Privacy Policy

Updated 1 September 2021

Privacy Policy

At Clerides, Anastassiou, Neophytou LLC we care about the privacy and security of your personal information and we take measures to ensure that your personal information is properly handled while in our possession in the context of serving you in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “General Data Protection Regulation” or the “Regulation”).

This Policy mainly explains when and why we collect personal information about visitors to our website and about natural persons in general we are offering services to, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

We may change this Policy from time to time. When we do so in relation to an important matter, we will notify you by, for example, displaying a relevant notice on our homepage. Importantly, by using our website, you agree to this Policy as amended from time to time to the extent relating to information we collect about you in your capacity as a user of our website. As for information about you we collect in the context of conducting our business through our offices, you are welcome to contact our DPO (see immediately below), in case you are not happy with the content of or any change to this Privacy Policy.

In compliance with the EU General Data Protection Regulation, our company has appointed a Data Protection Officer (DPO). In case you have any questions with regards to this Privacy Policy or any question or complain with regards to how your personal data is handled, you can contact our DPO as follows:

Name: Christiana Markou

Email: dpo@cyplaw.com

Tel.: 22377863

Fax: 22377860

Address: 2, Amfipoleos street, Marcou Tower Office 201, 2025 Strovolos, Nicosia.

Who are we?

Clerides, Anastassiou, Neophytou LLC (ΗΕ 224964)

Address: Chrisorrogiatissis & Kolokotroni Corner 3040 P.O Box 56220, 3305 Limassol Cyprus

Tel: +357 25 274050

Fax: +357 25 370704

Email: info@cyplaw.com

Website: https://www.cyplaw.com

Nature of business: Provision of legal and corporate services, as well as company formation and management consulting and international tax planning.

How do we collect information from you?

We obtain information about you when you use our website, particularly, when you contact us with a request, query or complaint through an online form or by email or other means of distance communication.

We may also record information about you while you browse through our website by clicking on links displayed on our website. Such information is automatically recorded in the server logs of the website and/or through cookies as explained below in this Privacy Policy. Your activity on our Facebook page, Twitter and LinkedIn Profile, is also recorded in a similar manner and we also collect information about you when you like, share or comment on our Facebook page, Twitter and LinkedIn Profile or send us a message on Facebook, Twitter or LinkedIn, or any other means of distance communication.

We also collect information about you through email or through our hard-copy forms sent by email or handed over in person, when you visit our offices or contact us requesting information about our services, when you request a quotation, when you submit an order or request the provision of a service or submit to us information about you and/or on behalf of your company(ies) during the course of providing a service to you and/or your company(ies) and when you pay us for services rendered or to be rendered.

Finally, we record information about you when you ask us to perform payments or other financial transactions on behalf of your companies or yourself.

What type of information is collected from you?

The personal information we collect is only information that we need in order to provide you with our services, to respond to your queries and to comply with our legal or regulatory duties in relation to those services. Accordingly, the provision of such information is mandatory, in the sense that we will be unable to provide you with our services if we do not have the said information. If we seek additional information, we will inform you of the purpose and if necessary, seek your consent.

The personal information we collect may include:

-your name,

-date of birth,

-passport or identity card number,

-telephone number,

-address and email address,

-CV,

-IBAN number,

-copies of identity and proof of address documents, such as a utility bill, passport or identity card,

-bank reference letters,

-banking security credentials, when applicable,

-your payees’ names and bank account details, when applicable,

-any contract or other document you furnish us in the context of requesting or receiving our services,

- source of funds and related information,

-your business relations such as other shareholders in your company or other service providers you have a co-operation with, when necessary or the beneficiaries, trustees or settlors of a trust, when applicable;

- your image captured by any CCTV system that may be installed and/or operating when you visit our premises;

-all other information appearing on or requested through our KYC form.

We collect information about you in your capacity as a visitor of our website, specifically, your IP address as well as information regarding what pages on our website you have accessed and when; these are automatically recorded in our server logs as part of how the internet works and through cookies as explained in our cookie policy.

We also collect any other information you provide to us by filling in and submitting web forms on our website, sending us emails, calling us or more generally, contacting us by any means of communication.

