CCHQ Services Limited (referred to as “CCHQ” or “we” or “us “ or “our”) is a company registered in the Republic of Cyprus, under registration number HE 384696 as a limited liability company having its registered office at 121 Prodromou Street, Hadjikiriakio Bldg 1, 1st Floor, 2064, Nicosia, Cyprus.

CCHQ is committed to protecting and respecting your privacy and handling your personal data in an open and transparent manner. We collect and process personal information about our clients daily. We treat such information lawfully and always in compliance with the requirements of the General Data Protection Regulation (“GDPR”) and any national law supplementing or implementing the GDPR (collectively referred to as the “Data Protection Requirements”).

We have the utmost respect for the trust shown to us, and we take our data protection duties seriously. We use personal information appropriately and reliably.

The ways by which CCHQ processes any personal data, are outlined within this policy.

This policy does not form part of any contract and may be amended at any time. CCHQ is responsible for ensuring compliance with the Data Protection Requirements and with this policy.

This Privacy Policy does not apply to websites operated by other organisations and/or third parties.

For the purposes of this privacy policy:

• Personal Data means data (whether stored electronically or in other form) relating to a living individual who can be identified directly or indirectly from that data (or from that data and other information in CCHQ possession).
• Processing is any activity that involves use of personal data. It includes obtaining, recording or holding the data, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
• Sensitive Personal Data includes personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, physical or mental health condition, sexual orientation or sexual life. It can also include data about criminal offences or convictions. Sensitive personal data can only be processed under strict conditions, including with the consent of the individual.

We follow GDPR principles relating to the process of personal data. These principles require that personal data are:

1. Processed fairly, lawfully and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes and any further processing is completed for a compatible purpose.
3. Adequate, relevant and limited to what is necessary for the intended purposes.
4. Accurate, and where necessary, kept up to date.
5. Kept in a form which permits identification for no longer than necessary for the intended purposes.
6. Processed in line with the individual’s rights and in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

We collect personal data in two ways: 1) they are given to us (either by the owner or someone else); 2) they are publicly available and 3) data we receive from other sources. We may also collect personal data from regular correspondence with you by phone or e-mail or otherwise.

Depending the type of service, we provide, we might collect the following personal data:

• Contact details: i.e., name, address, telephone number, e-mail address and fax number;
• Identification details: i.e., identification or passport number;
• Biographical and demographic data: i.e., date of birth, age, gender and marital status;
• Education and employment information: including academic and professional background, employment history, current occupation and business activities;
• Financial and tax-related information: i.e., bank account number and account details, source of income and wealth and tax residency;
• Details of any complaints or queries when contacting us;
• Details in relation to any transactions carried out: including the purpose of the transaction, its destination, payee and source details;
• Details in relation to any business activities carried out;
• Details in relation to any public positions hold, or have held in the past: including by a close relative or close associate.

Depending the type of service, we provide, we might collect the following personal data to the extent authorised by the Law, or where we are given an explicit consent:

• Details in relation to nationality;
• Details in relation to criminal convictions and offences.

We may receive information about you from individuals or corporate entities which are subscribers to our service (“Subscribers”) where you are to be designated a user of our service. We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties and may receive information about you from them, subject to your agreements with them.

A. Personal Data

We process personal data according to the applicable law, usually under the following conditions:

(a) Prior, or at execution of a signed contract
Personal data processing is required for providing our services. We use our processing to:

• evaluate risks, administer, and carry out contracts;
• communicate with interested parties or clients, in order to execute contracts or carry out a business relationship;
• communicate with interested parties and clients regarding any enquiries or complaints that may arise;
• notify about any changes to our products and/or services; and
• recover any payment due to us in respect of the products and/or services we have provided.

In the case where requested personal data is not provided to us, we might be unable to offer our services.

(b) To comply with a legal obligations
We are obligated to comply with certain legal, regulatory, and statutory requirements, which may involve the processing of personal data. The purpose of this processing is to verify an identity, comply with court orders, tax law or other reporting obligations and anti-money laundering controls.

(c) Where we have appropriate legitimate interests to use personal data
We may, at certain cases, process clients’ personal data to pursue legitimate interests of our own or those of third parties. In such situations, clients’ interests and fundamental rights are not overridden by our interests. More specifically, we may process personal data to:

• maintain our accounts and records;
• identify, prevent and investigate fraud and other unlawful activities, unauthorised transactions and other liabilities;
• manage risk exposure and quality;
• safeguard the security of our people, premises and assets and prevent trespassing through video surveillance;
• manage our infrastructure, business operations and comply with internal policies and procedures;
• enhance the security of our network and information systems;
• modify, personalise or otherwise improve our services/communications;
• defend, investigate or prosecute legal claims; and
• receive professional advice (e.g. tax or legal advice).

(d) Where we have obtained the consent
Clients may withdraw their consent at any time. To withdraw your consent, contact admin@cchq.com.cy. Please note that any processing that was carried out before the withdrawal of consent shall not be affected in any way.

