Privacy Policy

PRIVACY POLICY – DATA PROTECTION POLICY

  1. INTRODUCTION

Elympus is strongly committed to protecting the confidentiality of your personal data and safeguarding your privacy. We are devoted to handling any personal data obtained by us properly and responsibly in compliance with the applicable legal and regulatory requirements on data protection.

More specifically, we collect and process personal data in accordance with the provisions of the Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”) and applicable local data protection laws and regulations.

According to the principles relating to personal data processing set out in the GDPR, personal data should be:

  • Processed lawfully, fairly and in a transparent manner;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the intended purposes;
  • Accurate and, where necessary, kept up to date;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the intended purposes;
  • Processed in a manner that ensures appropriate security of the personal data.

  2. ABOUT THIS POLICY

This Privacy Policy aims to provide you with information with regard to the collection and processing of personal data within the context of offering or providing our professional services. In particular, it describes what personal data we gather, when and how we collect it, how we use such personal data, who we may give personal data to, how we protect personal data, and what data protection rights you have under the current legal and regulatory framework.

The present Policy applies to all member companies of Elympus Group, to the extent that they process personal data.

For the purposes of this Privacy Policy:

“personal data” means any information relating to a natural person from which that person can be identified, whether directly or indirectly.

“processing” means any operation which is performed on personal data such as collecting, recording, storing, organizing, altering, using, disclosing, erasing or destroying data.

  3. WHO IS RESPONSIBLE FOR THE PERSONAL DATA PROCESSING?

Elympus is the data controller of any data obtained about you. This means that Elympus determines why and how data concerning you is collected, used and stored.

“Elympus” consists of Elympus Services Ltd (Reg. No. 335536), Elympus Audit Ltd (Reg. No. 338192), the limited liability companies registered in Cyprus, and Elympus Services SRL (Reg. No. 36109743), the limited liability company registered in Romania.

In each case your personal data will be controlled by the Elympus company which provides services to you or a third party which you are associated with, or otherwise has a relationship with you.

All entities and offices within Elympus Group will process personal data in accordance with the provisions of the applicable data protection laws and regulations and will ensure a sufficiently high level of protection of personal data.

  4. WHEN DO WE COLLECT YOUR PERSONAL DATA?

We gather personal data about customers and prospective customers.

To the extent necessary in order to provide our professional services or carry on our work or operation we may collect data about individuals who hold an office or have a certain relationship with a customer or prospective customer, whether natural or legal person (e.g. authorized representatives, agents, directors, officers, employees, partners, shareholders, administrators, trustees, beneficial owners, counterparties, persons involved in transactions, close family members, close associates, etc.).

  5. WHAT PERSONAL DATA DO WE COLLECT?

The categories of personal data we collect, store and use depend to a large extent on your relationship with Elympus and on the nature of the services requested or provided to you or a third party which you are associated with.

The personal data we collect may include:

  • Identification data, such as name, surname, identity card/passport details, date and place of birth, gender, nationality;
  • Contact data, such as residential address, work address, mailing address, work and personal telephone numbers, e-mail addresses and fax numbers;
  • Socio-demographic data, such as marital status and number of dependents, details about close family members, close associates and other relationships;
  • Biographical data, such as education and academic qualifications, professional background and employment history, positions currently or previously held, employment status, current occupation and employment details, professional activities;
  • Business-related data, such as details about business operations or activities, including type of products or services, places of business, trading names used, business and trading partners, size of operations, and financial information;
  • Financial data, such as details in relation to the property, assets and investments owned, any other financial interests, annual income or earnings, sources of income and sources of wealth, and financial obligations;
  • Tax-related information, such as tax identification number, tax residency, FATCA/CRS information, tax returns and declarations;
  • Transactional data, such as details in relation to transactions carried out, including the transaction amounts, the nature, purpose or type of transactions, and the counterparties;
  • Banking-related data, such as relationships with banks, bank account details and information about bank account activity;
  • Politically exposed persons (PEP) data, such as information in relation to any public positions you or a close family member or close associate of yours hold or have held in the past;
  • Authentication data, such as a specimen of your signature;
  • Service-related data, such as details in relation to the services you requested or we provide you with;
  • Data related to any requests, preferences, interests, needs, complaints, etc. that you address to us or that you share with us.

