PRIVACY POLICY

 

  • This Privacy Policy is issued by SPA Financial Services Ltd (together, ‘SPAFS’, the ‘Company’, ‘we’, ‘us’, or ‘our’) and it concerns natural persons who are current or potential customers of SPAFS or act as authorised representatives of legal entities or natural persons which/ who are current or potential customers of SPAFS or are the directors or beneficial owners of legal entities who are current or potential customers of SPAFS (together, ‘you’, ‘your’). This Privacy Policy concerns also natural persons who had such business relationship with SPAFS in the past.

 

  • SPAFS respects your privacy and is committed to handling your personal data with transparency and integrity. When processing personal data provided by you, SPAFS is subject to the provisions of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and any applicable data protection laws or regulations of the Republic of Cyprus. SPAFS acts as a controller of your personal data under GDPR, which means that it determines solely or jointly with others, the purposes and means of the processing of your personal data.

 

  • This Privacy Policy provides, inter alia, information on the following key areas:
    1. the categories of personal data that are collected and processed by SPAFS and the purposes of that processing;
    2. the legal basis for the processing of your personal data;
    3. the recipients or categories of recipients of your personal data;
    4. the principles relating to the processing of your personal data;
    5. your rights under applicable legislation and an explanation of how those rights can be exercised.

 

  • For the purposes of this Policy, ‘personal data’ means any information relating to you that identifies you, directly or indirectly. ‘Processing’ means any operation or set of operations which is performed on personal data, such as collection, recording, storage, use, disclosure, erasure or destruction.

Who is SPA Financial Services Ltd

 

  • SPAFS is a licensed investment firm, registered in Cyprus under registration number HE270133 and regulated by the Cyprus Securities and Exchange Commission (‘CySEC’) under license number 141/11. SPAFS’s registered office address is at Karpenisiou 30, 1077, Nicosia, Cyprus.

 

  • SPAFS is authorised by CySEC to perform certain investment business in Greece through SPA Financial Services Ltd Greek Branch (SPAFSG). This Privacy Policy is also applicable to SPAFSG.

 

  • If you have any questions or concerns relating to the processing of personal data by SPAFS, you can contact our Data Protection Officer by email at: info@spafs.com or by letter The Business Forum, Karpenisiou 30, 1077 Nicosia, Cyprus.

 

Collection of personal data

 

  • In order to register for a personal account with SPAFS, the following personal data is required from you:
    1. Personal information such as your name, date and place of birth, citizenship, nationality, home address, family status, circumstances and relevant information, passport/ ID number, FATCA/ CRS information (tax residency, tax identification number), contact details (telephone, email), bank account details, occupation and information on whether you hold/held a prominent public function (for PEPs);
    2. Financial information such as your income, source of wealth / funds and investment objectives;
    3. Documents that verify your identity and residency such as an international passport or national ID and utility bills or bank statements.

 

  • We may also collect and process personal data from public sources (e.g. the Department of Registrar of Companies and Official Receiver, the press, the internet) as well as from risk management suites such as the World-Check database or World Compliance database.
  • In order to comply with our legal obligations, we may record calls made on company landlines.
  • SPAFS does not provide any services to children but collects information from clients with regards to family status and names/ages of dependents for more appropriate investment advisory services. The provision of this information is voluntary, and we deem it made by the person(s) holding parental responsibility for the child per article 5 of Law 216/1990.
  • Sensitive Personal Information” is Personal Information concerning an individual’s (i) racial or ethnic origin, (ii) political opinions, (iii) religious beliefs or other beliefs of a similar nature, (iv) membership of a trade union, (v) physical or mental health or condition, (vi) sexual life or orientation, (vii) commission or alleged commission of any offence or any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.

You may provide us with Sensitive Personal Information from time to time in connection with your application to invest with us, our provision of investment services to you, where you apply for a job with us or otherwise. In such cases, the provision of this information is entirely voluntary and subject to your express consent, however, we may be unable to carry out some activities necessary to process your application, instructions or other requests without the provision of such information, including that we may be unable to process shareholder application forms or similar requests. Where necessary, we may also process such information in the establishment, exercise or defence of legal claims.

