Data Subject Rights Policy

Codal Synto Limited

The present Document lists, summarises and explains the Data Subject Rights pursuant to the General Data Protection Regulation 679/2016 of the EU which came into force on 25^th May 2018 (hereinafter referred to as “GDPR”). These rights include:

1. Information (Articles 12-14, and Recitals 58-62).
2. Access to personal data (Articles 12 and 15, and Recital 63).
3. Correction of personal data (Article 16).
4. Erasure of personal data, (“the right to be forgotten”) (Article 17, and Recitals 65 and 66).
5. Restriction of data processing (Article 18).
6. Objection to data processing (Article 21, and Recitals 69 and 70).
7. Receipt of a copy of their personal data or transfer of personal data to another data controller or otherwise known as the Portability of Data Right (Article 20, and Recital 68).
8. Not to be subjected to automated decision-making (Article 22, and Recital 71).
9.  Notification of a data security breach (Article 34, and Recital 86).

This document includes a brief explanation of all the above rights and relevant guidance on steps to be taken by the Data Subject in exercising such rights. 

The present Data Subject Rights document shall be read in conjunction with the Privacy and Cookie policy of Codal, also available at www.codal-synto.com.  

1. Information Right

The data subjects have the right to receive certain information about the data controller’s personal data collection and data processing activities. This is to ensure that Codal Synto Limited processes the personal data in their possession, in a fair and transparent manner. All relevant information can be found in the Privacy & Cookie Policy of the Organisation which is available on the Organisation’s website at www.codal-synto.com. 

Upon request, Codal Synto Limited is prepared to provide the Data Subject with detailed information as to the personal data maintained by the Organisation and how such data is stored, maintained and processed. A request may be made to Codal by filling in and sending the appropriate Request Form, as it shall further be described below and as it is provided in the Privacy & Cookie Policy of Codal.

(a) If the Personal Data are collected from Codal directly from the Data Subject

When Codal collects personal data directly from a data subject, the following apply:  

1. The data controller is Codal Synto Limited, a Cyprus registered company. 
2. The primary point of contact of Codal Synto Ltd is Ms. Eliza Stavrou who the data subjects may contact electronically at info@codal-synto.com or via telephone at +357 25867635.
3. The purposes for which Codal collects and processes any personal data are:

(a) to ensure that all the relevant and appropriate information on its employees is maintained  pursuant to local, EU and international legislations or other provisions or requirements;

(b) to ensure that all the relevant and appropriate information of applicants is maintained;

(c) to ensure that all the relevant and appropriate information of individuals filing complaints and reports relating to pharmacovigilance is maintained;

(d) to improve Codal’s products and services;

(e) to evaluate the market and improve its marketing;

(f) reasons pertaining to the operations, improvement of operations, innovation and marketing of Codal’s business.

1. The legal basis for the processing of some of the above information collected derives from International, European and local legislation and also regulations governing Pharmaceutical businesses and manufacturers. Alternatively, such personal information is collected from the Data Subject and is processed on the basis of a consent by the Data Subject.
2. Codal may transfer such personal data outside of the jurisdiction within which such data is collected, to other companies in the Codal group of companies. Such companies whether, within or outside of the EU, are bound by the present or similar Policy and the Privacy & Cookie Policy of Codal.
3. Details as to the retention period may be found in the Privacy and Cookie Policy of Codal, available at www.codal-synto.com.
4. If information must be provided pursuant to a law, statute, contract, or for another reason, Codal shall inform the data subject accordingly and also for any consequences of not providing the personal data requested.

In the event that Codal shall use the personal data for a purpose different than the one they were originally collected for, Codal shall provide notice of the new purpose to the data subject before processing.

(b) Personal Data Collected From a Third Party

In the event that Codal obtains personal data about a data subject from a third party, then Codal is obliged and shall inform the data subject by giving notice of acquiring these. This notice shall inform the data subject of the categories of personal data Codal collects and the source of the personal data including whether it came from publicly accessible sources.

Codal shall strive to inform the Data Subject of the data obtained within a reasonable time of receiving the said data and the purpose for which such data were obtained. In the event that Codal further wishes to use the data for purposes different than the one initially indicated, then Codal shall contact the Data Subject giving notice of the new purpose of the processing before doing so.  

Codal shall be exempted from the above if:

1. The data subject already has the required information.
2. Providing the information is impossible or requires a disproportionate effort, and the data controller  takes steps to protect data subjects’ rights and makes these steps publicly available.
3. EU or member state law applicable to the data controller requires collecting, processing, or disclosing the personal data, and appropriate measures protect the data subjects’ interests.
4. EU or member state law requires such data to be kept confidential.

