DATA PROTECTION

1. What is the GDPR?

GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). The new European Union Regulation is set to replace the current Data Protection Directive (95/46/EC) as well as the Cyprus Data Protection Law of 2001 [and amendments of 2003]. The aim of the Regulation is to ease and safeguard the flow of personal data across the 28 EU Member States. Being an EU Regulation, it is directly applicable to each Member State’s national law.

2. When will the GDPR come into effect?

The GDPR has been approved by the EU Parliament on April 14th 2016 and will come into effect on May 25th 2018.

3. Who does the GDPR affect?

The new legal framework mainly affects businesses offering goods or services or performs monitoring of EU-based individuals, be it these are customers, prospects, contractors or employees. It also affects any businesses located outside the EU, which hold or process personal data of individuals residing within the EU.

4. What we mean by personal data and special categories of personal data?

Personal data are any information relating to an individual, whether it relates to his or her private, professional or public life. It can be a name, an address, a telephone number, an email address, BKMS details, or an IP address or a combination of them.
 
Special categories of personal data, also known as sensitive personal data, which uniquely identify a person, are classified in the GDPR as sensitive data, like genetic and biometric information. Sensitive data are under very strict processing restrictions, like the stricter handling of that data such as the need to provide explicit consent.

5. What does "processing" mean?

Processing means anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). This definition is significant because it clarifies that the EU data protection law is likely to apply wherever an organisation does anything that involves or affects personal data.

6. What are the key principles that each businesses should follow when processing personal data?

  • Personal data should be processed lawfully, fairly and in a transparent way.
  • Collection of personal data should be relied on an explicit reason for being collected
  • The requested data must be only limited to what is necessary for the specific service to be carried out.
  • Personal data should be accurate and updated at regular intervals.
  • Personal data should not be kept for longer than necessary.
  • Data should be processed in a manner that safeguards the security of the personal data.


 7. What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data. The controller is the one who collects the data from the data subject.

The processor is an entity which processes personal data on behalf or upon the request of the controller.

However, if you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

For example, a BKMS is a controller while an external vendor of the BKMS, such as an IT company, is a processor.

8. What rights will individuals have under GDPR?

One of the key ways the GDPR issue affects all organisations is the new extended set of rights granted to individuals, as outlined below:

Right to be informed - Organisations need to be clear and transparent on how they use personal data, which would typically be displayed through the organisation’s Privacy statement.

Right of access - Individuals are entitled to know what information is held about them and how it’s processed. They should be able to gain unlimited access to this information.

Right of rectification - Individuals are entitled to have their personal data corrected in case they are inaccurate or incomplete.

Right to erasure (also known as the right to be forgotten) - Individuals have the right to request the removal of personal data where there is no compelling reason for its continuing with their processing.
 
Right to restrict processing - Individuals have a right to request to block or suppress processing of their personal data. This however may be declined by the organisation on a number of grounds.

Right to data portability - The right to data portability allows individuals to receive a copy of their personal data and transfer them from one IT environment to another, safely and securely.

Right to object - Individuals have the right to object to the use of their personal information in certain circumstances.

Right to not be subject to automated decision making - In specific circumstances, individuals have the right not to be the subject of a decision which has either a legal bearing on them, and is based on automated processing. This however may be declined by the BKMS on a number of grounds.

Right to lodge a complaint - If individuals have exercised any or all of their data protection rights and still feel that their concerns about how the organisation uses their personal data have not been adequately addressed by the organisation, they have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection at http://www.dataprotection.gov.cy/.

The BKMS enables individuals to address their data protection concerns by submitting a complaint at www.bkmsgroup.com

 9. What are the penalties in case of non- compliance?


For infringements relating to transparency of information and communication, or data processing organizations could be fined up to EUR10M or 2% global turnover, whichever is higher. For infringements relating to data processing, consent, data subject rights and actual data breaches, organizations could be fined up to EUR20M or 4% of global turnover, whichever is higher.

10. What is a Privacy statement?

If an organisation holds information on individuals, they must provide a detailed explanation on these, like what information they hold on them, how their data is processed and where it is kept. This can be done through a Privacy statement which should be made publicly available to them. The GDPR accordingly states that this statement should be clear, easy to access and free of charge.

The Privacy statement for the BKMS can be found at our website www.bkmsgroup.com and also or in the due diligence documents of BKMS.

