| ORESTIS LAOS LLC & ORKOLA SERVICES LTD
CLIENT PRIVACY POLICY

We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or the Cyprus supervisory authorities in the event you have a complaint.

When we use your personal data we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union and the Protection of individuals with regard to the processing of personal data and the free movement of such data Law of 2018 (L.125(Ι)/2018) (Data Protection Law) which applies in Cyprus. Our use of your personal data is subject to your instructions, the GDPR, the Data Protection Law, other relevant Cyprus and EU legislation and any professional duty of confidentiality. Please also refer to our Cookie Policy, which explains the use of cookies and other web tracking devices via our website, and should be read alongside this policy.

This policy is in addition to, and does not relieve, remove or replace, our rights and responsibilities under applicable laws. In case of a conflict between a provision or requirement of an applicable law and a provision of this notice, the former shall take precedence.

Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

1. Key terms

It would be helpful to start by explaining some key terms used in this policy:

We, us, our	Orestis Laos LLC is a Cypriot private company limited by shares (company number HE382785 and VAT registration number 10382785Z), registered as a lawyers’ limited company with the Cyprus Bar Association with registration number 717 and Orkola Services Ltd is a limited liability company incorporated and existing under the laws of Cyprus with registration number HE383081, which is authorised and regulated by the Cyprus Bar Association with registration number 1535 (each an Orestis Entity). Each Orestis Entity’s registered office is at 21 Thessalonikis, Herodotou Court, Floor 2, 3025, Limassol, Cyprus.
personal data	Any information that identifies, or could reasonably be used to identify, a living individual, either on its own or together with other information.
special category personal data	Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership. Genetic and biometric data. Data concerning health, sex life or sexual orientation.

Who decides why and how we process your personal data?

We acting as data controllers

Where an Orestis Entity is a “data controller”, that entity will determine why and how your personal data is processed. Your personal data will controlled by that Orestis Entity which you have given instructions to, or with which you are otherwise dealing with or receiving communications from or our entity which provides services to a third party which you are associated with, for example a company of which you are a director or shareholder.

We acting as data processors

Whilst no Orestis Entity will ordinarily act as data processor, in the event that we are acting for you in respect of an assignment involving the handling of documents (whether hard copy, electronic and whether yours or a third party’s) and we have no knowledge of, or control over, the content of the documents, and those documents contain personal data, subject to any specific data processing agreement entered into at the time, we will act on your behalf as data processor, under your written instructions and your personal data will be handled in accordance with our Terms and Conditions.

By way of example, we may act as data processor in the context of litigation disclosure or a due diligence in a transaction or where you have instructed us to engage third party service providers (for example, couriers, providers of virtual data rooms, document production services, e-discovery providers) to provide hosting, review, scanning, redaction and other document or disclosure management-related services in connection with documents which contain personal data.

Personal data we collect about you

We may collect personal information from you in the course of our business, including through your use of our website, when you contact or request information from us, when you engage our establishment and domiciliation, corporate administration, fiduciary, banking, accounting and bookkeeping, tax compliance and tax administration or other services or as a result of your relationship with one or more of our staff and clients.

The personal information that we process includes:

1. information, such as your name, job title, postal address, residential address, business address, telephone number, mobile number, fax number and email address;
2. identification and background information to enable us to check and verify your identity for compliance purposes, such as ‘know your client’ information (for example your date of birth, residential address or passport details), details relevant to various prohibitions and restrictions relating to terrorism and international trade and economic sanctions and details about litigation, which may be relevant in assessing our ability to act;
3. financial information, such as bank account details and if relevant to your instructions, for example, the source of your funds if you are instructing on a purchase transaction;
4. data about you in connection with any interest or office that you hold in or certain relationships, dealings or arrangements you may have with companies, entities, partnerships, associations and bodies of persons, whether incorporated or unincorporated to which we provide services (each such entity, an Entity of Interest);
5. information relating to the assignment in which you are seeking our advice or representation;
6. information relating to the assignment in which you are seeking any of our services;
7. information collected from publicly available resources,  integrity  databases  and  credit agencies;
8. technical information (including your IP address); such as information from your visits to our website or applications or in relation to materials and communications we send to you;
9. where you provide it, information about your hobbies and interests;
10. details of your visits to our website including traffic data, location data, weblogs and other communication data;
11. images captured by our offices’ CCTV cameras;
12. details of your visit to our premises;
13. information you provide to us for the purposes of attending meetings and events, including any disabilities or special dietary requirements you may have;
14. personal information provided to us by or on behalf of our clients or generated by us in the course or providing services to them, which may include special categories of personal data;
15. to the extent that you apply for a vacancy/position with us you may need to provide personal information (whether stand-alone or in the body of your CV) including name, address, e-mail, education/qualifications/transcripts and/or former employers as well as special categories of personal data; and
16. any other information relating to you which you may provide to us.

