Client Privacy Policy

N.PAPA.LAW-lawyers-cyprus-legal-services-29
  1. Introduction

We take data privacy seriously and are committed to making sure that your privacy is protected. 

For the purpose of this privacy notice, the terms “personal data” and “personal information” are used to refer to any information relating to a natural person that identifies or may identify such person, such as a name or contract details. The term “processing” is used to collectively refer to actions such as the collection, retention, use, disclosure, transfer, deletion or destruction of personal data.

This privacy notice applies to the processing of personal data by us in connection with any:

a) “client services”: provision of products and services by us to actual and prospective clients; and/or
b) “supplier services”: provision of products and services to us by suppliers or service providers.

References in this privacy notice to “you” or “your” are references to individuals whose personal data we process in connection with client services or supplier services. For the avoidance of doubt:

a) any reference in this privacy notice to our “clients” or “suppliers” includes their employees or other personnel whose personal information we process; and
b) this privacy notice also applies to our processing of personal data of individuals who could be (or could be the employees or personnel of) transaction counterparties or rival bidders to, or litigants in legal proceedings involving, our actual or prospective clients.

It is important that you read this privacy notice together with any other notices we may provide on specific occasions when we are collecting or processing your personal data, so that you are fully aware of how and why we are using your personal data.  This privacy notice supplements the other notices and is not intended to override them.  Even though this privacy notice can be accessed on our website, it does not constitute our website privacy policy or cookie policy.  Our website privacy policy and cookie policy are accessible from the privacy section of our website.

  1. Controller for the personal data processed

A “controller” is a person or an organisation who, alone or jointly with others, determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed.  Unless we notify you otherwise, we are the controller of personal data provided to us for the purposes described in this privacy notice.

  1. Use of personal data

As per the applicable legislation, including, but not limited to, the EU General Data Protection Regulation (GDPR) (“Data Protection Legislation”), we would hereby like to inform you that we process your personal data for various purposes, including as follows:

a) to conduct pre-engagement assessments and formalities such as anti-money laundering checks, conflict checks etc.;
b) to provide our services, perform the tasks entrusted to us and fulfil our engagement by you;
c) for internal administrative or operational purposes;
d) to engage in marketing and business development activity in relation to our services. This may include sending you newsletters, legal updates, marketing communications and other information that may be of interest to you;
e) to comply with legal, regulatory, accounting or reporting obligations that we have to discharge;
f) to establish, exercise or defend our legal rights or for the purpose of legal proceedings;
g) to use it for our legitimate business interests, such as undertaking business research and analysis, managing the operation of our website and our business including improving data security and system maintenance;
h) to manage our relationship with you, which will include notifying you about changes to our terms of business or this notice;
i) to take you on as a supplier;
j) to manage payments, fees and charges and to collect and recover money owed to us; and
k) to look into any complaints or queries you may have.

  1. Sources of collection of personal data

We may collect information about you directly from you e.g. when you fill in forms on our website, correspond with us by email, fax or post, speak to us in person or over the telephone or whilst visiting our offices.  We may also collect information from third parties and/or publicly available sources e.g. public and/or regulatory and/or supervisory authorities (such as the Department of the Registrar of Companies and Official Receiver of the Republic of Cyprus, the Land Registry Offices, the Bankruptcies and Liquidations Registries etc.), lists and databases maintained by other entities including international organisations (such as sanctions lists and politically exposed persons lists), entities providing services and products for KnowYour-Customer (KYC) and due diligence purposes, the media, the press, the internet etc.

  1. Types of personal data processed

The personal data that we process may include, among other:
a) contact details (including name, surname, home, work and correspondence address, telephone number, email address and Skype ID);
b) identification and authentication details (including signature, date of birth, place of birth, place of residence, passport and/or ID details and/or copies, gender, social insurance numbers, utility bills and other information relevant to your identification);
c) personal information (including marital and family status, marriage certificate, information as to family members, photographs, employment status and current profession/position, CV, educational level, academic qualifications, work experience, reference letters and other related information);
d) financial information (including bank account details, tax information such as tax identity number and country of tax residence, annual income, source of wealth and other financial information required for receiving payments and complying with regulatory requirements for anti-money laundering and KYC purposes);
e) services related information i.e. information provided to us in the course of our contractual relationship with you; and/or
f) any other categories of personal data you may provide to us in the course of our business relationship.

We further process data concerning criminal convictions and offences (such as clean criminal record certificates), as well as special categories of data, including the following:
a) personal data revealing racial or ethnic origin (including your nationality/ies, residency and domicile information, birth certificate and other related information);
b) personal data revealing political opinions, religious or philosophical beliefs (including whether you are a politically exposed person);
c) personal data revealing trade union membership; and/or
d) data concerning your health (such as medical certificates, results of medical examinations and other related information).

