This Privacy Notice Policy (hereinafter referred to as the “Privacy Notice”) describes how we collect and use personal data about you, in compliance with the requirements and/or obligations and/or duties introduced by the EU General Data Protection Regulation 2016/679 (hereinafter referred to as the “GDPR”), as amended and replaced from time to time, as well as the relevant implementing legislation adopted in the Republic of Cyprus in relation to all processing activities carried out by the Company in respect of your Personal Data.

Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

Paul & Co Audit Limited ("we", “us”, “our” and “ours”), is a limited liability Company incorporated and registered under the Laws of the Republic of Cyprus, with registration number HE420632, having its registered place of business at 8 Adamantiou Korai Street, Lakatamia, 2321 Nicosia, Cyprus (hereinafter referred to as the “Company”).

For the purpose of the General Data Protection Regulation and this Privacy Notice, the Company is generally a “Data Controller” for processing of the Personal Data, however, we may provide some services as processors. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the GDPR to notify you of the information contained in this privacy notice.

Should you wish to contact our Data Protection Point of Contact you can do so using the contact details noted below.

The Company respects individuals’ rights to privacy and the protection of Personal Data. The scope of this Privacy Notice is to explain and elaborate on how we collect, use, process and store your Personal Data in the course of our business.

“Personal Data” or “Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The Company may update the Privacy Notice from time to time. When we make any updates, we will communicate such updates to you and publish the updated Privacy Notice on our website, http://www.paulco.com.cy.

We may amend or update this Privacy Notice from time to time. All amendments or updates will be posted on our website and/or in our standard terms of business and/or in any other appropriate communication or document exchanged between us. Thus, we would encourage you to visit our website regularly to stay informed about the purposes of processing of your Personal Data and your rights to control how we collect, use or process of your Personal Data.

We obtain personal data about you:

• when you request a proposal from us in respect of the services we provide;
• when you, your employer, organisations with whom you have dealings (including but not limited to banks and other professional service providers), or our clients engage us to provide our services;
• when you contact us by email, telephone, post or social media (for example when you have a query about our services); or
• when you submit an application for employment through our website or email or other communication;
• from credit reference and fraud prevention agencies, banks or other financial institutions, third authentication service providers and the providers of public registers;
• from third parties who provide services to you established or located within and/or outside the EEA and/or publicly available resources (for example, from representatives of our clients, your employer or from the Registrar of Companies).

It is your duty and responsibility to provide us with updates as to the Personal Data provided in order for such Data to remain current, accurate and correct and you acknowledge that we rely on the Personal Data provided to us in carrying out our obligations, under the law and our business relationship with you.

Where you are a corporate entity providing to us Personal Data of any individual or where you are an individual providing us with Personal Data of any individual other than yourself, you hereby undertake and represent that such individual, whose Personal Data is collected, used, processed and stored in accordance with this Privacy Notice, has been fully informed of and clearly consented in writing to such collection, use, processing and store of his/her Personal Data under this Privacy Notice and that he/she has been informed of his/her rights in relation to the Personal Data which is  collected, used, processed and stored, under this Privacy Notice.

Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, using the contact details below.

The information we hold about you may include the following:

• your personal details (including, but not limited to, your name, residential address, telephone, email etc.);
• information we are legally required to collect for compliance purposes, such as ‘know your client’ information (such as your ID number and/or passport number, CV, reference letters)
• financial status information including but not limited to source of income, gross income, net worth, transactional history, deposits and withdrawal requests, financial needs and goals;
• purpose and reason of account including but not limited to the nature of the transactions;
• details of contact we have had with you in relation to the provision, or the proposed provision, of our services;
• details of bank accounts, including but not limited to IBAN number, SWIFT code, account number and Sort Code (where applicable).
• details of any services you have received from us;
• our correspondence and communications with you;
• information about any complaints and enquiries you make to us;
• details provided as part of an application for employment;
• information from research, surveys, and marketing activities obtained in compliance with the GDPR;
• Information we receive from other sources, such as publicly available information, information provided by your employer,
• organisations with whom you have dealings, our clients or information from our member network firms.

