The protection of natural person in relation to the processing of personal data is a fundamental right. The right to the protection of personal data must be considered in relation to its function in society and be balanced to other fundamental rights in accordance with the principle of proportionality.
Nowadays, rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing personal data has increased significantly. Natural persons increasingly make personal information available publicly and globally.
The regulation 2016/679 was voted on the 27/04/2016 and it will be in full force on the 25/05/2018 in all Member States. It has been approved as a unite Legal framework, abolishing the older legislation.
The establishment of the united legal framework, sets a series of obligations and restrictions in the organisations relevant to:

  1. Processing of the personal data in all the time of their living
  2. Possibility of transferring them in other countries
  3. Protection of the rights of the natural persons
  4. The security (confidentiality, availability, and integrity) of the personal data.
  5. The disclosure actions that the organisation is obliged to implement in cases of infringement.

The new regulation increases the obligations of the organisations and at the same time gives the size of the penalties and fines (up to 20 million euros or the 4% of the worldwide turnover).
The government organisations, the public and private companies which concentrate, collect, process and handle in general, the personal data which are related to customers, clients, employees, associates, or other natural persons are covered by the regulation which also covers all the organisations established within and out of the European Union provided that the data are related to E.U. Citizens.
The organisations and companies that are under the scope of the regulation must:

  1. Comply and obey the basic principles of the protection of the personal data and therefore to collect these data for specific reason and as many of them are required as important.
  2. It is forbidden the in a incompatible way- extra processing of the data, under the reason of the updating.
  3. To implement electronic tools relating to the prompt and free of charge response on requests regarding data;
  4. To keep records and communicate every infringement to the Authority of Protection of Personal Data within 72 hours. The communication shall be done also to the natural persons directly, or within a public announcement.
  5. To transfer the data outside the Union, under certain circumstances. The transfer could take place only if, subject to the other provisions of the Regulation, the conditions laid down in the provision of the Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
  6. To store them for the minimum required term, receiving ad hoc the consent of the of the natural persons.
  7. To approve sufficiently that all the requirement of the Regulation are satisfied.

Companies that are covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.
Under the GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator.
The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. The regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union Institutions and bodies and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium sized enterprises in the application of the Regulation.

The protection afforded by the Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. The Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of the Regulation are met. In order to be able to demonstrate compliance with the Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

Therefore, a strong and more coherent data protection framework is required. The regulation, in order to ensure a consistent and high-level of protection of natural persons and to remove the obstacles to flows of personal data the level of protection of the rights and freedom shall be equivalent.
The scope of strengthen and set out in details of the rights of data subjects seems an effective protection. Simultaneously those who process and determine the processing of personal data shall be obliged to comply with the requirements of the regulation giving a continuing monitoring and compliance in order to reduce as much as possible the infringements.

Country by Country Reporting (CbC)

The Ministry of Finance in late December 2016 issued a decree to align provisions of Cypriot tax law with the requirements of EU Council Directive (EU) 2016/881 adopting the recommendations of the OECD base erosion and profit shifting (BEPS) Action Plan 13 on country-by-country (CbC) reporting.

Cyprus CbCR requirements took effect on 1 January 2016. The Cyprus CbCR requirements require certain Cyprus parented groups, and in specific instances, domestic subsidiaries of foreign parented groups, to report data on revenues, profits, taxes paid/accrued, capital, accumulated earnings and employee numbers, along with other data on a CbC basis for the group to the Cyprus Tax Department (the Tax Department).

The Decree also includes an obligation for Cypriot constituent entities to make an annual notification confirming the identity and jurisdiction of tax residence of the CbC reporting entity.

The deadline for the notification for the year 2016 has been extended to 20 October 2017 and requires Cypriot companies to notify the Tax Department electronically to confirm the name, identity and tax residence of the CbC reporting entity.

