SMPA Advisory Ltd (hereinafter also referred to as “I”/”me”/”my”/”her”) am authorized to provide
accounting services and advice. My practicing address is located at 1, Agias Zonis & Thessalonikis,
Nicolaou Pentadromos Center, Block B, 9th Floor, Office 903B, 3026 Limassol, Cyprus.
personal data may be processed by me, why it is held, how it is protected and what your rights are.
Accordingly, I aspire to comply fully with the European Union’s General Data Protection Regulation
(GDPR), and other relevant legislation protecting privacy rights.
For the purposes of this Policy:
- Data Protection Laws means all applicable laws relating to the processing of personal data,
including the General Data Protection Regulation (Regulation (EU) 2016/679).
- Personal Data means any information that relates to an individual who can be identified from that
- Data Subject means all living identifiable individuals about whom I hold Personal Data.
- Data Controller means SMPA Advisory Ltd, who determines the purposes for which and the means
by which Personal Data is processed.
- Processing means any activity or set of activities which is performed on Personal Data, whether
or not by automated means. It includes obtaining, recording or holding the data, or carrying out
any operation or set of operations on the data including organising, amending, retrieving, using,
disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third
- Data Protection Officer means the person who is responsible for overseeing my data protection
strategy and its implementation to ensure compliance with GDPR requirements.
The purpose of this Policy is to help me achieve my data protection and data security aims by setting out
the rules on data protection and the legal conditions that must be satisfied when I collect, receive, handle,
process, transfer and store Personal Data.
I must comply with this Policy and with the following data protection principles (as these are set out in Article 5
of the GDPR) which require that Personal Data is:
Processed lawfully, fairly and in a transparent manner in relation to individuals. I must always have a lawful basis to
process Personal Data, as set out in the Data Protection Laws. Personal Data may be processed as necessary to perform a contract
with the Data Subject, to comply with a legal obligation which the Data Controller is the subject of, or for the legitimate interest
of the Data Controller or the party to whom the data is disclosed. The Data Subject must be told who controls the information (us),
the purpose(s) for which we are processing the information and to whom it may be disclosed (“lawfulness, fairness and transparency”).
Collected only for specified, explicit and legitimate purposes. Personal Data must not be collected for one purpose and
then used for another. If I want to change the way, I use personal data I must first tell the Data Subject.
Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”).
Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. I will only
collect personal data to the extent required for the specific purpose notified to the Data Subject (“data minimisation”).
Accurate and kept up to date. Checks to Personal Data will be made when collected and regular checks must be made afterwards.
I will make reasonable efforts to rectify or erase inaccurate information (“accuracy”).
Kept only for the period necessary for processing. Information will not be kept longer than it is needed, and we will take all
reasonable steps to delete information when we no longer need it (“storage limitation”).
Secure and processed in a manner that ensures appropriate security of the Personal Data. This includes protection against unauthorised
or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
(“integrity and confidentiality”).
I may process Personal Data belonging to anyone who has expressed an interest in or made contact with me. These may include
(but are not restricted to) the following interested parties (often referred to as ‘you’) – employees, associates, contractors,
consultants, agents, clients, suppliers, directors, beneficiary owners and recruitment candidates.
What information is covered by this Policy
The Personal Data which I process depends upon the nature of the relationship with the interested party concerned,
but is likely to include (but is not restricted to), the following:
Identity Data, meaning personal and contact details (i.e. title, name, job, address, telephone, electronic contact details,
date of birth, gender, passport or ID number, nationality, citizenship, photographic identification, marital status, CV with
employment, experience, education and qualifications records, criminal records and medical data);
Financial Data, meaning data necessary for processing payments (i.e. credit/debit card numbers, bank account, security code numbers,
tax and insurance details and other related billing information); and
Information collected from publicly available resources, integrity databases and credit agencies where this is relevant to the services
offered to you. This Policy applies to all Personal Data created or received in the course of my business in all formats; it may be held
or transmitted in paper, stored electronically or physically in a filing system and/or communicated verbally in conversation or over the
Why is Personal Data processed and how I use your Personal Data
It is important to note the reasons for processing your Personal Data and how we use such information.
The predominant purpose for processing Personal Data is to facilitate, manage and, whenever possible, enhance the services provided by me to my
interested parties. In general, I will use information to carry out my business, to administer your employment or engagement and to deal with any
problems or concerns you may have. More specifically the reasons vary, again dependent upon the nature of your relationship with me, but include
(not restricted to) the following:
- to register you as a new client
- to provide legal advice or deliver other services you may have requested
- to manage and administrate your or your organisation’s business relationship with me
- to enable me to fulfil contractual requirements
- to meet requirements of public interest and management standards
- to comply with legal and regulatory obligations
- to comply with court orders and exercise my legal rights
- to enable me to give you the best service and the best and most secure experience, where it is necessary for my legitimate interests (or those of a third party)
- to ensure that recruitment process is efficient and provides appropriately qualified staff in terms of aptitude and attitude; and
- to facilitate swift responses to the above.
