This Privacy Notice is dated April 2021.
Aramis Capital (Europe) Ltd (C 77471) of 19/14, Vincenti Buildings, Strait Street, Valletta, Malta (“Aramis”, “the Company”, “we”, “us” or “our”) and its associated entities respect your privacy and are wholly committed to protecting your personal data.
Aramis is duly licensed and authorised by the Malta Financial Services Authority (“MFSA”) to:
· provide investment advice in regard to financial instruments (our Services).
Particularly, our licence allows and authorises us to provide those Services to professional clients and eligible counterparties.
Additionally, the Company also engages in the marketing of Collective Investment Schemes in the European Union and the United Kingdom.
In that regard, this Privacy Notice (the “Notice”) explains how we process personal data about individuals:
· who apply for and/or receive any of our Services, including any related products; and/or
· who form part of or are otherwise included in our Marketing network (as explained below in this Notice); and/or
· who visit our website.
Where the client or applicant for our Services is a corporate entity (i.e. not a natural person), then we will also request and collect personal data about its directors, representatives, officers, authorised signatories, shareholders and ultimate beneficial owners (“UBOs”) (namely for AML, due diligence and other vetting requirements). This Notice also explains how we process personal data about those individuals.
In this Notice, “you” is used to refer to any natural person:
· in our Marketing Network;
· receiving or interacting with us in relation to our Services;
· in the case of applicants or clients that are corporate entities, their directors, representatives, officers, authorised signatories, shareholders and UBOs; and/or
· Website users.
This cookie notice applies to the use by Aramis of cookies and similar technologies on our website. This notice does not apply to any domains or websites that we do not control.
This Notice is being provided to you since you, the professional client or the Eligible Counterparty whom you represent or act for, forms part of the Company’s Marketing network or has applied for or requested to be provided with our Services.
In that context, we are the controller of your personal data. We process your data in an appropriate and lawful manner, in accordance with the Data Protection Act, Chapter 586 of the laws of Malta (the “Act”) and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “Regulation” or the “GDPR”).
This Notice aims to ensure that you are fully informed on how we, Aramis, will collect and process your personal data. It informs you about the items of personal data which we will collect about you and describes how we will handle it (regardless of the way you interact with us, whether by email, phone, through an intermediary or other third party or otherwise), and in turn, also tells you about (i) our obligations in regard to processing your personal data responsibly, (ii) your data protection rights as a data subject and (iii) how the law protects you.
It is important that you read this Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data.
This Notice supplements the other notices and is not intended to override them.
If you have any questions relating to this Notice, including any requests to exercise your legal rights (which are outlined in Section 12), please contact us, by email or in writing, using the contact details set out below.
Full name of legal entity: ARAMIS CAPITAL (EUROPE) LTD (C 77471)
Email address: email@example.com
Postal address: 19/14, VINCENTI BUILDINGS, STRAIT STREET, VALLETTA, MALTA
Contact details: +356 2099 6997
Please use the words ‘Data Protection Matter’ in the subject line.
3. Some key definitions
Set out below are key definitions of certain data protection terms which appear in, and apply to, this Notice.
“data subjects” a living, identified or identifiable individual about whom we hold Personal Data (i.e. the definition does not extend to legal persons). Data Subjects may be nationals or residents of any country and have legal rights regarding their Personal Data;
“data controller” or “controller” the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. The Company is the Data Controller of all Personal Data relating to The Company’s Personnel and Personal Data used in The Company’s business for The Company’s own determined, commercial purposes (including the data relating to our customers).
“data processor” or “processor” means any entity or individual that processes data on our behalf and on our instructions (we, Aramis, being the data controller);
“legitimate interest” means our interest to conduct and manage our business affairs appropriately and responsibly, to protect the reputation of our business, and to provide our applicants and customers with the best possible service. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at the following email address: firstname.lastname@example.org;
“performance of a contract” means processing your personal data where it is necessary for the performance of a contract to which you or your respective entity (in case of professional clients/eligible counterparty) are a party, or to take steps at your request before entering into such a contract;
“personal data” means any information identifying a Data Subject or information relating to a Data Subject that The Company can identify (directly or indirectly) from that data alone or in combination with other identifiers that The Company possesses or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour. Personal Data specifically includes, but is not limited to, personal information about individuals (name, surname, address and so on) and personal information about the individuals that work at The Company’s business clients and customers (for example, directors, managers and points of contact).
“processing” means any activity that involves use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties;
“sensitive personal data” or “special categories of personal data” includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
“comply with a legal obligation” means processing your personal data where it is necessary to comply with a legal or regulatory obligation to which we are subject;
Note that personal data does not include information relating to a legal person. Information such as a company name, its company number, registered address or registered office and VAT number does not amount to personal data under applicable data protection legislation, including the GDPR.
