- Who we are
Finmatek Ltd (hereinafter referred to as “Finmatek”, “We” (“Us”, “Our”) or “Company”), located at Piraeus 24, 3rd Floor, Office 302 Strovolos, 2023 Nicosia, Cyprus, is an innovative RegTech company offering technologically advanced solutions to businesses, such as investment firms and banks, helping them fulfil their regulatory reporting obligations. Finmatek falls under ‘FINCAP Group’, being the subsidiary of Fincap Advisers Ltd and Fincap Reporting Solutions Ltd.
At Finmatek, we take your privacy very seriously. This Policy sets out the rules and processes relating to clients’ personal data, as well as the measures employed to protect your data from third parties seeking to gain unauthorized access.
The sections below explain in detail how we manage the personal information provided to us.
- Purpose of this policy
According to Data Protection Law, personal information must be used lawfully, fairly and in a transparent way, collected only for valid purposes that we have clearly explained to you, and not used in any way that is incompatible with those purposes. Furthermore, it must be relevant to those purposes and limited only to them. It must be accurate and kept up to date. Lastly and most importantly, it must be kept securely and for the duration deemed appropriate for the purposes required.
- Useful Definitions
- Personal Data: Personal data refers to any information relating to you, as an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Special categories of personal data: This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Controller: Where we act as the controller in relation to your personal data, we determine the purposes for which and how we will process your personal data.
- Processor: Under certain circumstances, we may act as a processor for your personal data, processing it on your behalf and on the basis of your instructions.
- Processing: Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Protection Legislation: This means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Law on the protection of natural persons against the processing of personal data and the free movement of such data, Law 125(I)/2018 and/or other applicable data protection legislation and/or guidelines.
- Whose personal data we process:
- Individual clients and individuals who are considering entering into an agreement with us to offer services to them and/or former clients (collectively referred to as the “Individual Clients”);
- Individuals connected to Individual Clients (e.g. authorized representatives and/or agents and/or employees);
- Individuals connected or relevant to non-individual clients such as companies, other corporate clients or other legal or non-legal entities who are considering entering into or who have entered into an agreement with us under the terms of which we will provide services to them (the “Client Entities”). Such persons include shareholders, owners, employees, directors, officers, authorized representatives or agents (e.g. external legal counsel or external auditors) and other associates.
Individual Clients and Client Entities are hereinafter collectively referred to as “Clients”.
- Other individuals (e.g. staff candidates) that may be in any way connected with the work that we are engaged to provide to our Clients;
- Our employees and other persons working for us;
- Persons applying to us for employment;
- Our associates, which may include without limitation IT services providers, auditors, other service providers, consultants, insurers and background check providers (collectively referred to as the “Associates”), with whom we may cooperate in offering our services to our Clients (together the “Customers”); and
- Visitors to our Website.
- The Personal Information that we process:
Finmatek processes various types of personal data relating to you, which may vary according to the circumstances and nature of our engagement with you.
Examples include where you access or apply for our services or where you are our Client and we send our marketing material to you.
We may process:
- personal details such as name, surname, place and date of birth, residential address, email address, telephone number, ID, passport;
- due diligence and know-your-customer information and documentation which we are legally obliged to collect such as passport or other personal identification information, proof of address information, nationality, place and date of birth, country of residence, job, source of wealth, tax reference and background information such as non-bankruptcy records and clean criminal records;
- information relating to professional relationships – this includes (but is not limited to) your financial or other transactions, business dealings, tax information, marital status, history;
- financial details such as bank account, credit card details, bank statements, loan agreements, credit facilities, tax reference, information regarding the completion and submission of IR4 and IR7 forms, billing information, payment details;
- employment and professional details such as employment contract, curriculum vitae, academic qualifications, diplomas, references, certificates, information relating to your professional and academic qualifications, work experience, references and other information, social media information, where you may apply to us for employment or for consideration in our recruitment services;
- other personal data which may be provided to us.
Additionally, we do not seek to collect, use or otherwise process special categories of personal data. However, under certain circumstances and pursuant to our engagement and/or relationship with you, we may need to process your sensitive personal data such as data revealing racial or ethnic origin and biometric data, e.g. facial images taken from IDs or passports and dactyloscopic data (i.e. fingerprints).
- How we collect your personal data
Finmatek collects your personal data:
- directly from you or through our email and telephone correspondence;
- indirectly from our Clients, Client Entities or their representatives, employees and/or our Associates;
- background check agencies (e.g. World compliance checks);
- employment agencies;
- due diligence investigation;
- internet and social media activity;
- governmental departments/agencies (e.g. through the website of the registrar of companies and official receiver) and from various public sources; and
- when you visit our website, e.g. personal data is collected when you complete any forms found on our website and we also receive basic information relating to your visit that is being supplied by your browser.
For further information please see our Cookies Policy here.
- Time of collection of personal data
Personal data may be collected by Finmatek where you or an organisation with which you are related in any capacity (e.g. employee, officer, representative) contact us in relation to any services that it may provide. Your data may also be processed if you sign up to receive any informative or marketing material, including our Regulatory Alerts. Your data may also be collected when an organisation engages Finmatek to provide services and you are engaged in the organisation in any capacity that is relevant (for example, as a director, representative or employee of such entity with which the Company Entity deals in providing any services).