We do not knowingly collect information from children or other persons who are under 14 years old. If you are under 14 years old, you may not submit any personal data to us.

4. Would there be any adverse implications if you decline to provide personal data?

Broadly, the personal data collected is required to enable us to provide our services to you. Consequently, if you decline to provide personal data we ask for, it may delay or prevent us from providing services to you. By way of example, we set out below a number of instances where declining to provide personal data will not have any adverse implications:

1. if we have collected any data relating to our business development efforts directly from you, you have absolute discretion over how and what you disclose to us. There will be no adverse implications if you decline to provide such data to us;
2. if you have provided us with personal data in respect of newsletters, services updates, webinars or other similar services, there will be no adverse implications if you decline to provide such data to us. But you would be unable to receive such services unless you provide us with the relevant personal data; or
3. if you have applied for a vacancy/position with us, while there would be no adverse implications if you decline to provide such data to us, it will be impossible to consider your application and will be deemed as withdrawn and closed.

At any rate, we will treat you fairly and so where it is not possible for us to service you or otherwise comply with your request without the relevant personal data, we will notify you accordingly.

5. How your personal data is collected

As a professional services provider firm, we regularly receive personal data as part of our professional activities. We may collect personal data:

1. as part of our business onboarding procedures;
2. when you or your organisation seek, our services i.e. legal advice, our establishment and domiciliation, corporate administration, fiduciary, banking services or other services or employment from us;
3. when you or your organisation make an enquiry through our website, in person, over email or over the telephone;
4. when you browse or interact with our website or use any of our online services;
5. when you email us or provide such data to us in other circumstances, such as when you request details about or attend a firm sponsored event;
6. when you apply for a vacancy/position with us;
7. when an Entity of Interest engages us to provide services and you hold an office or an interest in or have certain relationships with that Entity of Interest;
8. processing through cookies and related means and technologies; or
9. when you or your organisation offer or provide services as our vendor.

We collect most of this information from you direct or through your use of our website. However, we may also collect  data  about  you  from  a  third  party  source,  such  as  other organisations with whom you have dealings including Entities of Interest, government  or  credit  reporting agencies, an information or service provider or from a publicly available record (for example, Registrar of Companies records (or equivalent in any jurisdiction outside Cyprus)). If you apply for a vacancy/position with us, we may, in the context of carrying out pre-employment screening checks, also obtain data from third parties (for example, universities, colleges or academic institutions, previous employers or other references) or public registers (for example, criminal records).

6. How and why we use your personal data

Under data protection law, we can only use your personal data if we have a proper reason for doing so, for example: to comply with our legal and regulatory obligations, for the performance of our contract with you or to take steps at your request before entering into a contract, for our legitimate interests or those of a third party; or where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own interests or fundamental rights and freedoms

We may use your personal data for the following purposes only (Permitted Purposes and each a Permitted Purpose):

1. to provide legal advice, our establishment and domiciliation, corporate administration, fiduciary, banking services or other services or things you may have requested, including online or legal technology services or solutions, as instructed or requested by you or your organisation;
2. to administer, develop and manage your organisation’s or your business relationship with us, including processing payments, accounting, auditing, billing and collection or support services;
3. acting in compliance with our legal obligations (such as record keeping obligations), compliance screening or recording obligations (such as under antitrust laws, export controls, trade sanction and embargo laws, for anti-money laundering, financial and credit check and fraud and crime prevention and detection purposes), which may include automated checks of your contact data or other information you provide about your identity against applicable sanctioned-party lists and contacting you to confirm your identity in case of a potential match or recording interaction with you which may be relevant for compliance purposes and other processing necessary to comply with professional, legal and  regulatory  obligations  that  apply  to  our  business,  for example,  under  health  and  safety regulation or rules issued by our professional regulator;
4. to provide updates, reminders, requests and directions relevant to the role or capacity in which you are interested in an Entity of Interest;
5. to analyse and improve our services and communications to you;
6. to consider whether we can pursue certain business development initiatives;
7. to protect the security of and managing access to our premises, IT and communication systems, online platforms, websites and other systems, preventing and to detect security threats, fraud or other criminal or malicious activities;
8. for insurance purposes;
9. to monitor and assess compliance with our policies and standards;
10. to identify persons authorised to trade on behalf of our clients, customers, suppliers and/or service providers;
11. to comply with our legal and regulatory obligations and requests anywhere in the world, including reporting to and/or being audited by national and international regulatory, law enforcement and tax reporting bodies that have competent jurisdiction over us;
12. on instruction or request from your organisation or a relevant Entity of Interest;
13. with your consent, contact you with current awareness newsletters, bulletins and promotional materials and other information about our services, products and technologies, including client briefings, newsletters, webinars, seminars and other information or events and projects we may organise or host;
14. process and respond to requests, enquiries or complaints received from you;
15. to comply with court orders and establish, exercise and/or defend our legal rights;
16. where you have applied for a vacancy/position with us, to evaluate and select candidates, to set up and conduct interviews and/or as otherwise needed in the recruitment process;
17. administer and improve our website and our products and services;
18. conduct and store site usage analytics, statistical and trend analysis and market research;
19. protect the rights, property, or safety of us, our business, our clients or others;
20. detect, investigate or prevent security or cyber incidents; and
21. for any purpose related and/or ancillary to any of the above or any other purpose for which your personal data was provided to us.