We also collect any other information you provide to us by filling in and submitting web forms on our Facebook Page, or Twitter or LinkedIn profiles, such as a query, an order, rating, comment, request or complaint. If you have liked our Facebook Page, follow us on Twitter or connect with us through LinkedIn, we collect your Facebook, Twitter or LinkedIn name as well as any likes, views or comments you make on our Facebook, or LinkedIn posts, as well as anonymized statistics regarding how users engage with our page and profiles as provided by Facebook, Twitter and LinkedIn.

We may also collect information about you, not directly from you, but from third parties, mainly databases of information such as Lexis-Nexis and similar databases. This information may consist of your professional activity, history, disputes you may have been involved or news, publications in which you may have appeared. Other such third parties may be your lawyers or bankers who are authorized to provide us with information of the type listed above on your behalf or other persons intended to be shareholders or beneficial owners of a company together with yourself or other corporate service providers who are authorized by you to disclose to us relevant information in order to enable us to serve you.

How is your information used?

We use your information lawfully in accordance with Article 6(1)(a), i.e. for purposes you have consented to, Article 6(1)(b)i.e. as necessary to conclude or perform a contract with you, Article 6(1)(c) i.e. to comply with obligations imposed by law (such as tax and anti-money laundering legislation), Article 6(1)(f), i.e., as necessary for legitimate interests we pursue as a business and as far as sensitive data such as political opinions or prominent public positions is concerned in accordance with Article 6(1)(c) and Article 9(2)(g), i.e. as necessary for reasons of substantial public interest, on the basis of European Union or national law such as anti-money laundering legislation. In relation to data relating to criminal records processing is based in accordance with Article 6(1)(a) or (c) and Article 10, i.e. with your consent or to the extent permitted or required by national anti-money laundering legislation.

We provide more details immediately below to help you understand how exactly we use your information:

We may use your information in order to:

Article 6(1)(b)

-respond to your orders for services, requests or queries or communicate with you in relation to concluding or performing a contract of services with you;

-process or examine service requests submitted by you;

-carry out all of our obligations arising from the contract between you and our company or take steps to enter into such contract;

-register and administer a company as per your request including providing you with nominee services or provide you with requested expert advice or set up a trust as part of our services;

-to register you or your company with the tax authorities;

-effect financial transactions on your behalf and arrange for the opening of bank accounts for you or your company as per your request in the context of providing the services contracted for;

-receive or request payment from you or your company;

Article 6(1)(c)

-comply with or responding to reporting requirements or demands by regulatory authorities or as specified by the Cyprus law;

-confirm your identity and residence address;

-build up your economic profile and assessing the money-laundering risk associated with a trust or your registered or requested-to-be registered company or any other service associated with a money-laundering risk provided to you;

-monitor transactions and activity for the purposes of preventing and reporting fraud or money laundering, assessing money-laundering risk.;

- comply with our obligations derived from tax legislation with regard to issuing and retain payment-related documentation for bookkeeping and auditing purposes.

Article 6 1 (f)

-notify you of changes to our services or our privacy policy or the law if affecting you;

-carry out customer research, surveys and statistics having previously anonymized relevant data, if applicable;

- pursue legitimate interests, such as respond to your queries outside a contract between us, secure payment of unpaid invoices by contacting you for this purpose, operating pages on social media and communicate with persons who follows us or if applicable, operate a CCTV to protect our people, assets and premises.

Article 6 1 (a)

-provide you with information about promotional offers and our products and services, where you have consented to such communications;

- process additional information about you such as a clean criminal record to the extent not covered by Article 6(1)(c) above.

You can withdraw previously-given consent at any time by contacting our DPO, the details of whom are stated at the beginning of this Privacy Policy. In this case, we will stop processing your data for the relevant purpose but the legality of the processing that preceded your consent withdrawal will not be affected.

In case, we do contact you without previously expressly securing your consent, it is because you are an existing client of ours or we believe we have a legitimate interest in keeping in touch with our clients. We will do so without intruding disproportionately on your privacy and we will provide you with a clear opportunity to object, in which case we will stop sending you any relevant messages.

