At CONSAVER MANAGEMENT LTD (hereinafter “we”, “us” or “our”) the protection of your personal data is a top priority. Keeping your data secure and private is part of our philosophy for delivering high standards of services.
The new European Union (EU) Data Protection Law, the General Data Protection Regulation (“GDPR”), comes into effect on 25th of May 2018. The GDPR (EU) 2016/679 gives individuals in the EU more control over how their data is used and places certain obligations on businesses that process the information of those individuals.
2. WHO WE ARE
CONSAVER MANAGEMENT LTD is a company registered in Cyprus under registration number HE 331292 with its registered office located at 83 Georgiou A’ Street, Tourist Shopping Center, Office 1, Potamos Germasogeias, 4047, Limassol, Cyprus licensed by the Committee of Supervision and Control for the Cyprus Investment Programme to provide services for Cyprus Investment Programme (Registration number 062). CONSAVER MANAGEMENT LTD is also providing consulting services and rendering of services.
4. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER AND DATA PROTECTION OFFICER.
(A) DATA CONTROLLER
CONSAVER MANAGEMENT LTD, a Cyprus private limited liability company, having registration number HE 331292, is the “Data Controller” pursuant to the GDPR, and related Cyprus Law, and determines how your personal data is kept and processed.
The main establishment and the central administration of the Data Controller is situated at 83 Georgiou A’ Street, Tourist Shopping Center, Office 1, Potamos Germasogeias, 4047, Limassol, Cyprus.
(B) DATA PROTECTION OFFICER («DPO»)
The DPO may be contacted directly with regards to all matters concerning this policy and the processing of your personal data including the enforcement of all applicable and available rights.
Official requests may be made by post at P.O.Box 54781, 3727 Limassol, Cyprus, or electronically at [email protected].
5. HOW DO WE COLLECT PERSONAL DATA?
We collect and process different types of personal data which we receive from our clients in person or via their representatives in the context of our business relationship.
We may also collect and process personal data which we lawfully obtain not only from our clients and their representatives but also from other third parties e.g. other service providers, professionals such as accountants and lawyers or online screening tools.
We may also collect and process personal data from publicly available sources (e.g. the Department of Registrar of Companies and Official Receiver, the Land Registry, the Bankruptcy Archive, commercial registers, the press, media and the Internet) which we lawfully obtain and are permitted to process.
6. WHAT CATEGORIES OF PERSONAL DATA DO WE COLLECT?
We collect and use several types of information the individuals we co-operate with, including information by which you may be personally identified and that is defined as personal data under applicable law such as Due Diligence with your first and last name, address, contact details (telephone, email), identification data (such as passport, driver’s license or ID), birth date, place of birth (city and country), employment status (employed/self-employed), curriculum vitae, taxation and other related financial details, reference letters, whether you hold/held a prominent public function (for PEPs), FATCA / CRS info, authentication data (e.g. signature).
Should there be a need to further process the personal data for a purpose other than that for which they were initially collected, you will be informed in advance about the additional purpose and the relevant details in respect to the further processing.
With your explicit consent we may collect special categories of personal data. Pursuant to the definition given by the GDPR, these data may include racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, trade union membership, the processing of genetic data, biometric data, data concerning health, sex life or sexual orientation and criminal records.
7. WHAT LAWFUL REASONS DO WE HAVE FOR COLLECTING, PROCESSING AND DISCLOSING PERSONAL DATA
In order to proceed with a business relationship our clients must provide their personal data to us which are necessary for the required commencement, execution and continuation of a business relationship. This is a requirement under the relevant Anti-Money Laundering Law and the regulations of our Regulator (ICPAC- Institute of Certified Public Accountants Cyprus).
Failure to provide us with personal data prevents us from commencing or continuing a business relationship with the clients.
In accordance with GDPR we may rely on the following lawful reasons when we collect and process personal data to operate our business and provide our services:
- Compliance with legal obligation: We may process personal data in order to meet legal and regulatory obligations such as Anti-Money Laundering Law, Tax Law and the regulations of various supervisory authorities (e.g. the Institute of Certified Public Accountants Cyprus, IFAC and ACCA) that we are subject to for anti-money laundering purposes and due diligence purposes.
- Contract: We may process personal data for the purposes of providing our services in accordance with our terms and conditions and/ or any other contract that you have with us.
