In the context of offering its services, certain personal data are collected to facilitate the company’s relationship with the client and to provide the best possible service. The Law Firm as a Data Controller is in a decisive responsibility for all processes that occur and relate to personal data.
In the course of our duty to provide you legal support, we obtain certain personally identifiable information about you, to facilitate our relationship and offer you the best possible service.
2. TYPES AND USAGE OF INFORMATION WE COLLECT
The legal basis for the collection of your data is to establish a stable communication stream and to give you the opportunity to count the possible consequences of refusing to render us any or some of the information required. For this, we will provide you with a client questioner on the lines of the principle of “Know your Client” in which you will have to provide us with all the information required together with your consent for the use of the information given, according to what it is describe bellow.
|Purposes of processing your data||Personal data involved||Possible consequences of failure to provide the personal data||Legal basis for processing your data|
|1||Your Customer Registration/Contract||Personal Identifiers, Contact Details,
Statement of consent/ Pseudonymization, Tax Identifiers, Social Security Identifiers, Connection Information, Location Information, Medical/health information if needed
|Failed registration/Contract||Contract Performance|
|2||Retainer to our firm||Contact Details subject of appointed||Inability to represent a customer||Legal Obligation|
|3||Identity and Contact Details Verification to our electronic and filing record||Personal Identifiers, Connection Information, Localization Information, Record number||Inability to be registered to our records, Refusal to accept||Regulatory/ Legal Obligation|
|4||Monitoring & Assessing Behaviour for Crime Prevention||Personal Identifiers, Contact Details, Criminal Activity, Tax Identifiers, Social Security Identifiers, Financial Information (Bank Reference)||Account suspension/ closure, Unavailability to login, Withdrawal request unavailable||Regulatory/ Legal Obligation|
|5||Informative Communications, Newsletters, circulars and information on matters of general interest||Personal Identifiers, Contact Details||Unavailability of receiving newsletters and materials of general interest||Consent|
|6||Inquiries, Complaints & Troubleshooting||Personal Identifiers, Contact Details, Occupational Activity, Connection Information, Localisation Information,||N/A||Legitimate Interest (Optimal experience for our customers and troubleshooting of issues)|
|7||Reporting to Regulatory/ Law enforcement Authorities||Personal Identifiers, Social Security Information, Connection Information, Localisation Information, Tax Identifiers||Account suspension/ closure, Unavailability to login,||Regulatory/ Legal Obligation|
|8||Quality Assurance and Customer Services Training Through Call Recording||Personal Identifiers, Contact Details, Occupational Activity||Unavailability of Call-back/ Phone Administration Service||Legitimate Interest (Optimal experience for our customers and quality assurance of our customer service)|
“Additional Provisions Applicable to Processing of Personal Information of EEA Residents.” This includes detailed information provided pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data, commonly referred to, as the “General Data Protection Regulation” (GDPR) and Law 125(I)/2018 which adopts GDPR as part of Cyprus Legal system.
GDPR Regulation and Cyprus Law provides to every natural person a list of fundamental rights regarding the protection of his/her rights. You may exercise any of your rights in relation to your personal data by written notice to our Data protection Officer at email@example.com in addition to the other methods specified in this section.
You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to:
(a) your request not being found to be unfounded or excessive, in which case a charge may apply;
(b) the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a certified officer or bank, plus an original copy of a utility bill showing your current address).
We may withhold personal information that you request, to the extent permitted by law.
We will not process your personal information for marketing purposes, unless we will have your written consent.
In practice, we will ask you to expressly agree in advance to our use of your personal information for marketing purposes and we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.
The rights you have under data protection regulation sections 7(3), 15 to 21, 77 are:
(a) Your right to access your data.
You have the right to ask us to confirm whether or not we process your personal data and, to have access to the personal data, and any additional information.
- That additional information includes the purposes for which we process your data, the categories of personal data we hold and the recipients of that personal data.
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
- You may request a copy of your personal data.