For more on this right of yours to object to the processing of personal data, see below in this Privacy Policy.

Where and how long do we retain your information for?

Your information is mainly stored in physical files and computer servers in our premises in Cyprus.

We only keep information for as long as it is necessary for us to service you and as required to comply with legal or regulatory obligations to which we are subject, more specifically, those arising from tax legislation (six years from the end of the financial year to which they refer according to the Assessment and Collection of Taxes Law of 1978 (L.4/1978), Section 30) and anti-money laundering legislation (five years from the end of the business relationship with the client or from as the case may be, from a single transaction according to the Prevention and Suppression of Money Laundering Activities Laws of 2007, Section 68) as well as to be able to defend or institute any legal actions against or in the name of our company (the limitation period for contractual disputes is six years according to the statute of limitations and to be able to keep a record of denied or terminated client relationship on the grounds of fraud, money-laundering or bad credit history. This data retention period is a maximum of 7 years from the end or termination of our contractual relationship. Your personal data may be retained for longer if there is any suspicion for money laundering or tax-related offences.

We retain information we collect about you in your capacity as a mere visitor to our website for one year, as this is the time that said data approximately remains in the server logs of our website.

Six months is generally the retention period applying to information we have collected as a result of yourself addressing a query or a comment to us through email or otherwise, when we have never had a contract with you.

The data processed through our social media pages, is deleted when the post is deleted, or when you choose to withdraw your reaction to our posts (like, sharing etc.). Private messages, if any, are deleted when the communication and its subject is over.

In case of a maximum retention period specified by the Data Protection Commissioner applying to the domain of our services, we will immediately adhere to any such specified maximum retention period.

After the lapse of the aforementioned periods of retention, we remove it from our systems by deleting it or we fully anonymize it so that you can no longer be identified from it. In this latter case, we do not delete all of the information but only those pieces of information such as your name, address, email address that reveal that the said information belongs to you.

Who may have access to your information?

We will not sell or rent your information to third parties and we will not share it with third parties for marketing purposes.

We may pass your information to third party service providers as necessary to serve you, conduct our business or comply with legal or regulatory duties. Such third parties may be technical service providers providing us with the software systems or technical facilities (or their maintenance) necessary to conduct administrative tasks inherent in the provision of our services to you or the management of our company, and messengers or delivery companies we use to deliver or receive correspondence. These also include our affiliated company, Ergoserve, which provides us with compliance and other administrative as well as technical system and software services. We only disclose to them the personal information that is absolutely necessary to deliver the service or perform the said task and when required by the Regulation, we have a contract in place that requires them to keep your information secure and in accordance with the principles and rules of the General Data Protection Regulation and not to use it for their own direct marketing purposes or for any purposes other than to provide the service or complete the task as explained above.

Your information submitted or recorded by our Facebook Page, our Twitter or LinkedIn profiles is also passed to Facebook, Twitter and LinkedIn, providing us with the service enabling us to make available and administer a Facebook Page, or an Twitter or LinkedIn profile. The said providers are also data controllers and bound by all of the obligations of the GDPR. You can view their own privacy policies on their websites.

We may also pass your information to our lawyers and accountants/auditors to the extent necessary to defend or institute legal claims and to comply with legal obligations with regard to financial accounts and tax reasons respectively.

If you would like more information about these third parties, you can contact us at the details given at the beginning of this Privacy Policy and we will provide you with the identity of any parties to whom your information has been disclosed, if you do not already have the said information.

We may also transfer personal information to the banks in particular when you pay us by cheque or when and as part of providing banking assistance services to you. Banks within the EU are controllers of personal data themselves and are bound by all of the obligations of the General Data Protection Regulation and must have their own privacy policies which you should consult.

We may transfer your personal information to a third party as part of a sale of some or all of our business and assets or sale of any ownership interest in our company to any third party or as part of any business restructuring or reorganization in which case we will take measures to ensure that all data protection principles and related rights as derived by the General Data Protection Regulation are fully complied with.

We may disclose your information to public, tax, regulatory, filing, supervisory or other authorities, if disclosure is required by law or an order issued by a court of law or as part of compliance with our licensing conditions imposed by such authorities.

