In accordance with the provisions of the EU Regulation n°2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and any applicable national data protection laws (including but not limited to the Luxembourg law of 1st August 2018 organizing the National Commission for data protection and the general system on data protection, as amended from time to time) (collectively, the “Data Protection Laws”), AVAIO Digital Management, LLC and AVAIO Management LP (collectively, the “Data Controller”) acting as data controller on behalf of AVAIO Digital Partners Europe SCSp, collects, stores and processes by electronic or other means the data supplied by investors and/or prospective investors (or if the investor and/or the prospective investor is a legal person, any natural person related to it such as its contact person(s), employee(s), trustee(s), nominee(s), agent(s), representative(s) and/or beneficial owner(s)) (the “Data Subjects”) at the time of their subscription for the purposes outlined below.
The data processed may include the Data Subject’s name, age, e-mail, address, gender, phone number, fax number, account numbers, date of birth, nationality, citizenship, profession, identity number, passport number, identity card with photo, proof of address, tax identifiers, tax status, tax certificates, source of wealth, source of funds, bank account data, IBAN and BIC codes, PEP status, sanctions status, income, related parties, power of attorney status, client communications and any information regarding the dealing in shares (subscription, conversion, redemption and transfer) (the “Personal Data”). As part of its compliance with legal obligations such as AML/KYC, the Data Controller may be required to process special categories of Personal Data as defined by the GDPR, including Personal Data relating to political opinions as well as criminal convictions and offences. Personal data relating to political opinions of Data Subjects having a public political exposure will be processed by the Data Controller on the basis of article 9, (2), e) of the GDPR (i.e., the personal data have manifestly been made public by the data subject).
The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Data Controller. As a result, the Data Controller may reject their request for subscription for shares in the Fund if the relevant Personal Data is necessary to the subscription of such shares.
Investors and/or prospective investors who are legal persons undertake and guarantee to process Personal Data and to supply such Personal Data to the Data Controller in compliance with the Data Protection Laws, including, where appropriate, informing the relevant Data Subjects of the contents of the present section, in accordance with Articles 12, 13 and/or 14 of the GDPR.
Personal Data supplied by Data Subjects are processed in order to enter into and execute the subscription in the Fund (i.e., to perform any pre-contractual measures as well as the contract entered into by the Data Subjects), for the legitimate interests of the Data Controller and to comply with the legal obligations imposed on the Data Controller.
In addition, the Personal Data supplied by Data Subjects are processed for the purpose of (i) maintaining the register of investors; (ii) processing subscriptions, redemptions and conversions of shares and payments of dividends or interests to investors; (iii) complying with applicable anti-money laundering rules and any other legal obligations, such as maintaining controls in respect of late trading and market timing practices, CRS/FATCA obligations or mandatory registrations with registers including among other the Luxembourg register of beneficial owners; (iv) account administration; (v) client relationship management and (vi) marketing. In addition, the Data Subjects acknowledge their rights to oppose to the use of Personal Data for marketing by writing to the Data Controller.
The “legitimate interests” of the Data Controller referred to above are:
- the processing purposes described in points (v) and (vi) of the above paragraph of this clause;
- the provision of the proof, in the event of a dispute, of a transaction or any commercial communication as well as in connection with any proposed purchase, merger or acquisition of any part of the Fund’s business;
- compliance with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority;
- risk management;
- processing Personal Data of employees of investors and/or prospective investors which are legal persons; and
- exercising the business of the Fund in accordance with reasonable market standards.
The Personal Data may also be processed by the Data Controller’s data recipients (the “Recipients”) which, in the context of the above mentioned purposes, refer to, other prospective or existing investors, any third party that acquires, or is interested in acquiring or securitizing, all or part of the Fund’s assets or shares, or that succeeds to it in carrying on all or a part of its businesses (whether by merger, acquisition, reorganization or otherwise), or provides services to it as well as any other third party supporting the activities of the Data Controller. The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Data Controller and/or assisting the Recipients in fulfilling their own legal obligations.
The Recipients and Sub-Recipients may be located either inside or outside the European Economic Area (the “EEA”). Where the Recipients and Sub-Recipients are located in a country outside the EEA which benefit from an adequacy decision of the European Commission, the Personal Data are transferred to the Recipients and Sub-Recipients upon such adequacy decision. Where the Recipients and Sub-Recipients are located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data or does not benefit from an adequacy decision of the European Commission, the Data Controller has entered into legally binding transfer agreements with the relevant Recipients in the form of the European Commission approved model clauses or any other appropriate safeguards pursuant to the GDPR. In this respect, the Data Subjects have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Data Controller.
The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as data processors (when processing the Personal Data on behalf and upon instructions of the Data Controller and/or the Recipients), or as distinct data controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).
The Personal Data may also be transferred to third-parties such as governmental, judicial, prosecution or regulatory agencies and/or authorities, including tax authorities, in accordance with applicable laws and regulations. In particular, Personal Data may be disclosed to the Luxembourg tax authorities, which in turn may acting as data controller, disclose the same to foreign tax authorities.
In accordance with the conditions laid down by the Data Protection Laws, the Data Subjects acknowledge their right to:
- access their Personal Data;
- correct their Personal Data where it is inaccurate or incomplete;
- object to the processing of their Personal Data;
- restrict the use of their Personal Data;
- ask for erasure of their Personal Data;
- ask for Personal Data portability.
The Data Subjects may exercise their above rights by writing to the Data Controller at the following address: Four Stamford Plaza, 5th Floor, 107 Elm Street, Suite 501, Stamford, CT 06902.
The Data Subjects also acknowledge the existence of their right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: 15, Boulevard du Jazz, L-4370 Belvaux, Grand Duchy of Luxembourg; or with any competent data protection supervisory authority of their EU Member State of residence.
Personal Data shall not be retained for periods longer than those required for the purpose of their processing subject to any limitation periods imposed by law.