- Consent: We may rely on your freely given consent at the time you provided your personal data to us for a purpose of the process other than for the purposes set out hereinabove, then the lawfulness of such processing is based on that consent. You have the right to withdraw consent at any time. However, any processing of personal data will not be affected prior to the receipt of the withdrawal.
- Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. A legitimate interest is when we have a business or commercial reason to use our clients’ information. Instances of such processing activities can include, initiating legal claims, preparing our defense in litigation procedures, initiating complaints to our regulator etc.
8. WHY DO WE NEED PERSONAL DATA?
We aspire to be transparent when we collect and use personal data and tell you why we need it, which typically includes:
- Providing the requested services including services for Cyprus Investment Programme. Our services may include reviewing client files for quality assurance purposes, which may involve processing personal data for the relevant client;
- Customer management: to manage your account, to provide you with customer support and with notices about your account, including notices about changes to services we offer or provide through it;
- Administering, maintaining and ensuring the security of our information systems, applications and websites;
- Functionality and security: to detect, prevent, and respond to actual or potential fraud and illegal activities;
- Compliance: to enforce our terms and conditions and to comply with our legal obligations as these derive from the applicable laws or our regulators;
9. DO WE SHARE PERSONAL DATA WITH THIRD PARTIES?
In the course of our business relationship our clients’ personal data may be provided to various departments within our Company.
Furthermore, the following third parties may also be the recipients of the personal data under the certain circumstances:
- Supervisory and other regulatory and public authorities, whereby a statutory obligation exists. Some examples are the Immigration Department, Municipalities, the Income Tax authorities, Criminal Prosecution authorities.
- Credit and financial institutions whereby our clients specifically instruct us.
- Any other service providers or professionals which our clients specifically instruct us to engage with, such as certifying officers, service providers, auditors, lawyers, business consultants etc.
Third parties to whom we may disclose Personal Data may have their own privacy policies which describe how they use and protect Personal Data. If you want to learn more about their privacy practices, we encourage you to visit the websites of those third parties.
10. WHAT ABOUT PERSONAL DATA SECURITY?
We have put in place appropriate technical and organizational measures including physical, electronic and procedural measures to protect personal data from loss, misuse, alteration or destruction. We restrict access to information at our offices so that only officers and/or employees who need to know the information have access to it. Those individuals who have access to the data are required to maintain the confidentiality of such information. In addition, we have trained our employees on how to handle, manage and process personal data, applied upgraded technical measures and transformed our policies and procedures in a way that will comply with the GDPR.
Please be aware that the transmission of data via the Internet is not completely secure. Users should also take care with how they handle and disclose their personal data and should avoid sending personal data through insecure email.
11. HOW LONG DO WE RETAIN PERSONAL DATA?
We will keep our clients’ personal data for as long as we have a business relationship.
Once our business relationship has ended, we will hold your personal data on our systems for the longest of the following periods:
- any retention period that is required by law or professional standards;
- the end of the period in which litigation or investigations might arise in respect of the services or
- as directed by our own internal retention policies or practices, the length of which may vary depending on the nature of the information that is held.
The personal data processed for the purposes of sending newsletters shall be kept with us until you notify us that you no longer wish your personal data to be used for this purpose.
13. WHAT ARE YOUR DATA PROTECTION RIGHTS?
Subject to the provisions of the GDPR, you have certain rights regarding the Personal Data we collect, process or disclose and that is related to you, including the right:
- To receive access to your personal data (right to access).
- To rectify inaccurate personal data concerning you (right to data rectification);
- to request deletion/ erasure of your personal data (right to erasure/deletion, “right to be forgotten”);
- to receive the Personal Data provided by you in a structured, commonly used and machine-readable format and to transmit those Personal Data to another data controller (right to data portability);
- to object to the use of your personal data where such use is based on our legitimate interests or on public interests (right to object);
- in some cases to request the restriction of processing of your personal data (right to restriction of processing);
- To withdraw the consent given to us with regard to the processing of your personal data at any time. Note that any withdrawal of consent will not affect the lawfulness of processing based on consent before it was withdrawn.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
14. HOW TO RAISE A COMPLAINT
To exercise any of the above rights, or for any questions or complaints about our use of your personal data, please contact our Data Protection Officer, either by post at P.O.Box 54781, 3727 Limassol, Cyprus, or electronically at [email protected] email.
Complaints may also be lodged to the supervisory authority in Cyprus (Office of the Commissioner for Personal Data Protection, by post at 1 Iasonos Str. 1082, Nicosia, Cyprus. More information can be found at http://www.dataprotection.gov.cy.