2. ACC respects your privacy and is committed to handling your personal data with transparency and integrity. When processing personal data provided by you, ACC is subject to the provisions of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and any applicable data protection laws or regulations of the Republic of Cyprus. ACC acts as a controller of your personal data under GDPR, which means that it determines solely or jointly with others, the purposes and means of the processing of your personal data.
- a. the categories of personal data that are collected and processed by ACC and the purposes of that processing;
- b. the legal basis for the processing of your personal data;
- c. the recipients or categories of recipients of your personal data;
- d. the principles relating to the processing of your personal data;
- e. your rights under applicable legislation and an explanation of how those rights can be exercised.
4. For the purposes of this Policy, ‘personal data’ means any information relating to you that identifies you, directly or indirectly. ‘Processing’ means any operation or set of operations which is performed on personal data, such as collection, recording, storage, use, disclosure, erasure or destruction.
Who we are
5. ACC is a licensed investment firm, registered in Cyprus under registration number HE78416 and regulated by the Cyprus Securities and Exchange Commission (‘CySEC’) under license number 025/04. ACC’s registered office address is at 5, Themistokli Dervi, Elenion Building, 2nd floor, 1066, Nicosia, Cyprus.
7. If you have any questions or concerns relating to the processing of personal data by ACC, you can contact our Data Protection Officer by email at: GDPR_dpo@alfacapital.com.cy or by letter to 3, Themistoklis Dervis Street, Julia House, 4th floor, 1066, Nicosia, Cyprus.
Collection of personal data
8. In order to register for a personal account with ACC, the following personal data is required from you:
- a. Personal information such as your name, date and place of birth, citizenship, nationality, home address, passport/ ID number, FATCA/ CRS information (tax residency, tax identification number), contact details (telephone, email), bank account details, occupation and information on whether you hold/held a prominent public function (for PEPs);
- b. Financial information such as your income, source of funds and investment objectives;
- c. Documents that verify your identity and residency such as an international passport or national ID and utility bills or bank statements.
9. We may also collect and process personal data from public sources (e.g. the Department of Registrar of Companies and Official Receiver, the press, the internet) as well as from risk management suites such as the World-Check database.
10. ACC does not provide any services to children, nor processes any personal data in relation to children, where ‘children’ are individuals who are under the age of eighteen (18).
Legal basis for the processing of your personal data
11. The protection of your privacy and personal information is of great importance to us. Your personal data is processed lawfully, fairly and in a transparent manner on the following bases:
- a. For the performance of a contract
- The processing of your personal data is necessary for the performance of a contract, namely the trading agreements to which you are party, or in order to take steps at your request prior to entering into a contract. In order to be able to render investment services to you and administer our relationship, we need to collect certain information about your identity, financial background and investment objectives.
- b. For compliance with a legal obligation
- The processing of your personal data is necessary for compliance with the legal obligations emanating from a number of laws to which ACC is subject, e.g. the European Markets in Financial Instruments Directive (‘MiFID II’) and the corresponding Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus, the European and Cyprus legislation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, the Common Reporting Standard (‘CRS’), the Market Abuse Regulation (‘MAR’), the European Market Infrastructure Regulation (‘EMIR’), the Foreign Account Tax Compliance Act (FATCA). Compliance with these legal obligations requires, inter alia, identity verification procedures and processes, anti-money laundering controls, the retention of personal data for a certain period of time, the disclosure of personal data to the supervisory and other regulatory and public authorities, etc.
- с. For the purposes of the legitimate interests pursued by ACC
The processing of your personal data is necessary for the purposes of the legitimate interests pursued by ACC, where those interests do not infringe your interests, fundamental rights and freedoms. These legitimate interests include business or commercial interests and examples of relevant processing activities include: preparing our defence in litigation procedures; preventing fraud and money laundering activities; managing business and further developing and marketing of products and services.
Your obligation to provide us with your personal data
Recipients or categories of recipients of your personal data
13. In the course of the performance of our contractual and statutory obligations and for legitimate business purposes, your personal data may be disclosed to:
- a. Supervisory and other regulatory and public authorities, upon request or where required. Some examples are the Cyprus Securities and Exchange Commission, the Unit for Combating Money Laundering (MOKAS), criminal prosecution authorities.
