PRIVACY NOTICE

16/05/2018

Introduction

This Privacy Notice will inform you as to how Elena Argyropoulou & Associates LLC and any affiliated and/or subsidiary companies thereof (referred to as ‘we’, ‘us’, ‘our’, ‘our firm’, the ‘Firm’ or “Argyropoulou & Associates”) process data, whether on individuals (including personal data in respect of individuals who are clients, intermediaries or other third parties which whom Argyropoulou & Associates interact with, or any individual who is connected to those parties) or otherwise, as well as when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you. 

This Privacy Notice is mainly directed to natural persons who are either current or potential customers of Argyropoulou & Associates, or are authorised representatives/agents or beneficial owners of legal entities or of natural persons who are current or potential clients of the Firm as well as to natural persons who had such a business relationship with the Firm in the past.

Where the data held are on individuals, this document also sets out the rights of those individuals in respect of the said personal data.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice.  

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please direct them for the attention of our DPO at dpo@argyropouloullc.com in the first instance.  

 

Who we are  

Elena Argyropoulou & Associates LLC is a newly established boutique law firm based in Limassol, Cyprus, committed to protecting your privacy and handling your data in an open and transparent manner. 

The Firm is incorporated in accordance with the laws of the Republic of Cyprus, complies with local and European standards and is duly regulated and licensed by the Cyprus Bar Association. 

  
The type of data we may collect and hold  

Argyropoulou & Associates processes data in order to provide legal and governance services. 

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). 

The type of data we may collect, use, store and transfer includes:  

  • Contact details (i.e. first, maiden and last names, postal/delivery addresses, billing addresses, email addresses and telephone/fax numbers).
  • Information required for Argyropoulou & Associates to meet its legal and regulatory requirements, in particular pertaining to anti-money laundering legislation, including copies of passports or National Identification/Driving License Cards and information on marital status, title, date and place of birth and gender, source of funds and source of wealth, whether the relevant natural person holds/held a prominent public function (for PEPs), FATCA / CRS info, authentication data (i.e. signature) etc.
  • Information provided in the course of the provision of legal and governance services (for example, information on professional relationships and background, financial wealth and assets held, transactions entered into, tax status, disputes and court proceedings engaged in).
  • Financial information, such as payment related information including bank account and payment card details.
  • Transaction data including details about payments to and from you and other third parties with whom you intend to enter into a transaction.
  • Technical data which might include internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our firm’s website.
  • Usage Data including information about how you use our website, products and services.
  • Marketing and Communications data including your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Under very special circumstances, subject to the nature of our engagement, personal data collected and processed may include “Special Categories of Personal Data” about you (this includes details about your race or ethnicity, religious or philosophical beliefs, data on a person's sex life or sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data processed for the purpose of uniquely identifying a natural person or data relating to a person's criminal record or alleged criminal activity).
  • Finally, we may collect personal data in relation to children only provided that we have first obtained their parents’ or legal guardian’s consent or unless otherwise permitted under law. For the purposes of this privacy notice, “children” are individuals who are under the age of eighteen (18). 
  • Professional interests and events attended.
  • Meetings attended and visits to our offices. 
  • Any other information you may provide to us.

If you fail to provide Personal Data   

Unless we are provided with some of the mentioned personal data, especially data which we are legally reprimanded to collect and under given circumstances even prior to signing our Terms of Engagement and/or offering any services to you in line with applicable money laundering laws and codes of conduct, we shall be unable to commence or continue any business relationship with you since we will be unable to perform our legal and statutory obligations.  

 

How is your personal data collected? 

The sources of data collected by us may include clients, intermediaries, data subjects directly, third parties connected to the Data Subject (for example, their employer or another service provider who provides services to the Data Subject) or open-source material. 


We use different methods to collect data from and about you including through: 

  • Direct interactions. You may give us your Identity, Contact and Financial Data (as above described) by filling in forms or by corresponding with us by post, phone, email or otherwise. 
  • Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data (as above described) about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. 
  • Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources (i.e. the Department of Registrar of Companies and Official Receiver, the Land Registry, the Bankruptcy Archive, commercial registers, the press, media and the Internet) which we lawfully obtain and we are permitted to process. 

The provision of data to one employee of Argyropoulou & Associates may result in that data being accessible by all other members of the Firm. 

Reasonable endeavours are made to ensure that data is only accessible by those with a need for access to fulfil the purposes set our below and above.  

Requests for access to be restricted in any particular manner should be made to dpo@argyropouloullc.com and will be considered and, where possible with reference to legal and regulatory obligations, actioned. 

 

How we use your Personal Data 

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract, we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to “Special Categories of Personal Data” or sending third party direct marketing communications to you via any of our communication channels.  


Purposes of processing and lawful basis 

We use data (including personal data of individuals) for the following purposes (the below also confirming the lawful basis we are relying on in each case): 


To enter into client relationships and provide legal and governance services 

Any one or more of the following:  

  • The legitimate interest of Argyropoulou & Associates as a provider of legal and governance services to process personal data for the purpose of providing those services.
  • In instances where an individual has been provided with this Privacy Notice and provides personal data thereafter, the processing may be carried out on the basis of consent.
  • Consent may be withdrawn at any time by writing to:  dpo@argyropouloullc.com
  • The processing is necessary for legal proceedings, the obtaining of legal advice or establishing, exercising or defending legal rights.
  • Where the client is an individual: to fulfil the terms of the relevant contractual arrangement we have entered into with the individual to provide legal and/or governance services.

