Effective Date: 3rd July 2020
(1) Introduction
This Privacy Policy applies to EXSUS OFFICES LTD, EXSUS TRUST LTD, EXSUS AUDIT LTD, EXSUS UK LTD, EXSUS DIGITAL LIMITED, EXSUS GROUP LTD, EXSUS INVESTMENTS LTD, EXSUS INTERNATIONAL CORPORATE SERVICES PROVIDERS L.L.C – UAE (hereinafter referred to as, “us”, or “we”, or “our”, or “the Group” in this Privacy Policy) and explains how the Group collects, uses and discloses your personal data, and your privacy rights in relation to the personal data it holds.
(2) Data controller
We are the data controller of your personal data and subject to the EU General Data Protection Regulation 2016/679 (the “GDPR”). This means that we are responsible to you in regards to how we hold and use your personal information. Under data protection law, we are required to notify you of all the information contained in this Privacy Policy.
Please send any questions relating to this Privacy Policy to the following email and it is our aim to respond within 30 days from the date we receive privacy-related communications.
In any event, you always have the right to contact the regulator in charge of protecting personal information, at the Office of the Commissioner for Personal Data Protection.
Our Privacy and Data Compliance Officer’s contact details are:
E-mail – [email protected]
This Privacy Policy replaces any previous Privacy Policy or equivalent, which you may have been provided with prior to the Effective Date stated above.
(3) Your rights
Your data protection rights are highlighted here. To submit a data request please send us an email at [email protected].
- Access – You can ask us to verify whether we are processing personal data about you and if so, to provide information that is more specific.
- Correction – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you.
- Erasure – You can ask us to erase (delete) your personal data after you withdraw your consent to processing or when we no longer need it for the purpose, it was originally collected.
- Processing restrictions – You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while verifying whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
- Data portability – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company if is technically feasible.
- Right to Object to Direct Marketing including Profiling – You can object to our use of your personal data for direct marketing purposes, including profiling. We may need to keep some minimal information to comply with your request to cease marketing to you.
- Right to Withdraw Consent – You can withdraw the consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly repetitive, unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
Please note that the above rights are not absolute, and we may be titled to refuse requests where exceptions apply.
You may find out more about your rights at the website of the Office of the Commissioner for Personal Data Protection at www.dataprotection.gov.cy, or by contacting us.
(4) How we collect your personal data?
We collect your personal data in multiple ways, for example:
- Directly. We obtain personal data directly from you in many ways:When you communicate with us by telephone, fax, email or other forms of electronic communication. In this respect, we may monitor, record and store any such communication.When providing us with your business card, visit our offices, or attend meetings or events. We may also obtain personal data directly when, for example, we are establishing a business relationship, performing professional services through a contract.When you complete (or we complete on your behalf) client engagement forms or any other forms.
- Indirectly. We obtain personal data indirectly from you from many sources, including:Public sources – Personal data may be obtained from public registers (such as Registrar of Companies), LinkedIn, and Internet searches.From our clients and our other affiliated companies.From your agents, advisers and intermediaries.Business clients – Our business clients may engage us to perform professional services, which involve sharing personal data they control as part of that engagement.Recruitment services. We may also obtain personal data about candidates from other parties including former employers.
(5) What categories of personal data do we collect?
We collect the following categories of personal data about you:
- Contact details (e.g., name, company name, job title, work and mobile telephone numbers, work and personal email, fax number and postal address).
- Professional details (e.g., job and career history, educational background and professional memberships).
- Biographical information which may confirm your identity including your date of birth, tax identification number, VAT number, reference letters, CV, ARC, passport number, driver’s license or national identity card details, marital status, country of domicile and/or your nationality.
- Financial information (e.g., taxes, payroll, investment interests, pensions, assets, bank details).
- Sensitive personal data. We typically do not collect sensitive or special categories of personal data about individuals. When we do need to process sensitive personal data, it is with the consent of the individual unless it is obtained indirectly for legitimate purposes. Examples of sensitive personal data we may obtain include:
- Personal identification documents that may reveal race or ethnic origin, and possibly biometric data of private individuals, beneficial owners of corporate entities, or applicants;
- Expense receipts submitted for individual tax or accounting advice that reveal affiliations with trade unions or political opinions;
- Adverse information about potential or existing clients and applicants that may reveal criminal convictions or offences information. Also, information to assess whether you may be characterised as a politically exposed person or a person involved in terrorist financing/ money laundering
(6) Legal bases of our processing and Sharing of your personal data with third parties
We may rely on the following lawful reasons when we collect and use personal data to operate our business and provide our services:
A. Consent
We may rely on your freely given consent at the time you provided your personal data to us.
