1 INTRODUCTION
ANDERSEN is the tradename of UnityFour Cyprus Ltd, a limited liability company registered in Cyprus, with registered office address at 140 Athalassas Avenue, 2024 – Nicosia, Cyprus (“ANDERSEN”, “We”, “Us”, or “Our”).
ANDERSEN is committed to protecting your Personal Data and will collect, store, use, process and transfer your Personal Data exclusively in compliance with the provisions of the General Data Protection Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, effective as of 25 May 2018, (the “GDPR”) and the provisions of the Cyprus Law 125 (I) 2018 on the protection of natural persons with regard to the processing of personal data and for the free movement of such data, effective as of 31 July 2018, as amended or supplemented from time to time (the “Cyprus Data Law”).
Personal Data means any information relating to you which identifies or may identify you, including, without limitation, your name, address, passport number, ID number, social insurance number, tax number and bank account details.
2 TO WHOM WE ADDRESS THIS PRIVACY NOTICE
This privacy notice: (a) is addressed to natural persons who are, current or potential, (i) individual clients, (ii) beneficial owners, shareholders, directors or authorised representatives/ agents/ contact persons of legal entities clients, and (iii) employees of Our clients, (b) provides an overview on how and for what reasons ANDERSEN collects, uses, process and transfers your Personal Data, and (c) contains information about, inter alia, the processing of your Personal Data, with whom we may share your Personal Data, about the transfer of your Personal Data outside the European Economic Area (the “EAA”), for how long we may keep your Personal Data, the security of your Personal Data and the rights you are entitled to.
EEA means all EU countries and Iceland, Liechtenstein and Norway and any other countries to be acceded to the EEA.
3 WHY WE ARE OBLIGED TO COLLECT YOUR PERSONAL DATA BEFORE COMMENCING BUSINESS
If you are a beneficial owner, shareholder, director or authorized representative/agent /contact person of a legal entity, you must provide to ANDERSEN your Personal Data, as it is a prerequisite for the commencement of a business relationship between you and ANDERSEN.
ANDERSEN is a regulated and supervised firm under the Institute of Certified Public Accountants of Cyprus (ICPAC), with regards to Anti-Money Laundering and Counter- Terrorist Financing (AML/CTF) and as such We are obliged, prior to entering into any contract or business relationship with you or the legal entity, for which you are the beneficial owner, shareholder, director or authorized representative /agent /contact person, to verify your identity pursuant to the Cyprus AML/CTF laws and regulations and to complete Our internal clients acceptance procedures. If you do not provide Us with the required Personal Data, then We will not be allowed to commence or continue our business relationship either to you as individual or to the legal entity to which you are the beneficial owner, shareholder, director or authorized representative /agent /contact person.
4 FROM WHERE WE COLLECT PERSONAL DATA
ANDERSEN collects different types of Personal Data, depending on your circumstances, which We receive, in the context of our business relationship with you, from you in person or through telecom, correspondence or e-mail correspondence from the following, including, without limitation, sources: (a) from the completion of Our Due Diligence Questionnaire (DDQ) and submission of your Know Your Client (KYC) documents, (b) from your authorised representatives/ agents /contact persons (c) from your employers, (d) from other third parties e.g. companies or individuals that introduce you to Us and (e) from publicly available or other sources such as the Cyprus Department of Registrar of Companies & Official Receiver, the Land Registry, the Tax Department, the Social Insurance Department, the Civil Registry & Migration Department, Credit Reference Data Agencies (e.g. World Compliance), the Press, the Media and the Internet in general, which we lawfully obtain and are permitted to process.
5 WHAT DATA WE COLLECT & PROCESS
The Personal Data that We collect, depending on your circumstances and our business relationship, may include, without limitation, the following: (a) Information about you: Name, title, gender, date and place of birth, marital status, nationality, residence status, taxation residence and tax ID, education level, profession, occupation, working and professional status, employed/self-employed, if you hold/held a prominent public function (PEP), curriculum vitae, reference letters, business card, tax declarations and proof of your address, (b) Information about your siblings: First and last name of your spouse, father and mother. Your spouse profession and occupation and her employer’s details, (c) Information to identify you: Passport, ID and/or driving license, (d) Information to contact you at work or home: Residence and/or correspondence address, residence and/or mobile telephone, fax number, email address, your employer’s name, website and contact details, (e) Information arising from the performance of our contractual obligations: Yours and your spouse’s income, source of yours and your spouse’s income, source of assets and your financial wealth, credit/debit turnover, nature of transactions and (f) Other Information: Salaries, entitlements, tax and/or VAT and/or social insurance numbers, residence or work permit (for non-EU nationals), bank account details, your income & expenses and bank statements.
