This Privacy Notice sets out how we, Nicholas Ktenas & Co LLC (“NKC”/ “we”/ “us”), collect and process personal data of visitors to our website, job applicants, potential clients and/ or clients to who we may provide services pursuant to an Engagement Letter signed and/ or instructions received by email, telephone or in any other way by which an attorney-client relationship is considered to be established (“Engagement”), (“you”/ “your”).
This Privacy Notice includes all the information NKC must provide to you as “data subject” under the GDPR and applicable law, in relation to the collection, use and disclosure of your personal data by NKC in the context of the lawyer-client relationship established under our relevant Engagement with you, or in any other context you may decide to contact us (whether via our website, by email, in person or over the phone) by explaining:
This Privacy Notice applies only where and to the extent that NKC may be considered as “controller” in relation to the processing of your personal data under the provisions of Regulation (EU) 2016/679 (“GDPR”) and applicable law, including Law 125(I)/2018 and any relevant guidelines issued by the Office of the Commissioner for Personal Data Protection in Cyprus.
If you are visiting or using our website (www.cylegal.com), please note that NKC has no control over and is not responsible for any third-party websites, plug-ins or applications which may be accessible through links from our website. Clicking on those links may allow third parties to collect or share data about you. Third party websites are responsible for providing their own privacy policies and notices which you will need to consider before you submit any personal data to such third-party websites.
By providing your personal data to us, you agree to the processing of your personal data in accordance with this Privacy Notice.
NKC is a boutique law firm registered as a lawyers’ limited liability company (LLC) in Cyprus and based in Nicosia, consisting of lawyers who have the experience, skills and knowledge of a top tier international law firm while maintaining the benefits and attentiveness of a small local practice, offering a value-for-money service of the highest quality and a competitive advantage to all our clients.
We are based in Nicosia and our offices are situated at 15 Vyzantiou Street, 1st Floor, Office 105, 2064 Strovolos, Nicosia, Cyprus.
We recognise and value the trust that individuals place in us when they provide us with their personal data, and we are committed to ensuring the confidentiality and protection of any personal data entrusted to us. All our partners, associates and employees are provided with the appropriate training for handling personal data securely and in accordance with the law. We also ensure that all business partners and external service providers we work with comply with their respective legal obligations and apply the same high standards when it comes to the protection of personal data and privacy.
2. What personal data we collect about you
Depending on the scope of our Engagement, we may collect different types of personal data that is necessary for the purpose of providing our services to you. These include:
In certain circumstances, we may have to process certain personal data relevant to you, which is considered Special Category Data under the GDPR, such as information which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning your sex life or sexual orientation or data relating to your criminal record or alleged criminal activity.
We will only process such Special Category Data in accordance with the relevant requirements of the GDPR, including but not limited to obtaining your explicit consent (e.g. where you have specifically provided such data to us for any of the purposes stated in paragraph 4 below) and/ or where this is necessary for the purposes of carrying out our contractual obligations towards you.
We will process all your personal information lawfully, fairly and in a transparent manner at all times.
We do not take any decisions concerning you based solely on automated decision-making processes or profiling.
At your request, we may also collect and process personal data concerning your employees, any other third parties to who you provide services and/ or who provide services to you and/ or with who you are affiliated and/ or associated and/ or the representatives of such third parties who are natural persons (employees, consultants, business partners, etc). We will only collect and process such data as instructed by you, as processors, on your behalf and for the purposes of complying with our contractual obligations towards you. In respect of any such personal data, you are the controller according to the GDPR and you may have an obligation to inform the data subjects and/ or obtain their prior consent where this is required under the GDPR and/ or applicable law.
3. How we collect your personal data
We may collect or receive your personal data in a number of different ways:
4. How we use your personal data
We collect and process your personal data only for the purposes that we are permitted to do so by applicable law and in particular (depending on our relationship with you):
To establish a lawyer-client relationship and to provide our services to you as agreed under our Engagement with you.
