top of page

Privacy Policy


In the European Union, the General Data Protection Regulation – EU Regulation 2016/679 (hereinafter "GDPR") applies as of May 25, 2018. For the text of the Regulation you can select the

This Privacy Policy (hereinafter the "Data Policy") concerns the Organization under the name "Pafos Transport Organisation" and distinctive title "OSYPA" (hereinafter "OSYPA"), with registered office in Paphos, Mesogi Industrial Area Street, 10 Michalaki Savvides Street, T. Box 62136, 8061 Mesogi, Paphos.

OSYPA is the creator and beneficiary of all rights of the following websites with domain names:

OSYPA attaches particular importance to the protection of the personal data of its customers and executives, as well as of any persons visiting the websites and/or local offices of the Organization.

For this reason, it has prepared this Data Protection Policy in order to inform the above persons about how we collect, use and disclose their personal data.

This website may include links to other websites, which are under the responsibility of third parties (natural or legal persons). Additional websites may be added in the future, for the terms of protection and management of personal data, for which OSYPA is in no way responsible.

Definitions of personal data

(Note: The definitions follow Article 4 GDPR)

"Personal Data": any information through which a natural person is or can be identified ("Data Subject").

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, in this case OASA.

'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Personal Data Subject": the natural persons for whom the controller collects and processes personal data (in this Data Policy, Data Subjects are the users of OASA's websites and the services provided by the Organization and all interested parties in general and third parties – visitors of the websites).

'recipient' means a natural or legal person, public authority, agency or other body, to whom personal data are disclosed, whether a third party or not.

Collection of personal data

When the visitor / user visits the websites and / or the local offices of OSYPA and if

interacts with them, or

completes template web pages and/or contact documents (forms); or

applies for a multiple-ticket card, or certain information may be collected, such as:

name, surname, month and year of birth, address, category of beneficiary, etc.

Furthermore, in an automated manner in relation to the website, information may be collected such as:

the internet address of the user (IP address), which is determined by the provider of the connection through which the visitor / user has access to the internet and then to the website and is maintained only under the conditions of the law, the type of browser) and the operating system, the websites and links it selects (by "clicking") within the page, basic connection information to the server, information collected through software such as HTML cookies, Flash cookies, web beacons and the like,


Purpose of processing personal data

The personal data collected are used solely for reasons related to the fulfillment of the purpose of OSYPA's activity, namely the provision of transport services by public transport in the area of competence of the Organization and for statistical purposes and improvement of the services – information provided and may not be used by any third party.

In particular, the Personal Data collected by the websites and/or local offices of the Controller and stored in the relevant database are intended to be used for the purposes mentioned, namely:

  1. the issuance of electronic cards for buses in the wider area of Pafos.

  2. be able to study anonymized statistical data by OSYPA and third parties, but in a way that they cannot identify the subject of personal data

  3. be able to manage websites and all forms of communication

  4. be able to send updates or notifications upon prior choice of users


For the legal basis for processing under (1) is the contract with the customer-passenger/card applicant.

For the purposes of (2) and (3) the legal basis for the processing is compliance with a legal obligation of OSYPA, the fulfillment of a duty related to the exercise of public authority entrusted to OSYPA and the legitimate interest of OSYPA.

For the legal basis under (4) of the processing is the consent of the Subject during any registration of the data. OSYPA will ensure that, in this limited case, this consent meets the terms of consent in the context of the application of the GDPR and the legislation.

According to OSYPA's General Privacy Policy, the data of users who have contacted OSYPA are kept on the Organization's servers for a period of two (2) years or for any other period required by the Ministry of Communications, Transport and Works.

Recipients of the data and purpose of transfer

The personal data of the users of OSYPA's websites are transmitted to OSYPA's partners and / or subcontractors but always under conditions that fully ensure that the personal data of the


Data Subjects do not undergo any unlawful processing, i.e. other than the purpose of transmission.

Especially the processing of personalised card data

In the context of the Personalised Card, the identification of the Data Subject is required. The aim is to:


  • provide for the use of unlimited travel products (monthly, annual cards, etc.),

  • provide the right to discount to the categories of passengers entitled to it (e.g. discount due to the issuance of a monthly card, student status, etc.),

  • not to issue multiple cards per person,

  • allow users to request the cancellation of a lost or stolen card;

  • to deal more effectively with the avoidance of boarding a means of transport without paying the prescribed fare;


For the access to the personal data of users of OSYPA's websites and local offices, OSYPA competent executives have been appointed, who are committed to maintaining confidentiality and confidentiality, while unauthorised access is prohibited.

OSYPA will not make available for sale or otherwise transmit or disclose personal information of visitors/users of its websites or at the local offices of the organisation to third parties, other than the above-mentioned recipients, without the consent of the visitor/user, with the exception of the application of relevant legal requirements and only to the competent Authorities.

