At MERCURY, we value and respect your privacy and prove this through this Policy which demonstrates our compliance with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”) which is directly applicable in the European Economic Area from 25th May 2018, and has introduced new measures aiming to protect your Personal Information and thus your privacy.
MERCURY in the process of receiving and processing your information for the purposes specified hereunder has and takes responsibility as the controller of your Personal Information, meaning that we, as a legal person alone or jointly with others, determine the purposes and means of the processing of the Personal Information we receive.
In this Policy, we explain our practices regarding the collection, use, processing and disclosure of your Personal Information, the purposes for which we use your Personal Information, what kind of Personal Information we collect from you and when we collect them.
Personal Information Collected
“Personal Information” is information that identifies you as an individual or relates to an identifiable individual i.e. through which you may be identified. It always has to do with living people and does not concern legal entities such as companies. The Personal Information which we might collect is the following. We always only collect what is necessary for the purposes defined below depending on the applicable purpose and the category of the data subjects i.e. the individuals whose Personal Information is collected:
Clients (online and offline)
Except as provided otherwise, in relation to this category of data subjects, the provision of the data is necessary for the performance of the contract and / or transaction and/or the conclusion of a contract between us. The collection of the below Personal Information is also necessary to comply with our legal obligations to keep our accounting books in order and our legal obligations under the VAT and income tax laws and regulations. Failure to provide them might render our service impossible or illegal to provide.
b) home and/or work address, P.O box;
c) landline and mobile telephone numbers and email address, fax number;
d) credit and debit card number, other payment card information and generally payment, pricing and bill information in the event of offline purchases;
e) your order history;
f) your reviews and opinions about our services. The collection of this is based on our legitimate interest to improve our services and/or to deal and/or to handle complaints.
This category includes people that have subscribed to our newsletters. The collection of their information is based on a contract formed between us through the application form that they complete and the terms and conditions included therein and/or their consent provided through the application form. If they do not provide the below information they cannot become members.
a) all the above information included under the “Clients” subsection, but without the limitation as to what is necessary for the completion of a contract mentioned in the above sub-section;
b) the names, and gender;
c) e-mail addresses;
d) the sports activities they have done.
These data are obtained under the social security regulations and laws, and/or your consent and/or our legitimate interest in identifying our staff and communicating with them under the employment contract. Failure to provide the following data results in the employment being rendered illegal and / or in an inability to perform the employment contract.
a) CVs, studies, academic titles, past working experience and evidence of the information included on the CV;
b) Name, title, gender and date of birth, identity number and / or passport number and all the information mentioned therein;
c) Contact details: home address, landline and mobile telephone numbers and email address, fax number;
d) health status and history required by social insurance authorities;
e) tax identification number;
f) social security number;
h) Employment contracts and any data recorded on them.
These data are necessary for the selection process and/or for entering into an employment contract with us. Failure to do so makes the process impossible and / or undesirable.
a) Curriculum vitae, studies, academic titles, past working experience and evidence of the information included on the CV; and
b) Name, title, gender and date of birth, identity number and / or passport number;
c) Contact details: e-mail address.
Dealers and their personnel
To the extent that we receive personal information of dealers and/or their personnel such information is either necessary for the performance of the service and/or product agreement and/or transactions with us and/or it is based on your consent and/or our legal obligation to keep our accounting books in order and/or our legitimate interests in facilitating the better communication in the intervals of our business relationship and/or cooperation. Failure to provide this information has a negative impact on the flexibility and ease of our communication and might also render our transactions illegal to the extent that the quality of our bookkeeping activities are affected.
b) VAT numbers;
d) Contact details: address, telephone and / or mobile phone number and e-mail address.
c) Professional position and title
Suppliers and/or service providers and their personnel
The same information that are collected for “Dealers and their personnel” is collected for suppliers and/or our service providers and their personnel as well but in addition the supplier’s IBAN is also collected, to the extent that suppliers are individuals.
The provision of the below information is necessary for the performance of the service and/or product agreement with us and/or it is based on your consent and/or our legal obligation to keep our accounting books in order and/or our legitimate interests in facilitating the better communication in the intervals of our business relationship and/or cooperation.
c) telephone number.
The reception of these data is not done in the process of any contract and/or a legal requirement of Mercury but it is based on our legitimate interest to protect our products and property, the safety of our visitors and to take steps to prevent criminal activity.
a) your image on CCTV in the event that you pass in front of one of its cameras.
