ARC IT SERVICES LIMITED – Data Subject Privacy Notice


We, ArcIT Services Ltd (hereafter “ARC”) in accordance with the EU GDPR 2016/679 in force since May 24, 2016 and enforced in May 25, 2018, are bound by EU law to enforce your privacy and security rights consistently across the EU and globally.

We thank you for the trust you place in us when sharing your personal data with us.

Who we are

We, ARC, are a corporate service provider registered under the laws of Cyprus, with offices located in Nicosia, Cyprus reachable at

GDPR (General Data Protection Regulation)

The collection of personal data by ARC, according to Article 13.1 shall provide the data subject with the following information (privacy notice).

  • The identity and contact details of the controller and processor;
  • The recipients of these personal data.
  • The legitimate interests pursued by the controller or third party; The fact that the controller intends to transfer the personal data to a third country and the existence of adequacy conditions;
  • The purpose of processing as well as the legal basis of processing;
  • The legitimate interests pursued by the controller or third party;

Article 13.2:

  • The period of time the data will be stored;
  • The right to lodge a complaint with the supervisory authority;
  • The consequences of breached confidentiality or if the data will be compromised; The right to rectification, erasure, restriction, objection;
  • The existence of automated decision making, including profiling, as well as anticipated consequences for the data subject.

Transfer of personal data to third countries or international organizations

Article 44: General principle for transfers

Any transfer of personal data by the controller or processor shall take place only if certain conditions are complied with:

  • Transfers on the basis of adequacy;
  • subject to the appropriate safeguards;
  • Binding corporate rules apply.

All provisions shall be applied to ensure the protection of natural persons is not undermined.

GDPR enforcement against third countries

Fines to non-EEA controllers or non-EU organizations can be enforced under international treaties. Non-EEA controllers or non-EEA organizations must appoint an EU representative as a first point of contact for any relevant communication.

Responsibility of the controller to notify data subjects in case of breach

It is the responsibility of the controller to notify the data subject and the supervisory authority within 72 hours when personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects. In the case of a third country controller this is done through the appointed representative in the EU.

Security measures

We have appropriate security controls in place to protect the personal data of data subjects. We are continuously assessing risks that can compromise the rights and freedoms of data subjects. Note that we do not however have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information risks that exist and take appropriate measures to safeguard your own information. We accept no liability that occurs beyond our sphere of control.

We give our free, specific, unambiguous, and explicit consent to ARC to collect, store,safe keep and process our personal data in line with the General Data Protection Regulation 2016/679 and in line with the national law as amended from time to time. We have been explicitly informed that ARC will collect,store, safe keep, and process in hard copies or in electronic form our personal data for a period needed for each purpose and as long as we remain a client to this company.  

ARC can process personal data only where it is necessary to protect the vital legitimate interests of itself and our company. We understand fully that we have the following rights with regards to our personal data: the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to portability; the right to object; the right in relation to automated decision making by profiling; the right to report data breaches to the data protection supervisor authority.

ARC must facilitate the exercise of clients’ rights and shall not refuse to act on the request of the client (data subject) to exercise his rights.