Consequently, the collection, use and processing of information relating to a legal person does not give rise to ‘controller obligations’ at law. We will still naturally treat any and all such information in a confidential manner, in accordance with our standard applicant and customer practices and obligations at law.
4. The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Where you are an applicant or client, we may collect, use, store and disclose different kinds of personal data about you, which we have grouped together as follows:
Identity Data: includes your name, surname, title, address, marital status, date of birth and age, gender, nationality, identity card and/or passport number;
Contact Data: includes your personal and business contact details (both electronic and mailing), including your work and residential address, phone number and e-mail;
Compliance (KYC and AML) Data: includes copies of your passport or national identification documents, proofs of name, address or authority to act (verification), source of funds and source of wealth and assets information (including solvency), bank reference letters and certificates of good standing;
General Due Diligence Data: includes due diligence information on you collected from third-party and publicly available sources at point of application. This would primarily relate to creditworthiness and the existence of any Court orders, judicial acts or pending litigation against the prospective client;
Services Data: includes the following information: (i) records of your instructions and the services provided to or otherwise requested by you, (ii) account statements and details about payments made by you, (iii) your client history with us and generally (iv) data stemming from the performance of our contractual obligations; and
Marketing and Communications Data: includes your preferences in receiving marketing from us and our business partners and your communication preferences.
In relation to our , we generally process the following information about the individuals included in it (called recipients):
Recipient Identity Data: includes your name and surname;
Recipient Contact Data: includes your business contact details, including your work address, work phone number and work e-mail;
Recipient Organisation Data: includes the identity of your organisation and your current role or position; and
Recipient Marketing and Communications Data: includes your preferences in receiving marketing from us and our business partners and your communication preferences in relation to third party products to which we provide marketing services.
We also collect, use and share Aggregate Data such as statistical or demographic data for any purpose. Aggregate Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregate Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice.
If you fail to provide personal data
Where we need to collect personal data about you by law, or pursuant to our terms of business, and you fail to provide that data when requested, we may not be able to (i) accept you or your respective entity as a client or otherwise, or (ii) continue the business relationship (if already commenced).
We will duly inform and notify you if this is the case at the time.
Sensitive Personal Data
We will not seek to collect or otherwise process your sensitive personal data; save for instances where we receive personal data relating to your political affiliations as part of the politically-exposed-persons (PEP) and/or sanctions checks which we carry out on applicants and clients. We will only process such sensitive personal data to the extent necessary for reasons of substantial public interest, on the basis of an applicable law that is proportionate to the aim pursued and which provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
There may be other occasions where we may need to process your sensitive personal data, namely where:
the processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by applicable law or regulation;
the processing is necessary for the establishment, exercise or defence of legal rights.
We will only process information about your criminal convictions and offences (actual or alleged) in exceptional circumstances, and only to the extent required and permitted by applicable law.
This does not apply to those individuals who are only part of our marketing network, and we do not collect or process any such sensitive personal information about them.
5. How is Your Personal Data Collected?
The personal data that we process about you, as listed above, is collected and generated from a variety of sources, in accordance with applicable laws and regulations, as follows:
i) when you provide us with your personal data, including through direct interactions or in an application form, declaration form, questionnaire or in other documents that we may (from time to time) require you to complete and submit to us (as part of our application process or at other times), by email, meetings, phone or otherwise;
ii) when you submit the Compliance (KYC and AML) Data which we request due to our legal obligations;
iii) in the course of managing and administering our relationship with you. This might include the history of our service provision to you, changes to the information provided as part of the application process, and records of our interactions with you (including copies of communications exchanged between you and us);
iv) we also receive General Due Diligence Data about you from third parties, such as your advisors and from publicly available sources such as public court documents, the Malta Business Registry, company house and company registers of other jurisdictions, and from electronic data searches, online KYC search tools (which may be subscription or license based), anti-fraud databases and other third-party databases, sanctions lists and general searches carried out via search engines (e.g. Google). This generally relates to information which we obtain for the purposes of our “know-your-client” procedures (which includes AML procedures, CTF procedures, politically-exposed-persons checks, sanctions checks, amongst others). We term this General Due Diligence Data.
6. How We Use Your Personal Data
We have set out below, in table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely upon to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data pursuant to more than one lawful ground or basis, depending on the specific purpose for which we are using your data.
In relation to recipients, we will use all or any of their data categories (Identity, Contact, Organisation and Marketing and Communications Data) in order to:
assess and determine what products or services we feel may be of interest to you or your organisation;
send tailored marketing communications to you about such products or services; and
update you on the performance or characteristics of those products or services.
