Upscale Msdn Co. LTD (hereafter “the Company”, “we”, “us” or “our”) is a limited liability company which operates the domain www.tuning24.org (hereafter the “Website”). The Company is incorporated under the laws of the Republic of Cyprus with Company Registration Number HE 414751 and having its registered / business office at Giannou Kranidioti 30, Orphanides Bld., Suite 2, 3rd Floor, office 301-302, 6045 Larnaca, Cyprus.
Data Subject (hereinafter “you” or “your”) stands for an identified or identifiable natural person whose personal data the Company processes in the course of conducting business, regardless of whether the personal data were obtained from this person directly or from third parties.
Personal data means any information relating to an identifiable natural person (i.e. using information and data in order to directly or indirectly identify a specific person).
Processing means any operation(s) which is performed on personal data (or on sets of personal data) whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.
2. Scope and Applicability
As part of the Company’s daily operations, it is necessary to collect personal data from existing and prospective clients in order to be able to provide them with our products and services. This Policy describes how the Company collects, processes, uses, maintains, stores and discloses your personal information and data.
Any personal data the Company collects about the client will only be used for the purposes we have collected it for, or as allowed under the applicable legislation, and to perform our contractual obligations in relation to the products and services offered. This Policy covers the Company’s official corporate website www.tuning24.org, all its related sub-domains that are registered and operated by the Company as well as the payment gateways and any other software solutions used by the Company.
This Policy is applicable to the processing of personal data regardless of the form/environment in which the personal data is provided (e.g. on paper, electronically, by phone or otherwise) and whether the Company processes it by automated means or manually.
Moreover, this Policy applies to former, existing or prospective clients, applicants and visitors on the Company’s website(s) (hereafter “the client” for convenience). The Company strives to protect the privacy, confidentiality and security of all personal data obtained from our clients during the course of the business relationship and their dealings with the Company, including information obtained during their visits to the Company’s website(s).
At the Company, we treat all individual visitors that enter our corporate website(s) as well as all private individuals that represent our corporate clients (i.e. authorized representatives, proxies etc.) and all our private individual clients as Data Subjects in the sense of the GDPR Regulation.
3. Our Commitment to You
At the Company, we fully understand the importance of maintaining the confidentiality and privacy of your personal data. The Company respects your privacy and to this end, we are committed to taking all reasonable steps in order to protect and safeguard the privacy, confidentiality, security and integrity of your personal data.
4. How do we collect your Personal Data?
In order for a natural person to become our client, (s)he must complete and submit the account opening application form. During this process, the prospective Client is requested to provide certain personal information, data and identification documents as well as acknowledge his/her willingness to share this private information with the Company for the purpose of evaluating the client’s request to open a payment account with the Company and to comply with the Laws and Regulations governing the provision of payment instruments, services and products offered by the Company.
Apart from the personal data collected during the account opening process, the Company may collect personal data in a number of ways, including but not limited to, the following:
- Through the provision and use of our products and services;
- Through the use of the Company’s website(s), mobile apps;
- Through the completion of any forms;
- By subscribing to our blogs, newsletters and/or news updates;
- By taking part in online discussions, surveys or promotions;
- By participating in any offers, campaigns or by entering a competition;
- Information provided by any person during correspondence with the Company, both online and offline;
- During the provision of customer service or support in any form;
- Information through publicly available sources and social media;
- When you contact us for any other reason.
The Company may, from time to time, request further information from you to help us improve our services & products under the Client Agreement or to comply with the applicable laws and regulations.
5. What Personal Data do we collect?
The list of personal data that we may collect from you is not exhaustive. The list below specifies the main categories of personal data, which the Company collects and processes:
- Personal details (i.e. name, surname, passport/ID number, date and place of birth, gender, nationality, citizenship). Personal data may also include sensitive data like your race, ethnic origin, etc.;
- Contact details (i.e. actual place of residence, registered place of residence, email address, mobile number, landline and fax number, identifier on telecommunication systems etc.);
- Identification Documents necessary to: (a) verify your identity such as a passport or national identity card and (b) to verify your permanent residence such as utility bills, banks statements;
- Account information (i.e. username, password, account number, account balance, trading activity and history, charges, fees and commissions charged etc.);
- Technical Information (i.e. internet protocol (IP) address used, unique device identifier, your location, login information, browser type and version, time-zone setting, operating system and platforms, type of device or browser used, network information server logs etc.);
- Location: if location services are switched on on the device used to access your customer account, then we can track your location via GPS;
- Marketing information or any other information received as a result of your visit and usage to the Company’s website(s) (i.e. the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time), referrer URL, products and services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page, any phone number used to call our customer service number etc.);
