Investor Privacy Notice
The below key terms used in this privacy notice (the “Privacy Notice”) have the following meaning:
-
controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
-
processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
-
personal data: any information relating to an identified or identifiable natural person;
-
data subject: the identified or identifiable natural person to whom personal data relates;
-
recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed.
In accordance with the provisions of the EU Regulation n°2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR") and any applicable national data protection laws (including but not limited to the Luxembourg law of 1st August 2018 organizing the National Commission for Data Protection (Commission Nationale pour la Protection des Données, the "CNPD") and the general system on data protection, as amended from time to time) (collectively hereinafter the "Data Protection Laws"), the Fund acting as controller (the " Controller"), collects stores and processes by electronic or other means the data supplied by investors and/or prospective investors (or if the investor and/or the prospective investor is a legal person, any natural person related to it such as its contact person(s), employee(s), trustee(s), nominee(s), agent(s), representative(s) and/or beneficial owner(s)) (the "Data Subjects") prior to, or at the time of their subscription for the purposes outlined below.
Table of contents
1. What are the categories of Data Subjects?
2. What Personal Data does the Controller collect?
3. From which sources will Personal Data be collected?
4. Commitments
5. For what purposes are Personal Data processed and upon which legal bases?
6. With whom will Personal Data be shared?
7. Where will Personal Data be transferred?
8. Data Subjects’ rights
9. How long will Personal Data be retained?
10. Changes to this Privacy Notice
11. Contact information
1. What are the categories of Data Subjects?
The Controller collects personal data related to the following identified or identifiable natural person (the “Data Subject(s)”):
Where the investor or prospective investor is a natural person:
the investor and/or prospective investor himself/herself and the natural person related to him/her such as his/her representatives.
Where the investor or prospective investor is a legal entity:
any natural person related to it such as its contact person(s), employee(s), trustee(s), nominee(s), agent(s), representative(s) and/or beneficial owner(s).
2. What Personal Data does the Controller collect?
The Controller collects the following categories of personal data (the “Personal Data”):
Identification data:
name, age, gender, date and place of birth, nationality, passport/ID number, identity card with photo, civil status, profession, signature, salutation, base currency preferences
Contact data:
e-mail, address, proof of address, phone number, fax number, previous contact details, contact preferences
Bank account data:
IBAN and BIC codes and other bank account information.
Tax related data:
Taxpayer identifying/identification number(s), country(ies) of tax residency, tax status and tax certificates.
Shares related data:
number of shares and any information regarding the dealing in shares (subscription, conversion, redemption and transfer as well as balance or value at year-end and total gross amount paid or credited in relation to the shares, including redemption proceeds).
AML/KYC related data:
income, sources of wealth and funds, purpose of investment, power of attorney, joint holders, beneficial owners, interested parties, related parties, special categories of personal data (criminal convictions and offences, political opinions).
Communication data
client communications via electronic or other means.
The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Data Controller. In this event however the Data Controller may reject their request for subscription for Shares in the Fund if the relevant Personal Data is necessary to such subscription and/or holding of Shares (e.g. certain Personal Data are legally required for FATCA and CRS purposes). In addition, the Data Subjects should refrain from supplying additional Personal Data which are not requested by the Controller or any other entity acting on its behalf. Unless provided otherwise by applicable law, the Controller shall not be liable for any damage caused by the processing of such Personal Data provided by the Data Subjects without being requested by the Controller.
3. From which sources will Personal Data be collected?
The Personal Data are collected from various sources, namely:
-
directly from the Data Subject;
-
from third parties representing the Investor;
-
from third parties representing the Controller;
-
from the Controller’s service providers;
-
from public registers/platforms;
-
from public agencies/authorities.
4. Commitments
Investors and/or prospective investors who are legal persons undertake and guarantee to process Personal Data and to supply such Personal Data to the Data Controller in compliance with the Data Protection Laws, including, where appropriate, informing the relevant Data Subjects of the contents of the present section, in accordance with Articles 12, 13 and/or 14 of the GDPR. In addition, the investors and/or prospective investors undertake to ensure the accuracy of the Personal Data provided and promptly inform the Controller where such Personal Data is not up to date.
5. For what purposes are Personal Data processed and upon which legal bases?
In order for a data processing activity to take place lawfully, the latter first needs to be legitimate and thus to be based on inter alia one of the grounds set out in article 6 of the GDPR, inter alia:
-
the Data Subject has given his/her consent to the processing of his or her Personal Data for one or more specific purposes;
-
processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
-
processing is necessary for compliance with a legal obligation to which the Controller is subject;
-
processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.
