
Privacy Notice (GDPR)
MKS Audit & Consulting Ltd
Original effective date: 25 May 2018
Last updated: 08 December 2025


1. About this notice
This Privacy Notice explains how MKS Audit & Consulting Ltd ("MKS", "we", "us") collects and processes personal data and how we protect the rights of individuals under Regulation (EU) 2016/679 (the General Data Protection Regulation – "GDPR"). It applies to personal data we process in the course of providing professional services, operating our website, recruiting, and running our business.
This notice is provided to meet the transparency requirements in Articles 13 and 14 GDPR. It is not a contract and does not create legal rights or obligations beyond those set out in the GDPR and other applicable law.

​

2. Who we are and how to contact us
Controller (in most cases): MKS Audit & Consulting Ltd
Registered number: HE 322959
Registered office: 52 Archiepiskopou Makariou III, Ydrogios Tower, 2nd and 3rd Floor, 6017 Larnaca, Cyprus
Telephone: +357 24 823111
Data Protection Officer (DPO) / data protection contact:
Email: dpo@mks.cy

 

3. Our role: controller and processor
MKS may act as either a controller or a processor depending on the circumstances:
• Controller: where we determine the purposes and means of processing (for example, when we deal directly with clients and prospects, carry out AML/KYC onboarding, manage our own suppliers, operate our website, run recruitment, issue invoices, and comply with our own legal obligations).
• Processor: where we process personal data on behalf of a client who is the controller (for example, payroll processing, certain accounting/bookkeeping activities, or other services where we act on a client’s documented instructions).
If MKS acts as a processor, the relevant client (controller) is responsible for providing a privacy notice to the individuals concerned. If you contact us to exercise your rights in relation to processing we perform as a processor, we may need to direct you to the relevant controller, or assist the controller in responding, in accordance with our contractual obligations.

 

4. Who this notice covers
This notice may apply to you if you are:
• a client (or a representative, beneficial owner, director, officer, employee, or contact person of a client);
• a prospective client or business contact;
• a supplier, subcontractor, or professional adviser (or their personnel);
• a job applicant or candidate; or
• a visitor to our website or someone who contacts us through our website or other channels.

 

5. Children
Our services and website are not directed to children and we do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at dpo@mks.cy and we will take appropriate steps to delete the information unless we are required or permitted to keep it under applicable law.

 

6. Personal data we collect
Depending on our relationship with you and the services involved, we may collect the following categories of personal data:
• Identity and contact details: name, address, email, phone number, date and place of birth, nationality, identification numbers and copies of identity documents (where required).
• Professional information: employer, job title, role, professional qualifications, and business contact details.
• Financial and transaction data: bank account details, invoices, payments, records necessary for accounting, audit, tax, advisory, or other professional services.
• Client due diligence / AML-KYC data: information required to meet AML/CFT obligations such as identification information, ownership and control information, source of funds/wealth information (where appropriate), and screening results.
• Criminal record certificates (where required): certificates of clean criminal record or equivalent documentation, where needed for acceptance/continuance and AML/KYC screening.
• Website and technical data: IP address, device identifiers, browser type, operating system, referral URLs, usage data, and cookie-related information.
• Communications: correspondence with us (emails, letters, call notes) and information you provide through forms.
• Recruitment data: CVs, employment history, education, references (where provided), interview notes, and information necessary to assess suitability for a role.
Special categories of personal data (Article 9 GDPR). We do not seek to collect special categories of personal data as part of normal business-to-business services. However, depending on the services and circumstances (for example, employment-related matters), we may occasionally process special categories of data where necessary and only with an appropriate legal basis and safeguards.

 

7. Sources of personal data
We may obtain personal data from:
• you directly (for example, when you contact us, engage us, or provide information);
• our clients (where you are a representative/employee/beneficial owner of a client, or where we act as a processor on the client’s instructions);
• publicly available sources (for example, company registries, professional registers, and websites);
• service providers that support our AML/KYC processes and other business operations (where permitted by law); and
• competent authorities and other third parties where required or permitted by law.
Where personal data have not been obtained directly from you, we will provide you with the information required by Article 14 GDPR within the time limits set by the GDPR (generally within one month of obtaining the data, or earlier where required).

