Privacy Policy - Nobel Trust

Nobel Trust Limited considers issues relating to Personal Data to be of utmost importance. Our Privacy Policy lays down rules and dictates how we handle information in relation to the following:

what information we collect or receive about you;
what the purpose of collection is;
what the lawful basis of processing data is;
who we may share your information with;
what the retention period for data is;
how we keep your information safe;
your rights regarding the personal information you provide to us;
who you can contact if you have questions or complaints about how we process your information.

The lawful basis of processing, the means of collection, disclosure and retention periods may differ depending on the purpose of processing as set out below.

‘We’ refers to Nobel Trust Limited a limited liability company registered with the Department of the Registrar of Companies under registration number HE248831, having its registered office at 17-19 Themistokli Dervi Street, The City House, CY-1066 Nicosia, Cyprus as well as other subsidiaries or affiliated companies of ours as (1) they may act as a service provider following a contractual agreement with us or (2) have a role or relationship with.

The term ‘Personal Data’ means any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed.

The term ‘Data Subject’ means a living, identified or identifiable individual about whom we hold Personal Data.

The term ‘Special Categories of Personal Data’ refers to information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

References to ‘you’ or ‘your’, relate to the relevant individual who is the subject of the Personal Data.

Various Categories of Data

INDIVIDUAL CLIENTS’ PERSONAL DATA

COLLECTION OF PERSONAL DATA WITH REGARD TO CORPORATE OR UNINCORPORATED ENTITIES

CAREER APPLICANTS

EMPLOYEES

PERSONS WHO GET IN TOUCH WITH US

VISITORS TO OUR WEBSITE

We generally collect Personal Data from our clients or from a third party acting on the instructions of the relevant client. Where individual clients are required to provide us with Personal Data of other Data Subjects, which are also required for the purposes of our engagement, we ask such clients to inform other Data Subjects concerned, such as family members, of the particulars of this policy.

Types of Data

– Personal Data processed may include all or any of the following data types, subject to the particulars of the specific services which we’re requested to provide:

Personal details (including name, age/date of birth, gender, marital status, country of residence) of client and of other individuals associated with the client and the case at hand, whether in a business or private nature and provided that such individuals are relevant to our engagement; contact details (e.g. email address, contact number, postal address)
Financial details (e.g. salary and other income and investments, benefits, tax status)
Job details (e.g. role, grade, experience and performance information)
Banking details, information in relation to past and future litigation, general information regarding business dealings or regarding the particulars of the case which we are called to assist on, investments and other financial interests, other data considered necessary for the purposes of the engagement.

-Depending on the particulars of our engagement we may also collect Special Categories of Personal Data.

Purpose of processing

Any personal data supplied to us by you may be used for the express purposes for which that information is provided to us, to provide advice and deliverables, for compliance with our legal obligations, to analyse and improve our services and communications to you, for insurance purposes, to identify persons authorized to represent our clients, to comply with court orders and/or defend our legal rights, to process invoices to and payments from you and for any purposes related to or ancillary to the above or as deemed necessary for the purpose of carrying out and/or providing services under any other engagement agreement or other agreement entered between us and/or pursuant to your instructions.

We may from time to time use the contact details you and your authorized representatives have provided to us to send invitations, marketing materials, legal updates or other publications that we feel may be of interest and to organise associated events as well as business meetings. Such contact details may include any information you or your representatives have made available to us to assist us in such purposes. Should any individuals not wish to receive marketing communications, please notify your contact at Nobel Trust Limited or press the unsubscribe button on the relevant correspondence.

Legal basis for processing data

The legal basis for processing personal data vary depending on the purpose of processing. Personal data may be processed on one or more of the following legal grounds:

for the performance of our management agreement or client instruction or other agreement with you
to comply with our legal obligations (e.g. for compliance with the Prevention of Money Laundering and Terrorist Financing (AML) legislation applicable from time to time)
to comply with court orders and exercises and/or defend our legal rights
for legitimate interests pursued by us in providing professional services and running an effective business
on the basis of your consent where you have expressly provided such to us
where we process special categories of Personal Data, we rely on the collection of such data being authorized by European Union or Cyprus law, on a relevant public interest condition, or on express consent.

Data retention

In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services to you is 10 years.

