Vita Markets Privacy Policy
1. Introduction
This Privacy Policy (‘Privacy Policy’) is issued by VM VITA MARKETS LTD (‘VM’, the ‘Company’, ‘we’, ‘us’, or ‘our’) and concerns natural persons who are current or potential customers of VM, who act as authorised representatives of legal entities or natural persons which/who are current or potential customers of VM, or who are the directors or beneficial owners of legal entities that are current or potential customers of VM (together, ‘you’, ‘Data subject’). This Privacy Policy also concerns natural persons who had such a business relationship with VM in the past.

VM respects your privacy and is committed to handling your personal data with transparency and integrity. When processing personal data provided by you, VM is subject to the provisions of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), Cyprus Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018) and any applicable data protection laws or regulations of the Republic of Cyprus. VM acts as a Controller of your personal data under GDPR, which means that it determines solely or jointly with others, the purposes and means of the processing of your personal data.

This Privacy Policy provides, inter alia, information on the following key areas:
a. the categories of personal data that are collected and processed by VM and the purposes of that processing;
b. the legal basis for the processing of your personal data;
c. the recipients or categories of recipients of your personal data;
d. the principles relating to the processing of your personal data;
e. your rights under applicable legislation and an explanation of how those rights can be exercised.
2. Who we are
VM is a licensed investment firm, registered in Cyprus with registration number HE 364831 and regulated by the Cyprus Securities and Exchange Commission (‘CySEC’) under license number 373/19 issued on 28 January 2019.

VM’s registered office address is at Markou Botsari, 3, 2nd and 3rd Floor, 3040, Limassol, Cyprus.

If you have any questions or concerns relating to the processing of personal data by VM, you can contact us by:
Email at: info@vita-markets.com
Letter to office address: Pindarou 14, 3095, Limassol, Cyprus
Website: https://vita-markets.com
3. Personal data
For the purposes of this Policy, ‘personal data’ means any information relating to you that identifies you, directly or indirectly.

Personal data includes but is not limited to the following types of personal data which may be received on a legal basis by the Company from you, third parties or publicly accessible sources in connection with each contractual relationship: data specified in questionnaires and other fill-in forms, photo and video footage of the individual, passport, identification card, address details, CV, IP address, bank account details, data of contracts, data on the opened accounts, data on transactions performed by you or on behalf of you and generally any information which may identify you or make you identifiable.

‘Processing’ means any operation or set of operations which is performed on personal data, such as collection, recording, storage, use, disclosure, erasure or destruction.

Personal data may be processed by automated means or not by automated means.
4. Collection of personal data
In order to register for a personal account with VM, the following personal data is required from you:
a. Personal information such as your name, date and place of birth, citizenship, nationality, home address, passport/ID number, FATCA/CRS information (tax residency, tax identification number), contact details (telephone, email), bank account details, occupation and information on whether you hold/held a prominent public function (for PEPs);
b. Financial information such as your income, source of funds and investment objectives;
c. Documents and biometric data that verify your identity and residency (e.g. an international passport or national ID and utility bills or bank statements and other relevant acceptable documents, biometric data for face match/liveness check).

We may also collect and process personal data from public sources (e.g. the Department of Registrar of Companies and Official Receiver, the press, the internet) as well as from risk management suites such as the World-Check database.
5. Children’s data
VM does not provide any services to children, nor does it process any personal data in relation to children, where ‘children’ are individuals who are under the age of eighteen (18).
6. Legal basis for the processing of your personal data
The protection of your privacy and personal information is of great importance to us. Your personal data is processed lawfully, fairly and in a transparent manner on the following bases:

a. For the performance of a contract
The processing of your personal data is necessary for the performance of a contract, namely the trading agreements to which you are party, or in order to take steps at your request prior to entering into a contract. In order to be able to render investment services to you and administer our relationship, we need to collect certain information about your identity, financial background and investment objectives.

b. For compliance with a legal obligation
The processing of your personal data is necessary for compliance with the legal obligations emanating from a number of laws to which VM is subject, e.g. the European Markets in Financial Instruments Directive (‘MiFID II’) and the corresponding Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus, the European and Cyprus legislation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, the Market Abuse Regulation (‘MAR’), the European Market Infrastructure Regulation (‘EMIR’), the Common Reporting Standard (‘CRS’), the Foreign Account Tax Compliance Act (‘FATCA’). Compliance with these legal obligations requires, inter alia, identity verification procedures and processes, anti-money laundering controls, the retention of personal data for a certain period of time, the disclosure of personal data to the supervisory and other regulatory and public authorities, etc.