Legal basis for processing Personal Data
In accordance with GDPR there are six lawful reasons for processing data:
- Legal Obligation
- To protect vital interests
- To meet public interests
- Legitimate interests
How do I source Personal Data
There are three main ways in which I source Personal Data, in a number of circumstances, and all are legal,
transparent and fair:
- Information You Give me. When you seek advice or any other corporate and administrative services from me, or when you offer to provide services to us and/or my clients, you may give me information by completing relevant forms or through my due diligence procedure.
- Information We Collect. When you or your organisation make an enquiry I collect information about you from, email and telephone contacts plus my due diligence procedures.
- Third Parties. We may collect information from third parties – in particular, we may use third party organisations, with whom you have dealings, to conduct background checks and verifications. Additionally, we may use the web and social media sources, all of which are publicly available and strictly open source.
Personal Data storage
The vast majority of Personal Data that is processed by me is stored electronically and access is carefully managed and restricted appropriately. Any hard copies of processed
Personal Data are held in secure cabinets with restricted access. It must be noted that information received over the internet or from personal emails may not always be secure.
I am not liable for corrupted information received from such sources.
Personal Data retention
I will only retain your Personal Data for the minimum time necessary to fulfil my purposes, which will vary but can be defined as follows:
- For as long as I have reasonable business needs, such as managing my relationship with you and managing my operations;
- For as long as I provide goods and/or services to you and then for as long as someone could bring a claim against me; and
- Retention periods in line with legal and regulatory requirements and guidance.
Personal Data sharing
In certain circumstances, I shall share your personal information with:
Accuracy and relevance of Personal Data
I will ensure that any Personal Data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
I will not process Personal Data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this. If any of the Personal
Data that you have provided to us changes, or if you which to cancel any request you have made of us, or if you consider that any information held about you is
inaccurate or out of date, please let me know. If I agree that the information is inaccurate or out of date, then I will correct it promptly. If I do not agree
with the correction, then I will note your comments and discuss accordingly. I will not be responsible for any losses arising from any inaccurate, inauthentic,
deficient or incomplete Personal Data that you provide to me.
Personal Data security
I will use appropriate technical and organisation measures to:
Data Subject Rights
I will process all Personal Data in line with Data Subjects’ rights, as these are defined in the GDPR:
- The right to be informed. I need to tell you what data is being collected, how it is being used, how long it will be kept and whether it will be shared with any third parties.
- The right of access. You can submit subject access requests, which oblige me to provide a copy of any Personal Data I hold concerning you.
- The right to rectification. If you discover that the information I hold on you is inaccurate or incomplete, you can request that it shall be updated.
- The right to be forgotten. You can request me to erase your Personal Data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed, or it no longer meets the lawful ground for which it was collected.
- The right to restrict processing. You can request me to limit the way we use Personal Data. It is an alternative to requesting the erasure of data, and might be used when an individual contests the accuracy of his or her Personal Data.
- The right to data portability. You are permitted to obtain and reuse your Personal Data for you own purposes across different services.
The right to object. You can object to the processing of Personal Data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority. I must stop processing information unless
I can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the individual or if the processing is for the establishment or exercise of defence of legal claims.
- The right to withdraw consent. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Rights related to automated decision-making including profiling. The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses Personal Data to make calculated assumptions about individuals.
There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed. Please note that there may be occasions where you object to,
or ask me to restrict, or stop, processing of your personal information, or erase it, but I shall be unable to comply with such requests for legal reasons. However, I will consider any requests or complaints which we receive and provide you with a response
in a timely manner. If you are not satisfied with my response, you may take your complaint to the Republic of Cyprus’ supervisory authority, the Data Protection Commissioner Office.
SMPA Advisory Ltd, as the Data Controller, is responsible for establishing policies and procedures in order to comply with Data Protection legislation in force from time to time and for implementing the Policy within her business areas.
The Data Protection Officer, under Article 39 of GDPR, is responsible, inter alia, for:
- Training my employees on GDPR compliance requirements;
- Conducting regular assessments and monitoring to ensure GDPR compliance;
- Serving as the point of contact between myself and the relevant supervisory authority;
- Maintaining records of all data processing activities conducted by me;
- Reporting on compliance to me;
- Responding to Data Subjects to inform them about how their Personal Data is being used and what measures I have put in place to protect their data;
- Ensuring that Data Subjects’ requests relating to their Personal Data are fulfilled or responded to, as necessary.
Every person employed by me has responsibility for ensuring data is collected, stored and handled appropriately and must ensure that it is handled and processed in line with this Policy and data protection principles.
Specifically, they must ensure that:
- All Personal Data is kept securely;
- No Personal Data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- Personal Data is kept in accordance with this Policy’s requirements;
- Any queries regarding data protection and any data protection breaches are swiftly brought to the attention of the Data Protection Officer;
- Assisting the Data Protection Officer in maintaining accurate and up to date records of data processing activities
I reserve the right to amend this Policy from time to time. You are advised to visit this website section periodically in order to keep up to date with any amendments.