The first copy will be provided free of charge, but we may charge a reasonable fee for additional copies
(b) Your right to rectification.
If we hold any inaccurate personal data about you, you have the right to have these inaccuracies rectified. For the purposes of the processing, where necessary, you also have the right to have any incomplete personal data about you, completed.
(c) Your right to erasure.
In certain circumstances you have the right to have personal data that we hold about you erased. This will be done without undue delay. These circumstances include the following:
- it is no longer necessary for us to hold those personal data in relation to the purposes for which they were originally collected or otherwise processed;
- you withdraw your consent to any processing which requires consent;
- the processing is for direct marketing purposes; and
- the personal data have been unlawfully processed.
However, we will only process it for other reasons:
- with your consent;
- in relation to a legal claim;
- for the protection of the rights of another natural or legal person; or
- for reasons of important public interest.
(d) Your right to restrict processing.
In certain circumstances you have the right for the processing of your personal data to be restricted. This is the case where:
- you do not think that the personal data we hold about you is accurate;
- your data is being processed unlawfully, but you do not want your data to be erased;
- it is no longer necessary for us to hold your personal data for the purposes of our processing, but you still require that personal data in relation to a legal claim; and
- you have objected to processing, and are waiting for that objection to be verified.
Where processing has been restricted for one of these reasons, we may continue to store your personal data.
However, we will only process it for other reasons:
- with your consent;
- in relation to a legal claim;
- for the protection of the rights of another natural or legal person; or
- for reasons of important public interest.
(e) Your right to object to processing.
You can object to us processing your personal data on grounds relating to your particular situation, but only as far as our legal basis for the processing is that it is necessary for:
- the performance of a task carried out in the public interest, or in the exercise of any official authority vested in us; or
- the purposes of our legitimate interests or those of a third party.
If you make an objection, we will stop processing your personal information unless we are able to:
- demonstrate compelling legitimate grounds for the processing, and that these legitimate grounds override your interests, rights and freedoms; or
- the processing is in relation to a legal claim.
(f) Your right to object to direct marketing.
You can object to us processing your personal data for direct marketing purposes. If you make an objection, we will immediately stop processing your personal data for this purpose.
(g) Automated data processing.
To the extent that the legal basis we are relying on for processing your personal data is consent, and where the processing is automated, you are entitled to receive your personal data from us in a structured, commonly used and machine-readable format. However, you may not have this right if it would adversely affect the rights and freedoms of others.
(h) Your right of complaining to a supervisory authority.
If you think that our processing of your personal data infringes data protection laws, you can lodge a complaint with a supervisory authority responsible for data protection. You may do this in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
(i) Your right to withdraw consent.
To the extent that the legal basis we are relying on for processing your personal data is consent, you are entitled to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
The personal data we hold for Staff
Personal data that we may collect, use, store and share (when appropriate) about staff includes, but is not restricted to:
- Contact details
- Date of birth and gender
- Next of kin and emergency contact numbers
- Salary, annual leave, pension and benefits information
- Bank account details, payroll records, National Insurance number and tax status information
- Recruitment information, including copies of right to work documentation, annual licenses from the competent authorities, if needed, references and other information included in a CV or cover letter or as part of the application process
- Qualifications and employment records, including work history, job titles, working hours, training records and professional memberships
- Outcomes of any disciplinary and/or grievance procedures
- Annual absence leaves and sick leaves as from the date of employment in our firm
- Copy of driving licence
- Data about the personnel’s use of the business’s information and communications system.
