Hadjianastassiou, Ioannides LLC Privacy Statement
Last Revised: 17 September 2018
Hadjianastassiou, Ioannides LLC (hereinafter referred to as the “Firm” or “we” or “us” or “our”) is committed to protecting the privacy and security of the personal data it receives from its clients in an open and transparent manner. The personal data that the Firm, as a data controller, collects and processes will vary depending on the services provided to you.
This privacy statement (“Privacy Statement”):
- sets out the types of personal data we collect, how we collect and process that personal data, including special categories of personal data (as defined below), who we may share it with and why, and how you can exercise your privacy rights under the EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any laws or regulations supplementing or implementing the GDPR, including the Protection of Natural Persons with Regard to the Processing of Personal Data and the Free Flow of Such Data Law of 2018 (N. 125(I)/2018) as amended, replaced or superseded from time to time (together with the GDPR, the “Applicable Data Protection Legislation”); and
- relates to personal data collected from clients or the clients’ representatives, whether such data concern them directly or relate to third parties who are natural persons.
For the purposes of this Privacy Statement:
- when we refer to “personal data” or “personal information” we mean data which identifies or may identify you and which may include, for instance, your name, address, identification number, telephone number, date of birth, occupation and family status;
- when we refer to “processing” we mean the handling of your personal data by us, including collecting, protecting and storing your personal data;
- when we refer to “special categories of personal data” we mean information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, physical or mental health, sex life or sexual orientation as well as genetic and biometric data.
1. Who we are
Hadjianastassiou, Ioannides LLC is a private lawyers’ limited liability company registered in Cyprus with registration number HE227297, regulated by the Cyprus Legal Council and the Cyprus Bar Association (CBA Reg. No. 22), having its registered office at 23 Themistokli Dervis Street, STADYL House, 1066 Nicosia, Cyprus.
The Firm is an affiliate firm of Deloitte Limited, a private company, registered in Cyprus with registration number HE162812.
2. Other websites
3. Personal Data we collect
Depending on the service that we provide to you, we may collect and process the following personal data from you:
- Biographical and Identification Data, including your name, date and place of birth, email, passport or identity number, your gender and your signature;
- Contact Data, including your address, phone number, fax number and email address;
- Financial and Payment Data, including your bank account number and other data necessary for processing payments;
- Professional History and other Employment Information, including your current occupation and employer, your employment address, your employment history and details on whether you hold any directorships and/or ownerships of shares equal to or over 25% of total share ownership;
- Additional “know-your-customer” (KYC) information, including your tax jurisdiction, your income tax number, your VAT number, your source of wealth and source of funds, your economic activities and references from third parties including your bank;
- Information pertinent to fulfilling our services to you, including information provided in the course of the contractual or client relationship between you and your organisation and the Firm, or otherwise voluntarily provided by you or your organisation;
- Physical access data i.e. CCTV images of your visits at our premises;
- Special categories of personal data. We will only process such personal data in limited circumstances, as described in section 7 of this Privacy Statement, and
- Criminal record data. We will collect such data where permitted by law, for example when we represent you in a criminal case and we need to collect information about the alleged offences and any related criminal history.
We may process children’s personal data when we act for you in relation to certain private matters (for instance, when we are advising you regarding inheritance matters). We process such personal data only where necessary for the specific client services we are providing.
5. Personal data about other people
On certain occasions, in the course of our client services, you may provide us with personal data of individuals who are not aware of our involvement or of our processing of their personal data (such as family members, customers, counterparties, employees, directors, shareholders or beneficial owners). In such cases, we are likely to not have direct contact with individuals whose personal data we are processing or, it may for other reasons (such as, for example, to maintain confidentiality) not be appropriate for us to provide them with a privacy notice setting out how we handle their personal data. Before you disclose any such personal data to us, you must ensure that the relevant individuals have received this Privacy Statement or have otherwise been informed of our client services.
6. If you fail to provide personal data
Where we need to collect personal data by law in order to process your instructions (for instance in relation to anti-money laundering or other KYC checks) or perform a contract we have with you and you fail to provide that data when requested, we may not be able to carry out your instructions or perform the contract we have or are trying to enter into with you. In this case, we may have to cancel our engagement with you, but we will notify you if this is the case at the time.
