1. What Personal Data do we collect and process, and when?
By “personal data”, we refer to any personal information (a) you may provide to us directly (b) that we may collect in the course of our business or employer-employee (current or prospective) relationship, and (c) that we may collect from you through your use of our website at http://www.erotocritou.com/en/ (“Website”) or when you subscribe with us to receive newsletters and updates published on the Website. Depending on the circumstances, this can include things such as:
- your name, your place of work and your title or position;
- contact information, such as your postal address, email address and phone number;
- financial information, such as payment-related information;
- your specimen signature;
- technical information, such as information relating to your visits to the Website;
- identification and background information provided by you or collected by us as part of our business acceptance processes and practices, including, without limitation, any data revealing your ethnic or religious background (such as a copy of your passport or identity card) or data relating to criminal convictions or health or other data of a sensitive nature;
- your CV, previous employment experience and academic qualifications; and/or
- Any other information relating to you and your request which you may provide to us or that we may collect.
Even though our client base primarily consists of juridical persons and not natural persons, in certain circumstances we may, where we have a business relationship with a client that is a juridical person (e.g. a company established in Cyprus or abroad), process the personal data of persons that relate to our client (e.g. they may be a shareholder, officer, employee, agent, associate, representative, ultimate beneficial owner, advisor, supplier and/or customer of our client) or have a dispute with our client. It may also be the case that we process personal data of other persons instructed by you or other by persons or companies involved with us in providing the requested services, including, without limitation, accountants, banks, auditors, other law firms (in Cyprus or abroad) or other advisors.
2. Why do we collect and process personal data?
We collect and process your personal data as follows:
- to be able to assess your request, whether for provision of legal services or otherwise, and/or fulfil such request;
- in order to improve the services we provide (e.g. to improve our delivery of legal services, the content and functionality of the Website and/or otherwise); and/or for business administration purposes; and/or to protect and/or enforce our interests and rights; and/or in order to perform our obligations under a transaction to which we are a party to such as sale of business, merger or restructuring;
- to comply with a legal obligation to which we are subject to (e.g. comply with local anti-money laundering laws and regulations);
- to perform our obligations towards our employees in our capacity as employer; and/or
- to assess and evaluate the performance of our employees, provide equal opportunities, and award them.
3. Legal basis for collecting and processing personal data
We collect and process personal data on the following legal bases:
- in order to perform our obligations in accordance with any contract that we may have with you or in order to take steps to enter into a contract with you; and/or
- that it is in our legitimate interest or in a third party's legitimate interest to process your personal data in such a way to ensure that we provide our services in the best way that we can; and/or
- it is our legal obligation to process your personal information to comply with any legal obligations imposed upon us; and/or
- where we have your consent to do so; and/or
- in reliance on any other applicable legal basis provided under applicable laws and regulations.
It may be a case that more than one legal basis may apply to your circumstances.
4. How and where is your personal data stored?
Once your personal data is collected, it is stored in a secure and updated system of data storage and management. This system allows the supply, on request, of details of the data held and maintains a record of how it has been used. The data is processed in a manner that ensures appropriate security of personal Data, including, without limitation, protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. In addition, we have implemented and maintain suitable physical and managerial procedures to safeguard the security and confidentiality of your personal data. More specifically, the servers we store personal data in are kept in a secure physical environment and we undertake to take reasonable precautions to ensure its security on our systems. From time to time, we review our security procedures in order to consider appropriate new methods available and ensure that we continuously use accepted industry standards to protect your personal data provided to us.
Where personal data is included and/or provided to us in paper form, the relevant documents are securely stored in a designated space within our premises where no unauthorised access is permitted.
We maintain a strict policy with regard to confidentiality and security and we require all our staff, advisors and data processors to do the same.
5. How long do we keep your personal data?
We can only keep the data we collect from you for so long as it is necessary for one of the purposes listed above. Accordingly, your Personal Data will be retained in accordance with the appropriate retention period for each category of data and in strict compliance with applicable law. Those periods are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used, taking into account legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action, good practice and A.G. Erotocritou LLC business purposes. In particular, where we collect your data to:
- perform our contractual obligations towards you as a service provider, the retention period shall, subject to any further lawful processing (including, without limitation, requirement to retain personal information for compliance with a legal requirement to which we are subject to), be at least six years from the date of our last interaction with you;
- perform our contractual obligations towards you as an employer, the retention period shall, subject to any further lawful processing (including, without limitation, requirement to retain personal information for compliance with a legal requirement to which we are subject to), personal information of employees will be retained for a period equal to the relevant limitation period of actionable claims prescribed under applicable law;
- evaluate your application to work with us, your personal data shall, subject to any further lawful processing (including, without limitation, your consent to us to retain such information, and/or requirement to retain personal information for compliance with a legal requirement to which we are subject to), be securely deleted or destroyed following an unsuccessful application for employment; and
- satisfy a request relating to the Website that you have filed with us (i.e. where you subscribed with us to receive newsletters and updates published on the Website), your personal data shall, subject to any further lawful processing (including, without limitation, your consent to us to retain such information, and/or where we have a legitimate interest to do so), be retained until you withdraw the consent you have provided us with.
