GDPR Privacy Notice
The below key terms used in this privacy notice (the “Privacy Notice”) have the following meaning:
- Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- Personal Data: any information relating to an identified or identifiable natural person;
- Data Subject: the identified or identifiable natural person to whom personal data relates;
- Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed.
The General Partner acting on behalf of the Fund, acting as controller (the “Controller”), where processing personal data for the purposes outlined below, has prepared this Privacy Notice to comply with (i) the EU Regulation n°2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and (ii) any applicable national data protection laws (including but not limited to the Luxembourg law of 1st August 2018 on the organisation of the National Data Protection Commission and the general data protection framework, as amended from time to time) (collectively hereinafter the “Data Protection Laws”).
Table of contents
1 - What are the categories of Data Subjects?
2 - What Personal Data does the Controller collect?
3 - From which sources will Personal Data be collected?
4 - For what purposes are Personal Data processed and upon which legal bases?
5 - With whom will Personal Data be shared?
6 - Where will Personal Data be transferred?
7 - How long will Personal Data be retained?
8 - Commitments
9 - The Data Subjects’ rights
10 - Changes to this Privacy Notice
11 - Contact information
1 - What are the categories of Data Subjects?
The Controller collects personal data related to the following identified or identifiable natural person (the “Data Subject(s)”):
Where the investor or prospective investor is a natural person: | the investor and/or prospective investor himself/herself and the natural person related to him/her such as his/her representatives. |
Where the investor or prospective investor is a legal entity: | any natural person related to it such as its contact person(s), employee(s), trustee(s), nominee(s), agent(s), representative(s) and/or beneficial owner(s). |
2 - What Personal Data does the Controller collect?
The Controller collects the following categories of personal data (the “Personal Data”):
Identification data: | name, age, gender, date and place of birth, nationality, passport/ID number, identity card with photo, civil status, profession, signature. |
Contact data: | e-mail, address, proof of address, phone number, fax number. |
Bank account data: | IBAN and BIC codes and other bank account information. |
Tax related data: | Taxpayer identifying/identification number(s), country(ies) of tax residency, tax status and tax certificates. |
Interest related data: | number of Interest and any information regarding the dealing in Interest (subscription, conversion, redemption and transfer as well as balance or value at year-end and total gross amount paid or credited in relation to the Interest, including redemption proceeds). |
AML/KYC related data: | income, sources of wealth and funds, power of attorney, related parties, special categories of personal data (criminal convictions and offences, political opinions). |
Communication data | client communications via electronic or other means. |
The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Controller. In this event however, the Controller may reject their request for subscription for Interest in the Fund if the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to the subscription or holding of such Interest (e.g., certain Personal Data are legally required for FATCA and CRS purposes).
In addition, the Data Subjects should refrain from supplying additional Personal Data which are not requested by the Controller or any other entity acting on its behalf. Unless provided otherwise by applicable law, the Controller shall not be liable for any damage caused by the processing of such Personal Data provided by the Data Subjects without being requested by the Controller.
3 - From which sources will Personal Data be collected?
The Personal Data are collected from various sources, namely:
Directly from the Data Subject;
From third parties representing the Investor;
From third parties representing the Controller;
From the Controller’s service providers;
from public registers/platforms;
from public agencies/authorities.
4 - For what purposes are Personal Data processed and upon which legal bases?
In order for a data processing activity to take place lawfully, the latter first needs to be legitimate and thus to be based on inter alia one of the grounds set out in article 6 of the GDPR, inter alia:
the Data Subject has given his/her consent to the processing of his or her Personal Data for one or more specific purposes;
processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the Controller is subject;
processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.
For the avoidance of doubt, where consent is given by the Data Subjects, such consent shall be construed distinctly from any consent given in the context of confidentiality and/or professional secrecy compliance obligations.
In the case at hand, the purposes for which the Personal Data are collected and the legal bases upon which the Controller relies are further specified in Appendix A. Where the Controller’s purposes change over time or where the latter wants to use Personal Data for new purposes, the Controller will inform the Investor of such new processing in accordance with the Data Protection Laws. Nevertheless, where the Controller has collected the Personal Data based on consent or following a legal obligation, no further processing is allowed beyond what is covered by the original consent or the provisions of the law.
5 - With whom will Personal Data be shared?
The Controller may disclose Personal Data to other persons or entities (the “Recipients”) which, in the context of the purposes mentioned in the Privacy Notice, refer to:
the Controller’s affiliates;
other prospective or existing investors;
the Controller’s and/or the Fund’s service providers including, without limitation, the AIFM, the depositary, the Administrator, registrar and transfer agent, the Investment Manager, the auditor, the legal advisor(s), compliance firm, any lender to the Fund;
Credit institutions;
Any third party that acquires, or is interested in acquiring or securitizing, all or part of the Controller’s assets or Interest, or that succeeds to it in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, financing, reorganization or otherwise;
Any other third party supporting the activities of the Controller;
Public authorities: governmental, judicial, prosecution or regulatory agencies and/or authorities; and
Official national and international registers.
