PRIVACY POLICY

Introduction

This Privacy Notice sets out the basis on which TMH Audit Services Limited will process personal information provided to us; this information is also referred to as ‘personal data’. TMH Audit Services Limited is referred to throughout as “we”, “us”, “our” and “ours”.

We take our obligations in respect of the privacy of personal data very seriously and we will only process personal information as detailed in this notice, unless we inform you otherwise. In order to ensure that the personal data we hold is accurate and up to date, we request that you inform us of any relevant changes to the personal information we hold about you.

We provide audit, accounting, tax and advisory services to our clients. For the purposes of this Privacy Notice, our commercial activities and services for individuals and businesses are referred to as ‘Services’, and our actual or potential customers are referred to as ‘Clients’.

The person responsible for data protection matters within our organisation is Michalis Anastasiou, Head of Audit, Compliance and Data Protection Officer, who can be contacted via email at m.anastasiou@tmhcy.com.

If you do not wish us to process personal data in accordance with this policy, then please do not provide it to us. Please refer to Section 4 ‘Your rights’ in respect of data that we already hold, or which we receive from third parties.

Section 1: This section applies to individuals wishing to use or using our Services

The personal data we collect or receive include the following as applicable:

  • Contact details (includes names, addresses, email, phone and other contact details)
  • Information required for legal and regulatory requirements including but not limited to anti-money laundering regulation (Date of birth, Passport / Identity card, utility bills, other proof of residential address, sources of funds, sources of wealth)
  • Information provided during the provision of audit, accounting, tax and advisory services (Bank details, Social insurance numbers, tax numbers and other tax related information, contracts, transaction data, title deeds, supplier and customer details, invoices, payroll information, employee details). Please note this list is not exhaustive.
  • Any other information you may provide to us

We may obtain your personal data from the following sources (please note that this list is not exhaustive):

  • You (e.g. a Curriculum Vitae, email, in-person meeting)
  • An associate (e.g. lawyers, administrator service providers)
  • Existing clients
  • The public domain
  • Conversations on the telephone or video conferencing
  • Notes following a conversation or meeting
  • Our contact form on our website

If we have obtained your personal data from a third party such as an associate, it is our policy to advise you of the source when we first communicate with you.

How we will use your personal data:

The processing of your personal information may include:

  • Collecting and storing your personal data, whether in manual or electronic files
  • Processing and storing of your data in accordance with Anti Money Laundering (AML) requirements, Know Your Client (KYC) and Customer Due Diligence (CDD) requirements and other relevant legal and statutory requirements for a minimum of 6 years even after our client relationship ends
  • Submission on your behalf of tax returns, VAT returns and other regulatory, legal or statutory requirements
  • Providing information to your bankers, tax authorities, regulatory authorities or statutory bodies, and legal or other professional advisers
  • Reminding you of important tax and other deadlines
  • Retaining a record of our correspondence
  • For the purposes of backing up information on our computer systems

Why we process your personal data:

  1. Entering into and performing a contract with you:

In order to provide our Services, we may enter into a contract with you and/or a third party. In order to enter into a contract, we will need certain information, for example your name, address and contact details. A contract will also contain obligations on both your part and our part, and we shall process your data as is necessary for the purpose of those obligations. For example, in order to process and post accounting entries with regard to payments, your bank statements and other supporting evidence such as invoices and supplier lists will be required. To process payroll entries, social insurance numbers and bank details will be required.

  2. Compliance with legal obligations (regulatory and statutory obligations)

We must comply with a number of statutory, legal and regulatory provisions when providing our Services, which necessitate obtaining and processing of personal data. These include the Companies Law Cap. 113, The Auditors Law of 2017 (L.53(I)/2017), the Prevention and Suppression of Money Laundering Activities Law and the EU 4th Anti Money Laundering Directive, which amongst other things require us to obtain, process, review and store personal data for prospective, existing and past clients for a specified period of 5 to 6 years.

