BR-NAS GERMAN MITTELSTAND PROPERTIES SLP, SICAV-RAIF (THE FUND) DATA
DATA PROTECTION PRIVACY NOTICE
The GDPR comes into force across the EU on 25 May 2018. The GDPR establishes a single set of data protection rules in the EU, impacts current national data protection legislation and is also expected to be implemented in the EEA with effect from the same date. The GDPR significantly changes the EU/EEA data protection landscape, including strengthening of individuals’ rights, stricter requirements on companies Processing Personal Data.
The Notice is provided to enable you to better understand our Processing of your Personal Data and prove our commitment to Process your Personal Data in accordance with the GDPR, the 2002 Law and any applicable e-privacy laws, regulations and standards in Luxembourg.
NOTICE OWNER: BR-NAS General Partner S.à r.l.
Confidentiality is intrinsic to the Fund’s business and we take data protection very seriously. For the purpose of compliance with the GDPR, this Notice sets out how your Personal Data is Processed. It also informs you of your rights regarding your Personal Data.
“2002 Law” means the Luxembourg law of 2 August 2002 on the protection of persons with regard to the processing of personal data, as amended, repealed and replaced.
“CNPD” means the National commission for Data Protection (Commission Nationale pour la Protection des Données).
“EEA” means the European Economic Area.
“EU” means the European Union.
“Data Protection Laws” means the 2002 Law, the GDPR and any subsequent re-enactment, replacement or amendment of the GDPR and any data protection law enacted which is applicable.
“GDPR” means the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
“Notice” means this data protection privacy notice.
“Third Party(ies)” means any third party providing (i) services to the Fund including but not limited to the manager, administrator, independent valuer, depositary, global distributor, sub-distributor, auditors, property advisor, property manager, information technology providers, lawyer, consultant, tax advisor, (ii) any underlying investment (in or through which the Fund intends or does invest), (iii) any lender to the Fund (iv), including without limitation such Third Parties respective general partner or management company/investment manager and service providers, and any of the foregoing respective agents, delegates, affiliates, subcontractors and/or their successors and assigns generally.
The terms “Controller”, “Personal Data”, “Processing”, “Processor” used in this Notice have the meaning assigned to them in the GDPR. In order to facilitate the reading of the Notice, the following definitions are:
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
BR-NAS General Partner S.à r.l.
58, rue Charles Martel
Grand-Duchy of Luxembourg
Attention: Ronny Pifko
Purposes of Processing
The general partner may process the Personal Data in accordance with Data Protections Laws and solely for one or more necessary legal purposes (as described below).
In particular, the data supplied by you is Processed for the purpose of (i) maintaining the register of partnership interests, (ii) client’s identification, (iii) Processing subscriptions, redemptions (where permitted) and conversions of LP Interests and payments of dividends to the limited partners, (iv) performing controls on late trading and market timing practices, (v) complying with applicable anti- money laundering rules, (vi) performing legal requirements under FATCA, the Common Reporting Standard (CRS) or similar laws and regulations (e.g. at the OECD or EU level), (vii) account administration, (viii) fulfilling the Fund’s contractual obligations with Third Parties; (ix) communicating with you by way of notice pursuant to applicable legislation or the limited partnership agreement, (x) responding to or evaluating any queries or complaints in relation to your investment in the Fund, (xi) internal and external audits and, where necessary, investigations, (xii) establishing, exercising or defending legal claims, and (xiii) the legitimate interests pursued by the Fund, or by the Third Parties.
The above purposes are based on at least one of the following legal basis: (i) the Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, (ii) the Processing is necessary for compliance with a legal or regulatory obligation to which Fund is subject, (iii) the Processing is necessary for the purposes of the legitimate interests pursued by the Fund such as the better administration of its business (e.g. protection of our facilities), so long as the rights of data subjects are not overridden, (iv) the data subjects have given their explicit consent (this basis is used only exceptionally).
Categories of Personal Data Processed and Categories of data subjects
The general partner may Process the following categories of Personal Data: (i) identification data (e.g. name, surname, addresses, alias, place and date of birth, professional information, proof of identity (such as passport, photograph, identity card) and proof of address, results of fraud, criminal record checks, sanction screening, numeric data including tax identification numbers, bank details, signature, contact information, social security details and FATCA/CRS details, politically exposed persons checks and any other checks required by anti-money laundering and counter terrorist regulations on the investor and the relevant person(s)); (ii) professional data (e.g. position, company); (iii) administrative data (e.g. language, tax identification numbers, bank details, signature, contact information, social security details); (iv) financial data (e.g. tax data, FATCA/CRS details, transactional data, investment preferences, investment history).