11. What are the lawful bases of processing and when is consent required?

Any processing of personal data must be lawful and fair, transparent to data subjects while any information and communication regarding personal data is easily accessible and easy to understand. The organisation identifies below the lawful basis for any processing of personal data when:

They have obtained direct consent from the individual or the data subject, to the processing of his/her personal data;

There is a necessity to perform a contract- processing is needed in order to enter into or perform a contract;

For protecting the vital interests of the individual-it is vital that specific data are processed for matters of life and death;

There are legal obligations of the organisation- the organisation is obliged to process personal data for a legal obligation [ e.g. for compliance to anti money laundering regulations];

There is a necessity for the public interest- processing by public authorities and organisations in the scope of public duties and interest; and

There is a legitimate interest for the organisation- There should be a compelling justification for processing and using personal data or when the organisation uses it in a way people would reasonably expect. It is also important to conduct a legitimate interests’ assessment and keep records of it.

12. When can personal data be transferred outside of the EU?

There are restrictions on the transfer of personal data, outside the EU, to other countries or international organisations, imposed for the protection of individuals and their personal data as provided by the Regulation.
 
Transfers require the approval of the Commissioner for Personal Data Protection while in certain other cases to inform the Commissioner.

The transfer of personal data outside the EU is only allowed, provided certain conditions are met for example:

  • where the European Commission has designated a third country or an international organisation as providing an adequate level of personal data protection; or
  • where model contracts exist based on agreements on transfers made between organisations within a group, called standard data protection clauses or binding corporate rules; or
  • where an approved certification mechanism applies, e.g. EU-US Privacy Shield.
  • In addition, a transfer may be made where the individual has provided specific consent, it is necessary for the performance of a contract between the individual and the organisation if:
  • it is necessary for reasons of public interest,
  • it is necessary for the establishment, exercise or defence of legal claims,
  • it is necessary to protect the vital interests of the data subject or other persons.


13. Does my company need to appoint a Data Protection Officer (DPO)?

Organisations are required to appoint a Data Protection Officer (DPO) if its main activities involve the processing of personal data on a large scale and/or involve continuous monitoring of personal data.


The DPO be an employee of the organisation, only if his duties do not conflict with his role as a DPO, or he can be outsourced.

14. What are the DPO’s responsibilities under GDPR ?

The responsibilities of the DPO, as defined in Article 39, are briefly are as follows:

  • Το inform and advise the organisation and staff about their obligations under the GDPR;
  • Το monitor compliance with the GDPR by the controller or processor;
  • Το advise on data protection impact assessments and monitor their performance; and
  • Cooperate and liaise with the supervisory authority on data processing-related issues.


The contact details of the assigned DPO of BKMS are shown on the Privacy statement for the BKMS and updated on our website at www.bkmsgroup.com

15. What are the rules on security under the GDPR?

GDPR safeguards personal data by ensuring they are processed in a manner that ensures their security, including protection against unauthorised or unlawful processing as well as against accidental loss, destruction or damage.

Organisations should have appropriate technical or organisational measures in place to prevent such personal data leaks or unlawful processing.

Useful links:
For further reference regarding GDPR legislation, please refer to the General Data Protection Regulation at
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN 



1. What is VAT?
 VAT stands for value added tax and is an end-consumer sales tax paid on almost all goods and services in Europe and other countries, too. For businesses it is thus, generally speaking, a deductible or refundable tax. 

2. Why bother recovering VAT?
Because VAT rates typically run between 15% and 25%, and because companies that are registered taxpayers can frequently recover the VAT they have paid. Companies eligible for VAT refunds are currently reclaiming only a fraction of the billions they are paying in European VAT. Since most of these businesses simply book VAT expenses as costs, they are not aware of the real potential of making savings by recovering VAT. 

3. What VAT expenses can be recovered?
You can recover most of your VAT expenses such as those paid on 
-business travel costs (car rentals, hotel accommodation, meals, gas expenses, telephone expenses, etc.) 
-business operating expenses (such as fuel, aircraft handling and maintenance costs, storage etc.) 
-marketing, advertising services and professional advice such as that obtained through business 
-consultancy services, etc. 
-trade-fair expenses and conference costs 
-purchases of goods, machines and equipment 

4. What level of VAT refunds are we talking about?
This may vary widely depending on the type of business and the type of business expense. For example, in the case of a business which has incurred trade-fair expenses abroad this may mean a VAT refund of “only” a few thousand Euros whereas a multi-national company may have VAT refunds that run into their millions.  Our company can tell you what refunds are possible for which country and can help you estimate what you might save in claiming refunds instead of simply booking VAT payments as costs by examining your business records.  We can achieve a maximization of VAT refunds through our experienced handling of your claims which can also mean quicker availability of VAT refunds. 