B. Performance of a contract with you
We process your personal data in the course of the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
In this respect, we use your personal data for the following:
- To prepare a quotation for you with respect to the services we offer;
- To provide you with the services as set out in our Engagement Letter with you or as otherwise agreed with you from time to time;
- To deal with any complaints or feedback you may have.
For any other purpose for which you provide us with your personal data. In this respect, we may share your personal data with or transfer it to the following:
- Your agents, advisers, intermediaries, and custodians of your assets who you tell us about;
- Third parties whom we engage to assist in delivering the services to you, including other affiliated companies of the Group;
- The Group, where necessary for administrative purposes and to provide professional services to our clients (e.g., when providing services involving advice from the Group in different territories);
- Our professional consultants where it is necessary for us to obtain their advice or assistance, including lawyers, accountants, or IT;
- Other third parties such as intermediaries who we introduce to you. We will wherever possible tell you who they are before we introduce you.
C. Legal obligations
We also process your personal data for our compliance with a legal obligation which we are under. In this respect, we will use your personal data for the following:
- To meet our compliance and regulatory obligations, such as compliance with anti-money laundering and anti-terrorist financing laws;
- As required by tax authorities or any competent court or legal authority.
In this respect, we will share your personal data with the following:
- Law enforcement or other government and regulatory agencies (e.g., MOKAS, CySEC) or to other third parties as required by, and in accordance with, applicable law or regulation.
D. Legitimate interests
We also process your personal data because it is necessary for our legitimate interests, or sometimes where it is necessary for the legitimate interests of another person.
In this respect, we use your personal data for the following:
- For delivering the professional services that our clients have engaged us to provide;
- For the administration and management of our business, including recovering money you owe to us, and archiving or statistical analysis;
- Parties that support us as we provide our services (e.g., providers of telecommunication systems, mailroom support, IT system support, archiving services, document production services and cloud-based software services);
- For direct marketing – To deliver timely market insights and specialty knowledge we believe is welcomed by our business clients, subscribers and individuals who have interacted with us, promoting our professional services, products and capabilities to existing and prospective business clients;
- For meeting regulatory and public interest obligations or mandates;
- For seeking advice on our rights and obligations, such as where we require our own legal advice;
- A potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger/acquisition of part or all of our business or assets, or any associated rights or interests.
In this respect we will share your personal data with the following:
- Our professional advisers or agents, including lawyers, auditors, insurers, marketing services providers, payment services providers, and recruitment services providers;
- With third parties and their advisers where those third parties are acquiring, or considering acquiring, all or part of our business;
- Our consultants where it is necessary for us to obtain their advice or assistance.
(7) Marketing Information
We may send you marketing information about services and products we provide, as well as those of the Group, including any other information in the form of e-mails, invitations to events, relevant publications, industry newsletters, and special offers, which we believe, might be of interest to you.
We may communicate this to you in a number of ways including by telephone or email.
If you have agreed to receive marketing, you may always opt-out at a later date.
You have the right at any time to stop us from contacting you for marketing purposes.
If you no longer wish to be contacted for marketing purposes, please contact us by email to [email protected]
(8) Transfer and processing of your personal data outside the European Union
We store personal data on servers located in the European Economic Area (EEA). We may transfer personal data to the Group, and reputable third party organisations situated inside or outside the EEA when we have a business reason to engage these organisations. Each organisation is required to safeguard personal data in accordance with our contractual obligations and data protection legislation.
(9) How long do we retain your personal data?
We retain personal data to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to. We retain personal data for as long as we have a legitimate business purpose to do so and where a specific legal, regulatory or contractual requirement applies. We will dispose of personal data in a secure manner when we no longer need it.
(10) Changes to our Privacy Policy
The Privacy Policy will be updated with any changes we may make in the future. Please check back with us for any updates or changes to this Privacy Policy.
(11) Complaints
If you are not satisfied with how we are processing your personal data, please contact us at [email protected]. Additionally, you have the right to make a complaint to the Office of the Commissioner for Personal Data Protection in Cyprus. For further details, visit www.dataprotection.gov.cy and select ‘Lodge a complaint’.