The reception of the below data is not done in the process of a contract and/or a legal requirement and/or legal obligation of MERCURY. It is done based on our legitimate interest to improve the goods and services we offer to clients and the public and to understand towards which direction the demand trends tend to move, to customize the content of our website and/or based on the cookies notice and/or your consent to the cookies notice which appears in our website and the provision of information on our part as to how to disable them.
a) The IP address of your device;
b) Your movements and/or behavior in our website;
c) Cookies information.
Social Media Page Visitors/Users
The reception of the below data is not done based on a legal requirement of MERCURY ro a contract with MERCURY. It is done based on our legitimate interest to improve our social media page, to understand towards which direction the demand trends tend to move and to customise the content of our social media page and/or your consent that you have provided to the provider of the social media (such as Facebook and Instagram) which we both use and based on which they bring us together.
a) Your account username;
b) In the event that you use a social media account to access our social media page, your profile username, (inevitably) your photograph and any Personal Information that are available on your profile;
c) Your movements and/or behaviour when you enter our social media page.
People who communicate with us
These data are not needed in the process of a contract or as part of a statutory requirement of MERCURY but they serve as a means to respond to any inquiry or issue in relation to which you contact us:
a) your correspondence and communications with MERCURY;
c) your contact information e.g. e-mail address and / or telephone number.
We may also collect the following which are not based on any contractual with or legal obligation of MERCURY:
a) any other publicly available Personal Information, including information that is published on websites and any which you have shared via a publicly available platform such as your Linked In pages, WhatsApp, Viber, WeChat, Facebook, Twitter or other online social media services when you sign up; and/or
b) any other type of information which you may choose to provide to us or we may obtain about you through third parties with whom we do business during the execution of the below purposes.
Ways Personal Information is Collected
We and our service providers and/or agents and/or affiliates may collect Personal Information either:
a) directly from you (i.e. face-to-face contact or e-mail or fax or courier sent from you);
b) indirectly from you (i.e. a person/body acting on your behalf);
c) through or with the assistance of a third party who has first obtained your permission to share this information with us (e.g. a person/body providing information in the course of services provided to you or in the course of their legal obligations, your employer, our and/or your associates, introducers and other third parties);
d) a publicly available source (e.g. a directory); and/or
e) another source whether these are provided in writing or verbally and in providing any part of our services.
The methods used for the collection of your personal data are the following:
a) requests and/or messages sent to our website and/or registrations done through our website;
b) when you communicate with us and/or with any member of our staff over the phone or via online chat-texting services or a social media service which may include Viber, WhatsApp, Linked in, WeChat, Messenger, Facebook, or other online social media services when you sign up;
c) when you visit our offices and/or when you have a meeting with any person of our staff whether in our offices or in another location; and/or
d) when you visit or use our website; and/or
e) from publicly available databases and websites.
In the event that we receive information from third parties, as opposed to directly from you, provided that they are lawfully entitled to share your Personal Information with us, we will use and/or disclose and/or share this information for the purposes described below in this Policy. Also in the event that your Personal Information is collected in this way, then we will bring to your attention the information included in this Policy along with the source from which the Personal Information originate, and if applicable, whether it came from publicly accessible sources. This information shall be provided to you within a reasonable period after obtaining the Personal Information, but at the latest within 1 month, except where the Personal Information is to be used for communication with you, in which case we will provide you with the above information at the latest at the time of the first communication with you. However, if the above information is envisaged to be disclosed to another recipient then the above information shall be disclosed the latest when the Personal Information are first disclosed to the new recipient, despite the fact that none of the previous deadlines has passed. Of course, no such information would need to be provided:
a) where you already have this information; and/or
b) where the provision of this information, for some reason, proves impossible or would involve disproportionate effort to obtain; and/or
c) obtaining or disclosure is expressly laid down by Union or Member State to which we are subject, and which provide measures to protect your legitimate interest; and/or
d) in the event where the Personal Information must remain confidential subject to an obligation of professional secrecy.
We may use and/or disclose and/or transfer Personal Information only to the extent that is necessary for and proportionate to the execution of the below purposes and depending on the category of data subjects:
Generally in relation to all of the below
a) for our business purposes, such as data analysis, audits, security and fraud monitoring and prevention (including through the use of closed circuit television), enhancing, improving or modifying our services to ensure that you get high quality services, and expanding our business activities;
b) to identify all the below data subjects and to verify their identity and/or to perform security checks and/or to ensure that we speak to the correct individuals in the intervals of providing our services to them, especially when communicating confidential and/or Personal Information;
c) to respond to an emergency which sets the physical integrity and health of a person at risk;
d) to permit us to pursue available remedies or limit the damages that we may sustain and/or defend our case in the course of court proceedings against any of the below;
e) to act upon any legitimate interest permitted under the Regulation.
