GDPR : We protect your data

Transcription

1 GDPR : We protect your data Dear customer, From the 25th May 2018 the new law of Personal Data Protection (GDPR) will enter into force. At Almagest Wealth Management S.A., we understand your need to be informed about the protection of your personal data. This is why our teams are currently working on compliance with the EU General Data Protection Regulation (GDPR) in order to propose an amendment related to data handling. We invite you to read the attached statement on this topic which our Compliance off would like to share with you. We remain at your entire disposal for any additional information. Best regards, Almagest Wealth Management S.A.

2 SCHEDULE PROTECTION OF PERSONAL DATA (the Schedule ) Capitalized terms used in this Schedule shall have the meaning ascribed to them in Section 1 below or the Agreement. 1. DEFINITIONS Controller: any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data that may be performed as part of this Agreement. Co Controlled Personal Data: Personal Data which originates from the Customer and which may be shared with AWM as an independent Co Controller in the course of the provision of services. Data Protection Regulation: the personal data protection law of the country where the Controller is established. For Controller established in a Member State of the European Union (hereafter the EU Controller ), the Applicable Data Protection Law shall mean the GDPR, and all additional regulations and rules in force in the relevant Member State(s) of the European Union applicable to the Processing. Data Subject: any identified or identifiable natural person from whom Personal Data is collected. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC. Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data Breach or Breach: any suspected or actual security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed. Processing or Processed: every operation or set of operations which is performed with regard to Personal Data, including without limitation the collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combining, linking to other data, blocking, erasure or destruction of Customer Personal Data.

3 2. PROTECTION OF PERSONAL DATA 2.1 RELATIONSHIP TO THE DATA AWM and the Customer hereby agree to act as independent Co Controllers, as follows: The Customer will be responsible as Controller under applicable Data Protection Regulation and security laws for the Processing of Personal Data that the Customer discloses to AWM in connection with the Services. AWM is not responsible for the accuracy of such Personal Data, or for any privacy, data protection or security compliance pertaining to such Personal Data, up to the point that it receives it from the Customer. AWM is responsible as Controller under applicable Data Protection Regulation and security laws for the Personal Data received from the Customer or the Data Subjects who may benefit from the Services or otherwise processed in connection with the Services. 2.2 GENERAL COMPLIANCE Both Parties shall, at its own cost, comply with its obligations under the applicable Data Protection Regulation, process Personal Data only in compliance with applicable requirements, and not knowingly perform its obligations under this Schedule in such a way as to cause the other Party to breach any applicable requirement under Data Protection Regulation. 2.3 SECURITY & PERSONAL DATA INCIDENT Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons to whom the Personal Data relates, AWM will implement appropriate physical, technical and organizational measures to ensure a level of security for Personal Data appropriate to the risk. If a Personal Data Breach is detected by AWM involving Personal Data of any Data Subjects in an employeremployee relationship with the Customer, AWM will inform the Customer without undue delay thereof. AWM will provide the Customer with information available regarding the Breach and information. Should AWM be of the opinion it is required to inform the Data Subjects concerned of the Breach, AWM will inform the Customer thereof.

4 2.4 DATA SUBJECT ACCESS REQUESTS, COMMUNICATIONS & OTHER OBLIGATIONS Should one party receive a complaint or a data subject s request regarding the Processing for which the other party is responsible, it shall promptly inform the latter. 2.5 DATA QUALITY, RETRIEVAL & DESTRUCTION AWM will ensure that the Co Controlled Personal Data is accurate, relevant and limited to what is necessary and shall retain Co Controlled Personal Data for no longer than necessary. 2.6 INTERNATIONAL TRANSFERS OF PERSONAL DATA AWM will not transfer the Co Controlled Personal Data across international borders in violation of the Data Protection Regulation. In case of international transfers of Co Controlled Personal Data outside the EU/EEA, AWM will do it in compliance with one of the valid transfer mechanisms under the Data Protection Regulation: Adequacy: The Processing of Personal Data is only carried out in jurisdictions deemed to have adequate protections for personal data as defined in the Data Protection Regulation. Controller Binding Corporate Rules: the recipient of Personal Data has adopted Controller Binding Corporate Rules that cover the Co Controlled Personal Data it Processes and warrants that it will maintain its Controller Binding Corporate Rules. EU Model Contract: the parties execute the Model Clauses hereby incorporated into this Schedule and ensure that its processors and sub processors comply with the obligations of a data importer (as defined in the EU Model Contract). To the extent there is any conflict between the terms of this Schedule and the EU Model Contract, the terms of the EU Model Contract shall prevail. 2.7 SUB PROCESSING To the extent the AWM engages third parties for the Processing of the Co Controlled Personal Data, AWM agrees to do so in compliance with applicable Data Protection Regulation.

5 2.8 PERMITTED DISCLOSURES OF SHARED PERSONAL DATA On receipt of a legally binding request for disclosure of the Co Controlled Personal Data by a law enforcement authority or a state security body, AWM may disclose Co Controlled Personal Data to the extent such data is required to be disclosed by law, by any government or regulatory authority, or by a court of other authority of competent jurisdiction provided that such disclosure is not prohibited under the Data Protection Regulation. 2.9 LIABILITY Each party is responsible within the limits of its Processing of Personal data in accordance with the applicable Data Protection Regulation and security laws. 22/05/2018