2. Personal Data Access Right

Pursuant to Article 15 and Recital 63 of the GDPR, data subjects have the right to:

1. Obtain confirmation from the data controller that it is processing their personal data.
2. Access their processed personal data, including receiving a copy on request, unless providing a copy adversely affects the rights and freedoms of others.
3. Obtain certain information about the data controller’s processing, including:
4. purposes of data processing;
5. categories of personal data processed;
6. recipients or categories of recipients who receive personal data from the data controller;
7. how long the data controller stores the personal data, or the criteria the data controller uses to determine retention periods;
8. information on the personal data’s source if the data controller does not collect it directly from the data subject;
9. information on the safeguards used to secure cross-border data transfers, if applicable; and
10. whether the data controller uses automated decision-making, including profiling, the auto-decision logic used, and the consequences of this processing for the data subject.

As detailed in the present Data Subject Rights Statement the data subject, in light of the above information, may: 

1. request rectification or erasure of personal data;
2. restrict or object to certain types of personal data processing; or
3. make a complaint with the local supervisory authority.

The Data Subject has the right to request a copy of the data maintained by Codal Synto Ltd. In the event that such a request is made electronically, the Data Controller shall be obliged to provide the information in an electronic form that may be accessible by the Data Subject. 

If the data subject’s requests are unfounded or excessive, the data controller may, pursuant to Article 12(5) of the GDPR charge a reasonable fee to provide the information or take the requested action.  It is possible that Codal refuse to act on the request if there are legitimate or legal or otherwise reasons preventing them from doing so, or if the requests are excessive.  

Such requests for the provision of information from Codal may be filed using Codal’s Data Subject Access Request Form. 

3. Personal Data Rectification Right

As per Article 5(1)(d) of the GDPR Codal shall ensure that the data is accurate and reasonably updated, otherwise the Data Controller is under an obligation to rectify such data. 

To reinforce those requirements, and to ensure that the data subject can amend such inaccurate data, the  GDPR specifically grants data subjects, under Article 16 of the Regulation, the right to:

1. Correct inaccurate personal data held by the data controller; 
2. Complete any incomplete personal data held by the data controller.

Such request for rectification of Data maintained by Codal may be filed using Codal’s Data Subject Rectification Request Form.

4. Personal Data Erasure Right (“Right to be Forgotten”)

Data subjects have the right to request the erasure of the personal data that Codal holds about them, also known as “the Right to be Forgotten”, provided for in Article 17(1) of the Regulation. A data subject has the right to request erasure of their personal data if one of the following applies:

1. The personal data is no longer necessary for the purpose the data controller collected it.
2. The data subject withdrew his consent to the data controller’s processing activities and no other legal justification for processing applies.
3. The data subject objected to processing that is either:
4.   necessary for the data controller to perform a task in the public interest or in the exercise of official authority vested in the data controller; or
5.   necessary to pursue the data controller’s or a third party’s legitimate interests; or
6.   no other compelling legitimate grounds to process personal data apply.

4. The data subject objects to processing for direct marketing purposes.
5. The data controller unlawfully processed the personal data.
6. European Union or member state law requires erasure to comply with a legal obligation that applies to the data controller.
7. The data controller collected the personal data in the context of offering online services to children as per GDPR, if any of the activities of the data controller are interpreted as such. 

Once a data subject requests erasure for one of the statutory reasons, Codal shall erase it without delay unless continued retention is necessary for:

1. Exercising the right of freedom of expression and information.
2. Complying with a legal obligation under EU or member state law.
3. The performance of a task carried out in the public interest.
4. Exercising official authority vested in the data controller.
5. Public health reasons consistent with the exceptions for processing special categories of personal data such as health information, as outlined in GDPR Articles 9(2)(h) and (i) and 9(3).
6. Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances.
7. The establishment, exercise, or defence of legal claims.

In the unlikely event that Codal has made the data subject’s right public or has shared such data with third parties or within the Organisation, Codal shall immediately inform any such third party data controllers who are processing the data, about the data subject’s erasure request. This includes removing any links to this personal data, as well as, any copies of this personal data.

Such request for Erasure of Data may be filed using Codal’s Data Subject Erasure Request Form. 

5. Data Processing Restriction Right

Pursuant to Article 18 of the GDPR data subjects have the right to restrict the processing of their personal data under certain circumstances. Data subjects may restrict the processing of their personal data when:

1. The data subject contests the accuracy of the personal data. The data controller must restrict processing of the contested data until it can verify its accuracy.
2. The processing is unlawful. Instead of requesting erasure, the data subject can request that the data controller restricts use of the unlawfully processed personal data.
3. The data controller no longer needs to process the personal data but the data subject needs the personal data for the establishment, exercise, or defence of legal claims.
4. The data subject objects to processing that relies on the public interest or the data controller’s or a third party’s legitimate interests as the lawful processing grounds under Article 6(1) (e) or (f) of the GDPR. In this event Codal must restrict the challenged processing activity pending verification of whether the data controller’s or third party’s legitimate interests override the data subject’s interests.

When a data subject requests a data processing restriction under Article 18(1), Codal can continue to store the personal data, but may only process it:

1. With the data subject’s consent;
2. To establish, exercise, or defend legal claims;
3. To protect the rights of another individual or legal entity; or
4. For important public interest reasons.

