This Policy explains when and why we collect your personal data, how we use it, the conditions under which we may disclose it to others and how we keep it secure as well as your rights in relation to the processing of your personal data.
We may change this Policy from time to time. You are invited to check our website periodically, in order to keep up to date with any changes. In the exceptional case of a substantial change, we may also attempt individual notification. By using our website, you agree to this Policy, as amended from time to time to the extent relating to information, we collect about you in your capacity as a user of our website. As far as information we are collecting about you in the context of conducting our activities, you are welcome to contact our DPO (the details of whom can be found below) in case you have any related concerns.
Name: Dr. Christiana Markou
Email: [email protected]
Tel.: 22377863, Fax: 22377860
Address: 2, Amfipoleos street, Marcou Tower Office 201, 2025 Strovolos Nicosia, Cyprus
Who are we?
When do we collect and process information from you?
We collect information about you:
1. when you submit to us an online Application Form for being a donor,
2. when you undergo the assessment and selection procedure,
3. When you go through the donation process and you are administered as a donor
4. when you submit a complaint, question, query, or request to us,
5. when you follow or interact with us through our Facebook Page or we communicate, for the purpose of you being assisted or supported in relation to an obligation, either yours or ours, arising from the Law or for purposes relating to the conclusion, execution, or administration of the Donor agreement.
What type of personal information is processed and how?
The personal information we process includes your name, username, identity card number or alien registration book, or passport, or driver’s license, date of birth, information about your education, business occupation, telephone number, address, email address, payments made to you and a donor ID we are creating for you. We also collect any other information you provide to us by filling in our online donor application form or by filling in and send email questionnaires. When you follow us on Facebook, we process information that you have made available to us via settings on said social network, your reactions to our posts and your sharing thereof and any comments made to our posts.
We also collect all personal data you are providing to us by filling in and submitting our online donor application form, as well as when you undergo a special assessment and selection procedure and when you are administered as a donor if approved. This includes categories of sensitive (or special category) personal data such as information about your physical and mental health, urine and blood samples resulting in data about your health, data relating to your behavior, personality and emotional intelligence (EQ), race and ethnic origin, genetic data resulting from blood and urine testing, lifestyle and sex life, use of medication or other intoxicants, any tattoos and piercings, hereditary diseases in your family, as well as biological, genetic and laboratory test results and sperm sample. We also collect information such as, your religion, height, weight, hair color, eye color, your photos, voice recording, handwriting and all information provided through a sperm donor profile form, the type of your donor profile (basic or extended), your responses to questions concerning a number of practical matters in connection with you being a donor, all information mainly the aforementioned sensitive information provided through oral communication with our staff and forms such as the sperm donor consent form, donor questionnaire, the clinical examination questionnaire, the change in risk behavior form, the corona virus risk assessment form and consent forms that may be required for distribution of your sperm in other counties, when applicable. We may also collect further identification information such as biometrics, specifically a template of your fingerprint arising from finger scanning and health-related information as above described as necessary to ensure the health and safety of the gametes at all stages.
For a detailed description of the personal data collected about you, how and why as well as where it may be disclosed (in some cases, in non-identifiable form), you can click here and/or contact our DPO for any questions you may need.
How and on what legal basis is your information used?
We use your non-sensitive personal information lawfully, in accordance with,
- Article 6(1)(a), i.e., for purposes you have consented to, if any
- Article 6(1)(b), i.e., as necessary to conclude or perform a contract with you,
- Article 6(1)(c), i.e., to comply with obligations imposed by law and,
- Article 6(1)(f), i.e., as necessary for legitimate interests we pursue as a company.
This relates to the processing of basic identity and contact details necessary to:
- respond to, examine, or satisfy applications, claims and related requests or queries submitted by yourself in the context of discussing, concluding, and performing a donor agreement,
- carry out our obligations arising from our agreement to pay you the compensation you are entitled to.