Please contact the General Manager if you need details or wish to enquire about the specific lawful basis we are relying on to process your personal data where more than one lawful basis has been set out in the table below.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose, or we are obliged to process your data by applicable laws or court or regulatory orders.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact the General Manager at email@example.com
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without the need to obtain your consent, in compliance with the above rules, where this is required or permitted by law.
In relation to clients, you may receive marketing communications from us (which may consist of, but are not limited to, Fund Fact Sheets, Fund Presentation and subscription documents) where:
you or your respective entity have entered into a business relationship with us; and
provided you have not opted out of receiving marketing from us (see your right to object below).
We also regularly send marketing communications to those individuals included in the Marketing network (and to do so, we rely on our legitimate (business) interests and your legitimate expectations). An “unsubscribe” or “opt-out” option is however included in each marketing communication that we send, and we regularly review our mailing and marketing lists to ensure that they are current, up to date and do not include any individuals who have unsubscribed.
Where the above does not apply to you, we will only send you our marketing communications where you have expressly consented to receive them from us.
8. Disclosures of your personal data
to facilitate and administer your business relationship with us;
as part of our regular reporting activities on company performances;
to consolidate our reporting and accounting procedures;
to ensure business efficiency (all of the above being part of our legitimate interests), and/or
where necessary to achieve or further any of the purposes in Section 5 above.
In addition, we may also have to grant access to, disclose or share your personal data with the parties set out below, including your submitted applications, questionnaires and declaration forms, for the purposes in Section 5 above:
Suppliers and external agencies that we engage to process information on our or your behalf, including to provide you with the information and/or materials which you may have requested;
To any relevant party in connection with our anti-money laundering, anti-bribery, anti-fraud or ‘KYC’ requirements or policies (including third party service providers which carry out sanctions checks on our behalf);
Third-party payment processors, such as payment services providers and banks;
Our professional advisers (such as our auditors, accountants, financial advisers, Marketing Executives and legal counsel);
To regulators, government bodies and tax authorities (local and overseas) when required by applicable laws and/or regulations;
To any relevant party, claimant, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims in accordance with applicable law and regulation;
To any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences in accordance with applicable law and regulation; and
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets (successors in title). Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal data in the same way as set out in this Notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
Furthermore, we do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our documented instructions.
We may also disclose your data if we are under a duty to disclose or share your personal data to comply with any legal obligation, judgment or under an order from a court, tribunal or authority. This includes exchanging information with regulatory bodies in Malta or if applicable, overseas, public bodies including the Police and other organisations and may undertake credit or fraud searches with relevant agencies for the purposes of fraud detection and prevention.
We may also transfer your personal data to applicable governmental and regulatory authorities, agencies and other public bodies in order to comply with our legal obligations. In particular, we may transfer your personal data to the Malta Financial Services Authority (“MFSA”), the Malta Business Registry (“MBR”), the Financial Intelligence Analysis Unit (“FIAU”) as well as applicable tax authorities. We may also transfer your personal data when we are required to do so by any judicial body, court order or order issued by a police authority.
We may also disclose your data to enforce our contractual terms with you or your entity, or to protect our rights, property or safety, that of our partners or other applicants or investors. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
9. Other International Transfers
Due to the international nature of our business and service providers, your personal data may be transferred to countries outside of the EEA. Some of these countries may have been deemed by the European Commission to have the same level of protection as countries in respect of which EU data protection law applies.
For any such transfer, we will ensure that at least one of the following safeguards applies or is otherwise implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
In the absence of an adequacy decision, we will use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Please contact us at firstname.lastname@example.org if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
10. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed (safeguard its integrity and confidentiality). We also regularly review and, where practicable, improve upon these security measures.
Additionally, we have also put in place procedures to deal with any suspected personal data breach and will notify any applicable regulator of a breach where we are legally required to do so.
11. Data Retention
How long will you use my personal data for?
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm to it from unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In regard to clients, we will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, i.e. the performance and management of our business relationship with you (whilst ongoing), and
for the purpose of satisfying any legal, accounting, tax or reporting obligations to which we may be subject; and/or
to the extent that we may also need to retain your personal data in order to be able to assert, exercise or defend possible future legal claims against or otherwise involving you.
By and large though, we generally apply the following retention timeframes:
a two (2) year period for applicants whose applications are not accepted by Aramis (starting from the date when the non-acceptance of that application is communicated); and
up to a ten (10) year period for applicants whose applications are accepted by Aramis and where we enter into a relationship with you as a client or your organisation (starting from the date of expiry/termination of that relationship). This period takes into account applicable prescriptive periods and legal and regulatory obligations to retain accounting, taxation, regulatory and money laundering records for set periods (i.e., record-keeping requirements). Note, however, that not all the data will be retained for the full 10 years and some of your data will be deleted at an earlier stage (such as compliance data which, unless there are exceptional or compelling reasons, will only be kept for 5 years from when the relationship ends).
