REMU Privacy Statement

We at Real Estate Management Unit [referred to as ‘REMU’, ‘we’, ‘us’, ‘our’]of Bank of Cyprus Public Company Limited [referred to as the ‘Bank’ or ‘Bank of Cyprus’], are committed to protecting your privacy and handling your data in an open, fair and transparent manner.

This privacy statement sets out general information about how we manage your personal information and how you can contact us about this privacy statement or the personal information that we hold.

REMU’s privacy statement:

  • is addressed to natural persons who are customers or prospective customers of REMU, i.e. buyers, tenants, bidders of property owned by the Bank [or its Special Purposes Vehicles (‘SPVs’)] and managed by REMU, or authorised representatives/officers/agents or legal or beneficial owners of legal entities or of natural persons who are customers or prospective customers of REMU.
  • is addressed to natural persons who directly or indirectly have any other form of business or administrative relationship with REMU or who had such a relationship with REMU in the past.
  • contains information about when we share your personal data with other members of the Bank of Cyprus group and other third parties [for example, our service providers or suppliers].
  • provides an overview of how we collect and process your personal data and outlines your rights under the local data protection law and the EU General Data Protection Regulation 2016/679 (‘GDPR’).

In this privacy statement, your data is sometimes called “personal data” or “personal information”. We may also sometimes collectively refer to handling, collecting, protecting and storing your personal data or any such action as “processing” such personal data.

For the purposes of this statement, personal data shall mean any information relating to you which identifies or may identify you and which includes, for example, your name, address, identification number, telephone number.

Please note that if you are a customer of the Bank for banking and/or investment services, for further information with respect to how your personal data is processed in the context of your banking and/or investment relationship with the Bank, please refer to the Bank’s privacy statement which is available on the Bank’s website at www.bankofcyprus.com.cy/en-gb/contact_us/privacy-notice/

1.Who we are

REMU is a specialised unit of Bank of Cyprus , a licensed credit institution registered in Cyprus under registration number HE165 as a public limited liability company, having its registered office and head offices at 51 Stassinos Street, Strovolos, P.O.Box 21472, 1599 Nicosia.

REMU was set up to effectively manage the Bank’s and its subsidiaries’ non-core properties (including properties held by SPVs owned by the Bank). REMU holds a wide range of properties, including land and commercial assets, residential and offices which are available for sale across Cyprus.

2.How we collect your personal data

The personal data that we collect and process depends on the nature of your business relationship with REMU. We obtain your personal data through the following channels:

a)From information you provide to us directly, examples include:

  • When you visit our website or subscribe to our newsletter
  • When you submit written inquiries on our website
  • When you submit a tender form

b) From information lawfully provided by third parties, examples include,

  • your authorised and/or legal representatives
  • estate agents
  • property owners that introduce you to us
  • tenants of property the Bank or its SPVs has acquired or intends to acquire
  • your legal representatives
  • other entities within the Bank of Cyprus group
  • public authorities

c)From publicly available sources from which we lawfully obtain and process personal data

  • Department of Registrar of Companies
  • The Land Registry
  • Commercial registers
  • The press, media and the Internet

d) From your responsible banker/branch if you are an existing customer of the Bank

3.What personal data we process

The personal data collected, handled and processed by us may include:

  • Contact details such as your name, address, telephone number, email address and fax number;
  • Identification details such as a copy of your identification card or passport number;
  • Biographical and demographic data such as your date of birth, age, gender, marital status, occupation details, or if you hold/held a prominent public function/position and details in this regard;
  • Financial information such as employment, annual income, source of income, proof of income, property ownership and investment income, other banking relationship details such as bank account number and account details, tax residence, tax and VAT Id, credit reference agency data (e.g. Infocredit, World check), residence or work permit in case of non-EU nationals, employment position (e.g. as per corporate certificates of directors/shareholders), copies of rental agreements;

4. Whether you have an obligation to provide us with your personal data

In order that we may be in a position to proceed with the establishment of a business relationship with you, you must provide your personal data to us which are necessary for the required commencement and execution of a business relationship and the performance of our contractual obligations. We are furthermore obligated to collect such personal data given the provisions of the ‘know-your –customer’ and anti-money laundering law which require that we verify your identity before we enter into a contract or a business relationship with you or the legal entity for which you are the authorised representative / agent, legal or beneficial owner.