This relates to the processing of identity documents, such as your national ID and all information collected through the aforementioned forms and questionnaires for the purpose of assessing your suitability as a donor, registering you as one if approved and securing spouse/partner consent and in the processing of data associated with the collection and storing of the gametes to ensure their safety and traceability as well as bookkeeping information such as payments made to you and the expenses involved in the donation necessary to:
- comply with or respond to requirements or demands by regulatory authorities and ensure compliance with the Medically Assisted Reproduction Law of 2015 (Law 69(I)/2015), mainly Sections 32, 33 and 35, the Standards of Quality and Safety (donation, procurement, testing, processing, preservation, storage and distribution) of Human Tissues, Cells and Derivative Products Law of 2007 (Law 187(I)/2007), mainly Sections 28, 35, 38, 39 and Appendix III, the Regulations adopted pursuant to these laws requiring us to reliably verify your identity, keep a donor identification register, assess the history of your behavior, maintain a file for every donor and ensure traceability of sperm from donor to recipient and vice versa as well as with tax legislation.
This relates to the processing of your personal data as necessary to:
- carry out donor satisfaction surveys and statistics with anonymized data,
- organize our business efficiently, create your basic donor profile, secure required consents to enable the distribution of the gametes and establish our presence as a tissue establishment, for example, by receiving necessary services from third parties and making content available on social media for users who have chosen to follow us or cooperating with other company members of the Cryos Group.
This relates to the collection of the gametes and the processing of the information you provide through the initial donor application form, on the phone to our staff or as a result of an initial sperm test, and to the processing inherent in creating your extended profile, sending you communications to inform you about the outcome of the examination of your donor application if applicable, or regarding our activities, services and/or events.
We use your sensitive or special category personal data, such as data relating to your health, ethnicity, or sex life, lawfully, for the above purposes, additionally in accordance with,
- Article 9(2)(a), i.e., on the ground that you have given us your explicit consent. This legal condition applies to the collection of the gametes and the processing of any sensitive data provided through the initial donor application form and consent form and in the context of assessing your suitability as a donor, and registering you as one if approved, to the extent not covered by Article 9(2)(i) below as well as in the context of building your donor profile including you taking an EQ test and distributing your sperm to foreign countries.
- Article 9(2)(i), i.e., on the ground that processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law. This legal condition applies to the processing of your sensitive data, such as data relating to health provided in the context of assessing your suitability as a donor and/or approving and registering you as one through the aforementioned questionnaires and forms as well as blood, urine and sperm samples and the results produced out of their testing and collecting and storing the gametes. It also applies to the processing of your biometric data in order to accurately verify your identity every time you donate sperm. More specifically, your sensitive or special category personal information is used to unambiguously confirm your identity, enable accurate traceability, investigation and reporting of undesirable events relating to the health and safe of the gametes, keeping of donor files and registers and ensure your suitability as a donor and ultimately high standards of health, quality and safety of the sperm as required by law, mainly the Standards of Quality and Safety (donation, procurement, testing, processing, preservation, storage and distribution) of Human Tissues, Cells and Derivative Products Law of 2007 (Law 187(I)/2007), mainly Sections 28, 31, 35-38, 39 and the Appendixes referred to therein and the Regulations issued in the context of said Laws, namely Regulation 438 / 2008 Annex I, Part E, Annex V, Articles 6 και 7 και Annex III & IV as well as the Medically Assisted Human Reproduction Law of 2015, Law 69(I) of 2015, mainly Sections 33 and 35. After your gametes are used in IVF, the retention of your data is only based on Article 6(1)(c) & Article 9(2)(i) and not consent.
- Article 9(2)(f), i.e., where necessary for the exercising, defending, and pursuing of legal claims if a relevant dispute arises.
- Article 10, which relates to data relating to whether you have spent time in a correctional facility, processing which is relevant to comply with our legal obligation to assess the history of your behavior under the Standards of Quality and Safety (donation, procurement, testing, processing, preservation, storage, and distribution) of Human Tissues, Cells and Derivative Products Law of 2007 (Law 187(I)/2007), Section 38 and Appendix III.
Where and how long we retain your information for?
Your information is stored in physical files in our premises in Cyprus and also in electronic form in servers located in the EU.
We generally keep information for as long as it is necessary for us to perform our obligations or to comply with legal obligations to which we are subject in accordance with above-stated legislation or as necessary for the purpose of the processing.