5. How complex is the task of recovering VAT?

Getting VAT refunds is in principle a highly complex affair, requiring in-depth expertise and firsthand experience of dealing with foreign fiscal authorities. We can make getting your VAT refunds a no-fuss, low-cost, no-refund-no-fee affair by  -identifying which invoices and receipts are eligible for tax refunds  -offering you advice on the required form and nature of invoices and receipts so as to maximize your VAT refund possibilities now and in the future  -execute all correspondence with tax authorities on your behalf, in the native language required, including the drawing up and filing of appropriate VAT refund claims and reviewing tax assessment notices, lodging appeals, etc. 

6. What does our Company charge for its service?
As already stated above, we operate on a no-refund-no-fee basis. Our fees are deducted from successfully recovered VAT refunds on a percentage basis. 

7. What types of documents are needed for VAT claims?
-original records; since originals are required for filing claims, i.e. original invoices (not merely credit card slips or copies of invoices), original import documents, etc., a search of files will need to be carried out, extracting documents and replacing them temporarily with photocopies so as to preserve your filing system; the originals are then returned after processing of the VAT refund. 
-application form(s) signed in the hand of a fully authorized signatory 
-proof of registration as a corporate taxpayer 
-power of attorney granting authority to process your VAT recovery claim 

8. When can VAT claims be made and what deadlines need to be observed?

VAT recovery claims generally must cover at minimum a three month period (an exception is made for claims covering the remaining period of a fiscal year), but not more than a year (Belgium and The Netherlands accept invoices from the past five years). Certain limitations also apply to the minimum amount of VAT reclaimable for certain periods of time.
 
-For EU Companies with invoices issued between 1/1-31/12/2010 the submission deadline is the 30/9/2011 

-For Non-EU companies with UK invoices issued between the 1/7/2010-30/6/2011 the submission deadline is the 31/12/2011  

For us to process and file your claims in a due and proper manner we require that all relevant documents reach us by three months before the above deadlines. 

9. How long does it take for VAT to be refunded and how are refunds paid out?
VAT refunds are generally paid out within 3 to 12 months. VAT refunds we have reclaimed on your behalf flow into a separately account and are paid out to you within 30 days of their receipt.

VAT

1. Requirements for annual audited accounts?
Yes. Shipping companies are exempt.

2. Residential & professional qualification for auditor?
Accounts audited by accountants practicing in Cyprus.

3. Annual audited accounts to be filed at public registry or only with tax authorities?
Audited financial statements have to be submitted to Inland Revenue and the Registrar of Companies.

4. Annual Tax, license fees or duty
12,5 percent of net assessable income which is the lowest in the European Union and 350 euro for the annual Company registrar fees. 

ANNUAL ACCOUNTS AND AUDIT REQUIREMENTS

1. What are the types of companies that can be registered?
(1) Companies Limited private company (CAP. 113 Company Law)
(2) Branch of an overseas company (Section 347 of CAP. 113)
(3) General or Limited Partnership (CAP.116 the partnerships and Business Name Law).

2. The Memorandum of Association i.e. objects for which company was established?
Any lawful object or scope, Amendments are done by order of the court.

3. The Articles of Association, i.e. internal regulation of company?
This can be done by special resolution only.

4. Registered shares or bearer shares?
Registered only. Bearer shares are prohibited

5. Subscribers/Incorporators?
This can be provided

6. What are the (a) Minimum number of shareholders and (b) Maximum number of shareholders?
The minimum number of shareholders is one, and (b) the maximum number of shareholders for a private company is fifty

7. Where is the location of general meetings of shareholders/members?
This can be done anywhere in the world.

8. Can proxies be appointed?
For shareholders, yes.

9. What are the Classes of shares permitted?
(1) Registered shares of par value, (2) Preference shares (3) Redeemable Preference shares (4) Non-voting shares.

10. What is the permitted currency of shares capital?
Euro for all types of companies or any other currency.

11. Capital duties paid on incorporation?
Capital duty of EUR128 is payable on the nominal capital up to EUR8.543, graduating to EUR214 for an authorized capital of EUR17.086 and for nominal capital which exceeds EUR17.086, EUR214 for the first CYP17.086 plus 51.26 cents for each additional amount of EUR170.86.

12. What is the Minimum share capital?
The recommended amount is EUR1708.60

13. Minimum number of directors required?
One

14. The minimum number of officers?
One director and one company secretary. Where there is only one director, the company secretary must be another individual or corporate entity unless the same person is also the shareholder of the company.