 

8. How we use personal data and our lawful bases
We will only process personal data where we have a lawful basis under the GDPR. The main purposes and lawful bases are set out below.
Purpose | Examples of processing | Lawful basis (GDPR Article 6 / where relevant Article 9 or 10)
Provide professional services and manage our engagement | Deliver audit, accounting, tax, advisory, payroll and related services; communicate with you; manage files and working papers. | Performance of a contract or steps before entering a contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) in providing and improving professional services; Legal obligation where required (Art. 6(1)(c)).
Client acceptance and continuance; AML/KYC and compliance screening | Identify and verify clients and beneficial owners; risk assessment; obtain and review supporting documentation; ongoing monitoring where required. | Legal obligation (Art. 6(1)(c)) under AML/CFT and other applicable laws; Legitimate interests (Art. 6(1)(f)) in preventing fraud, protecting our business and reputation. For criminal record certificates and related data: processing is carried out only where authorised/permitted by applicable law for compliance purposes (Art. 10, together with Art. 6(1)(c) and appropriate safeguards).
Operate our business (administration, finance, quality and risk management) | Billing and payments; record keeping; internal reporting; audits of our own business; insurance; IT and security operations. | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) in efficient and secure business administration.
Communications and business development | Respond to enquiries; maintain business contact lists; send service updates and invitations. | Legitimate interests (Art. 6(1)(f)) in developing our business and maintaining relationships; Consent (Art. 6(1)(a)) where required by applicable marketing rules.
Recruitment | Assess candidates; arrange interviews; make hiring decisions; keep records of recruitment processes. | Legitimate interests (Art. 6(1)(f)) in recruiting staff; Contract steps (Art. 6(1)(b)) for prospective employment; Legal obligation (Art. 6(1)(c)) where applicable.
Legal claims and compliance | Establish, exercise or defend legal claims; comply with court orders; cooperate with competent authorities. | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)); and where applicable the legal claims basis for special category data (Art. 9(2)(f)).
Website operation and analytics | Provide website functionality; maintain security; understand website usage. | Legitimate interests (Art. 6(1)(f)) in operating and securing our website; Consent (Art. 6(1)(a)) for non-essential cookies/technologies where required.
Where we rely on legitimate interests, we have considered your rights and interests and put safeguards in place. You have the right to object to processing based on legitimate interests (see Section 12).

 

9. Whether you must provide personal data
In some cases, we must collect personal data to meet legal obligations (for example, AML/KYC requirements) or to enter into or perform a contract with you. If you do not provide information that is necessary for these purposes, we may be unable to provide services or to continue a business relationship, or we may be required to terminate the engagement.

 

10. Who we share personal data with
We may disclose personal data to the following categories of recipients, where necessary for the purposes described in this notice:
• Approved service providers and subcontractors (including IT support, hosting and cloud services, communications providers, cybersecurity, document management, and other providers that support our business operations).
• Service providers that support our AML/KYC procedures (for example, identity verification and screening support providers), where permitted and required.
• Professional advisers and auditors (for example, lawyers, accountants, consultants, insurers).
• Banks and payment service providers (where needed for payments).
• Competent authorities, regulators and law enforcement (including tax authorities, supervisory authorities, and other public bodies) where required or permitted by law.
• Courts, tribunals, and parties to legal proceedings where necessary.
Where we use service providers/subcontractors to process personal data on our behalf, we require them to keep the data confidential, implement appropriate security measures, and only process the data in accordance with our instructions and applicable law.

 

11. International transfers
We generally process and store personal data within the European Economic Area (EEA). If, in limited circumstances, personal data needs to be transferred outside the EEA, we will only do so in accordance with Chapter V GDPR (for example, using an adequacy decision, Standard Contractual Clauses, or another appropriate transfer mechanism), and we will provide information about the safeguards upon request. If we become aware of any material change to our transfer practices, we will update this notice accordingly.