More specifically, the data processed through our Facebook Page, is deleted when the post is deleted, or when you choose to withdraw your reaction to our posts (like, sharing etc.). Private messages are deleted when the communication and its subject is over.
We retain your information you provided in the context of applying for and being assessed for your suitability as a donor for a period of up to ten (10) years in case we have rejected a donor application submitted to us. This is to enable us to have a relevant history in our files so that we can take this rejection into account in case you re-submit a relevant application to us in the future and to be able to defend ourselves in the event of a dispute.
If you become a donor, Cryos has a legal obligation to ensure traceability of your sperm in all phases, from donation to distribution to the recipient (from the donor to the recipient and vice versa), for at least thirty (30) years from the time of last clinical use or the expiry date. We therefore keep your personal data, including sensitive data, (such as the data concerning your identity and medical health, history, and results) for at least (thirty) 30 years.
If your sperm is provided to a customer in a different country than Cyprus, national rules for ensuring traceability may apply in the receiving country, which necessitate that Cryos keeps your information for a period exceeding 30 years from the last clinical use of your sperm. In such cases and to the extent permitted by applicable laws, the retention period will depend on any requirements in the relevant legislation of the receiving country.
As for as the finger template finger scanning, this is retained for as long as you are an active sperm donor and will be deleted after six months from last donation.
We will store bookkeeping information for six years after the end of the financial year to which they refer pursuant to the rules on documentation in the Cypriot Assessment and Collection of Taxes Law of 1978 (L.4/1978), Article 30 unless the tax authorities instructs us to do so for longer pursuant to the same provision. This data includes any information needed to document our bookkeeping, e.g. documentation of compensation paid to you during your time as a donor.
Blood, urine, and sperm samples will be destroyed as soon as the required tests have been made, at the latest 7-14 days after the sample has been taken.
The gametes are stored for a maximum of ten (10) years as per Article 29, Law 69(I)/2015.
When there are no specified maximum retention periods above, we will retain data relating to health for up to 15 years after the last recording of personal data about you.
Who has access to your information?
We will never sell your information to third parties and we will not share it with third parties for marketing purposes.
We may pass your information to our third party service providers and sub-contractors for the purposes of assisting us in performing our duties and/or providing our services. Such third parties may be technical service providers providing us with the software systems or cloud storage space necessary to contact administrative tasks inherent in the provision of our services to you or in the conducting of our business. We only disclose to them the personal information that is absolutely necessary to deliver the service or perform the task and when legally required, we have a contract in place that requires them to keep your information secure and in accordance with the principles and rules of the General Data Protection Regulation.
Moreover, the recipients of personal data will mainly be companies in the Cryos Group and their employees, who are processing data on behalf of the Company or providing to us administrative and technical and/or web support services, or with whom we collaborate and share systems. To the extent permitted by applicable laws and you have so chosen, the child if he/she requests it when he/she reaches the age of 18. Additional recipients are persons who are interested in receiving and/or receive treatment with your sperm and create a user account on Cryos website in order to access donor profiles, maternity units, IVF clinics, assessors, experts or other independent professionals, such as doctors, clinics, diagnostic centers, laboratories and psychologists who help us evaluate your donor application. We only disclose to them the personal information that is absolutely necessary for them to perform the relevant necessary tasks and when legally required, we have a contract in place that among others, requires them to keep your information secure and in accordance with the principles and rules of the General Data Protection Regulation.
We may also pass your information to our lawyers and accountants/auditors to the extent necessary to defend or institute legal claims and to comply with legal obligations with regards to the preparation of financial accounts and tax reasons, respectively.
We may disclose your information to public and/or regulatory authorities if disclosure is required by law such as to report an undesirable reaction or event, or an order issued by a court of law.
Finally, if applicable, data you submit on our Facebook Page please see also Facebook’s data protection policy.
What are your rights?
You may at any time, send us any of the following requests and we will meet them the earlier possible and, in any case, within a month from the date of receipt of your request and inform you about the action we have taken. If your request is for any reason complex to examine or meet, we will ask you for an extension, before the aforementioned one-month period expires.
