1 Purpose and legal Framework
1.1 The purpose of this information notice (the “Notice”) is to provide information regarding how the applicable entity as defined in clause 2.1.2 (“Data Controller”) collects, processes and shares personal data relating to current investors (the “Investors”), ultimate beneficial owners, directors, authorised representatives, or designated as contact persons of Investors (together with Investors, the “Data Subjects” or “you”). The Notice also provides information about the Data Subjects’ rights in relation to the processing of their personal data.
1.2 In accordance with the provisions of the Luxembourg law of 1 August 2018 on the organization of the National Data Protection Commission and implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), any law, circular or regulation in the context of the GDPR, or any other applicable law, e.g. the Personal Data Protection Act of 2012 of Singapore (“PDPA”) or the Swiss Federal Act on Data Protection (“FADP”), circular or regulation, personal data may be collected and further processed by the Data Controller and its data processors.
1.3 The following information must, in accordance with articles 13 and 14 of the GDPR or any other applicable law, be provided by the Data Controller, acting as data controller or joint data controllers, to the Data Subjects, depending on the contractual relationships in place.
2 General Requirements
2.1 Who is the Data Controller and who to contact?
2.1.1 The Data Controller collects, stores and processes by electronic or other means the personal data supplied by Investors at the time of their onboarding via the relevant forms (the “Personal Data”), or in other forms, correspondence and conversations, for the purpose of fulfilling the services required by the Investors and complying with their legal obligations and specifically in compliance with the provisions of the GDPR, PDPA, FADP or any other applicable law.
2.1.2 Depending on the contractual relationships the Investor has in place, the Data Controller that is responsible to ensure that your personal data is being processed in a correct manner and in accordance with applicable legislation, is a different entity, as defined in the following:
a) For investors investing in Luxembourg bonds or notes, the Data Controller is jointly:
Corecam Capital Partners Pte Ltd (acting as “Arranger”), 80 Raffles Place, #59-02, Singapore 048624, firstname.lastname@example.org, and Select Securities Europe S.à. r.l. (securitization platform), acting in respect of its compartments (the “Issuer”), 22-24 Boulevard Royal, L-2449 Luxembourg, email@example.com
The Arranger might process Personal Data by communicating part of it to the Issuer for the purpose of setting up the Investors’ investments.
b) For shareholders of Singapore based special purpose vehicles that invest in immovable assets, the Data Controller is:
Corecam Capital Partners Pte Ltd (acting as manager), 80 Raffles Place, #59-02, Singapore 048624, firstname.lastname@example.org
c) For shareholders of Singapore based special purpose vehicles that do not invest in immovable assets and investors with direct agreements with Corecam Pte Ltd, the Data Controller is:
Corecam Pte Ltd (acting as manager), 80 Raffles Place, #59-02, Singapore 048624, email@example.com
d) For investors with direct agreements with Corecam AG the Data Controller is:
Corecam AG, Tödistrasse 5, 8002 Zurich, firstname.lastname@example.org
2.1.3. If you would like further information about your data protection rights, including rights about access to data and correction of inaccurate data, please contact the Data Controller that is in control of your data as stated above.
2.1.4 The Data Controller has appointed a “Data Protection Officer” where required.
2.2 What kind of Personal Data is processed?
2.2.1 Personal Data includes, but it is not limited to, the name, address, passport or identification card details, bank account details and invested amount of each Data Subject.
2.2.2 In particular the Personal Data processed includes:
a) identification data (e.g. name, e-mail, postal address, telephone number, country of residence, passport, identity card, driving licence, tax identification number, bank account details and invested amount of each Investor);
b) images and sound (e.g. copies of identifications documents); and
c) advertisement and sales data (e.g. potential interesting products for the Data Subject).
d) electronic identification data (e.g. IP addressed, cookies, traffic data);
e) personal characteristics (e.g. date of birth, marital status);
f) communications (e.g. exchange of letters, emails);
g) banking and financial data (e.g. financial identification, financial situation, risk profile, investment objectives and preferences);
h) employment and occupation (e.g. employer, function, title, place of work, specialisation);
i) tax-related data, contract data;
2.3 For which purposes and on what legal basis does the Data Controller process your Personal Data?
2.3.1 For the performance of a contractual obligation
220.127.116.11 The Data Controller process your Personal Data for you to make certain investments as agreed with the Data Controller.
18.104.22.168 In this regard Personal Data may be processed for the following purposes:
a) maintaining the register of security holders if any;
b) processing subscriptions and redemptions of securities;
c) administer, manage and set up your Investor relationship(s) to allow you to purchase your holding of interest in our vehicles;
d) meet the resulting contractual obligations the Data Controller has to you;
e) facilitate the continuation or termination of the contractual relationship;
f) facilitate the transfer of funds, and administering and facilitating any other transaction;
g) complying with applicable anti-money laundering rules and any regulatory requirements applicable to the Data Controller or any of their affiliates;
h) marketing, and
i) more generally providing other services in relation to the investments you have made or will make.
