Data Protection Information in Accordance with the EU’s General Data Protection Regulation


With the following information, Colin&Cie. (hereinafter referred to as "Asset Manager") will give an overview of the processing of personal data by the Asset Manager, as well as the associated rights under data protection law. Which data are processed in detail and how they are used depends on the requested or agreed upon services.

1. Responsibility for data processing and a contact person for questions relating to data protection:

The responsible body is:

Colin&Cie. Luxembourg S.A.
16, Rue Gabriel Lippmann
5365 Munsbach
T: +352 272 135 205
E: info@colin-cie.com

The data protection officer is:

Mr. Christian Cimini
16, Rue Gabriel Lippmann
5365 Munsbach
T: +352 272 135 217
E: christian.cimini@colin-cie.com

2. Data sources and their use in the context of business relationships

The Asset Manager processes data that it receives from its clients in the context of the business relationship. These data include, among other items, personal data, e.g., data that directly identify the clients (such as name, address, telephone number, etc.) or data that result in such identification in connection with other information (e.g., an account number). In addition to data that the Asset Manager receives directly from its clients, it also obtains and processes data from publicly available sources (e.g., the Internet, social media, credit reports, land registers, trade and association registries, press, etc.) or from other companies within Colin&Cie. Groups or authorised third parties.

Relevant personal data in the business initiation phase, after the client initiates a relationship in the course of granting power of attorney (information, general authorisation, etc.) can be: name, address / other contact details (phone, e-mail), date / place of birth, gender, nationality, marital status, legal status, occupation / salaried / self-employed position, residential status (renter / property owner), credentials (e.g., identification data), authentication data (e.g., signature), tax ID, FATCA status.

When contracting and using services, additional personal data may be collected, processed and stored in addition to the aforementioned data. Essentially, this includes:

Information on knowledge and/or experience with securities (MiFID Status), investment behaviour / strategy / risk tolerance, occupation, financial situation (assets, liabilities, income from independent work / business, spending), foreseeable changes in financial circumstances (e.g., retirement), specific goals / main concerns in the future (e.g., planned purchases, repayment of liabilities), order data (e.g., payments), data from services related to contractual obligations (e.g., payment data), documentation data (e.g., suitability declarations), as well as other data comparable to the above-mentioned categories.

3. The purpose of data processing and legal basis

a. To fulfil contractual obligations (Article 6, Para. 1 b, GDPR)
The processing of personal data takes place for the provision of financial services in the context of the execution of contracts with clients of Colin&Cie. or the implementation of pre-contractual measures at the request of the client. The purposes of data processing are primarily based on the services used (see point 2) and may include, but are not limited to, needs analysis, asset management and support, as well as transaction execution. Further details of the purpose of data processing can be found in the respective contractual documents and Terms and Conditions.

b. In the framework of the balancing of interests (Article 6, Para. 1 f GDPR)
If necessary, personal data are processed beyond the actual service of the contract in order to safeguard the legitimate interests of the Asset Manager or a third party. Examples:

  • Crime prevention
  • Ensuring the Asset Manager's IT security and IT operations
  • The Asset Manager's risk management
  • Testing and optimisation of processes
  • Measures for business control and development of services
  • Needs analysis and direct client contact
  • Advertising or market and opinion research insofar as the use of the data has not been contradicted
  • Assertion of legal claims and defence in case of legal disputes

c. On the basis of consent (Article 6, Para. 1 a GDPR)
Insofar as consent for the processing of personal data has been granted for certain purposes (e.g., disclosure of data in the group/company), the legality of such processing is given on the basis of your consent. You may revoke your consent at any time. It is important to note that the revocation shall be effective only for future interactions. Processing operations that are performed prior to the revocation are not affected. A status of given consent can be requested at any time.

d. Due to legal requirements (Article 6, Para. 1 c GDPR) or for the public interest (Article 6 Para. 1 e GDPR)
The Asset Manager is subject to various legal obligations and statutory requirements (e.g., money laundering laws, tax laws, etc.), as well as regulatory requirements (such as the CSSF in Luxembourg, the Swiss System of Supervision for Asset Managers). Processing data includes, among other things, data such as identity and age checks, prevention of fraud and money laundering, the fulfilment of tax monitoring and reporting obligations, as well as the assessment and management of risks of the Asset Manager.

4. Data access and receivers

Access to personal data is only granted to those persons who need it in order to fulfil their contractual and legal obligations (need-to-know principle). For the same purpose, service providers and agents employed by the Asset Manager process your data.