Clients (online and offline):
a) for the provision of the products and/or services you request from us;
b) to receive payment;
c) to generate statistics in relation to the types and volumes of clients to whom we provide products and/or services and the products and/or services we have provided during the year; and/or
d) to predict responses to advertising;
e) to comply with our legal and regulatory obligations, which may involve but is not limited to complying with VAT, income tax and other tax laws and regulations, and social insurance reporting duties, to respond to governmental inquiries or requests from public authorities when we are obliged to do so;
f) to provide electronic receipts;
g) to enforce our websites’ terms and conditions;
h) to manage the interactions of our customer service with you;
i) to administer your online account with us and/or maintain your account information;
j) to reserve and/or order products upon your request.
a) to administer the loyalty program;
b) to provide members with the appropriate discounts;
c) to send to the members and/or to bring to the attention of the members promotional and/or marketing material and/or newsletters and/or special and/or promotional offers and/or to better target advertising and/or to predict responses to advertising;
d) to monitor your purchasing behaviour;
e) to combine the information we collect with information collected from other sources to assist with targeting advertisements;
f) to customise our products and/or services and/or advertising to those members’ preferences and behavior.
a) to fulfil our responsibilities under the employment contracts;
b) to administer and organise the personnel;
c) to comply with social security laws, regulations and reporting standards, including accounting and auditing;
d) to identify our personnel;
e) to make payments.
a) to administer the process of interviewing and/or selection of members of the personnel;
b) to make preparations in order to enter into an employment contract;
Dealers, Suppliers and Instructors
a) to associate and communicate with you in the event of cooperation for the provision of any of the above services to you and/or third parties;
b) to carry out our duties in the intervals of a transaction and/or contract and/or to receive and/or make payments.
a) to protect the safety and security of the shop visitors, our personnel, our property, the Personal Information we store and to prevent criminal activity;
b) to assist public authorities in the event of a criminal investigation;
c) to return lost items.
Website users and social media users
a) to generate usage statistics of our website and our social media pages;
b) to improve our website and make it more user-friendly;
c) to improve and customise our services;
d) to carry out marketing promotions;
e) to enforce and/or apply the terms and conditions of our website,
f) to better target advertising.
People who communicate with us
a) to correspond with you in the event that you have contacted us about our products and/or services and/or you have any other enquiry and/or you want to establish a business relationship.
In the event that we decide to further process your Personal Information for a purpose other than the purposes for which the above Personal Information was obtained, we shall only do so to the extent that the processing is compatible with the purposes in relation to which the data was collected.
Disclosure, Sharing and Transfer of Personal Information
Your Personal Information may be shared with the below entities and/or people, which may involve cross-border transfer of information to third parties in countries outside the European Economic Area:
a) authorised personnel at our offices, who are appropriately and regularly trained for the processing of Personal Information;
b) our external business partners, affiliates and subsidiary companies of MERCURY;
c) our auditors and/or accountants;
d) our legal consultants and/or advocates and/or solicitors and/or barristers and/or lawyers;
e) the Commissioner of Taxation in Cyprus, and any other regulators or supervisory authorities;
f) service providers and/or suppliers who assist us in the provision of the above services and/or the storage of the Personal Data and/or the functioning of our offices, such as our software and IT engineer and social media administrator;
g) non-financial companies (including retailers, online and offline advertisers, membership list vendors, direct marketers and publishers);
h) companies that perform marketing services on our behalf;
i) any other associates and/or agents and/or any other physical and/or legal person and/or body to whom you instruct us to transfer your Personal Information;
j) with professional and regulatory organisations such as the Cyprus Chamber of Commerce and Industry, Chamber of Commerce and Industry of Nicosia, Chamber of Commerce and Industry of Athens and the Cyprus Dive Centres Association;
k) in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), we may share your Personal Information to a third party for the purposes of the aforementioned event;
l) we may also disclose information to a third-party who provides substantially similar services as the original service signed up for, if we decide to stop providing such services ourselves;
m) if you visit any of our properties for the purpose of an event and/or meeting and/or seminar, then the Personal Information collected for the meeting and/or event and/or seminar may be shared with (1) the organisers of that event and/or meeting and/or seminar, and (2) where appropriate, the guests who participate in the event and/or meeting and/or seminar.
Where your Personal Information is transferred by MERCURY to a country outside the European Economic Area (EEA), MERCURY shall ensure that the country which the Personal Information is transmitted and the recipient of the Personal Information keeps satisfactory level of data protection measures.
