Introduction
Sophia for Children (“Sophia for Children”, “we” “us” or “our”) is committed to protect all personal data it collects in accordance with the provisions of the EU General Data Protection Regulation 2016/679 (“GDPR”), effective as of 25.05.2018, and the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data Law 125(I)/2018, as amended (the “Cyprus Personal Data Law”), effective as of 31.07.2018.
This privacy policy (the “Privacy Policy“) explains how we handle and treat personal data of the persons (“you”, “your” or “yours”) who access our website at www.sophiaforchildren.com and/or www.sophia-foundation.com (the “Website”) and use the web-applications “Volunteering Application”, “Adopt a Child Application” and “Email Registration Application” (the “Web-Applications”), for participating in our available, from time to time, programmes (the “Programmes”) or receiving updates and newsletters from us.
Sophia for Children values your privacy and with this Privacy Policy we inform you on the way we handle and treat your personal data, including, inter alia, the nature of the personal data we collect and process, the purpose of the processing, the recipients of your personal data, how long we keep your personal data, how we secure your personal data, as well as the rights you have in respect of your personal data held by us.
It is important that you read this Privacy Policy carefully. By completing and submitting any of the Web-Applications uploaded in the Website, you are deemed to have read and understood this Privacy Policy.
This Privacy Policy should be read together with our Terms & Conditions and our Cookie Policy.
Who is responsible for your Personal Data (Data Controller)
Sophia for Children is the owner of the Website and the data controller of your personal data. We have the responsibility of the collection, management, handling and processing of your personal data collected through your visit to the Website.
What Personal Data we collect
When you complete and submit any of the Web-Applications uploaded in our Website, we may collect and process the following personal data, depending on the Web-Application you submit:
Information about you: name, surname, occupation, date of birth and number of children you wish to adopt.
Information to contact you: email address, mobile phone and residential address in Cyprus or abroad.
When you are under 18 years old, we may collect and process the following additional personal data:
Information to contact your parents or legal guardians: your parents’ or legal guardians’ name, surname, email address and mobile phone.
We do not collect any “special categories” of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic or biometric data) or any information about criminal convictions and offences.
Children under the age of 18
For the purposes of this Privacy Policy, “children” are individuals who are under the age of 18.
We understand the importance of protecting children’s privacy. We may collect personal data in relation to children only provided that we have first obtained their parents’ or legal guardians’ consent or unless otherwise permitted under applicable law. We do not provide any online services to children but we may allow children, subject to their parents’ or legal guardians’ consent, to declare their volunteering by submitting the “Volunteering Application”.
What legal bases we use & the purposes of processing your Personal Data
Your personal data is collected and processed based on the following legal bases and for the following purposes:
For the purposes of allowing you to get in touch with us, carrying out and performing any task, enquiry and request of yours, where you have declared your intention to participate to any Programme by submitting a “Volunteering Application” or an “Adopt a Child Application” and/or for contacting you regarding the foregoing, including, in the case of adoption, sending you informative emails, at least once annually, with news regarding your adopted child such as his/her school conditions and recent photos (article 6 (b) GDPR).
For the purposes of complying with any requirements of a regulatory authority and/or applicable law (article 6 (1) (c) of the GDPR).
For the purposes of sending you information, notifications, updates and newsletters, where you have declared your consent (opt-in) by ticking the box in any of the “Volunteering Application”, the “Adopt a Child Application” or the “Email Registration Application” (article 6 (1) (a) of the GDPR). You have the right to revoke your consent (unsubscribe / opt-out) at any time, however, any processing of personal data prior to the receipt of your revocation will not be affected.
Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
How we process your Personal Data
We collect your personal data through the following methods:
When you access, visit and browse our Website, we automatically collect data by using cookies. Please visit our Cookie Policy for further details.
When you complete and submit any of the Web-Applications, we collect and process the personal data you have voluntarily and directly submitted to us using various software tools.
We do not use your personal data for any commercial purposes.
With whom we share your Personal Data
We may disclose and share the personal data we collect or you share with us with third party recipients, if (a) we are legally required to do so, or (b) we are authorised under our statutory obligations, or (c) we are authorised under our contractual obligations, or (d) you have given us your consent.
We may, if so required, appoint sub-contractors data processors such as, without limitation, IT systems or software providers, IT support service providers, document and information storage providers, who will process personal information on our behalf.
Further, we may, depending on the circumstances (e.g. if you declare your participation to any Programme) appoint external data controllers where necessary or other third party experts. When sharing your personal data with third parties, we comply with our legal and regulatory obligations in relation to your personal data, including, without limitation, ensuring that all third party recipients have access to your personal data on a strictly need to know basis so that they can fulfil the obligations they have undertaken against and properly provide their services to us, that such third party providers process your personal data exclusively on our behalf and according to our instructions, that such persons will comply with the GDPR and the Cyprus Personal Data Law and, where applicable, maintain appropriate safeguards in place by entering into “data processing agreements ” pursuant to article 28 of the GDPR.
Your personal data may be shared with / transmitted to the following, including, without limitation, recipients:
(a) natural persons working and/or collaborating with us e.g. employees, external service providers and administrative assistants;
(b) legal persons involved with us e.g. external service providers and collaborators;
(c) supervisory and other regulatory authorities who have power to request information from us;
(d) service providers/agents assisting in our day to day business;
(e) service providers assisting in implementation of our procedures e.g. IT services;
(f) External legal, tax, VAT and business advisors;
The above is a non-exhaustive list of persons and entities with whom we might (depending on the circumstances) share your personal data with. There may be other instances and persons to whom we may disclose your personal data as applicable.
When doing any of the above, we will comply with our legal and regulatory obligations in relation to your personal data, including, without limitation, maintaining appropriate safeguards in place.
Transfer of your Personal Data outside the EEA
We do not transfer your personal data to countries outside the EEA (European Economic Area).
Exceptionally, your personal data may be transferred to countries outside the EEA if:
(a) this is required for fulling your requests such as declaring your participation to any Programme;
(b) you have granted us your consent;
(c) this is required by law.
Processors in countries outside the EEA, which are not considered ensuring an adequate level of protection of personal data by the EU Commission or a national data protection authority (the so called “Unsafe Third Countries”) are obliged to comply with the data protection level in Europe and provide appropriate safeguards in relation to the transfer of your personal data in accordance with article 46 of the GDPR. Where we use agents/service providers located in such Unsafe Third Countries we will ensure that they will provide such safeguards. Any transfers outside the EEA will be in line with the GDPR and the Cyprus Personal Data Law. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Cookies
You can control or delete cookies by changing the settings in the web browser you are using. If you disable or refuse cookies, please note that some parts of this Website may become inaccessible or not function properly.
For information relating to cookies kindly refer to our Cookie Policy.
For how long we keep Personal Data (Retention Period)
When you access, visit and browse our Website: we will retain information collected via cookies in accordance with our Cookie Policy.
When you complete and submit a “Volunteering Application” or an “Adopt a Child Application”: the personal data submitted with any of the above Web-Applications, as well as any other personal data we may request from you from time to time during your participation in and in connection with any of the above Programmes, will be retained and securely stored by us during the period of your participation to the Programme and for an extended period of seven (7) years after your participation has expired or terminated or ended or not-renewed. If you have ticked the box, in any of the above Web-Applications, for receiving general information, notifications, updates and newsletters, the personal data submitted with the above Web-Application will be retained and securely stored by us until we receive a request from you to unsubscribe/opt-out from such processing (revoke your consent) through sending an e-mail at [email protected] or by ticking the “unsubscribe” button in the occasion of each email. Once we receive an unsubscribe/opt-out request from you (revocation of your consent), your personal data submitted with the respective Web-Application, will be removed, deleted and destroyed for the purposes of receiving information, notifications, updates and newsletters. We may keep your data for longer than seven (7) years or after we have received your unsubscribe/opt-out request, respectively, if this is required by applicable law to, inter alia, meet our statutory obligations or defend our legitimate interests for purposes of, inter alia, complying to any audits, and/or defending or initiating any claims and/or achieving the purposes for which they have been collected. In these cases your personal data will be removed, deleted and destroyed at the latest after this reason has ceased to exist.
When you complete and submit an “Email Registration Application”: the personal data submitted with the above Web-Application will be retained and securely stored by us until we receive a request from you to unsubscribe/opt-out from such processing (revoke your consent) through sending an e-mail at [email protected]. Once we receive an unsubscribe/opt-out request from you (revocation of your consent), your personal data submitted with the respective Web-Application, will be removed, deleted and destroyed for the purposes of receiving information, notifications, updates and newsletters. We may keep your data after your unsubscribe/opt-out request if this is required by applicable law to, inter alia, meet our statutory obligations or defend our legitimate interests for purposes of, inter alia, complying to any audits, and/or defending or initiating any claims and/or achieving the purposes for which they have been collected. In these cases your personal data will be removed, deleted and destroyed at the latest after this reason has ceased to exist.
Where we no longer require your personal data, or where you exercise your right of erasure (please refer below), we will ensure that it is either securely deleted or destroyed or stored in a way which means it will no longer be used by us.
