TFI Markets Ltd (the ‘Company’) is a licensed Payment Institution, regulated by the Central Bank of Cyprus (License No. 188.8.131.52/2018), and a licensed Investment Firm, regulated by the Cyprus Securities and Exchange Commission (License No. 117/10).
Collection of personal data
In order to apply for an account with TFI Markets, the following personal data might be required from natural persons:
- Personal information: Full Name, date and place of birth, nationality, residence address, passport/ID number, FATCA/CRS information (tax residency, tax identification number), contact details (email, telephone, mobile phone, fax), bank account details, employment details (Name of employer and position), information on politically exposed persons (whether the person holds or has held a prominent public function)
- Financial Information: Income, Size of Wealth, Source of Funds
- Documents: ID/Passport and utility bills or bank statements, CV or other relevant experience information
Data may also be collected from other public and non-public sources such as the Registrar of Companies or third party databases used for mitigation of risk, such as World-Check.
The Company does not process personal data in relation to persons who are under the age of eighteen (18), unless there is a legal requirement to do so, and then only after approval from the legal guardian.
The Company takes a number of measures to keep personal data safe and secure. Some of these include:
- Data encryption and digital signatures to ensure the protection and integrity of data; firewalls, intrusion detection systems, 24/7 physical protection of facilities where the data is stored; background checks for personnel that access physical facilities; and strong security procedures across all service operations.
- The Company encrypts the transmission and storage of personal data using the highest standards of security technologies and procedures.
Legal basis for the collection and processing of personal data
Personal data is processed based on the following:
- For the fulfilment of contractual obligations: For the execution of transactions either under a Payment Services contract or Investment Services contract. In order to be able to provide services to clients, the Company is required to collect information about the client’s identity and financial information.
- For compliance with legal obligations: Processing of personal data is necessary for compliance with legal obligations arising from various laws such as the European Markets in Financial Instruments Directive (‘MiFID II’) and the relevant Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus, European and Cyprus Laws, Directives and Regulations for the Prevention of Money Laundering and Terrorist Financing, the Common Reporting Standard (‘CRS’), the European Market Infrastructure Regulation (‘EMIR’), the Foreign Account Tax Compliance Act (‘FATCA’), the Payment Services law and Directive. In order to comply with these laws, the Company is required to follow identity verification procedures and anti-money laundering controls, retain data for certain periods of time and disclose data to supervisory, regulatory and other public authorities.
- For other legitimate reasons, such as for developing and improving the Company’s products and services and for defending the Company in litigation procedures.
- Personal data might also be processed in order to send informational or marketing material to natural persons who are currently or potentially Clients, after they have given their explicit consent.
Clients are obliged to provide us with their personal data and update them where required, in order for the Company to be able to begin or maintain a business relationship. Failure to provide such information will prevent the Company from complying with its legal obligations and thus may result in the rejection of an application for an account or the closure of an existing account.
Recipients or categories of recipients of personal data
During the course of business and in order to fulfil the Company’s contractual and legal obligations, personal data may be disclosed to:
- The Company’s Auditors, Lawyers, Bankers, Consultants, subject to confidentiality agreements
- Supervisory, regulatory and other public authorities, upon request or where required.
- Third party processors such as companies offering technological solutions and support, file storage and records management companies.
All data processors appointed by us to process personal data on our behalf are bound by contract or other Confidentiality or Non-Disclosure Agreement to comply with the GDPR provisions.
International transfer of personal data
Period for which personal data are stored
Personal data are kept for the duration of the business relationship and for a further five (5) years after the termination of the business relationship, unless otherwise instructed by a competent authority. Data may be kept longer where legal proceedings or investigations by public authorities are pending.
Clients have the following rights with respect to the personal data that the Company controls and processes:
- The right to request and get copies of their personal data
- The right to request the correction of inaccurate personal data
- The right to request erasure of their personal data, where the Company’s other legal and/or regulatory obligations allow it
- The right to portability of their data to another data controller
- The right to object to the processing of their personal data. In such case, the Company shall no longer process the specific personal data, unless it demonstrates compelling legitimate grounds for the processing. Clients can also object at any time to processing of their personal data for direct marketing purposes.
- The right to request restriction of processing of their personal data where one of the following applies:
  - the accuracy of their personal data is contested, for a period of time, until the Company verifies their accuracy
  - the processing is unlawful and the client opposes the erasure of their personal data and requests restriction of their use instead
  - the Company no longer needs their personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
  - the data subject has objected to processing and is expecting verification from the Company whether legitimate grounds of the controller override those of the data subject
Automated decision making and profiling
The Company does not use automated decision making and profiling to take the decision to establish a business relationship with a potential client. The Company may process some of the current Clients’ personal data automatically during data analysis for the purpose of fraud and money laundering detection, which is part of the Company’s legal obligations. This automated processing protects the interests of the Company’s Clients as well.
Our Data Protection Officer can answer questions and provide information on how the Company uses personal information. The contact details of the DPO are: 178 Athalassas Avenue, ‘Irene Tower’ 2nd Floor, 2025 Nicosia, Cyprus, email: firstname.lastname@example.org.