Personal Data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights. Personal Data may also be held for longer periods where clients expressly require us to retain / store their records for extended periods of time.

Types of data

The types of Personal Data processed by us in relation to the services provided to corporate or unincorporated entities may include all or any of the following with regard to the authorized representatives, directors, employees (as applicable), individual shareholders and ultimate beneficial owners:

– Personal details (including name, age/date of birth, gender, marital status, country of residence); contact details (e.g. email address, contact number, postal address);

– Financial details (e.g. salary and other income and investments, benefits, tax status); job details (e.g. role, grade, experience and performance information);

– Other data considered necessary for the purposes of the engagement.

– Depending on the particulars of our engagement we may also collect special categories of Personal Data.

Purpose of processing

Any personal data supplied to us by you may be used for the express purposes for which that information is provided to us, to provide advice and deliverable, for compliance with our legal obligations, to analyse and improve our services and communications to you, for insurance purposes, to identify persons authorized to represent our clients, to comply with court orders and/or defend our legal rights, to process invoices to and payments from you and for any purposes related to or ancillary to the above or as deemed necessary for the purpose of carrying out and/or providing services under any other engagement agreement or other agreement entered between us and/or pursuant to your instructions.

Legal Basis for processing

The legal basis for processing personal data vary depending on the purpose of processing. Personal data may be processed on one or more of the following legal grounds:

for the performance of our management agreement or client instruction or other agreement with you
to comply with our legal obligations (e.g. for compliance with the Prevention of Money Laundering and Terrorist Financing (AML) legislation applicable from time to time)
to comply with court orders and exercises and/or defend our legal rights
for legitimate interests pursued by us in providing professional services and running an effective business
on the basis of your consent where you have expressly provided such to us
where we process special categories of Personal Data, we rely on the collection of such data being authorized by European Union or Cyprus law, on a relevant public interest condition, or on express consent.

Data retention

Types of data

The types of Personal Data processed by us in relation to career applicants generally include any Personal Data voluntarily provided to us by the applicant by way of the applicant’s curriculum vitae and through any professional references attached or accompanying such applicants curriculum vitae or provided during interviews and assessments.

In general, the data processed include contact details of the applicant (name, surname, email and telephone number), experience, education and professional qualifications, information provided as part of interviews and assessments, social mobility data, assessment and interview results and feedback, offer details.

Purpose of processing

The collection of Personal Data from us shall be restricted to the collection of Personal Data necessary or deemed necessary for the purpose of considering your career application with us.

Legal Basis for Processing Personal Data of Career Applicants

We process Personal Data of career applicants for our legitimate interests, for securing the best applicants to work for us and help us in running our business more efficiently.

Data Retention

We retain the Personal Data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records of unsuccessful career applicants is approximately 6 months from the date when of submission of such Personal Data to us. Personal Data of successful career applicants will be retained as part of such person’s employee data.

Types of Data

Types of Personal Data processed by us in relation to Our employees, including existing employees and individuals who have been employed by us in the past, may include all or any of the following:

– Full name and surname of the employee, date of birth of the aforementioned persons, contact details (including phone, fax, email), residential address, identity card number, passport number, social insurance number, tax identification number, record of promotions, record of income, bank account details.

– any Personal Data voluntarily provided to us by the employee by way of the employee’s curriculum vitae and through any professional references attached or accompanying such employee’s curriculum vitae or provided during interviews and assessments. This may include the employee’s experience, education and professional qualifications, social mobility data, assessment and interview results and feedback, offer details.

– any records and information in relation to the professional licensing and qualifications of the employee, memberships in professional bodies.

– any records and information collected in the context of the Investors In People programme, including evaluation forms.

– we may also process Special Categories of Personal Data, including medical history information and records, social insurance applications for medical leave or maternity/paternity leave.

Purpose of processing

The processing of Personal Data by us shall be restricted to the collection of Personal Data necessary or deemed necessary for the purpose of carrying out our obligations under the employment agreement which the employee is a party to, including the evaluation of the employees and the granting of various benefits, and/or for to enable us to comply with our legal obligations. We may also process employee data in providing and pursuing professional services, for the purpose of processing payments to employees and for defending our legal rights.

