Privacy Policy
Last updated: May 27, 2026
MHAIDAR LAW
Website Legal Compliance Draft | Cyprus | EU/GDPR
Important notice
This Privacy Policy is drafted for use on the website of MHAIDAR LAW. It should be completed with the final business address, registration/licence details, regulator details, telephone number, email address, website URL, hosting provider, analytics tools, cookie tools, and any third-party processors actually used on the website.
This document is designed to reflect the level of detail typically seen on established law firm websites, including data controller information, categories of personal data, purposes of processing, lawful bases, special category data, legal claims, AML/KYC, retention, data sharing, international transfers, security, rights, complaints and cookie references.
1. Who we are and controller information
MHAIDAR LAW is a Cyprus-based legal practice providing legal representation and legal advisory services. For the purposes of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), MHAIDAR LAW acts as a data controller in respect of personal data processed through this website and in connection with enquiries, consultations, client onboarding and legal services.
Controller: MHAIDAR LAW
Founder / Contact Person: Maria Haidar
Address: Nicosia, Cyprus
Telephone: +35799965450
Email: info@mhaidarlaw.com
Website: https://mhaidarlaw.com
For privacy-related enquiries, requests, or complaints, you may contact us at: info@mhaidarlaw.com.
2. Applicable legal framework
This Privacy Policy is prepared with reference to, among others:
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR);
Law 125(I)/2018 of the Republic of Cyprus, the national law providing for the protection of natural persons with regard to the processing of personal data and the free movement of such data, as amended;
Directive 2002/58/EC concerning privacy and electronic communications, as amended by Directive 2009/136/EC, particularly in relation to cookies and similar technologies;
Law 188(I)/2007 of the Republic of Cyprus on the Prevention and Suppression of Money Laundering and Terrorist Financing, as amended, where applicable to legal services;
Applicable rules and professional obligations relating to advocates and legal professionals in the Republic of Cyprus.
3. Meaning of personal data
Personal data means any information relating to an identified or identifiable natural person, as defined under Article 4(1) GDPR. Processing means any operation performed on personal data, including collection, recording, storage, use, disclosure, erasure or destruction, as defined under Article 4(2) GDPR.
4. Personal data we may collect
Depending on how you interact with us, we may collect and process the following categories of personal data:
Identity data: name, surname, title, identity/passport details where required for client onboarding or AML/KYC checks.
Contact data: email address, telephone number, postal address, communication preferences.
Enquiry data: information submitted through website forms, emails, telephone calls, WhatsApp messages or consultation requests.
Client matter data: information provided in relation to legal advice, disputes, immigration matters, criminal matters, corporate matters, contracts, real estate matters, inheritance matters or other instructions.
Corporate data: company name, registration number, directors, shareholders, UBO details, corporate documents and authority documents.
Financial and billing data: invoices, payment details, billing address, transaction references and related accounting records.
Technical data: IP address, browser type, device information, operating system, time zone, referral source, pages visited and website usage information.
Marketing data: preferences regarding legal updates, newsletters, event invitations or communications.
Special category data: health data, biometric data, racial or ethnic origin, religious beliefs or other special categories under Article 9 GDPR, only where necessary for legal services or where you provide such data voluntarily.
Criminal offence data: information relating to criminal allegations, offences, proceedings, investigations or convictions, where relevant to criminal law representation, legal claims or legal advice.
5. How we collect personal data
We may collect personal data directly from you when you contact us, complete a website form, request a consultation, provide documents, instruct us, communicate with us, subscribe to updates or visit the website.
We may also receive personal data from third parties, including public registers, courts, governmental authorities, corporate service providers, banks, accountants, professional advisors, counterparties, employers, family members, witnesses, agents, translators, notaries or publicly available sources, where relevant to a legal matter.
6. Purposes of processing
We may process personal data for the following purposes:
responding to enquiries and consultation requests;
conflict checks and client acceptance procedures;
providing legal advice and legal representation;
drafting, reviewing and negotiating legal documents;
handling corporate, criminal, immigration, real estate, inheritance and contractual matters;
conducting AML/KYC, sanctions screening and source of funds checks where required;
communicating with clients, courts, authorities, registries, counterparties and advisors;
preparing invoices and managing payments;
complying with legal, regulatory, professional and tax obligations;
maintaining records, file management and document retention;
protecting legal rights, establishing, exercising or defending legal claims;
improving website functionality, security and user experience;
sending marketing or legal updates where consent or another lawful basis applies.
7. Lawful bases under Article 6 GDPR
We process personal data only where a lawful basis applies under Article 6 GDPR. The relevant lawful bases may include:
Article 6(1)(a) GDPR - consent, for example where you consent to receive marketing communications or accept non-essential cookies.
Article 6(1)(b) GDPR - processing necessary for the performance of a contract or to take steps before entering into a contract, for example responding to a consultation request or providing legal services.
Article 6(1)(c) GDPR - processing necessary for compliance with a legal obligation, including AML/KYC, tax, accounting, regulatory and professional obligations.
Article 6(1)(f) GDPR - legitimate interests, including managing the legal practice, responding to enquiries, maintaining records, improving the website, ensuring security, preventing fraud and protecting legal rights, provided such interests are not overridden by your rights and freedoms.