In particular, in compliance with the Foreign Tax Compliance Act (FATCA) and Common Reporting Standard (CRS), Personal Data may be disclosed to the Luxembourg tax authorities, which in turn may, acting as controller, disclose the same to foreign tax authorities.
In addition, in compliance with the Luxembourg register of beneficial owners law of 13 January 2019 as amended, the Controller is also required to collect Personal Data of beneficial owners of the Fund (i.e. any natural person(s) who ultimately own(s) or control(s) the Fund or any natural person(s) on whose behalf a transaction or activity is being conducted) and make mandatory registrations with the Luxembourg register of beneficial owners.
The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Controller and/or assisting the Recipients in fulfilling their own legal obligations.
The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as processors (when processing the Personal Data on behalf and upon instructions of the Controller and/or the Recipients), or as distinct controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).
6 - Where will Personal Data be transferred?
The Recipients and Sub-Recipients may be located either inside or outside the European Economic Area (the “EEA”).
In any case, where the Recipients are located in a country outside the EEA which benefits from an adequacy decision of the European Commission, the Personal Data will be transferred to the Recipients upon such adequacy decision.
Where the Recipients are located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data, the Controller will enter, prior to such transfer, into legally binding transfer agreements with the relevant Recipients in the form of the European Commission approved standard contractual clauses or any other appropriate safeguards pursuant to the GDPR, as well as, if necessary, supplementary measures.
In this respect, the Data Subjects have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Controller at the address referred to in the Section 11 (“Contact Information”).
The countries to which Personal Data may be transferred are further specified in Appendix B.
7 - How long will Personal Data be retained?
The Controller will retain the Personal Data for the duration of the contract between the Controller and the investor and thereafter for a period of ten (10) years, unless longer or shorter statutory limitation periods apply. Once the Controller no longer requires the Personal Data for the purposes for which it was collected, it will securely destroy the Personal Data in accordance with applicable laws and regulations. The principal retention periods applied by the Controller are further specified in Appendix C.
In some circumstances the Personal Data may be anonymised so that it can no longer be associated with the Data Subjects, in which case documents having been anonymised can be kept for an unlimited period of time.
8 - The Data Subjects’ rights
In accordance with the conditions and limitations laid down by the Data Protection Laws, the Data Subjects acknowledge their right to:
Access their Personal Data: | To obtain from the Controller confirmation as to whether or not Personal Data concerning them are being processed, and, where that is the case, access to the Personal Data. |
Rectify their Personal Data: | To obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning them. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. |
Object to the processing of their Personal Data (including for commercial prospection purposes): | To object, on grounds relating to his or her particular situation, at any time to processing of Personal Data concerning them which is based on the performance of a task carried out in the public interest or the legitimate interests pursued by the Controller or by a third party. The Controller shall no longer process the Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. Where Personal Data are processed for commercial prospection purposes, the Data Subject shall have the right to object at any time to processing of Personal Data concerning them for such commercial prospection, which includes profiling to the extent that it is related to such direct commercial prospection. |
Restrict the use of their Personal Data: | To obtain from the Controller restriction of processing, in some circumstances. Where processing has been restricted under the above paragraph, such Personal Data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. |
Have their Personal Data erased: | To obtain from the Controller the erasure of Personal Data concerning them without undue delay and the Controller shall have the obligation to erase Personal Data without undue delay, except in certain limited scenarios set out in the GDPR. |
Withdraw their consent: | To withdraw their consent easily and at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. |
Ask for Personal Data portability: | To receive the Personal Data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the Personal Data have been provided, where (i) the processing is based on consent pursuant or on a contract and (ii) the processing is carried out by automated means. |
The Data Subjects may exercise their above rights by writing to the Controller at the address referred to in the Contact Information.
The Data Subjects also acknowledge the existence of their right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: 15, Boulevard du Jazz, L-4370 Belvaux, Grand Duchy of Luxembourg; or with any competent data protection supervisory authority of their EU Member State of residence.
9 - Commitments
Investors and/or prospective investors who are legal persons undertake and guarantee to process Personal Data and to supply such Personal Data to the Controller in compliance with the Data Protection Laws, including, where appropriate, informing the relevant Data Subjects of the content of this Privacy Notice and any updated version thereof in accordance with articles 12, 13 and/or 14 of the GDPR.
In addition, the investors and/or prospective investors undertake to ensure the accuracy of the Personal Data provided and promptly inform the Controller where such Personal Data is not up to date.