6. How do we use and process your Personal Data?
The Company will only collect, use, process, disclose, transfer and store your personal data in accordance with the GDPR Regulation, the local Cypriot legislation on data protection & practices, and the Client Agreement based on one or more of the following legal bases and purposes:
- To perform our contractual obligations and to provide you with the services & products you have requested, or to provide you with information regarding our products & services that may be of interest to you, or to keep you updated on the issues that are relevant to your business relationship with us;
- To create an account for you and to set-up and operate the customer account / profile you have with us as well as to provide you with technical or customer support;
- To process your transactions and to send you information about transactions executed;
- To administer & improve our website(s) in relation to any technical issues faced, troubleshooting, errors, maintenance, support, data analysis, testing etc.;
- To protect the security of our website(s) through detecting and preventing any type of security breaches, hacking, fraud or other malicious, illegal or criminal activities as well as to prevent any unjustified risks to its commercial operations;
- To perform research or to conduct data analysis which will help us to improve our products & services as well as to provide you with better products & services in the future and/or to suggest to you products & services that may be of interest to you. In such a case, we will combine your personal data with the personal data of other clients on an aggregate basis and create impersonalized data. The Company may provide this research or analysis to third parties solely for statistical and/or marketing purposes to the extent allowed under the Client Agreement already accepted by you. Under no circumstances will you be identifiable from this data analysis; you will remain anonymous;
- To investigate any grievances or complaints and settle any disputes;
- To enable you to participate in surveys, competitions, campaigns etc. that might be of interest to you, where you have consented to be contacted for such purposes;
- To send you marketing communications and/or promotional material in the agreed forms (i.e. by email, telephone or social media). Please note that we will not disclose your personal data to any third parties for the purpose of allowing them to directly market to you;
- To notify you about any changes to our products and services, Client Agreement, Terms & Conditions, our Policies or other legal documents which form part of the agreement between us, or to keep you updated with news on our products and services, or to provide you with any legal notifications in relation to other important matters relating to your use of our services and products;
- To comply with the applicable laws & regulations, including requests from the regulator or other competent authorities, court orders, police investigations, preparation of regulatory reporting or any other legal and regulatory requirements to which the Company is subject, such as anti-money laundering laws, market abuse laws, financial services laws, privacy laws and tax laws;
- To safeguard our legitimate interests, whether this is pursued by us or by another third party. In such a case, the Company must have a sound business or commercial reason to use your personal data and must not go unfairly against your best interests.
If it is necessary to use your personal data for any other reason which is not outlined above, then you will be duly informed (i.e. via a pop-up message, push notification, email or otherwise), including of any additional terms and conditions which will apply. You will be asked to confirm whether you agree to these additional terms and conditions before we can proceed.
Please note that you can control what and how you receive communications or information from us. If you do not wish to receive electronic communications from us (including marketing and advertising communications, promotional material, market research analysis, news, updates, newsletters etc.) then please send an email to [email protected] to unsubscribe from future correspondence and we will stop sending you this information.
Please note that even if you unsubscribe from marketing communications, you will still continue to receive communications from us that are necessary for the operation of your account.
7. Contacting You
The Company or its affiliates, business partners, associates or other agents may, from time to time, contact clients by telephone, fax, email, post or otherwise, for the purposes of offering them further information about the Company’s products and services, or to inform them of promotional offerings, or for marketing purposes or to conduct market research.
If the client wishes to opt-out of any further contact at any time and for whatever reason, (s)he is entitled to do so by contacting the Company’s back-office department via email and requesting in writing that the client wishes no further contact in relation to the above reasons.
8. Disclosure and Transfer of your Personal Data
Any personal data or other confidential information (including recordings, documents of a confidential nature, payment details and personal details) that you provide to the Company will be treated as confidential and it will not be disclosed to any third parties, except when necessary to provide you with our services & products, fulfil our contractual obligations and conduct our business operations as described herein.