We are also required to comply with statutory and regulatory obligations relating to business generally, for example tax, bribery and fraud/crime prevention legislation, and co-operating with regulatory authorities such as the Registrar of Companies and ICPAC.

  3. Our legitimate interests (carrying on the commercial activity of our Services):

In providing our Services, we will carry out some processing of personal data which is necessary for the purpose of our legitimate interests, which include:

  • Using your personal data:
    • to contact you regarding our Services (only with your explicit consent)
    • to create a risk profile for compliance with applicable anti-money laundering legislation
    • to continually improve our services offered to you
    • as otherwise necessary to provide our Services and
    • to personalise your experience and our offering, whether via our website or otherwise
  • Retaining records of our dealings and where applicable, use such records for the purposes of:
    • establishing compliance with regulatory, legal and statutory obligations
    • addressing any query or dispute that may arise including establishing, exercising or defending any legal claims
    • protecting our reputation
    • maintaining a backup of our system, solely for the purpose of being able to restore the system to a particular point in the event of a system failure or security breach
    • evaluating quality and compliance including compliance with this Privacy Notice
    • determining staff training and system requirements
  • For our commercial viability and to pursue these legitimate interests, we may continue to process your personal information for as long as we consider reasonably appropriate for these purposes.

  4. Consent

We may process your personal data on the basis that you have consented to us doing so for a specific purpose. For example, if you have provided your contact details in order that we may use these to provide you with details of our services, you may have consented to our processing of the data for that purpose. In other cases, you may have provided your written or verbal consent to the use of your data for a specific reason, for example to provide information to your personal banker.

You may withdraw your consent to our processing of your personal data for a particular purpose at any stage. However, please note that we may continue to retain, or otherwise use your personal information thereafter where we have a legitimate interest or a legal or contractual obligation to do so. Our processing in that respect will be limited to what is necessary in furtherance of those interests or obligations. Withdrawal of consent will not have any effect on the lawfulness of any processing based on consent before its withdrawal.

What if we obtain your personal data from a third party?

Part of our business activity involves researching information for the purposes of Know Your Customer and Anti Money Laundering procedures. This may include obtaining personal data from various sources, including AML databases; some of this information is publicly available and some comes from sites or providers to which we subscribe. We might also obtain information about you from our associates as part of our relevant anti-money laundering procedures and for the provision of our Services.

Where information from third party sources is of no use to us we shall discard it; however, we may maintain a limited record in order to avoid duplication of process. Where we consider that information may be of use to us in the provision of our Services, any processing will be in accordance with this Privacy Notice. You have the right to object to processing; please see Section 4 ‘Your rights’.

Sensitive Personal Data (SPD)

Sensitive personal data is information which is intensely personal to you and is usually irrelevant to our dealings with you in respect of our Services. Examples of SPD include information which reveals your political, religious or philosophical beliefs, sexual orientation, race or ethnic origin, or information relating to your health.

Regardless of the basis for your dealings with us, we request that you do not provide us with any sensitive personal data unless absolutely necessary. We do not hold or process sensitive personal data. However, to the extent that you do provide us with any sensitive personal data, such as data which you choose to share with us in conversation, we shall only use that personal data for the purposes of our relationship with you or for the provision of our Services.

Who we share personal data with:

We shall not share your personal data unless we are entitled or authorised to do so. The categories of persons with whom we may share your personal information include:

  • Your personal banker, lawyers and other third parties necessary for the provision of our Services
  • Any regulatory authority or statutory body pursuant to a request for information or any legal obligation which applies to us
  • Parties who may process data on our behalf, which may include
    • associates involved in provision of our Services
    • IT support
    • software vendors for technical support
    • storage service providers including cloud providers
  • Legal and professional advisers

Section 2: This section applies where you are an individual working for a client

We may collect your personal data in the course of our dealings and this may include the following:

  • Your contact information, which may include your full name, job role, contact telephone number and email
  • Information relating to our relationship with you or the party for whom you work including records of any meetings or discussions

We may obtain your personal data from the following sources (please note that this list is not exhaustive):

  • You, including where you have provided us with your contact details or other information for the purposes of using our Services
  • Staff or other representatives of the organisation you represent
  • Conversations, with you or others, on the telephone or in meetings
  • Notes following a conversation, with you or others, or meetings you attend

How we will use your personal data:

We will process your personal data in the context of our dealings with the third party for whom you work and as part of our Services. Processing may include:

  • Collecting and storing your personal data, whether in manual or electronic files
  • Using the data to communicate with you
  • Actions necessary to further any obligation on us pursuant to a contract between ourselves and the third party you work for
  • Providing information to regulatory authorities or statutory bodies and our legal or other professional advisers
  • Retaining records of our dealings with you and the organisation whom you represent

Why we process your personal data:

  1. Compliance with legal obligations (regulatory and statutory obligations)

We must comply with a number of statutory provisions when providing our Services, which necessitate obtaining and processing of personal data. These include the Companies Law Cap. 113, The Auditors Law of 2017 (L.53(I)/2017), the Prevention and Suppression of Money Laundering Activities Law and the EU 4th Anti Money Laundering Directive, which amongst other things require us to obtain, process, review and store personal data for prospective, existing and past clients for a specified period of 5 to 6 years.

We are also required to comply with statutory and regulatory obligations relating to business generally, for example tax, bribery and fraud/crime prevention legislation, and co-operating with regulatory authorities such as the Registrar of Companies and ICPAC.

  2. Our legitimate interests (carrying on the commercial activity of our Services):

In providing our Services, we will carry out some processing of personal data which is necessary for the purpose of our legitimate interests, which include:

  • Using your personal data:
    • to submit tax returns on your behalf in accordance with the instructions of your employer or of you, in the provision of our Services
    • to review, store and perform tests on your personal data as part of random-sample audit testing procedures
    • as necessary to provide our Services and/or to meet our obligations towards the party for whom you work

  3. Consent

We may process your personal data on the basis that you have consented to us doing so for a specific purpose. For example, if you have provided your contact details in order that we may use these to provide you with details of our services, you may have consented to our processing of the data for that purpose. In other cases, you may have provided your written or verbal consent to the use of your data for a specific reason, for example the submission of an income tax return.

You may withdraw your consent to our processing of your personal data for a particular purpose at any stage. However, please note that we may continue to retain, or otherwise use your personal information thereafter where we have a legitimate interest or a legal or contractual obligation to do so. Our processing in that respect will be limited to what is necessary in furtherance of those interests or obligations. Withdrawal of consent will not have any effect on the lawfulness of any processing based on consent before its withdrawal.

What if we obtain your personal data from a third party?

We do not obtain employee information from third parties besides the information provided by your employer.

Sensitive Personal Data (SPD)

We do not collect or store any sensitive personal data from your employer. SPD is information which is intensely personal to you and is usually irrelevant to our dealings with you in respect of our Services. Examples of SPD include information which reveals your political, religious or philosophical beliefs, sexual orientation, race or ethnic origin, or information relating to your health.

Regardless of the basis for your dealings with us, we request that you do not provide us with any sensitive personal data unless absolutely necessary. However, to the extent that you do provide us with any sensitive personal data, such as data which you choose to share with us in conversation, we shall only use that personal data for the purposes of our relationship with you or for the provision of our Services.