To fulfil our legal, regulatory, or risk management obligations, including compliance with obligations regarding KYC/ AML, sanctions, fraud prevention, identifying conflicts of interests, statutory reporting requirements, etc.
Generally, to ensure the security of our staff and premises, for internal training purposes, following up on enquiries and complaints, promotion and marketing (i.e. newsletters), to ensure IT recovery and business continuity, to proceed with a reorganisation of our business (as part of any due diligence process or business transfer), etc.
If you are a client, to notify you about changes to our General Terms and Conditions of Service for legal services or to this Privacy notice, to ensure the quality of our services, to ensure that we receive payment for our services, for the establishment, exercise or defence of legal claims, etc.
If you are a website visitor and/ or user – to facilitate your use of our website, to respond to requests for information or enquiries from you and to ensure that our website content is relevant and is presented to you in the most effective manner, etc.
If you are a job applicant, to enable us to process your employment application and to assess your suitability for any position for which you may apply at NKC.
Where your prior consent is required under applicable law, you will be presented with a relevant consent form in relation to any such use and you may withdraw your consent at any time.
You do not have an obligation to provide us with your personal data. If, however, you do not do so we may not be able to provide you with our services.
5. How we protect your personal data
We process your personal data mainly from our head offices in Nicosia (15 Vyzantiou Street, 1st Floor, Office 105, Strovolos, 2064 Nicosia, Cyprus), where they are kept and stored in physical form.
We use third parties who provide Secure Document and Records Management services to us for the storage of physical records and files which may contain personal information.
We also use third parties who provide Information Technology services to us which are relevant to the electronic storage of and access of your data, including recovery and business continuity services, to the extent this is necessary for the purpose of allowing us to provide our services to you without disruption (i.e. working remotely) and generally to ensure that our legitimate interests are duly protected.
While we recognise that the storage and transmission of information, especially over the internet, cannot be guaranteed to be secure from intrusion by third parties, for the storage and security of your personal data the Company takes all the necessary physical, technical and organisational measures to protect personal data from unauthorised access, use, disclosure, alteration or destruction and to ensure that the processing is carried out in accordance with the law and the GDPR (access control, antivirus, firewalls, encryption, etc).
Information stored on our service providers’ secure premises and/ or servers is only accessed and used subject to strict security policies and standards agreed with them, to ensure the confidentiality of personal data.
6. Who can access your personal data
Within NKC, your personal data is accessible only to those who need to access it for the purposes specified in paragraph 5 above, with a duty of confidentiality.
Outside NKC, recipients of your personal data may include subcontractors, agents and third-party service providers, including business partners and organisations who provide professional services to us such as:
For the purposes of compliance with our legal or regulatory requirements external recipients of your personal data may also include:
We choose our associates and external service providers very carefully, after carrying out all necessary checks and obtaining sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this GDPR and applicable law.
We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected or any other relevant permitted purpose (subject to legitimate interest or regulatory requirements), or-in the case of consent-until you withdraw your consent.
After this period, your personal data will be irreparably destroyed.
8. Transfers to third countries
If your personal data will be transferred to entities or other third parties whose headquarters or place of business is not located in the European Union (EU) or the European Economic Area (EEA), we ensure before forwarding the data, that outside of legally permitted exceptional cases pertaining to the recipient (reasons of public interest or recipient’s consent), an appropriate level of data protection exists (e.g. through an adequacy decision of the European Commission or through the use of Standard Contractual Clauses approved by the European Commission for these purposes, after due assessment of the law and the practice of the third country).
In accordance with the GDPR and applicable data protection laws, you may have the following rights in relation to the personal data that we hold about you:
You may exercise any of the above rights by contacting us by email at firstname.lastname@example.org or by calling us at +357 22 510 197.
If you wish to complain about the way we may have handled your personal information, you may contact us at the above email address and telephone number. We will examine your complaint and contact you to try and resolve the matter.
If you still fee that your personal information has not been handled appropriately according to the law, you can submit your complaint with the Office of the Commissioner for Personal Data Protection in Cyprus.
This Privacy notice was last updated in July 2021.