7. How we collect your personal data
We obtain your personal data mainly through any information you provide directly to us, through information provided by third parties or through publicly available sources, as follows:
Direct interactions with you: We may collect personal data about you through the completion of our KYC forms by you, or by corresponding with us by email, fax or post, by speaking to us in person or over the telephone or whilst visiting our offices. These interactions may include instances when you:
- enquire about our services or ask us to provide you with a quotation;
- seek legal advice from us;
- visit our premises;
- give us personal data necessary for a specific client service we are performing for you, or for the purposes of our KYC procedures; or
- give us your business card in an event or meeting, or otherwise personally give us your personal data.
Third-party sources: We receive personal data about you from third parties when:
- our KYC forms have been completed by your representative or your organisation;
- other parties, including our existing clients, send us your personal data to enable the provision of our services (e.g. in cases where you are an underlying client);
- we conduct our KYC and other background checks, including conflict checks;
- we have been subcontracted by a member firm of the Deloitte network (including the Deloitte Legal network), including Deloitte Limited, to perform legal services;
- you are an existing client of a member firm of the Deloitte network (including the Deloitte Legal network), including Deloitte Limited, and you wish to be engaged separately with us. In such cases we may request KYC documentation already in the possession of the relevant Deloitte member firm for your convenience, provided that we have obtained your prior permission to do so;
- we interact with governmental or regulatory bodies or other authorities in relation to you or on your behalf.
Publicly available sources: We collect personal data concerning you from:
- public registers of companies (for instance, from the Registrar of Companies and Official Receiver);
- public registers of sanctioned persons and entities (such as the Office of Foreign Assets Control of the United States Department of the Treasury); and
- other public sources including any services accessible on the Internet which you are using for professional networking purposes such as, for example, LinkedIn.
8. Why we need your personal data
We will only use and share your information where it is necessary for us to lawfully carry out our business activities. We may process your personal data in connection with any of the purposes set out below on one or more of the following legal grounds:
A. CONTRACTUAL NECESSITY
We may process your information where it is necessary to enter into an engagement with you for the provision of our legal services or to perform our obligations under that engagement. This may include processing to:
- assess and process your request for our services, including checking whether we have a conflict of interests in providing our services to you and carrying out background checks, where permitted;
- take you on as a new client or open a new matter for you;
- administer and manage our relationship with you or your organisation and deliver client services to you;
- communicate with you about the services you receive from us and in order to notify you about any changes to our general terms of business, this Privacy Statement or other policies which may affect you; and
- to manage payments, fees and charges and to collect and recover money owed to us.
Please note that if you do not agree to provide us with the requested information, it may not be possible for us to provide you with our services.
B. LEGAL OBLIGATIONS
We may process your personal data in order to comply with legal and/or regulatory obligations that we are subject to, including any obligations imposed on us by the Cyprus Bar Association and the government Unit for Combating Money Laundering (MOKAS), as well as to keep records of our compliance processes. Such processing may include KYC and anti-money laundering checks as well as politically exposed persons and sanctions screenings.
C. LEGITIMATE INTERESTS
We may process your personal information where it is in our legitimate interests to do so as an organisation and without prejudicing your interests or fundamental rights and freedoms. In particular we may process your personal information:
- in the day-to-day running of our business and financial affairs and to ensure that our processes and systems operate effectively. This may include processing in order to:
(i) monitor, maintain and improve internal business processes, information and data and technology solutions and services;
(ii) ensure business continuity and disaster recovery and respond to information technology and business incidents and emergencies;
(iii) to protect the security of our communications and other systems and to prevent and detect security threats or other malicious activities;
(iv) perform general, financial and regulatory accounting and reporting;
(v) to manage access to our premises for security and crime prevention purposes;
(vi) to exercise or defend our legal rights, or to comply with court orders;
(vii) enable a sale, reorganisation, transfer or other transaction relating to our business.
- to ensure that we provide you with the most appropriate services and that we continually develop and improve as an organisation. This may require processing your personal information in order to:
(i) identify new business opportunities and develop enquiries into proposals for new business and to develop our relationship with you;
(ii) communicate with you to keep you up-to-date on the latest developments, announcements, and other information about our services and solutions (including briefings, newsletters and other information), events and initiatives, and
(iii) assess the quality of our customer services and to provide staff training.
D. ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS
We may process special categories of personal data that you may disclose to us in order to be able to act on your behalf in court proceedings or any administrative or out-of-court procedures.
9. Information about criminal convictions
We may only use information relating to criminal convictions where the law allows us to do so.
We may also use information relating to criminal convictions where it is necessary in relation to legal claims, such as when we are acting on your behalf in criminal proceedings.
