Privacy Policy – Index

I – Introduction

II – Data collected and processed

III – How the data is being collected

IV – Purpose of processing the personal data

V – Recipients of Data

VI – Personal Data of other person

VII – Failure to provide personal information

VIII – Rights of Client

IX – Update of Personal Data

X –  Complains Procedure

XII -Changes to Privacy Policy

 

Privacy Policy

I. Introduction

This document consists of the Firm’s Privacy Policy on how the client’s and/or affiliates and/or associates data is collected and processed. The Privacy Policy has been prepared in accordance with the Regulation (EU) 2016/679 (the ‘GDPR Regulation’) and Law 125(I)/2018).

II. Data collected and processed

The Company and the affiliated companies shall request and obtain data in the context of providing legal and other services to clients. The categories of data, according to the particulars of each case include (but are not limited to):

a – Contact details (including names, surnames, postal addresses, email addresses, telephone and fax numbers)

b – Information required by the Company to meet legal and regulatory requirements, in particular in respect of anti-money laundering legislation, including but not limited to information on source of funds and source of wealth, Marital status, Tax Residency, Employment information, Identification documentation, Proof of Residence, criminal records, non-bankruptcy, information of dual nationality, records of Politically Exposed Persons, etc.

c – Information provided in the course of the provision of legal, corporate, fiduciary, financial, banking, regulatory, accounting, payroll, tax, administrative, advisory (non-exhaustive list) (for example, information on professional relationships and background, financial wealth and assets held, transactions entered into, tax status, disputes and court proceedings engaged in)

d – Financial information, such as payment related information

e – Meetings attended and visits to the Company’s offices

f – Any other information relating to the enablement of services

III. How the data is being collected

It is the Company’s practice to request some or all of the above personal information: a – once our clients seek legal advice or any other legal and/or corporate and administrative service, b – in case where our prospective clients browse, make an online enquiry or otherwise interact via the Company’s website, c – in the event where third party persons (individuals or legal persons) provide services to the Company and/or the clients.

It is noted that in some circumstances, the Company collects personal data from a third party.

IV. Purpose of processing the personal data

The Company may process personal data for the following purposes:

a – To enter into a client-relationship and for the provision of services: Where an individual has been provided with this privacy notice and provides personal data thereafter, the processing may be carried out on the basis of consent. Consent may be withdrawn at any given time by writing to dpo@agplaw.com . It is in the legitimate interest of the Company as a provider of legal, corporate, fiduciary, financial, banking, accounting, payroll, tax, administrative, advisory (non-exhaustive list) to collect and process certain personal data in the context of provision of these services. The processing of this data is necessary for the aforementioned proceedings or to establish, exercise or defend the rights of the client with relation to these proceedings.

b – For identity verification, record keeping and maintenance of correspondence details: Processing of such data is necessary for compliance with the legal and regulatory obligations to which the Company needs to abide.

c – To ensure the security of the Company’s systems, members of staff and premises (including the use of CCTV equipment in the public areas of the premises): It is in the legitimate interest of the Company to protect its business environment, members of staff and premises, and to ensure smooth business operations without unauthorized interruption. By entering the Company’s premises, any individual automatically consents to the use of CCTV monitoring purposes and to abide by the internal health and safety procedures of the Company.

d – To meet all legal, regulatory and ethical obligations applicable to the Company: Processing is necessary for compliance with all legal obligations to which the Company is subject or for the exercise of functions with public authorities both locally and internationally.

e – For the purposes of internal know-how and training: It is in the legitimate interests of the Company as a provider of services to process data for internal know how and staff training.

f – To follow up on comments, enquiries, requests and complaints: In cases where an individual has been provided with the privacy notice and provides personal data thereafter, the processing may be carried out on the basis of consent. Consent may be withdrawn at any time by writing to compliance@agplaw.com . It is in the legitimate interests of the Company to collect and process certain personal data to enable it follow up on comments, enquiries, requests and complains in order to enhance client/user experience with the services of the Company.

