This Data Protection Policy (“Policy”) sets out the basis which M. TIMOTHEOU& CO L.L.C a lawyers’ limited liability company established in Cyprus with registration number ΗΕ 270300 and registered in the Registry of Lawyers Companies of the Cyprus Bar Association (also referred to herein as ‘we’, ‘us’, our’, the ‘Firm’’) being a Data Controller, may collect, use, disclose or otherwise process Personal Data of Data Subject in accordance with the law. This Policy applies to all Personal Data in Firm’s possession or under Firm’s control.
M. TIMOTHEOU & CO LLC respects your privacy and is committed to handing your personal data with transparency and integrity. When processing personal data provided by you, the Firm is subject to the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR) and any applicable data protection laws or regulations of the Republic of Cyprus. The Firm acts as a controller of your personal data under GDPR, which means that it determines solely or jointly with others, the purposes and means of the processing of your personal data.
To whom this notice is addressed to:
This privacy notice is addressed to natural persons who may be one or more of the following:
– current and potential customers of our Firm or persons who have had a business relationship with our Firm in the past;
-Authorized representatives or agents of beneficial owners of legal entities administered by the Firm;
-Officers or employees of legal entities to whom we provide services
Aims of this notice
Therefore, this privacy notice aims:
a) To provide information about the nature of the personal data which we may collect and process from you and the purposes of such processing;
b) To inform you about your rights with respect to the data concerning yourself that you communicate to us under the EU General Data Protection Regulation and Cypriot data protection law;
c) To inform you with respect to the instances whereby we may transmit your personal data.
What constitutes ‘personal data’?
Personal data means any information relating to an identified or identifiable natural person. Examples of such personal data are your name, address and identification number, photo, passport, contact details etc and the form of such data may be hard copy, electronic, or other form.
What constitutes ‘processing’ of personal data?
By ‘processing’ of personal data, we refer to any operation which is performed upon them by us, for example their collection, recording, organization, storage, disclosure, transmission, erasure or destruction of such personal data.
What personal data we process and where we collect it from
We collect and process different types of personal data, depending on the type of service that you requested to receive, be it legal, corporate administration or other relevant or ancillary services and our legal and regulatory obligations in the field of anti-money laundering legislation and tax legislation and other applicable national or international legislation.
Personal data may be collected either from the client directly, or from their representatives, employees or agents. We may also collect and process personal data from publicly available sources, such as governmental agencies, the internet, or the press. Also we may collect personal data when you or your organization browse, make an enquiry or otherwise interact on our website.
For the above purposes, the types of personal data that we collect customarily include, but are not limited to the following:
- Identity data such as Name, address, contact details (telephone/email),
- Financial data such as data necessary for processing payments, including credit/debit card numbers, bank account, security code numbers and other related billing information
- Information collected from publicly available resources, integrity data bases and credit agencies where this is relevant to the services offered to you
- Further identity data such as birth date, place of birth, marital status, passport number, photographic identification and gender, CV,
- Other personal data such as source of wealth, tax registration codes/numbers, employment status, information on business activities, data concerning any criminal convictions, information on whether you hold/held a prominent public function, FATCA/CRS information.
Data of minors (children)
We acknowledge that safeguarding the privacy children/minors is of particular importance. Any personal data concerning children will be collected only to the extent necessary depending on the type of service that you requested to receive and provided that we obtained the consent of the parents/guardians of such children or otherwise permitted by applicable law.
Personal data about other people which you provide to us
By becoming a client of our Firm, you thereby consent to the collection, use, processing, transmission and storage of your personal data, in compliance with this Policy, other related internal circulars of our Firm which may be issued, from time to time, and of which you may request a copy, and in accordance with applicable Legislation, Directives, Regulations and Circulars issued by responsible and regulatory authorities.
Why your personal data is collected (Permitted Purposes) and the legal grounds for doing so
It follows from the above, that in order that we may be in a position to provide any of our services to you, you must provide us with such personal data which are necessary in order to enable us to do so, but also in order to abide by the legal obligations which we are bound by, as mentioned above.
Specifically, the legal grounds based on which we may collect and process personal data are determined by the EU General Data Protection Regulation and Cypriot data protection law and may be based on one or more of the following reasons:
1.For the performance of the purpose of our engagement by you, i.e. to provide legal, corporate administration or other relevant or ancillary services as per our engagement and complete our client acceptance/KYC/anti-money laundering procedures.