Who we share personal data with:

We shall not share your personal data unless we are entitled to do so. The categories of persons with whom we may share your personal information include:

  • Any regulatory authority or statutory body pursuant to a request for information or any legal obligation which applies to us
  • Parties who may process data on our behalf, which may include
    • associates involved in provision of our Services
    • IT support
    • software vendors for technical support
    • storage service providers including cloud providers
  • Legal and professional advisers

Section 3: This section applies to all personal data

Transfer of data to other jurisdictions

In the course of the provision of our Services we may transfer data to countries or international organisations outside of the EEA. This may, for example, be to banks or other professionals, or to third parties who provide software support services to us. Where information is to be so transferred, it may be to a country in respect of which there is an adequacy decision from the EU Commission. Where this is not the case, it is our policy to take steps to identify risks and, in so far as is reasonably practicable, to ensure that appropriate safeguards are in place. We do not currently transfer personal data on an ongoing basis to any jurisdiction outside the EEA; should this change, our privacy policy will be updated and relevant clients will be informed.

If you do not wish to provide us with necessary data

There may be circumstances where we require you to provide data which is necessary in order for us to meet statutory or contractual obligations or perform our Services. If you do not wish to provide us with information we request, then please notify us. However, please be aware that as a result we may be unable to provide you or the party who you represent with our Services, and in some cases this may result in a breach of the contract we have with you or a third party you represent.

Data transfer

In the event of a sale, merger, liquidation, receivership or the transfer of all or part of our assets to a third party, we may need to transfer your information to a third party. Any transfer will be subject to the agreement of the third party to this Privacy Notice and any processing being only in accordance with this Privacy Notice.

Data Security and Confidentiality

It is our policy to ensure, in so far as is reasonably practicable, that our systems and records are secure and not accessible to unauthorised third parties in line with contemporary practice.

Retaining your data

In most circumstances your data will not be retained for more than 6 years from the last point at which we provided any services or otherwise engaged with you, and it is our policy to only store your personal data for as long as is reasonably necessary for us to comply with our legal obligations and for our legitimate business interests. However, we may retain data for longer than a 6-year period where we have a legal or contractual obligation to do so, or we form the view that there is otherwise a continued basis to do so, for example where we are subject to a legal obligation which applies for a longer period.

If, however, you believe that we should delete your personal data at an earlier date, please inform us in writing of your reasons. Please see Section 4 ‘Your Rights’ below.

Changes to this Privacy Notice

This Privacy Notice is regularly reviewed and may be updated from time to time to reflect changes in our business or legal or commercial practice. Where an update is relevant to our processing of your data, we shall notify you of the same.

Section 4: Your rights

We take the protection of your personal data very seriously and it is important that you know your rights within that context, which include rights to:

  • Request a copy of the personal data that we hold
  • Object to our processing of your data where that processing is based upon legitimate interest and there are no compelling grounds for the continued processing of that data
  • Request that we restrict processing of your data in certain circumstances
  • Request that data is erased where the continued use of that data cannot be justified
  • Object to any decision, which significantly affects you, being taken solely by a computer or via another automated process
  • Withdraw your consent to our processing of your personal data for a particular purpose at any stage. However, please note that we may continue to retain, or otherwise use your personal information thereafter where we have a legitimate interest or a legal or contractual obligation to do so. Our processing in that respect will be limited to what is necessary in furtherance of those interests or obligations
  • Request that inaccurate or incomplete data is rectified
  • Request that data provided directly by you and processed by automated means is transferred to you or another controller; this right only being applicable where our processing of your data is based either on your consent or in performance of a contract
  • Make a complaint to the Office of the Commissioner for Personal Data Protection
  • Request that direct marketing by us to you is stopped

Please note that should you exercise your right to request that we erase data or cease any processing activity, we may retain a record of this request and the action taken to both evidence our compliance, and to take steps to minimise the prospect of any data being processed in the future should it be received again from a third-party source.

If you have any questions concerning your rights or should you wish to exercise any of these rights please contact Michalis Anastasiou, Head of Audit, Compliance and Data Protection Officer.

Complaints

If you are dissatisfied about any aspect of the way in which your data is processed you may, in the first instance, refer the matter to Michalis Anastasiou, Head of Audit, Compliance and Data Protection Officer. This does not affect your right to make a complaint to the Office of the Commissioner for Personal Data Protection.