Below are the cases under which we may disclose your personal data and why:
- The Company Group: to any member of our group, meaning any branch, subsidiary company, sister company, holding company and its respective employees in order to provide the services & products requested by the client, to fulfil our contractual obligations under the Client Agreement and to provide technical & customer support. It should be noted that all the group entities and our employees are required to follow our privacy and security protocols when handling personal data;
- Third party service providers: including but not limited to legal advisors, professional or expert advisors, internal auditors, external auditors, service providers who have been contracted to provide us with software and hardware systems; payment gateways; platforms; support; administrative; financial; legal; accounting; auditing; taxation; compliance; record-keeping; website; cloud hosting; IT; research; marketing; advertising; email transmission or messaging services; data storage; or other services which are necessary to be able to execute client transactions, instructions, order or payments, or to complete our contractual obligations, or to provide the services & products requested by our clients, or for purposes which are ancillary to the provision of our services & products to you as our Client. It should be noted that our third-party providers are permitted to use your personal data only to provide the services contracted for and may not use or otherwise share your personal data;
- Credit reference agencies, fraud prevention agencies, third authentication service providers, banks, payment service providers, other financial institutions: to conduct credit checking, anti-money laundering checks, identity verification checks, sanction checks, fraud & fraud prevention checks, risk assessment, payments processing or customer due diligence checks. In order to do so, these organizations will check the client’s details supplied against any details held on any database (public or otherwise) to which they have access. These organizations may store your information in order to comply with their legal and regulatory obligations. A record of the search conducted by these organizations will be retained by us;
- Our affiliates, business partners, agents, associates and business introducers: with whom we have a mutual business relationship and they have directed you to us;
- Police, courts, regulatory authorities, governmental agencies, public authorities and law enforcement authorities: having control or jurisdiction over the company or companies of the Company group, our clients, our associates or in whose territory we have clients or providers, as applicable. In such a case, we will share your personal data only when it is required to comply with the applicable laws, rules and regulations, or to comply with a court order of a competent Court, or to comply with investigations, administrative, judicial or legal proceedings and/or to respond to official requests from these authorities. This may include authorities outside the client’s country of residence or the Company’s country of operations;
- Other third parties: we may share personal data in the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including bankruptcy/liquidation proceedings or equivalent);
- Where necessary to secure the Company’s legitimate business interests and to defend, protect and/or exercise its legal rights in front of any court, tribunal, arbitrator, the Financial Ombudsman or any other regulatory or governmental authority, as the case may be;
- at your request or with your consent;
- to any person(s) authorised by you.
9. Safeguard Measures
The Company has implemented physical, technical & organizational measures to secure and protect your personal data from unauthorized access, use or disclosure, unlawful breach or from accidental destruction, loss or damage. The personal data you provide to us is protected in many ways as follows:
- Your personal data are stored in secure servers and back-up servers.
- Access to your personal data is limited only to those employees or partners that need to know the information in order to enable the carrying out of the Client Agreement and have access via a username and password.
- The Company uses encryption, tokenisation and takes all reasonable technical security measures to prevent unauthorized parties from viewing, using or processing any such information. This information is accessible only to authorized personnel.
- We train our employees regularly regarding the importance of maintaining, safeguarding and respecting your personal data and security.
- Potential breaches of individuals’ privacy are taken very seriously. The Company will impose appropriate disciplinary measures on its employees in such a case and it could even involve a dismissal from employment.
- Our business partners, affiliates, agents, associates, service providers and employees sign a confidentiality and non-disclosure agreement in order to maintain the confidentiality of your personal data.
- The Company tests and monitors the effectiveness of security measures frequently.
- We have appointed a Data Protection Officer (DPO) to ensure that the Company obtains, manages, processes and discloses your personal data in accordance with this Policy and the applicable legislative and regulatory framework.
- In the unlikely event of a data breach, as soon as the Company becomes aware of a breach of personal data protection, and without undue delay, the Company notifies the regulatory body in accordance with the provisions of the GDPR Regulation. Where a breach of personal data protection could pose a high risk to the rights and liberties of persons, the Company will, without undue delay, notify the person about the personal data breach.
While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the transmission of information via the internet is not entirely secure and for this reason we cannot ensure or guarantee the confidentiality, security or integrity of any personal data transferred from you to us, or from us to you via the internet.
This Company shall not be responsible or liable (whether in civil, criminal or otherwise) under any circumstances for any amount or kind of loss or damage (including without limitation, any direct, indirect, punitive or consequential loss or damages, or any anticipated loss of profit, loss of profit, loss of opportunity, loss of data, costs and fines and/or any special or incidental damages of any kind) that may result to you or arising from or connected in any way to cyber-attacks, computer viruses, system failures or malfunctions which may occur in connection with your use of the Company’s products, services, websites, devices, mobile applications, payment channels or any other method.
10. Storage and Retention Period of your Personal Data
Under the applicable laws and regulations (including anti-money laundering laws), the Company is required to retain all types of records containing client personal data for at least five (5) years after the termination of the business relationship between us and/or as long as one of the following criteria is valid:
- until the contract concluded with the client is in force;
- as long as according to the legislation and regulations, the Company and the client can realize their legal (legitimate) interests;
- as long as the Data Subject’s consent is in force for the appropriate processing of personal data, if there is no other legal basis for processing the data.