2. For compliance with a legal obligation(such as record keeping obligation), screening or recording obligation(i.e. for anti – money laundering, financial and credit check, fraud and crime prevention and detection purposes): As a lawyers limited liability company and the provider of legal corporate administration or other relevant or ancillary services to local and international clients, we are bound to abide by several pieces of legislation, including but not limited to the Anti-Money Laundering Law, Tax Laws, Cyprus Banking Law and other pieces of legislation which are directly relevant to our activities. We are also licensed and supervised by the Cyprus Bar Association and as such we are obliged to adhere strictly to its guidelines on several matters pertaining to our business.
The above impose on us necessary data processing activities concerning our clients and their agents/representatives such as KYC/due diligence obligations, tax laws, reporting obligations and compliance with directives and court-orders.
3. For the safeguard of our legitimate interests such as initiating legal claims or assistance in connection therewith, preparation of our defence in litigation procedures, internal management of systems and organization of our work, prevention of anti-money laundering.
4. You have provided us with your specific consent for such processing other than for any of the reasons set out above, in which case your consent constitutes the lawful ground of processing of personal data. You have the right to revoke such consent at any time.
5. To comply with Court Orders and exercises and/or defend our legal rights.
6. For any purpose related and/or ancillary to any of the above or any other purpose for which your personal data was provided to us.
Who may be recipients of your data/ transfers of data outside European Union
We may transmit your personal data in the context of us providing the agreed services to you or in accordance with statutory obligations imposed on ourselves and/or the third-party recipients.
For example, we may transmit your data to certain service providers and vendors or government authorities such as:
-The Cyprus Registrar of Companies;
The Cyprus Commissioner of Taxation;
-The Civil Registry and Immigration Department;
-Accountants and Auditors;
-Credit institutions in Cyprus and abroad where you requested the opening of bank accounts/provision of banking facilities or that need to be provided with information in the context of a transaction relating to yourselves personally or companies owned legally and/or beneficially by you;
-Company agents in foreign jurisdictions who maintain records of companies owned legally and/or beneficially by you
– Other lawyers, other legal specialists, consultants or experts duly engaged with your instructions in you matter;
– With companies providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies and regulatory bodies with whom such personal data is shared
-With Courts, law enforcement authorities, regulators or lawyers or other parties where is is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim or for the purposes of a confidential alternative dispute resolution process.
Additionally, we may transmit your data as necessary to abide by any court order or as otherwise legally required.
In the context of the above, we may transfer your personal data to countries outside the European Union for the purposes mentioned above, if required by law, or if you have given us your consent to do so. Recipients located in countries which are deemed not to afford an adequate level of protection of personal data are obligated to maintain appropriate safeguards in relation to the transfer of your data to them as per the relevant provisions of the EU General Data Protection Regulation.
We will take appropriate technical and organisational measures to keep your personal data confidential and secure in accordance with our internal procedures covering the storage, disclosure of and access to personal data. Personal data may be kept on our personal data technology systems or in paper files.
Retention of Personal Data
We will keep your personal data for as long as we maintain a business relationship with you and we provide you with services.
Once our business relationship stops and we cease to provide you with any services, then the data shall be kept for a period of 5 years from such cessation, as per the relevant anti-money laundering legislation.
You have certain rights (which may be subject to limitations or restrictions) under the applicable legal framework such as:
-The right to request access to and rectification or erasure of the personal data we hold about you;
-The right to obtain restriction of processing or to object to the processing of the personal data we hold about you; and
-The right to receive a copy of the personal data we hold about you.
– The right to request the transfer of personal date to a third party.
-The right to lodge a complaint about the processing of your personal data to your local data protection authority.
Where the Firm is legally required by law to process such data then such legal obligation imposed upon the Firm will override your rights, and the Firm hereby reserves all its rights under applicable law.
If you wish to do any of the above please send an email to email@example.com. We may request that you prove your identity by certain acts (e.g. by providing us with a copy of a valid means of identification) in order for us to comply with our security obligations and to prevent unauthorised disclosure of data. We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your data, and for any additional copies of the personal data you request from us.
We will consider any requests or complaints which we receive and provide you with a response in a timely manner. If you feel that your personal data has been processed in a way that does not meet the General Data Protection Regulation (GDPR), you have a specific right to lodge a complaint with the relevant supervisory authority, the Data Protection Commissioner Office, the Republic of Cyprus’ supervisory authority at:
1 Iasonos Street,1082 Nicosia, Cyprus
Tel.: +357 22 818 456, Fax: +357 22 304565
Amendments to this Notice
Any enquiries, requests or concerns regarding this Notice or relating to the processing of your personal data should be addressed to firstname.lastname@example.org (telephone: + 357 26953852).