Table of Contents:
- Who we are
- Purpose of this document
- Useful Definitions
- Whose personal data we process
- The Personal Information that we process
- How we Collect your Personal Data
- How do we use your personal data and our legal basis
- Who or what categories of persons may receive personal data from us
- Using Sub-Processors
- Transfer of personal data outside the European Economic Area (“EEA”)
- For how long we keep your personal data
- Your rights
- Confidentiality and the security of your personal information
- Cookies Policy
- How to contact us
- Linking to other websites
- Updates to this Privacy Statement
FINCAP Advisers Ltd and its affiliated companies and subsidiaries (i.e. FINCAP Fund Solutions Ltd and FINCAP Reporting Solutions Ltd) (hereinafter referred to as “We” (“Us” “Our”) or “Company”) is a boutique financial advisory firm incorporated in the Republic of Cyprus and regulated by ICPAC (E847/E/2016).
We provide turnkey tailored services to regulated entities in an open architecture format offering licensing and post-licensing services (including external and internal audits, compliance and AML compliance, risk management, ICAAP, FATCA/CRS support, corporate advisory, accounting, tax & vat optimization, executive seminars, executive recruitment services and fund administration), across all renowned jurisdictions, aiming to cater to the needs of Investment Firms, Investment Funds (AIFs of all kinds including Hedge Funds, Private Equity Funds, Real Estate PE Funds and UCITS), Payment Institutions, Electronic Money Institutions, Fund Managers (AIFMs as well as non-AIFMD authorizations) Public Authorities, Online/Hi-tech merchants, Reg-tech / Fin-tech entities, Online Gaming companies across multiple jurisdictions.
This Privacy Statement sets out our policy on privacy which we are obliged under law to provide to you.
We are obliged to and committed to protect the privacy and security of your personal data.
This Privacy Statement was issued on the 18/11/2018.
References to “you”, “your” “yours” means the natural person whose personal data we may process as stated below.
This Privacy Statement applies to the persons stated in section 4 below.
Personal data refers to any information relating to you, as an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Where we act as the controller in relation to your personal data, we determine the purposes for which and how we will process of your personal data.
Under certain circumstances, we may act as a processor for your personal data; process your personal data on your behalf and on the basis of your instructions.
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
This means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Law on the protection of natural persons against the processing of personal data and the free movement of such data, Law 125(I)/2018 and/or other applicable data protection legislation and/or guidelines.
- Individual clients and individuals who are considering entering into an agreement with us to offer services to them and/or former clients (collectively referred to as the “Individual Clients”);
- Individuals connected to Individual Clients (e.g. authorised representatives and/or agents and/or employees);
- Individuals connected or relevant to non-individual clients such as companies, other corporate clients or other legal or non-legal entities who are considering entering into or who have entered into an agreement with us under the terms of which we will provide services to them (the “Client Entities”). Such persons include shareholders, owners, employees, directors, officers, authorised representatives or agents (g. external legal counsel or external auditors) and other associates.
Individual Clients and Client Entities are hereinafter collectively referred as Clients.
- Other individuals (e.g. staff candidates) that may be in any way connected with the work that we are engaged to provide to our Clients;
- Our employees and other persons working for us;
- Persons applying to us for employment;
- Our Associates (which may include without limitation IT services providers, auditors, other service providers, consultants, insurers, background check providers (collectively referred to as the “Associates”) with whom we may cooperate in offering our services to our Clients (together the “Customers”); and
- Visitors to our Website.
We process various types of personal data relating to you, which may vary according to the circumstances and nature of our engagement with you.
Examples include where you access or apply for our services or where you are our Client and we send our marketing material to you.
We may process:
- personal details such as name, surname, place and date of birth, residential address, email address, telephone number, ID, passport;
- due diligence and know-your-customer information and documentation which we are legally obliged to collect such as passport or other personal identification information, proof of address information, nationality, place and date of birth, country of residence, job, source of wealth, tax reference and background information such as non-bankruptcy records and clean criminal records;
- information relating to professional relationships – this includes (but is not limited to) your financial or other transactions, business dealings, tax information, marital status, history;
- financial details such as bank account, credit card details, bank statements, loan agreements, credit facilities tax reference, information regarding the completion and submission of IR4 and IR7 forms, billing information, payment details;
- employment and professional details such as employment contract, curriculum vitae, academic qualifications, diplomas, references, certificates, information relating to your professional and academic qualifications, work experience, references and other information, social media information, where you may apply to us for employment or for consideration in our recruitment services;
- other personal data which may be provided to us.
Additionally, we do not seek to collect, use or otherwise process special categories of personal data. However, under certain circumstances and in pursuance with our engagement and/or relationship with you, we may need to process your sensitive personal data such as data revealing racial or ethnic origin and biometric data e.g. facial images taken from IDs or passports and dactyloscopic data (i.e. fingerprints).