Some types of information is classified as “sensitive” for the purposes of the GDPR (e.g. ethnic origin) where, except for limited statutory purposes, it is necessary to obtain your explicit consent before we can hold and use such sensitive Personal Data. Based on such exceptions, we may hold and use any sensitive Personal Data, without your consent, for, inter alia, perform Our obligations or exercise Our rights under employment and social insurance laws, for protecting your legitimate interests, for legal claims or in the public interest e.g. for fraud and money laundering prevention purposes. Where We will use your sensitive Personal Data for reasons other than based on the foregoing exceptions, We will obtain your consent at the time of collection.
We shall keep manual or electronic filing systems in which we shall store your Personal Data, including any sensitive Personal Data, submitted or to be submitted during our ongoing business relationship. Depending on your circumstances, during Our client acceptance procedures and in regular periods during our business relationship (in order to confirm your data for fraud and money laundering prevention purposes) we shall collect and store your passport and/or ID and/or driving licenses and/or other personal identification documents.
6 THE PURPOSES FOR WHICH WE COLLECT & PROCESS YOUR PERSONAL DATA
We collect and process your Personal Data, where such processing is reasonably necessary, for and based on the following purposes and legal grounds:
- Compliance with legal obligations: As mentioned under paragraph 3 above, being a regulated for AML/CTF purposes firm, We are subject to various legal obligations and statutory requirements that impose on Us the obligation to process Personal Data activities for identity verification, risk assessment, internal reporting procedures, AML/CTF controls and client acceptance procedures. We process your Personal Data for complying with Our foregoing legal obligations.
- Performance of Contract: We process your Personal Data in order to provide Our services and perform Our contractual obligations based on the services agreement between ANDERSEN and yourselves. The purpose of the process depends on the requirements of each service you requested and agreed to be provided under the services agreement which may include, depending on your circumstances, indicatively but not exhaustively, to fiduciary services, accounting services, business consulting services, tax & VAT services, banking services and payroll services.
- Legitimate interests: We process your Personal Data in order to safeguard legitimate interests pursued by Us or by a third party, including, without limitation: (i) when necessary or reasonably expected by you as a client (ii) updating/ verifying your Personal Data in accordance with the AML/CTF compliance framework, (iii) preventing potential crimes or fraud, (iv) initiating legal claims and preparing our defence in the event of litigation, (v) managing Our business and further developing Our services.
- On the basis of your Consent: Provided you have given Us your consent for processing for certain purpose (other than for the purposes set out herein above), we process your Personal Data based on such consent. You have the right to revoke your consent however any processing prior to the receipt of such revocation will not be affected.
We will only use your Personal Data for the purposes for which we have collected it, unless we reasonably consider that We need to use it for another reason and that reason is compatible with the original purpose. If We need to use your Personal Data for unrelated purposes, We will notify you and We will explain the legal basis which allows Us to do so.
7 WHO RECEIVES YOUR PERSONAL DATA
We may disclose your Personal Data if We are legally required to do so or if We are authorised under our contractual or statutory obligations or if you have given Us your consent. Certain service providers may also receive your Personal Data so that we may perform our contractual obligations e.g. appointed auditors and/or legal advisors and/or credit financial institutions. We will take all reasonable and practical measures to ensure that such service providers will comply with the data protection under the GDPR and the Cyprus Data Law.
Your Personal Data may be shared with the following, including, without limitation, organisations/persons:
(a) Supervisory and other regulatory authorities who have power to request information from Us e.g. ICPAC
(b) Government Departments and Public Authorities e.g. the Tax Department, the Social Insurance Department, the Civil Registry & Migration Department and Criminal Prosecution Authorities
(c) Fraud prevention agencies
(d) Credit and financial institutions
(e) Service providers/agents assisting in providing Our services
(f) Service providers assisting in implementation of our procedures e.g. IT services & AML support
(g) External legal, tax, VAT and business advisors
(h) Companies you ask Us or you have given your consent to share your data with
(i) Other UnityFour entities, holding companies or collaborating firms
(j) File storage companies
We will take all reasonable and practical measures to ensure that data processors appointed by Us to process your Personal Data will comply with the GDPR and the Cyprus Data Law provisions.
We may also share your Personal Data if the structure of ANDERSEN changes in the future. We may choose to sell, transfer or merge parts of our business or our assets or We may choose to acquire other business or merge with them. In any such cases We may share your Personal Data with other parties only if they agree to keep your data safe and private.
8 TRANSFER OF YOUR PERSONAL DATA OUTSIDE THE EEA
Personal Data will only be transferred to countries outside the EEA if:
(a) this is required for fulling our contractual obligations;
(b) you have granted Us your consent;
(c) this is required by law.
Processors in countries outside the EEA, which are not considered ensuring an adequate level of protection of personal data by the EU Commission or a national data protection authority (the so called “Unsafe Third Countries”) are obliged to comply with the data protection level in Europe and provide appropriate safeguards in relation to the transfer of your Personal Data in accordance with article 46 of the GDPR. Where we use agents/service providers located in such Unsafe Third Countries We will ensure that they will provide such safeguards. Any transfers outside the EEA will be in line with the GDPR and the Cyprus Data Law.