Finally, we may disclose your information to your lawyers, accountants, auditors or other professional advisers, banks or other financial institutions or payment service providers you are co-operating with, if requested by you or as necessary to provide you with requested services. Provided the aforesaid professionals and service providers are within the EU they are controllers of personal data themselves bound by all of the obligations of the General Data Protection Regulation and must have their own privacy policies which you should consult.

Other than the above, the recipients of personal data will be the authorized members of our staff which are contractually bound by confidentiality and security obligations and have been informed to handle your personal data in accordance with the rules and principles of the General Data Protection Regulation.

What are your rights?

You may at any time send us any of the following requests and we will meet them the earliest possible and in any case, within 1 (one) month from the date of receipt of your request and inform you about the action we have taken. If your request is for any reason complex to examine or meet, we will inform you of an extension of a maximum of another two months before the aforementioned one-month period expires.

If we have legitimate reasons to refuse to satisfy your request, we will inform you accordingly and in this case if you believe that our decision is unjustified as well as in any other case you may believe that your personal data is not handled by our company legitimately, you have the right to submit a relevant complaint to the Cyprus data protection authority, namely, the Data Protection Commissioner, http://www.dataprotection.gov.cy/.

These are the requests you can submit to us:

A request that we permanently delete all or some of your information from our records (right to be forgotten or to erasure), for example when we no longer have reasons to retain it.

A request for you to access your information that we keep in our records (right of access).

A request that we provide you with a copy of your information that exists in our records, in digital or hard copy form. If you require more than one copy, we may charge you a maximum of EUR100,00 as administrative costs (right to a copy).

A request that we update or correct your information that we keep in our records (right to rectification), for example, in case it is outdated or contains errors or inaccuracies.

A request that we provide you with information of yours we keep in our records in a structured, commonly used and machine-readable format or forward it in such form to another provider of your choice, if such forwarding or transfer is technically possible (right to portability). Please note that this right applies only in relation to data that you yourself has provided to us with and which we process by electronic means in the context of a contract between you and our company or because you have consented to us doing so.

A request that we stop doing anything with your information without however deleting it from our records (right to restriction of processing). In this case, we will restrict access to your data.

A request that we stop processing your information for direct marketing purposes or on the basis of legitimate interests pursued by our company in accordance with Article 6(1)(f), GDPR as explained under the fourth question of this Privacy Policy or in the name of the public interest (right to object). In the case of direct marketing, we will stop processing your information. In the rest of the cases, we will do the same unless we have compelling reasons to refuse to do so.

If you wish to exercise any of the above rights you will be able to do so by contacting our DPO at any of the contact details stated above in this Privacy Policy, preferably by email specifying the type of right you seek to exercise.

Please note that before acting upon any of your above requests, we may require you to prove your identity, if we are in doubt about your true or correct identity. If we cannot identify you, i.e., we do not hold personal data belonging to the person you are saying you are, we will inform you accordingly and we will not act upon your request.

The personal data relating to the handling of any of your requests will be retained up to nine (9) months after the completion of any procedure relating to the request.

What security measures do we apply to protect your information?

When you give us personal information, we take organizational and technical measures to ensure to keep it secure and protected against unauthorized disclosure, alteration, accidental loss or other violation. We list herein below some of the technical and organization measures we apply:

We take reasonable endeavors to avoid a situation whereby files or documents containing personal data are allowed on open view without reason. All such documents/files are securely kept in fireproof and locked file cabinets in areas to which access is monitored, recorded and limited to authorized personnel of our company.

We apply a strict permission policy according to which our personnel have access only to such parts of our software or systems as strictly necessary to perform their work tasks and duties. We have specified all relevant roles and permissions in a written security policy and we follow procedures through which access is interrupted or blocked should the need arises, such as when a personnel member leaves our company.

We follow an effective procedure of data destruction ensuring that all documents no longer necessary are effectively destroyed.

We do not engage into an excessive or unnecessary use of the function of email copying (cc).

Our personnel save all documents and work directly on our servers, thereby ensuring that no personal data remains on the disks of our computers.