To manage our client, intermediary and other business relationships 

The legitimate interests of Argyropoulou & Associates to seek to ensure its business is conducted efficiently and with a view to enhancing client service.

 

To ensure the security of the Firm’s systems, staff and premises (including the use of CCTV equipment)

The legitimate interests of the Firm in protecting its systems, staff and premises from being misused or the victim of any criminal activity.

 

To provide access to our website 

The legitimate interests of the Firm and the user of the website for the communication and storage of relevant material.

 

To provide our contacts with marketing material and to invite contacts to events which may be of interest to them, and to manage such mailings and events 

The legitimate interests of the Firm as a provider of legal and governance services to process personal data to communicate with persons on topics and events which may be of interest to those individuals.  

The right of those individuals to unsubscribe from mailings and/or manage preferences will be noted within all mailings and any requests to unsubscribe may be made via links available in the mailings or by writing to dpo@argyropouloullc.com.

 

To meet all legal, regulatory and ethical obligations applicable to the Firm (including in respect of managing potential conflicts of interest) 

The legitimate interests of Argyropoulou & Associates as a provider of legal and governance services to process data to the extent necessary to ensure it meets all legal, regulatory and ethical obligations incumbent on it.
  
In certain instances, the processing of data may also be necessary for the exercise of functions of public authorities and/or necessary for compliance with a legal obligation to which the Firm is subject to.

 

For the purposes of internal know- how and training

The legitimate interests of the Firm as a provider of legal and governance services to process data for the purposes of internal know-how and staff training. The Firm will use reasonable endeavours to ensure any personal data contained in the material which is not integral to the understanding of the material is redacted.

 

In instances where we collect and process, personal data which include “Special Categories of Personal Data” the legal basis for processing that data may include explicit consent (where the Special Category Data has been provided to the Firm by the Data Subject for any of the above-listed purposes) or the processing being necessary for compliance with a legal obligation or the purposes of legal proceedings or legal advice. 

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. 


Where your consent has been provided 

Provided that you have given us your specific consent for processing (other than for the reasons set out hereinabove) then the lawfulness of such processing is based on that consent. You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected. 


To whom we might need to disclose your personal data 

In the course of the performance of our contractual and statutory obligations your personal data may be provided to various departments within the Firm but also to other affiliated and/or subsidiary companies of the Firm. Various service providers and suppliers may also receive your personal data so that we may perform our obligations. Such service providers and suppliers enter into contractual agreements with the Firm by which they observe confidentiality and data protection according to the data protection law and GDPR. 

It must be noted that we may disclose data about you for any of the reasons set out hereinabove, or if we are legally required to do so, or if we are authorized under our contractual and statutory obligations or if you have given your consent. All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions. 

The following is a list of potential recipients of data (in each case including respective employees, directors and officers): 

  • Other professional advisers or providers of services acting as processors or joint controllers (including lawyers, legal consultants, banks or other financial institutions, auditors/accountants, financial or business advisors, Valuators and/or surveyors and insurers providing services in relation to any matter on which Argyropoulou & Associates is instructed) where disclosure to that provider of services is considered necessary to fulfil the purposes set out above;
  • Any sub-contractors, agents or service providers of Argyropoulou & Associates (including couriers etc.);
  • Third parties with whom Argyropoulou & Associates engages for the hosting of events or other marketing initiatives and including website and advertising agencies;
  • Law enforcement agencies where considered necessary for Argyropoulou & Associates to fulfil legal obligations applicable to it (i.e. the Cyprus Bar Association, the income tax authorities, criminal prosecution authorities, Unit for Combating Money Laundering (MOKAS), etc.);
  • Regulators or other governmental or supervisory bodies with a legal right to the material or a legitimate interest in any material;
  • Any registrar of a public register where the data is to be included in a public or restricted access registry;
  • Third parties to whom Argyropoulou & Associates may choose to sell, transfer, or merge parts of its business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice;
  • Share and stock investment and management companies;
  • Debt collection agencies;
  • Fraud prevention agencies;
  • File storage companies, archiving and/or records management companies, cloud storage companies;
  • Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

 

Automated decision-making/Profiling

In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you, in the following cases: 

  • Data assessments are carried out in the context of combating money laundering and fraud.

 

How we treat your personal data for marketing activities and whether profiling is used for such activities

We may process your personal data to tell you about products, services and offers that may be of interest to you or your business.

The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services, such as information on your transactions. We study all such information to form a view on what we think you may need or what may interest you. In some cases, profiling is used, i.e. we process your data automatically with the aim of evaluating certain personal aspects in order to provide you with targeted marketing information on products. 

We can only use your personal data to promote our products and services to you if we have your explicit consent to do so or, in certain cases, if we consider that it is in your legitimate interest to do so. 