Subject to as provided above, the above table does not apply to special category personal data, which we will only process with your explicit consent.

7. Promotional communications

We may use your personal data to send you updates (by email, telephone or post) about legal developments that might be of interest to you and/or information about our services, including exclusive offers, promotions or new services.

We have a legitimate interest in processing your personal data for promotional purposes. This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations outside ours for promotional purposes without your prior consent.

You have the right to opt out of receiving promotional communications at any time by:

1. contacting us by emailing corporate@laoslegal.eu;
2. using the ‘unsubscribe’ link in emails.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business. We will not use your personal data for taking any automated decisions affecting you or creating profiles other than described above.

8. Lawful basis for processing personal data

Depending on for which of the above Permitted Purposes we use your personal data, we may process your personal data on one or more of the following legal grounds:

1. processing is required for the performance of a contract with you, an Entity of Interest or your organisation;
2. it is necessary in connection with a legal obligation;
3. processing is necessary for purposes of our legitimate interests or those of any third party recipients that receive your personal data, provided that such interests are not overridden by your interests or fundamental rights and freedoms; or
4. we have obtained your express and clear consent to such use or your organisation has obtained your consent to disclose your information to us.

9. Who we share your personal data with

We may share your personal data between entities of our group on a confidential basis where this is required for the purpose of providing legal advice or establishment and domiciliation, corporate administration, fiduciary, banking services or other products and services, as well as for administrative, billing and other business purposes.

We routinely share personal data with:

1. in the event that you are a Orestis Entity client, or you are otherwise contracted by, are an agent of, or otherwise represent a Orestis Entity client, we may disclose your personal data to other professional advisers (including lawyers, mediators, corporate finance advisers, consultants, trademark agents, patent attorneys, medical professionals, accountants, tax advisors or other experts), translators, court officers, or witnesses engaged or otherwise involved in your matter, in Cyprus or abroad as may be relevant;
2. if we have collected your personal data in the course of providing legal services or establishment and domiciliation, corporate administration, fiduciary, banking services or other products and services to any of our clients, we may disclose it to that client, and where permitted by law to others for the purpose of providing those services;
3. other third parties where necessary to carry out your instructions;
4. we may disclose your contact details to third parties for the purposes of collecting your feedback on the firm’s service provision, to help us measure our performance and to improve and promote our services;
5. our insurers, brokers and banks;
6. companies providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies and regulatory bodies with whom such personal data is shared;
7. if our business is sold or integrated with another business or our rights or obligations are assigned or novated to a third party, your personal information may be disclosed to our advisers, a prospective buyer/assignee/transferee and their respective advisers and will be disclosed and passed on to the new owners of the business or assignee/transferee, as the case may be;
8. courts, law enforcement authorities or agencies and regulatory bodies to comply with our legal and regulatory obligations;
9. courts, law enforcement authorities or agencies, regulatory bodies or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of any claim, or in the context of a confidential alternative dispute resolution process (such as mediation);
10. IT service providers to each of the Orestis Entities (whether based domestically or abroad), for example shared service centres, to process personal data for the Permitted Purposes on our behalf and in accordance with our instructions only;
11. third parties involved in hosting or organising events or seminars (including where we are jointly hosting or organising events or seminars);
12. we may also use aggregated personal data and statistics for the purpose of monitoring website usage in order to help us develop our website and our services.

We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers relating to ensure they can only use your personal data to provide services to us and to you.

We may use social media sites such as Facebook, Instagram, LinkedIn and Twitter. If you use these services, you should review their privacy policy for more information on how they deal with your personal information.