How we secure your Personal Data
Sophia for Children is committed to ensuring that your personal data is and remains secure and confidential. In order to prevent unauthorised access, use or disclosure of your personal data, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the personal data that we collect. Our security technologies and procedures are regularly reviewed to ensure that they are up to date and effective. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Policy, the GDPR and the Cyprus Personal Data Law.
The personal data you provide to us is stored on our secure servers and computers and are transmitted securely by using access codes, firewall and encryption for their protection. We use the ESET Endpoint Encryption (Deslock+) to encrypt disks, files, folders and emails. Unfortunately, the transmission of information via the internet is not completely secure and there cannot be assurance of absolute protection. While we take reasonable steps to protect all information submitted to us and/or received by us in accordance with the Privacy Policy, we cannot, in any event, guarantee the security of any personal data transmitted to us via e-mail and, in general, through the internet, and as such any transmission is at your own risk.
In case we keep your personal data in paper form your personal data is stored in designated secure spaces within our premises where no unauthorised access is permitted.
All of our partners, employees, consultants, workers and data processors, who have access to, and are associated with the processing of your personal data, are obliged to respect the confidentiality and security of such personal data and comply with the GDPR and the Cyprus Personal Data Law.
Third Party links
The Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible for their privacy policy. When you leave our Website, we encourage you to read the privacy policy of every other website you visit.
What rights do you have regarding your Personal Data
You have the following rights exercisable any time free of charge:
Right of Access: You have the right to request access and receive information from us regarding the processing of the personal data we hold about you (article 15 of the GDPR)
Right to Rectification: You have the right to request that we rectify and/or correct and/or complete any of the personal data we hold about you that is incorrect or incomplete (article 16 of the GDPR)
Right to Erasure: You have the right, in the event that the requirements specified in article 17 of the GDPR have been met, to request the erasure of the personal data we hold about you. Accordingly, you may request the erasure of your data, for instance, if it is no longer necessary for the purposes for which it was collected. Furthermore, you can also request erasure if we process your data on the basis of your consent and you withdraw this consent (article 17 of the GDPR)
Right to Restriction of Processing: You have the right to request the restriction of the processing of the personal data we hold about you if the requirements specified under article 18 of the GDPR have been met. This is the case, for example, if you dispute the accuracy of your personal data. You may then request that processing is restricted for as long as it takes to examine the accuracy of your personal data (article 18 of the GDPR).
Right to Data Portability: Provided that the data processing is based on consent or on the fulfilment of a contract and that it is also carried out using automated processing, you have the right to request and receive the personal data we hold about you in a structured, common and machine-readable format and to forward it to another data controller (article 20 of the GDPR).
Right to Object: If processing is based on our legitimate interest, you have the right to object to the processing of the personal data we hold about you. An objection is permissible if processing is either in the public interest or on account of a justified interest of Sophia for Children or a third party (article 21 of the GDPR).
Right to Withdraw Consent: If we rely on your consent (or explicit consent) as our legal basis for processing the personal data we hold about you, you have the right to withdraw that consent at any time. However, the withdrawal of your consent (or explicit consent) shall not affect the lawfulness of processing based on such consent before its withdrawal (article 7 of the GDPR).
Right to Raise Concern: You may exercise your above rights or contact Sophia for Children to raise any concerns or request information on the processing of the personal data we hold about you by contacting us (article 38(4) GDPR).
Right to lodge a Complaint: If at any case, you are of the opinion that we infringe your privacy, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus (Iasonos 1, 1082, Nicosia – Tel: +357 228184560), either electronically at the email address: [email protected] or by post to the Office of the Commissioner at: PO Box 23378, 1682 Nicosia or by fax at: +357 22304565. Please find more information at www.dataprotection.gov.cy.
Contact Us
You may contact us for issues related to your personal data in general, for exercising your rights and for filing any complaint at [email protected].
We will endeavour to respond to any request as soon as possible and no longer than 30 calendar days from the receipt of the request. In case where we will not be able to respond to your request within the aforementioned time period or in case your request is rejected, we will inform you accordingly explaining the reasons for any delay or for rejecting your request and inform you that you have the right to submit a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus to the details mentioned above.
Change of this Privacy Policy
We reserve our right to amend this Privacy Policy from time to time and any changes will become effective when we upload the revised Privacy Policy accordingly. We will reasonably endeavour to notify you when we make changes to this Privacy Policy and we will amend the revision date at the bottom of this page. We do however encourage you to review this Privacy Policy periodically so as to always be informed about how we process and protect your personal data.
Version 1:
Last updated [April 2024]