You have the right to object at any time to the processing of your personal data for marketing purposes, which includes profiling, by contacting at any time your main point of contact within our firm or the firm’s Director either in person or in writing. 

International Transfers

Many of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA. 

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • the non-European Union country has Data Protection laws similar to the laws in the European Union and/or has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries; or
  • the recipient/service provider used has agreed through use specific contracts approved by the European Commission which give personal data the same protection it has in Europe and will seek to be reasonably satisfied that the third party has measures in place to protect data against unauthorised or accidental use, access, disclosure, damage, loss or destruction. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; or
  • we have obtained your explicit consent to proceed with the said transfer; or
  • if transferred to providers based in the United States of America, the transfer is made only subject to them being part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield; or
  • if the data transfer is required by a governmental authority and we are legally obliged to provide it (i.e. reporting obligation under Tax law) in which case the Commissioner of Personal Data Protection in Cyprus will be notified in advance of the transfer for her confirmation.

 

Please Contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. 

 

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

 

Rights of Data Subjects  

Data Subjects in the European Union (or any jurisdiction with equivalent legislation to the European Union General Data Protection Regulation) have certain rights in respect of their personal data.  

You have the following rights in terms of your personal data we hold about you:

  • the right of access to data: enabling you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • to have data corrected, updated, rectified or erased: enabling you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us or to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where there is no good reason for us continuing to process it, where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • to object to any particular processing: enabling you to Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes in which case we shall stop the processing of your personal data for such purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • request restriction of processing of your personal data. enabling you to ask us to restrict the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • request the transfer of your personal data to you or to a third party. enabling you to request to receive a copy of the personal data we keep concerning you to be provided either directly to you, or a third party you have chosen, in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • the right to withdraw any consent to processing previously given: enabling you to withdraw the consent that you gave us at any time with regard to the processing of your personal data where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

And should you wish to exercise your rights under applicable data protection laws please send the request in the first instance to dpo@argyropouloullc.com 

In any case in which a Data Subject chooses not to provide any personal data or where any of the rights set out above are exercised to limit the processing of personal data Argyropoulou & Associates may be unable to provide relevant services, or there may be a restriction on the services which can be provided.  


No Fee Usually Required  

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may need to charge a reasonable fee part of which shall be payable in advance if your request is clearly unfounded, repetitive or excessive. Otherwise, we may refuse to comply with your request in these circumstances.


What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response process.  

  
Time Limit to Respond  

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 


Retention

Argyropoulou & Associates only keeps data for as long as necessary to fulfil the purposes (as set out above) for which we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our policy is to retain data in relation to a Data Subject whether a client directly as a natural person or in respect of our dealings with a legal entity that the said Data Subject is authorized to represent or are beneficial owner) throughout the duration of our business relationship but once our business relationship has been formally terminated we continue to maintain all records for up to ten (10) years following which we (may) destroy the files and documents.  

This is subject to certain exceptions (i.e. if it is considered important to do so for legal, regulatory or technical reasons or in instances where the personal date is relevant to a dispute after closure of the matter) in which case we may need to keep all files and personal data maintained by us for a period longer than as above prescribed. For prospective client personal data (or authorized representatives/agents or beneficial owners of a legal entity prospective client) we shall keep any personal data received during our KYC/due diligence exercise for 6 months from the date of notification of the rejection of the request to provide our services and/or facilities or from the date of withdrawal of such request. 

Any requests for further information in relation to the continued processing of specific data, and requests for destruction of data, should be made to dpo@argyropouloullc.com 

 

Cookies 

Our website uses small files known as cookies to make it work better in order to improve your experience.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.  

To find out more about how we use cookies please see our Cookie Policy.


Third-Party Links 

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit. 
  
Changes to this Privacy Notice and your Duty to Inform us of Changes 

We keep this Privacy Notice under review and we may modify or amend this privacy statement from time to time. Any updates will appear on our website at www.argyropouloullc.com

We will use our very best endeavours to notify you appropriately when we make changes to this privacy statement and we will record accordingly the date on which it has last been updated in this section and at the top page.  

Having mentioned the above, we do encourage you to review our Policy Notice periodically so as to be always informed about how we are processing and protecting your personal information. 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if any personal data provided to us by yourselves changes during your relationship with us. 

We last updated this Privacy Notice on 16 May 2018.  


How to contact us  

If you have any questions about this Privacy Notice or any data which we hold about you, please contact: dpo@argyropouloullc.com 

Argyropoulou & Associates has a Data Protection Officer and all enquiries in respect of this Privacy Notice or any request to exercise any of the rights set out above should be directed to the Data Protection Officer via dpo@argyropouloullc.com or by post at: Elena Argyropoulou & Associates LLC, Data Protection Officer, 159 Leontiou Street, Maryvonne Building, 1st Floor, Office 103, 3022 Limassol-Cyprus  

 

Right to file an official complaint 

If you have exercised any or all of your data protection rights as provided in this Policy Notice and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to file a formal complaint with the Office of the Commissioner for Personal Data Protection. 

Please visit their website for more information on how to submit a complaint at http://www.dataprotection.gov.cy.