For the avoidance of doubt, where consent is given by the Data Subjects, such consent shall be construed distinctly from any consent given in the context of confidentiality and/or professional secrecy compliance obligations. In the case at hand, the purposes for which the Personal Data are collected and the legal bases upon which the Controller relies are further specified in Appendix A-1. Where the Controller’s purposes change over time or where the latter wants to use Personal Data for new purposes, the Controller will inform the Investor of such new processing in accordance with the Data Protection Laws. Nevertheless, where the Controller has collected the Personal Data based on consent or following a legal obligation, no further processing is allowed beyond what is covered by the original consent or the provisions of the law.
6. With whom will Personal Data be shared?
The Personal Data may also be processed by other persons or entities (the "Recipients ") which, in the context of the above-mentioned purposes, refer to :
-
the Controller’s service providers: the AIFM, the Depositary, the Administrator, the Paying Agent, the Auditor, the Legal Advisor(s), the Transfer Agent, the Investment Manager, the Auditor;
-
Credit institutions;
-
Any third party that acquires, or is interested in acquiring or securitizing, all or part of the Controller’s assets or shares, or that succeeds to it in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, financing, reorganization or otherwise
-
Any other third party supporting the activities of the Controller;
-
Public authorities: governmental, judicial, prosecution or regulatory agencies and/or authorities;
-
Official national and international registers.
In particular, in compliance with the Foreign Tax Compliance Act (FATCA) and Common Reporting Standard (CRS), Personal Data may be disclosed to the Luxembourg tax authorities, which in turn may, acting as data controller, disclose the same to foreign tax authorities. In addition, in compliance with the Luxembourg register of beneficial owners law of 13 January 2019 as amended, the Controller is also required to collect Personal Data of beneficial owners of the Fund (i.e. any natural person(s) who ultimately own(s) or control(s) the Fund or any natural person(s) on whose behalf a transaction or activity is being conducted) and make mandatory registrations with the Luxembourg register of beneficial owners. The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the "Sub-Recipients"), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Data Controller and/or assisting the Recipients in fulfilling their own legal obligations. The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as data processors (when processing the Personal Data on behalf and upon instructions of the Data Controller and/or the Recipients), or as distinct data controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).
7. Where will Personal Data be transferred?
The Controller does not intend to transfer Personal Data to Recipients located outside the European Economic Area (the “EEA”). In any case, where the Recipients are located in a country outside the EEA which benefits from an adequacy decision of the European Commission, the Personal Data will be transferred to the Recipients upon such adequacy decision. Where the Recipients are located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data, the Controller will enter, prior to such transfer, into legally binding transfer agreements with the relevant Recipients in the form of the European Commission approved standard contractual clauses or any other appropriate safeguards pursuant to the GDPR, as well as, if necessary, supplementary measures. In this respect, the Data Subjects have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Controller at the address referred to in the Section 11 (“Contact Information”). The countries to which Personal Data may be transferred are further specified in Appendix A-2.
8. The Data Subjects’ rights
In accordance with the conditions and limitations laid down by the Data Protection Laws, the Data Subjects acknowledge their right to:
Access their Personal Data:
To obtain from the Controller confirmation as to whether or not Personal Data concerning them are being processed, and, where that is the case, access to the Personal Data.
Rectify their Personal Data:
To obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning them. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
Object to the processing of their Personal Data (including for commercial prospection purposes):
To object, on grounds relating to his or her particular situation, at any time to processing of Personal Data concerning them which is based on the performance of a task carried out in the public interest or the legitimate interests pursued by the Controller or by a third party. The Controller shall no longer process the Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Where Personal Data are processed for commercial prospection purposes, the Data Subject shall have the right to object at any time to processing of Personal Data concerning them for such commercial prospection, which includes profiling to the extent that it is related to such direct commercial prospection.
Restrict the use of their Personal Data:
To obtain from the Controller restriction of processing, in some circumstances.
Where processing has been restricted under the above paragraph, such Personal Data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Have their Personal Data erased:
To obtain from the Controller the erasure of Personal Data concerning them without undue delay and the Controller shall have the obligation to erase Personal Data without undue delay, except in certain limited scenarios set out in the GDPR.
Withdraw their consent:
To withdraw their consent easily and at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Ask for Personal Data portability:
To receive the Personal Data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the Personal Data have been provided, where (i) the processing is based on consent pursuant or on a contract and (ii) the processing is carried out by automated means.
The Data Subjects may exercise their above rights by writing to the Controller at the address referred to in Section 11 (“Contact Information”).
The Data Subjects also acknowledge the existence of their right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: 15, Boulevard du Jazz, L-4370 Belvaux, Grand Duchy of Luxembourg; or with any competent data protection supervisory authority of their EU Member State of residence.
9. How long will Personal Data be retained?
The Controller will retain the Personal Data for the duration of the contract between the Controller and the investor and thereafter for a period of ten (10) years, unless longer or shorter statutory limitation periods apply. Once the Controller no longer requires the Personal Data for the purposes for which it was collected, it will securely destroy the Personal Data in accordance with applicable laws and regulations. The principal retention periods applied by the Controller are further specified in Appendix A-3. In some circumstances the Personal Data may be anonymised so that it can no longer be associated with the Data Subjects, in which case documents having been anonymised can be kept for an unlimited period of time.
