Data Protection Policy of KM BLUEBRIDGE LIMITED

In this Data Protection Policy we, KM Bluebridge Limited (hereinafter BLUEBRIDGE, we or us), describe how we collect and process personal data. This is not an exhaustive description; where appropriate, other data protection policies or general terms and conditions, conditions of participation and similar documents may apply to specific circumstances. The term “personal data” is here deemed to include all information referring to an identified or identifiable person.

If you provide us with personal data of other persons (e.g. family members or work colleagues), please make sure that these persons are aware of this Data Protection Policy, and provide us with their personal data only if you are allowed to do so and such personal data is correct.

This Data Protection Policy is in line with the EU General Data Protection Regulation (GDPR).

1. Controller / Data Protection Officer / Representative

Unless specifically otherwise indicated, BLUEBRIDGE is the “controller” of data processing carried out by us. If you have data protection related concerns, you can inform us using the following contact details: KM BLUEBRIDGE Limited, Data Protection Officer, 50 Spyrou Kyprianou Avenue, Irida Tower 3, Floor 5, 6057 Larnaca, Cyprus, E-Mail: E. hello@bluebridgelimited.com, Website: https://bluebridgelimited.com (these are also the contact details of our Data Protection Officer in accordance with Art. 37 GDPR).

2. Collection and Processing of Personal Data

We primarily process personal data (such as name, address, date of birth, national insurance number, account numbers, etc.) that we obtain from our clients and other business partners as well as other individuals in the context of our business relationship with them or that we collect from users when operating our websites, apps and other applications.

To such a degree as it is permitted to us, we also obtain certain data from publicly accessible sources (e.g. debt registers, land registries, commercial registers, press, internet) or we may receive such information from affiliated companies of BLUEBRIDGE, from the authorities or other third parties, such as the providers of background checks. Insofar as these third parties are themselves wholly or partly responsible for the processing of these data, their data protection regulations apply additionally (e.g. the data protection regulations of LexisNexis, available at https://www.lexisnexis.com/global/privacy/de/article-14-bis.page).

Apart from data you provided to us directly, the categories of personal data that we receive about you from third parties include, but are not limited to: information from public registers, data received in connection with administrative or court proceedings, information in connection with your professional role and activities (e.g. in order to conclude and carry out contracts with your employer with your assistance), information about you in correspondence and discussions with third parties, credit rating information (where we conduct business activities with you personally), information about you given to us by individuals associated with you (family, consultants, legal representatives, etc.) in order to conclude or process contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney), information regarding legal regulations such as anti-money laundering and export restrictions, bank details, information regarding insurances, our distributors and other business partners for the purpose of ordering or delivering services to you or by you (e.g. payments made, previous purchases), information about you found in the media or internet (insofar as indicated in the specific case, e.g. in connection with a job applications, marketing/sales, etc.), your addresses and any interests and other socio-demographic data (for marketing purposes), data in connection with your use of the website (e.g. IP address, MAC address of your smartphone or computers, information about your device and settings, cookies, date and time of your visit, site and content retrieved, applications used, referring website, localisation data).

3. Purpose of Data Processing and Legal Grounds

We primarily use the collected personal data to conclude and process contracts with our clients and business partners, particularly within the framework of business consulting, legal and tax advice compliance services, administration services, Automatic Exchange of Information and the procurement of products and services from our suppliers and sub-contractors, as well as in order to comply with our domestic and foreign legal obligations. You may of course also be affected by our data processing in your capacity as an employee of such a client or business partner.

Furthermore, we also process your personal data and personal data of third parties, where permitted and advisable in our opinion for the following purposes, which are in our (or, as the case may be, any third parties’) legitimate interest, such as:

If you have given us your consent to process your personal data for certain purposes (for example, registering for the receipt of newsletters), we will process your personal data within the scope of and based on this consent, unless we have another legal basis, provided that we require one. Consent given can be withdrawn at any time, but this does not affect any data processing already carried out.

4. Cookies / Tracking and other Techniques Regarding the Use of Our Website

For information relating to data processing via our website, please refer to our online data protection policy.

5. Datatransfer and Transfer of Data Abroad

In the context of our business activities and in line with the purposes of the data processing set out in Section 3, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, either in order for them to process data for us, or for their own purposes. In particular, the following categories of recipients may be concerned:

all together Recipients.