The processing of the Special Categories of Personal Data by us, shall be restricted to the processing of such data necessary or deemed necessary for the purpose of providing employees with private medical insurance or as otherwise expressly consented by employees.

Legal basis for processing data

The processing is necessary for

the performance of a contract to which the Data Subject is party and
for compliance with a legal obligation to which we are subject
for compliance with court orders and exercises and/or defend our legal rights
for legitimate interests pursued by us in providing professional services and running an effective business
on the basis of your consent where you have expressly provided such to us.

Data retention

We retain the Personal Data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 7 years following the termination of employment.

Types of Personal Data processed in relation to individuals who get in touch with us with a question, complaint, comment or feedback, including prospective clients, may include, subject to the particulars of the relevant correspondence, all or any of the following:

– Full name and surname of the individual contacting us, name and surname of other individuals associated with the Data Subject, whether on a business or private nature and provided that such individuals are relevant to our correspondence with the Data Subject, contact details (including phone, fax, email), residential address, description of the business activities or of the specifics and nature of the Data Subject’s inquiry.

Purpose of processing

The collection of Personal Data by us shall be restricted to the collection of Personal Data necessary or deemed necessary for the purpose of responding to the inquiry of the Data Subject.

Legal basis for processing data

The processing is necessary in order to take steps at the request of the Data Subject prior to entering into a contract for the provision of services requested of us.

Data retention

We retain the Personal Data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 10 years. In relation to the data of persons who get in touch with us with whom we do not eventually enter into a business relationship, will be retained for 6 months.

Personal Data of visitors to our webpage are automatically collected via the use of cookies and analytics tools on our website. Please refer to the Cookies section within our policy for further information on what data we collect automatically when you visit our page.

Any further Personal Data collected by us is collected via its voluntary submission by you. Such may include name, title, company address, email address, and telephone and fax numbers from website visitors; for example, when an individual registers to our newsletters and updates.

Visitors are also able to send an email to us through the website. Their messages will contain the user’s screen name and email address, as well as any additional information the user may wish to include in the message.

We ask that you do not provide Special Categories of Personal Data to us when using our website.

Purpose of processing

When you provide Personal Data to us, we may use it for any of the purposes described in this privacy statement or as stated at the point of collection (or as obvious from the context of collection), including the provision of newsletters and updates on our business (where such was the purpose at the point of collection). Should visitors subsequently choose to unsubscribe from mailing lists or any registrations, we will provide instructions on the appropriate webpage, in our communication to the individual, or the individual may contact us by email at dataprotection@nobeltrust.com; to administer and manage our website, including to confirm and authenticate your identity and prevent unauthorized access to restricted areas of the site or premium content; to communicate with you in order to distribute requested materials or ask for further information; to sort and analyze user data (such as determining how many users from the same organization have subscribed to or are using our websites); to develop our businesses and services, including aggregating data for website analytics and improvements; aggregating data to conduct benchmarking and data analysis including, for example, regarding usage of our websites; to conduct quality and risk management reviews; to understand how people use the features and functions of our websites in order to improve the user experience; to monitor and enforce compliance with our terms, including acceptable use policies; and any other purposes for which you provided the information to us (such as to subscribe you to our updates and newsletters).

Data retention

Personal Data collected via our websites will be retained by us for as long as it is necessary (e.g. for as long as we have a relationship with the relevant individual).

Security

Once we have received your information, we will take appropriate technical and organizational measures to safeguard your Personal Data against loss, theft and unauthorized use, access or modification. We adhere to policies and procedures and our staff is trained to provide services with outmost care and confidentiality. The organizational and technical measures adhered to are regularly reviewed and updated as required.

Cookies

Our website my use cookies. Where cookies are used, a statement will be sent to your browser explaining the use of cookies. To learn more, please refer to our cookie policy.

Your Rights regarding Personal Data submitted to us

Your rights in relation to the personal information we hold about you, are detailed below. Some of these only apply in certain circumstances as set out below. Information on how such rights may be exercised is also included in the table below. Prior to responding to any of your requests please be advised that we may require you to verify your identity. We must respond to a request by you to exercise those rights without undue delay and at least within one month (although this may be extended by a further two months in certain circumstances).