Where there is no confirmation from the European Commission that a particular country, which is outside the EEA, keeps satisfactory level of protection, then the standard contractual clauses which have been approved by the European Commission will be used for the purpose of data. If this is not possible then the other means of lawful transfer which are provided by the Regulation will be used.
MERCURY will not, in any way and in any event, directly or indirectly, sell or rent any of your Personal Information to any third party. Any information supplied will be confidential and will be handled in accordance with the applicable laws and regulations.
Confidentiality and Personal Information
MERCURY must employ suitable personnel and take appropriate organizational and technical measures for the processing of Personal Information, their security and protection from accidental or unlawful destruction, accidental loss, alteration, unauthorized dissemination or access or any other form of unlawful processing.
Also MERCURY carries out checks and/or uses contractual terms to ensure that any party to whom my Personal Information are transferred and/or who has access to Personal Information and who processes Personal Information on behalf of MERCURY complies with the principles of confidentiality, the instructions and security procedures specified by MERCURY, the Regulation and the law in general. Where any recipient determines the way in which the Personal Information will be processed and the purpose for which they will be processed, the due diligence will take place in relation to that recipient to ensure that they carry out checks and/or have contractual terms and/or binding agreements in place to ensure that Personal Information is processed in accordance to the Regulation.
Any information related to you shall not be disclosed to third parties except in the cases allowed and/or mandated under the provisions of the Regulation and the law in general.
Legal grounds for collection and processing of Personal Information
We would like to inform you that the legal grounds for receiving and handling your Personal Information are:
a) that processing is necessary for the provision of the services from and/or any other contractual agreement (e.g. retainer for representation before the court, Engagement Letter, employment contract) you have with MERCURY (Regulation, Art. 1(b));
b) to the extent that the collection and processing is not covered by a) then the legal ground will be your explicit consent to the processing of your Personal Information for the above specific purposes (Regulation, Art. 1(a)). You may withdraw your consent at any time by sending us written notice of your wish to withdraw. This may be done in any written format including e-mail and fax; and
c) that processing is necessary for compliance with our legal obligations (Regulation, Art. 1(c));
d) that processing is necessary in order to protect your vital interests or those of another individual (Regulation, Art. 1(d));
e) that processing is necessary for the legitimate interests pursued by us except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child (Regulation, Art. 1(d)). Direct marketing to existing clients of MERCURY is part of the legitimate interests but they may at any point unsubscribe.
Under the Regulation, you have the following rights:
a) to check whether and what kind of Personal Information we hold about you and to access or to request copies of such data;
b) to be explained clearly and simply the information contained in this Policy;
c) to request correction, supplementation or deletion of Personal Information about you that is inaccurate or processed in non-compliance with applicable legal requirements;
d) to instruct the erasure of your Personal Information from our archives and/or servers and/or back-ups where:
i. it is no longer necessary for the purposes mentioned in this Policy;
ii. where you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
iii. where you object at any time to the processing of your Personal Information in accordance to point (f) and (g) below;
iv. your Personal Information has been unlawfully processed;
v. your Personal Information has to be erased in order for us to comply with our legal and/or regulatory obligations.
e) to obtain a restriction to the collection, processing or use of Personal Information about you where:
i. the accuracy of your Personal Information is contested by you to allow us to verify the accuracy of your Personal Information;
ii. the processing is unlawful but you do not wish us to erase your Personal Information from our archives;
iii. we no longer need your Personal Information for the purposes of processing, but they are required by you for the establishment, exercise or defence of legal claims; or
iv. you object to the processing of your information which is based on your consent, subject to limited exceptions such as the establishment, exercise or defence of legal claims;
f) to object to processing of your Personal Information on grounds, relating to your personal situation, which have been obtained based on the necessity for the legitimate interests pursued by us, and to have us no longer process your personal data unless either we demonstrate to you compelling legitimate grounds for the processing which override your interest, right and freedoms, or the Personal Information is needed for the establishment, exercise or defence of legal claims;
g) to object at any time to processing or your data for direct marketing;
h) to the extent that your data is processed on the legal ground of your consent or the processing is carried out by automated means, to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from our part;
i) to know the identities of third parties to which your personal data is transferred;
j) to provide instructions on how your data must be handled after your death when relevant;
k) to lodge a complaint with the competent data protection authority, in Cyprus i.e. the Office of the Commissioner for the Protection of Personal Data;
l) to withdraw your consent at any time. If, following the provision of the consent, you then no longer wish to receive from us on a going-forward basis tax and deadline alerts, tax news and/or other informative material about the state of the law and the economy, important business and legal events and developments on both Cyprus and international levels, you may opt-out by emailing us to [email protected] or following the instructions in any such email you receive from us or by sending us a fax at 00357-25564301 or calling us at 00357-25877933;
m) to request us to transmit your Personal Information to another controller without hindrance from our part.