Certain Recipients may be within the European Union but can be anywhere in the world. In particular, you must anticipate your data to be transferred to all countries in which BLUEBRIDGE may be represented by affiliates, branches or other offices, as well as in other countries in Europe and the USA where we are acting on your behalf or where our service providers (e.g. LexisNexis) are located. If we transfer data to a country without adequate legal data protection, we ensure an appropriate level of protection as legally required by using appropriate contracts (in particular based on the “standard contractual clauses” of the European Commission, which can be accessed at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en) or binding corporate rules or we rely on the statutory exceptions of consent, performance of the contract, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data, or because it is necessary to protect the integrity of the persons concerned. You can obtain a copy of the mentioned contractual guarantees at any time from the contact person named in Section 1 above, if they are not available under the above mentioned link. However, we reserve the right to redact copies for data protection reasons or reasons of secrecy or to provide excerpts only.

We are entitled to transfer your data to a country that does not have adequate legal data protection without implementing one of the above mentioned measures if the transfer of the data is necessary for the conclusion or fulfilment of a contract between you and us, or for the implementation of pre-contractual measures at your request. We are likewise entitled to transfer your data to a country that does not have adequate legal data protection without implementing the above mentioned measures if this is necessary for the conclusion or fulfilment of a contract between us and an individual or legal entity that is in your interest. Where data of third parties, such as e.g. family members, has to be transferred in the above-mentioned cases, you are responsible for obtaining any consent required from these third parties.

6. Retention Periods for your Personal Data

We process and retain your personal data as long as required for the performance of our contractual and national and international legal obligations or for other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. It is thus possible that personal data may be retained for the period during which claims can be asserted against our company or insofar as we are otherwise legally obliged to do so, or if legitimate business interests require further retention (e.g. for evidential and documentation purposes). As soon as your personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymised, to the extent possible.

7. Data Security

We have taken appropriate technical and organisational security measures to protect your personal data from unauthorised access and misuse such as issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, inspections.

8. Obligation to Provide Personal Data to Us

In the context of our business relationship you must provide us with any personal data that are necessary for the commencement and carrying out of a business relationship and the performance of the contractual obligations relating to it. Without this data, we will usually not be in a position to enter into or conclude a contract with you (or the office or person that you represent). In addition, the website cannot be used unless certain information to ensure data traffic (e.g. IP address) is disclosed. Where you provide third party data to us which we have to process on your behalf for the conclusion or performance of the contract with you, you bear the responsibility for the existence of an adequate legal basis.

9. No Automated Decision Making

In establishing and carrying out a business relationship, and also in other situations, we generally do not use any fully automated individual decision-making (such as pursuant to Art. 22 GDPR). Should we use such procedures in certain cases, we will inform you separately about this and advise you of your rights in this connection.

10. Your Rights

In accordance with the data protection law applicable to you and as envisaged therein (as in the case of the GDPR), you have the right to information, rectification, erasure, the right to restriction of processing or to object to our data processing, as well as the right to receive certain personal data for transfer to another controller (data portability). Please note however that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest in it (insofar as we are permitted to invoke such interest) or need the data for asserting claims. Should you incur costs in exercising such rights, we will notify you thereof in advance. We have already informed you of your right to withdraw consent in Section 3 above. Please note that exercising these rights may come into conflict with contractual agreements and this may have consequences such as the premature termination of the contract or cost implications. If this is the case we will inform you in advance unless it has already been contractually agreed upon.

In general, exercising these rights requires you to clearly prove your identity (e.g. by means of a copy of an identity document, where your identity is otherwise not clear, or cannot be verified in another way). In order to assert these rights, you can contact us at the address given in Section 1.

Furthermore, every data subject has the right to enforce his/her rights through the courts or to lodge a complaint with the competent data protection authority. The competent data protection authority in Cyprus is the Commissioner for the Protection of Personal Data (http://www.dataprotection.gov.cy).

11. Amendments of this Data Protection Policy

We may amend this Data Protection Policy at any time without prior notice. The currently valid version is published on our website. If the Data Protection Policy is part of an agreement with you, we will notify you by e-mail or other appropriate method in case of an amendment.

Version 25.11.2019

Online Data Protection Policy