This data may be provided directly by you or, as the case may be subscription services, other third party data sources or, through your authorised intermediaries, directors, officers, individual representatives (including, without limitation, legal representatives), trustees, settlors, signatories, shareholders, unitholders, investors, nominees or employees. The general partner may also collate and hold data found from the results of internet searches and other sources in the public domain in the course of the client due diligence process and in providing the services that the general partner engaged to provide. The general partner generates an internal number specific to you. The general partner Processes the following documents that may also contain your Personal Data: trust deeds, employment history, bank references, register of members, register of directors, financial statements, controlling persons list, authorised signatories lists, notarial deeds, minutes and resolutions. Information regarding source of funds may also contain your Personal Data. In the course of your dealings with the Fund you may provide us with further information; all of this information will be kept securely by us.
Personal Data will also relate to individuals connected with corporate investors and other investor entities or potential investors and entities related to them or controlled by them (including without limitation the directors, officers, individual representatives, legal representatives, trustees, settlors, signatories, shareholders, unitholders, investors, nominees, employees, beneficial owners, and/or any relevant person(s)).
The general partner will also Process Personal Data relating to business contacts, staff of the Fund’s service providers/ underlying investments and their service providers, authorised signatory lists, personnel employed by or who may become involved in a transaction/contract with the Fund.
When the general partner does not collect Personal Data directly from you, it must tell you the categories of Personal Data that it Processes which have been collected from other sources. The general partner Processes the following categories of your Personal Data that are not collected directly from you (i) account numbers provided by banks and/or auditors (ii) identity/address and other information from sanctions screening, fraud prevention agencies or credit reference agencies.
The general partner will notify you should any further Personal Data be collected from Third Parties.
Personal Data provided to Third Parties
The manner in which the Fund operates requires us to share, disclose or provide Personal Data to Third Parties to perform our contracts with third party service providers or at other times at your request (e.g. sharing of KYC) or may be necessary for legal/regulatory reasons, such as anti- money laundering and counter terrorist financing laws and regulations.
A non-exhaustive list of potential disclosures includes: (i) collecting and sending documents when making an underlying investment, (ii) collecting and sending documents for external audits, (iii) collecting and sending documents for external audits of third party service providers, (iv) publications onto the public record, such as companies registries or beneficial ownership registers, (v) publications with regulators, (vi) FATCA/CRS filings onto approved external platforms, (vii) sending information to external parties such as depositaries, notaries, administrators, domiciliation agents, banks, consultants, distributors, managers and other advisors (including, but not limited to, legal advisors) and other financial intermediaries and professionals of the financial sector service providers acting on behalf of the Fund and providing services, supervisory or governmental bodies.
Third Parties and their respective service providers, directors or management bodies and general partners may require information on you for their own due diligence assessment and to comply with relevant laws and regulations, therefore we and our Processors may share the information you provide to us with them for this purpose.
Summary of processing of Personal Data by Third Parties
Your Personal Data may be Processed by any Third Party and their sub-processors located, inside EU/EEA, where there are agreements in place between us to protect your data to GDPR compliant standards. Should you require further information please contact us as provided above.
Further, the general partner may disclose Personal Data to any Third Parties and their sub-processors located outside the EU/EEA in a country that has equivalent data protection laws to those of the EU/EEA, or that is subject to an adequacy decision of the European Commission, or in the absence of an adequacy decision, the Controller or the Processor has provided appropriate safeguards, or in the absence of appropriate safeguards you have given explicit consent to the proposed transfer
Additionally, your data may be Processed by our third party service providers’ sub-processors. In such cases, where data is Processed outside of the EU/EEA, the appropriate safeguards are in place. It may also be provided externally to banks, regulators, auditors, advisors (including, but not limited to, legal advisors), supervisory or governmental bodies.
Following the transfer of Personal Data to Third Parties, your rights remain enforceable and effective legal remedies are ensured.