9 PERSONAL DATA FOR MARKETING OR INFORMATIVE PURPOSES
In general, We do not use your Personal Data for marketing purposes. In the unlikely event that We will use your Personal Data to promote Our services to you, We can only use your Personal Data if We have obtained your explicit consent to do so. You have the right at any time to object to the processing of your Personal Data for marketing purposes using the contact details in paragraph (15) below.
We may use your Personal Data to send you informative material/ guides/ updates on certain issues that, depending on your circumstances, could be of interest to you e.g. tax law updates.
10 TO WHAT EXTEND WE CARRY DECISION-MAKING & PROFILING
In establishing and carrying out a business relationship we generally do not use automated decision-making. We may process some of your Personal Data automatically with goal of assessing certain personal aspects (profiling) in the context of fraud and money laundering prevention, in order to establish a business relationship with you.
11 HOW LONG WE KEEP YOUR PERSONAL DATA (RETENTION PERIOD)
We will keep your Personal Data for as long as you are a client of ANDERSEN either as individual or in respect of legal entities as beneficial owner, shareholder, director and/or authorized representative/ agent/ contact person.
On termination of our business relationship, We may keep your Personal Data for up to seven (7) years. We may keep your Personal Data for longer than seven (7) years if We cannot delete it for legal and/or regulatory and/or technical reasons.
In cases where you provide us with your Personal Data for the purposes of becoming a client of ANDERSEN (either as individual or in respect of legal entities as beneficial owner, shareholder, director and/or authorized representative / agent/ contact person) but for any reason whatsoever we do not, in accordance with necessary internal procedures, accept you as a client or you do not wish to proceed in business relationship with Us, we will keep your Personal Data up to six (6) months.
12 YOUR DATA PROTECTION RIGHTS
You have the following rights in respect of the Personal Data We hold about you:
(a) Request Access: this gives you the right to receive a copy of your Personal Data and to check whether We are lawfully processing it.
(b) Request Correction (Rectification): this gives you the right to have any incomplete or inaccurate Personal Data corrected.
(c) Request Erasure (Right to be Forgotten): this gives you the right to request from Us to erase/ delete/ remove your Personal Data where there is no good reason for Us to continue processing it. Please note that We may not always be able to comply with such request or erasure for certain legal reasons which We will notify to you, if applicable, at the time of your request. In such a case, your Personal Data will be stored but not processed until expiration of the retention period referenced under paragraph (11) above.
(d) Object to Process: this gives you the right, subject to the legal basis on which the processing activity is based, to object to the processing of your Personal Data. When you file an objection, unless we have compelling legitimate grounds (that override your interests, rights and freedoms) to continue processing your Personal Data which We need to comply with, We will no longer process your Personal Data.
(e) Request Restriction: this gives you the right to request from Us to restrict the processing i.e. to use it only for certain purposes, in the following cases:
- where the Personal Data is inaccurate;
- where We process it unlawfully, but you do not want Us to erase it;
- where your Personal Data is no longer required but you need Us to keep it;
- where you have objected to the processing of your Personal Data, but you are waiting Us to confirm whether we have any compelling legitimate grounds to continue using it.
(f) Request to Receive Copy (Right to Portability): this gives you the right to request to receive copy of your Personal Data in a structured, commonly used and machine-readable format, to be transferred to you or directly to a third party you will name.
(g) Withdraw the Consent: this gives you the right, where the processing of your Personal Data is performed subject to your consent, to withdraw your consent at any time. Please note that any withdrawal of consent shall not affect the lawfulness of any processing carried out based on your consent before such withdrawal.
In order to exercise any of the foregoing rights please use the contact details in paragraph (15) below.
File a Complaint: Where you are unhappy with how We have used your Personal Data, you have the right to file a complaint to ANDERSEN (using the contact details in paragraph (15) below) or to the Office of the Cyprus Commissioner of Personal Data Protection (www.dataprotection.gov.cy).
13 PERSONAL DATA SECURITY
Your Personal Data is stored and transmitted securely using encryption. We use the ESET Endpoint Encryption (Deslock+) to encrypt disks, files, folders and emails. Nevertheless, there can be no assurance of an absolute protection. We secure our websites and other systems by means of technical and organizational measures against loss, destruction, access, alteration and circulation of your data by unauthorized third parties.
14 CHANGES TO OUR PRIVACY NOTICE
We reserve the right to amend this privacy notice from time to time. In such a case We shall publish the amended version on this website.
15 WHO IS RESPONSIBLE & WHO YOU CAN CONTACT
The entity responsible for your Personal Data is:
ANDERSEN
140 ATHALASSAS AVENUE
2024 – NICOSIA
CYPRUS
T: +357 22 456 333
If you have any questions and/or want more details about how We use your Personal Data and/or you wish to exercise any of your rights under paragraph (12) above, you may contact:
Natalie Mourouzidou (natalie.mourouzidou@cy.Andersen.com ).
Privacy Notice Version: V2
Date: 2 April 2019