We may also collect, store and use information about the personnel that falls into “special categories” of more sensitive personal data. This includes information about:
- Trade union membership
- Health, including any medical conditions, and sickness records, which are absolutely necessary for the exercise of their jobs
Why we use this Staff data
The purpose of processing this data is to help us run the business, including to:
- Enable them to be paid
- Facilitate safe recruitment, as part of our safeguarding obligations towards our clients
- Support effective performance management
- Inform our recruitment and retention policies
- Allow better financial modelling and planning
- Enable disability monitoring
- Improve the management of workforce data across the sector
Our lawful basis for using this Staff data
We only collect and use personal information about staff when the law allows us to do that. Most commonly, we use it where we need to:
- Fulfil the employment contracts we have entered into
- Comply with a legal obligation
- Carry out a task in the public interest
Less commonly, we may also use personal information about staff where:
- The employee has given us consent to use it in a certain way
- We need to protect his/her vital interests (or someone else’s interests)
- We have legitimate interests in processing the data – for example, where:
The employee has applied for another position and references are required as part of safer recruitment
Where the employee has provided us with consent to use the above mention data, he/she may freely withdraw this consent at any time. We will make this clear when requesting the consent, we will insure that the consent has been freely provided and explain how the employee can withdraw the consent if he/she wishes to do so.
Some of the reasons listed above for collecting and using personal information about the staff overlap, and there may be several grounds which justify the business’s use of this data.
Collecting this Staff information
While the majority of information we collect from the staff is mandatory, there is some information that the personnel can freely choose whether or not to provide to the firm.
Whenever we seek to collect information, we make it clear whether the employee must provide this information (and if so, what the possible consequences are of not complying), or whether he/she has a choice.
How we store this Staff data
We create and maintain an employment file for each staff member. The information contained in this file is kept secure and is only used for purposes directly relevant to his/her employment. A separate file containing the information on annual and sick leaves of the personnel is kept. The staff files are kept within a locked cupboard in the Director’s office. You are able to have access to your file at any time to ensure that all information about you is up to date.
Once your employment with us has ended, we will retain this file and delete the information in it in accordance with our retention policy which currently states that we will keep it for two years for reasons such as: fulfilling a reference request.
|What we store||How/Where it is stored|
|Personnel files||Hard copies are kept securely within the Director’s office in a locked cupboard.
You can request to see your personnel files at any time through the head or deputy
|Performance management documentation||Electronically on the server and data system
Hard copies are kept within the Director’s office
You can request to see your performance management at any time through the head or deputy
|Attendance information||Electronically on the server and data system
It is sent to backup link via a secure link
Hard copies are kept within the Director’s office
You can request to see your attendance information at any time through the Director
Staff Data sharing
We do not share information about staff with any third party without his/her consent, unless the law and our policies allow us to do so.
Where it is legally required or necessary (and it complies with data protection law) we may share personal information about you with:
- Our local authority
to meet our legal obligations to share certain information with it, such as safeguarding concerns and information about staff performance and staff dismissals
- The Department for Education
to meet our legal obligations to share information linked to performance data.
- Your family or representatives
to carry out our public task in the event of an emergency
- Other staff members
to carry out our public tasks, for example having access to your business email address so that information can be shared effectively.
- Suppliers and service providers
to enable them to provide the service we have contracted them for, such as payroll, as per a contract signed with them
- Central and local government
to complete the legal obligation for things such as the workforce census
coming under a legal obligation, or when it may be asked from auditors about financial information related to business.
- Survey and research organisations
to meet our legal obligation in relation to ‘freedom of information’ requests
- Trade unions and associations
to carry out our public task in light of any key discussions within business linked to disciplinary/capability procedures or for events such as redundancy.
- Security organisations
in order to keep our business secure and under the lawful basis of public task, we pass on certain staff member information so that they can be contacted if necessary (such as the Operations Manager).
- Health and social welfare organisations
to carry out our public task in line with our attendance management policy with organisations such as occupational health
- Police forces, courts, tribunals
to meet our legal obligations to share certain information with it, such as safeguarding concerns or to carry out our public task in relation to a tribunal.
- Employment and recruitment agencies
to meet the public task of supplying requested references.
- The Directors
to carry out our public task within the business and remain accountable to them for finance and personnel issues.