We collect your personal data:
- directly from you or through our email and telephone correspondence;
- indirectly from our Clients, Client Entities or their representatives, employees and/or our Associates;
- background check agencies (e. World compliance checks);
- employment agencies;
- due diligence investigation;
- internet and social media activity;
- governmental departments/agencies (e. through the website of the registrar of companies and official receiver) and from various public sources; and
- when you visit our website, e.g. personal data is collected when you complete any forms found on our website and we also receive basic information relating to your visit that is being supplied by your browser.
For further information please see our Cookies Policy at http://www.fincap.com/cookies-policy/.
We collect and/or use and/or process your personal information if:
- it is necessary for us to perform our obligations, duties and responsibilities in accordance with our engagement letter and/or our contract with you and/or a Client and/or in order to take steps prior to entering into such a contract.
What is our legal basis?
Processing is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract.
- it is necessary for (a) business and HR administration and management (g. recruitment purposes and establishing our HR Files and managing medical claims for our employees); (b) legal and regulatory compliance purposes; (c) to comply with our legal obligations (including any Know Your Client or Anti-Money Laundering); and (d) to enforce our legal rights.
What is our legal basis?
Where we process your personal data to enforce our legal rights and, it is our legitimate interest to do so.
For all other purposes, processing of your personal data is necessary for compliance with any legal obligations imposed upon us.
- it is necessary to provide you with information regarding our Company and the range of our services which we feel may be of interest to you or to provide you with any information requested from us, relating to our Company and services.
What is our legal basis?
We have obtained your consent to provide you with the mentioned information.
- it is necessary for other business purposes, such as relationship management, account management, internal financial reporting, provision of IT services (including among others storage, hosting, maintenance, support) and outsourcing services.
What is our legal basis?
It is in our legitimate interest or a third party’s legitimate interest (e.g. third parties with whom we collaborate for the performance of our obligations under our engagement) to collect and/or use and/or process your personal data in such a way to ensure that we perform our contractual obligations effectively and we provide the very best client service we can to you.
Where it becomes necessary to process special categories of personal data concerning you for any reason, we will rely on your prior explicit consent.
Warning: If you fail to provide us with your personal data that we request or you exercise any of the rights, as these are described in section 12 which oblige us to restrict the processing of your personal data, we may be unable to provide some or all of our services to you.
We may transfer your personal data to others where it is required in order to meet of or more of the purposes listed above. When we share personal data, we do so in accordance with data protection legislation and our internal security standards.
Such recipients may include:
- Our employees and other persons working for us and/or offering services to us;
- Our Associates;
- Companies or other organisations that we offer them recruitment services under our engagement;
- Third parties that may be in any way connected with the work that we are engaged to provide to our Clients; and
- Governmental and regulatory authorities to whom we may be legally bound to share your information in pursuance with our engagement with each Client (g. Cyprus Securities and Exchange Commission, Registrar of Companies and Official Receiver, banking institutions, Cyprus Bar Association, ICPAC).
As already mentioned, we may disclose and/or share and/or transfer your personal data with third parties in order to perform certain processing activities on our behalf. Particularly, we may appoint third parties (sub-contractor data processors) if required to perform our legal obligations, duties and responsibilities under our engagement. Moreover, it is our legitimate interest (or a third party’s legitimate interest) to perform such processing activities to ensure that we perform our contractual obligations effectively and in the best way that we can.
When doing so, we conduct an appropriate level of due diligence in order to ensure that our Associates and/or third parties (if applicable) comply with our legal and regulatory obligations related with the security of personal information and we put in place relevant contractual documentation.
During the course of our business and in pursuance with our engagement with each Client, we may need to transfer and/or transmit and/or disclose personal data to third parties situated outside the EEA (i.e. countries not offering the same level of protection of personal data as within the EEA).
We will seek to ensure that transfers outside the EEA comply with all applicable laws and regulations, including having a lawful basis for transferring personal information and implementing appropriate measures and safeguards to ensure an adequate level of protection for the personal data.
We keep your personal data in hard files and/or in electronic secured folders in our Company’s server.
We keep your personal data for no longer than reasonably necessary for the purposes collected it for. It is our policy to retain personal data for at least 10 years. However, we may keep your personal data for longer if:
- we are required to do so according to our regulatory or professional indemnity obligations;
- where we deem it necessary to retain your personal data to protect ourselves from any legal claim or dispute relating to the services we provide to you or our relationship if different, we will keep the data for the relevant limitation or for longer if obliged to do so under a legal obligation;
- where we cannot delete the data for technical reasons; and
- where we use your personal data for our own statistical, scientific or historical purposes.
