Information Letter 

  • We at A.CHR.THEOPHILOU LLC, ANDREAS THEOPHILOU LLC, THEOSERVICES SECRETARIAL LIMITED, THEOSERVICES NOMINEES LTD, THEOSERVICES LTD and DENCHRI LIMITED, (The TSG Group) value and protect and keep confidential any information received from or for our clients in the course of providing our services.

Because of drastic changes during the last 10 years in the rules and regulations relating to “Anti Money Laundering” and “Anti Terrorist Finance” we are obliged to collect sensitive personal information from our clients which we keep confidential in our records.

Nevertheless, there are rules and regulations that professionals like ourselves must comply with.

It is therefore important for us and our clients to set out in writing our PRIVACY POLICY and the GDPR rules that we follow with our clients’ written consent

  • We address matters in a practical manner, straight forward and give you full confidentiality, within the parameters of the EU relevant GDPR Directives and regulations, in the sense of which we are Data Processors.

Our Data Controllers follow and abide by our own duties and liabilities under the applicable GDPR rules. We maintain a register of any processing activity of Personal Data carried out on behalf of the Data Controller in accordance with the obligations specified under the GDPR.

The Personal Data will be processed exclusively within a Member State of the EU or with a Member State of the EEA. Any Transfer of Personal Data to a Country that is not a Member State of either the EU or the EEA requires the prior written consent of the Data Controller and is subject to compliance with the special requirements on transfers of Personal Data to countries outside the EU or EEA.

  • Confidentiality

The Data Processor shall treat all the Personal Data  as strictly confidential information. The Personal Data must not be copied, transferred or otherwise processed in conflict with the instructions given by the Data Controller unless the Data Controller has agreed in writing otherwise and has provided that is permissible under the Applicable Data Protection Laws.

The Data Processor’s assisting employees are also subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data with strict confidentiality and they are aware of the Data Processor’s duties and personal obligations as a Data Processor under the GDPR and this Policy.

  • Qualitative Assurance

The Data Processor has appointed a Data Protection officer (DPO) who shall perform such duties in compliance with the Applicable Data Protection Laws and shall keep Personal Data logically separate to data processed on behalf of any other party.

Access to the Personal Data is restricted to adequately trained employees to whom such access  is necessary and relevant in order to process the Personal Data and shall keep such Personal Data strictly private and confidential and shall minimize disclosure of the Personal Data to third parties to the fullest extent possible. Access to the Personal Data will strictly be permitted on a need to know basis and we are using appropriate “access controls” to ensure these requirements are satisfied. Any recipients of the Personal Data must be subject to a binding duty of confidentiality in relation to such data.

The Processor, shall support the Data Controller if the Data Controller is subject to an inspection by the Supervisory and/or other Competent Authority, or is subject to an administrative or summary offence or criminal procedure or to a liability claim by a Data Subject or by any third party or any claim in connection with our Agreement.

The Processor will permit the Data Controller to monitor compliance with the terms of this Agreement and the Applicable Data Protection Laws.

The Data Processor shall be subject to and will contribute to audits and inspections carried out by the Data Controller.

  • Rights of the Client

If the Data Controller receives a request from a client who wishes to exercise his/her rights under the GDPR, same shall be dealt with the assistance of the Data Processor, by providing the necessary information and documentation within reasonable time and in accordance with the provisions of the GDPR.

If the Data Processor receives a request from a client for the exercise of his/her rights or from the Supervisory Authority and/or other Competent Authority under the Applicable Data Protections Laws, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the client or Supervisory Authority and/or other Competent Authority directly or to any third party, subject only to any legal prohibitions or obligations to report.

  • We always maintain clients’ Personal Data within our premises and we do not transfer them anywhere without the Data Controller’s prior written consent unless required to do so by law. In any event, the Data Processor must inform the Data Controller of their intention to transfer the Personal Data before such transfer takes places (unless relevant legislations prohibits the Data Controller from being notified due to important public interest reasons) and always in compliance to Articles 45 and/or 46 and/or 49 of the applicable GDPR.
  • The Data Processor is liable for losses of any kind including but not limited to loss of revenue, profit opportunity and/or goodwill as a consequence of the Data Processors fraud, negligence or willful misconduct and/or failure by the Data Processor, its employees, sub-processors or agents to comply with any of its obligations under the Agreement.
  • GDPR applies to:
  • Personal data that is processed wholly or partly by automated means.
  • Personal data that is part of a filing system or intended to be.
  • The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. It does not cover Personal Data used in the course of an activity outside of EU law.
  • It applies to controllers not in the EU, but where Member State law applies and where a Processor or data subject from EU is involved.
  • “The protection afforded by GDPR Regulations apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.
  • It applies to processing activities that are related to:
    • Goods or services, irrespective of whether payment is required.
    • The monitoring of data subjects’ behavior within the EU.


  • Basic Rules: 
  • Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Every data subject has the right to launch a complaint with
  • a supervisory authority:
  • Member State of habitual residence;
  • Place of work; or
  • Place of alleged infringement.

Complaints are sent to the company’s DPO which should be accessible to data subjects.

Details of DPO at each time are accessible through:

  • this privacy policy of the company on its website, and/or
  • the contracts signed, and/or
  • consent forms signed.

Our present DPO is Andreas Theophilou for corporate matters and Constantinos Theophilou for legal and other matters.

  • Company has 72 hours to respond and remedy the infringement.

If company does not respond data subject complains to the data protection commissioner

If Commissioner does not respond data subject can go to court and claim damages.

Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.

  • The controller shall be liable for damage caused by processing.
  • The processor is liable only for damage caused by processing or where it has acted contrary to lawful instructions of the controller.
  • Joint and several liability to ensure effective compensation
  • The Appendix titled “INFORMATION SECURITY POLICY “attached hereto forms integral part of our Group’s PRIVACY POLICY-Please read it too.
  • In order for any of our above Companies to start/continue cooperating with clients, any existing and/or new client will have to sign an agreement title “CLIENT’s CONSENT FORM” with details of our GDPR policy which is incorporating this Privacy Policy rules of our