10. Changes to this Privacy Notice
The Controller reserves the right to update this Privacy Notice at any time. An up-to-date version will be made available to the investors on the Controller’s website at www.tidancapital.com. In case of substantial updates to the present Privacy Notice, investors will be notified through the Controller’s website at www.tidancapital.com or other means of communication.
11. Contact Information
Further information on the privacy policy may be obtained from the AIFM upon request. The Data Subjects may exercise their above rights by writing to the Controller at the following address: datacontroller@tidancapital.com/ Tidan Capital AB, Nybrogatan 34, 2nd Floor, SE-114 39 Stockholm, Sweden; +46 709905436.
Appendix A-1
Purposes and legal bases
The Personal Data are processed by the Controller for the following purposes and legal bases:
(i) Compliance with applicable legal obligations
Identification data and shares related data:
Maintaining the register of shareholders.
Identification data and shares related data:
Mandatory registration with registers including among others the Luxembourg register of beneficial owners.
Identification data, contact data, tax related data and AML/KYC related data:
Carrying out anti-money laundering checks and related actions considered appropriate to meet any legal obligations relating to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax fraud and evasion and the provision of financial and other services to persons who may be subject to economic or trade sanctions, on an on-going basis.
Special categories of personal data, in particular political opinions of Data Subjects having a public political exposure will be processed by the Controller on the basis of article 9, (2), e) and/or g) of the GDPR (i.e., respectively the personal data have manifestly been made public by the data subject and/or the personal data is necessary for reasons of substantial public interest).
Identification data, tax related data, shares related data and AML/KYC related data:
Reporting tax related information to tax authorities under Luxembourg or foreign laws and regulations (including, but not limited to, laws and regulations relating to FATCA or CRS).
(ii) Necessity to execute the contract between the investor and the Controller or in order to take steps at the request of the data subjects prior to entering into the contract
Identification data, contact data, bank account data and tax related data:
Processing subscriptions, holding redemptions and conversions of shares and payments of dividends or interests to investors (including entering into financing agreements).
Identification data, bank account data and shares related data:
Account administration.
(iii) The legitimate interests of the Controller or of relevant third parties
Identification data, contact data, bank account data, tax related data, shares related data, AML/KYC related data and communication data:
A due diligence carried out by any third party that:
-
acquires, or is interested in acquiring or securitizing, all or part of the Controller’s assets or shares;
-
succeeds to the Controller in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, financing, reorganization or otherwise; or
-
intends to onboard the Controller as a client or a co-investor or otherwise.
Identification data and contact data:
Investor relationship management.
Identification data, contact data, bank account data, tax related data, shares related data, ALM/KYC related data and communication data:
Establishing, exercising, or defending legal claims and providing proof, in the event of a dispute, of a transaction or any commercial communication.
Identification data, contact data, bank account data, tax related data, shares related data, AML/KYC related data and communication data:
Complying with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority.
Identification data, contact data, bank account data, tax related data, shares related data, AML/KYC related data and communication data:
Risk management.
Identification data and contact data:
Commercial prospection.
Identification data and contact data:
Processing Personal Data of employees or other representatives of investors which are legal persons.
Identification data and shares related data:
Disclosing the list of existing investors to prospective investors in compliance with their investment policies.
Appendix A-2
Recipients and countries of establishment
The Controller transfers Personal Data to the below categories of recipients and their countries of establishment:
AIFM:
Tidan Capital AB, Sweden.
Depositary:
State Street Bank International GmbH, Luxembourg.
Administrator:
State Street Bank International GmbH, Luxembourg.
Registrar and Transfer Agent:
State Street Bank International GmbH, Luxembourg.
Investment Manager:
Tidan Capital AB, Sweden.
Auditor:
Pricewaterhouse Coopers. Luxembourg.
Legal Advisor(s):
Arendt & Medernach S.A., Luxembourg.
Appendix A-3
Retention Periods
The Controller undertakes to ensure that necessary records and documents are adequately protected and maintained and that records that are no longer needed or are of no value are deleted or destroyed in compliance with the provisions of the GDPR.
In this respect, unless longer or shorter statutory limitation periods apply, the principal retention periods implemented by the Controller are specified below:
Contracts:
10 years from the end of the contractual relationship to which the documents relate.
Business correspondence (letters, emails, faxes, etc.):
10 years from the end of the accounting year in which the document was sent or received.
Accounting related documents:
10 years from the latest of either the end of the accounting year.
Corporate related documents:
5 years from the date of the closing of the liquidation of the Controller.
AML/KYC related documents:
5 years or 10 years from the end of the contractual relationship to which the documents relate.
Beneficial owners related documents:
5 years from the radiation of the Controller from the Luxembourg trade and companies register.
©2023 Tidan Capital.