6. With whom is your personal data shared?
We shall not disclose or communicate or share your personal data to any third party unless with your prior consent. Having said that, we reserve the right to disclose, communicate and share your personal data in the following instances:
- service providers: we may share your personal data with service providers we have engaged to perform services on our behalf, including, without limitation, recruiting, credit card verification, storage fulfilment, disaster recovery and web-hosting service providers. We always request that our service providers protect your privacy in every possible manner and we prohibit them from using your personal data for their own marketing purposes or otherwise;
- for the purpose you provide it: we may share your personal data to fulfil the purpose for which you provide it;
- to comply with a legal requirement: we may share personal data in order to comply with applicable laws or if we are compelled to do so by a governmental agency, regulation, a court or other legal process. We may also disclose personal data if we believe disclosure is necessary to prevent or investigate a possible crime, such as fraud or identity theft or to protect our own rights or property, or to resolve any problems or inquiries or property, or to protect the rights, property or safety of others;
- violation of our Terms & Conditions: in case we have an indication or believe that your use of the Website has or may potentially violate any law and/or regulation, or our Terms & Conditions;
- to other lawyers: we may share your personal data with other lawyers or affiliates with whom we have a cooperation on a specific project, case or matter; and
- with your consent - we may share personal data for a purpose to which you provide your prior express consent. Save as described above, we refrain from disclosing any information about your visits to the Website or other information which identifies you to any third parties unless we have your prior express consent.
Further and without prejudice to the above, when providing our contractual obligations towards you, we may appoint sub-contractor data processors. We may appoint external data controllers where necessary to deliver our services, including, without limitation, auditors, accountants or other third-party experts.
Indicatively and non-exhaustively, a list of third parties with whom we may share your personal data is set out below:
- banks and other financial services providers;
- public and governmental authorities, including, without limitation, regulatory authorities, tax authorities, and corporate registries; and/or
- IT support services providers;
- experts or other specialist consultants required for the purposes of us delivering our services to you (e.g. expert witnesses in relation to a legal case you are a party to);
- other data controllers engaged or otherwise connected with the provision by us to you of our services; and
- third party postal or courier providers who assist us in delivering our documents related to a matter that concerns you.
At all times, we shall disclose your personal data in accordance with what is stated herein before, and applicable laws and regulations.
7. Transfer of personal data around the world
Where our third-party service providers process personal data outside the EEA in the course of providing services to us, our written agreement with them will include appropriate measures, usually standard contractual clauses.
8. What are your rights regarding your personal data?
At A.G. Erotocritou LLC we want to be fully transparent and clear about the way in which we handle your personal data. We want you to understand the control your have over your data. Accordingly, please note that you have the following rights under applicable laws and regulations:
- access: you are entitled to request details of the data we hold about you and how we process it. If we don’t hold and process any personal data relating to you, we will simply confirm to you that we don’t.
- rectification: you are entitled to obtain from us without undue delay the rectification of inaccurate personal data we hold on you. If you are entitled to rectification and if we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
- erasure: you are entitled to request the erasure of your personal data and we will be obliged to do so without undue delay. However, we will not be required to satisfy your foregoing request where if, inter alia, processing of your personal data is required for our compliance with a legal obligation that we are subject to and/or for the establishment, exercise or defence of legal claims.
- data portability: you entitled to ask us to provide your personal information in a structured, commonly used and machine readable format and to transmit, where technically feasible, such information to another controller without hindrance, where (i) processing is based on your consent or on the performance of a contract with you; and (ii) such processing is carried out by automated means.
- restriction of processing: you are entitled to ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
- objection: if you believe your fundamental rights and freedoms outweigh our legitimate interests, you are entitled to object to any processing of your personal data which has our legitimate interests as its legal basis. Once you objected, we will have the opportunity to demonstrate that we have compelling legitimate interests to continue processing your personal data which override your rights and freedoms.
- withdraw consent: If we rely on your consent to process your personal data, you are entitled to withdraw such consent at any time. However, you should be aware that if you choose to do so there may be potential consequences which we will tell you about at that time.
- right to complaint: you are entitled to lodge a complaint with the local supervisory authority, which is the Office of the Data Protection Commissioner in case you are not satisfied with the manner we process your personal data.
We would like to note that certain of the above rights may, depending on the circumstances at hand, be limited where we have an overriding interest or legal obligation to continue to process your personal data or where such data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.
9. What happens if personal data we keep is leaked?
Unfortunately, no data transmission can be entirely secured and guaranteed. Still, at A.G. Erotocritou LLC we make every effort to safeguard your personal data and privacy. Notwithstanding any measures we take to protect your persona data, we cannot guarantee that: (i) such security measures will prevent our computers from being accessed illegally, and (ii) the personal data on them being stolen, misused or altered.
You remain solely responsible for the security of your computer at all times and we may not have any responsibility whatsoever for destruction or inappropriate disclosure of your personal data. For your own protection, you are strongly encouraged to: (i) virus-check software when using our Website; (ii) avoid posting or providing to us via the Website, any document which you believe may contain a virus; and (i) virus check any document which you intend to post or provide to us via the Website.
We have set up an internal data breach procedure to be followed in the event that any personal data is destroyed, lost, altered or if there is unauthorised disclosure of (or access to) personal data as a result of a breach of security. Data breaches or leaks which may pose a risk to individuals will be notified to the Office of the Data Protection Commissioner within seventy-two (72) hours. A breach which is likely to result in a high risk to the rights and freedoms of individuals will also trigger an obligation to notify the holders of the personal data directly.
10. Links to other websites
12. Further information and updates
We encourage you to get in touch with us if you have any question or require any clarification or would like to exercise any one of your rights by calling us at +357 25 370101 or by emailing us at email@example.com.
Last update: May 2018