Where we do receive Sensitive Personal Information, we will only keep such information for as long as strictly necessary in order to comply with our obligations under the law.

 

What we do with your personal data

 

  • The protection of your privacy and personal information is of great importance to us. Your personal data is processed lawfully on the following bases:
  1. For the performance of a contract, including per article 6(1)(b) of the Regulation

The processing of your personal data is necessary for the performance of a contract, namely the trading agreements to which you are party, or in order to take steps at your request prior to entering into a contract. In order to be able to render investment services to you and administer our relationship, we need to collect certain information about your identity, financial background and investment objectives.

  1. For compliance with a legal obligation, including per article 6(1)(c) of the Regulation

The processing of your personal data is necessary for compliance with the legal obligations emanating from a number of laws to which SPAFS is subject, e.g. the European Markets in Financial Instruments Directive (‘MiFID II’) and the corresponding Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus, the European and Cyprus legislation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, the Common Reporting Standard (‘CRS’), the Market Abuse Regulation (‘MAR’), the European Market Infrastructure Regulation (‘EMIR’), the Foreign Account Tax Compliance Act (FATCA). Compliance with these legal obligations requires, inter alia, identity verification procedures and processes, anti-money laundering controls, the retention of personal data for a certain period of time, the disclosure of personal data to the supervisory and other regulatory and public authorities, etc.

  1. For the purposes of the legitimate interests pursued by SPAFS, including per article 6(1)(f) of the Regulation

The processing of your personal data is necessary for the purposes of the legitimate interests pursued by SPAFS, where those interests do not infringe your interests, fundamental rights and freedoms. These legitimate interests include business or commercial interests and examples of relevant processing activities include: preparing our defence in litigation procedures; preventing fraud and money laundering activities; managing business and further developing and marketing of products and services.

Your obligation to provide us with your personal data

 

  • The provision of your personal data is a requirement necessary to enter into a contract with SPAFS and as a client of SPAFS you will have statutory and contractual obligation to provide and keep up to date and accurate the personal data set out in paragraph 7 of this Privacy Policy. Failure to provide such data will not allow us to commence or continue our business relationship, as compliance with our legal obligations will be deemed impossible.

How we may share your personal data

 

  • In the course of the performance of our contractual and statutory obligations and for legitimate business purposes, your personal data may be disclosed to:
  1. Supervisory and other regulatory and public authorities, upon request or where required. Some examples are the Cyprus Securities and Exchange Commission, the Unit for Combating Money Laundering (MOKAS), criminal prosecution authorities.
  2. To other entities within our
  3. Auditors, lawyers, consultants and other outside professional advisors of SPAFS, subject to confidentiality agreements.
  4. Third party processors such as product or service providers (such as fund managers or administrators, financial services counterparties or financial institutions (such as banks, payment services providers), persons or companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support, file storage and records management companies.

We take all reasonable steps so that all data processors appointed by us to process personal data on our behalf comply with GDPR provisions.

International transfer of personal data

 

  • Your personal data may be transferred to third countries (i.e. countries outside the European Economic Area), to recipients mentioned in paragraph 15 above, in connection with the purposes set out in this Privacy Policy. We may transfer your personal data to countries that may have different laws and data protection compliance requirements; however processors in third countries are expected to comply with the European data protection standards when processing your personal data. Where we transfer your personal data to third countries, we do it on the basis of standard contractual clauses adopted by the European Commission copies of which are available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

Principles relating to the processing of your personal data

 

  • We collect and process your personal data in a lawful way, processing the same solely for the purposes of providing you with our services. We also make sure that we process your personal data with integrity and confidentiality thus we have implemented appropriate technical and organisational measures to ensure appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We take reasonable steps to ensure that your personal data that we process are accurate and, where necessary, kept up to date. From time to time we may ask you to confirm the accuracy of your personal data. We take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. We also make sure that all personal data we collect are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Period for which your personal data will be stored

 

  • We will keep your personal data for the duration of our business relationship and for at least five (5) years after the termination of our business relationship, unless otherwise requested by a competent authority, in line with the provisions of the applicable European and Cyprus legislation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“AML”), the Markets in Financial Instruments Directive (‘MiFID II’), the corresponding Investment Services and Activities and Regulated Markets Law and the taxation laws and regulations of the Republic of Cyprus. We may keep your data for longer if we cannot delete it for legal, tax or regulatory reasons, or if deletion is disproportionate due to integration in databases, or part of archive(s) or backup system(s). In addition, the retention of data is not limited in time in the case of pending legal proceedings or an investigation initiated by a public authority, provided that in each case the Company has been informed of the pending legal proceedings or the investigation initiated by a public authority within the retention period described hereinabove.