22.214.171.124 Personal Data required by the Data Controller is necessary to make the investments or services agreed. Failure to provide such Personal Data will imply rejection of your(s) investment(s) or service(s).
2.3.2 For compliance with laws and regulations
126.96.36.199 The Data Controller is subject to various legal obligations pursuant to statutory (e.g. laws of the financial sector, anti-money laundering and combatting the financing of terrorism laws, tax laws) and regulatory requirements (e.g. requirements of any regulatory authority).
188.8.131.52 This covers our processing of your Personal Data for compliance with applicable laws such as the applicable legislation on know-your-Customer (“KYC”) and anti-money laundering and combatting the financing of terrorism (“AML/CFT”), compliance with requests from or requirements of local or foreign regulatory enforcement authorities, tax identification and reporting (where appropriate) notably under Council Directive 2011/16/EU on administrative cooperation in the field of taxation (as amended by Council Directive 2014/107/EU) and Singapore law, the OECD’s standard for automatic exchange of financial account information commonly referred to as the Common Reporting Standard or “CRS”), for Foreign Account Tax and Compliance Act (“FATCA”) purposes, for the Automatic Exchange of Information (“AEI”) and any other exchange of information regime to which the Data Controller may be subject to from time to time.
184.108.40.206 The processing of your Personal Data to comply with the regulatory provisions is mandatory and your consent is not required.
220.127.116.11 Your Personal Data may be shared with foreign tax authorities (or with service providers for the purpose of effecting the reporting on our behalf and failure to provide correct information to us or to respond may result in incorrect or double reporting).
18.104.22.168 If you fail to provide certain information when requested, the Data Controller may not be able to enter into a contract with you / perform the contract the Data Controller have entered into with you, or the Data Controller may be prevented from complying with our legal obligations.
2.3.3 For the legitimate interest of the Data Controller
a) Arrange, manage and/or administer your holding in any vehicles in which you are invested, and any related relationships on an ongoing basis;
b) Assess and process any applications or requests made by you;
c) Open, maintain or close relationships in connection with your investment in, or withdrawal from, related vehicles;
d) Send updates, information and notices or otherwise correspond with you in connection with your investment;
e) Address or investigate any complaints, claims, proceedings or disputes;
f) Provide you with, and inform you about, our investment products and services;
g) Keep our internal records;
h) Prepare reports on incidents/accidents;
i) Protect our business against fraud, breach of confidence, theft of proprietary materials, and other financial or business crimes (to the extent that this is not required of us by law);
j) Analyse and manage commercial risks.
The Data Controller only rely on these interests where it has considered that, on balance, the legitimate interests of the Data Controller are not overridden by your interests, fundamental rights or freedoms.
2.4 Methods of processing and disclosure of Personal Data
2.4.1 The processing of Personal Data will be carried out using appropriate tools to ensure security and confidentiality and may be carried out with the help of manual, computerised and electronic tools for storing, managing and transmitting Personal Data.
2.4.2 To achieve the purposes indicated above, it might be necessary for the Data Controller to communicate your Personal Data to the following categories of recipients:
a) Third parties: any third parties acting on the Data Controller’s behalf (such as service providers), including their respective advisers, auditors, delegates, agents and service providers; persons acting on behalf of investors, such as payment recipients, beneficiaries, account nominees, intermediaries, correspondent and agent banks, clearing houses, clearing or settlement systems, etc. The aforementioned third parties have been appointed as Data Processors, according to article 28 GDPR.
b) Authority: as may be required or authorized by law (including but not limited to public administrative bodies and local or foreign public and judicial authorities, including any competent regulators).
2.4.3 When the Data Controller uses processors it shall ensure that such processors provide sufficient guarantees to implement appropriate technical and organisational measures and that such processing on behalf of the Data Controller meets the requirements of GDPR, PDPA and FADP and ensures the protection of the rights of the Data Subjects.
2.4.4 When information is not collected directly from the Data Subject, the investor shall ensure to inform any other Data Subject about processing of its Personal Data and its related rights. The investor shall transfer the information described in this information notice to the relevant Data Subject so it can properly exercise its rights.
2.4.5 In the case of nominees, the Personal Data may be collected by the nominee. In those cases, the nominee will be acting as independent data controller in accordance with the provisions of GDPR, PDPA and FADP. Investors subscribing through a nominee should consult the data privacy notice of the nominee, when available.
3 For how long does the Data Controller keep your Personal Data?
As far as necessary, Personal Data will be kept for the duration of the investments agreed for the length of time required by applicable law. The respective law relating to anti-money laundering requires that documents be retained for a period of five or ten years (depending of the specific processing) after the relationship has come to an end and as advisable in light of an applicable statute of limitations.