g – For marketing purposes which includes but is not limited to: the sending of updates on important legal, corporate, fiduciary, financial, banking, accounting, payroll, tax, administrative developments, Company developments and/or events: In cases where an individual has been provided with the privacy notice and provides personal data thereafter, the processing may be carried out on the basis of consent. Consent may be withdrawn at any time by writing to dpo@agplaw.com or by unsubscribing by following the appropriate procedure which can be found in the relevant marketing material (e.g. by selecting the “unsubscribe” option in the email).

h – For the purpose of provision of IT- related services such as cloud storage, data encryption, Data Leakage Prevention and File- auditing (non-exhaustive list): It is in the legitimate interests of the Company to implement the necessary measures for safeguarding the data as mentioned prior. For enablement of such IT-related safety measures, the Company will provide access to a third-party IT Company for provision of such safety measures.

i – Any other purpose(s) which has been agreed or notified to the data subject

V. Recipients of Data

The Company may share client’s personal data in the following circumstances (non-exhaustive list):

a – Employees of the Company

b – Other service providers (for example, legal firms, government authorities or otherwise, such as banks, financial institutions etc. in the course of the services provided or to be provided)

c – Any affiliates or subsidiaries providing services

d – Other lawyers, other legal specialists

e – Companies providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes regulatory bodies with whom such personal data is shared

f – Courts, law enforcement authorities, regulators or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process

g – Where relevant instructions and/or permission is provided from clients, in case required by applicable laws and/or regulations and/or judicial and/or official requests to do so,

h – In case of investigations of actual or suspected fraudulent or criminal activities

VI. Personal Data of other persons

In the event where the client provides the Company personal data of other persons, (for example, directors, employees, associates, etc.), the clients must ensure that they are authorised to proceed with such disclosures, the third persons have provided their unconditional consent for such action, and that the third persons are aware that the Company shall collect and process their data without any further permission from the third person. Under no circumstances shall the Company be held liable for absence of consent of the third persons.

VII. Failure to provide personal information

The client should provide the Company with their personal data voluntarily. In case where the client refuses to provide consent or to provide the personal data, the Company may not be able or may refuse to provide any services since the collection of certain data may be required for the fulfilment of regulatory and compliance obligations and/or is necessary for the provision of services and/or execution of instructions. In such event, the Company shall inform the client accordingly.

VIII. Rights of Clients

Data subjects/Clients/prospective clients have a number of rights in respect of the treatment of their personal data. Any data subject/client/prospective client wishing to exercise such rights, should address their request to the Company’s Data Protection Officer as follows:

Name: Mrs. Andrea

Surname: Hadjigeorgiou

Email: dpo@agplaw.com

Tel: +35725731000

The rights can be summarized below:

1. Transparency and modalities

The Company shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the client, the information may be provided orally, provided that the identity of the client is proven by other means. The Company shall provide information on action taken to the client without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

The Company shall inform the client of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the client makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the client. Where the Company has reasonable doubts concerning the identity of the natural person making the request the Company may request the provision of additional information necessary to confirm the identity of the client.

2. Information and access to personal data

Where personal data relating to a client are collected from the latter, the Company shall, at the time when personal data are obtained, provide the data subject with all the following information:

  • The identity and the contact details of the Company and, where applicable, of the Company’s representative
  • The contact details of the data protection officer, where applicable
  • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • Where the processing is based on ‘Legitimate Interests’, the respective interests must be explained
  • The recipients or categories of recipients of the personal data, if any
  • Where applicable, the fact that the Company intends to transfer personal data to a third country or international organisation

In addition to the information above, the Company shall, at the time when personal data are obtained, provide the client with the following further information necessary to ensure fair and transparent processing:

  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • The existence of the right to request from the Company access to and rectification or erasure of personal data or restriction of processing concerning the client or to object to processing as well as the right to data portability
  • Where the processing is based on explicit consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  • The right to lodge a complaint (to the Data Protection Commissionaire)
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether the client/prospective client is obliged to provide the personal data and of the possible consequences of failure to provide such data
  • The existence of automated decision-making.

