CISCO's Privacy Statement

30/11/2025

The Cyprus Investment and Securities Corporation Ltd (referred to herein as ‘we’, ‘us’, ‘our’, ‘CISCO’ or the ‘Company’) is committed to protecting your privacy and handling your data in an open and transparent manner.  The personal data that we collect and process depends on the product or service requested and agreed in each case.

This privacy statement:

  • provides an overview of how CISCO collects and processes your personal data and informs you about your rights under the local data protection law and the EU General Data Protection Regulation (herein ‘GDPR’),
  • is directed to natural persons (‘data subjects’) who are either existing or potential customers of the Company, or are authorised representatives/agents or beneficial owners of legal entities or of natural persons who are current or potential customers of the Company,
  • is directed to natural persons who now have or who had such a business relationship with the Company in the past,
  • is directed to any other natural persons whose personal data has or may in the future be lawfully obtained by the Company in the normal course of its business,
  • contains information about when we share your personal data with other members of the Bank of Cyprus Group and other third parties (for example, our service providers or suppliers).

In this privacy statement, your data is sometimes called “personal data” or “personal information”.  We may also sometimes collectively refer to handling, collecting, protecting, and storing your personal data or any such action as “processing” such personal data.

For the purposes of this statement, personal data shall mean any information relating to you which identifies or may identify you and which includes, for example, your name, address, identification number etc. 

  1. Who we are

CISCO is a Cyprus Investment Firm (“CIF”) which is regulated by the Cyprus Securities and Exchange Commission (CIF license no. 003/03).  CISCO is a member of the Cyprus Stock Exchange (“CSE”) and a remote member of the Securities Market of the Athens Exchange (“ATHEX”).  CISCO is registered in Cyprus under registration number HE18558 as a limited liability company having its registered office and head offices at 1 Agiou Prokopiou and Posidonos, 1st Floor, 2406 Engomi, Nicosia, P.O. Box 20597, 1660 Nicosia.

If you have any questions, or want more details about how we use your personal information, you can contact our Data Protection Officer at 1 Agiou Prokopiou and Posidonos, 1st Floor, 2406 Engomi, Nicosia, P.O. Box 20597, 1660 Nicosia, email: Cisco.DPO@bankofcyprus.com.

  1. Other entities of the Bank of Cyprus Group

CISCO, a wholly owned subsidiary of Bank of Cyprus Holdings PLC, is a member of the Bank of Cyprus Group (“The Group”).  Each entity of the Group has its own separate privacy statement and maintains its own website.  If you are interested in learning about how those entities process your personal data, please refer to their corresponding privacy statements which may be found on their relevant websites.

  1. What personal data we process and where do we collect it from

We collect and process different types of personal data which we receive from data subjects, in person or via our tied agents or via their authorised representative or via our website in the context of our business relationship.

We may also collect and process personal data which we lawfully obtain not only from you but from other entities within the Bank of Cyprus Group, or other third parties [e.g. public authorities and credit reference agencies data i.e. Worldcheck].  We may also collect and process personal data from publicly available sources [e.g. the Department of Registrar of Companies and Official Receiver, the press, media, and the Internet], which we lawfully obtain, and we are permitted to process.

If you are a prospective customer, or an authorised representative/agent or beneficial owner of a legal entity or of a natural person who is a prospective customer, the relevant personal data which we collect may include:

Name, Surname, residential address, contact details (telephone, email), nationality, identification data, account identification, birth date, place of birth (city and country), marital status, employed/self-employed, profession, if you hold/held a prominent public function (for PEPs), FATCA / CRS info (Foreign Account Tax Compliance Act /Common Reporting Standard), authentication data [e.g., signature].

When we agree to provide products and services to you or another person (for example, a legal entity for which you are the authorized representative / agent or beneficial owner) then additional personal data may be collected and processed which may include:

In the context of providing Investment services of Reception, Transmission and Execution of Orders, Discretionary Portfolio Management, Investment Advice and/or Fund Services [e.g. Administration], Investment Banking services and other Ancillary Services:

work address, profession and name of employer, number of dependent children, residence or work permit in case of non-EU nationals, tax residency and tax identification data, source of funds, annual income and value of assets, knowledge and experience in the investment sector, and credit worthiness in case of opening a Margin Account, knowledge and experience with investment products such as shares/funds [e.g. for MiFID services], personal investment objectives, economic and financial background, investment strategy and scope, personal investment portfolio, due diligence watchlist e.g. Worldcheck or eNamechecker, employment position, personal data which are necessary for the required commencement and execution of a business relationship and the performance of our contractual obligations [e.g. company’s share registry, which may include names, addresses, phone numbers, number of shares, stock exchange operators and other personal data of the shareholders].

