At Chambers & Co, we are committed to the privacy of every person. We recognise that our clients, employees and people we work with, entrust important non-public personal data (as defined in the General Data Protect Regulation – GDPR, regulation 2016/679 of the European Parliament and Council of the 27 April 2016).
Our long-standing privacy policies and practices covering non-public personal data (herein also referred to as personal data or personal information) are described below.
1. Who are We?
Chambers & Co is a Cyprus based law firm operating locally internationally and providing legal, tax, personal and business consultancy.
Our company follow and adhere to appropriate safeguards in line with EU law for the processing of non-public personal data.
2. What Data We Collect and How do we Use it
The non-public personal data that we collect and the processing of such information will vary on the basis of the purpose and scope of the particular use or engagement.
2.1 Visitors to our Websites
This information is processed to improve website use, for our internal purposes including the administration of our website, market research, data analytics and compliance with our legal obligations, policies and procedures.
2.2 People who Request to Receive Updates and Information from Us
Chambers & Co frequently shares updates on legal developments and solutions that might affect you or your business through various means including mail, email and social media. If you consent to receive such updates, we will collect your name contact details and keep a record of the information we have sent you as well as any interactions related to such information sent to you. If you do not provide such information, we will not be able to provide you with updates.
The information so collected is used and processed to:
- enter into, or perform, a contract with you;
- remember your preferences or specific interests; and
- for our internal purposes including the administration of the flow of such information, market research and data analytics, internal record keeping and/or to improve our services.
2.3 People who Send us a Request for Information
Our websites provide for functions that allow users to request information about our services. The information collected through the request for information function on our websites is the following:
- information you provide in the fields of the online form;
- IP address;
- date, time and data of our website/s access; and
- identification data of the used browser.
You can also contact us through email, phone, or social media to request information. We will, therefore, be collecting any information you provide to us or available on the relative media used. We will also collect any correspondence in furtherance of the request. This information is necessary for us to be able to respond to your request. General and preliminary information will be provided to you without the requirement of any other additional personal information. An identification document and other personal information will be requested in order to comply with anti-money laundering rules and to be able to provide you detailed and specific information to your request.
If you are not able or unwilling to provide us such information, we will not be able to provide any additional information.
Any personal information that you provide to us through these processes will be used and processed to:
- provide you with the information you requested;
- follow up with you on such request;
- comply with any legal or regulatory requirement including compliance with anti-money laundering rules; and
- for our internal purposes including the administration of the flow of such information, market research and data analytics, internal record keeping and/or to improve our products.
2.4 People who Use our Services
When a client is being provided a service, we collect information as required by statutory obligations, principally information required by anti-money laundering rules and regulations, and information required to be able to provide the services. If you are not able or unwilling to provide us such information, we may not be able to provide the service/s.
The information collected varies depending on the service/s being provided. By way of example, for succession planning, we will typically collect all relevant data, including information about our client’s personal assets, goals and preferences.
Any personal information so collected will be used:
- to provide you the relative service/s; and
- to comply with any legal duty including compliance with anti-money laundering rules.
2.5 Prospective Employees
If you apply with us for a post we will collect the following information on you:
- name and contact details;
- your previous experiences and details of your previous jobs;
- education details and transcripts;
- referees names and contact details; and
- answers to questions made to you during the recruitment process.
You are not obliged to provide this information although your application may be affected. We work with various recruitment agency and such information may be obtained from agencies you would have applied with. The information we collect will be used:
- to progress your application;
- to assess your suitability for employment;
- to contact you on the progress of your application; and
- comply with any legal or regulatory requirement.
We may request you to allow us to process your personal information to contact you for any other vacancy that may arise. Should you consent, we will contact you whenever a suitable vacancy will arise.
On acceptance of an employment offer of an employee, we may collect the following information:
- identification document;
- police conduct certificate or equivalent; and
- health Information to ensure you are fit to work and to cater for any special conditions.
This additional information collected is processed to undertake pre-employment checks. This information is necessary to finalize you employment and onboarding process.
2.7 Collaborators and Suppliers
We pride in choosing collaborators and suppliers that share our standards and commit to our level of privacy policies and practices.
On collaborators we work with and suppliers that provide us a service, we collect information as required by statutory obligations, principally information required by anti-money laundering rules and regulations and information required for the collaboration or the provision of the service by the supplier to us. If you as a collaborator or supplier are not able or unwilling to provide us such information, we will not be able to collaborate with you or use your services.
Any personal non-public information so collected will be used:
- to contact you in furtherance of the collaboration or supply of service;
- for our internal purposes including the administration of the flow of such information, data analytics, internal record keeping, financial and market research; and to comply with any legal duty including compliance with anti-money laundering rules.
3. Legal basis for Processing
In line with the principle of data minimization and data economy, we only collect personal data and processes it on the following legal basis:
When you request our services or you are an employee, a collaborator or a supplier, our legal basis for collecting and processing information is based on and the requirements for the performance of a contract or to take steps to enter into a contract and/or legal regulations, mainly anti-money laundering regulations;
our legal basis for collecting and processing your personal data when you opt-in to receive information for us, or to participate in a conference, workshop is based on your consent.