Your rights

 

  • Further to your right of information which is complied with by virtue of the present Privacy Policy, you have the following rights regarding your personal data we control and process, subject always this is in compliance with applicable laws and regulations and in particular our obligations pursuant to AML or MiFID II:
  1. The right to request access to, or copies of, your personal data, together with information regarding the processing of those personal data.
  2. The right to request rectification of any inaccurate personal data concerning you (subject to provision of satisfactory explanations and documentation).
  3. The right to request, on legitimate grounds and where there is no good reason for us continuing to process it, erasure of your personal data.
  4. The right to object, on grounds relating to your particular situation, to the processing of your personal data which is based on a legitimate interest pursued by SPAFS. We shall no longer process your personal data, unless we have legitimate grounds for the processing, which override your interests, rights and freedom or for the establishment, exercise or defence of legal claims. You also have the right to object where your personal data are processed for direct marketing purposes and we shall stop the processing of your personal data for such purposes.
  5. The right to request restriction of processing of your personal data where one of the following applies: i) your personal data is on its face (with provision of relevant documentation and evidence) not accurate and we need to stop processing it until we verify it, ii) your personal data has been used unlawfully, iii) we no longer need your personal data for the purposes of the processing, but you want us to keep it for use in possible legal claims and iv) you have already objected to the processing of your personal data and you are waiting for us to determine whether we have legitimate grounds for the processing of your data.
  6. The right to have your personal data transferred to another controller, to the extent applicable.
  7. The right to withdraw your consent, where we process your personal data on the basis of your consent. Please note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn by you whereas it will not render further processing unlawful if same is executed on any of the other lawful processing grounds provided by the GDPR.
  8. The right to lodge a complaint regarding the processing of your personal data by us. You can lodge your complaint according to our complaints submission procedure (http://www.spafs.com/wp-content/uploads/COMPLAINTS-SUBMISSION-PROCEDURE.pdf /). If you feel that your concerns have not been adequately addressed by us, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus. You can find information about submitting a complaint on their website (http://www.dataprotection.gov.cy).

 

Automated decision-making and profiling

 

  • The decision to establish or maintain a business relationship with you is not based on automated processing of your personal data.

 

Direct marketing

 

  • We may process your personal data to contact you, primarily by email or phone, in order to provide you with information concerning products and services that may be of interest to you. Please note that in accordance with the applicable law, the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest pursued by the Company. However, if you do not wish to receive marketing communications from us, you can opt out at any time by contacting your regular SPAFS contact or by sending an email to our Data Protection Officer. After you unsubscribe, we will not send you further promotional emails, but we will continue to contact you to the extent necessary for the purposes of any services you have requested.

 

Changes to this Privacy Policy

 

  • At any time the Company may amend this Privacy Policy. You will be notified about material changes, however you are encouraged to review this Privacy Policy periodically, so as to be always informed about how we are processing and protecting your personal data.

Cookies

 A cookie is a small piece of information stored on your computer or mobile device by a website you visit. Cookies help you navigate our website efficiently and allow us to understand visitor trends.

 

Third-party cookies but reserve

We work with third party suppliers who may also set cookies on our website. These third party suppliers are responsible for the right cookies they set on our website. If you want further information please go to do so the website for the relevant third party. You will find additional information in the future. table below and the purposes for which we use them:

Third Party Name Explanation
GoogleAnalytics _ga Collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have navigated from to our website and the pages visited.
WordPress wordfence_verifiedHuman

wfvt_

Cookie set by the Wordfence Security WordPress plugin to protect the site against malicious attacks.
WordPress PHPSESSID To store a simple message when a form is submitted that can be displayed on a different page.

No personal information is stored in this cookie.