10. Personal data about other people which you provide to us

If you provide information to us about another person (for instance one of your employees, consultants, directors or any other person with whom you have a business relationship or dealings), you must ensure that you comply with any legal obligations that may apply to your provision of the information to us, and to allow us, where necessary, without our taking any further steps, to collect, use and disclose that personal data as described in this privacy policy.

11. Where your personal data is held

Information may be held at our offices in Cyprus and those of our group companies in Cyprus, third party agencies, service providers, representatives and agents as described above (see ‘Who we share your personal data with’).

Some of these third parties may be based outside the European Economic Area (EEA). For more information, including on how we safeguard your personal data when this occurs, see below: ‘Transferring your personal data out of the EEA’.

12. How long your personal data will be kept

We will keep your personal data after we have finished advising, providing services or otherwise acting for you. Different retention periods apply for different types of data. Those periods are based on the requirements of applicable data protection laws and regulations and the purpose for which the information is collected and used, taking into account any legal, regulatory, accounting or reporting requirements to hold the information for a minimum period, limitation periods for taking legal action, need to establish, exercise or defend claims and otherwise until the settlement of any such claims (as relevant), our business purposes, client requirements, good practice, the need to respond to any questions, complaints or claims made by you or on your behalf and to show that we treated you fairly.

We will not retain your personal data when it is no longer reasonably required for the Permitted Purposes, or, withdraw your consent for us to do so, provided that we are not otherwise legally permitted or required to hold such personal data. When it is no longer necessary to retain your personal data, we will delete or anonymise it.

13. Transferring your personal data out of the EEA

To deliver services to you and in connection with the Permitted Purposes, it is sometimes necessary for us to share your personal data (irrespective of how we gathered it) outside the EEA. For example, we may need to transfer personal data to third parties based outside the EEA such as foreign lawyers, accountants, experts and other third parties involved in your matters. Non-EEA countries may not have the same data protection laws as Cyprus and EEA.

In the event that we share or transfer your personal data outside the EEA, this will be done pursuant to applicable data protection laws and regulations and will put in place appropriate safeguards in accordance with GDPR, the Data Protection Law or other applicable legislation.

14. Your rights

Subject to certain conditions under applicable legislation, you have the following rights, which you can exercise free of charge:

Access	The right to be provided with a copy of your personal data.
Rectification	The right to require us to correct any mistakes in your personal data.
To be forgotten	The right to require us to delete your personal data—in certain situations.
Restriction of processing	The right to require us to restrict processing of your personal data—in certain circumstances, for example if you contest the accuracy of the data.
Data portability	The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations.
To object	The right to object: ·    at any time to your personal data being processed for direct marketing (including profiling); ·    in certain other situations to our continued processing of your personal data, for example processing carried out for the purpose of our legitimate interests.
Not to be subject to automated individual decision-making	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

If you wish to exercise these rights, please contact corporate@laoslegal.eu. We may request that you prove your identity by furnishing us with a valid form of identification (for example copy of a valid passport) so as we can comply with our security obligations and to thwart unauthorised data disclosure. We retain the right to charge you a reasonable administrative fee for any excessive or manifestly unfounded requests with respect to your access to your data, and for any additional copies of the data you may request from us.

15. Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. All our directors, partners, staff and third party service providers who have access to confidential information (including personal information) are subject to confidentiality obligations.

However, the transmission of information via the internet is not completely secure.  Although we take appropriate and proportionate steps to manage the risks posed, we cannot guarantee the security of your information transmitted to our online services.

Personal data may be held on our electronic systems, those of our contractors, or in paper files.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

16. How to complain

We hope that we can resolve any query or concern you may raise about our use of your information. If you feel we have not handled your query or concern to your satisfaction you can contact the Office of the Commissioner for Personal Data Protection, the Cyprus supervisory authority for data protection issues at:

1 Iasonos Str., 1082 Nicosia P.O.Box 23378, 1682 Nicosia Tel: +357 22818456

Fax: +357 22304565 Email: commissioner@dataprotection.gov.cy Website: http://www.dataprotection.gov.cy/

17. Changes to this privacy policy

This privacy policy takes effect from 25 May 2018. We reserve the right to change this privacy policy from time to time, when we do we will publish the updated notice on our website and the updated notice will come into force as soon as it is so published on our website.

18. How to contact us

Please contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you.

Our contact details are shown below:

T +357 25370800 

E corporate@laoslegal.eu

21 Thessalonikis, Herodotou Court, Floor 2 | 3025, Limassol | Cyprus