Applicability of Privacy Notice
This privacy notice applies to all natural persons who are clients of the Centaur Trust Group and its subsidiaries (hereinafter “Centaur Trust”), as well as any other persons who may have a relationship with, or be connected to, clients of Centaur Trust, and in respect of whom Centaur Trust collects and processes personal data (Data Subjects).
Data Controller
Centaur Trust is the Data Controller and is committed to protecting the personal data it collects and processes, during the course of its business operations, in line with the provisions of the European Union General Data Protection Regulation (GDPR).
Data Protection Officer
The Data Protection Officer of Centaur Trust is Haig Assadourian, who can be contacted as follows:
Email: dpo@centaurtrustgroup.com
Tel: +357 22 499 994
Mobile: +357 99 218 204
Personal Data Collected
Centaur Trust collects personal data in relation to Data Subjects as part of meeting its obligations towards its clients, as well as its legal obligation to carry out proper due diligence in compliance with local and international Anti-Money Laundering Legislation, as applicable.
The data collected includes:
- Full name
- Date and place of birth
- Residential address & contact details
- Curriculum Vitae
- Passport/ID details
- Source of funds/wealth
- Bank reference
- Bank account details
As well as any other information which may be or become required in the future.
In addition, Centaur Trust collects the names and professional contact details of associates it works with, in relation to its clients.
Use of Personal Data
The personal data of Data Subjects is used for the purposes of complying with local and international Anti-Money Laundering Legislation, as applicable, as well as meeting statutory, fiscal and reporting obligations towards various government authorities. Additionally, personal data may also be shared with other service providers, such as banks, lawyers, accountants, auditors, notaries and other similar providers, as part of discharging its duties and responsibilities under the provisions of its appointment by the clients, for the provision of professional services, as governed by the services agreement signed with its clients.
Furthermore, Centaur Trust may from time to time send newsletters, publications, emails or other forms of communication, written or oral, for the purpose of informing clients and other persons related to clients, as well as professional firms and associates of any news or new services it may offer. Such communication will only be sent provided that Centaur Trust has received written and explicit consent from the persons concerned.
Centaur Trust will also communicate with associates it works with, in relation to mutual clients, for the purposes of serving such clients under the terms of the services agreement signed between Centaur Trust and its clients.
Centaur Trust strictly undertakes to process any personal data it has collected purely for the purposes intended, and only for the necessary period of time, so as to be able to fulfil its obligations to its clients, and to comply with any applicable laws and regulations.
CCTV Cameras
Centaur Trust has installed and operates CCTV cameras in all the buildings it owns and operates, in the interests of the safety and security of its clients, employees and all other persons who visit its offices.
Legal Basis for Processing Personal Data
Centaur Trust collects the personal data of Data Subjects in accordance with the following legal bases:
- Legal obligation – to comply with local and international Anti-Money Laundering Regulations, as well as the statutory reporting requirements of the relevant government authorities (Registrar of Companies, the Regulator, the Tax and VAT authorities, the Department of Social Insurance Services)
- Necessary for the performance of a contract – to discharge its duties and responsibilities under the provisions of the Services Agreement signed with clients.
- Vital interests of staff, clients and other visitors – so as to provide a safe and secure environment.
- Consent – to keep clients and other stakeholders, as well as associates and professional contacts informed of new developments via newsletters and announcements.
Transfer of Personal Data to Third Parties (Processors)
During the course of its normal business operations, and in order to meet its contractual obligations under the Services Agreement signed with its clients, Centaur Trust may be required to share the personal data of its clients and any other persons who may have a relationship with, or be connected to, clients of Centaur Trust, with any of the following:
- Banks
- Lawyers
- Accountants
- Auditors
- Notaries
- Registered agents in other jurisdictions
- Other service providers and associates
Such third parties are known as Processors under the provisions of the GDPR.