8. Special category data and criminal offence data
Where we process special category data, we rely on Article 9 GDPR where applicable, including:
Article 9(2)(a) GDPR - explicit consent;
Article 9(2)(f) GDPR - processing necessary for the establishment, exercise or defence of legal claims;
Article 9(2)(g) GDPR - substantial public interest, where applicable under EU or Cyprus law;
Article 9(2)(h) GDPR - where relevant in limited circumstances involving health-related matters and lawful professional obligations.
Where we process data relating to criminal convictions and offences, such processing is carried out where necessary for legal services, legal claims, court proceedings, criminal defence, regulatory obligations or where authorized by EU or Cyprus law, having regard to Article 10 GDPR.
9. Confidentiality and legal professional privilege
As a legal practice, we treat client information with strict confidentiality. Information provided in the context of legal advice may also be subject to legal professional privilege, professional secrecy and other applicable duties. These obligations may affect how information is used, disclosed or retained and may also limit the circumstances in which certain data subject rights can be exercised.
10. Data sharing
We may share personal data where necessary and lawful with:
courts, tribunals, public authorities, registries and regulators;
Cyprus Bar Association or competent professional bodies where applicable;
accountants, auditors, insurers, bankers and professional advisors;
translators, notaries, experts, consultants and investigators;
IT service providers, website hosting providers, email providers, cloud storage providers and practice management systems;
payment processors and banks;
counterparties, opposing counsel, corporate service providers and agents where necessary for a matter;
law enforcement authorities where required by law;
third parties where you have instructed us or consented to the disclosure.
All disclosures are limited to what is necessary and subject to confidentiality, professional secrecy, contractual protections or legal obligations where applicable.
11. Processors and Article 28 GDPR
Where MHAIDAR LAW uses service providers that process personal data on its behalf, such providers act as processors within the meaning of Article 4(8) GDPR. Appropriate data processing arrangements shall be used where required by Article 28 GDPR, including obligations relating to confidentiality, security, sub-processors, assistance with data subject rights, breach notification and return or deletion of data.
12. International transfers
Where personal data is transferred outside the European Economic Area, MHAIDAR LAW will ensure that such transfer complies with Chapter V GDPR, including Articles 44 to 49 GDPR. Where required, safeguards may include adequacy decisions under Article 45 GDPR, standard contractual clauses under Article 46 GDPR, or derogations under Article 49 GDPR, for example where a transfer is necessary for the establishment, exercise or defence of legal claims.
13. Data retention
In accordance with Article 5(1)(e) GDPR, personal data is kept only for as long as necessary for the purposes for which it was collected, including legal, professional, regulatory, tax, accounting, AML/KYC, litigation and record-keeping purposes.
Indicative retention periods may include:
Website enquiries: up to 24 months unless a client relationship begins or a longer period is necessary.
Client files: for the period required under applicable legal, professional, limitation, AML/KYC and regulatory obligations.
AML/KYC records: for the period required under applicable AML legislation.
Accounting and invoice records: in accordance with applicable tax and accounting requirements.
Marketing data: until consent is withdrawn or the communication is no longer required.
Cookie data: according to the retention period stated in the Cookies Policy.
The above periods may be extended where necessary for legal claims, regulatory investigations or professional obligations.
14. Data security
Pursuant to Article 32 GDPR, MHAIDAR LAW implements appropriate technical and organizational measures to protect personal data, including access controls, secure storage, password protection, confidentiality obligations, restricted access to files, use of trusted providers and reasonable safeguards against unauthorized access, disclosure, alteration, loss or destruction.
No electronic transmission or storage system is completely secure. Users should avoid sending highly sensitive information through unsecured website forms unless requested through appropriate channels.
15. Data breach notification
Where a personal data breach occurs, MHAIDAR LAW will assess the risk to individuals and, where required, notify the competent supervisory authority in accordance with Article 33 GDPR. Where a breach is likely to result in a high risk to individuals, affected individuals may also be notified in accordance with Article 34 GDPR.
16. Your rights under the GDPR
Subject to applicable legal limitations, you may have the following rights:
Right to be informed - Articles 12 to 14 GDPR.
Right of access - Article 15 GDPR.
Right to rectification - Article 16 GDPR.
Right to erasure - Article 17 GDPR.
Right to restriction of processing - Article 18 GDPR.
Right to notification regarding rectification, erasure or restriction - Article 19 GDPR.
Right to data portability - Article 20 GDPR.
Right to object - Article 21 GDPR.
Rights relating to automated decision-making and profiling - Article 22 GDPR.
Right to withdraw consent - Article 7(3) GDPR.
Right to lodge a complaint - Article 77 GDPR.
Some rights may be limited where personal data is required for legal claims, legal professional privilege, professional secrecy, AML/KYC obligations, regulatory obligations or other legal requirements.
17. Supervisory authority
You have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus.
Office of the Commissioner for Personal Data Protection
Website: www.dataprotection.gov.cy
Address: [insert latest official address before publication]
18. Marketing communications
We will only send marketing communications, legal updates or newsletters where permitted by law. You may opt out at any time by using the unsubscribe method provided or by contacting us. Withdrawal of marketing consent does not affect the lawfulness of processing carried out before withdrawal.
19. Cookies
The website uses cookies and similar technologies. Essential cookies may be used for site functionality. Non-essential cookies, including analytics cookies, shall be used only where appropriate consent has been obtained. Further information is set out in the Cookies Policy.
20. Updates
This Privacy Policy may be updated from time to time. The latest version should be published on the website with an effective date.
MHAIDAR LAW | Draft website compliance document | To be reviewed before publication
If you have any questions about this document, please contact us at info@mhaidarlaw.com