3. DISCLOSURE OF PERSONAL INFORMATION
We will not sell, disclose, or in any way dispose any personal information entrusted to our office, to any third party/entities in ways different from what is disclosed in this privacy notice. However, we may disclose your personal information to third parties:
3.1 In the event that we sell or buy any business related to the activities of our firm, assets or shares, we may disclose your personal data to the prospective seller or buyer of such business, assets or shares.
3.2 If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation, in order to enforce or apply our terms and conditions, or to protect our rights, property, or safety, or those of our customers or others.
3.3 In order to cooperate with law enforcement agencies to enforce laws, as well as investigate and prosecute unlawful activities such as frauds and scams. We maintain the right to disclose any information about you to law enforcement and other government officials as we, in our sole discretion, believe necessary or appropriate, in connection with any investigation of fraud, scam or other activity that is illegal. In particular, these authorities are:
- Tax Authorities in countries we operate
- Governing bodies
- Anti-Money Laundering / Counter Terrorism Financing (AML/CTF) agencies
- Cyprus Bar Association
- Law enforcement bodies
This includes exchanging information with other companies and organizations (e.g. banks, credit institutions, auditors) within or outside EU for the purposes of fraud protection and credit risk reduction. These entities may then use your personal information to investigate and act on any such breaches in accordance with their procedures.
3.4 Finally, we may disclose certain personal information to unaffiliated third-party service providers, agents or independent contractors to assist us to maintain our website and provide other administrative services to us (including, but not limited to, order processing and fulfillment, providing customer service, maintaining and analyzing data, webmasters, sending customer communications on our behalf, bailiff for the service of any document to third parties, accountants and auditors). We seek to ensure that these unaffiliated third parties will not use the personal information for any other purpose than to provide the administrative services for which they are responsible. We also enter into contracts with these third parties that compel them to meet the privacy standards required by law in handling your personal information, and use the information only for the purposes for which it was conveyed to them.
Aiming to achieve the purposes described under section 2 of the current policy, the following third parties, located in the European Union, may receive your data:
- Payment providers
- AML/CTF and anti-fraud services
- Services providers
4. HOW LONG WE KEEP YOUR DATA
4.1 It is our policy to only retain client information for as long as is necessary for the purpose for which it was originally obtained, in alignment with the Data Minimization and Storage Limitation principles. For all purposes below, your data will be retained for a seven years period, after the termination of the customer relationship. Additionally, we align the retention of your information with potential differentiations arising from the exercising of your data privacy rights (please refer to section 6). However, in some cases some personal information may be retained beyond that time period due to potential legal obligations, legitimate interest purposes, etc. Such reasons would be issues related to:
- Money laundering
- Intellectual property, industrial property, trademarks and patents protection
- Medical matters
- Civil Law
- Penal Law
- Any other legal issues
5. YOUR DATA PRIVACY RIGHTS
5.1 At any point while we are maintaining or processing your data, you have the following rights and can submit a relevant request via your personal account:
- Right of access – you have the right to access the personal data that we hold about you;
- Right of rectification – you have the right to correct data that we hold about you that is inaccurate or incomplete. (Further analyzed in section 7 of the current policy);
- Right to erasure – you can ask for the data we hold about you to be erased from our records and we are obliged to satisfy such request in certain circumstances;
- Right to restriction on processing – you have the right to request to restrict the processing of your personal information and we are obliged to satisfy such request when certain conditions apply;
- Right to data portability – you have the right to have the data we hold about you transferred to another organization;
- Right to object – you have the right to object to particular processing activities, under certain conditions;
5.2 We will assess your request and reply to you regarding the progress and outcome of the request (granting of request, partial granting of request, rejection of request), as soon as possible and in any case in no longer than one month of the request’s submission.
In the event that Rikkos Mappourides & Associates L.L.C refuses your request regarding the aforementioned Data Privacy Rights, we will provide you with a reasoning decision. You have the right to lodge a complaint directly with the Regulatory authority and the DPO (via the means described in paragraph 13 of the current policy).