Sensitive Personal Data

We do not collect sensitive personal data (referred to as special categories of personal data in the GDPR), such as data relating to your health, ethnicity, religious or political beliefs, unless you have given us your explicit consent to do so or the collection and processing of such data is otherwise required or permitted by law.

We may be legally obliged to keep a copy of your ID and/or passport. Such personal identification documents may reveal racial or ethnic origin and possibly contain biometric data.

Sensitive personal data may be communicated to us by you in the course of a professional engagement. For example, documentary evidence submitted to us for accounting and/or tax purposes may contain payment receipts that reveal affiliations to political parties or trade unions.

Information about Criminal Convictions and Offences

Depending on the services requested or provided we may collect, to the extent permitted by law or with your explicit consent, information in relation to criminal convictions and offences.

Family and Children’s Data

We only collect details about family members and children if it is necessary to do so under an engagement to provide professional services. Any data concerning minors will only be gathered and processed with the prior express consent of the parents or legal guardians or as otherwise required or permitted by law.

  6. WHERE DO WE COLLECT PERSONAL DATA FROM?

Generally, we collect personal data directly from our customers or from third parties acting on behalf of customers in the context of our business relationship.

To the extent necessary in order to provide our professional services or carry on our work or operation, personal data may also be obtained from other third parties we cooperate, interact or have a relationship with and from publicly available sources such as public registers or databases (e.g. commercial registers, debtor registers and land registers), sanctions lists, the press, media and the internet.

Engagements for professional services may involve obtaining and processing personal data that is under the customers’ control (e.g. family members, employees, directors, shareholders, beneficial owners, customers, counterparties). Thus, we may obtain personal data about individuals with whom we have no direct business/contractual relationship from a customer who has engaged us or wishes to engage us to provide services. In such cases, the customers or the persons who disclose any such personal data to us must ensure that they are entitled to do so and that the individuals whose personal data is disclosed to us have been informed of our identity, our services and the matters discussed in this Privacy Policy.

  7. FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS DO WE PROCESS YOUR PERSONAL DATA?

We only use your personal data for legitimate purposes. Generally, we use personal data for one or more of the following reasons:

(a) For the entering into or for the performance of a contract

The processing of your personal data is necessary in order for us to be able to enter into a contract for provision of professional services and to provide our services pursuant to such contract. More specifically, we may use your personal data for the following purposes:

  • Due diligence and customer acceptance procedures;
  • Evaluation and management of risks;
  • Service delivery and execution of customer instructions or orders;
  • Administration, billing and collections;
  • Management of customer relationships, monitoring and review;
  • Communication and notifications.

The scope and extent of data processing depends largely on the nature of the services requested or provided and the requirements of the specific engagement.

(b) For compliance with legal obligations

Elympus is subject to various legal obligations and regulatory requirements (e.g. anti-money laundering laws and regulations, tax laws). Compliance with such obligations and requirements may require the processing of personal data.

(c) For safeguarding our legitimate interests

Where necessary we may process your personal data to pursue or safeguard our legitimate interests.

For example, we may process your personal data in order to:

  • Maintain and/or enhance the security of our IT systems and networks;
  • Administer, manage and improve the operation of our IT systems and applications;
  • Prevent, detect and investigate fraud and other crimes or unlawful activities;
  • Administer, manage and develop our business and services;
  • Maintain our books and records;
  • Manage the risks associated with our business and operations;
  • Monitor and assess compliance with our internal policies, procedures and standards;
  • Safeguard the security of our people, premises and assets;
  • Obtain expert or professional advice (e.g. tax or legal advice);
  • Establish, exercise, support or defend legal claims or rights;
  • Provide you with information in relation to our services and other information that we believe might be of interest to you, such as newsletters, updates, market insights and invitations to events, provided that you have not objected to the processing of your personal data for such purposes.