Note, however, that we may need to retain your personal data, or some of it, for longer period(s), such as in relation to threatened or commenced claims, disputes or litigation, ongoing or pending investigations, requests made by competent authorities or to abide by court orders or as dictated by the nature of the business relationship.
In the case of individuals in our Marketing network, we will generally retain your personal data for the duration of the relationship or until we receive a notification from you that you wish to unsubscribe or opt-out of receiving marketing communications from us, whichever is the earlier of the two.
In the case of an unsubscribe or opt-out, we may however need to retain some of your personal data in order to record this fact and to ensure that we suppress and prevent further marketing communications from being sent to you.
In some circumstances you can ask us to delete your data. See Request erasure below for further information.
Whenever and to the extent possible, we anonymise the data which we hold about you when it is no longer necessary to identify you from the data which we hold about you. In some circumstances, we may even anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
KINDLY CONTACT US AT email@example.com FOR FURTHER DETAILS ABOUT THE RETENTION PERIODS THAT WE APPLY.
12. Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
Request access to your personal data.
Request correction (rectification) of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
Right to withdraw consent.
If you wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org
No fee is usually charged
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may simply refuse to comply with your request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within a period of one month from the date of receiving your request. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
YOU HAVE THE RIGHT TO
i) REQUEST ACCESS
You have the right to request access to your personal data (commonly known as a “data subject access request”). This enables you to request information on whether or not your personal data is being processed by us, and to also request a copy of the information that we hold about you (to check, for instance, that we are processing it lawfully).
You may send an email to email@example.com requesting information as to the personal data which we process. Generally, you shall receive one copy free of charge via email of the personal data which is undergoing processing. Any further copies of the information processed will typically incur a charge of €10.00.
This right to access your personal data is without prejudice to the integrity and confidentiality of the personal data of other persons. You are only entitled to request access to personal data that relates to you.
ii) RIGHT TO INFORMATION
You have the right to information when we collect and process personal data about you from publicly accessible or third-party sources. When this takes place, we will inform you, within a reasonable and practicable timeframe, about the third party or publicly accessible source from whom we have collected your personal data.
iii) REQUEST CORRECTION (RECTIFICATION)
You have the right to request correction or rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected and/or updated, though we may need to verify the accuracy of the new data you provide to us. As mentioned, it is in your interest to keep informed of any changes or updates to your personal data which may occur during the course of your business relationship with .
iv) REQUEST ERASURE
You have the right to request erasure of your personal data.
This enables you to ask us to delete or remove personal information where:
there is no good reason for us continuing to process it;
you have successfully exercised your right to object to processing (see below);
we may have processed your information unlawfully; or
we are required to erase your personal data to comply with local law.
Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. These may include instances where the retention of your personal data is necessary to:
comply with a legal or regulatory obligation to which we are subject; or
establish, exercise or defend a legal claim (including policy claims).
v) OBJECT TO PROCESSING
You have the right to object to processing of your personal data where we are relying on a legitimate interest or those of a third party, and there is something about your particular situation that makes you want to object to that processing as you feel that it impacts on your fundamental rights and freedoms. Please refer to the table set out in Section 6 to understand those situations where we rely on a legitimate interest in order to process your personal data.
In such cases, we will cease processing your personal data for the ‘objected purposes’, unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms as the data subject, or unless the processing is needed for the establishment, exercise or defence of legal claims.
You also have the right to object where we are processing your personal data for direct marketing purposes (as, for instance, described under the ‘Marketing’ in Section 7 above).
vi) RESTRICTION OF PROCESSING
You have the right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
if you want us to establish the data's accuracy;
where our use of the data is unlawful but you do not want us to erase it;
where you need us to hold onto the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or
where you have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.
vii) DATA PORTABILITY
You have the right to request the transfer (data portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
viii) WITHDRAWAL OF CONSENT
You may withdraw your consent at any time where we are relying on consent to process your personal data. This will not however affect the lawfulness of any processing which we carried out before you withdrew your consent. Any processing activities that are not based on your consent will remain unaffected.
Once we have been made aware that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Kindly note that none of these data subject rights are absolute or unreservedly guaranteed, and must generally be weighed against our own legal obligations and legitimate interests. If a decision is taken to override your data subject request, you will be informed of this by our data protection team along with the reasons for our decision.
You have the right to lodge a complaint at any time to a competent supervisory authority on data protection matters, such as in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner (the “IDPC”):
We would, however, appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.
14. Changes / Updates to this Notice
This Notice may be updated from time to time.
If you have any questions regarding this Notice, or if you would like to send us your comments, please contact us using the Contact Details indicated in this Notice.