Reporting entity of MNE Group
The CbC report must be prepared and submitted to the Tax Department for the year starting on 1 January 2016, if the annual consolidated group revenue exceeds €750 million by:

  • Ultimate Parent Entity (UPE) of an MNE Group which is tax resident in Cyprus.
  • Surrogate Parent Entity (SPE) of an MNE Group which is tax resident in Cyprus and has been appointed by the MNE Group as the reporting entity for CbCR.

The deadline to file the CbC report with the Tax Department is 12 months from the end of the relevant accounting period (e.g., for groups with year-end 31 December 2016, the reporting deadline is by 31 December 2017).

Maintenance of books and records
The Decree provides that the Tax Department may request books and records from the Reporting Entity explaining and supporting the information disclosed in the CbC report, no matter if the records are kept in Cyprus or outside Cyprus. The Reporting Entity is required to maintain the books and records for a period of six years.

Electronic submission
The submission of both the notification and the CbC report shall be completed annually in the English language and submitted electronically via Ariadne. Detailed guidance regarding the electronic submission of the notification and of the CbC report is expected to be issued shortly by the Tax Department.

Penalties
Penalties will introduce in Cyprus Companies with respect to non-compliance with CbCR.

Contact
Financial Controller
Andreas Avgousti
Andreas.Avgousti@aretilaw.com

A new market called the Emerging Companies Market (“ECM”) of the Cyprus Stock Exchange (“CSE”) benefits from a simplified regulatory regime specifically designed for small and emerging companies. ECM of CSE is considered as a Multilateral Trading Facility (MTF) according to “the provision of Investment Services, the exercise of investment activities, the operation of regulated markets and other related matters” Law 144(I)/ 2007, and is aimed at:

  • Private companies seeking funding and easy access to the secondary market;
  • Investors seeking a new type of investment;
  • Public companies reluctant to incur the higher costs of regulated markets.

When the decision to float has been taken, a critical appraisal of the company’s business is required, to identify whether it meets the ECM admission requirements, as follows:

  • General suitability – preparation and planning;
  • Eligibility for admission;
  • Continuing obligations and filing requirements.

A Nominated Advisor (“NOMAD”) is the Legal Entity appointed by you, and which must be retained at all times to advise you and to ensure that your company complies with the relevant ECM rules on an ongoing basis.

 

We can offer you the following NOMAD services:

1.During the admission procedure

  • facilitating the company’s admission to ECM;
  • appraising the appropriateness of the company for listing to the CSE;
  • ensuring compliance with the ECM rules;
  • preparing the admission document; and
  • project management of the overall process leading to a listing.

 

2.After the admission procedure

  • evaluating and presenting you to the CSE ensuring that the listing requirements are fulfilled;
  • representing the issuer through the listing procedure;
  • advising you in respect of the compliance of the continuous obligations:

    • Monitoring and assisting you according to the rules and regulations of the ECM in fulfilling your obligations;
    • Advising you in respect of your obligations and taking any appropriate measures for the fulfilment of these obligations;
    • If you do not comply with your obligations, the NOMAD will take any necessary actions in order to remedy any failure, while informing the CSE on the nature of the failure and the measures that you have undertaken.
  • assisting with comfort letters and related procedures;
  • risk management advice; and
  • market practice input.

As of 1st July 2017, the tax treatment of intra-group financing arrangements has been amended in Cyprus. Intra-group financing transactions refers to finance activities between related parties (as defined in Section 33 of the Income Tax Law), including permanent establishments in Cyprus. Based on the Interpretative Circular issued by the Cyprus Tax Department, intra-group financing arrangements must be taxed from 1st July 2017 onwards under the arm’s length principals (transfer pricing rules).

For the purposes of the transactions under the scope of the Circular issued, it must be determined for each intra-group transaction whether it complies with the arm’s length principles. A comparability analysis must be performed in order to determine whether the transaction between independent entities is comparable to transactions between related entities.

The comparability analysis mentioned above should consist of the two following parts:

  • Identification of the commercial financial relationship between entities and determining the conditions and economically relevant circumstances attached to those relations in order to accurately delineate the controlled transaction.
  • Comparison of the accurately delineated conditions and economically relevant circumstances of the controlled transaction with those of the comparable transactions between independent entities.