15. What about the transfer of registered shares?
By presentation of a written instrument of transfer signed by the transferor and transferee and subsequent procedures with the Registrar of Companies of registering the transfer with them if the shares are to be transferred to a new registered shareholder.

(a) Transfer of bearer shares?
Bearer shares are prohibited

(b) Meeting of shareholders?
An annual general meeting of the shareholders must be held each calendar year anywhere in the world.

16. Maximum number of directors permitted?
No restrictions, this is Regulated by the Articles of Association. Alternate directors are permitted.

17. When can the Appointment of first directors be done?

Upon incorporation by the subscribers to the Memorandum and Article of Association.

18. Any residential, nationality requirements or professional qualifications required for directors?
No statutory requirements regarding nationality or residence. However in order for the company to be tax resident in Cyprus, the directors or their majority should be Cypriot residents for establishing management and control in Cyprus.

19. Can the company act through a power of attorney?
Yes. With resolution by the board of directors duly signed and signatures certified bearing also the seal of the company.

20. Are corporate directors permitted?

Yes

21. Where must the board of directors’ meeting be held?

Anywhere in the world. However in order for the company to be tax resident in Cyprus, board meetings should be held in Cyprus for establishing management and control in Cyprus.

22. Notice of consent to act as director?

Yes, by notification to the board of directors, company secretary or shareholders.

23. Company secretary required?
Yes, one. Also assistant secretary can be appointed if needed.

TYPES OF LEGAL ENTITIES

COMPANY FORMATION

BKMS Group provides below some typical enquiries and frequently asked questions on the subject of company formation in Cyprus.

1. Are ready made companies available?
Yes, they are called shelf companies and they are ready to be used immediately.

2. What is the time required to obtain a name approval from the registrar’s office for a custom made company?
7 working days unless you require an acceleration fee

3. What is the time required to incorporate custom-made company after receipt of name approval?
30 working days or 3-4 days with acceleration fee.

4. What is the time required to receive documentation after incorporation by the Government?
Immediately from the Registrar’s office or by post or courier.

5. Are consents required prior to incorporation?
None

6. Are any licenses required?
No

7. Is there a disclosure of the beneficial owner to the regulatory authorities?
No if nominee shareholders are to be used.

8. Confidentiality; (a) what is the jurisdiction’s reputation? and (b) Is it provided by law?
(a) the jurisdiction reputation is excellent and (b) Confidentiality is safeguarded by the Advocates Law that prevents the lawyer from disclosing information.

9. Are there any restrictions on names?
Restrictions on names apply on any word that the Registrar considers undesirable. Any name that is identical or similar to an existing company. Any name that implies illegal activity or implies royal or government patronage

10. What are the names that require consent or a license?
“Asset Management” “Asset Manager”, Assurance”, “Bank”, “Banking”, “Broker (s) / Brokerage”, “Capital”, “Credit”, “Currency (ies)”, “Custodian(s)”, “Custody”, “Dealer(s)” “Dealing”, “Deposit(s)”, “Derivative (s)”, “Exchange”, “Fiduciary (ies)”, “Finance”, “Financial”, “Fund (s)”, “Future (s)”, “Insurance”, “Lending”, “Loan(s)”, “Lender(s)”, “Option(s)”, “Pension(s)”, “Portfolio”, “Reserves”, ‘Savings”, “Security(ies)”, “Stock”, “Trust”, Trustees” their foreign language equivalents or any name that the Registrar considers may have a connection with the aforementioned.

11. What is the permitted suffix?
Limited or Ltd is obligatory

12. Is a company seal required?
No mandatory requirement applies but is permitted and generally used.

13. Is a resident agent required?
No. Companies should be registered only by lawyers practicing in Cyprus.

14. Must the Registered Office be in Cyprus?
Yes, the registered office must be in Cyprus.

15. What are the documents maintained at the registrar’s office?

Register, minutes, company seal, certificate of incorporation.

16. What about public inspection of the documents?
The Company’s documents are available for public inspection at the office of the Registrar of Companies. It is possible to obtain absolute secrecy of the identity of the shareholders, either through trust fiduciary agreements or through nominees or through other companies. Also nominee directors can be appointed by the beneficial owners.

17. Can the company trade be within the jurisdiction of incorporation (Cyprus)?
Yes.

18. Are transfers of domicile allowed?
There is no legislation allowing the transfer of domicile for Cyprus companies.

FREQUENT ASKED QUESTIONS

THE multi Family OFfice 

The Multi Family Office