Privacy Policy

Last Updated: August 20, 2025

This Privacy Policy (“Policy”) applies to V CHARALAMPOUS LLC, a law firm established in Cyprus and registered under registration number 470047 (“we”, “us”, “our”). We are committed to protecting personal data and complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Cyprus legislation.

For the purposes of the GDPR, we act as a data controller when we determine the purposes and means of processing personal data.

1. Personal Data We Collect

We only collect data that is necessary for the purposes described in this Policy. Depending on the engagement, this may include:

• Identification and contact details (name, address, P.O. box, telephone numbers, email, fax).
• Demographic and civil data (date/place of birth, nationality).
• Official identifiers and documents (ID/Passport/Visa details and information shown on them).
• Financial and billing details (IBAN, bank details, payment information, tax numbers).
• Employment and professional information (employer, role/title, CVs, references).
• Matter-related data (contract details, ownership records, property information, corporate filings).
• Images and recordings (CCTV at entrances/common areas, meeting logs where applicable).
• Online identifiers where relevant (professional profiles, public social media IDs).
• Any other information you choose to provide or that we obtain lawfully from third parties or public registers.

If you provide us with personal data about other individuals (including minors), you confirm you have the authority to do so and to permit processing under this Policy.

2. How We Collect Data

• Directly from you: in meetings, by phone, email, forms, or via our website.
• Indirectly: through authorised representatives, introducers or business partners.
• Public sources: registries and databases (e.g., Registrar of Companies, Land Registry).
• Digital channels: professional networks and messaging platforms where you contact us (e.g., LinkedIn, WhatsApp, Viber).

3. Purposes of Processing

We process personal data strictly where necessary and proportionate for:

1. Provision of legal and related services: advocacy and representation, advice and legal opinions, corporate and fiduciary work, drafting and negotiation of contracts, representation before authorities (including Land Registry, Tax Department, Migration), and bank account opening assistance in Cyprus or abroad.
2. Client service and operations: correspondence, file/matter management, conflict checks, data analysis, internal audits, and business continuity.
3. Security and fraud prevention: access control, CCTV at entry/common areas, and IT security monitoring.
4. Recruitment: assessment of candidates and maintaining shortlists.
5. Legal and regulatory compliance: AML/CFT, sanctions screening, tax and corporate filings, responding to authorities and regulators.
6. Legitimate interests: protection of our rights, improving services, and managing risk.

If we intend to use personal data for a new purpose incompatible with the original one, we will notify you in advance and, where required, seek your consent.

4. Lawful Bases

Depending on the context, we rely on one or more of the following legal bases under Article 6 GDPR:

• Contract (Art. 6(1)(b)) — processing necessary to perform or enter into our engagement with you.
• Legal obligation (Art. 6(1)(c)) — compliance with laws (e.g., AML, tax, regulatory duties).
• Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve our services, balanced against your rights.
• Consent (Art. 6(1)(a)) — where required for specific activities; you may withdraw consent at any time.
• Vital interests (Art. 6(1)(d)) — in emergencies affecting life or physical integrity.

5. Special Categories and Criminal Data

We do not routinely collect special category data (e.g., health, biometrics, beliefs) or criminal conviction data. Where such processing becomes necessary (for example, due to the nature of a legal matter), we will rely on an appropriate Article 9 GDPR condition and applicable Cyprus law, and we will limit access on a strict need-to-know basis.

6. Disclosures and International Transfers

We may share data, under confidentiality and on a need-to-know basis, with:

• Our partners, lawyers, and authorised staff.
• Professional advisors (accountants, auditors, counsel, experts).
• Banks and financial institutions.
• Public bodies and regulators (e.g., Registrar of Companies, Land Registry, Tax Department, courts, law enforcement) where legally required.
• IT, hosting, and administrative service providers bound by contractual safeguards.

We do not sell personal data. Where data is transferred outside the EEA, we will ensure an adequate safeguard is in place (e.g., an EU adequacy decision or Standard Contractual Clauses).

7. Data Security

We implement appropriate technical and organisational measures, including:

• Encryption of servers and protected network architecture.
• Role-based access, physical security of premises, and access control.
• CCTV coverage of entrances and common areas.
• Strong authentication and secure backups.
• “No removable media” and “clean desk” practices.
• Regular reviews of suppliers’ security controls where relevant.

We will never ask for payment card details or other highly sensitive information by unsolicited email or text. If you suspect your data has been compromised, notify us immediately at info@acharalampouslaw.com.

8. Retention

We keep personal data only for as long as necessary for the purposes set out in this Policy or as required by law and professional rules. As a general guideline:

• Client/matter files: typically 7 years from matter closure (or longer if legally required or necessary for establishment, exercise, or defence of legal claims).
• CVs and recruitment records: typically 1 year unless a longer period is agreed or required.

After expiry of retention, data is securely deleted or anonymised (including from backups where practicable).

9. Your Rights

Subject to conditions and exemptions under the GDPR, you may have the right to:

• Access your data and receive a copy.
• Request rectification of inaccurate or incomplete data.
• Request erasure where applicable (“right to be forgotten”).
• Request restriction of processing in certain circumstances.
• Object to processing based on our legitimate interests.
• Object to direct marketing at any time.
• Data portability (where processing is based on consent or contract and carried out by automated means).
• Withdraw consent where processing is based on consent (without affecting prior lawful processing).
• Lodge a complaint with the Office of the Commissioner for Personal Data Protection (Cyprus).

10. How to Exercise Your Rights

Please contact us in writing (email is acceptable) and include sufficient information to verify your identity and locate your data. For your protection, we may only act on requests sent from the email address associated with your engagement or after additional ID verification.

11. Minors

We do not knowingly collect personal data from individuals under 18. If you provide information about minors, you confirm you have appropriate legal authority from the holder(s) of parental responsibility.

12. Updates to This Policy

We may amend this Policy from time to time. The most recent version will always be available on this page and will indicate the effective date above. Continued use of our website or services following changes signifies acceptance of the updated Policy.

13. Contact

If you have questions about this Policy or our data practices, please contact us at: