GDPR PRIVACY NOTICE
Client’s Personal Data
General Data Protection Regulation (GDPR)
This regulatory notice is solely for informative purposes.
What is GDPR?
It is a new law coming into force on the 25th of May 2018, designed to enable individuals to better control their personal data. Personal data is defined as any information which identifies individuals directly or indirectly. In relation to clients’ personal data which is held in CPM’s records, CPM can either act as the Data Controller, controlling the storage and usage of personal data, or the Data Processor, processing it to external associates, or both.
Why shall the client be informed?
One of the requirements of GDPR is to inform each client how personal data is processed. The processing includes obtaining, recording, storing and carrying out any tasks using personal data. This notice also describes data protection rights.
What are the requirements?
Cyproman Services Limited will act as the Data Controller of personal data provided. Personal data includes name, address, email, telephone number, mobile number, temporary residential address, employment address, name of employer, personal status, i.e. identity card number, passport number, marital status, occupation, country of taxation, source of wealth, size of wealth, ownerships and directorships, accompanied by all the required supporting documentation.
For what purposes will the client’s personal data be processed?
Personal data shall be processed for several different purposes:
(i) the Republic of Cyprus Anti Money Laundering laws and regulations (i.e. Law 196 (I) 2012 consolidated with L109 (I) 2013 regulating companies providing Administrative Services and related matters of 2012, The Prevention and Suppression of Money Laundering and Terrorist Financing laws of 2007 and 2010)
(ii) The Cyprus Securities and Exchange Commission Directive DI144-2007-08 of 2012 for the prevention of Money Laundering and Terrorist financing;
Please note that CPM will not collect any personal data which is not required for providing and overseeing the requested services.
All the personal data obtained is processed by CPM staff in Cyprus. For IT hosting and maintenance purposes, this information is stored in servers located within the European Union. Third parties do not have access to clients’ personal data and CPM does not share clients’ personal data with third parties unless:
a) this is required for providing a client with the services requested from CPM through agents/banks etc. on whose services CPM relies in order to provide the services stipulated within the engagement letters agreed between CPM and the client;
b) the law requires such disclosure i.e. to regulatory authorities, or
c) the client has provided authorization to disclose personal data by a specific consent letter provided to CPM in writing.
Any third parties, whose services CPM uses, may also transfer clients’ personal data to other third parties who in turn provide services to us. CPM requires such third parties to put appropriate safeguards in place if a transfer of personal data outside the EU is involved.
CPM follows a Data Protection regime to oversee the effective and secure processing of clients’ personal data.
In which cases is the client’s consent required?
Consent is required in cases where the client has engaged another provider e.g. auditors, tax advisors, legal associates, etc. who request the client’s personal data from CPM, in order to provide their services.
How long shall the client’s personal data be kept in CPM records?
CPM is obliged, under the Cyprus Laws and Regulations, to keep and update a client’s personal data for as long as CPM provides its services to that client. Upon the termination of the business relationship, the client’s personal data shall be kept for a minimum of 5 years. After the legally required period lapses, the client’s personal data shall be destroyed.
Do you subject the client’s personal data to any automated decision making?
What are the legal grounds on which CPM relies to process a client’s personal data?
These are the following:
“Legitimate interests” is a heading that covers several different reasons why CPM may need to process a client’s personal data which may not be covered by other headings, such as:
What rights does the client have over its personal data?
If the client wishes to exercise any of these rights, he/she shall contact the usual CPM contact/administrator who will provide further information on how to exercise these rights.
Right to lodge a complaint
If the client wishes to raise a complaint on how CPM has handled personal data, the client shall contact CPM’s Data Protection Officer who will investigate the matter.
If the client is not satisfied with CPM’s response or believes CPM is not processing the client’s personal data in accordance with the law, the client may file a complaint with the Office of the Commissioner for Personal Data Protection.
CPM’s Data Protection Officer is Elena Chrysanthou and the client may contact her at: firstname.lastname@example.org
Updates to this notice
There may be updates to this notice to reflect changes in the way CPM processes the clients’ personal data or to clarify information provided in this notice. Each client will be notified about these changes when CPM is legally required to do so.
Nicosia, 15th May 2018