The retained personal data may be disclosed to the competent judicial, police and other administrative authorities, upon their lawful request and in accordance with the applicable legal provisions. In addition, in case of a lawful order of a prosecutorial or other Authority, or of conducting a regular investigation or preliminary examination, OSYPA is obliged to make the relevant data available to the requesting Authority.

OSYPA will not transfer users' personal data to a third country or international organization.

The websites may offer the possibility of sharing on Social Networks and other related tools that allow the sharing of user actions within the Website / Application with other applications, websites or mass media, and vice versa. The use of such features allows the exchange of information with users' friends or the general public, depending on the settings they have specified in their personal profile. Users / visitors are kindly requested to refer to the privacy policies of the individual social networking services for more information on how they handle their data.

User's consent

Users by accepting this Privacy Policy, in accordance with the procedure below, acknowledge that:

Processing related to acts leading to fraud: The Data Subject has been informed and consents that, in case of sufficient indications and if required by the specific circumstance, OSYPA will have the right to collect, process and use personal data necessary for the

disclosure of acts leading to fraud, as well as details of any other illegal or unconventional use of its websites.

Transfer by law: The Data Subject has been informed and consents to the possible transfer of his or her personal data to law enforcement and supervisory authorities for the necessary protection against risks to state and public security as well as for the prosecution of criminal acts.

Transfer and storage of personal data

Any transfer or transmission of the personal data of the Data Subjects is carried out through electronic systems and the data is transferred encrypted.

The data are stored on OSYPA's servers located at the Organization's facilities and on the servers of contractors – recipients installed at OSYPA's facilities.

Rights of data subjects

OSYPA, fully complying with the provisions of the GDPR, satisfies and facilitates the exercise of the following rights of the Subjects:


Right of access

Data Subjects have the right to receive, at any time, information from OSYPA on whether it processes their personal data and, if so, to request to be informed about the purpose of processing, the type of Data processed, to whom it transmits them, how long it stores them, whether automated decision-making takes place. In addition, Subjects will be given access to such personal data without undue delay.

Right to rectification

The Data Subject has the right to request from OSYPA the correction of inaccurate or outdated personal data concerning him/her. It also has the right to require incomplete personal data to be completed, including by means of a supplementary statement. Furthermore, OSYPA undertakes to communicate any correction of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. OSYPA undertakes to inform the Data Subject about these recipients, if requested.

Right to erasure

The Data Subject has the right to request from OSYPA the erasure of personal data concerning him or her if they are no longer necessary for the above-mentioned processing purposes and under the conditions of art. 17 GDPR.

Right to restriction of processing

The Data Subject is entitled to request from OSYPA the restriction of the processing of personal data concerning him/her. If the processing of personal data is restricted, those personal data, other than storage, shall only be processed where specific exceptions apply.

Right to data portability

The Data Subject has the right, under the conditions of art. 20 GDPR to receive the personal data concerning him and which he has provided to OSYPA in a structured, commonly used and machine-readable format.

Right to object

The Data Subject is entitled to object at any time and on grounds relating to his or her particular situation to the processing of personal data concerning him/her, under the conditions set out in art. 21 GDPR. Once the right to object has been exercised, personal data will no longer be processed, unless it is demonstrated that there are legitimate and compelling grounds for the processing, which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. OSYPA guarantees that, if the Data Subject objects to the processing of data concerning him or her, he will no longer process such data, unless he proves that there are compelling legitimate grounds for the processing, which override the interests and rights of the Data Subject.

Automated individual decision-making, including profiling

OSYPA does not currently proceed to automated individual decision-making. In any case, however, and if in the future he decides to proceed with automated individual decision-making, the Data Subject has the right to object to a decision taken solely on the basis of automated processing, including profiling, when this decision produces legal effects concerning him or her or significantly affects him.

Satisfaction of rights

Overall, OSYPA ensures that:

Procedures are in place to allow the easy exercise of the rights of Data Subjects, so that all required actions can be initiated immediately.

It will respond to a request submitted by the Data Subject without undue delay and in any case not later than thirty (30) calendar days.

In case it cannot satisfy a right exercised by the Data Subject, OSYPA will ensure that specific, adequate and complete justification is provided.

Except in cases of manifestly unfounded or excessive requests, all actions relating to the satisfaction of the rights of the Data Subjects will be provided free of charge for the Data Subjects.

OSYPA Data Protection Officer

OSYPA's Data Protection Officer, based in Paphos, Mesogi Industrial Area Street, 10 Michalaki Savvidi Street, T. Box 62136, 8061 Mesogi, Paphos. email address: and visitors/users of OSYPA's websites and local offices may contact him/her for questions regarding this Privacy Policy as well as for any issue related to the processing of their data and the exercising their rights.

In the event that Data Subjects consider that the processing of their Personal Data violates the applicable regulatory framework for the protection of personal data, they have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection on website

bottom of page