c. For the purposes of the legitimate interests pursued by VM
The processing of your personal data is necessary for the purposes of the legitimate interests pursued by VM, where those interests do not infringe your interests, fundamental rights and freedoms. These legitimate interests include business or commercial interests and examples of relevant processing activities include: preparing our defense in litigation procedures; preventing fraud and money laundering activities; managing business and further developing and marketing of products and services.
7. Your obligation to provide us with your personal data
The provision of your personal data is a requirement necessary to enter into a contract with VM, and as a client of VM you will have a statutory and contractual obligation to provide the personal data set out in paragraph 7 of this Privacy Policy and to keep it accurate and up to date. Failure to provide such data will not allow us to commence or continue our business relationship, as compliance with our legal obligations will be deemed impossible.
8. Recipients or categories of recipients of your personal data
In the course of the performance of our contractual and statutory obligations and for legitimate business purposes, your personal data may be disclosed to:
a. Supervisory and other regulatory and public authorities, upon request or where required. Some examples are the Cyprus Securities and Exchange Commission, the Unit for Combating Money Laundering (MOKAS), criminal prosecution authorities.
b. Auditors, lawyers, consultants and other outside professional advisors of VM, subject to confidentiality agreements.
c. Third party processors such as payment services providers, brokers, custodians, trading venues, banks, market data providers, companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support, file storage and records management companies, or third persons involved in the Data subject’s servicing and marketing, located in both EU and non-EU countries. All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions.
9. International transfer of personal data
Your personal data may be transferred to third countries (i.e. countries outside the European Economic Area (‘EEA’)), to recipients mentioned above, in connection with the purposes set out in this Privacy Policy. We may transfer your personal data to countries that may have different laws and data protection compliance requirements; however, processors in third countries are obliged to comply with the European data protection standards when processing your personal data.

Pursuant to the GDPR personal data may only be transferred outside the EEA in the context of the following:
a. Where the transfer is made to a third country which affords, in accordance with the European Commission, the same level of protection as that of the GDPR regime. The list of the above mentioned countries can be found at the following link: https://ec.europa.eu/info/law/law-topic/data-protection/internationaldimension-data-protection/adequacy-decisions_en, or
b. Where the recipient of the data has adequate safeguards in place to ensure the same level of protection as specified in the GDPR regime. Examples of how this is achieved are having in place (i) binding corporate rules within corporate groups, and (ii) adequate data protection clauses in contracts governing the relationship between the Company and third country processors, or
c. Where the recipient of the data does not have adequate safeguards in place, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the conditions specified in Article 49 of GDPR.

Where we transfer your personal data to third countries, we may transfer it to service providers which have appropriate safeguards in place.