(d) Based on your consent

If you give your explicit consent to the processing of your personal data for specific purposes, the legal basis for the processing of your personal data is your consent.

Please note that you can withdraw any such consent at any time by contacting us. The withdrawal of consent shall not affect the lawfulness of any processing carried out based on the consent prior to its withdrawal.

We do not generally process personal data based on consent, as we can usually rely on another legal basis. We may, however, request your consent to process your personal data for marketing purposes.

  8. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Data about you will not be disclosed to anyone, except where such disclosure is required or permitted by law.

More specifically, personal data may be disclosed to third parties under the following circumstances:

  • Where it is necessary to do so in order to provide our services or satisfy our contractual obligations towards a customer;
  • Where we are legally compelled to do so;
  • Where it is necessary to do so in order to safeguard our legitimate interests;
  • Where we are required to do so in order to fulfil our statutory and regulatory obligations.

Within Elympus

Personal data may be shared between companies within the Elympus Group where this is necessary for the purpose of providing our services, as well as for regulatory, administrative, risk management and other business purposes.

Outside Elympus

Personal data may also be disclosed to certain third parties such as:

  • Service providers that support our operations, such as companies providing IT and telecommunication systems, solutions and support, file storage companies, archiving and record-keeping companies, and data back-up or cloud storage companies;
  • Courier and mailing service providers;
  • Consultants and professional advisors, including lawyers or legal consultants, financial and business advisors, tax advisors, property valuators and surveyors;
  • Accountants, auditors and other licensed service providers;
  • Banks, other financial institutions and payment service providers;
  • Competent governmental, regulatory and law enforcement authorities, agencies or bodies and other third parties, to the extent that we are under a statutory or regulatory obligation to do so or to the extent that is necessary to do so in order to establish, exercise, support or defend our legal rights;
  • Insurance companies or agencies;
  • Notaries and apostille offices;
  • Potential and actual buyers or transferees of any part of Elympus’s business or assets;
  • Credit reference agencies and KYC/AML service providers;
  • Any other parties we may have to share personal data with in order to carry out a customer’s orders or execute a contract with a customer or provide the services requested by a customer.

Moreover, other recipients of your personal data may be:

  • Any persons linked with you or acting on your behalf;
  • Any persons you request us or give us your express consent to share your personal data with.

Service providers and suppliers that process personal data on our behalf provide sufficient assurances or guarantees with regard to the protection of personal data transferred to them and are required to comply with professional secrecy, confidentiality and data protection obligations according to the applicable data protection laws and regulations.

Where strictly necessary, under the circumstances mentioned above, personal data may be transferred to parties located in countries outside the European Economic Area (“third countries”). Data controllers or processors in third countries are obligated to comply with the European data protection and privacy standards and have in place appropriate safeguards in relation to the transfer and use of personal data.

In any case, any personal data transmitted to third parties is the minimum possible for the intended purpose.

Elympus will not transfer personal data to any third parties for their own direct marketing use without the express consent of the persons concerned.

  9. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

We are only allowed to keep your personal data for as long as is considered necessary for the purposes for which it was collected.

Generally, we will keep your personal data for as long as we have a business/contractual relationship with you or a third party which you are associated with.

After the said relationship ends, we may retain your personal data for the envisaged retention period set out in our retention policy which is in line with legal and regulatory requirements relating to retention.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons. If we do so, we will ensure that your privacy is protected and that your personal data is only used for those purposes.

