1. Policy Statement & Senior Management Commitment

The Board of Directors of A & C Christofi Ltd (“the Firm”) recognises that the protection of personal data and the maintenance of the highest standards of information security constitute both a legal obligation and a core professional duty under the Institute of Certified Public Accountants of Cyprus (ICPAC) Code of Ethics, the International Federation of Accountants (IFAC) standards, and our contractual commitments to clients.

We are fully committed to compliance with:

• Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
• Law 125(I)/2018 of the Republic of Cyprus, and EU ePrivacy Directive 2002/58/EC – as transposed into Cyprus law
• Directive (EU) 2022/2555 (NIS-2 Directive) as transposed into Cyprus law
• UK GDPR and Data Protection Act 2018 – where applicable to UK-based clients and representatives
• Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) – where applicable
• All successor legislation and regulatory guidance

The processing of personal data – of client representatives, employees, and beneficial owners – is also conducted in adherence to other key regulatory frameworks, including but not limited to the Prevention and Suppression of Money Laundering and Terrorist Financing Laws of Cyprus.

This Policy represents the Firm’s binding internal rulebook. Breach of its provisions will be treated as serious misconduct.

Signed: Chris Christofi, Managing Director & Data Protection Officer
Date: 28 December 2025

2. Scope & Applicability

2.1 This Policy applies without exception to:

1. all directors, employees, trainees, seconded staff and contractors;
2. all personal data processed by the Firm irrespective of format (electronic, paper, audio, biometric);
3. all processing activities whether carried out in Cyprus, another EEA state, the UK or third countries;
4. all systems, devices, cloud services, removable media and third-party processors under the Firm’s control or instruction.

2.2

The Policy extends to former staff and third parties for as long as they continue to have access to the Firm’s systems or personal data.

3. Definitions & Interpretation

The following definitions shall apply throughout this Policy:
“Personal Data”, “Special-Category Data”, “Processing”, “pseudonymization”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach” bear the meanings given in Article 4 GDPR.

However:

• “Firm” means A & C Christofi Ltd.
• “DPO” means the appointed Data Protection Officer.
• “Engagement Letter” means the formal contract governing professional services.
• “Record of Processing Activities” (RoPA) means the register required by Article 30 GDPR.
• “Transfer Impact Assessment” (TIA) means the risk assessment required following the Schrems II judgment (C-311/18).

Interpretation shall follow GDPR Recitals and Cyprus Law 125(I)/2018.

4. Governance Structure & Accountability

1. Ultimate responsibility rests with the Board of Directors.
2. Day-to-day oversight is delegated to the Data Protection Steering Committee comprising:
   • Managing Director (Chair)
   • Data Protection Officer
   • IT Manager
   • Compliance & Risk Partner
   • External legal counsel (advisory capacity)
3. The Committee meets quarterly and maintains minutes that are reviewed by the Board annually.
4. Accountability is demonstrated through this Policy, the RoPA, DPIA register, training records, breach register, third-party DPA register and annual management review.
5. All user access rights are reviewed quarterly by the DPO + IT Manager.
6. Access removal for leavers occurs before or at the moment employment ends (zero-lag deactivation).

5. Data Protection Officer – Role & Independence

1. Mr Chris Christofi is appointed DPO pursuant to Articles 37–39 GDPR.
2. The DPO:
   1. reports directly to the Board;
   2. cannot be dismissed or penalised for performing his tasks;
   3. is provided with adequate resources, continuous training and full access to all data processing activities;
   4. acts independently and is not subject to instructions regarding the exercise of his tasks.
3. Contact: dataprotection@acccyp.com (monitored daily).

6. Data Protection by Design & by Default

1. Every new service, system, process or engagement must undergo a Data Protection Threshold Assessment before launch.
2. Default settings shall always be the most privacy-friendly (e.g., pseudonymisation where possible, minimal retention, no non-essential cookies).
3. Privacy Impact Assessments (DPIA) are mandatory for high-risk processing (see Section 17).
4. All client-facing documents (Engagement Letters, proposals, portals) contain a standard Data Protection Schedule referencing this Policy.

The use of unapproved systems (shadow IT), including cloud storage, messaging apps (e.g., WhatsApp for transmitting documents), and personal devices, is strictly prohibited. Violations may lead to disciplinary action.

