TFI Markets Ltd (the ‘Company’) is a licensed Payment Institution, regulated by the Central Bank of Cyprus (License No. 126.96.36.199/2018) and licensed Investment Firm, regulated by the Cyprus Securities and Exchange Commission (License No. 117/10).
Collection of personal data
In order to apply for an account with TFI Markets, the following personal data might be required from natural persons:
Personal information: Full Name, date and place of birth, nationality, residence address, passport/ID number, FATCA/CRS information (tax residency, tax identification number), contact details (email, telephone, mobile phone, fax), bank account details, employment details (Name of employer and position), information on politically exposed persons (whether the persons holds or held a prominent public function)
Financial Information: Income, Size of Wealth, Source of Funds
c. Documents: ID/Passport and utility bills or bank statements, CV or other relevant experience information
Data may also be collected from other public and non-public sources such as the Registrar of Companies or third party databases used for mitigation of risk, such as World-Check.
The Company does not process personal data in relation to persons who are under the age of eighteen (18), unless there is a legal requirement, only after approval from the legal guardian.
Legal basis for the collection and processing of personal data
Personal data is processed based on the following:
For the fulfilment of contractual obligations: For the execution of transactions either under a Payment Services contract or Investment Services contract. In order to be able to provide services to clients, we are required to collect information about the client’s identity and financial information.
For compliance with legal obligations: Processing of personal data is necessary for compliance of legal obligations arising from various laws such as the European Markets in Financial Instruments Directive (‘MiFID II’) and the relevant Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus, European and Cyprus Laws, Directives and Regulations for the Prevention of Money Laundering and Terrorist Financing, the Common Reporting Standard (‘CRS’), the European Market Infrastructure Regulation (‘EMIR’), the Foreign Account Tax Compliance (‘FATCA’), the Payment Services law and Directive. In order to comply with these laws, the Company is required to follow identity verification procedures and anti-money laundering controls, retain data for certain periods of time and disclose data to supervisory, regulatory and other public authorities.
For other legitimate reasons, such as for developing and marketing the Company’s products and services and for defending the Company in litigation procedures.
Clients are obliged to provide us with their personal data and update them where required, in order for the Company to be able to begin or maintain a business relationship. Failure to provide such information will prevent the Company to comply with its legal obligations and thus may result to the rejection of an application for an account or the closure of an existing account.
Recipients or categories of recipients of personal data
During the course of business and in order to fulfil the Company’s contractual and legal obligations, personal data may be disclosed to:
The Company’s Auditors, Lawyers, Bankers, Consultants, subject to confidentiality agreements
Supervisory, regulatory and other public authorities, upon request or where required.
Third party processors such as companies offering technological solutions and support, file storage and records management companies.
All data processors appointed by us to process personal data on our behalf are bound by contract or other Confidentiality or Non-Disclosure Agreement to comply with the GDPR provisions.
International transfer of personal data
Period for which personal data are stored
Personal data are kept for the duration of the business relationship and for further five (5) years after the termination of the business relationship, unless otherwise instructed by a competent authority. Data may be kept longer where legal proceedings or investigations by public authorities are pending.
Clients have the following rights with respect to their personal data the Company controls and processes:
The right to request and get copies of, their personal data
The right to request the correction of inaccurate personal data
The right to request erasure of their personal data, where the Company’s other legal obligations allow it
The right of their data portability to another data controller
The right to object to the processing of their personal data. In such case, the Company shall no longer process the specific personal data, unless it demonstrates on compelling legitimate grounds for the processing. Clients can also object at any time to processing of their personal data for direct marketing purposes.
The right to request restriction of processing of their personal data where one of the following applies
the accuracy of their personal data is contested, for a period of time, until the Company verifies their accuracy
the processing is unlawful and the client opposes the erasure of their personal data and requests restriction of their use instead
the Company no longer needs their personal data for the purposes of the processing , but they are required by the data subject for the establishment, exercise or defence of legal claims
the data subject has objected to processing and is expecting verification from the Company whether legitimate grounds of the controller override those of the data subject
Automated decision making and profiling
The decision to establish a business relationship with a potential client is not based on automated processing of personal data.