Furthermore, in order to comply with local and international Anti-Money Laundering Regulations, as well as statutory reporting requirements, Centaur Trust may be required to share the personal data of its clients and any other persons who may have a relationship with, or be connected to, clients of Centaur Trust, with any of the following:
- The Registrar of Companies
- The Tax Department
- Department of Social Insurance Services
- The Regulatory Authority (CySEC, MFSA, etc.)
- Other government departments, as applicable
In all such cases, the transfer of personal data will be in accordance with Centaur Trust’s Privacy Policies, and in compliance with the GDPR. Any transfer of personal data to non-governmental organisations will only be effected subject to a Data Processing Agreement.
Furthermore, in cases where personal data is transferred outside the European Union, this will be effected in full compliance with the procedures required by the relevant authority, and in compliance with the provisions of GDPR.
Personal Data Retention Period
Centaur Trust will retain the personal data of Data Subjects for a minimum of five years following the termination of the relationship with the client, as provided for by international Anti-Money Laundering Regulations. At the end of the five-year period, following termination of the relationship, all personal data relating to the clients or any other related persons will be deleted/destroyed, with the exception of:
- Information required by the tax office
- Any other information which may be required by law
In so far as such deletion/destruction of data will not be in contravention of any other legal requirements which may be in force at the time.
Data Subjects’ Rights
Under the provisions of the GDPR, Data Subjects have the following rights, with regards to their personal data:
- The right to be informed – about the collection and use of their personal data
- The right of access – to their personal data
- The right to rectification – to have inaccurate personal data corrected, or incomplete data to be completed
- The right to erasure – to have personal data erased (so called “right to be forgotten”)
- The right to restrict processing – right to request the restriction or suppression of personal data
- The right to data portability – to obtain and reuse their personal data and to transfer it easily from one IT environment to another in a safe and secure way
- The right to object – to processing of personal data
- Rights in relation to automated decision making and profiling – right to request that in cases where personal data is used for automated decision making or profiling, the final decision is taken by a physical person
- The right to withdraw consent – where the processing of personal data requires or is based on the consent of the Data Subject
- The right to complain – if any persons have any concerns with the way in which their personal data has been processed, they may contact the Data Protection Officer in the first instance. If they are still not satisfied, they have the right to contact the relevant data protection authority
Security of Personal Data
Centaur Trust takes all the necessary steps to ensure that all personal data that it has collected is processed, shared, stored and deleted in a safe and secure way. All reasonable steps are taken to protect the IT infrastructure of the Centaur Trust Group against unauthorised access or loss of data. This includes hardware and software security measures, restriction of access to data via user rights, data encryption, regular software updates and back-ups, and use of the full Microsoft Office 365 suite. Apart from using our own dedicated file server for the storage of client sensitive data, Microsoft Office 365 allows us to keep all data securely, as per Microsoft’s standards, with high availability geo-redundant data centres.
Centaur Trust works with outside security specialists to perform regular penetration testing of all its IT systems, and takes all the necessary measures to rectify any shortcomings identified during such tests. In case of any breach of security, or loss of any device (PC, laptop, mobile, storage device), the Chief Technology Officer is informed immediately, followed by the Data Protection Officer, so that appropriate damage limitation measures are taken.
Applicability of Employee Privacy Notice
This privacy notice applies to employees of the Centaur Trust Group and its subsidiaries (hereinafter “Centaur Trust”), as well as persons who may apply for employment from time to time (Data Subjects).
Data Controller
Centaur Trust is the Data Controller and is committed to protecting the personal data it collects and processes during the course of its business operations, in line with the provisions of the European Union General Data Protection Regulation (GDPR).
Data Protection Officer
The Data Protection Officer of Centaur Trust is Haig Assadourian, who can be contacted as follows:
Email: dpo@centaurtrustgroup.com
Tel: +357 22 499 994
Mobile: +357 99 218 204
Personal Data Collected
Centaur Trust collects personal data in relation to its employees (Data Subjects) as part of the recruitment process, and following employment, such data forms part of the employees’ records and is added to as required, so as to administer the employment of all employees. The data collected includes:
- Full name
- Date and place of birth
- Gender
- Photo
- Residential address & contact details
- Academic & professional qualifications, professional memberships, skills, achievements, awards, CV & work experience
- Passport/ID number
- Tax identification number
- Social insurance number
- Bank account details
Special Categories of Personal Data
In certain cases, Centaur Trust may also collect personal data which, under the provisions of Article 9 of the GDPR, is considered as special personal data (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health or data concerning a person’s sex life or sexual orientation).
Such data will normally be collected subject to the explicit consent of the employee, as evidenced in the applicable consent form, and only in cases where the collected data is required so as to safeguard the best interests and safety of the employee in question, and to enable the Company to take any special measures to accommodate specific requirements, for example dietary or health conditions, disabilities, religious beliefs, or to monitor and counter discrimination.
Such data will be treated in accordance with the requirements of the GDPR, and will be considered as strictly private and confidential, and will only be accessed by the minimum number of persons necessary within Centaur Trust who administer matters relating to health, employee welfare and other matters relating to the terms and conditions of employment.
Use of Personal Data
The personal data of employees is used for the purposes of administering the employment of the staff, in accordance with the staff employment contract of each employee, as well as payroll administration and meeting legal obligations with regards to tax and social insurance contributions. Some of this information is also used for the purposes of securing health insurance cover for the staff, as well as employer’s liability insurance, professional indemnity insurance, and directors’ liability insurance.
Centaur Trust strictly undertakes to process any personal data it has collected purely for the purposes intended, and only for the necessary period of time, so as to be able to fulfil its obligations to its employees, and to comply with any applicable laws and regulations.
CCTV Cameras, Alarm System and Time & Attendance Monitoring
Centaur Trust has installed and operates CCTV cameras in all the buildings it owns and operates, in the interests of the safety and security of its clients, employees and all other persons who visit its offices.
Furthermore, Centaur Trust has installed and operates the following security and monitoring systems:
- CCTV Cameras – these are installed at all the buildings owned and operated by the Centaur Trust Group for the safety and security of its clients, employees and all other persons who visit its offices.
- Alarm Systems – these are installed at all the buildings owned and operated by the Centaur Trust Group for the safety and security of its clients, employees and all other persons who visit its offices.
- Time & Attendance Monitoring System – this is installed at all the buildings owned and operated by the Centaur Trust Group, so as to be able to administer the payroll and staff holiday entitlement.
Legal Basis for Processing Personal Data
Centaur Trust collects the personal data of employees, as listed above, in accordance with the following legal bases:
- Legal obligation – Centaur Trust is required to submit personal income tax and social insurance contributions on behalf of each employee, and as such must collect their social insurance and tax identification numbers, so as to be able to submit the required contributions.
- Necessary for the performance of a contract – Centaur Trust collects the bank account details of its employees, so as to make monthly salary payments, in accordance with the employment contract signed with each employee. Furthermore, it operates a time & attendance system so as to assist in the evaluation of staff performance and administer its holiday policy.
- Legitimate interests – Centaur Trust collects the full name, date of birth, residential address and passport/ID number of each employee, so as to properly identify each person employed by the Company and protect the best interests of the Company, its clients and employees. Furthermore, it collects information relating to the educational & professional qualifications, work experience, skills and other information relevant to the evaluation of the competence and suitability of its employees.
- Safety of employees – Centaur Trust has installed CCTV and alarm systems for the safety and security of its employees, clients and other visitors to its offices. Furthermore, it may collect the contact details of next of kin, so as to contact them in case of an emergency.
- Consent – Centaur Trust collects special categories of personal data, as defined by Article 9 of the GDPR, subject to the consent of the persons concerned, as evidenced by the relevant consent forms.
Transfer of Personal Data to Third Parties (Processors)
During the course of its normal business operations, and in order to meet its contractual obligations under the employment contracts signed with its employees, Centaur Trust discloses the following personal data to third parties:
- Income tax – employee name, salary and tax identification number are provided to the Tax Department.