All software or portal changes follow formal change-management: peer review, staging environment testing, rollback plan, vulnerability scan before release.

7. Lawful Bases & Special Category Data Framework

7.1 The Firm relies on the following lawful bases (documented in the RoPA):

7.2 The processing of Special Category Data (health, biometric, etc.) always executed under specific condition arising Article 9(2). In line with the Firm’s B2B practice, such processing may occur only where strictly necessary for;

• The establishment, exercise, or defence of legal claims – Article 9(2)(f) GDPR
• Reasons of substantial public interest, based on Cyprus Law which provides the necessary condition for processing under Article 9(2)(g) GDPR, specifically for compliance with statutory AML and CFT obligations
• For internal HR purposes, processing of employee Special Category Data conducted under Article 9(2)(b) GDPR in connection with Employment and Social Security Law.

8. Data Minimisation & Purpose Limitation Procedures

1. Engagement teams must complete a Data Mapping Checklist at kick-off identifying exactly which data items are required.
2. Clients are requested to provide only necessary documents; excess data is returned or securely destroyed.
3. Purpose limitation is enforced via folder-level access controls and audit-log tagging.

Data Classification Levels

All data is classified into the following categories:

• Public – approved for external publication
• Internal – non-sensitive Firm information
• Confidential – client data, internal financials, regulatory correspondence
• Highly Confidential / Restricted – passports, tax IDs, AML files, audit evidence, special-category data

Each classification has mandatory handling rules (storage, access, transmission, logging).

9. Accuracy & Up-to-Date Obligations

1. Clients are contractually required (via Engagement Letter) to notify us of material changes within 14 days.
2. Annual client verification letters are sent to corporate clients requesting confirmation of continued accuracy of KYC data.
3. Errors discovered internally trigger immediate rectification and, where necessary, notification to competent authorities.

10. Retention, Archiving & Secure Destruction Schedule

The following schedule is mandatory and audited annually:

1. 10.1 Destruction is performed by licensed contractor with certificate issued.
2. 10.2 Archived data is encrypted and access-restricted to DPO and Managing Director only.

11. Technical Security Controls

1. The Firm operates a zero-trust architecture: no user or device is trusted by default.
2. Mandatory controls include:
   • Encryption of data at rest (e.g., AES-256) and in transit (e.g., TLS 1.3), including full-disk encryption (e.g., BitLocker) and file-level data protection solutions
   • Multi-factor authentication (MFA) with hardware keys for all cloud and remote access
   • Data Loss Prevention (DLP) policies blocking exfiltration of tax IDs, passports
   • Security Information & Event Management (SIEM) system with 24/7 alerting
   • Endpoint Detection & Response (EDR) on every workstation and laptop
   • Regular (at least quarterly) penetration testing and vulnerability scanning by ISO-27001-certified provider
   • Patch management SLA: critical patches within 48 hours
   • Privileged Access Management (PAM) with just-in-time elevation and session recording
3. Mobile devices are centrally managed; personal devices are prohibited from storing client data.
4. All users must comply with acceptable-use requirements covering:
   • prohibition of unapproved software
   • no use of personal email for work
   • mandatory use of VPN for remote access
   • restrictions on use of AI tools for client data unless expressly approved
   • prohibition on storing client data on local drives
   Violations constitute misconduct under Section 20.
5. Backups (daily incremental, weekly full) are tested quarterly for integrity and restorability. Disaster recovery testing is conducted annually.
6. Encryption keys are stored in a Hardware Security Module (HSM), rotated annually or immediately upon compromise, and subject to strict role-based access control.
7. Users are prohibited from exporting data to non-approved countries, downloading data onto local devices, or transferring any personal data using consumer-grade tools. Violations constitute a breach under Section 20.

