Client’s Personal Data
General Data Protection regulation (GDPR)
This regulatory notice is solely for informative purposes.
What is GDPR?
It is a new law which came into force on the 25th of May 2018, designed to enable individuals to better control their personal data. Personal data is defined as any information which identifies individuals directly or indirectly. In relation to clients’ personal data, PanAudit can either act as a Data Controller, by controlling the storage and usage of personal data by determining the purposes and the means by which the personal data is processed, or as a Data Processor, by maintaining a record of data processing activities, acting on behalf of another Controller.
Why shall the client be informed?
One of the requirements of GDPR is to inform each client how personal data is processed. The processing includes obtaining, recording, storing and carrying any tasks by using personal data. This notice also describes data protection rights.
What are the requirements?
PanAudit Konnaris Limited will act as the Data Controller of personal data provided. Personal data includes name, address, email, telephone number, mobile number, temporary residential address, employment address, name of employer, personal status, i.e. identity card number, passport number, marital status, occupation, country of taxation, source of wealth, size of wealth, ownerships and directorships, accompanied by all the required supporting documentation.
For what purposes will the client’s personal data be processed?
Personal data shall be processed for several different purposes:
- For providing the services requested from us as those are stipulated within PanAudit engagement letters;
- For reporting on provided services to the client;
- For verifying client’s identity and carrying out regulatory checks;
- For complying with various laws and regulations that apply to PanAudit including:
- The Law Regulating Companies Providing Administrative Services and Related Matters of 2012 (i.e. Law 196 (I) 2012) as in force
- The Prevention and Supervision of Money Laundering and Terrorist Financing Laws of 2007-2018
- The Cyprus and Securities Exchanging Commission Directive for the Prevention of Money Laundering and Terrorist Financing (DI144-2007-08 of 2012);
- For accommodating the client’s needs in order to provide a better service; For arranging meetings with the client and/or other events which may be of interest to the client;
- For obtaining information in relation to your use of our website.
Please note that PanAudit will not collect any personal data which is not required for providing and oversee requested services.
All the personal data obtained is processed by PanAudit staff in Cyprus. For IT hosting and maintenance purposes, this information is stored in servers located within the European Union. Third parties do not have access to clients’ personal data and PanAudit does not share clients’ personal data with third parties unless :
- this is required for providing a client with the services requested from PanAudit through agents / banks etc. on whose services PanAudit relies in order to provide the services stipulated within the engagement letters agreed between PanAudit and the client;
- the law requires such disclosure i.e. to regulatory authorities, or
- the client provided with authorization to disclose personal data by a specific consent letter provided to PanAudit in writing
Any third parties, whose services PanAudit uses, may also transfer clients’ personal data to other third parties who in turn provide services to us. PanAudit requires such third parties to put appropriate safeguards in place if a transfer of personal data outside the EU is involved.
PanAudit follows Data Protection regime to oversee the effective and secure processing of clients’ personal data.
In which cases the client’s consent is required?
A consent is required in cases where the client has engaged another provider e.g. auditors, tax advisors, legal associates, etc. who request the client’s personal data from PanAudit , in order to provide their services.
How long the client’s personal data shall be kept in PanAudit records?
PanAudit is obliged, under the Cyprus Laws and Regulations, to keep and update a client’s personal data for as long as PanAudit provides its services to that client. Upon the termination of the business relationship, the client’s personal data shall be kept for a minimum of 5 years. After the legally required period lapses, the client’s personal data shall be destroyed.
Do you subject my personal data to any automated decision making?
What are the legal grounds on which PanAudit relies to process a client’s personal data?
These are the following:
- The processing is necessary for the performance of the terms and conditions set in the engagement letter/contract between PanAudit and the client;
- The processing is necessary for the compliance with a legal obligation;
- The processing is necessary in accordance to PanAudit’s legitimate interests;
- Client’s consent to the processing;
“Legitimate interests” is a heading that covers several different reasons why PanAudit may need to process client’s personal data which may not be covered by other headings, such as:
- To comply with regulation or regulatory guidance
- To prevent fraud or financial crime
- To provide a better service
- To build mutual relationship with the client by inviting the client to events in which the client might be interested
- To transfer personal data between group entities for internal administrative purposes, or
- For the purposes of network or information security
What rights does the client have over its personal data?
- GDPR gives several rights over the client’s data, subject to certain criteria. These are:
- Right of access – a right to obtain a copy of the data PanAudit holds about the client as well as some supplementary information on that data
- Right to rectification – a right to require PanAudit to correct the client data
- Right to data portability – a right to require PanAudit to transfer the personal data provided
- Right to object – a right to object the processing of personal data based on PanAudit legitimate interests and/or the processing of personal data for direct marketing purposes
- Right to erasure – a right to require PanAudit to erase a client’s personal data
If the client wishes to exercise any of these rights, he/she shall contact the usual PanAudit contact/administrator who will provide with further information on how to exercise these rights.
Right to lodge a complaint
If the client wishes to raise a complaint on how PanAudit has handled personal data, the client shall contact PanAudit Data Protection officer who will investigate the matter.
If the client is not satisfied with PanAudit’s response or believes PanAudit is not processing the client’s personal data in accordance with the law, the client may file a complaint to the Office of the Commissioner for Personal Data Protection.
Updates to this notice
There may be updates to this notice to reflect changes in the way PanAudit processes the clients’ personal data or to clarify information provided in this notice. Each client will be notified about these changes when PanAudit is legally required to do so.