International Privacy Statement_checked

International Privacy Statement – A & C Christofi Ltd (ACC CY)

Effective Date: 1 December 2025

1. Introduction and Scope

A & C Christofi Ltd (“ACC CY,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal information for all users globally. This International Privacy Statement applies specifically to individuals and entities located outside Cyprus, the European Union/EEA, and the United Kingdom when accessing our website (www.acccyp.com), mobile applications, client portals, or using our professional accounting, audit, tax, and advisory services.

This Statement supplements our Privacy Policy and provides the highest common standard of protection worldwide, exceeding the requirements of most non-EU/UK privacy regimes while remaining fully compliant with Cyprus and EU law.

2. Information Collection and Processing

2.1. Categories of Personal Data

We collect and process personal data from international users to deliver professional services, including:

  • Personal Identification Data: Full name, address, contact information, identification documents, passport details
  • Financial Information: Income details, asset information, tax data, banking details, financial statements
  • Compliance & Identity Verification Data: Utility bills, business registration documents, ownership structures
  • Professional Information: Employment details, business activities, professional qualifications
  • Technical and Usage Data: IP addresses, device information, browser type, interaction logs, cookie data
  • Special Category Data: Only when strictly necessary and with explicit consent, such as health information for payroll processing

2.2. Lawful Bases for Processing

We process personal data under the following legal bases:

  • Contractual Necessity: To provide professional services under engagement agreements
  • Legal Obligations: To comply with international laws, including anti-money laundering requirements, tax information exchange agreements, and cross-border regulatory compliance
  • Legitimate Interests: For service improvement, fraud prevention, security enhancement, and business operations, always balanced against individual rights
  • Consent: For marketing communications, non-essential cookies, and specific processing activities where required by local law

3. International Data Transfers and Safeguards

3.1. Transfer Destinations

Your personal data may be transferred to and processed in jurisdictions outside your local country, including:

  • Cyprus: Where ACC CY is headquartered and conducts primary processing operations
  • EU/EEA Countries: For client service delivery, regulatory compliance, and professional oversight
  • United Kingdom: For UK-related business activities, client services, and regulatory reporting
  • United States: For specific service providers, cloud infrastructure, and specialized software platforms
  • Other Jurisdictions: As required for specific client engagements, legal obligations, or professional requirements

3.2. Transfer Safeguards

We implement comprehensive safeguards for international data transfers, including:

  • Standard Contractual Clauses (SCCs): EU Commission and UK ICO-approved clauses, supplemented with additional safeguards where required
  • Binding Corporate Rules: For intra-organizational transfers where applicable
  • Additional Security Measures: Encryption (in transit and rest), access controls, audit trails, and security certifications
  • Transfer Impact Assessments: Regular evaluation of destination country laws and practices
  • Data Minimization: Limiting transfers to essential purposes only, aligned with professional service requirements

4. User Rights and Regional Compliance

4.1. Available Rights

International users may exercise rights similar to those granted under major privacy frameworks, including:

  • Access Rights: To obtain information about the categories of personal data processed, purposes and recipients.
  • Correction Rights: To rectify inaccurate or incomplete personal data.
  • Deletion Rights: To request erasure of personal data under specific conditions.
  • Restriction Rights: To limit processing in certain circumstances.
  • Objection Rights: To object to processing based on legitimate interests.
  • Portability Rights: To receive data in a structured, machine-readable format where technically feasible and applicable.
  • Consent Withdrawal: To withdraw previously given consent at any time.
  • Non-Discrimination: Right not to be discriminated against for exercising privacy rights.

4.2. Regional Adaptations

We respect and comply with local privacy laws in jurisdictions including, but not limited to:

  • United States: California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other state-specific regulations, to the extent applicable
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australia: Privacy Act 1988 and Australian Privacy Principles
  • Switzerland: Swiss Federal Act on Data Protection (revFADP), including associated ordinances and guidance
  • Other Jurisdictions: Local privacy laws where we operate or have clients, with particular attention to financial and professional services regulations

Compliance is maintained to the extent these laws are applicable to our operations or client relationships.

5. Data Security Measures

5.1. Technical and Organizational Measures

We implement appropriate security measures to protect personal data, including:

  • Encryption: Data encryption in transit (TLS 1.3) and at rest (AES-256) for all sensitive information
  • Access Controls: Role-based access permissions, multi-factor authentication, and the principle of least privilege
  • Network Security: Enterprise firewalls, intrusion detection systems, regular security updates, and vulnerability management
  • Physical Security: Secure facilities, access control systems, and visitor management procedures
  • Staff Training: Regular privacy and security awareness programs specific to accounting professional requirements

5.2. Professional Standards Compliance

Our security measures align with:

  • ICPAC Requirements: Cyprus Institute of Certified Public Accountants security standards
  • IFAC Guidelines: International Federation of Accountants security recommendations
  • Industry Best Practices: Recognized accounting and audit security standards, including alignment with ISO 27001 where applicable
  • Continuous Improvement: Regular security assessments and updates to maintain effective protection of personal data

Personal Data means any information relating to an identified or identifiable natural person, including data defined as ‘personal information’ or ‘sensitive information’ under applicable laws.