With regard to the transfer of data to external recipients, it is first important to note that the Asset Manager is required to maintain secrecy regarding any client-related facts and evaluations of which they become aware (obligatory confidentiality is in accordance with the General Terms and Conditions). Personal data may therefore be transmitted only if statutory provisions so dictate, the client has consented, the Asset Manager is authorised to provide information and/or commissioned processors guarantee rectified compliance with the provisions of the EU's General Data Protection Regulation.

Under these conditions, the recipient of such personal data can be, for example:

– Public authorities and institutions (e.g., regulatory and financial authorities) in the case of legal or regulatory obligation.
– Financial service institutions, similar institutions and processors to whom personal data are transmitted in order to conduct the business relationship. In particular: support/maintenance of computers/IT applications, archiving, document processing, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, client administration, marketing, research, risk control, expenses, payroll, telephony, website management, web hosting, mailing platforms, securities services, fund administration, auditing services, payment transactions.

Other data recipients may be those for whom consent has been given for data transmission, or for which the Asset Manager has been exempted from banking secrecy by agreement or consent.

5. Transfer of data to a non-EU country or to an international organisation

Data transmission to countries outside the EU or the EEA (so-called third countries) takes place only as far as required for the execution of client orders (e.g., payment and securities orders) or as required by law (e.g., tax reporting obligations), when consent has been granted, or in the context of order data processing. If service providers are used in third countries, they are bound by written instructions by the EU’s Standard Contractual Clause Agreement (such as the Commission's adequacy decision) to comply with the level of data protection within Europe.

6. Duration of data storage

The Asset Manager processes and stores personal data as long as it is required for the fulfilment of contractual and legal obligations. It should be noted that a business relationship forms a continual obligation, which is created over several years. If the data is no longer required for the fulfilment of contractual or legal obligations, it is deleted on a regular basis, unless its temporary processing is necessary for the following purposes:

  • Statutory retention periods (e.g., the Money Laundering Act, securities laws). The period for retention and documentation specified in these regulations can range from two to ten years.
  • Fulfilment of special rules that oblige the Asset Manager to retain data for an indefinite period of time, for example, in the case of anticipated litigation.

7. Privacy rights of clients

Under the EU's General Data Protection Regulation, the following rights exist for the affected persons:

  • Any affected person shall have the right of access under Article 15 of the GDPR
  • the right to correction under Article 16 of the GDPR
  • the right to cancellation under Article 17 of the GDPR
  • the right to restrict processing under Article 18 of the GDPR
  • the right of objection under Article 21 of the GDPR
  • the right to the surrender of personal data in accordance with Article 21 of the GDPR

In addition, there is (if applicable for you) a right of appeal to the responsible data protection supervisory authority (Article 77 of the GDPR).

8. Requirement to provide personal data

In the context of our business relationship, you must provide those items of personal data that are necessary for the establishment and implementation of a business relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, the Asset Manager will have to refuse the conclusion of the contract or the execution of the order, or, an existing contract will not be able to move forward, and, if applicable, must be terminated.

In particular, according to money laundering regulations, the Asset Manager is required to identify the client by means of an identity card, for example, prior to the establishment of the business relationship, and to record and save their name, place of birth, date of birth, nationality and address. In order for the Asset Manager to comply with this statutory provision, the client is obliged to provide the necessary information and documents and to report any changes arising in the course of the business relationship without delay. If the necessary information and documents are not provided, the Asset Manager may not commence or continue the desired business relationship.

9. Automated decision-making

For the establishment and implementation of the business relationship, the Asset Manager does not use fully automated decision-making in accordance with Article 22 of the GDPR. Should these procedures be used in individual cases, the Asset Manager will inform the client separately, provided this is required by law.

10. Automated processing (especially "profiling")

The Asset Manager processes personal data, in part, on a semi-automated basis, with the aim of evaluating certain personal aspects (profiling). Profiling is used in the following cases:

  • Due to legal requirements, the Asset Manager is obliged to combat money laundering and fraud. Data evaluations (including payment transactions) are also performed. These measures also serve to protect customers.

  • To provide you with targeted information and advice on services, events, and market developments, we use evaluation tools. These enable demand-oriented communication (e.g., by sending a newsletter or invitations to events) and advertising, including market and opinion research.


Information on your right to object in accordance with Article 21 of the EU General Data Protection Regulation (GDPR)

  • Individual right of objection
    You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

  • Right to object to the processing of data for advertising purposes
    In individual cases, we process your personal data to carry out direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

11. Current privacy policy and contact information

This privacy policy may be changed at any time in accordance with applicable regulations. The current version is available at www.colin-cie.com/en/privacy-policy.

If the client has any questions regarding the handling of personal data, his personal advisor and the Asset Manager's data protection officer are available as contact persons.

Zurich, October 2023