Privacy - Personal Data Protection Policy


The General Data Protection Regulation (hereinafter “GDPR”) is a new EU Regulation on data protection which was approved by the EU Parliament on 14 April 2016; its date of effect has been set as at 25 May 2018 and all EU Member-States, including the Republic of Cyprus, must comply with its provisions. It replaces the previous EU Data Protection Directive no. 95/46 EC.

Its main target and core principle is obviously to enhance personal data protection (to safeguard the rights of EU data subjects) and regulate all areas of personal data collection, use, storage, archiving, processing, access, destruction, transmission etc.

Its further aim, in our opinion, is to enhance and ease the flow of personal data among the 28 EU Member-States, harmonize EU data protection legislation among its EU Members and contribute to a “Single Digital Europe” as it is often referred to in various scholarly articles.


The GDPR Regulation covers all organizations established in the EU, as well as organizations located outside the EU which provide good or services / monitor the behavior of EU residents – the so-called “data subjects”.

Our law firm is based / established in Nicosia, in the Republic of Cyprus, an EU Member-State, hence it is definitely caught under the ambit of this new EU Regulation.


“Personal data” has a pretty wide definition under this new Regulation, and includes all data which is used to identify, whether directly or indirectly, a physical person; it includes, among other, names, a passport no., date of birth, photo, passport copies, contact details, residential address, email addresses, posts on social networks etc.


“Processing” is a very wide definition which includes the collection, storage, filing, structuring, transmission, consultation, use etc. of data, and even includes destruction of such personal data.


“Controller” is the person / organization which collects personal data of data subjects and controls / decides how they are processed. A “Processor”, on the other hand, acts on behalf of the Controller and processes such data (eg. a law firm is a “Controller” and the responsible IT department may be its “Processor”).

In our case, Yiola Stavraki LLC would be deemed as the “Controller” and also “Processor” in certain cases.

Current Legislation on Personal Data Protection

When collecting, processing and storing personal data provided by a client, Yiola Stavraki LLC is currently subject to the provisions of the Processing of Personal Data (Protection of Individuals) Law of 2001, Law No. 138(I)/2001 of the Republic of Cyprus, as amended by the Processing of Personal Data (Protection of Individuals) (Amendment) Law of 2003, Law No. 37(I)/2003, and the Processing of Personal Data (Protection of Individuals) (Amendment) Law of 2012, Law No. 105(I)/2012, which implemented Directive 95/46/EC of the European Parliament and of the Council, on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The above EU Directive is soon to be replaced by the GDPR to enter into effect on the 25th of May 2018, as aforesaid.

Collection, storage, archive, use, processing and transmission of personal data

By becoming a client of our law firm, you thereby automatically consent to the collection, storage, archive, use, processing and possibly transmission of your personal data.

Your personal data is collected, archived, stored, processed, managed and used for specific, explicit and legitimate purposes and as required to be able to provide quality legal services to you, whether following a contract entered with you as client or otherwise, to deal with your requests to provide you with a fee quote and initial advice as necessary to provide a service to you, and as authorized by or in order to comply with applicable legislation, such as the Cyprus AML Laws, EU Regulations and Directives, Tax Laws, as well as Directives and Circulars issued, from time to time, by the Cyprus Bar Association (the governing and supervisory body which regulates all law firms in Cyprus). We also process, manage and store information for which you have provided your written consent to such use or in case we consider such use of your information as not detrimental to you, within your reasonable expectations, having a minimal impact on your privacy, and necessary to fulfil our legitimate interests. Finally, we may also manage, process and keep such personal data to establish, exercise or defend legal rights / legal claims or proceedings.