- Social Insurance – employee name, salary and social insurance number are provided to the Department of Social Insurance.
- Banks – employee name, salary and bank account number are provided to the banks used by the Company’s employees, for the purpose of payment of salaries.
- Auditors – payroll information is included in the accounting information provided to the Company’s auditors
- Insurance Companies – (health, employer’s liability, professional indemnity & directors’ liability) application forms of each insurance company
- Suppliers of Services – (travel agency, hotels) employee name, ID/passport number
Furthermore, for employees who are appointed as officers of companies of the Centaur Trust Group, or client companies, it may be necessary to disclose personal identification data, such as name, address, date of birth, passport/ID details to banks, government authorities within and outside the European Union, law firms, auditors and notaries, during the course of the employees discharging their duties under the terms of their employment.
In all such cases, the transfer of personal data will be in accordance with Centaur Trust’s Privacy Policies, and in compliance with the GDPR. Any transfer of personal data to non-governmental organisations will only be effected subject to a Data Processing Agreement.
Furthermore, in cases where personal data is transferred outside the European Union, this will be effected in full compliance with the procedures required by the relevant authority, and in compliance with the provisions of GDPR.
Personal Data Retention Period
Centaur Trust will retain personal data of its employees for the duration of their employment, and thereafter for two years following termination of the employment, so as to allow access to such information if required. At the end of the two-year period, following termination of the employment, all personal data relating to that employee will be deleted/destroyed, with the exception of:
- Information required by the tax office
- Payroll information of the Company, as included in its financial statements
- Any other information which may be required by law
In so far as such deletion/destruction of data will not be in contravention of any other legal requirements which may be in force at the time.
In the case of applicants for employment who are not recruited, Centaur Trust may keep their applications for a period of twelve months from the date of application, subject to their express consent, so as to contact them as part of any future recruitment process. Applications may be kept for a further twelve months, with the consent of the applicants, by ticking the appropriate box in the Company’s Job Application Consent Letter. All other applications where consent for retention has not been given will be deleted.
Employee Rights
Under the provisions of the GDPR, employees have the following rights, with regards to their personal data:
- The right to be informed – about the collection and use of their personal data
- The right of access – to their personal data
- The right to rectification – to have inaccurate personal data corrected, or incomplete data to be completed
- The right to erasure – to have personal data erased (so called “right to be forgotten”)
- The right to restrict processing – right to request the restriction or suppression of personal data
- The right to data portability – to obtain and reuse their personal data and to transfer it easily from one IT environment to another in a safe and secure way
- The right to object – to processing of personal data
- Rights in relation to automated decision making and profiling – right to request that in cases where personal data is used for automated decision making or profiling, the final decision is taken by a physical person
- The right to withdraw consent – where the processing of personal data requires or is based on the consent of the employee
- The right to complain – if any employees have any concerns with the way in which their personal data has been processed, they may contact the Data Protection Officer in the first instance. If they are still not satisfied, they have the right to contact the relevant data protection authority, as identified above
Security of Personal Data
Centaur Trust takes all the necessary steps to ensure that all personal data that it has collected is processed, shared, stored and deleted in a safe and secure way. All reasonable steps are taken to protect the IT infrastructure of the Centaur Trust Group against unauthorised access or loss of data. This includes hardware and software security measures, restriction of access to data via user rights, data encryption, regular software updates and back-ups, and use of the full Microsoft Office 365 suite. Apart from using our own dedicated file server for the storage of client sensitive data, Microsoft Office 365 allows us to keep all data securely, as per Microsoft’s standards, with high availability geo-redundant data centres.
Centaur Trust works with outside security specialists to perform regular penetration testing of all its IT systems, and takes all the necessary measures to rectify any shortcomings identified during such tests. In case of any breach of security, or loss of any device (PC, laptop, mobile, storage device), the Chief Technology Officer is informed immediately, followed by the Data Protection Officer, so that appropriate damage limitation measures are taken.