12. Physical & Environmental Security

1. Office premises are protected by:
   • Electronic access control with individual PIN + proximity card
   • 24/7 CCTV (90-day retention) covering entrances, server room and archive area
   • Server room with biometric lock, fire suppression and environmental monitoring
   • Clean-desk and clear-screen policy strictly enforced
   • Locked fire-proof cabinets for paper archive accessible only to authorised personnel
   • Visitor badges, escort requirement and sign-in register
2. Off-site backups are stored in two geographically separate Tier-IV data centers.
3. The Firm maintains a tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) covering:
   • maximum tolerable downtime (MTD) of 24 hours
   • recovery time objective (RTO) of 8 hours
   • recovery point objective (RPO) of 24 hours
   • alternate workspace / remote working fallback
   • annual testing and Board approval

13. Organisational & Human-Factors Measures

1. All staff receive:
   • Mandatory onboarding and annual refresher data-protection training (certificate required)
   • Quarterly phishing simulation exercises (failure → immediate retraining)
   • Signed lifetime confidentiality undertaking
2. Disciplinary sanctions for breaches:

13.3 Whistle-blower channel (anonymous, managed by external law firm) for reporting concerns without fear of retaliation.

14. Third-Party & Processor Management

1. No processor is engaged without:
   • Pre-engagement due-diligence questionnaire and on-site or remote audit where high-risk
   • Signed Data Processing Agreement incorporating EU Standard Contractual Clauses (SCCs) 2021/914, Modules 2 and 3, along with the UK Addendum.
   • Annual review and re-certification
2. Current approved processors are listed in the restricted-access Processor Register maintained by the DPO.

15. International Data Transfers & Transfer Impact Assessments

1. Transfers outside the EEA/UK are restricted to:
   • Countries with adequacy decision (UK, Switzerland, Japan, Canada, etc.)
   • Recipients bound by SCCs + documented TIA (template stored in Compliance Drive)
2. The Firm maintains a prohibited/high-risk country list (currently: Russia, China mainland, Belarus). No transfers permitted without Board approval and exceptional safeguards.
3. All TIAs are reviewed annually or upon material change in destination-country law.

16. Data Subject Rights – Operational Procedure

1. Requests are received exclusively via dataprotection@acccyp.com.
2. Workflow: Day 0 → auto-acknowledgement + identity verification request; Day 1–3 → verification completed; Day 4–25 → compilation and internal legal review; Day ≤30 → response (extension notice if required).
3. No charge except where requests are manifestly unfounded or excessive (>4 per year).
4. Full audit trail maintained in the DSAR Register.

17. Data Protection Impact Assessments (DPIA)

1. Mandatory for:
   • New client portal features
   • Introduction of AI-assisted audit tools
   • Processing of health data for payroll clients exceeding 50 employees
   • Any processing likely to result in high risk (EDPB list)
2. DPIA template follows Cyprus Commissioner guidelines and is reviewed by the Steering Committee before implementation.
3. Any use of AI-for-audit, anomaly detection or data extraction must:
   • undergo a DPIA,
   • avoid transfer of personal data to AI models with unknown training provenance,
   • use Firm-approved AI tools only,
   • log all automated analysis used as audit evidence.

18. Personal Data Breach Response Protocol

1. 72-hour incident response flowchart displayed in every office and intranet homepage.
2. Breach Register maintained by DPO (encrypted, access).
3. Notification obligations:
   • Cyprus Commissioner ≤72 hours if risk to rights & freedoms
   • UK ICO ≤72 hours where UK GDPR applies
   • Data subjects without undue delay if high risk
   • ICPAC notification within 5 days for breaches affecting professional privilege
4. Post-breach root-cause analysis and lessons-learned review mandatory.

19. Monitoring, Audit & Continuous Improvement

1. Annual programme:
   • Internal audit of RoPA, DPIAs, processor compliance (Q1)
   • External ISO-27001-style audit by independent firm (Q3)
   • Management review meeting with Board (December)
   • Policy refresh and staff re-certification
2. Key performance indicators tracked monthly: training completion rate, open high-risk findings, breach incidents (target = 0).

20. Violations, Disciplinary Measures & Contact Details

1. Any violation of this Policy is treated as serious professional misconduct and may lead to sanctions listed in Section 13.2 and, where appropriate, referral to ICPAC disciplinary proceedings.
2. Queries, reports or requests for advice:
   Data Protection Officer: Chris Christofi
   Email: dataprotection@acccyp.com (monitored 24/7)
   Telephone: +357 25 332 177
   Postal: 37 Nicou & Despinas Pattichi Avenue, Evi Court, 3rd Floor, Offices 302–303, CY-3071 Limassol, Cyprus