Contact Information of the Data Controller
The Board collects, maintains and further processes the consumer data in accordance with the provisions of the current legislation, issued under The Water Supply (Municipal & Other Areas) Law (Cap 350). In other words, it has as a legal basis the compliance with the provisions of the law for the majority of the processing on consumer personal data. In particular, data is collected and maintained through applications submitted by applicants either in person or electronically for any issue such as:
- The water supply of premises
- The change of tenant/owner through the last account of the previous consumer
- The payment in installments of the consumer account
- The pricing with a special household charge
- The disconnection of consumer premises
- The discount from the Board to a Consumer due to high consumption
- The invoicing and charging of premises
The data collected in these cases (Full Name, Telephone Number, Home Address, Ownership of Property Share, Invoice Delivery Address, Property Title, Signature, Identification Number, Sale Agreement/Land Registry Receipt) are necessary information for the proper billing and for identifying the correct location of the premises. Furthermore, based on the Regulatory Administrative Act K.D.P. 290/2017 the Board collects the consumption data of the premises from the water meter, in order to charge and send the bill to the contact address of the Consumer.
Furthermore, the Board acts as the Data Processor for the Larnaca Sewerage and Drainage Board as it is in its responsibilities to issue the sewerage fee. In addition, the Board does not transmit the data to third parties, other than those mentioned herein, Processors or common associates which are joint processors, unless it has an obligation under the law of the European Union or a Member State and always in accordance with Article 23 of Regulation (EU) 2016/679. The Board, in order to ensure compliance with Regulation (EU) 2016/679 as regards the relevant data transfers, has made all the necessary guarantees and is examining them on a case-by-case basis.
Additional processing carried out by the Board under the provisions of the applicable law is the power of the Board President to inspect himself in person or through a person authorized by them any of the premises of the Board in order to determine compliance with the provisions of CAP.350 or any regulations issued under it. This activity has as its sole purpose the exercise of the powers and the fulfillment of the duties defined in CAP.350 or any regulations issued under it and no other action can be performed through this authorization.
The Board may, with the consent of the Consumer, collect the necessary data for the purpose of sending an invoice by electronic means and the Consumer has the right to demand the cancellation of this request and return to the sending of a hardcopy invoice, at any time.
At the choice and at the request of the Consumer with a legal basis for processing being the execution of the contract, i.e. Article 6 (1)(b) of Regulation (EU) 2016/679, it is possible to pay the bill by direct order to the Consumer’s Bank and the cancellation of the request respectively. The Consumer gives only the data necessary for the execution of their requests (Name, Address, Bank, Account Number, Account Holder, Signature) and the Board processes them for the sole purpose of executing the relevant request.
For security purposes, the Board uses a CCTV system at the entrance of the building of its main offices and its external facilities for which it has posted the necessary signs. Furthermore, the Board uses a third-party associate who is selected through a public tender and acts as the Data Processor in charge of issuing and sending the bill to the Consumer. The data that the Data Processor company receives from the Board are Name, Full Contact Information, Consumption Data and Charges which are then recorded in the Consumer account.
The Board in full compliance with Regulation (EU) 2016/679 will adopt deletion and/or anonymisation procedures for the data it collects, processes and maintains. In any case, the data is deleted upon request for correction in the event they are outdated or erroneous or due to the fulfillment of a valid deletion request.
Data Protection System
The Board takes all the necessary technical and organizational measures to ensure the integrity, authenticity, confidentiality and accessibility of the data it maintains and processes, as it implements an integrated system for the protection and security of personal data and ensures the protection of both its physical and electronic environment. It also ensures that its system is kept up-to-date through regular internal audits and reviews to ensure the continuity of its system and therefore the continuous protection of personal data by adapting its system according to technological developments, changes in legislation and its needs. Finally, it selects its associates including its information technology service providers based on the guarantees the associates provide in the handling of data they will receive.
Data Subject Rights
Consumers under Regulation (EU) 2016/679 have the right to exercise a number of rights directly before the Controller. Specifically, they have the following rights:
Right of access: The right to receive confirmation from the Board in relation to whether the Data Subject’s data is being processed and the right of access to it and indicative information relating to: (a) the purposes of the processing, (b) the relevant categories of personal data; (c) the recipients or categories of recipients to whom personal data have been disclosed or will be disclosed, in particular recipients in third countries or international organizations, etc.
Right of correction: The right to demand from the Board, without undue delay, the correction of inaccurate personal data concerning the Data Subject.
Right of Deletion: The right to request the Board to delete personal data concerning the Data Subject under certain conditions.
Right to Restrict Processing: The right to request, under certain conditions, from the Board to restrict the processing rights.
Right to Data Mobility: The right to request and receive from the Board a copy of the rights reserved by the Board for that particular consumer.
Right of Objection: The right to object to a processing by the Board.
Right to Report Violation: The Board undertakes to inform Consumers of any breach of their data without delay. The manner of notification (for example, via individual email or by posting on its website) will depend on the type of violation and the number of Consumers it affects, as well as the ability to identify them.
In the event the above-mentioned Rights Request Form is completed, the applicant fill- in their data and specifically (a) Full Name (b) ID Number (c) Email (d) Home address, which are necessary for the correct identification of the Data Subject in order to avoid mistakes pertaining to synonymy of Data Subjects. The email and home address are collected so that the Larnaka Water Board can reply to the applicant. The applicant also chooses the method of sending a reply. If the applicant does not fill-in the relevant field, the Board’s reply will be sent to the Data Subject by mail or email.
The Form applicant needs to select from the list of the relevant Form the Right or Rights that they wish to exercise with their request. In order for a request to be evaluated, a statement is required from the applicant who can complete any other item they consider important. Finally, the applicant needs to sign the Form and submit it either to the Board employee who the Data Subject is in communication with, or electronically to the address mentioned above. The decision of the Board is notified to the applicant within one (1) month or if there is going to be a delay, the applicant is informed within one (1) month about the reason for the delay and the period of the expected delay.
In the event of a right being exercised, the Board undertakes to evaluate and respond within a reasonable time. However, if the Consumer still feels that their rights are not being met, they can contact the Office of the Commissioner for Personal Data Protection at dataprotection.gov.cy and submit a further complaint under the suggestions they will find on the official website of the Office of the Commissioner for Personal Data Protection.