Access to all computer terminals of our company is protected by a strong-security password known only by the member of our personnel to whom a given working station is assigned and there is in place a policy for a period change of all passwords. Computer terminals are locked after three failed passport attempts. An automated locking system is applied to all computer terminals.

Access to all software of our company and to email is password-protected, all passwords are kept securely and are updated periodically.

We apply effective anti-virus and firewall software and we engage in systematic updates of the said security software.

We obtain back-up copies of all of the data we store and process daily and we store the said copies in a secure environment at a location different from where the primary data exists. We also make back-up copies of the software we use for data processing following the guidelines of the provider.

The support service of our data processing software is offered on site under supervision or remotely through a secure VPN.

Access to the Internet through our computers has been limited so that the possibility of access to unsecure or illegal websites presenting a risk to the security of our systems is reduced.

Access to our data processing software is not possible remotely, except by specific members of the management of the company through secure VPN with systematically updated passwords.

Activity on our data processing software is restricted so that only specified members of the personnel can edit or delete data.

Remote access to corporate email through personal devices of our personnel is possible but we are notified every time a new device has gained access to email so that we can readily verify that it belongs to authorized personnel. In the event that a personal device is lost or stolen, we have taken measures enabling us to remotely disable or prevent access to corporate email from the said device or delete all content, in the event it appears that contrary to our policy, the personal device has been used to store personal data of our customers. Webmail is disabled so that email is not accessible from anywhere.

The possibility of using external data transfer and storage devices such as USBs and external disks has been disabled on the computers of our company, save a few designated exceptions.

We have a fire protection system in operation on our premises aiming at protecting the physical files with personal data we maintain.

The servers supporting our systems and databases are not used as working stations and are situated in a server room to which access is restricted.

When you use the forms on our websites to submit personal data to us, your information is encrypted and protected through the use of 128 Bit encryption on SSL. This means that what you send and receive from the website is encrypted, which makes it difficult for anyone else to see, read or take possession of this data. You know that your information is encrypted, when you see a lock icon appearing in address bar of your web browser before the URL of the web page you are on.

We have trained our personnel with regards to how they should handle personal data in accordance with the requirements of the General Data Protection Regulation and we have signed contracts with the parties who process data together with us or on our behalf which oblige the said parties to keep your data private and secure and process it in accordance with the requirements of the General Data Protection Regulation.

In the event of a data breach concerning your personal data or a relevant allegation, the personal data relating to its handling will be retained up to twelve (12) months after the completion of any procedure relating to the breach.

Use of Cookies

Please click here to read our Cookies Policy.

Profiling

We engage in company and less frequently, individual profiling too in order to be able to assess the anti-money laundering risk associated with your prospective company and take decisions regarding the extent of the said risk as required by relevant laws and regulations. Though in this exercise we are assisted by software to which we input information as explained above in this Privacy Policy, the relevant decision is not automated as it involves our own (human) input and involvement. Furthermore, this profiling is required by anti-money laundering legislation in order to decide whether you are a low, medium or high risk client. As a result, you do not have the right to object to such profiling or automated decision-making in accordance with Article 21 and 22 of the Regulation respectively.

Transferring your information outside the European Union

We may transfer your personal information to a country that is not a Member State of the EU only if you are based in one such country or to the extent that as explained above, we use third party cloud services such as Microsoft email and hosting services for our webpages or if strictly necessary to provide requested services to you such as the registration of a foreign company. Such parties may be lawyers, accountants, auditors, intermediaries offering corporate and/or fiduciaries services, agents, banks, other financial institutions or payment service providers. The data protection laws of such countries are not the same with those applying in the EU and the level of data protection may be lower, however, when this is a country in relation to which there is not a European Commission decision on the sufficiency of its legal data protection regime as per Article 45 of the Regulation, we ensure that your personal data will be given analogous and/or appropriate respect and protection, specifically by signing with parties based outside the EU, relevant data sharing agreements using standard contractual clauses approved by the European Commission, in accordance with Article 46 of the Regulation. You are entitled to request details of these contractual arrangements with such parties and if applicable to your case, we will provide them to you.