The appropriate safeguards referred to in the previous paragraph may be provided for, without requiring any specific authorisation from a supervisory authority, by:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47 of GDPR;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) of GDPR;
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) of GDPR;
(e) an approved code of conduct pursuant to Article 40 of GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
(f) an approved certification mechanism pursuant to Article 42 of GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
10. Principles relating to the processing of your personal data
We have implemented appropriate technical and organisational measures to ensure appropriate security of your personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. We take reasonable steps to ensure that your personal data that we process are accurate and, where necessary, kept up to date. From time to time we may ask you to confirm the accuracy of your personal data. We take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. We also make sure that all personal data we collect are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
11. Period for which your personal data will be stored
The retention of data is closely linked with the lawful basis under which the same is obtained and processed. More specifically, the Company, being a regulated investment firm in Cyprus, is obliged to retain its records for a period of at least 5 years. We may keep your data for longer if we cannot delete it for legal or regulatory reasons. The personal data retention period is based on the following main regulatory requirements:
  1. The Markets in Financial Instruments Directive (‘MiFID II’) and the corresponding Cyprus laws for the provision of investment services – five (5) years
  2. Investment Services and Activities and Regulated Markets Law of the Republic of Cyprus (L.87(1)/2017) - recording of telephone conversations or electronic communications relating to transactions concluded during the provision of client order services that relate to the reception, transmission and execution of client orders and those that are intended to result in transactions concluded in the provision of client order services, that relate to the reception, transmission and execution of client orders, even if those conversations or communications do not result in the conclusion of such transactions or in the provision of client order services shall be kept for a period of five (5) years and, where requested by the competent authority, for a period of up to seven (7) years.
  3. Applicable European and Cyprus legislation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing – five (5) years after the termination of business relationship with the client or since carrying out of the last transaction;
  4. FATCA, CRS – collected information must be maintained by the Company for a period of six (6) years from the end of the period in which the territory of the client’s tax residence is identified.
  5. The retention of data is not limited in time in the case of pending legal proceedings or an investigation initiated by a public authority, provided that in each case the Company has been informed of the pending legal proceedings or the investigation initiated by a public authority within the retention period described hereinabove.
12. Rights of individuals (Data subjects)
You have the following rights regarding your personal data we control and process:
a. Right to Access: the right to request access to, or copies of, your personal data, together with information regarding the processing of those personal data.
b. Right to Rectification: the right to request rectification of any inaccurate personal data concerning you.
c. Right to be Forgotten: the right to request, on legitimate grounds and where there is no good reason for us continuing to process it, erasure of your personal data. This right extends to the right of data subjects to withdraw their consent for data processing where controllers and/or processors process your personal data on the basis of your consent and puts an obligation to controllers and/or processors to adhere to this. Please note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn by you.
d. Right to object: you have the right to object on grounds relating to your particular situation, to the processing of your personal data which is based on a legitimate interest pursued by VM. We shall no longer process your personal data, unless we demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedom or for the establishment, exercise or defense of legal claims. You also have the right to object where your personal data are processed for direct marketing purposes, and we shall stop the processing of your personal data for such purposes.
e. Restriction of Processing: the right to request restriction of processing of your personal data where one of the following applies:
i. your personal data is not accurate, and we need to stop processing it until we verify it,
ii. your personal data has been used unlawfully,
iii. we no longer need your personal data for the purposes of the processing, but you want us to keep it for use in possible legal claims, and
iv. you have already objected to the processing of your personal data and you are waiting for us to confirm if we have legitimate grounds for the processing of your data.
f. Data Portability: VM is placed under an obligation to provide the Data subject with all data concerning him and which he has provided to the Company, in a structured, commonly used and machine-readable format, and to transmit those data to another controller, where:
i. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
ii. the processing is carried out by automated means.
g. Right to lodge a complaint: you have the right to lodge a complaint regarding the processing of your personal data by us. You can lodge your complaint by completing our complaints form (www.vitamarkets.com).

If you feel that your concerns have not been adequately addressed by us, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus.
You can find information about submitting a complaint on their website (www.dataprotection.gov.cy).
13. Decision-making and profiling
The decision to establish a business relationship with you is not based on automated processing of your personal data. We may process some of your data, in order to assess certain personal aspects relating to you (profiling), which will enable us to perform a contract with you, in the following cases:
a. Appropriateness assessment: Using the answers you provide through our online questionnaire, we assess the appropriateness of services or products based on your knowledge and experience. In case the Company, based on the results of this appropriateness assessment, decides that services or products are not appropriate for you, it may refrain from offering such services or products to you.
b. Suitability assessment: The Company must, when providing the investment service of portfolio management or investment advice, obtain the necessary information regarding the client's or potential client's knowledge, experience, financial status, investment objectives and ability to bear losses so as to be able to recommend the services and products that are suitable to the client’s profile. Using the answers you provide through our online questionnaire, our system and VM officers assess the suitability of particular services and products for you.
c. Monitoring of clients’ accounts and transactions: The information received during the onboarding process is compared with your actual trading activity, deposits and withdrawals. Data assessments, including transaction monitoring, are carried out in the context of combating money laundering and fraud.
14. Changes to this Privacy Policy
At any time, the Company may amend this Privacy Policy by posting the new version of the Privacy Policy on its website: www.vita-markets.com. You are encouraged to review this Privacy Policy periodically, so that you are always informed about how we are processing and protecting your personal data.