Retention and destruction of Personal Data
Your Personal Data will be kept securely by the general partner. Your Personal Data will be held for the period stated in applicable law and/or for as long as is required to perform our contract with you after which it will be securely destroyed. We may keep it longer where: (i) there is litigation or an investigation; (ii) where we are obliged to by any applicable law or regulation (iii) it may be required to assist with the mitigation of any future tax or regulatory query or enquiry into the transactions or other affairs undertaken by the Fund (iv) at your request (in which case there may be a charge).
As a data subject you have further specific rights set out below, which you may choose to exercise.
Right of access
You have the right to obtain confirmation that your Personal Data is being Processed, what categories of Personal Data we Process, where and to whom your data is transferred and why we Process it. On request we will provide a copy of the Personal Data we hold on you free of charge. For subsequent requests we may charge a fee based on the administrative costs of providing the information. Where requests are deemed to be manifestly unfounded or excessive (for example where requests are repetitive) we are entitled to either refuse the request or charge a reasonable fee based on the administrative costs of providing the information.
Right to restrict processing
You have the right to restrict the Processing of your Personal Data where one of the following applies:
- You contest the accuracy of your Personal Data while we investigate the inaccuracy/update the data.
- The Processing is unlawful and you oppose the erasure of your Personal Data and request the restriction of its use instead.
- You have objected to Processing pending the verification whether the legitimate grounds of the controller override those of your own.
- You may also request that we do not delete/destroy your Personal Data, even once we no longer need it, should you require it for the establishment, exercise or defense of legal claims.
Right to rectification
You have the right to have your Personal Data rectified if it is inaccurate or incomplete.
Rights in relation to automated decision making and profiling
You have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning you or significant effects that harm you unless it is necessary for entering into, or performance of, a contract between you and us:
- It is authorised by EU or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests. or
- You explicitly consent.
We do not utilise automated Processing which produces legal effects for data subjects.
Right to object
You have the right to object, on grounds relating to your particular situation, to the following Processing activities:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). Unless we can demonstrate compelling legitimate grounds for the Processing which override your interests, rights and freedoms or, except where the Processing is necessary for the establishment, exercise or defence of a legal claim we must cease to Process your Personal Data.
- Direct marketing (including profiling).
- Processing for purposes of scientific/historical research and statistics.
- “Profiling” is the automated Processing of your Personal Data to evaluate certain things about you.
Right to data portability
You may request us to either send you a copy or to transfer your Personal Data from one IT environment to another in a safe, easily usable and secure way. This right only applies where the Processing is based either on consent or on the performance of a contract and the Processing is carried out by automated means.
Right to erasure
This right is also sometimes known as “the right to be forgotten”. You have a right to request the deletion or removal of your Personal Data where there is no compelling reason for its continued Processing. It is not an absolute right and can be used in specific circumstances such as:
- Where the Personal Data is no longer necessary in relation to the purpose for which it was originally collected/Processed and there is no legal obligation on the Controller to keep it.
- Where you as the data subject withdraw consent where the sole basis for Processing was consent.
- Where you object to the Processing and there is no overriding legitimate interest for continuing the Processing.
- The Personal Data was unlawfully Processed.
- The Personal Data has to be erased in order to comply with a legal obligation.
Making a complaint to a regulatory authority
As a data subject you have a right to lodge a complaint within a supervisory authority in:
- The place of your residence.
- Your place of work.
- The place of the alleged infringement.
You may also lodge a complaint with the CNPD.
The general partner, as data Controller, has undertaken all the necessary organisational and technical standards in order to protect your Personal Data. Nevertheless, should a privacy breach occur we will notify you directly as soon as possible following identification of the breach.
This notification will include:
- Date of the Personal Data breach.
- Description of nature of the Personal Data breach comprising a general description of what happened.
- Description of the information inappropriately accessed, collected, used or disclosed.
- The steps taken so far to address the Personal Data breach and to control or reduce the harm.
- Future steps planned to prevent further Personal Data breaches.
- Steps you might consider taking to mitigate the possible adverse effects of the Personal Data breach.
- Contact details of the CNPD.
- Our contact details where additional information may be obtained.
Governing law and jurisdiction
This Notice will be governed by and interpreted according to the law of Luxembourg. All disputes arising under the note will be subject to the exclusive jurisdiction in Luxembourg.
Change to the Notice
We may update this Notice to reflect changes in the law or our privacy practice. Should you require further information please contact the Controller as set out above.