Last Updated: 04/05/2020
At GBC, we value and respect your privacy and prove this through this Policy which demonstrates our compliance with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”) which is directly applicable in the European Economic Area from 25th May 2018, and has introduced new measures aiming to protect your Personal Information and thus your privacy.
GBC in the process of receiving and processing your information for the purposes specified hereunder has and takes responsibility as the controller of your Personal Information, meaning that we, as a legal person alone or jointly with others, determine the purposes and means of the processing of the Personal Data we receive.
In this Policy, we explain our practices regarding the collection, use, processing and disclosure of your Personal Information, what kind of Personal Information we collect from you and when we collect them.
Personal Information Collected
“Personal Information” is information that identifies you as an individual or relates to an identifiable individual i.e. through which you may be identified. It always has to do with living people and does not concern legal entities such as companies. The Personal Information which we might collect is the following, but we always only collect what is necessary for the purposes defined below depending on the applicable purpose:
b) home and/or work address, P.O box
d) landline and mobile telephone numbers and email address, fax number
e) your business title,
f) date and place of birth,
h) ID, passport, visa or other government-issued identification information, and any information provided thereon;
i) debit and credit card numbers, other card information, IBAN and generally payment, billing and account information;
j) tax identification numbers
k) employer or other relevant details if you are an employee of a corporate entity, a vendor or other type of business partner (e.g.real estate agent, or meeting/event planner);
l) personal characteristics, nationality, income, passport number and date and place of issue;
m) your reviews and opinions about our services;
n) profile picture;
p) social media account ID or user ID;
q) your image on CCTV and door TV;
r) CV’s; s) details and information regarding your financial status, size of your wealth, source of your wealth and income;
t) any other publicly available Personal Information, including information that is published on websites and any which you have shared via a publicly available platform such as your or LinkedIn pages, WhatsApp, Viber, WeChat, Facebook, Twitter and others; and/or
u) any other type of information which you may choose to provide to us or we may obtain about you through third parties with whom we do business during the execution of the below purposes.
Ways Personal Information is Collected
We and our service providers and/or agents and/or affiliates and/or sub-contractors may collect Personal Information either:
a) directly from you (i.e. face-to-face contact or e-mail or fax or courier sent from you or from any online platform);
b) indirectly from you (i.e. a person/body acting on your behalf);
c) through or with the assistance of a third party who have first obtained your permission to share this information with us (e.g. a person/body providing information in the course of services provided to you or in the course of their legal obligations, your employer, our and/or your associates, introducers and other third parties); a publicly available source (e.g. the Land Registry website and the Registrar of Companies); and/or
d) another source whether these are provided in writing or verbally and in providing any part of our services.
The methods used for the collection of your personal data are the following:
a) requests and/or messages sent to our website and/or registrations done through our website;
b) when you communicate with us and/or with any member of our staff over the phone or via online chat-texting services or a social media service which may include Viber, WhatsApp, LinkedIn, WeChat, Messenger, Facebook, or other online social media services when you sign up;
c) when you visit our offices and/or when you have a meeting with any person of our staff whether in our offices or in another location; and/or
d) from publicly available databases and websites
In the event that we receive information from third parties, as opposed to directly from you, provided that they are lawfully entitled to share your Personal Information with us, we will use and/or disclose and/or share this information for the purposes described below in this Policy. Also in the event that your Personal Information is collected in this way, then we will bring to your attention the information included in this Policy along with the source from which the Personal Information originate, and if applicable, whether it came from publicly accessible sources. This information shall be provided to you within a reasonable period after obtaining the Personal Information, but at the latest within one (1) month, except where the Personal Information is to be used for communication with you, in which case we will provide you with the above information at the latest at the time of the first communication with you. However, if the above information is envisaged to be disclosed to another recipient then the above information shall be disclosed the latest when the Personal Information are first disclosed to the new recipient, despite the fact that none of the previous deadlines has passed.