However, please note that we may keep your personal data for longer than five (5) years in case for example a dispute arises between the client and the Company, or due to legal / regulatory reasons requiring us to do so. In any case, we will not keep your personal information for any longer than is required. As soon as the purpose has been fulfilled, the Company erases the data or destroys the information carriers on which the data is recorded (e.g. documents in the Company format).
Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. When personal data is no longer necessary for the purpose for which it was collected, we will securely destroy the records.
11. Transfer of Personal Data outside the EEA
EU data protection rules apply to the European Economic Area (EEA) which includes all the EU countries and non-EU countries: Iceland, Liechtenstein and Norway. If necessary, the Company may transfer your personal data to a country outside the EEA, for storage and/or for processing by staff operating outside the EEA who work for the Company Group and/or to our suppliers, business partners, associates, affiliates, agents, business introducers or service providers who are engaged on our behalf to fulfil our contractual obligations under the Client Agreement. Moreover, personal data we collect from you may be stored or processed in a jurisdiction that is different to the country in which the specific entity you are dealing with is registered and established. Therefore, by entering into the Client Agreement with the Company and submitting your personal data, you agree to the transmittal, storing and processing of your personal data outside the EEA.
Nonetheless, when your personal data is transferred outside the EEA, the Company will take all steps reasonably necessary to ensure that the transfer is lawful, that the organization to whom your data are sent provides data protection at an adequate level, or provided that the receiving company undertakes sufficient guarantees in accordance with the provisions of the GDPR regulation to ensure that your personal data are treated securely.
Where this is not possible and we are required to disclose your personal data (i.e. because we are required by law or by virtue of a court order in place) we will do this as per the applicable legal and regulatory obligations.
The Company will only send personal data outside the EU/EEA to a country, in relation to which the European Commission has not made a decision regarding the adequacy of its security level and which does not provide the corresponding guarantees, if:
- The person has clearly agreed to the proposed transfer, having received information from the Company about the potential risks that such a transfer could pose to the person;
- Transfer is necessary in order to fulfil the contract between the client and Company or to implement measures after the conclusion of the contract, which were approved at the client’s request;
- Transfer is necessary for conclusion of an agreement between the Company and another private individual or legal entity, in the interests of the client or for the fulfilment of such a contract;
- Transfer is necessary if there are important reasons of public interest;
- Transfer is necessary in order to raise, fulfil or defend legal requirements, or
- Transfer is necessary in order to protect the vitally important interests of persons if the client is physically or legally incapable of giving its consent.
12. Cookies and Links
The Company’s data collection procedures include the placement of cookies for the purpose of gathering information and data about the manner in which our clients interact with the Company’s website(s) in order to provide our clients with a better experience and present our services and products according to your needs and preferences. Cookies are small data files sent from our website(s) to your browser and stored on the client’s computer when using our website(s); they may include a unique identification number. A cookie in no way gives us access to your computer or any other information about you, other than the information you choose to share with us.
13. Monitoring and Recordings
The Company will, as required by law, monitor and record any form of communication between the Client and the Company, including but not limited to, electronic correspondence (i.e. chats/emails), video calls, fax, postage, telephone conversations, in person or otherwise, in relation to the provision of our services & products and our business relationship with you. The Client accepts such recordings as conclusive evidence of the orders, instructions, requests or conversations so recorded.
14. Your Rights regarding your Personal Data
In line with the provisions and requirements of the GDPR Regulation (679/16) on the protection of personal data, you have the following rights in relation to your personal data:
- Access to your Personal Data: you have the right to access your personal data, to review all the personal data that is related to you and which was collected for the duration of the business relationship, to update your file and to check, at any time, the accuracy of the personal data related to you individually.
- Rectification: if the personal data we hold about you is inaccurate or incomplete, you are entitled to make rectifications, amendments and update it with your current personal circumstances. In such a case, the Company may request supporting documents or evidence to justify the correction of the data.
- Changes: you may inform the Company at any time regarding any changes to your personal data by emailing us at [email protected]. The Company will change your personal data according to your instructions. Please note that in order to proceed with such requests, the Company may require supporting documents from you as proof.
- Deletion: you have the right to request us to delete your personal data (partly or wholly) when there is no good reason for us to continue processing it, except to the extent that we are required to hold it for legal or regulatory purposes as well as to maintain adequate records in accordance with anti-money laundering requirements. Please note that if you request to delete your personal data, this will lead to the automatic closure of your customer account.