6. Data Retention Practices

6.1. Retention Principles

We retain personal data only:

  • As long as necessary for service delivery and professional obligations
  • To comply with legal and regulatory requirements across jurisdictions
  • To fulfill contractual obligations and business needs
  • Based on legitimate business interests, where appropriate
  • In accordance with professional accounting and audit standards

6.2. Specific Retention Periods

Retention periods vary depending on the nature of the service, applicable laws, and professional obligations, including:

  • Accounting Services: Minimum of 10 years
  • Audit Engagements: Minimum of 7 years
  • Tax Compliance Services: Minimum of 10 years
  • Advisory Services: Typically 6 years, unless extended due to contractual, regulatory, or legal requirements
  • Legal Requirements: Jurisdiction-specific retention mandates and professional standards
  • Business Needs: Ongoing client relationships and service delivery requirements
  • Professional Standards: ICPAC and international accounting body requirements

7. Third-Party Websites and Services

7.1. External Links and Resources

Our website may contain links to third-party websites, services, or resources. ACC CY:

  • Does not control external content, services, or privacy practices and is not responsible for the privacy practices of third-party sites
  • Recommends users review third-party privacy policies before engagement
  • Provides transparency about integrated third-party services

7.2. Integrated Professional Services

Where we integrate or engage with third-party service providers essential for professional service delivery, we:

  • Conduct thorough due diligence on their privacy and information security practices
  • Implement appropriate contractual safeguards and data processing agreements
  • Limit data sharing to necessary purposes only for professional service delivery
  • Provide clear information about third-party relationships to clients

8. Professional Services Considerations

8.1. Accounting and Audit Specific Protections

Our privacy and security framework specifically addresses:

  • Client Financial Data: Enhanced protection for sensitive financial information
  • Audit Documentation: Secure handling of audit working papers and evidence in accordance with applicable professional standards, including International Standards on Auditing (ISA)
  • Tax Information: Protected processing of tax data and compliance information, subject to strict confidentiality obligations
  • Professional Confidentiality: Maintenance of client confidentiality obligations internationally in accordance with ICPAC regulations, IFAC Code of Ethics, and applicable laws, including in cross-border contexts

8.2. Cross-Border Service Delivery

Our international privacy practices support:

  • Global Client Engagements: Secure service delivery across jurisdictions
  • Regulatory Compliance: Meeting multiple jurisdiction requirements
  • Professional Standards: Maintaining ICPAC regulations and IFAC ethical requirements globally
  • Client Trust: Building confidence in our international capabilities

9. Contact Information and Inquiries

9.1. Privacy Inquiries and Rights Requests

Data Protection Team
A & C Christofi Ltd
Email: dataprotection@acccyp.com
Telephone: +357 25 000000
Address: 37 Nicou and Despinas Pattichi Avenue, Evi Court, 3rd Floor, Offices 302–303, Limassol, CY-3071, Cyprus

9.2. Service Commitments

We are committed to:

  • Acknowledging all privacy inquiries within 3 business days
  • Responding to complete rights requests within 30 calendar days
  • Providing clear, transparent information about our privacy practices
  • Resolving privacy concerns promptly and fairly
  • Maintaining professional confidentiality throughout all interactions

10. Policy Updates and Governance

10.1. Regular Review and Updates

This International Privacy Statement is:

  • Reviewed annually or as needed for significant legal or regulatory changes
  • Updated to reflect evolving international privacy practices and regulations
  • Communicated to users through platform notifications and client communications
  • Maintained with version control and complete change history

10.2. Continued Use and Acceptance

By continuing to use our services after updates, you acknowledge:

  • Acceptance of the updated International Privacy Statement
  • Understanding of our international privacy practices as described
  • Agreement to our data processing activities as outlined
  • Recognition of our commitment to protecting your privacy rights

10.3. Professional Oversight

This Statement operates under:

  • Board-Level Oversight: Regular review by company leadership
  • Professional Compliance: Adherence to accounting profession standards
  • Legal Alignment: Consistency with applicable international laws
  • Continuous Improvement: Ongoing enhancement of privacy practices

Our services are not directed at individuals under 18. We do not knowingly collect personal data from minors.

This International Privacy Statement was formally adopted on October 11, 2024, and becomes effective December 1, 2025. It supplements our main Privacy Policy and addresses specific considerations for international users outside Cyprus, the EU, and the UK. Replace +357 25 000000 with your official business telephone number before publication and implementation.