10 - Changes to this Privacy Notice
The Controller reserves the right to update this Privacy Notice at any time.
An up-to-date version will be made available to the investors on the Investment Manager’s website at https://fintech.io/. ; In case of substantial updates to the present Privacy Notice, investors will be notified through the Fund’s investor portal or other means of communication.
11 - Contact information
The Data Subjects may exercise their above rights by writing to the Controller at the following address: [email protected].
Appendix A
Purposes and legal bases
The Personal Data are processed by the Controller for the following purposes and legal bases:
(i) - Compliance with applicable legal obligations
Categories of Personal Data | Purposes |
Identification data and Interest related data. | Maintaining the register of shareholders. |
Identification data and Interest related data. | Mandatory registration with registers including among others the Luxembourg register of beneficial owners. |
Identification data, contact data, tax related data and AML/KYC related data. | Carrying out anti-money laundering checks and related actions considered appropriate to meet any legal obligations relating to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax fraud and evasion and the provision of financial and other services to persons who may be subject to economic or trade sanctions, on an on-going basis. Special categories of personal data, in particular political opinions of Data Subjects having a public political exposure will be processed by the Controller on the basis of article 9, (2), e) and/or g) of the GDPR (i.e., respectively the personal data have manifestly been made public by the data subject and/or the personal data is necessary for reasons of substantial public interest). |
Identification data, tax related data, Interest related data and AML/KYC related data. | Reporting tax related information to tax authorities under Luxembourg or foreign laws and regulations (including, but not limited to, laws and regulations relating to FATCA or CRS). |
(ii) - Necessity to execute the contract between the investor and the Controller or in order to take steps at the request of the data subjects prior to entering into the contrac
Categories of Personal Data | Purposes |
Identification data, contact data, bank account data and tax related data. | Processing subscriptions, holding redemptions and conversions of Interest and payments of dividends or interests to investors (including entering into financing agreements). |
Identification data, bank account data and Interest related data. | Account administration. |
(iii) -The legitimate interests of the Controller or of relevant third parties
Categories of Personal Data | Purposes |
Identification data, contact data, bank account data, tax related data, Interest related data, AML/KYC related data and communication data. | A due diligence carried out by any third party that:
|
Identification data and contact data. | Investor relationship management. |
Identification data, contact data, bank account data, tax related data, Interest related data, ALM/KYC related data and communication data. | Establishing, exercising, or defending legal claims and providing proof, in the event of a dispute, of a transaction or any commercial communication. |
Identification data, contact data, bank account data, tax related data, Interest related data, AML/KYC related data and communication data. | Complying with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority. |
Identification data, contact data, bank account data, tax related data, Interest related data, AML/KYC related data and communication data. | Risk management. |
Identification data and contact data. | Commercial prospection. |
Identification data and contact data. | Processing Personal Data of employees or other representatives of investors which are legal persons. |
Identification data and Interest related data. | Disclosing the list of existing investors to prospective investors in compliance with their investment policies. |
Appendix B
Recipients and countries of establishment
The Controller transfers Personal Data to the below categories of recipients and their countries of establishment:
Categories of recipients | Name and Country of establishment |
The Controller’s affiliates | FinTech Collective, LLC - USA FinTech Collective Fund IV UGP LLC - USA |
The Controller’s service providers | KPMG Tax and Advisory S.á.r.l. - Luxembourg KPMG Luxembourg - Luxembourg European Depositary Bank SA - Luxembourg Jyske Bank - Denmark |
AIFM | FundRock LIS S.A. - Luxembourg |
Administrator | Apex Fund Services S.A. - Luxembourg |
Investment Manager | FinTech Collective Management, LLC - USA |
Legal advisor(s) | Purrington Moody Weil LLP with respect to U.S. law - USA Arendt & Medernach S.A., with respect to Luxembourg law - Luxembourg |
Appendix C
Retention Periods
The Controller undertakes to ensure that necessary records and documents are adequately protected and maintained and that records that are no longer needed or are of no value are deleted or destroyed in compliance with the provisions of the GDPR.
In this respect, unless longer or shorter statutory limitation periods apply, the principal retention periods implemented by the Controller are specified below:
Type of records | Retention periods |
Contracts | 10 years from the end of the contractual relationship to which the documents relate. |
Business correspondence (letters, emails, faxes, etc.) | 10 years from the end of the accounting year in which the document was sent or received. |
Accounting related documents | 10 years from the latest of either the end of the accounting year. |
Corporate related documents | 5 years from the date of the closing of the liquidation of the Controller. |
AML/KYC related documents | 5 years or 10 years from the end of the contractual relationship to which the documents relate. |
Beneficial owners related documents | 5 years from the radiation of the Controller from the Luxembourg trade and companies register. |