In the event that Codal shall lift the data processing restriction, notice shall be sent to notify the data subject. 

Such request for Processing Restriction of Data maintained by Codal may be filed using Codal’s Data Subject Processing Restriction Request Form. 

6. Data Processing Objection Right

The GDPR, under Article 21, grants data subjects the right to object to data processing under certain circumstances, including:

1. direct marketing purposes, including profiling related to direct marketing. 
2. scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out in the public interest.
3. processing, including any profiling, based on the following legal grounds:
4. necessary to perform a task in the public interest; or
5. necessary for the data controller’s or a third party’s legitimate interests.

In the event that the data subject objects to the processing Codal shall stop processing this data unless one of the following exceptions apply:

1. Codal demonstrates a compelling legitimate ground for processing the personal data that overrides the data subject’s interests; or 
2. Needs to process the personal data to establish, exercise, or defend legal claims.

Notice of continuation of the processing shall be sent to the data subject by Codal.

Such request for Processing Objection of Data maintained by Codal may be filed using Codal’s Data Subject Processing Objection Form. 

7. Data Portability Right

The GDPR gives data subjects a right to data portability, under Article 20. The right to data portability is distinct from the right to access personal data. The data subject’s right to data portability includes the right to:

1. Receive a copy of the personal data from Codal in a commonly used and machine-readable format and store it for further personal use on a private device;
2. Transmit the personal data to another data controller;
3. Have its personal data transmitted directly from one data controller to another where technically possible.

The right to data portability applies to personal data about the data subject and pseudonymous data that can be clearly linked to a data subject. This includes information provided to Codal by the data subject, such name and contact information, information observed from the data subject’s activities such, as raw data processed by a smart meter, activity logs, history of website usage, or search history. It does not however, include personal data that Codal generates as part of data processing, for example, data derived in the process of profiling from personal data provided by the data subject.

The right to data portability also only applies to automated data processing that is either:

1. Based on a data subject’s consent; or
2. Necessary to perform a contract between the data controller and the data subject.

Codal may refuse to act upon the request of the data subject in the event that such portability may affect the rights and freedoms of third parties.  In the event that the data contains information of third parties, then the recipient data controller, to whom Codal shall transfer the data, has lawful grounds to process such personal data. 

Codal shall retain all the personal data only for the retention period set by their Privacy Policy.

Such request for Data Portability may be filed using Codal’s Data Subject Portability Request Form. 

8. Automated Decision-Making Objection Right.

Data subjects have the right, under Article 22 of the GDPR, not to be subjected to automated decision-making, including profiling, which has legal or other significant effects on the data subject. This right does not apply when the automated decision is:

1. Necessary for entering into or performing a contract with the data subject.
2. Authorized by EU or member state law applicable to the data controller if the law requires suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
3. Based on explicit data subject consent.

Such request for Objection of Automated Decision-Making may be filed using Codal’s Data Subject Automated Decision-Making Objection Request Form. 

9. Breach Notification Right

When a personal data breach is likely to result in a high risk to a data subject’s rights, Codal shall notify the affected Data Subjects of the security breach without undue delay. 

10. Responding to Data Subject Requests

Codal shall respond to any request the latest within one calendar month as from receiving a request from a data subject. In the event that a longer period is needed for the completion of all necessary actions, Codal shall inform the data subject accordingly providing an explanation for the delay. 

In the event that Codal does not act upon a request, they shall inform the data subject of the reasons why no additional actions are taken and provide them information of the supervisory authority to which a complaint may be lodged, in this case the Data Commissioner of the Republic of Cyprus or the equivalent in other jurisdictions. 

In the event of excessive requests by a data subject, Codal may charge a reasonable fee considering the administrative costs of providing the information or taking the requested action, or may even refuse to act on the request.

Upon responding to a request, and in the event that Codal has reasonable doubts about the identity of the person making the request, Codal may require additional information to confirm the identity of the data subject or the individual requesting such information on behalf of the data subject.

Data controllers are not responsible for data processing by the data subject or by another company that receives the personal data in response to a data portability request. Rather, the personal data recipient becomes a data controller subject to the GDPR’s requirements.

11. Codal’s Obligations Relating to Data Subject Rights

Codal understands the significance of the data subjects’ right to handle their personal data. Therefore, we are taking all necessary steps to facilitate all data subjects whose data are being processed by Codal to exercise and express their rights deriving from the application of the GDPR.

Codal undertakes to efficiently communicate with the data subjects and provide all appropriate notices relating to the processing of the personal data and to respond to requests by the data subjects within one month of receiving any type of request. 

Codal strives to keep all data subject information safe, but in the unlikely event of a breach, notice will be given to the data subject as provided for in the GDPR. 

Codal will strive to fully comply with all its obligations deriving from the GDPR and relevant guidance.  The present shall be amended to meet such requirements and obligations and no further notice of its amendment shall be considered necessary.

Codal Synto Limited

 April 2026