  1. Children’s data

We understand the importance of protecting children's privacy.  We may only collect personal data in relation to children provided that we have first obtained their parents’ or legal guardian’s consent or unless otherwise permitted under law.  For the purposes of this privacy statement, “children” are individuals who are under the age of eighteen (18).

  1. Whether you have an obligation to provide us with your personal data

In order to be in a position to proceed with a business relationship with you or another person (for example, a legal entity for which you are the authorized representative / agent or beneficial owner), you must provide your personal data to us which are necessary for the required commencement and execution of a business relationship and the performance of our contractual obligations.  We are furthermore obligated to collect such personal data given the provisions of the Anti-Money Laundering and MiFID laws which require that we verify your identity before we enter into a contract or a business relationship with you or the legal entity for which you are the authorized representative / agent or beneficial owner.  Depending on the circumstances, you may have to provide us with your identity card/passport, your full name, place of birth (city and country), and your residential address so that we may comply with our statutory obligation as mentioned above.

Kindly note that if you do not provide us with the required data, then we will not be allowed to commence or continue our business relationship either with you as an individual or as the authorized representative/agent or beneficial owner of a legal entity.

  1. Why we process your personal data and on what legal basis

As mentioned earlier we are committed to protecting your privacy and handling your data in an open and transparent manner and as such, we process your personal data in accordance with the GDPR and the local data protection law for one or more of the following reasons:

A. For the performance of a contract

We process personal data in order to provide investment and ancillary services based on contracts with our customers or others but also to be able to complete our acceptance procedure so as to enter into a contract with prospective customers or others.

The purpose of processing personal data depends on the requirements for each product or service, and the contract terms and conditions provide more details of the relevant purposes.

B. For compliance with a legal obligation

There are a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements, e.g. Investment Services and Activities and Regulated Markets Law (Law 87(I)/2017), the Investment Firms Regulation (IFR) and Investment Firms Directive (IFD), the European Market Infrastructure Regulation (EMIR), the Digital Operational Resilience Act (DORA), the EU Anti-Money Laundering Directives (AMLD 4, 5 and 6), the Prevention and Suppression of Money Laundering and Terrorist Financing Law, the Companies Law, the Law for accessibility of products and services, the Market Abuse Law, tax laws, the Safety and Health at Work Law, the EU Directive on Markets in Financial Instruments (MiFID), the EU Directive on the accessibility requirements for products and services, the EU Regulation on prudential requirements for credit institutions and investment firms, the EU Directive on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD), the EU Directive regarding the establishment of a framework for the recovery and resolution of credit institutions and investment firms, the Law on the Encouragement of Long-Term Active Shareholder Engagement of 2021, the EU Directive of the European Parliament as regards the encouragement of long-term shareholder engagement.

There are also various supervisory authorities whose laws and regulations we are subject to e.g. the European Central Bank (“ECB”), the Central Bank of Cyprus (“CBC”), the Cyprus Securities and Exchange Commission (“CySEC”), the Hellenic Capital Market Commission (“HCMC”), the European Securities and Markets Authority (“ESMA”), the Cyprus Stock Exchange (“CSE”) and Athens Stock Exchange (“ATHEX”), which may issue relevant Directives or Guidelines.  Such obligations and requirements impose on us necessary personal data processing activities for, among others, identity verification, customer complaints handling, creation of various registries and reports, compliance with court orders, tax law or other reporting obligations and anti-money laundering or market abuse controls.

C. For the purposes of safeguarding legitimate interests

We process personal data so as to safeguard the legitimate interests pursued by us or by a third party.  A legitimate interest exists when we have a business or commercial reason to use your information.  But even then, it must not unfairly go against what is right and best for you.  Examples of such processing activities include:

  • Taking all steps necessary for the termination of accounts, recovery of debts and liquidation or enforcement of securities,
  • Initiating legal claims and preparing our defence in litigation procedures,
  • Sharing specific information with other Bank of Cyprus Group entities for anti-money laundering and sanctions’ compliance purposes,
  • Means and processes we undertake to provide for the Company’s systems security and in particular for the prevention of data leakage, potential crime and fraud, asset security, and for the implementation of admittance controls and anti-trespassing measures,
  • Measures, including the usage of specialized tools, in order to manage business more efficiently and for further developing products and services,
  • Measures to determine whether the Company’s quality standards are met and to initiate actions for the improvement of service e.g., performing customer satisfaction surveys,
  • The risk management of CISCO,
  • Utilization of external expert consultants for conducting specialized investigations for internal audit purposes,
  • Sharing specific information with the Company’s regulatory/supervisory authorities such as the CySEC, the CBC, the CSE, the ATHEX following their specific request,
  • Preparation of internal reports within the Company in order to facilitate strategic, management, risk, operational and other decisions that need to be taken in order to evaluate, monitor and enhance the performance of the Company in meeting its obligations and providing its services,
  • Voice recording of telephone communications (i) with existing and/or potential customers and/or other parties such as business associates, vendors etc. for the purpose of monitoring and improving our services, quality control and performance of our systems, and (ii) with customers for the purpose of verifying their instructions received by the Company,
  • Performing enhanced due diligence of existing customers where there is a suspicion that the client’s country of origin or residence is a country subject to sanctions,
  • Processing your personal data for marketing purposes, which might include profiling,
  • Maintaining an internal registry of legal actions filed against the Company,
  • Utilisation of external investigative agents and/or other agencies for conducting further investigation e.g. for customers posing increasing money laundering/terrorist financing risk and where enhanced due diligence measures are deemed necessary,
  • Outsourcing to third party service providers communication methods such as calls and/or posting to and email communications with customers on behalf of the Company,
  • Processing and Verification of Shareholder Registers. In the context of compliance with the obligations arising from EU Directive (Shareholders Right Directive II) and relevant national legislation, the processing and verification of shareholder registers is carried out to ensure the correct and timely distribution of dividends. The procedure includes cross-checking data with relevant statements received from the Athens Stock Exchange, the Cyprus Stock Exchange, and issuers, aiming at the accuracy and timeliness of the information.

D. You have provided your consent

Provided that you have given us your specific consent for processing (other than for the reasons set out hereinabove) then the lawfulness of such processing is based on that consent.  You have the right to revoke your consent at any time.  However, any processing of personal data prior to the receipt of your revocation will not be affected.

  1. Who receives your personal data

In the course of the performance of our contractual and statutory obligations your personal data may be provided to various departments within the Company but also to other companies of the Bank of Cyprus Group.  Various service providers and suppliers may also receive your personal data so that we may perform our obligations and provide our services.  Such service providers and suppliers enter into contractual agreements with the Company by which they provide appropriate safeguards, as far as confidentiality and data protection are concerned, according to the local data protection law and GDPR.

It must be noted that we may disclose data about you for any of the reasons set out hereinabove, or if we are legally required to do so, or if we are authorized under our contractual and statutory obligations or if you have given your consent.  All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions.

Under the circumstances referred to above, recipients of personal data may be, for example:

  • Supervisory and other regulatory and public authorities, in as much as a statutory obligation exists.  Some examples are the Cyprus Securities and Exchange Commission, the Central Bank of Cyprus, the Hellenic Capital Market Commission, the Cyprus Stock Exchange, ATHEX GROUP, the Income Tax Authorities, criminal prosecution authorities, MOKAS, US Internal Revenue Service (IRS),
  • Your co-account holders or other parties to whom you otherwise grant access to your accounts,
  • Credit and financial institutions,
  • External legal consultants,
  • Financial and business advisors,
  • Internal and external auditors for executing audit functions,
  • File storage companies, archiving and/or records management companies, cloud storage companies,
  • Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions, and support,
  • Purchasing and procurement, and website agencies,
  • Call Centers and/or other service providers which may assist us with large scale and urgent campaigns and/or correspondence relating either to marketing or other obligations of the Company,
  • Any company and/or its representative, whereby the Company is acting as an intermediary, for the purpose of providing information with respect to the companies’ shareholders identities,
  • Share and stock investment and management companies.

  1. Transfer of your personal data to a third country or to an international organisation

Your personal data may be transferred to third countries [i.e. countries outside of the European Economic Area] in such cases as e.g. to execute your investment orders, or if this data transfer is required by law [e.g. reporting obligation under Tax law], or if you have given us your consent to do so, or where the Company uses service providers for certain tasks and they or their service providers may have their headquarters, parent companies or data centers in a third country.  Controllers or Processors in third countries are obligated to comply with the European data protection standards and to provide appropriate safeguards in relation to the transfer of your data in accordance with GDPR Article 46.

  1. To what extent there is automated decision-making and whether profiling takes place

In establishing and carrying out a business relationship, we generally do not use any automated decision-making.  We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you or another person (for example, a legal entity for which you are the authorized representative / agent or beneficial owner), in the following cases:

  • Data assessments (including on investment transactions and payment transactions) which are carried out in the context of combating money laundering and fraud.  An account may be detected as being used in a way that is unusual for you or your business.  These measures may also serve to protect you.