It should be noted that the group financing company should be controlling the risk if it has the decision-making power to enter into a risk-bearing commercial relationship. In order to justify the risk control and further validate that the management and control are exercised in Cyprus, it is essential that the group financing company has an actual presence in Cyprus.

In case of companies with a profile comparable to the entities subject to Regulation (EU) No 5/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) NO 64/2012, a return on equity of 10% after-tax can be observed in the market and be considered as reflecting arm’s length remuneration for the financing and treasure functions in question.

Simplified procedures exist, according to which the transactions of financing companies pursuing a purely intermediary activity are deemed to comply with the arm’s length principle if the company under review receives a minimum return of 2% after tax on assets. In order to benefit from this simplification measure, the use of it should be communicated to the Tax Department.
The above-mentioned percentages are valid as of the date of issuance of the Circular and will be reviewed by the Tax Department based on relevant market analysis and – if required – will be changed accordingly.

Minimum requirements for the transfer pricing analysis exist and are necessary in order for the analysis to be in compliance with the principles of the new circular.

The above changes will have an immediate impact on all Cyprus financing companies with intra-group financing transactions and it is imperative that such structures are examined so as to ensure that their tax treatment is correct and their tax risk exposure is mitigated.

Financial Controller
Andreas Avgousti
Andreas.Avgousti@aretilaw.com

Extension of the deadline for settlement  of Tax arrears

On 29 September 2017, the House of Representatives of Cyprus passed a law extending the deadline for submission of a claim for the payment of tax arrears from 3 October 2017 to 3 January 2018.  The new law limits the time by which tax returns up to the tax year 2015 which have not been filed, may be filed. Now all such tax returns must be filed by 30 June 2018 in order to benefit from the provisions of the law.

The regulation relates to the following tax liabilities:

  • All tax arrears up to and including 31 December 2015, which at the date of the application have been assessed by the Tax Department  and appear as payable, irrespective of the manner in which they are repaid, whether by agreement with the Tax Department or pursuant to a court order.
  • Amounts which become payable as a result of the submission of a self-assessment in respect of tax years up to 31 December 2015, where the tax returns for the relevant tax year have already been submitted by 3 July 2017, but without payment of the tax due.
  • Tax liabilities which are assessed after 3 July 2017 by the Tax Commissioner for the tax years to 31 December 2015, as long as these tax returns [are filed] by 30 June 2018. In such cases, an application for regulation[?] shall be made within three months from the date on which the tax becomes payable, on the basis of the tax assessment which has been issued.

For further information please contact our Financial Controller

Andreas Avgousti
Andreas.Avgousti@aretilaw.com

The Income Tax Law has been amended so that an individual who does not remain in any state for one or more periods which together exceed 183 days in the same tax year and who is not tax resident in any other state for the same tax year, be considered to be a tax resident of Cyprus, provided that they meet the following conditions:

  1. Remain in Cyprus for at least 60 days during the tax year;
  2. Pursue a business in Cyprus and/or work in Cyprus and/or are a director of a company which is tax resident in Cyprus, at any time during the tax year;
  3. Maintain a permanent residence in Cyprus, which can be either owned or rented.

To be considered as Cyprus tax resident in the tax year, the taxable person’s involvement in the business and/or employment in Cyprus and/ or the holding of a post in Cyprus must not have not have ceased.

For the purposes of calculating the days of stay in Cyprus the following rules apply:

  1. the day of departure from Cyprus is considered as a day outside Cyprus;
  2. the day of arrival in Cyprus is considered as a day in Cyprus;
  3. arrival in Cyprus and departure from Cyprus within the same day is counted as one day in Cyprus;
  4. departure from Cyprus and return to Cyprus within the same day is counted as one day outside Cyprus.

Thus, under the new provisions, an incentive is given to an individual who is not a tax resident in any other state for the same tax year to transfer his tax residence to Cyprus and to be taxed only on income from the activities the individual undertakes in Cyprus.