- Information on use and processing: you have the right to obtain information on the use and purpose of processing your personal data, including what information we process, and you have the right to request a copy of the personal data we hold about you (except documents) within thirty (30) days from the date of your request free of charge. Taking into account the complexity or number of requests, the Company may extend the response time to two (2) months. If you require additional copies, we may charge a reasonable administrative fee based on actual costs incurred. The Company may decline the client’s request if it is clearly unjustified or excessive, particularly because of their repetition on a regular basis.
- Processing Restrictions: you have the right to request us to limit the processing or to stop the processing altogether of your personal data for one of the following reasons:
  - The client disputes the accuracy of the data. In this case, the duration of the restriction cannot be longer than the period during which the Company is checking the accuracy of the data;
  - Data processing is unlawful, and the client objects to the erasure of data, requesting the restriction of the use of data instead. In this case, the processing of personal data will be restricted for the period that the person has requested;
  - The Company no longer requires the data for processing, but they are required by the client concerned, in order to raise, fulfil or defend lawful requirements. In this case, the restriction will be set for the period that the person has requested and justified;
  - The client has objected to processing that is justified by the Company’s legitimate interests. In this case, the duration of restriction will be set for the period during which a check is conducted as to whether the Company’s legitimate interest is more important than the person’s legitimate interest.
This will not stop us however from storing your personal data and may have an effect on the provision of our services rendered to you and/or may result in account closure.
- Choice to opt-out: you may opt-out from receiving commercial, non-commercial newsletters and notifications from the Company by notifying us at [email protected]
- Portability: you have the right, under certain circumstances, to receive and retain your personal data in order to save it or to re-use it elsewhere, or to ask us to transfer it to another Data Controller or Third Party nominated by you. After the fulfilment of the data transfer application, the Company would no longer be responsible for its subsequent processing by the third party. The data transfer is free of charge.
- Withdrawal: you may withdraw your previously given explicit consent with regards to the collection, use and processing of your personal data at any time by contacting our DPO. In that case, subsequent data processing will no longer be carried out; however, personal data processing carried out before the withdrawal will remain valid. Withdrawal of consent cannot result in the suspension of personal data processing which is carried out on legal grounds.
You can submit your request to make use of the above rights to your personal data by contacting our Data Protection Officer (DPO) through email at the following address: [email protected]
15. Legal Disclaimer
The client is responsible for keeping their login credentials confidential and not disclosing them to any unauthorized third party. If any person gains access to the client’s account and/or personal data, the Company will not be held responsible or liable for any damage that occurs, or any unlawful or unauthorized use of your personal data due to misuse or misplacement of your login credentials, negligent or malicious intervention (or otherwise) by you or due to your acts or omissions or by a person authorized by you (whether or not that authorization is permitted by the terms of our legal relationship with you).
The collection, use and storage of your personal data is based on your consent. By entering into an agreement with the Company, establishing a customer account and accessing the Company’s website(s), portals or payment gateways, you agree and consent to the collection, use and storage (for at least 5 years from the end of the business relationship) of all the personal data that you supply to the Company by the means described herein. In addition, please note that downloading the Company’s platform(s) and allowing cookie settings in your web browser also constitute consent to this Policy. You may revoke your consent at any time; however, any personal data processed before the receipt of your revocation will not be affected.
17. Data Protection Officer (DPO)
If you have any questions regarding this Policy, wish to make a complaint or exercise any of your rights in relation to your personal data you may contact our DPO as follows:
Via email at: [email protected]
With registered post at: Upscale Msdn Co. Ltd, Data Protection, Giannou Kranidioti 30, Orphanides Bld., Suite 2, 3rd Floor, flat/office 301-302, 6045 Larnaca, Cyprus.
If you are still not satisfied after having spoken to us, or you are unhappy with the outcome of the complaint, you also have the right to lodge a complaint to the Data Protection Commissioner (which is the supervisory authority/regulator for personal data protection issues in the Republic of Cyprus) by visiting this page.
18. Amendments to this Policy
The Company will review this Policy at least annually, or whenever a material change occurs in the law, or in the Company’s internal procedures/arrangements, or whenever the Company deems it necessary for any reason, and will duly notify its clients of such changes by posting an updated version of this Policy on its website(s). If, however, we make material or significant changes, we will notify you promptly by other means.
The Client hereby accepts that the posting of an updated Policy on the Company’s website will serve as the actual notice of the Company to its clients. The Company encourages its clients to periodically review this Policy so that they are always aware of what information the Company collects, how it uses it and to whom it may disclose it, in accordance with the provisions of this Policy.