OAM is acting as data controller in accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) as such legislation and guidance may be amended, replaced or repealed from time to time. The terms “personal data”, “data subject”, “data controller” and “processor” shall have their meanings given to them as set out in the GDPR.
This Privacy Notice is separate from and not intended to override the terms of any contract we may have with you or your rights under data protection laws.
When and how are personal data collected?
We will only collect the personal data that we need. We collect personal information when you contact us (e.g. in application forms, through phone calls and emails or via our website). We further collect personal data in connection with our activities, for example if you:
- invest in an OAM product;
- work with us as a supplier or service provider;
- visit an office or register to attend an OAM event;
- are introduced to us by third parties for legitimate marketing purposes.
We will ask for personal information from you or from persons who are authorised to represent you or act on your behalf. Where you share with us personal data about another individual or an individual related to you, we expect you to undertake to inform them about (i) the processing of personal data for the below mentioned purposes and (ii) their rights stemming from applicable data protection laws.
Where we invest in properties, we will collect information about the person(s) to whom any such property is or may be leased or who reside in the property (or, where the tenant is an organisation, about key members of that organisation such as its directors or partners).
What personal data are processed?
We may process the following categories of personal data:
- Identification data such as first name, last name, phone number, fax number, e-mail address;
- Personal characteristics such as date of birth and country of birth;
- Identifiers issued by public bodies, such as passport, identification card, tax identification number, national insurance number, social security number;
- Financial information, such as financial and credit history information, source of the wealth/funds for an investment, bank details;
- Transaction / investment data, such as current and historic investments, investment profile, investment preferences and invested amount, number and value of shares held, role in a transaction (seller / acquirer of shares), transaction details.
Do you have the obligation to provide the data?
Where such data is not fully received, your account may not be opened, you may not be able to receive distributions or redemption proceeds, we may not be able to provide you the desired service or enter into a business relationship with you.
For what purpose is Personal Data being processed?
We process your personal data for the following purposes:
- for the purposes of entering into or performing a contract with you: this includes, e.g. to on board a customer or business relationship, to arrange or administer our products in accordance with the agreed terms, the provision of the necessary investor-related services and more generally the processing of requests of the investor;
- for compliance with legal and regulatory obligations: this includes legal obligations such as the applicable Company Law, accounting obligations, Know-Your-Customer, Anti-Money Laundering Laws and Regulations, the Common Reporting Standard, FATCA or the AEOI Laws as amended from time to time.
- for the purposes of the legitimate interests: this includes, e.g. the processing of your personal data for risk management and fraud prevention purposes, the exercise or defence of legal claims or the protection of rights of another natural or legal person.
We may use personal information to send reasonable and proportionate marketing communications about our products and our related services which we believe may be of legitimate interest or relevance to you, based on the information we have about you. This may be in the form of email, post, SMS or telephone. You can always opt-out of receiving marketing communication by asking us in writing to stop the activity at any time.
We may process your personal data for other purposes only when you have given your freely and expressly consent. Your consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
With whom may Personal Data be shared?
We may disclose your personal data to the depositary, the portfolio manager, the administrative, domiciliary and registrar agent, the auditors, the legal advisors, including their respective advisers, auditors, delegates, agents and service providers and any other subsidiary or affiliated company to perform the processing on our behalf and to third parties such as banks, counterparties, public administrations, local or foreign public and judicial authorities.
We will undertake identity checks on you, using the personal data you have provided. This will involve disclosing your personal information to credit reference agencies, which carry out searches relating to you on our behalf. We work with reputable anti-fraud and credit reference agencies to detect and prevent fraudulent practices and fight financial crime to meet our regulatory responsibilities.
Where is personal data transferred to?
Transfers of such data may be made to or from countries located in or outside of the EEA. Certain countries to which personal data may be transferred may not have the same level of protection as the one afforded in the European Union. Personal Data transferred to countries outside of the EEA will be protected by appropriate safeguards such as standard contractual clauses approved by the European Commission or by other appropriate technical or organizational measures that you may obtain a copy of by contacting us. We are not required to share details of these safeguards where sharing such details would affect our commercial position, or create a security risk.
How we keep your personal data secure
We are committed to keeping your personal data secure. We maintain appropriate organisational and technical security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal data to those employees and other third parties who have a business need to have such access. All such people are subject to a contractual duty of confidentiality.
We have put in place procedures to deal with any actual or suspected personal data breach (leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data). In the event of any such breach, we have systems in place to work with applicable regulators. In addition, in certain circumstances (e.g., where we are legally required to do so) we will take reasonable efforts to notify you without undue delay by appropriate means of a breach affecting your personal data.
You are granted with the following rights in relation to your personal data:
- access to and reception of a copy of information we hold about you. We will not ask for a fee, unless we think your request is unfounded, repetitive or excessive. Where a fee is necessary, we will inform you before proceeding with your request;
- rectify any personal data held about you that is inaccurate and the completion of incomplete data. Please let us know if your information changes as it is important that the information we hold about you is accurate and up to date;
- request the deletion of personal data, when it is no longer necessary for the purposes described above, or where the processing is not or no longer lawful. You can also ask that we erase your personal information if you have either withdrawn your original consent to us using your information, or objected to further legitimate use of your information. We may not always be able to comply with your request, for example where we need to keep using your personal information in order to comply with a legal obligation or where we need to use your personal information to establish, exercise or defend legal claims;
- request the restriction of processing where the accuracy of the personal data is contested, the processing is unlawful, or where you have objected to the processing of your personal data;
- object to processing of your personal data which is based on the legitimate interests pursued by us or by a third party. In such a case we will no longer process your personal data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;
- the right to data portability where the processing is based on the execution of a contract or consent, is performed by automated means and where the data has been provided by you. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller (e.g. another company).
You can exercise your rights at any time by contacting us at the above address or at email@example.com.
We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure that we only disclose information or change account details with the right individual.
We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than one month. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.
Should you wish to make a complaint about how we process your personal data, please contact us first at the email address indicated above and we will endeavour to deal with your request as soon as possible. This is without prejudice to your right to file a complaint with the Luxembourg data protection authority, the Commission nationale pour la protection des données – https://cnpd.public.lu/en.html, or the competent data protection authority in the EU member state in which you reside.
For how long is Personal data retained?
We generally only keep personal information for as long as is reasonably required for the reasons explained in this Privacy Notice.
We will retain your personal data relating to KYC and AML checks for 5 years after the end of the contractual relationship with us. Personal data that is relevant for accounting purposes and data relating to the contract with us will be retained for 10 years after the closing of the end of the financial year to which they relate.
Notwithstanding the foregoing, personal data may be retained for a longer period of time as may be imposed or permitted by law, in consideration of the purposes for which they have been collected and the legal limitation periods (including for litigation purposes).
Amendment of this privacy notice
We may amend this Privacy Notice from time to time to ensure that you are fully informed about all processing activities and our compliance with applicable data protection laws. If there will be any significant change made to the use of your personal data, we will notify you by appropriate means. Also, please regularly check these pages for the latest updates.