Client’s Personal Data
What is GDPR?

It is a new law which came into force on the 25th of May 2018, designed to enable individuals to better control their personal data. Personal data is defined as any information which identifies individuals directly or indirectly. In relation to clients’ personal data, CPF can either act as a Data Controller, by controlling the storage and usage of personal data by determining the purposes and the means by which the personal data is processed, or as a Data Processor, by maintaining a record of data processing activities, acting on behalf of another Controller.

Why shall the client be informed?

One of the requirements of GDPR is to inform each client how personal data is processed. The processing includes obtaining, recording, storing and carrying any tasks by using personal data. This notice also describes data protection rights.

What are the requirements?

Cyprofund Administration Services Limited, will act as the Data Controller of personal data provided. Personal data includes name, address, email, telephone number, mobile number, temporary residential address, employment address, name of employer, personal status, i.e. identity card number, passport number, marital status, occupation, country of taxation, source of wealth, size of wealth, ownerships and directorships, accompanied by all the required supporting documentation.

For what purposes will client’s personal data be processed?

Personal data shall be processed for several different purposes:

- For providing the services requested from us as those are stipulated within CPF engagement letters;
- For reporting on provided services to the client;
- For verifying client’s identity and carrying out regulatory checks;
- For complying with various laws and regulations to which CPF is obliged:
(i) the Republic of Cyprus Anti Money Laundering laws and regulations (i.e. Law 196 (I) 2012 consolidated with L109 (I) 2013 regulating companies providing Administrative Services and related matters of 2012, The Prevention and Suppression of Money Laundering and Terrorist Financing laws of 2007 and 2010)

(ii) The Cyprus and Securities Exchanging Commission Directive DI144-2007-08 of 2012 for the prevention of Money Laundering and Terrorist financing, being our Regulators
- CPF will not collect any personal data which is not required for providing and oversee requested services.
- For understanding the client’s needs in order to provide a better service; For arranging meetings with the client and/or other events which may be of interest to the client; and
- For obtaining information in relation to your use of our website.

Furthermore, CPF became a member of a Network of Independent Licensed firms around the world, distinguished in their areas of practice in their country, offering a wide range of services, named “Delphi Alliance”. The objective of “Delphi Alliance” is the linking of professionals from eleven different lines of services around the world and creating synergies and opportunities for its member firms. “Delphi Alliance” will be able to store and use clients’ personal data strictly for the purpose of monitoring and documenting CPF’s compliance with the Alliance’s Bylaws and Rulebook only.

All the personal data obtained is processed by CPF staff in Cyprus and for the purposes of IT hosting and maintenance this information it is stored in servers located within the European Union. The third parties have not any access to client’s personal data and CPF does not share client’s personal data with the third parties unless:
(a) this is required for the purpose of providing a client with the services requested from CPF through agents/banks etc. on whose services CPF relies in order to be able to provide with the services stipulated within engagement letters concluded between CPF and the client
(b) the law requires such disclosure i.e. to regulatory authorities or
(c) the client provided with authorization to disclose personal data by a specific consent letter provided to CPF in writing

The third parties whose services CPF use may also transfer client’s personal data to other third parties who in turn provide services to us. CPF requires such third parties to put appropriate safe guards in place if it involves a transfer of personal data outside the EU.

CPF follows Data Protection regime to oversee the effective and secure processing of client’s personal data. More information on this framework can be found on CPF website.

In what cases client’s consent is required?

A consent is required in cases where the client has engaged another provider e.g. auditors, tax advisors, legal associates, etc. who request client’s personal data from CPF, in order to provide with their services.

How long client’s personal data shall be kept in CPF records?

CPF is obliged, under the Cyprus Laws and Regulations, to keep and update client’s personal data for as long as CPF provides its services to the particular client. Upon the termination of business relationship, client’s personal data shall be kept for a minimum of 5 years. After legally required period lapses, client’s personal data shall be destroyed.

Do you subject my personal data to any automated decision making?


What are the legal grounds on which CPF relies to process client’s personal data?

These are as follows:

- The processing is necessary for the performance of terms and conditions set in engagement letter/contract between CPF and the client.
- The processing is necessary for compliance with a legal obligation
- The processing is necessary for the purpose of CPF’s legitimate interests Client’s consent to the processing
- “Legitimate interests” is a heading that covers a number of different reasons why CPF might need to process client’s personal data which may not be covered by other headings, such as –
- To comply with regulation or regulatory guidance
- To prevent fraud or financial crime
- To provide a better service
- To build mutual relationship with the client by inviting the client to events in which the client might be interested To transfer personal data between group entities for
internal administrative purposes or
- For the purposes of network or information security

What rights does the client has over its personal data?

GDPR gives a number of rights over client’s data, subject to certain criteria are met.

These are:

- Right of access - a right to obtain a copy of the data CPF holds about the client as well as some supplementary information on that data
- Right to rectification - a right to require CPF to correct the data about the client
- Right to data portability - a right to require CPF to transfer personal data provided
Right to object - a right to object the processing of personal data on the basis of CPF legitimate interests and or the processing of personal data for direct marketing purposes
- Right to erasure - a right to require CPF to erase personal data that about the client If the client wishes to exercise any of these rights, he/she shall contact usual CPF contact/administrator who will provide with further information regarding how to exercise these rights.

Right to lodge a complaint

If the client wishes to raise a complaint on how CPF has handled personal data, the client shall contact CPF Data Protection officer who will investigate the matter.

If the client is not satisfied with CPF response or believe CPF is processing client’s personal data not in accordance with the law, the client may file a complaint to the Office of the Commissioner for personal data protection.

CPF Data Protection Officer is Elena Chrysanthou and the client may contact her at:

Updates to this notice

There may be updates to this notice from time to time in order to reflect changes in the way CPF processes clients’ personal data or to clarify information provided in this notice. Each client will be notified about these changes when CPF is legally required to do so.

Date: 28th May 2021