Kindly note that if you do not provide us with the required data, then we will not be able to commence or continue our business relationship either with you as an individual or with the legal entity of which you may be an authorised representative/agent or legal or beneficial owner.

5.Why we process your personal data and on what legal basis

We process your personal data in accordance with the GDPR and the local data protection law for one or more of the following reasons:

A. For the performance of a contract

We process personal data in order to be able to primarily complete our acceptance procedure so as to enter into a contract with you and proceed so as to conclude a property sales or tenancy agreement with you or a contract for the provision of services with you.

B. For compliance with a legal obligation

There are a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements, e.g. the Anti-Money Laundering Law, the Cyprus Investment Services Law, Tax laws. There are also various supervisory authorities whose laws and regulations we are subject to e.g. the European Central Bank, the European Banking Supervisory Authority, the Cyprus Central Bank, the Cyprus and Securities Exchange Commission. Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls.

C. For the purposes of safeguarding legitimate interests

We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. Examples of such processing activities include:

  • Initiating legal claims and preparing our defence in litigation procedures.
  • Means and processes we undertake to provide for our IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures.
  • Setting up CCTV systems, for the prevention of crime or fraud.
  • Measures to manage business and for further developing products and services.
  • Sharing your personal data within the Bank of Cyprus group for the purpose of complying with the relevant anti-money laundering framework.
  • Bank of Cyprus group risk management.
  • The transfer, assignment (whether outright or as security for obligations) and/or sale to one or more persons (including the Cyprus Central Bank) of and/or charge and/or encumbrance over, any or all of the Bank’s benefits, rights, title or interest under any agreement between the customer and the Bank.

D. You have provided your consent

Provided that you have given us your specific consent for processing (other than for the reasons set out hereinabove) then the lawfulness of such processing is based on that consent. You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.

6.Who receives your personal data?

In the course of the performance of our contractual and statutory obligations your personal data may be provided to various departments of the Bank but also to other companies of the group. Various service providers and suppliers may also receive your personal data so that we may perform our obligations. Such service providers and suppliers enter into contractual agreements with us by which they observe confidentiality and data protection according to the data protection law and the GDPR.

It must be noted that we may disclose data about you for any of the reasons set out hereinabove, or if we are legally required to do so, or if we are authorised under our contractual and statutory obligations or if you have given your consent.

All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions.

Under the circumstances referred to above, recipients of personal data may be, for example:

  • Supervisory and other regulatory authorities, inasmuch as a statutory obligation exists. Some examples are the Central Bank of Cyprus, European Central Bank,
  • The Cyprus land registries, income tax and VAT government authorities, e.g. for tax clearance certificates, memo releases,
  • Architects, civil engineers and contractors, estate agents, engineers, maintenance and other contractors.
  • Public Authorities/Municipalities/Local Authorities,
  • Valuators and surveyors, e.g. for property valuations, construction and municipal permits, land registry reports and technical due diligence reports,
  • For our anti-money laundering process, such as Infocredit, World Check,
  • External legal consultants,
  • Insurance companies, e.g. the General Insurance Company Ltd of the Bank of Cyprus Group,
  • Financial and business advisors and associates, e.g. for Land Registry transfers, tax due diligence reports,
  • Potential buyers of properties which are promoted for sale by REMU, which may be rented by data subjects,
  • Auditors and accountants,
  • Other banking institutions, e.g. the banking institutions of sellers or buyers,
  • Marketing companies and market research companies,
  • Fraud prevention agencies,
  • File storage companies, archiving and/or records management companies, cloud storage companies,
  • Companies who assist us with the effective provision of our services to you by offering technological expertise, maintenance and management services, solutions and support,
  • Purchasing and procurement and website and advertising agencies,
  • Administrative committees of apartment buildings and of other properties,
  • Potential or actual purchasers and/or transferees and/or assignees and/or chargees (including the Cyprus Central Bank of Cyprus) of any of the Bank’s benefits, rights, title or interest under any agreement between the customer and the Bank, and their professional advisors, service providers, suppliers and financiers.