4 Automated decision making
Data Subjects should note that the Personal Data may be used for direct marketing subject to the right to object to such use as detailed above. This practice will not include profiling or automated decision making.
5 Rights of the Data Subject
5.1 Each Data Subject has:
a) a right to request the Data Controller access to his/her personal information processed by or on behalf of the Data Controller in accordance with the provisions of article 15 of the GDPR;
b) a right to have the Data Controller rectify his/her Personal Data if they are inaccurate as well as a right to have incomplete personal data completed, including by means of providing a supplementary statement, in accordance with the provisions of article 16 of the GDPR;
c) a right to request the erasure of his/her Personal Data in accordance with the provisions of article 17 of the GDPR including in the following situations (i) where the Personal Data is no longer necessary in relation to the Investor’s subscription, (ii) the Data Subject objects to the processing of its data and there are no overriding legitimate grounds for the processing, (iii) the data has been unlawfully processed, and (iv) the Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
d) a right to request a restriction of the processing of his/her data in accordance with the provisions of article 18 of GDPR;
e) a right to object to the processing of his/her data in accordance with the provisions of article 21 of GDPR;
f) a right to lodge a complaint with the Commission Nationale pour la Protection des Données (“CNPD”) in Luxembourg and the relevant authority of the Member State in which the Data Subject resides or works in accordance with the provisions of article 77 of the GDPR;
g) a right to receive the Personal Data concerning him or her or to request that it be transmitted to another data controller, when feasible, in accordance with the provisions of article 20 of GDPR.
5.2 To make any of the above requests you need to put the request in writing addressing it to the Data Controller as set out above.
6 Transfer of Personal Data outside EEA
6.1 Personal Data may be transferred to other companies or entities within the Data Controller’s group of affiliates under common control in certain cases or to sub-processors, including to the following countries outside the European Economic Area (the "EEA"): Singapore or Switzerland where such transfer is necessary for the maintenance of records, administration or provision of services to the Data Controller. In certain cases, data may be transferred to a country, which does not have equivalent data protection to that of the EEA.
6.2 In such cases, the Data Controller shall ensure that data transfer is done in accordance with all applicable data protection laws and the agreement between, or other data processing agreements within, the group of affiliates.
7.1 Navigating on the Data Controller’s website may result in the installation of cookies on the user’s computer. These are small text files that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.
7.2 The Data Controller may use session cookies to keep information about your navigation on our website for different purposes, namely to facilitate subsequent navigation on the website, to remember your preferences and to allow various visitor figures to be compiled. Some cookies are essential to deliver a better experience on the Data Controller’s website and to understand how people use its website. The Data Controller tracks information like number of visits to the site, which part of the site visitors selects, IP address, domain type, browser type, date and time of the day.
7.3 Cookies present on the website are controlled by the website and are accessed only by the website owner or by people acting on its behalf. Additionally, cookies will not be used for any purpose than the one stated.
7.4 You can control and/or delete cookies at any time. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
8. The use of tracking technologies
8.1 The use of Google Analytics:
8.1.1 The website may use Google Analytics; web analysis services of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: “Google”). Google Analytics use so-called “Cookies”; text files which are stored on your computer/smartphone and which enable analysis of your use of our Website and Web-App. The information generated by the Cookies about your use of our website and Web-App is generally transmitted to a Google server in the USA and stored there. However, within member states of the European Union or in other parties to the agreement on the European Economic Area, your IP address will be previously shortened by Google on our website and Web-App.
8.1.2 Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. Google will use this information on behalf of the operator of this website/App to evaluate your use of the website, in order to compile reports about the website activities and to render further services to the website operator connected with the website use and internet use. The IP address transmitted by your browser within the framework of Google Analytics will not be merged with other data from Google.
8.1.3 You can prevent the storage of Cookies by configuring your browser software accordingly. However, the Data Controller hereby points out that in this case you may not be able to use all functions of our website fully. Furthermore, you can prevent the collection of the data generated by the Cookie related to your use of our Website (incl. IP address) by Google as well as the processing of these data by Google, by downloading and installing the browser plugin available via the following link: http://tools.google.com/dlpage/gaoptout
8.1.4 You can find more detailed information about this at: http://google.com/intl/de/analytics/privacyoverview.html
9. Changes to the Notice
The Data Controller may decide to change this Notice. If the change is indicative of a fundamental change to the nature of the processing or a change which may not be fundamental in terms of the processing operation but which may be relevant to and impact upon you, then the updated Notice will be provided to you well in advance of the change actually taking effect. The Data Controller will send them to you via e-mail or publish it on their website so that you will be aware of the changes. When notifying you of such changes, the Data Controller will also explain what the likely impact of those changes on you will be, if any.
This data privacy notice was last updated on 1 June 2019.