The personal data collected from you, and stored, archived and processed, is used, among other, for due diligence (KYC) purposes as required by the aforesaid AML Laws and other Regulations, Directives and Circulars, in order, among other, to verify your identity, to confirm your address and contact details, to provide us details on your and your company’s activities / business experience and occupation (through, for instance, copy of your CV), to construct your economic profile (through copy of a bank statement / CV), to provide us with a reliable third party reference on you (such as through a lawyer’s, accountant’s or bank’s reference letter), to determine and justify your source of funds etc. These are required to enable us to comply with our legislative and regulatory duties, especially when registering and administering a Cyprus or foreign Company of which you are the ultimate beneficial owner, shareholder and/or in which you act as a director or other officer and/or, among other, when you carry out certain financial transactions, such as the sale and purchase of property through our law firm, as stipulated under the relevant AML Legislation. Your personal data will need to be stored by our law firm for a minimum period of five (5) years following the termination of the business relationship with you (while the VAT / Tax Legislation in Cyprus also currently provides that such documents should be stored for a minimum of six (6) years even after the termination of such business relationship with the client, which may also apply in your case).

We will disclose your personal data where required to do so by Law or a Court order, under a pending investigation by responsible regulatory or Governmental authorities, or if we believe that such action is necessary to comply with the law and the requests of law enforcement / regulatory / governmental authorities or to protect the security or integrity of our services.

Who may Use, Control and Process your Personal Data

Our law firm, any agents / employees / authorized persons which we may engage and use for the purpose of collecting, storing, archiving, structuring, processing and even destroying personal data and any third parties or associates acting on our or your behalf, may collect, process and store personal data provided by you. This may also include, among other and without limitation, accountants, auditors and bankers chosen by yourself, IT system or software providers, IT support service providers, translators who undertake the translation of your personal data and certifying officers undertaking the certification and/or apostil of your documents, as may be required to comply with AML Laws and Regulations, or as required to perform the relevant legal services etc. This may also include, in certain cases, Courts, tribunals, Government, regulatory or law enforcement authorities.

Clients’ rights

All our clients – data subjects have various rights under the applicable Legislation and GDPR, among other, the right to access and amend / rectify and update their personal data, if they are deemed outdated or incorrect, the right to object to the processing of their data or have them deleted (save as otherwise provided under applicable Legislation, Directives and Regulations, such as AML Laws and Regulations and/or relevant Tax Laws which require us to keep such personal data for a specified period of time) and the right to obtain a copy of and transmit elsewhere such personal data. Clients also have the right to request and receive from our law firm reasonable information regarding their personal data which have been collected, processed, stored and used by our firm. A reasonable fee may be charged by our law firm, if so permitted by applicable laws, in terms of certain of the above actions which may be requested by the client.


By becoming a client of our Company, you thereby consent to the collection, use, processing, transmission and storage of your personal data, in compliance with this Privacy Policy, other related internal circulars of our office which may be issued, from time to time, and of which you may request a copy, and in accordance with applicable Legislation, Directives, Regulations and Circulars issued by responsible and regulatory authorities.

Commitment to Safeguarding your Personal Data

We note that we are deeply committed to protecting your personal data and have taken a series of reasonable organizational and technical steps to safeguard your data, including updating our office privacy – data protection policies, enhancing our IT systems and software etc., however, we note that no security is infallible and by becoming our client you thereby recognize this fact. For instance, among other, any emails sent to our firm could possibly be intercepted or breached, despite all technical measures we have taken to comply with GDPR, and for which you assume the relevant risk and bear full responsibility; you should bear in mind that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. Further, we do not assume and cannot take any responsibility whatsoever for the security of any other links which you may access from our website, and for which you also bear full responsibility.

Policy changes

Our law firm reserves the right to amend, update and/or modify the present Policy at any time whatsoever, whether or not in compliance with recent changes in applicable data protection and privacy laws. You are therefore encouraged to visit our firm’s website from time to time to be informed of any such amendments.


Any queries or concerns which you may have about this Policy should be sent to us in writing via email (to the email address yiola@stavraki-law.com). Our law firm will investigate and attempt to resolve any concerns you may have or complaints regarding the use and disclosure of personal data in accordance with this Policy.


The content of the present Policy is simply for information purposes to all our clients. It may not be deemed or relied upon as direct legal advice to any person or third party whatsoever. It has been prepared for general guidance on matters of interest only, and does not constitute professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, nor is there any direct or indirect liability or responsibility assumed by our law firm in respect thereof.