To exercise any of your rights, please complete the Data Subject Rights Request Form To exercise any of your rights, please complete the Data Subject Rights Request Form and email the form to our data protection officer at dataprotection@nobeltrust.com

Right of access

You have the right to know whether we process personal information about you, and if we do, to access information we hold about you and certain information about how we use it and who we share it with.

If you require more than one copy of the information we hold about you, we may charge an administration fee. We may not provide you with certain personal information if providing it would interfere with another Data Subject’s rights (e.g. where providing the personal information we hold about you would reveal information about another person) or where another exemption applies.

Right to rectification

The accuracy of the information we hold about you is important to us. Under the GDPR you have the right to access the information we hold about you and have any inaccuracies corrected. Where you request correction, please explain in detail why you believe the Personal Data we hold about you to be inaccurate or incomplete so that we can assess whether a correction is required. Please note that whilst we assess whether the Personal Data we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data as described below.

Right to erasure

This is also known as the “right to be forgotten”.

You may request that we erase the Personal Data we hold about you in the following circumstances:

you believe that it is no longer necessary for us to hold the Personal Data we hold about you;
we are processing the Personal Data we hold about you on the basis of your consent, and you wish to withdraw your consent and there is no other ground under which we can process the Personal Data;
we are processing the Personal Data we hold about you on the basis of our legitimate interest and you object to such processing. Please provide us with details as to your reasoning so that we can assess whether there is an overriding interest for us to retain such Personal Data;
you believe the Personal Data we hold about you is being unlawfully processed by us;
you object to the processing of your Personal Data for direct marketing purposes; or
deletion of your Personal Data is sought for the purpose of complying with a legal obligation to which we are subject.

Also note that you may exercise your right to restrict our processing the data whilst we consider your request as described below.

Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure. Please note, however, that we may retain the Personal Data if there are valid grounds under law for us to do so (e.g., for the defense of legal claims, where such deletion would obstruct or interfere with the purpose for which your information was collected and processed, where the deletion would impede with our contractual obligations or freedom of expression) but we will let you know if that is the case.

Where you have requested that we erase data that we have made public and there are grounds for erasure, we will use reasonable steps try to tell others that are displaying the data or providing links to the data to erase the data too, however such erasure is not guaranteed nor should it be considered to be up to us.

Right to portability

You have the right to receive a copy of the Personal Data we collect from you in a structured, commonly used and machine-readable format and a right to request that we transfer such Personal Data to another party. To exercise this right please send an email to our data protection officer, details of which appear below. When sending an email we suggest using the subject ‘PORTABILITY REQUEST’.

If you wish for us to transfer the Personal Data to another party, please ensure you detail that party and note that we can only do so where it is technically feasible. We are not responsible for the security of the Personal Data or its processing once received by the third party.

Please be advised that we may not provide you with certain data if providing it would interfere with another’s rights (e.g. where providing the Personal Data we hold about you would reveal information about another person or our trade secrets or intellectual property).

Right to withdraw consent

Where Personal Data based is processed on the basis of consent, individuals have a right to withdraw consent at any time. We do not generally process Personal Data based on consent as we generally rely on alternate legal basis. Please email us at dataprotection@nobeltrust.com to notify us of any consent withdrawals. If you are on our mailing list for the purpose of receiving newsletters and updates then please be advised that by clicking on the unsubscribe link in the relevant email your consent with regard to this type of processing will automatically be considered to have been withdraw and no further email shall be required to be sent.

Restriction of Processing to Storage Only

You have a right to require us to stop processing the Personal Data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the Personal Data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or for another’s protection).

You may request we stop processing and just store the Personal Data we hold about you where:

you believe the Personal Data is not accurate for the period it takes for us to verify your claim;
we wish to erase the Personal Data as the processing we are doing is unlawful but you want us to retain the Personal Data for storage but not further process it;
we wish to erase the Personal Data as it is no longer necessary for our purposes but you require it to be stored for the establishment, exercise or defense of legal claims; or

you have objected to us processing Personal Data we hold about you on the basis of our legitimate interest, and you wish us to stop processing the Personal Data whilst we determine whether there is an overriding interest in us retaining such Personal Data.

Right to Object

You have the right to object to the processing of your data when the legal basis for the processing of your data is necessary for a legitimate interest pursued by us or a third party or where processing of your personal details is carried out for direct marketing purposes. Should you exercise your right to object we will take appropriate steps to ensure that your request is complied. To object to our processing please email us at dataprotection@nobeltrust.com .

When and how we share Personal Data and locations of processing

Personal Data collected and processed by us will not be sold, leased or rented to any person. We may however share your Personal Data with others, provided that we are legally permitted to do so. Appropriate contractual arrangements and security measures shall be applied in cases where your data is shared so as to protect your data and to maintain compliance with our data protection policy, confidentiality and security standards.

Personal Data held by us may be transferred to the following categories of recipients:

Third parties providing functionality services to us

Third parties are widely used by us for the purpose of providing support to us and to generally help us provide, run and manage our internal IT systems. This includes providers of information technology, cloud-based software, website hosting and management providers, data analysis, data back-up, security and storage services, payment providers including banking institutions. The servers powering and facilitating cloud infrastructure are located in secure data centres in Europe, and Personal Data may be stored in any one of them.

Further details of the majority of this category of service providers is included below. The below list is non-exhaustive:

Name of Recipient /Purpose

SOFT1 / Communication, document management

IZIDOCS / Document storage and management, including a record of emails

GOOGLE mail / Business applications, such as email, documents and calendar

Third party organizations that otherwise assist us in providing goods, services or information

On certain client engagements, we may engage or otherwise work with other professional providers to help carry out the services which we have been engaged to provide. In such case the client will be notified of the name and details of such service provider and will be urged to consider the privacy policy of such professional.

This type of transfer may include or require transfers to countries outside the European Union and/or countries that do not comply to the standard of protection and safety of Personal Data provided by the GDPR. In such cases we shall take steps to ensure all Personal Data is provided to such parties with adequate protection and done lawfully in accordance with the requirements of the GDPR.

Auditors, insurers and professional advisers

Our auditors are Grant Thornton (Cyprus) Ltd. We have a number of business insurance policies in place and we may need to share Personal Data with the insurer, for example, in the event of a claim. We may use other professional advisers, for example, law firms, as necessary to establish, exercise or defend our legal rights and obtain advice in connection with business related operations. Personal Data may be shared with these advisers as necessary in connection with the products and services they have been engaged to provide.

Law enforcement agencies or other public authorities and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation

Occasionally, we may receive requests from law enforcement agencies, regulatory or other public authorities which relate to or require the disclosure of Personal Data and we may proceed with such disclosures in good faith where we deem such disclosure to be reasonably necessary in order to comply with a legal obligation, to detect, prevent, investigate or otherwise address security, alleged crime, fraud or technical issues, to protect our rights, the rights of our partners, employees or as required by law.

Employee personal data to clients / potential clients

Personal Data relating to employees may be transmitted to clients and or potential clients.

Deliverables

For the purposes of our engagement, we may be required to process Personal Data and such Personal Data may be included in our deliverables (e.g. in court documentation or due diligence reports).

Anonymized/ Pseudonymized Sharing

We are members to several legal and professional networks of legal firms. Anonymized or pseudonymized data regarding yourself may be transferred to such other legal or professional networks, or participant firms, in good faith, for statistical purposes.

Queries and Complaints

In the event that you wish to be provided with further information on any of the particulars of this Privacy Policy or where you wish to make a complaint about how we process your Personal Data, please contact us at dataprotection@nobeltrust.com and we will endeavor to deal with your request as soon as possible.

This does not interfere with your right to raise a complaint with the data protection supervisory authority:

Data Protection Commissioner

1 Iasonos street, 1082 Nicosia

P.O. Box 23378, 1682 Nicosia

Tel: +35722919456

Fax: +35722304565

Email: commissioner@dataprotection.gov.cy

Changes to Privacy Notice

Any changes we make to our Privacy Policy in the future will be posted on our website and we will notify our clients accordingly. Please check back frequently to see any updates or changes to our Privacy Notice. Any changes to this Privacy Policy will become effective when we post the revised Privacy Policy on our website, save as otherwise expressly agreed between us. Your use of the website, or continued participation in accordance with the purpose for which your data is being processed, following these changes means that you accept the revised Privacy Notice.

This Privacy Notice was last updated in September 2018.