Of course, no such information would need to be provided:
a) where you already have this information;
b) where the provision of this information, for some reason, proves impossible or would involve disproportionate effort to obtain;
c) obtaining or disclosure is expressly laid down by Union or Member State to which we are subject, and which provide measures to protect your legitimate interest; and/or
d) in the event where the Personal Information must remain confidential subject to an obligation of professional secrecy.
We may use and/or disclose and/or transfer Personal Information only to the extent that is necessary and proportionate to the purposes:
a) for the provision of services you request from us, whether or not we are the ones who will provide the service.
b) to correspond with you;
c) to associate and communicate with you in the event of cooperation for the provision of any of the above services to third parties;
d) to respond to your requests;
e) for our business purposes, such as data analysis, audits, security and fraud monitoring and prevention (including through the use of closed circuit television, card keys, and other security systems), enhancing, improving or modifying our services to ensure that get high quality services, and expanding our business activities;
f) to generate usage statistics of our website;
g) to generate statistics in relation to the types and volumes of clients to whom we provide services during the year;
h) to gather information about potential employees and member of staff candidates;
i) to comply with our legal and regulatory obligations, which may involve but is no limited to valid legal processes, VAT and other taxes, and social insurance reporting duties, to respond to governmental inquiries or requests from public authorities when we are obliged to do so;
j) to provide electronic receipts;
k) to verify your identity in the event that you wish to access our offices and/or in case we wish to perform security checks and/or to ensure that we speak to our clients in the intervals of providing our above services which involves the communication of confidential information;
l) to permit us to pursue available remedies or limit the damages that we may sustain;
m) to enforce our websites’ terms and conditions;
n) respond to an emergency which sets the physical integrity and health of a person at risk; and
o) to act upon any other legitimate interest permitted under the Regulation.
In the event that we decide to further process your Personal Information for a purpose other than the above information in relation to which your Personal Information was obtained, we shall provide you prior to that further processing with information on that other purpose and with any relevant further information which the General Data Protection Regulation requires and seek your consent in relation to such use.
Disclosure, Sharing and Transfer of Personal Information
Your Personal Information may be shared with the below entities and/or people, which may involve cross-border transfer of information to third parties in countries outside the European Economic Area:
a) authorised personnel at our offices or to our external partners and/or sub-contractors, who are appropriately and regularly trained for the processing of Personal Information;
b) affiliates and subsidiary companies of GBC for the purposes stated above;
c) your auditors and/or accountants with who you have an Engagement Letter or to whom you instruct us to transfer your Personal Data;
d) your legal consultants and/or advocates and/or solicitors and/or barristers and/or lawyers with whom you have an Engagement letter and/or agreement or to whom you instruct us to transfer your Personal Data;
e) your architects and/or civil engineers and/or consultants with whom you have an Engagement letter and/or agreement or to whom you instruct us to transfer your Personal Data;
f) banking institutions;
g) Government departments and authorities
h) service providers who assist us in the provision of the above services and/or the storage of the Personal Data and/or the functioning of our offices, such as our IT and server providers;
i) any other associates and/or agents and/or any other physical and/or legal person and/or body to whom you instruct us to transfer your Personal Information;
j) physical and/or legal person and/or body to whom you have assigned any of your rights, but solely for matters concerning them;
k) in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), we may share your Personal Information to a third party for the purposes of the aforementioned event;
l) if you visit any of our properties for the purpose of an event and/or meetingand/or seminar, then the Personal Information collected for the meeting and/or event and/or seminar may be shared with (1) the organisers of that event and/or meeting and/or seminar, and (2) where appropriate, the guests who participate in the event and/or meeting and/or seminar.
Where your Personal Information is transferred by GBC to a country outside the European Economic Area (EEA), GBC shall ensure that the country which the Personal Information is transmitted and the recipient of the Personal Information keeps satisfactory level of data protection measures.
Where there is no confirmation from the European Commission that a particular country, which is outside the EEA, keeps satisfactory level of protection, then the standard contractual clause which have been approved by the European Commission will be used for the purpose of data. If this is not possible then the other means of lawful transfer which are provided by the Regulation will be used.