- Legal ground for personal data processing
Finmatek may process the personal data set out above on one or more of the following grounds:
- You have provided your consent to Finmatek for the specific purpose of processing;
- The processing is necessary for the performance of a contract to which you or a Client Entity are party or in order to take steps at your or a Client Entity’s request prior to entering into a contract with Finmatek;
- processing is necessary for compliance with a legal obligation to which Finmatek as the controller is subject;
- processing is necessary in order to protect the significant interests of you or of another natural person;
- processing is necessary for the purposes of the legitimate interests pursued by Finmatek as the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child. Examples where Finmatek may process personal data on this ground include fraud detection and prevention, credit and KYC checks, inquiries in relation to politically exposed persons, product development, communications and marketing, insurance purposes, employment and recruitment purposes, IT purposes (e.g. data loss prevention, information, system, network and cyber-security), employment data processing, general operations and due diligence (e.g. internal customer analysis, reporting and management information).
- Use of Third Parties/Sub-Processors
Finmatek may disclose and/or share and/or transfer your personal data with third parties in order to perform certain processing activities on our behalf. Particularly, we may appoint third parties (sub-contractor data processors) if required to perform our legal obligations, duties and responsibilities under our engagement. Moreover, it is our legitimate interest (or a third party’s legitimate interest) to perform such processing activities to ensure that we perform our contractual obligations effectively and in the best way that we can.
When doing so, we conduct an appropriate level of due diligence in order to ensure that our Associates and/or third parties (if applicable) comply with our legal and regulatory obligations relating to the security of personal information, and we put in place relevant contractual documentation.
- Personal data provided in relation to other individuals
If you, as a client, provide data to Finmatek on behalf of other individuals (i.e. officers, secretary, employees etc.), you are duly entitled to do so.
Among your duties, it is also represented that the said individual is aware of the relevant protection practices in place, as stated in this Policy, including how to contact Finmatek, as well as the obligation of information to be provided under applicable laws and legislation.
- Duration of Data Storage
We keep your personal data in hard files and/or in secured electronic folders on our Company’s server.
We keep your personal data for no longer than reasonably necessary for the purposes for which we collected it. It is our policy to retain personal data for at least 5 years after the end of the relationship. However, we may keep your personal data for longer if:
- we are required to do so according to our regulatory or professional indemnity obligations;
- where we deem it necessary to retain your personal data to protect ourselves from any legal claim or dispute relating to the services we provide to you or to our relationship, if different; in that case we will keep the data for the relevant limitation period, or for longer if obliged to do so under a legal obligation;
- where we cannot delete the data for technical reasons; and
- where we use your personal data for our own statistical, scientific or historical purposes.
Under such circumstances we determine the appropriate retention period, by taking into account, among others, the amount, nature and sensitivity of the personal data and the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
After such time period, we may destroy such files without further notice or liability, by securely shredding hard copies and deleting electronic files.
- Personal Data transfer to Countries outside the European Economic Area
During the course of our business and pursuant to our engagement with each Client, we may need to transfer and/or transmit and/or disclose personal data to third parties situated outside the EEA (i.e. countries not offering the same level of protection of personal data as within the EEA).
We will seek to ensure that transfers outside the EEA comply with all applicable laws and regulations, including having a lawful basis for transferring personal information and implementing appropriate measures and safeguards to ensure an adequate level of protection for the personal data.
- Your Rights
Data protection law gives you a number of rights when it comes to personal information we hold about you. The key rights are set out below.
- Right of Access – right to request a copy of personal data held by Finmatek, acting as your data controller;
- Right of Rectification – right to request from Finmatek the correction of inaccurate or incomplete information;
- Right to be Forgotten (right of erasure) – right to ask Finmatek to delete or remove personal information where there is no good reason for us continuing to process it (for instance, we may need to continue using your personal data to comply with our legal obligations). You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing;
- Right to Restriction of Processing – right to ask Finmatek to suspend the processing of personal information about you, for example if you want Finmatek to establish its accuracy or the reason for processing it;
- Right of Objection – right to object to processing of your personal information where Finmatek is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to us using your information on this basis and we do not have a compelling legitimate basis for doing so which overrides your rights, interests and freedoms (for instance, we may need it to defend a legal claim). You also have the right to object where we are processing your personal information for direct marketing purposes;
- Right of Portability – right to request to have the data held about you transferred to another organisation, where technically feasible, and provided that processing is based on your consent and such processing is carried out by automated means;
- Right to Judicial Review – where Finmatek refuses any request relating to any rights of access, it will provide you with the reason why;
- Right to lodge a complaint – In case you think that we are using your information in a way which breaches data protection law, you have the right to lodge a complaint by contacting us via email at [email protected]. If you are still unsatisfied you may submit a complaint to the Commissioner for the Protection of Personal Data.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, withdraw your consent to the processing of your personal information or request that we transfer a copy of your personal information to another party, please contact us through our website www.finmatek.com.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us understand the nature of your request, to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Please consider your request responsibly before submitting it. We will respond to your request as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will let you know.
- How to contact us
If you have any questions or concerns regarding this Privacy Policy or in case you want to exercise your rights set out in this Privacy Policy, please contact us by sending an email to [email protected].
- Cookies
Cookies are used to deliver a better customer experience on our website. Further information can be found in the Cookies Policy here.
- Changes/Updates to the Privacy Policy
The Company may update this Privacy Policy from time to time. In the event that the Company materially changes this Policy, including how it collects, processes or uses clients’ personal information, the revised Privacy Policy will be uploaded to the Company’s website.