In the rare instances that we process your personal data by solely automated means (including profiling), we shall only process them for such purpose provided we have your explicit consent to do so.

  1. How we treat your personal data for marketing activities and whether profiling is used for such activities or any other related activities

We may process your personal data to inform you about products and services that may be of interest to you or your business. One such example is sending daily updates, via e-mail, regarding stock exchange markets.

The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services, such as information on your transactions.  We study all such information to form a view on what we think you may need, or what may be of interest to you.

In some cases, profiling is used, i.e., we process your data automatically with the aim of evaluating certain personal aspects in order to provide you with targeted marketing information on products.

We can only use your personal data to promote our products and services to you if we have your explicit consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so.

You have the right to object at any time to the processing of your personal data for marketing purposes, including profiling, by contacting, at any time, the Customer Service Operations Department, either in person or in writing.

  1. How long do we keep your personal information for

We will keep your personal data for as long as we have a business relationship with you or another person (for example, a legal entity for which you are the authorized representative / agent or beneficial owner) in relation to which we have obtained your personal data.

Once our business relationship with you or that other relevant person has ended, we may keep your data for up to ten (10) years in accordance with the Company’s Data Retention Policy.

We may keep your data for longer than 10 years, if we cannot delete it for legal, regulatory, or technical reasons, or in order to safeguard the legitimate interests pursued by us or by a third party.

For prospective business relationships with you or another person in relation to which we may obtain your personal data, we shall keep your personal data for 6 months from the date of notification of the rejection of your or that other person’s application for investment services / products of CISCO, or from the date of withdrawal of such application, as per the Company’s Data Retention Policy.

  1. Your data protection rights

You have the following rights in relation to the personal data we hold about you:

  • Receive access to your personal data.  This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction [rectification] of the personal data we hold about you.  This enables you to have any incomplete or inaccurate data we hold about you, corrected.
  • Request erasure of your personal information [known as the ‘right to be forgotten’].  This enables you to ask us to erase your personal data where there is no valid reason for us continuing to process it.
  • Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.  If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.

You also have the right to object where we are processing your personal data, for direct marketing purposes.  This also includes profiling in as much as it is related to direct marketing.

If you object to processing for direct marketing purposes, then we shall stop the processing of your personal data for such purposes.

  • Request the restriction of processing of your personal data.  This enables you to ask us to restrict the processing of your personal data, i.e., use it only for specific circumstances, if:
      • it is not accurate,
      • it has been used unlawfully but you do not wish for us to delete it,
      • it is not relevant anymore, but you want us to keep it for use in possible legal claims,
      • you have already asked us to stop using your personal data, but you are waiting for us to confirm if we have legitimate grounds to use your data.
  • Request to receive a copy of the personal data concerning you in a format that is structured and commonly used and transmit such data to other organisations.  You also have the right to have your personal data transmitted directly by us to other organisations you will name [known as the right to data portability].
  • Withdraw the consent that you gave us with regard to the processing of your personal data, at any time.  Note that any withdrawal of consent shall not affect the lawfulness of processing based on the consent before it was withdrawn or revoked by you.

To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact the Customer Service Operations Department, or visit our offices, or send an e-mail to ciscoinfo@bankofcyprus.com.

You can also directly contact our Data Protection Officer at Cisco.DPO@bankofcyprus.com.

We endeavour to address all your requests promptly.

  1. Right to lodge a complaint

If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to send your complaint to ciscoinfo@bankofcyprus.com.  You also have the right to complain to the Office of the Commissioner for Personal Data Protection.  On their website you may find information on how to submit a complaint (http://www.dataprotection.gov.cy).

  1. Changes to this privacy statement

We may modify or amend this privacy statement from time to time.

We will reasonably endeavor to notify you appropriately when we make changes to this privacy statement, and we will amend the revision date accordingly.  We do, however, encourage you to review this statement periodically so that you are always informed about how we are processing and protecting your personal information.

  1. Frequently asked questions

To help you understand the basic principles of the data protection law and address some of the common questions that arise regarding the protection of your personal data, please refer to the Frequently Asked Questions available on the Office of the Commissioner for Personal Data Protection’s website (www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/page2m_gr/page2m_gr?opendocument).

  1. Cookies

Our website uses small files known as cookies to make it work better and to improve your experience. To find out more about how we use cookies please refer to our Cookies Policy available on the Company’s website (www.cisco-online.com.cy).