Under such circumstances we determine the appropriate retention period, by taking into account, among others, the amount, nature and sensitivity of the personal data and the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
After such time period, we may destroy such files without further notice or liability, by securely shredding hard copies and deleting electronic files.
Kindly note that under the data protection legislation, you have the following rights:
- Right of access
You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you are entitled to access the personal data and be provided with further information and details regarding the processing by us of your personal data (including details regarding the purposes of processing and the recipients to whom the personal data have been or will be disclosed).
If requested, we will provide you with a copy of that personal data, without cost provided that this will not adversely affect the rights and freedoms of others. However, for any further copies requested, we may need to charge a reasonable fee based on administrative costs.
- Right of Rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right of erasure (“right to be forgotten”)
You have the right to obtain from us the erasure of personal data concerning you without undue delay subject to certain criteria being fulfilled where:
- your personal data are no longer required in relation to the purposes for which they were originally collected or processed;
- we relied on your consent as the basis for processing and you withdraw your consent, if there is no other ground for the processing;
- we processed your personal data unlawfully;
- we are under a legal obligation to erase your personal data;
- you have objected to the processing of your personal data (right of objection) and there are no overriding legitimate grounds for the processing or you object to our processing for direct marketing purposes.
- Right of restriction of processing
You can ask as to restrict the processing of your personal data, under the following circumstances:
- you contest the accuracy of your personal data, for a period enabling to verify the accuracy of your personal data;
- the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- you have objected to processing (right of objection) pending the verification whether our legitimate grounds override yours.
- Right of objection
You are entitled to object and ask us to stop processing your personal data at any time, and we will do so, if:
- we are relying on our legitimate interests (or those of a third party) to process your personal data, except where we can demonstrate compelling legitimate grounds for such processing, which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;
- personal data concerning you are processed for direct marketing purposes including profiling to the extent that is related to such direct marketing.
Where you object to our processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
- Right to data portability
You are entitled to receive your personal data which you may have provided to us in a structured, commonly used and machine-readable format and to transmit these elsewhere or to ask us to transfer them, where technically feasible, to a third party of your choice, without hindrance from us, where:
- Our processing is based on your consent; and
- We carry out such processing by automated means.
Kindly note, that under all circumstances, the exercise of your right to data portability shall not, in any circumstances, adversely affect the rights and freedoms of others.
- Right to lodge a complaint
If you have any concern about any aspect of our Privacy Statement or want to file a complaint, please contact us via email at firstname.lastname@example.org, providing us with relevant details.
You also have a right to lodge a complaint with the Cyprus Data Protection Commissioner. For further information on your rights and how to submit a complaint to the Data Protection Commissioner please visit the Office of the Commissioner for Personal Data Protection’s website at www.dataprotection.gov.cy/ .
Automated decision-making including profiling
We do not apply automated decision making and do not decide about you using automated means.
Kindly note, that the rights set out above are subject to certain exemptions and conditions, e.g where we have an overriding interest or legal obligation to continue the processing of your personal data. Under these circumstances, we may not be able to fulfill any of your requests to exercise your rights.
Our employees and/or our Associates and/or other third parties with whom we collaborate in order to fulfill our contractual obligations under our engagement, are and will be obliged to confidentiality and compliance with the data protection legislation.
We are committed to keeping your personal data secured and we have taken all appropriate and suitable technical and/or organizational and/or physical and/or other security measures to safeguard and protect against unauthorized or unlawful processing or accidental disclosure of, or access to your personal data and against accidental loss or destruction of, or damage to and/or to other unlawful forms of processing of your personal data.
For instance, (a) the personal data of staff and/or of prospective employees are held in protected folders in the Company’s Recruitment server; (b) only specific staff members of our Company that deal with recruitment have access to such folders; (c) the Company’s server is protected with antivirus software and firewall in order to prevent any unauthorized access and/or accidental disclosure; (d) flagging system of firewall software enables us to detect and/or identify any data breaches and/or other related risks with any undue delay.
Although we will do our best to protect your personal data, the electronic transmission of information (i.e. via the Internet or email) cannot be guaranteed to be secured or virus or error free and such information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete or otherwise be adversely affected or unsafe to use.
If you have any questions or concerns regarding this Privacy Statement or in case you want to exercise your rights set out in this Privacy Statement, please contact us by sending an email to email@example.com;
Our Website may contain links to external sites. In such a case, this Privacy Statement will no longer apply, since we are not responsible for the personal data handling practices followed by third-party sites. We therefore, encourage you to consult the other sites’ privacy policies.
We may update this Privacy Statement from time to time. The updated version of our Privacy Statement will be uploaded in our Website from time to time.