Subject to applicable law, the Company may process Personal Data about criminal convictions or offences and/or alleged offences for specific and limited activities and purposes including but not limited to perform checks to prevent and detect crime and comply with the Law relating to anti-money laundering and terrorist financing, fraud, bribery, corruption and international sanctions. It may involve investigating and gathering intelligence on suspected financial crimes, fraud and threats and sharing Data with financial organisations, competent or other authorities including non-governmental authorities in any jurisdiction within or outside the European Economic Area (hereinafter referred to as the “EEA”). Where we are required to do so under the anti-money laundering framework to which we are subject, your Personal Data will be reported to the money laundering combat unit in Cyprus (MOKAS).

We may process your personal data for the purposes of responding to requests for services and/or other enquiries including in relation to performance of our contract with you (for example, in relation to accounting, audit, consultancy and/or administration services we may provide) , your employer, organisations with whom you have dealings  or to comply with our legal obligations.

We may process your personal data for the purpose of performing our contract with our clients. This may include processing your personal data where you are an employee, subcontractor, supplier or customer of our client.

We may process your personal data for the purpose of compliance with regulations, professional rules and laws applicable to us (such as Anti-Money Laundering Laws and Tax Laws) that we are subject to.

We may also process your personal data to comply with court orders, orders from any regulatory body to which we are subject and/or to defend our legal rights.

We may process your personal data for the purposes of our own legitimate interests provided that those interests do not override any of your own interests, rights and freedoms which require the protection of personal data. This includes processing for marketing, business development, statistical and management purposes always in accordance with the GDPR.

We may process your personal data for certain additional purposes with your consent, and in these limited circumstances where your consent is required for the processing of your personal data then you have the right to withdraw your consent to processing for such specific purposes.

Please note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.

We may use your personal data in order to:

• carry out our obligations arising from any agreements entered into (between you, your employer, organisations with whom you have dealings and us) which will most usually be for the provision of our services;
• carry out our obligations arising from any agreements entered into between our clients and us (which will most usually be for the provision of our services where you may be a subcontractor, supplier or customer of our client);
• provide you with information related to our services and our events and activities that you request from us or which we feel may interest you, provided you have consented to be contacted for such purposes;
• seek your feedback on the services we provide; and
• notify you about any changes to our services.

In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case we may use it without further notice to you.

If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.

We may also process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected, as required and/or as required under any legal provision to which we are subject and/or for such other periods as can be lawfully justified in each case.

When assessing what retention period is appropriate for your personal data, we take into consideration:

• the requirements of our business and the services provided;
• any statutory, regulatory or legal obligations;
• the purposes for which we originally collected the personal data;
• the lawful grounds on which we based our processing;
• the types of personal data we have collected;
• the amount and categories of your personal data; and
• whether the purpose of the processing could reasonably be fulfilled by other means.

Under the laws of the Republic of Cyprus, accounting records and documentation supporting these must be maintained for a period of 6 years. In the absence of any other specific legal, regulatory or contractual requirements, our baseline retention period for such records and other documentary evidence created in the provision of our services is 7 years.

Documentation gathered by us in accordance with our obligations under the relevant money laundering legislation to which we are subject is maintained for a period of 7 years after the termination of our business relationship or a one-off transaction. Such records will be retained for such period as is required under the relevant money laundering legislation to which we are subject, as this may be amended from time to time.

Personal data may be held for longer periods where extended retention periods are required by the Law or regulations and/or in order to establish, exercise or defend our legal rights before a Court or tribunal or Arbitral tribunal whatsoever.

Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal data where that reason is compatible with the original purpose.

Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.

We may share your Personal Data with the following recipients and categories of recipients:

• Third party organisations that provide applications, data processing or IT services to the Company including cloud-based software, identity management, web-hosting, data analysis, security and storage services.
• Other third-party service providers and processors, including file storage services and companies providing background checks.
• Insurers and professional advisors including legal advisors
• Law enforcement and other government and regulatory agencies and other third parties as required under applicable law.

