1. Introduction
Company (“we,” “our,” “us”) values your privacy and is committed to safeguarding your personal data in compliance with the General Data Protection Regulation (GDPR) and the Cyprus Data Protection Law. This privacy policy explains how we collect, process, store, and protect your personal data and sets out your rights.
Company adheres to the highest standards of data protection and employs advanced security measures to ensure your personal data is safe, both from a technological and organizational perspective. We continuously monitor and update our practices to ensure compliance with the GDPR and any relevant local and international legal frameworks.
2. Scope of the Policy
This privacy policy applies to all personal data collected by Company through our website, services, and related interactions. It covers data collected from clients, website visitors, business partners, and employees where applicable.
3. Data We Collect and Process
Company processes various types of personal data, including but not limited to:
Personal Identification Data: Full name, identification numbers, passport/ID numbers, tax numbers.
Financial Data: Credit/debit card information, bank account details, and payment transaction records.
Communication Data: Correspondence, emails, contact forms, and any other communication made through our website or services.
Technical Data: IP address, device details, browser type, geolocation, operating system, login data, and behavioral tracking data from cookies (if consented).
Special Categories of Personal Data: Health information or other sensitive data that may be relevant to specific cases, processed under explicit consent only and in accordance with Article 9 of the GDPR.
We ensure that the collection of personal data is proportionate and limited to what is necessary for the stated purposes.
4. Legal Bases for Processing
Company processes personal data under the following legal grounds:
Consent: When you provide explicit consent for the processing of your data, particularly where special categories of data are involved.
Contractual Necessity: When processing is required to fulfill a contract between you and Company or to take pre-contractual steps at your request.
Legal Obligation: To comply with legal and regulatory requirements such as Anti-Money Laundering (AML), Know Your Customer (KYC), and Tax Laws. (Relevant legal frameworks include: GDPR, Cyprus Data Protection Law, Cyprus AML Laws)
Legitimate Interests: Where the processing of data is necessary for the legitimate interests pursued by Company or third parties, provided such interests are not overridden by the rights and freedoms of the data subjects.
5. Data Retention Policy
Company retains personal data only as long as necessary to fulfill the purposes for which it was collected and in compliance with legal obligations. Data may be retained for longer periods where necessary for regulatory, legal, or security purposes, particularly in relation to potential litigation.
Once personal data is no longer required, it is securely deleted or anonymized in a manner consistent with GDPR regulations. Our retention schedule takes into account specific statutory requirements, including for tax and anti-money laundering purposes, which may mandate longer retention periods.
6. Data Sharing and Disclosure
Company may share your personal data with third parties in the following scenarios:
Service Providers and Partners: We may share data with trusted third-party service providers who assist us in delivering services such as cloud hosting, payment processing, IT services, or other operational functions. These third parties are bound by strict confidentiality agreements and GDPR-compliant data protection clauses.
Legal and Regulatory Authorities: Company may disclose personal data to law enforcement, regulatory bodies, or judicial authorities when required to comply with legal obligations or to protect our legal interests. This includes, but is not limited to, compliance with CySEC regulations and with our obligations under the applicable AML legislation.
Corporate Transactions: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner, provided that the new entity continues to ensure the same level of data protection required by GDPR.
We implement stringent vetting processes to ensure that any third parties handling personal data for Company maintain the same high standards of data protection.
7. International Data Transfers
Company may transfer your personal data outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place:
Transfers are subject to the Standard Contractual Clauses (SCCs) approved by the European Commission.
Transfers are made to countries that have been recognized by the European Commission as having an adequate level of data protection.
In the absence of adequacy decisions, data transfers are subject to strict contractual obligations and security measures, as required under GDPR.
8. Data Security Measures
We take data security seriously and employ multi-layered security measures to protect your data:
Encryption: Personal data is encrypted in transit using TLS and at rest using AES-256, so that data cannot be read by anyone who intercepts network traffic or obtains the underlying storage media without the corresponding keys.
Multi-Factor Authentication (MFA): Access to systems that store or process personal data is restricted by MFA, ensuring only authorized personnel can access sensitive data.
Regular Security Audits: Company conducts regular audits, penetration testing, and vulnerability assessments to proactively identify and address potential threats. Independent auditors may be engaged for critical systems to ensure compliance with global security standards.
Incident Response and Breach Notification: In compliance with Articles 33 and 34 of the GDPR, Company has implemented a breach notification policy. Any personal data breach that is likely to result in a risk to your rights and freedoms will be reported to the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after we become aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, affected individuals will also be notified without undue delay.
Additionally, Company maintains comprehensive cyber insurance to mitigate risks arising from data breaches or cyberattacks.
9. Data Protection Impact Assessments (DPIA)
Company conducts Data Protection Impact Assessments (DPIA) for processing activities that are deemed high-risk to data subjects. This includes any large-scale processing of special categories of data, profiling activities, or cross-border data transfers that involve a significant risk to individual privacy.
For more on DPIAs, visit: DPIA Guidelines.
10. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
Right of Access: You have the right to request access to the personal data we hold about you, including details of how we process it.
Right to Rectification: You may request the correction of any inaccuracies in your personal data.
Right to Erasure (“Right to be Forgotten”): In certain cases, you can request that we delete your personal data, provided it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent.
Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data under specific conditions.
Right to Data Portability: Where processing is based on your consent or on a contract and is carried out by automated means, you may request the personal data you have provided to us in a structured, commonly used, and machine-readable format, and ask that we transmit it to another service provider where technically feasible.
Right to Object: You can object to our processing of your personal data, particularly where we rely on legitimate interests as a basis for processing.
Right to Withdraw Consent: You have the right to withdraw consent at any time, where processing is based on consent.
To exercise your rights, please contact our Data Protection Officer (DPO) at [email address].
11. Cookies and Tracking Technologies
Company uses cookies and other tracking technologies on our website to enhance user experience, analyze traffic, and tailor content to your preferences. Our use of cookies complies with the ePrivacy Directive and GDPR’s consent requirements. For more details, please refer to our [Cookie Policy].
12. Data Breach Response Plan
In the event of a data breach, Company has implemented a detailed incident response protocol that includes:
Immediate Containment: All affected systems will be isolated, and investigations will begin immediately.
Assessment and Notification: A full assessment will be conducted to determine the scope and potential harm of the breach. Where the breach is likely to result in a risk to the rights and freedoms of individuals, the Cyprus Data Protection Commissioner will be notified without undue delay and, where feasible, within 72 hours of our becoming aware of it; where the breach is likely to result in a high risk, affected individuals will be notified without undue delay.
Post-Incident Review: We will perform a thorough review of our security practices to ensure that such incidents are prevented in the future.
For more on breach reporting, visit: GDPR Breach Notification.
13. International Corporate Structure
Company operates globally through subsidiaries and affiliates. All personal data shared within our group is handled with strict compliance to GDPR and this privacy policy. International data transfers within our group are governed by Binding Corporate Rules (BCRs).
14. Updates to This Policy
Company reserves the right to modify or update this policy as necessary to reflect legal, regulatory, or operational changes. Any significant changes will be communicated through our website or via email.
15. Contact Us
If you have any questions about this privacy policy or how Company handles your personal data, please contact:
Wonder Food Public Company Limited
Business Address: 30 Chytron Street, Office A31, Third floor, 1075 Nicosia, Cyprus
info@wonderfood.cy
You may also file a complaint with the Cyprus Data Protection Commissioner if you believe we are in violation of your rights under GDPR:
Cyprus Data Protection Commissioner