3. Information to be provided where personal data have not been obtained from the data subject/client

Where personal data have not been obtained from the client, the Company shall provide the client with the following information:

  • The identity and the contact details of the Company and, where applicable, of the Company’s representative
  • The contact details of the data protection officer, where applicable
  • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • The categories of personal data concerned
  • The recipients or categories of recipients of the personal data, if any
  • Where applicable, that the Company intends to transfer personal data to a recipient in a third country or international organisation
  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • Where the processing is based on the legitimate interests, the legitimate interests pursued by the controller or by a third party
  • The existence of the right to request from the Company access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability
  • Where processing is based on explicit consent the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  • The right to lodge a complaint (Data Protection Commissionaire)
  • The source which the personal data originate, and if applicable, whether it came from publicly accessible sources
  • The existence of automated decision-making.

4. Right of access by the data subject

The client shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipient to whom the personal data have been or will be disclosed
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the client or to object to such processing
  • The right to lodge a complaint
  • Where the personal data are not collected from the client, any available information as to their source
  • The existence of automated decision-making, including profiling

5. Right to erasure (‘right to be forgotten’)

The client shall have the right to request the erasure of personal data concerning him or her without undue delay and the Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • The client withdraws consent on which the processing is based or where there is legitimate interest and where there is no other legal ground for the processing
  • The client objects to the processing and there are no overriding legitimate grounds for the processing, or the client objects to the processing
  • The personal data have been unlawfully processed
  • The personal data must be erased for compliance with a legal obligation in the EU
  • The personal data have been collected in relation to the offer of information society services

Where the Company has made the personal data public and is obliged to erase the personal data, the Company, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the client has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The above will not apply to the extent that processing is necessary:

a – For exercising the right of freedom of expression and information

b – For compliance with any legal obligation which requires processing to which the Company is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company

c – For reasons of public interest in the area of public health

d – For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

e – For the establishment, exercise or defence of legal claims.

6. Right to restriction of processing

The client shall have the right to obtain restriction of processing where one of the following applies:

a – The accuracy of the personal data is contested by the client, for a period enabling the Company to verify the accuracy of the personal data

b – The processing is unlawful, and the client opposes the erasure of the personal data and requests the restriction of their use instead

c – The client no longer needs the personal data for the purposes of the processing, but they are required by the client for the establishment, exercise or defence of legal claims

d – The client has objected to processing pending the verification whether the legitimate grounds of the Company override those of the data subject

7. Right to data portability

The client shall have the right to receive the personal data concerning him or her, which he or she has provided in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided, where:

a – The processing is based on consent

b – The processing is carried out by automated means.

8. Right to object and automated individual decision-making

The client shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him. The Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the client or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the client shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the client objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

IX. Update of Personal Data

If any of the personal data provided is being amended, outdated or is inaccurate, clients may contact the Company at the following email address: dpo@agplaw.com

The Company shall not be held liable or responsible for any loss arising from inaccurate incomplete or false personal data provided by clients.

X. Complains Procedure

The Company has appointed a Data Protection Officer and all enquiries in respect of this Privacy Notice or any requests to exercise any of the rights set out above should be directed to the Data Protection Officer via email at: dpo@agplaw.com

If the clients believe that their personal data has not been handled appropriately, they may contact the Office of the Commissioner for Personal Data Protection, at:

15, Kypranoros

Nicosia 1061, Cyprus,

Tel: +357 22818456

Fax: +357 22304565

Email: commissioner@dataprotection.gov.cy

XI. Changes to Privacy Policy

The Company keeps this Privacy Notice under review in order to ensure that it is in line with any changes to the laws relating to privacy and personal data. The clients and/or prospective clients are kindly requested to regularly visit the Company’s official website at https://www.agplaw.com/ and read more about AGPLAW Cookie Policy & AGPLAW Disclaimer

This Privacy Notice was last updated in June 2025.