7.Transfer of your personal data to a third country or to an international organisation

Your personal data may be transferred to third countries [i.e. countries outside of the European Economic Area] in such cases as, e.g. if this data transfer is required by law [e.g. reporting obligation under Tax law] or you have given us your consent to do so. Processors in third countries are obligated to comply with the European data protection standards and to provide appropriate safeguards in relation to the transfer of your data in accordance with GDPR Article 46.

8.To what extent there is automated decision-making and whether profiling takes place

In establishing and carrying out a business relationship, we generally do not use any automated decision-making. If we may decide to process your data automatically, with the goal of assessing certain personal aspects (profiling), we shall then inform you accordingly.

9.How we treat your personal data for marketing activities and whether profiling is used for such activities

We may process your personal data to inform you about properties and offers that may be of interest to you or your business via our REMU newsletter.

The personal data that we process for this purpose consists of information you provide to us and data we collect when you use our services. We study all such information to form a view on what we think you may need or what may interest you. We can only use your personal data to promote our services to you if we have your explicit consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so.

You have the right to object at any time to the processing of your personal data for marketing purposes, by contacting our offices at any time.

10.How long we keep your personal information for

We will keep your personal data for as long as we have a business relationship with you [as an individual or in respect of our dealings with a legal entity you are authorised to represent or are a legal or beneficial owner].

If you are a buyer of property, all personal information with respect to the specific purchase of property such as information relating to tenants of the property, agreements signed with respect to the purchase of property etc., shall be kept for a period of 10 years after the completion of the sale process with respect to the specific property.

If you submitted a bid for the purchase of a specific property but the specific property was sold to another party, all personal information with respect to your bid shall be kept for a period of 5 years after the completion of the sale process with respect to the specific property.

If you expressed an interest to purchase property, all personal information with respect to such interest shall be kept for a period of 6 months from the date you contacted REMU to express such interest.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons. If we do, we will make sure that your privacy is protected and only use it for these purposes.

11.Your data protection rights

Please note that the Bank is the Controller with respect to your personal information.

If you have any questions, or want more details about how we use your personal information, you can contact our Data Protection Officer at 97 Kyrenias Ave. P.O. Box 21472, 2113 Platy Aglantzias, Nicosia, email: dpo@bankofcyprus.com.

You have the following rights in terms of your personal data we hold about you:

  • Obtain access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction [rectification] of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to erase your personal data [known as the ‘right to be forgotten’] where there is no good reason for us continuing to process it.
  • Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

You also have the right to object where we are processing your personal data for direct marketing purposes. If you object to processing for direct marketing purposes, then we shall stop the processing of your personal data for such purposes.

  • Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
    • it is not accurate,
    • it has been used unlawfully but you do not wish for us to delete it,
    • it is not relevant any more, but you want us to keep it for use in possible legal claims,
    • you have already asked us to stop using your personal data but you are waiting us to confirm if we have legitimate grounds to use your data.
  • Request to receive a copy of the personal data concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by ourselves to other organisations you will name [known as the right to data portability].
  • Withdraw the consent that you gave us with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.

To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact our offices or complete the web form through our website (http://www.bankofcyprus.com.cy/en-gb/contact_us).

You can also contact our Data Protection Officer at dpo@bankofcyprus.com.

We endeavour to address all of your requests promptly.

12.How to Complain

If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by completing our on line contact form (http://www.bankofcyprus.com.cy/en-gb/contact_us).

You also have the right to complain to the Office of the Commissioner for Personal Data Protection. Find out on their website how to submit a complaint (http://www.dataprotection.gov.cy).

13.Changes to this privacy statement

We may modify or amend this privacy statement from time to time.

We will notify you appropriately when we make changes to this privacy statement and we will amend the revision date at the top of this page. We do however encourage you to review this statement periodically so as to be always informed about how we are processing and protecting your personal information.

14.Cookies

Our website uses small files known as cookies to make it work better in order to improve your experience.

To find out more about how we use cookies please see our cookie policy.