share information from patients’ health records with third parties for the purposes of evaluating the quality of care that we provide. However, we will not disclose any health-related data to third parties for such purpose without the patient’s consent unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.
 
We may also be asked by statutory bodies to share basic information about patients, such as their name and address, but not sensitive information from health records. When this happens, it is normally because we are obliged to share such information to assist the bodies in carrying out their statutory duties.
 
We may transfer some of the personal data that we hold to financial institutions and/or auditors and/or legal representatives to execute payments or take other actions in order to execute a contract or to be in accordance with the Law.
 
Whenever we share personal data with third parties other than the Public Authorities, we will ensure a Data Processing Agreement is in place. A Data Processing Agreement establishes the rules of such transfers and ensures the security and privacy of the data subjects’ data. We will provide only the minimum amount of personal data necessary to fulfill the purpose for which we are required to share the data.
 
We do not share personal data about anyone without consent unless the law allows us to do so. Data subjects have the right to refuse/withdraw consent to personal data sharing at any time. Any possible consequences, which could include delays in receiving care, will be fully explained to the data subjects.
 
 
Data subject rights:
 
Data subjects have the following rights:
 
  • the right to access personal data and supplementary information
  • the right to have inaccurate personal data rectified, or completed if it is incomplete
  • the right to erasure (to be forgotten) in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to data portability, which allows the data subject to obtain and reuse personal data for their own purposes across different services
  • the right to object to processing in certain circumstances
 
Data subjects can exercise any or all of their rights by submitting a Rights’ Request form to:
 

1. The Cyprus Institute of Neurology and Genetics

P.O.Box 23462
1683 Nicosia
For the attention of the Data Protection Officer.
 
Or
 
2. By e-mail at: dpo@cing.ac.cy.
 
Or
 

3. By fax at: 22358238 (for the attention of the Data Protection Officer)

 
Rights’ Request forms can be requested from the CING General Administration section in person, or by e-mail from dpo@cing.ac.cy.
 
If you need assistance in filling in the Rights’ Request form, or for any other relevant queries, please contact the CING General Administration section at 22392821 or 22392725.
 
If you have a concern about the way we are collecting or using your personal information, you should raise your concern with us in the first instance or directly with the office of the Commissioner for the Protection of Private Data. Complaint forms for the Commissioner’s office are available at www.dataprotection.gov.cy.