How you can exercise your right?:
If you would like to review, correct, update, suppress or delete Personal Information that you have previously provided to us, you may contact us at [email protected] or:
29 Franklin Roosevelt Ave.,
P.O. Box 50469, Limassol 3605
Email: [email protected]
We only accept requests for the exercise of your rights that are in a written form (even if it is in an electronic form) and we also request proof of your identity.
For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request. We will try to comply with your request as soon as reasonably practicable.
Reasonable organisational, technical and administrative measures are in place to protect your Personal Information from unauthorized access, disclosure, alteration or destruction, while the Personal Information is stored in our archives and/or servers. Among the things used to ensure the protection of your data are the following:
a. use of PHP technology and MySQL as the database management system;
b. encryption for our servers and computer systems;
c. double back-up of servers;
d. separate back up of data contained in all our computers;
e. a strict internal security policy with respect to the confidentiality of customer and other data, limiting access only to those employees who have a need to know such information for the purpose of effectively delivering mercury.com.cy products and services;
g. alarm; and
h. use of access passwords in relation to computers.
We also carry out checks to ensure that our affiliates and service providers, with whom we share personal information, have reasonable measures in place to provide an adequate level of data protection and to maintain the confidentiality and protection of your Personal Information. For example, confidentiality agreement may be used to protect against further unauthorised disclosure.
We will not contact you by mobile/text messaging or email to ask for your confidential personal information or payment card details. If you receive this type of request, you should not respond to it. We will only ask for payment card details to be given to us via telephone or to be sent to us via fax when you are booking a reservation or promotional package offline. Payments for online purchases are made through Paypal. We also ask that you please notify us at [email protected] in the event that you receive any communication that is contrary to the above.
If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us at [email protected]
Special category of Personal Information
“Special Category of Personal information” amount to such information the processing of which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
We do not generally collect Special Category information and we ask that, unless there is a regulatory or other serious need for you and/or another client and/or a third party , you do not to send us, and you do not disclose, any Special Category Personal Information to us.
We do not knowingly collect personal information from individuals who are under 18 years of age. As a parent or legal guardian, please do not allow your children to submit personal information without your permission. By providing us with the personal information of your children, you represent that authority has been given by both parents for the provision of this information.
Unless, we hear otherwise from you or a longer retention period is required or permitted by the applicable law or unless we have serious reason to believe that the maintenance of your files is required, or there is a continuous contractual and/or service relationship between you and MERCURY, your Personal Information will be subject to our 7-year retention policy following the termination of our relationship and/or our last transaction and/or communication. There is an exception to this in relation to Personal Information of candidate personnel the retention period of which is up to 1 year following the filling of the employment position in relation to which they applied and/or following their receipt in case that it was sent without being related to a specific employment position. This retention period is in our opinion necessary to fulfil the purposes outlined in this Statement.
Your Personal Information shall be destroyed as early as practicable, from both our short-term system and our back-ups so that restoration and/or reconstruction of the data are no longer possible. This also involves the secure destruction of any printed paper through methods such as cross-shredding or incinerating the paper documents.
Updates to this Privacy Statement
Where the need arises for the further protection of your Personal Information and for the purposes of your information, we may change and/or modify this Privacy Statement from time to time. Where we make material changes to this Statement we will post a link to the revised Statement of the homepage of the website of MERCURY at http://www.mercury.com.cy and where you have consented to the processing of your Personal Information based on a previous version of this Statement you may also be informed through a communication channel that you have provided.
It is possible to recognise when this Statement has been last updated by looking at the date at the top of the Statement. Any changes become effective from the date on which they were posted on the website of MERCURY. Use of the website, any of our products and services, and/or providing consent to the updated Statement following such changes constitutes your acceptance of the revised Statement then in effect.
In the event that you have any questions about this Privacy Statement or you want to exercise any of your rights regarding your Personal Information please contact us at [email protected] or:
29 Franklin Roosevelt Ave.,
P.O. Box 50469, Limassol 3605
Email: [email protected]
Because email communication is not always secure, please do not include credit card or other sensitive information in your emails to us.
Managing Director of M.D.I. Mercury Co. Ltd