5.3 We reserve the right to reject requests that are unreasonably repetitive, require disproportionate technical efforts or have disproportionate technical consequences, put in risk the privacy of others, or would be extremely impractical.
6. UPDATING YOUR PERSONAL INFORMATION
6.1 Except for exceptional circumstances, you may review, update or delete certain personal information by, (if you are a registered user of the website), logging on and using the tools provided to edit such information. However, certain data that are necessary to check eligibility, such as date of birth or age, cannot be deleted.
6.2 You can obtain a copy of your personal information through your personal account. For your protection, you will be required to provide proof of your identity to obtain such copies. You should include adequate information to identify yourself and such other relevant information that will reasonably assist us in fulfilling your request. If you would like to close your account, you can also contact our administrative services. We will comply with such requests unless we have a legitimate ground to not delete the data.
7.1 Protecting your data is of utmost importance for Rikkos Mappourides & Associates L.L.C and in this regard, we constantly strive to provide all possible means of assuring your personal data’s safekeeping, the restriction of unauthorized access and / or potential alterations. Such means include information security measures consistent with current best practices to protect our customers’ privacy. These measures include technical, procedural, monitoring and tracking steps intended to safeguard data from misuse, unauthorized access or disclosure, loss, alteration or destruction.
8.1 We collect your personal data including transactional behavior, Purchasing activity and practices, cookies and geolocation information, amongst others, in order to provide you with customized and tailored to your preferences views and services. The profiling activity allows us to present you with a personalized view and experience on our website.
8.2 The profiling activity also allows us to detect and report potential fraudulent behavior and violation of our Terms and Conditions potential money laundering practices and responsible spending behavior, in line with our regulatory/ legal obligations of reporting such incidents to the relevant authorities.
To summarize the aforementioned, the profiling activity is deemed necessary for the following purposes:
- Marketing reasons: You can receive announcements, newsletters, circulars and information on matters of general interest,
- Anti-Fraud reasons: If we find out that we have to report any matter to the complains officer of our firm.
- AML/CTF reasons: If, according to your profiling, your activity is deemed suspicious in terms of Money Laundering then, your activity will be reported at the relevant Law enforcement bodies at the countries we operate, according to our Terms and Conditions.
9. DIGITAL MARKETING
9.1 Additionally, and in order to provide to you personalized services and material, we collect your personal data, including cookies and geolocation information, amongst others. Usage of such services is on the sole discretion of you and the separate consent provided upon your registration. You can provide your consent at a later time or revoke an existing consisting consent for such services, through our dedicated consent management portal integrated in your personal account.
10. INTERNET PROTOCOL (IP) ADDRESS
When you visit the Website, we register your device`s IP address and browser settings. Your IP address is a unique address that devices use in order to identify and communicate with each other on a computer network. Browser settings can include the type of browser you use, browser language, and time zone. We collect this information so that we can personalize your experience and trace your device in cases of misuse or unlawful actions in connection with visits to or use of the service. Furthermore, we may use the IP address to approximate your location (at city level).
11.2 You may configure your browser to block all cookies, including cookies associated with our services, or to indicate when a cookie is being set by us. However, it is important to remember that many of our services may not function properly if cookies are disabled. For example, we may not remember your language preferences. Please refer to your browser’s or mobile device’s technical documentation for instructions on how to delete and/or disable cookies.
13. CONTACT US
13.2 For any other matter you can contact us at firstname.lastname@example.org or 0035722024777.
14. REPORTING TO THE COMMISSIONER
You have the right to report to the commissioner any complain or inappropriate action or behavior regarding the infringement of any of your rights protected in this police arising out of actions or missions of the controller (our firm) or any person or body duly appointed by our firm. Before lodging your complaint, you may contact directly the controller (usually the person against whom the complaint is made) to address your concerns. You may also address your concerns to the Data Protection Officer (DPO), you may apply to him in regard to any issue concerning the processing of your personal data and to exercise your rights.
If your concerns are not addressed, you may lodge a complaint with the Commissioner and to complete the relevant complain form.