GBC will not, in any way and in any event, directly or indirectly, sell any of your Personal Information to any third party. Any information supplied will be confidential and will be handled in accordance with the applicable laws and regulations.
Confidentiality and Personal Information
GBC must employ suitable personnel and take appropriate organizational and technical measures for the processing of Personal Information, their security and protection from accidental or unlawful destruction, accidental loss, alteration, unauthorized dissemination or access or any other form of unlawful processing.
GBC carries out checks and/or uses contractual terms to ensure that any party to whom my Personal Information are transferred and/or who has access to Personal Information and who processes Personal Information on behalf of GBC complies with the principles of confidentiality, the instructions and security procedures specified by GBC, the Regulation and the law in general. Where any recipient determines the way in which the Personal Information will be processed and the purpose for which they will be processed, the due diligence will take place in relation to that recipient to ensure that they carry out checks and/or have contractual terms and/or binding agreements in place to ensure that Personal Information is processed in accordance to the Regulation.
Any information related to you shall not be disclosed to third parties except in the cases allowed and/or mandated under the provisions of the Regulation and the law in general.
Legal grounds for collection and processing of Personal Information
We would like to inform you that the legal grounds for receiving and handling your Personal Information are:
a) that processing is necessary for the provision of the services from and/or any other contractual agreement you have with GBC (Regulation, Art. 1(b));
b) to the extent that the collection and processing is not covered by a) then the legal ground will be your explicit consent to the processing of your Personal Information for the above specific purposes (Regulation, Art. 1(a)). You may withdraw your consent at any time by sending us written notice of your wish to withdraw. This may be done in any written format including e-mail and fax and
c) that processing is necessary for compliance with our legal obligations (Regulation, Art. 1(c));
d) that processing is necessary in order to protect your vital interests or those of another individual (Regulation, Art. 1(d));
e) that processing is necessary for the legitimate interests pursued by us except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child (Regulation, Art. 1(d)).
Under the Regulation, you have the following rights:
a. to check whether and what kind of Personal Information we hold about you and to access or to request copies of such data;
b. to be explained clearly and simply the information contained in this Policy;
c. to request correction, supplementation or deletion of Personal Information about you that is inaccurate or processed in non-compliance with applicable legal requirements;
d. to instruct the erasure of your Personal Information from our archives and/or servers and/or back-ups where:
i. it is no longer necessary for the purposes mentioned in this Policy;
ii. where you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
iii. where you object at any time to the processing of your Personal Information in accordance to point (f) and (g) below;
iv. your Personal Information has been unlawfully processed;
v. your Personal Information has to be erased in order for us to comply with our legal and/or regulatory obligations.
e. to obtain a restriction to the collection, processing or use of Personal Information about you where:
i. the accuracy of your Personal Information is contested by you to allow us to verify the accuracy of your Personal Information;
ii. the processing is unlawful but you do not wish us to erase your Personal Information from our archives;
iii. we no longer need your Personal Information for the purposes of processing, but they are required by you for the establishment, exercise or defence of legal claims; or
iv. you object to the processing of your information which is based on your consent, subject to limited exceptions such as the establishment, exercise or defence of legal claims;
f. to object to processing of your Personal Information on grounds, relating to your personal situation, which have been obtained based on the necessity for the legitimate interests pursued by us, and to have us no longer process your personal data unless either we demonstrate to you compelling legitimate grounds for the processing which override your interest, right and freedoms, or the Personal Information is needed for the establishment, exercise or defence of legal claims;
g. to object at any time to processing or your data for direct marketing;
h. to the extent that your data is processed on the legal ground of your consent or the processing is carried out by automated means, to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from our part;
i. to know the identities of third parties to which your personal data is transferred;
j. to provide instructions on how your data must be handled after your death when relevant;
k. to lodge a complaint with the competent data protection authority, in Cyprus i.e. the Office of the Commissioner for the Protection of Personal Data;
l. to withdraw your consent at any time. If, following the provision of the consent, you then no longer wish to receive from us on a going-forward basis alerts, informative material etc, you may opt-out by emailing us to firstname.lastname@example.org or following the instructions in any such email you receive from us or by sending us a fax at + 357 25 58 16 80
m. to request us to transmit your Personal Information to another controller without hindrance from our part.