If we have legitimate reasons to refuse to satisfy your request, we will inform you accordingly and in this case, you have the right to submit a relevant complaint to the Cyprus data protection authority, namely, the Commissioner for Personal Data Protection (http://www.dataprotection.gov.cy/) if you believe that our decision is unjustified.
These are your rights and the relevant requests you can submit to us:
A request that we permanently delete all or some of your information from our records (right to be forgotten or to erasure), for example, in case we no longer have reasons to have it. Please note that there may be cases, especially when your sperm has been used in which we are legally required to retain your data as explained above and in such a case your request for erasure will not be possible to be met.
A request from you to access your information that we keep in our records (right of access)
A request that we provide you with a copy of your information that exists in our records, in digital or hard copy form. If you require additional copies, we may charge you with a maximum of EUR 40,00 per copy, as administrative costs, depending on the volume of the data involved. (right to a copy)
A request that we update or correct personal information that we keep in our records (right to rectification), for example, in case it is outdated or contains errors or inaccuracies.
A request that we provide you with information of yours we keep in our records in a structured, commonly used, and machine-readable format or forward it in such form to another provider of your choice, if such forwarding or transfer is technically possible (right to portability). Please note that this right applies only in relation to data that you yourself has provided to us with and which we process by electronic means, in the context of a contract between you and our Company or because you have consented to us doing so.
A request that we stop doing anything with your information without however deleting it from our records (right to restriction of processing). In this case, we will restrict access to your personal data without deleting it if we are to satisfy your request.
In the case in which the decision as to whether you will be approved as a donor by our Company or not is taken solely on the basis of automated processing, you have the right to express an opinion on and dispute the decision, as well as to request that it be reviewed by a member of our personnel. Please note that for the time being such decisions are not taken solely on the basis of automated processing.
Please note that before acting upon any of your above requests, we may require you to prove your identity, if we are in doubt about your true or correct identity. If we cannot identify you, we will inform you accordingly and we will not act upon your request. The personal data relating to the handling of any of your requests will be retained up to nine (9) months after the completion of any procedure relating to the request.
You have the right to submit a relevant complaint to the Cyprus data protection authority, namely, the Commissioner for Personal Data Protection (http://www.dataprotection.gov.cy/) if you believe that we do not handle your personal data in compliance with the Regulation.
What security measures do we apply to protect your information?
When you give us personal information, we take organizational and technical measures to ensure that it is kept secure and protected against unauthorized disclosure or access, alteration, accidental loss or other violation or unlawful processing. Such measures, amongst others, aim at restricting access to personal information, ensuring secure storage, limiting the risk of viruses and other harmful events, keeping secure back-ups, and effectively destroying unnecessary data. In the event of a data breach or a relevant allegation, the personal data relating to its handling will be retained up to twelve (12) months after the completion of any procedure relating to the breach.
Transferring your information outside European Union
We do not generally transfer your personal information to a country that is not a Member State of the EU except from intra-group transfers in the form of access to some of your data that our US affiliated company (Cryos International USA) may have or because certain service providers we use may use servers outside the EU. We take measures so that your personal information will be given analogous protection to EU standards, specifically by signing with the party based outside the EU,when a country for which there is no adequacy decision by the Commission pursuant to Article 45 GDPR, an agreement with the standard contractual clauses approved by the European Commission as per Article 46 GDPR committing them to affording your personal data sufficient data protection. Your personal data may also be transferred to non-EU countries, specifically to IVF clinics or other similar entities in case your sperm is distributed for use in the context of assisted reproduction on a person based outside the EU. In case that we have to transfer your data to any third country, for which there is no adequacy decision pursuant to Article 45 GDPR we have a procedure for applying the transfer tool ensuring analogous protection and supplementary measures of protection where necessary. Moreover, interested persons based outside the EU who have created a user account on Cryos website will have access to your donor profile, basic or extended. This access may entail data protection risks if the country concerned in one of which there is no adequacy decision to Article 45 GDPR, as there will no appropriate safeguards pursuant to Article 46 GDPR.