  10. YOUR DATA PROTECTION RIGHTS

Under the GDPR you have certain rights with regard to your personal data. In particular, you have the following rights:

  • Right to access information. You have the right to ask us to verify whether we are processing personal data about you, and if so, request access to your personal data and information about how it is processed.
  • Right to rectification. If any data we hold about you is incorrect, inaccurate or incomplete, you have the right to ask us to rectify it.
  • Right to erasure. You have the right to ask us to delete or remove personal data concerning you where there is no valid reason for us to continue processing it. Note, however, that we may not be able to satisfy your request of erasure due to the existence of specific legitimate reasons.
  • Right to object to processing. You have the right to object, at any time, to the processing of your personal data for reasons related to your particular situation where the processing of your personal data is carried out for the purposes of pursuing our legitimate interests. Please note that we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so.
  • Right to object to direct marketing. As mentioned above, you can object, at any time, to the processing of your personal data for direct marketing purposes. If you exercise this right, we will no longer process your personal data for such purposes.
  • Right to restriction of processing. You have the right to request restriction of processing of your personal data in the following circumstances:
    • Where you believe that personal data concerning you is not accurate, for a period enabling us to verify the accuracy of the personal data;
    • Where you contest the lawfulness of the processing of your personal data;
    • Where you need us to hold your personal data even if we no longer need it, for the establishment, exercise or defence of legal claims;
    • Where you have objected to us processing your personal data, for a period enabling us to ascertain whether we have legitimate grounds to continue to use the personal data concerned.
  • Right to withdraw consent. Where you have given us your explicit consent to process your personal data for specific purposes, you have the right to withdraw such consent at any time. Once you revoke your consent, we will no longer process your data for those purposes, unless we have other legitimate reasons for doing so. The said revocation shall not affect the lawfulness of any processing carried out based on the consent prior to its revocation.
  • Right to portability. You have the right to receive a copy of the personal data concerning you that you have provided to us or to request us to transmit such data to a third party.
  • Right to lodge a complaint. If you have any concerns about the way in which we have used or are using your personal data, or if you are not satisfied with the way we have responded to any request you have made in relation to your personal data, you have the right to submit a complaint to us.

In any case, you also have the right to file a complaint with the competent data protection supervisory authority.

We will make all reasonable and practical efforts to respond to and adequately address any complaints, inquiries or requests as quickly as possible.

  11. ARE YOU OBLIGED TO PROVIDE US WITH YOUR PERSONAL DATA?

There is certain personal information that we must collect in order to be in a position to enter into a contract for provision of professional services and to provide our services pursuant to such contract, including information that we are obliged to collect and hold in order to fulfil our legal and regulatory obligations. Without this data we will not be able to provide or continue to provide our services.

  12. DATA SECURITY

We may keep your personal data in our electronic systems and/or paper files.

All entities within Elympus Group will ensure an adequate level of protection for your personal data at all times, in accordance with the applicable legal and regulatory requirements concerning data privacy and security.

We will implement appropriate technical and organisational measures to protect the confidentiality and integrity of personal data, and ensure the availability of personal data for authorised or permitted purposes.

In particular, we will ensure that adequate safeguards, security measures and mechanisms are in place in order to prevent any unlawful or unauthorised disclosure or use of personal data and protect personal data from accidental or unlawful destruction, damage, loss or alteration.

Our internal procedures aim to ensure that any access to personal data is limited only to those who need to access the relevant personal data, as necessary for authorised purposes. Those individuals who are authorised to access and use personal data are required to maintain the confidentiality of such data and protect the privacy of data subjects.

  13. CONTACT US

If you have any questions regarding this Privacy Policy or want more details about how and why we use your personal data or if you wish to exercise any of your rights, you can contact our Data Protection Officer at:

Address: 22F, Evanthous Street, 1101 Nicosia, Cyprus

Telephone: +357 22780300

Email: dpo@elympus.eu

  14. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be amended, revised or updated from time to time in order to remain compliant with the legal and regulatory framework and to reflect any changes to our business processes and practices. The new version of this Privacy Policy will be available on our website (www.elympus.eu). In case of significant changes to this Privacy Policy we will notify you appropriately.

Date: 25/05/2018