10.Who we share your personal data with
We may share your personal data with:
- other members firms of the Deloitte network and the Deloitte Legal network, including Deloitte Limited;
- certain service providers we have retained in connection with the legal services we provide, such as consultants, experts and other legal specialists such as law firms for obtaining specialist foreign legal advice;
- if we have collected your personal data in the course of providing legal services to any of our clients, we may disclose it to that client, and where permitted by law to others for the purpose of providing those services;
- with any competent law enforcement body, regulator, government agency, court or other third party where we believe disclosure is necessary as a matter of applicable law or regulation or in order to exercise, establish or defend our legal rights, including the Cyprus Bar Association and the government Unit for Combating Money Laundering (MOKAS);
- suppliers and service providers who support our business including IT and communication suppliers, file storage, archiving and/or records management companies and security solutions companies;
- if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations, and
- to a person you have given us your consent to disclose to.
11. International transfers
From time to time, your personal data may be transferred to and stored at a destination outside the European Economic Area (“EEA”) depending on the nature of the services we provide to you. When such transfer occurs, we will use, share and safeguard that information as described in this Privacy Statement and will ensure that at least one of the following safeguards is implemented:
a) We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
b) If we engage service providers outside the EEA, we may put in place standard contractual clauses approved by the European Commission which give personal data the same protection it has in the European Union.
We may additionally, in rare occasions, transfer your personal data to a party outside the EEA where we have your prior explicit consent to do so or where such transfer is necessary for the provision of our services to you.
12. How long we keep your personal data for
We will keep your personal data for as long as we have a business relationship with you. Once our business relationship with you has ended, we may keep your personal data for the longest of the following periods: (i) any retention period set out in our retention policy which is in line with regulatory requirements relating to retention; or (ii) the end of the period in which any legal action or investigations might arise in respect of the services provided.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from authorised use and whether we can achieve those purposes through other means, and the applicable legal requirements.
We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons. If we do, we will make sure that your privacy is protected and that your personal data are only used for those purposes.
We are committed to ensuring that your personal information is secure with us and with the third parties who act on our behalf.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, processed or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have further been accredited with ISO 27001 which is an international standard in relation to information security management, certifying that we have the relevant procedures in place as well as the software, hardware and physical measures to protect data that are being processed by us. These measures are monitored, reviewed and regularly enhanced in order to meet our professional responsibilities and the needs of our clients.
We have put in place procedures to deal with any incident that may lead to a security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
14. Your data protection rights
We want to make sure you are aware of your rights in relation to the personal data we process about you. We have described those rights and the circumstances in which they apply further below.
You have the following rights in terms of the personal data we hold about you:
- Receive access to your personal data. This enables you to receive access or receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data we hold about you. If you believe that any of the information that we hold about you is inaccurate or incomplete, you have a right to request that we correct the inaccurate personal information.
- Request erasure of your personal information. You may request that we delete your personal information if you believe that:
a) we no longer need to process your information for the purposes for which it was provided;
b) we have requested your permission to process your personal information and you wish to withdraw your consent; or
c) we are not using your information in a lawful manner.
Please note that if you request us to delete your information, we may have to suspend the services we provide to you.
- Object to the processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you exercise your right to object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Depending on the circumstances, we may need to restrict or cease processing your personal data altogether or, where requested, delete your personal information. Please note that if you object to us processing your personal data, we may have to suspend the services we provide to you.
- Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
a) it is not accurate; or
b) it has been used unlawfully but you do not wish for us to delete it; or
c) it is not relevant any more, but you want us to keep it for use in possible legal claims; or
d) you have already asked us to stop using your personal data but you are waiting for us to confirm if we have legitimate grounds to use your data.
Please note that if you request us to restrict processing your personal data, we may have to suspend the services we provide to you.
- Request the transfer of your personal data. Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering into a contract with us, you have the right to receive the personal information you provided to us in a portable format. You may also request us to provide it directly to a third party, if technically feasible. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact us at email@example.com.
We will endeavour to address all of your requests promptly.
15. Right to complain
If you have exercised any or all of your data protection rights, or otherwise still feel that your concerns about the use of your personal data have not been adequately addressed by us, you have the right to complain by contacting us at firstname.lastname@example.org.
16. Changes to this privacy statement
We reserve the right to update and change this Privacy Statement from time to time in order to reflect any changes to the way in which we process your personal data or changing legal requirements.
We will notify you by email or otherwise when we make material changes to this Privacy Statement and we will amend the revision date at the top of this page. We do encourage you to review this statement periodically so as to be always informed about how we are processing and protecting your personal data.