It is a new law which came into force on the 25th of May 2018, designed to enable individuals to better control their personal data. Personal data is defined as any information which identifies individuals directly or indirectly. In relation to clients’ personal data, CPF can either act as a Data Controller, by controlling the storage and usage of personal data by determining the purposes and the means by which the personal data is processed, or as a Data Processor, by maintaining a record of data processing activities, acting on behalf of another Controller.
One of the requirements of GDPR is to inform each client how personal data is processed. The processing includes obtaining, recording, storing and carrying out any tasks using personal data. This notice also describes data protection rights.
Cyprofund Administration Services Limited will act as the Data Controller of the personal data provided. Personal data includes name, address, email, telephone number, mobile number, temporary residential address, employment address, name of employer, personal status, i.e. identity card number, passport number, marital status, occupation, country of taxation, source of wealth, size of wealth, ownerships and directorships, accompanied by all the required supporting documentation.
Personal data shall be processed for several different purposes:
- For providing the services requested from us as those are stipulated within CPF engagement letters;
- For reporting on provided services to the client;
- For verifying the client’s identity and carrying out regulatory checks;
- For complying with the various laws and regulations with which CPF is obliged to comply:
(i) the Republic of Cyprus Anti Money Laundering laws and regulations (i.e. Law 196 (I) 2012 consolidated with L109 (I) 2013 regulating companies providing Administrative Services and related matters of 2012, The Prevention and Suppression of Money Laundering and Terrorist Financing laws of 2007 and 2010)
(ii) the Cyprus Securities and Exchange Commission Directive DI144-2007-08 of 2012 for the prevention of Money Laundering and Terrorist financing, being our Regulators
- CPF will not collect any personal data which is not required for providing and overseeing the requested services.
- For understanding the client’s needs in order to provide a better service;
- For arranging meetings with the client and/or other events which may be of interest to the client; and
- For obtaining information in relation to your use of our website.
Furthermore, CPF became a member of a Network of Independent
Licensed firms around the world, distinguished in their areas of
practice in their country, offering a wide range of services, named
“Delphi Alliance”. The objective of “Delphi Alliance” is the linking
of professionals from eleven different lines of services around the
world and creating synergies and opportunities for its member firms.
“Delphi Alliance” will be able to store and use clients’ personal
data strictly for the purpose of monitoring and documenting CPF’s
compliance with the Alliance’s Bylaws and Rulebook only.
All the personal data obtained is processed by CPF staff in Cyprus and, for the purposes of IT hosting and maintenance, this information is stored on servers located within the European Union. Third parties do not have any access to clients’ personal data and CPF does not share clients’ personal data with third parties unless:
(a) this is required for the purpose of providing a client with the services requested from CPF through agents/banks etc. on whose services CPF relies in order to be able to provide the services stipulated within engagement letters concluded between CPF and the client;
(b) the law requires such disclosure, i.e. to regulatory authorities; or
(c) the client has provided authorization to disclose personal data by a specific consent letter provided to CPF in writing.
The third parties whose services CPF uses may also transfer clients’ personal data to other third parties who in turn provide services to us. CPF requires such third parties to put appropriate safeguards in place if it involves a transfer of personal data outside the EU.
CPF follows a Data Protection regime to oversee the effective and secure processing of clients’ personal data. More information on this framework can be found on the CPF website.
Consent is required in cases where the client has engaged another provider, e.g. auditors, tax advisors, legal associates, etc., who requests the client’s personal data from CPF in order to provide their services.
CPF is obliged, under the Cyprus Laws and Regulations, to keep and update the client’s personal data for as long as CPF provides its services to the particular client. Upon the termination of the business relationship, the client’s personal data shall be kept for a minimum of 5 years. After the legally required period lapses, the client’s personal data shall be destroyed.
No.
These are as follows:
- The processing is necessary for the performance of the terms and conditions set in the engagement letter/contract between CPF and the client.
- The processing is necessary for compliance with a legal obligation
- The processing is necessary for the purpose of CPF’s legitimate interests
- Client’s consent to the processing
- “Legitimate interests” is a heading that covers a number of different reasons why CPF might need to process the client’s personal data which may not be covered by other headings, such as:
- To comply with regulation or regulatory guidance
- To prevent fraud or financial crime
- To provide a better service
- To build a mutual relationship with the client by inviting the client to events in which the client might be interested
- To transfer personal data between group entities for internal administrative purposes or
- For the purposes of network or information security
GDPR gives a number of rights over the client’s data, subject to certain criteria being met.
These are:
- Right of access - a right to obtain a copy of the data CPF holds about the client as well as some supplementary information on that data
- Right to rectification - a right to require CPF to correct the data about the client
- Right to data portability - a right to require CPF to transfer personal data provided
- Right to object - a right to object to the processing of personal data on the basis of CPF legitimate interests and/or the processing of personal data for direct marketing purposes
- Right to erasure - a right to require CPF to erase personal data about the client
If the client wishes to exercise any of these rights, he/she shall contact the usual CPF contact/administrator, who will provide further information regarding how to exercise these rights.
If the client wishes to raise a complaint on how CPF has handled personal data, the client shall contact the CPF Data Protection Officer, who will investigate the matter.
If the client is not satisfied with CPF’s response or believes CPF is processing the client’s personal data not in accordance with the law, the client may file a complaint to the Office of the Commissioner for Personal Data Protection.
The CPF Data Protection Officer is Elena Chrysanthou and the client may contact her at: DPO@cpm.com.cy
There may be updates to this notice from time to time in order to reflect changes in the way CPF processes clients’ personal data or to clarify information provided in this notice. Each client will be notified about these changes when CPF is legally required to do so.