- b. To other entities within the Alfa Group.
- c. Auditors, lawyers, consultants and other outside professional advisors of ACC, subject to confidentiality agreements.
- d. Third party processors such as payment services providers, companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support, file storage and records management companies.
All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions.
International transfer of personal data
Principles relating to the processing of your personal data
15. We have implemented appropriate technical and organisational measures to ensure appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We take reasonable steps to ensure that your personal data that we process are accurate and, where necessary, kept up to date. From time to time we may ask you to confirm the accuracy of your personal data. We take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. We also make sure that all personal data we collect are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Period for which your personal data will be stored
16. We will keep your personal data for the duration of our business relationship and for five (5) years after the termination of our business relationship, unless otherwise requested by a competent authority, in line with the provisions of the applicable European and Cyprus legislation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, the Markets in Financial Instruments Directive (‘MiFID II’) and the corresponding Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus.We may keep your data for longer if we cannot delete it for legal or regulatory reasons. In particular, the retention of data is not limited in time in the case of pending legal proceedings or an investigation initiated by a public authority, provided that in each case the Company has been informed of the pending legal proceedings or the investigation initiated by a public authority within the retention period described hereinabove.
17. You have the following rights regarding your personal data we control and process:
- a. The right to request access to, or copies of, your personal data, together with information regarding the processing of those personal data.
- b. The right to request rectification of any inaccurate personal data concerning you.
- c. The right to request, on legitimate grounds and where there is no good reason for us continuing to process it, erasure of your personal data.
- d. The right to object, on grounds relating to your particular situation, to the processing of your personal data which is based on a legitimate interest pursued by ACC. We shall no longer process your personal data, unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedom or for the establishment, exercise or defence of legal claims. You also have the right to object where your personal data are processed for direct marketing purposes and we shall stop the processing of your personal data for such purposes.
- e. The right to request restriction of processing of your personal data where one of the following applies: i) your personal data is not accurate and we need to stop processing it until we verify it, ii) your personal data has been used unlawfully, iii) we no longer need your personal data for the purposes of the processing, but you want us to keep it for use in possible legal claims and iv) you have already objected to the processing of your personal data and you are waiting for us to confirm if we have legitimate grounds for the processing of your data.
- f. The right to have your personal data transferred to another controller, to the extent applicable.
- g. The right to withdraw your consent, where we process your personal data on the basis of your consent. Please note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn by you.
- h. The right to lodge a complaint regarding the processing of your personal data by us. You can lodge your complaint by completing our complaints form. If you feel that your concerns have not been adequately addressed by us, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus. You can find information about submitting a complaint on their website (http://www.dataprotection.gov.cy).
Automated decision-making and profiling
18. The decision to establish a business relationship with you is not based on automated processing of your personal data. We may process some of your data automatically, in order to assess certain personal aspects relating to you (profiling), which will enable us to perform a contract with you, in the following cases:
- a. Appropriateness assessment: Using the answers you provide through our online client questionnaire for clients of Alfa-Forex, a brand owned by ACC, our system assesses in an automate way the appropriateness of a service or a product based on your knowledge and experience. In case the Company, based on the results of this appropriateness assessment, decides that the service or product is not appropriate for you, it may refrain from offering this particular service or product to you.
- b. Suitability assessment: The Company must, when providing the investment service of portfolio management or investment advice, obtain the necessary information regarding the client's or potential client's knowledge, experience, financial situation, investment objectives and ability to bear losses so as to be able to recommend the services and products that are suitable to the client’s situation. Using the answers you provide through our online client questionnaire, our system assesses in an automate way the suitability of particular services and products for you.
- c. Monitoring of clients’ accounts and transactions: The information received during the on-boarding process is compared with your actual trading activity, deposits and withdrawals. Data assessments, including transaction monitoring, are carried out in the context of combating money laundering and fraud.
19. We may process your personal data to contact you, primarily by email, in order to provide you with information concerning products and services that may be of interest to you. Please note that in accordance with the applicable law, the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest pursued by the Company. However, if you do not wish to receive marketing communications from us, you can opt out at any time by contacting your regular ACC contact or by sending an email to our Data Protection Officer. After you unsubscribe, we will not send you further promotional emails, but we will continue to contact you to the extent necessary for the purposes of any services you have requested.