We may share your Personal Data with third parties in the following cases:

• Where we have your explicit and written consent;
• It is required for your service;
• Where it is requested by any Competent or any other authority having control or jurisdiction over the Company or you or your associates whatsoever or in whose territory the Company has Clients;
• With Competent authorities to investigate or prevent fraud, money laundering or other illegal activity;
• With, third authentication service providers, such as World-check, banks and other financial institutions for credit checking, fraud prevention, anti-money laundering purposes, identification or due diligence checks of the Client. To do so they may check your details supplied against any particulars on any database (public or otherwise) to which they have access. They may also use your details in the future to assist other companies for verification purposes. A record of the search will be retained by the Company;
• With any of the Company’s professional advisors provided that in each case the relevant professional shall be informed about the confidential nature of such Data and commit to the confidentiality obligations herein as well;
• With other service providers who create, maintain or process databases (whether electronic or not), offer record keeping services, email transmission services, messaging services or similar services which aim to assist the Company collect, storage, process and use your Personal Data or get in touch with you;
• With such third parties as we see fit to assist us in enforcing our legal or contractual rights against you including but not limited to debt collection agencies and legal advisors. You acknowledge that any of the persons listed in the previous sentence may be either within or outside the EEA. It is required by the law and by law enforcement agencies, judicial bodies, the financial ombudsman, government entities, tax authorities or regulatory bodies and/or other competent authorities, governmental or not, whatsoever, established or located within or outside the EEA;
• With software, platform support or cloud hosting companies;

Our third-parties to which we share and/or transfer your Personal Data are not allowed to use or disclose or share whatsoever for any other purpose other than the purpose to provide services, as agreed, to us.

We will not disclose to any third party your Personal Data for its own marketing purposes without your consent.

Please note that your Personal Data is shared, transferred, collected, processed and stored in Cyprus.

If you would like a copy of your Personal Data held by the third parties or if you want to receive more details on how your Personal Data is collected, used, processed or stored by the third parties please email our Data Protection Officer at info@paulco.com.cy.

Where we collect your personal information within the EEA, transfer or sharing to Third Parties outside the EEA will be only when:

• the European Commission has decided that the country or the organisation we are sharing your Personal Data with will protect your Data adequately;
• the transfer has been authorised by the relevant data protection authority;
• we have entered into a contract with the organisation with which we are sharing your Personal Data (on terms approved by the European Commission or the Data Protection Commissioner of the Republic of Cyprus) to ensure your Personal Data is adequately protected.

We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality as well as other obligations regarding the security of the personal data they process.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

In the event of any loss or destruction or other form of personal data breach in respect of your Personal Data which is likely to result in a high risk to your rights and freedoms, we will contact you on your email provided during the establishment of the relationship unless you provide us with other contact details in respect of such notifications. Any such contact details should be communicated to the Data Protection Officer (“DPO”) of the Company.

There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident).  We use the CCTV images for the legitimate purposes of promoting security and safety of our employees and member of a public, preventing and detecting crime and establishing, exercising and defending legal claims. It shall be noted that the Company may disclose CCTV images to law enforcement bodies as per GDPR.

CCTV recordings are typically automatically overwritten after a short period of time unless an issue, such as a crime, is identified that requires investigation.

The Company takes all the appropriate measures to make sure that you are fully informed about your rights in regards with all Personal Data we collect, process, use and store.

Under certain circumstances, by law you have the right to:

• Request access to your personal data. This enables you to receive details of the personal data we hold about you and to check that we are processing it lawfully.
• Request correction of the personal data that we hold about you.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this basis. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible.

In the event you have any queries about how we collect, use, process or store your Personal Data that are not answered in this Privacy Notice, or in the event you want to exercise any of the above rights, please email our Data Protection Officer at info@paulco.com.cy.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us, notifications or updates in regards with corporate or tax matters or notifications about deadlines of submissions of documentation or other information to Companies House or tax authorities as part of the services which we provide to you), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please email us at info@paulco.com.cy.

Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in accordance with the law.

The Website uses cookies to identify your computer when you are on the Website. A cookie is a file sent by the Website to your computer, and used by the Website to identify you, to improve the site and to deliver a personalised service.

You may configure your browser to refuse or restrict the use of cookies. For example, in Internet Explorer, go to Tools > Internet Options.

Please note that the Website depends on cookies for proper functionality and you may not be able to use the Website properly if your browser is configured not to allow cookies. In particular, if you refuse or restrict the use of cookies, you may be unable to access certain parts of the Website.

If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process your personal data or to raise a complaint, please email us at info@paulco.com.cy or telephone on 22-253986.

You also have the right to make a complaint to the Office of the Commissioner for Personal Data Protection, the Cyprus supervisory authority for data protection issues, at any time. More information can be found at www.dataprotection.gov.cy.