B. Sensitive Data

We will only use sensitive data in the following circumstances:

• where a client gave us the explicit consent to do so, or
• where processing of client’s sensitive data is necessary for the establishment, exercise or defence of legal claims which may relate to the service(s) that we provide to the client; or
• where we need to use sensitive data for reasons of substantial public interest, given that we are allowed by law to do so, such as obtaining details of ethnicity to carry out anti-money laundering checks.

During the execution of our contractual and statutory obligations, we may disclose personal data to various service providers, partners, and suppliers. Such third parties enter into contractual arrangements with CCHQ by which they are required to comply with confidentiality and data protection obligations according to the Data Protection Requirements.

Beyond the reasons set out above, we may disclose data if we are legally required to do so, or if we are required under our contractual or statutory obligations.

Under the circumstances referred to above, recipients of personal data may be:

• any member in our group of companies;
• service providers we have chosen to support us with their expertise in the effective provision of our services;
• auditors and accountants;
• external legal consultants;
• financial and business advisors;
• file storage companies, archiving and/or records management companies, and cloud storage companies;
• governmental and regulatory bodies, including law enforcement authorities, in connection with enquiries, proceedings or investigations by such parties or in order to enable CCHQ to comply with its legal and regulatory obligations;
• credit reference agencies or other organisations that help us make business decisions and mitigate the risk of potential fraud and misconduct;
• third parties who may be involved in a potential or actual sale of all or a portion of CCHQ’ business or assets, and/or
• banks and financial institutions.

In the case where recipients of personal data are located in third countries (i.e. countries outside the European Economic Area), we will ensure that all such recipients comply with applicable Data Protection Requirements and have in place appropriate safeguards in relation to the transfer and use of personal data.

We will usually keep personal data for as long as we have a business relationship with the owner of such data. Once our business relationship ends, we may keep personal data for the longest of the following periods: (i) any retention period set out in our retention policy which is in line with regulatory requirements relating to retention; or (ii) the end of the period in which legal action or investigations might arise in respect of the services provided. We may keep personal data for longer if we cannot delete it for legal, regulatory, or technical reasons. If we do, we will make sure that every client’s, or ex-client’s privacy is protected, and that personal data is only used for those purposes.

Under the GDPR there are several rights regarding personal data. In particular, the following rights are included:

• Request access to one’s own personal data. Receive a copy of the personal data we hold and check that we are lawfully processing it.
• Request correction of one’s personal data that we hold.
• Request erasure of ones’ personal data. This includes the right to ask us to delete or remove personal data where there is no good reason for us continuing to process it. One has also the right to ask us to delete or remove their personal data where they have exercised their right to object to processing.
• Object to processing of one’s personal data where we are relying on a legitimate interest (or those of a third party) and there is something about their situation which makes one want to object to the processing on this ground.
• Request the restriction of processing of one’s personal data. This includes the right to ask us to suspend the processing of one’s personal data, for example wanting us to establish its accuracy or the reason for processing it.
• Request the transfer of one’s data to another party.

Even when we have received consent for the processing of personal data, one has the right to withdraw such consent at any time. Withdrawing consent will not affect the lawfulness of the processing before the consent was withdrawn.

To withdraw your consent, please contact admin@cchq.com.cy. Once we have received notification that you have withdrawn your consent, we will no longer process data for the purpose originally agreed to, unless we have another legitimate basis for doing so.

You have the right to lodge a complaint to the Office of the Commissioner for Personal Data Protection if you have any complaints in relation to the manner CCHQ has handled any request made in relation to your personal data or to how it otherwise handles your personal data.

We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

We will put in place procedures and technologies to maintain the security of all personal data from the point of the determination of the means for processing and point of data collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.

We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

1. Confidentiality means that only people who are authorised to use the data can access it.
2. Integrity means that personal data should be accurate and suitable for the purpose for which they are processed.
3. Availability means that authorised users should be able to access the data if they need it for authorised purposes.

Security procedures include:

1. Entry controls.
2. Secure lockable desks and cupboards. Desks and cupboards are kept locked if they hold confidential information of any kind. CCHQ follows a clean desk policy.
3. Encryption of data.
4. Methods of disposal. Paper documents are shredded. Digital storage devices are physically destroyed when they are no longer required.
5. Equipment. Staff always ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
6. Secure archive infrastructure.  All record keeping areas are protected by appropriate fire detection, automatic firefighting systems, pest control systems and anti-theft systems. Access to such areas is restricted and controlled.

This Privacy Policy will be reviewed as necessary, at our sole discretion to keep pace with any applicable laws and regulations. We may change this Privacy Policy at any time by posting a revised version of it on the website and will be deemed as received by all users and/or clients. We may post the notice of revision on our website and/or send the notice by email. Please check back frequently to see any updates or changes to our privacy policy. As of the effective date of the revised privacy policy, you will be considered as having consented to all changes to the Privacy Policy.

If you have any concerns or questions as to how your personal data is processed or if you wish to exercise any of your rights (set out in paragraph 8 above) you can contact:

Constantinos Constantinides, Data Protection Officer at admin@cchq.com.cy.