 

12. How long we keep personal data
We keep personal data only for as long as necessary for the purposes described in this notice, taking into account the nature of the data, the purposes of processing, legal and regulatory requirements, and limitation periods.
Category / context | Typical retention period (subject to legal requirements and case-specific factors)
Client files and engagement records (including working papers) | For the duration of the engagement and thereafter for a period required by applicable law and professional/regulatory obligations, and to manage legal claims. Retention may vary by service line and file type.
AML/KYC and CDD records (including identification documents and screening records, and where required criminal record certificates) | Typically 5 years after the end of the business relationship or completion of an occasional transaction; in limited cases where reasonably justified, records may be kept for up to an additional 5 years (maximum 10 years).
Invoices, accounting and tax records of MKS | As required by applicable accounting and tax laws.
Business communications and correspondence | As long as necessary to manage the relationship and for record-keeping and legal purposes.
Recruitment records | For the duration of the recruitment process and for a limited period afterwards to deal with queries and legal claims; if you consent to our keeping your details for future opportunities, we will retain them for the period stated at the time of consent.
Website logs and security records | Typically for a limited period required for security, troubleshooting and analytics, unless an incident requires longer retention.
We may retain personal data for longer where required by law, where we need it to establish, exercise or defend legal claims, or where it is needed for ongoing investigations or regulatory requests.

 

13. Your rights
Subject to applicable conditions and exceptions, you have the following rights under the GDPR:
• Right of access – to request confirmation of whether we process your personal data and receive a copy.
• Right to rectification – to request correction of inaccurate or incomplete data.
• Right to erasure – to request deletion of your personal data in certain circumstances.
• Right to restriction – to request that we limit processing in certain circumstances.
• Right to data portability – to receive certain data in a structured, commonly used and machine-readable format and transmit it to another controller where applicable.
• Right to object – to object to processing based on legitimate interests and to object to direct marketing at any time.
• Right to withdraw consent – where processing is based on consent, you may withdraw consent at any time (withdrawal does not affect the lawfulness of processing before withdrawal).

 

14. Automated decision-making
MKS does not carry out solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

 

15. How to exercise your rights and contact us
To exercise your rights or ask questions about this notice, please contact our DPO at dpo@mks.cy. We may need to verify your identity before responding. We will respond within the time limits required by the GDPR.

 

16. Right to complain
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the supervisory authority in Cyprus:
Office of the Commissioner for Personal Data Protection
Office address: Kypranoros 15, 1061 Nicosia, Cyprus
Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus
Telephone: +357 22 818456
Fax: +357 22 304565
Email: commissioner@dataprotection.gov.cy
Website: www.dataprotection.gov.cy
We would, however, appreciate the opportunity to address your concerns first. Please contact us at dpo@mks.cy.
 

17. How we protect personal data
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures may include access controls, staff confidentiality and training, encryption where appropriate, backups, and physical security controls. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

 

18. Cookies and similar technologies
Our website may use cookies or similar technologies. Where required by law, we will obtain your consent for non-essential cookies. You can manage your cookie preferences through your browser settings and any cookie preference tools made available on our website.

 

19. Changes to this notice
We may update this notice from time to time to reflect changes in legal requirements, our processing activities, or our services. The "Last updated" date at the top of this notice indicates when it was most recently revised.

 

20. Additional notices
In some contexts we may provide additional or more specific privacy information (for example, a candidate privacy notice for recruitment, or service-specific notices where we act as a processor). Where such notices are provided, they should be read together with this Privacy Notice.
Our website may also provide a separate Cookie Notice/Policy describing cookies and similar technologies in more detail.

 

21. Definitions
• EEA means the European Economic Area (the EU plus Iceland, Liechtenstein and Norway).
• Personal data means any information relating to an identified or identifiable natural person.
• Processing means any operation performed on personal data, such as collection, use, storage, disclosure or deletion.
• Controller means the person or organisation that determines the purposes and means of processing personal data.
• Processor means the person or organisation that processes personal data on behalf of a controller.
