CLIENT’S PERSONAL DATA
General Data Protection Regulation (GDPR)
This regulatory notice is solely for informative purposes.
What is GDPR?
It is a new law that came into force on the 25th of May 2018, designed to enable individuals to better control their personal data. Personal data is defined as any information which identifies individuals directly or indirectly. In relation to clients’ personal data, CPM can either act as a Data Controller, by controlling the storage and usage of personal data by determining the purposes and the means by which the personal data is processed, or as a Data Processor, by maintaining a record of data processing activities, acting on behalf of another Controller.
Why shall the client be informed?
One of the requirements of GDPR is to inform each client how personal data is processed. The processing includes obtaining, recording, storing, and carrying out any tasks by using personal data. This notice also describes data protection rights.
What are the requirements?
Cyproman Services Limited will act as the Data Controller of personal data provided. Personal data includes name, address, email, telephone number, mobile number, temporary residential address, employment address, name of employer, personal status, i.e. identity card number, passport number, marital status, occupation, country of taxation, source of wealth, size of wealth, ownerships and directorships, accompanied by all the required supporting documentation.
For what purposes will the client’s personal data be processed?
Personal data shall be processed for several different purposes:
- For providing the services requested from us as those are stipulated within CPM engagement letters;
- For reporting on provided services to the client;
- For verifying client’s identity and carrying out regulatory checks;
- For complying with various laws and regulations that apply to CPM including:
(i) The Law Regulating Companies Providing Administrative Services and Related Matters of 2012 (i.e. Law 196 (I) 2012) as in force;
(ii) The Prevention and Supervision of Money Laundering and Terrorist Financing Laws of 2007-2018;
(iii) The Cyprus and Securities Exchanging Commission Directive for the Prevention of Money Laundering and Terrorist Financing (DI144-2007-08 of 2012);
- For accommodating the client’s needs in order to provide a better service;
- For arranging meetings with the client and/or other events which may be of interest to the client;
- For obtaining information in relation to your use of our website.
Furthermore, CPM became a member of a Network of Independent Licensed firms around the world, distinguished in their areas of practice in their country, offering a wide range of services, named “Delphi Alliance”. The objective of “Delphi Alliance” is the linking of professionals from eleven different lines of services around the world and creating synergies and opportunities for its member firms. “Delphi Alliance” will be able to store and use clients’ personal data strictly for the purpose of monitoring and documenting CPM’s compliance with the Alliance’s Bylaws and Rulebook only.
Please note that CPM will not collect any personal data which is not required for providing and overseeing requested services.
All the personal data obtained is processed by CPM staff in Cyprus. For IT hosting and maintenance purposes, this information is stored in servers located within the European Union. Third parties do not have access to clients’ personal data and CPM does not share clients’ personal data with third parties unless:
- This is required for providing a client with the services requested from CPM through agents/banks etc. (CPM relies on those in order to provide the services stipulated within the engagement letters agreed between CPM and the client);
- The law requires such disclosure, i.e. to regulatory authorities;
- The client provides authorization to disclose personal data with a specific consent letter provided to CPM in writing.
Any third parties, whose services CPM uses, may also transfer clients’ personal data to other third parties who in turn provide services to us. CPM requires such third parties to put appropriate safeguards in place if a transfer of personal data outside the EU is involved.
In which case is the client’s consent required?
CPM follows a data protection regime to oversee the effective and secure processing of clients’ personal data.
Consent is required in cases where the client has engaged another provider e.g. auditors, tax advisors, legal associates, etc. who request the client’s personal data from CPM, in order to provide their services.
How long shall the client’s personal data be kept in CPM records?
CPM is obliged, under the Cyprus Laws and Regulations, to keep and update a client’s personal data for as long as CPM provides its services to that client. Upon the termination of the business relationship, the client’s personal data shall be kept for a minimum of 5 years. After the legally required period lapses, the client’s personal data shall be destroyed.
Do you subject my personal data to any automated decision-making?
What are the legal grounds on which CPM relies to process a client’s personal data?
These are the following:
- The processing is necessary for the performance of the terms and conditions set in the engagement letter/contract between CPM and the client;
- The processing is necessary for the compliance with a legal obligation;
- The processing is necessary in accordance with CPM’s legitimate interests;
- Client’s consent to the processing.
“Legitimate interests” is a heading that covers several different reasons why CPM may need to process a client’s personal data which may not be covered by other headings, such as:
- To comply with a regulation or regulatory guidance
- To prevent fraud or financial crime
- To provide a better service
- To build a mutual relationship with the client by inviting the client to events in which the client might be interested
- To transfer personal data between group entities for internal administrative purposes
- For the purposes of network or information security
What rights does the client have over their personal data?
GDPR gives several rights concerning the client’s data, subject to certain criteria. These are:
- Right of access - a right to obtain a copy of the data CPM holds about the client as well as some supplementary information on that data
- Right to rectification - a right to require CPM to correct the client data
- Right to data portability - a right to require CPM to transfer the personal data provided
- Right to object - a right to object to the processing of personal data based on CPM’s legitimate interests and/or the processing of personal data for direct marketing purposes
- Right to erasure - a right to require CPM to erase a client’s personal data
If the client wishes to exercise any of these rights, he/she shall contact the usual CPM contact/administrator who will provide further information on how to exercise these rights.
Right to lodge a complaint
If the client wishes to raise a complaint about how CPM has handled personal data, the client shall contact the CPM Data Protection Officer who will investigate the matter.
If the client is not satisfied with CPM’s response or believes CPM is not processing the client’s personal data in accordance with the law, the client may file a complaint to the Office of the Commissioner for Personal Data Protection.
CPM’s Data Protection Officer is Elena Chrysanthou and the client may contact her at: email@example.com.
Updates to this notice
There may be updates to this notice to reflect changes in the way CPM processes the clients’ personal data or to clarify information provided in this notice. Each client will be notified about these changes when CPM is legally required to do so.
Date: 28th May 2021