Our services are neither aimed at nor intended for children. However, in certain cases, we may process personal data relating to a child e.g. when we act for you in relation to certain private matters.  Such processing takes place only where necessary for the specific client services we are providing.  In such cases, we act on behalf of the parent or guardian.

  1. Legal basis for processing your personal data

We rely on the following legal grounds to process your personal information, namely:

a) consent – we may (but usually do not) need your consent to use your personal information. You can withdraw your consent by contacting us;

b) performance of a contract – we may need to collect and personal information to enter into a contract with you or to perform our obligations under a contract with you;

c) legitimate interest – we may use your personal information for our (or a third party’s) legitimate interest which is not overridden by your interests or fundamental rights and freedoms, such as marketing; and/or

d) compliance with law or regulation – we may use your personal information as necessary to comply with applicable law/regulation.

  1. Sharing of personal data

In order to process a query, deliver services, or to fulfill any of the purposes set out above, we may disclose your personal data to third parties.  Such third parties may include:

a) couriers;
b) our professional advisers or consultants;
c) accountants, auditors, tax consultants and intermediaries with public authorities; (iv) credit institutions;
d) information technology and telecommunications providers;
e) legal directories;
f) any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation or other regulatory authority, law enforcement agency or similar body (for example, the Cyprus Bar Association);
g) local or specialist legal counsels; or
h) your other advisors, your counter-parties and their legal counsels in a legal matter and, generally, all those individuals to whom transmission is required for one of the purposes stated above.

Such third parties may be located outside the European Economic Area (the “EEA”).  In the instances where the transfer of personal data from a location within the EEA to outside the EEA is necessary, it will take place in compliance with the Data Protection Legislation.

  1. Consequences of failure to provide your personal data

Your provision of personal data to us (including personal data of third parties) is voluntary.  However, if you refuse to provide any such data, then, depending on the circumstances, we may be unable to provide certain services to you, enter into a contract with you, continue our relationship with you, or execute an instruction.

  1. Processing of personal data relating to other individuals provided by you

In case you provide us with personal data of other individuals, before you pass any such personal data to us, you must ensure that the said individuals understand how their personal data will be used and processed by us.  It is your responsibility to inform the said individuals about the processing, provide them with information about such disclosure and establish a legal basis for sharing the personal data with us, to the extent required by applicable law.

If you are not our client, we may need to process your personal data (which may be provided to us as part of a disclosure process or by another third party) in order to provide client services to our client, including the provision of legal advice.  In these circumstances, we will process your personal data as:

a) this is in our legitimate interests, and/or the legitimate interests of our client and/or of a third party; and/or
b)we may be obliged to process such personal data in order to comply with our legal or regulatory obligations.

  1. Retention of personal data

How long we hold your personal information for will vary and will depend principally on:

a) the purpose for which we are using your personal data – we will need to keep the data for as long as is necessary for the relevant purpose; and
b) legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.

  1. Security

We protect your personal data and implement appropriate technical and organisational security measures to protect it against any unauthorised or unlawful processing and against any accidental loss, destruction or damage.

  1. Changes to your personal data

Please keep us informed of any changes to your personal data or if you realise that any of the personal data that you have provided is inaccurate or incomplete, as it is important that the personal data we hold about you is accurate and correct.

  1. Your rights

You have a number of legal rights in relation to the personal data that we hold about you.  You can exercise such rights by writing to us at info@npapandreoulaw.com.

These rights include:

– obtaining information regarding the processing of your personal data and access to the personal data which we hold about you. Please note that there may be circumstances in which we are entitled to refuse requests for access to copies of personal data and we may limit or deny access to personal data where permitted by law.  In particular, information that is subject to legal professional privilege will not be disclosed other than to our client and as authorised by our client;

– requesting that we correct your personal data if it is inaccurate or incomplete. Please note that when personally identifiable information is retained, we do not assume responsibility for verifying the ongoing accuracy of the content of personal information;

– requesting that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we are legally entitled to retain it;

– objecting to, and requesting that we restrict, our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled to refuse that request;

– in some circumstances, receiving some personal data in a structured, commonly used and machine-readable format and/or requesting that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to personal data which you have provided to us;

– withdrawing your consent where the processing is based on your consent. Please note that withdrawal of consent does not affect the lawfulness of processing based on consent before it was withdrawn; and/or

– lodging a complaint with the Commissioner’s Office of Personal Data Protection in Cyprus, if you think that any of your rights have been infringed by us.

When contacting us in connection with any of your rights, as these are described above, you must provide sufficient identifying information before your request can be dealt with.

  1. Changes to this privacy notice

We may modify this privacy notice from time to time in order to reflect our current practices and/or in accordance with any changes in the applicable legal framework.  Our most current privacy policy will govern any personal information we hold on you.  We encourage you to check back periodically to see any updates or changes to our privacy notice.  This privacy notice was last updated on the “as amended on” date (if any) on the cover page of this privacy notice.  Any prior versions of this privacy notice can be obtained by contacting us info@npapandreoulaw.com.