We may collect and process information for legitimate interest, primarily to protect us from legal action or claims from third parties, including you and/or to protect our legal rights and/or those of our employees.
4. Recipients of Personal Data
We may disclose personal information legally in the following scenarios:
- for the performance of a contract or to take steps to enter into a contract; and
- to collaborating entities/persons that are required for the provision of services to you or with your consent.
- group entities, including non-EU entities part of the group based on contractual terms issued by the European Commission (refer to section 6);
- when there is a legal requirement to do so;
- if we are requested to do so by a governmental or regulatory authority or by a court of competent jurisdiction;
- to enforce our contractual terms;
- in cases or merger or acquisition of our business or parts of it to the new owners;
- to protect us and our employees from legal action or claims from third parties, including you.
5. Intra-Group Transfers of Data Within the EU/EEA
The free exchange of personal data between Member States is a fundamental aspect of the EU’s basic principles. This principle is also reflected in the GDPR, which excludes the restriction or prohibition of the free movement of personal data within the EU or EEA.
GDPR therefore allows for the transfer between EU/EEA companies subject to the legal basis as provided above in section 3 of this policy.
6. Transfers Outside the EU/EEA
The personal non-public data we collect from you may be collected stored or processed by or transferred between group entities, including our entities established outside the EU/EEA. To date, the European Commission has not determined the non-EU countries we are established in to have an adequate level of protection of personal data within the terms of article 45 of the GDPR.
In the absence of an Adequacy Decision, the GDPR provides that a transfer can take place through the provision of appropriate safeguards and on condition that enforceable rights and effective legal remedies are available for individuals. Such appropriate safeguards include contractual arrangements with the recipient of the personal data, using, the standard contractual clauses approved by the European Commission.
For this purpose, contractual arrangements based on contractual provisions as approved by the European Commission are in place to ensure effective legal remedies to you in relation to the processing of personal non-public data by our company outside the EU/EEA.
7. How Long do we Retain the Data
We retain the personal information that we collect from you only for as long as required for statutory, business, tax or legitimate interest purposes. Your information is retained in electronic or paper format or both. When it is no longer required, it will be deleted or destroyed.
Should you wish to obtain information on the specific retention period of any personal information we hold on you, please contact us on firstname.lastname@example.org
8. Automated Individual Decision Making, Including Profiling
We do not undertake fully automated individual decision-making, including profiling, that has a legal or similarly significant effect.
9. Systems we Use
We maintain physical, electronic and procedural safeguards to protect personal non-public data.
Data transmitted to us through the contact forms on websites are transmitted in an encrypted form. Transmission of personal data via the internet is made at your own risk. We attempt to protect your personal data from unauthorized access by third parties by means of precautions such as pseudonymization, data minimization and observing deletion periods. Despite these protective measures, however, we cannot completely rule out unlawful processing by third parties.
Additionally, we herein outline programmes and systems we use in our collection, processing and storing of data:
- we use an online portal managed and operated by us online to store and process information, data and details;
- we use reCAPTCHA to detect any improperly use of our websites by automated mechanical processing. Certain personal data, including IP address, is thus transmitted to “Google”;
we use third party HR systems for the collection, processing and storing of information on prospective employees and employees. All third party systems we use are GDPR compliant;
- we use industry standard tools in order to monitor and collect information on our website/s users’ needs and to optimize the use of our websites. The information collected does not identify the individual users;
Please contact email@example.com should you require more information on the GDPR compliance of such systems.
10. Links to Other Websites
11. Your Rights
Your principal rights under data protection law are:
- right to be informed about the personal non-public data we collect and how we process it – this policy aims at providing you with this information;
- right to access – you have the right to obtain confirmation that your personal non-public data is being processed and have the ability to access it;
- right to modification – you have the right to request the modification of any personal non-public data we hold on you if it is incorrect or incomplete;
- right of portability – you may ask us to forward to you the personal data we hold on you and which is portable at law in a structured, commonly used and machine-readable format or to transmit that data to another data controller, where it is technically feasible to do so
- right to erasure – you have the right to request the removal of your personal data, which shall be deleted, unless there is a legal requirement or reason for us to continue processing or storing it;
- right to restrict processing – you have a right to restrict or withdraw consent to the processing of your personal data. In such cases we are permitted to store your data, but not to process it further unless there is a legal requirement or reason for us to continue processing it;
- right to object to processing for specific reasons at law, being the following: processing based on legitimate interests or the performance of a task in the public interest or in the exercise of official authority, direct marketing, including profiling to the extent that it is related to such marketing activities, processing for scientific or historical research purposes or for the purpose of statistics; and you have the right to file a complaint with supervisory authorities if your information has not been processed in compliance with GDPR.
For any requests in furtherance to the above, please contact us on firstname.lastname@example.org . We shall endeavor to reply at the very earliest and deal with your request by not later than 30 days from receipt by us of your request.