How you can exercise your right?
If you would like to review, correct, update, suppress or delete Personal Information that you have previously provided to us, you may contact us at email@example.com or:
140C, Iris House, 8, J.F. Kennedy Street,Kanika Enaerios,
3306 Limassol, Cyprus
Tel: + 357 25 87 57 32
Fax: + 357 25 58 16 80
We only accept requests for the exercise of your rights that are in a written form (even if it is in an electronic form) and we also request proof of your identity.
For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
Reasonable organisational, technical and administrative measures are in place to protect your Personal Information from unauthorized access, disclosure, alteration or destruction, while the Personal Information is stored in our archives and/or servers. Among the things used to ensure the protection of your data are the following:
a. encryption for our servers and computer systems;
b. the minimisation of people who have access the server rooms and the staff’s personal data, and the payment data for clients and associates;
c. use of automatic locks on the entrance doors of our offices;
d. CCTV in relation to entrances and corridors;
e. no removable external storage devices policy;
f. clean desk policy; and
g. use of passwords in relation to computers.
We also carry out checks to ensure that our affiliates, service providers and sub-contractors, with whom we share personal information, have reasonable measures in place to provide an adequate level of data protection and to maintain the confidentiality and protection of your Personal Information.
We will not contact you by mobile/text messaging or email to ask for your confidential personal information or payment card details. If you receive this type of request, you should not respond to it. We also ask that you please notify us at firstname.lastname@example.org
If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security has been compromised), please immediately notify us at email@example.com.
Special category of Personal Information
“Special Category of Personal information” amount to such information the processing of which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
We do not generally collect Special Category information and we ask that, unless there is a regulatory or other serious need for you and/or another client and/or a third party, you do not send us, and you do not disclose, any Special Category Personal Information to us.
We do not knowingly collect personal information from individuals who are under 18 years of age. As a parent or legal guardian, please do not allow your children to submit personal information without your permission. By providing us with the personal information of your children, you represent that authority has been given by both parents for the provision of this information.
Unless, we hear otherwise from you or a longer retention period is required or permitted by the applicable law or unless we have serious reason to believe that the maintenance of your files is required, or there is a continuous contractual and/or service relationship between you and GBC, your Personal Information will be subject to our seven (7) year retention policy. This retention period is in our opinion necessary to fulfil the purposes outlined in this Statement.
However, CV’s which are received by GBC for the purposes of employment, will only be retained for one (1) year.
You Personal Information shall be destroyed as early as practicable, from both our short-term system and our back-ups so that restoration and/or reconstruction of the data are no longer possible. This also involves the secure destruction of any printed paper through methods such as cross-shredding or incinerating the paper documents.
Updates to this Privacy Statement
Where the need arises for the further protection of your Personal Information and for the purposes of your information, we may change and/or modify this Privacy Statement from time to time. Where we make material changes to this Statement we will post a link to the revised Statement of the homepage of the website of GBC at www.elemecgbc.com and where you have consented to the processing of your Personal Information based on a previous version of this Statement you may also be informed through a communication channel that you have provided.
It is possible to recognise when this Statement has been last updated by looking at the date at the top of the Statement. Any changes become effective from the date on which they were posted on the website of GBC. Use of the website, any of our products and services, and/or providing consent to the updated Statement following such changes constitutes your acceptance of the revised Statement then in effect.
In the event that you have any questions about this Privacy Statement or you want to exercise any of your rights regarding your Personal Information please contact us at firstname.lastname@example.org or:
140C, Iris House, 8, J.F. Kennedy Street, Kanika Enaerios,
3306 Limassol, Cyprus
Tel: + 357 25 87 57 32
Fax: + 357 25 58 16 80
Because email communication is not always secure, please do not include credit card or other sensitive information in your emails to us.