Aegon Asset Management Europe ICAV ( the Fund ) Data Protection Policy

Transcription

1 Aegon Asset Management Europe ICAV ( the Fund ) Data Protection Policy Contents Definitions.. 2 The Product... 2 Fund Board Governance... 2 Delegation of the Processing of Personal Data... 2 Data Protection Officer ( DPO ) / Data Protection Compliance Consultant ( DPCC )... 3 Principles Relating to Processing of Personal Data and Lawfulness of Processing... 3 Rights of Data Subjects... 4 Data Subject Requests... 4 Transfer of Personal Data to Third Countries... 5 Processing of Special Categories of Personal Data... 5 Data Protection Impact Assessments... 5 Reporting of Personal Data Breaches... 5 Review of the Fund s Data Protection Policy... 6 Aegon Investment Management B.V. Data Protection Policy.. 6 1

2 Definitions Personal Data: Any information relating to an identifiable natural person ('data subject'); Data Controller: Natural or legal person which determines the purposes and means of the Processing of Personal Data; Data Processor: Natural or legal person which Processes Personal Data on behalf of the Data Controller; Processing: Any operation which is performed on Personal Data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The Product The Fund is a collective investment scheme, and processes the Personal Data of: Investors/related parties Directors of the Fund Designated Persons of the Fund The Fund is a Data Controller as defined in Regulation EU 2016/679, the General Data Protection Regulation ( GDPR ), and as such must ensure that Personal Data processed by, or on behalf of, the Fund is processed in a manner which complies with the requirements and obligations prescribed by GDPR. GDPR applies to the processing of Personal Data in the context of the activities of an establishment of a Data Controller or Data Processor in the EU, regardless of whether the processing takes place in the EU or not. Fund Board Governance The board of directors (the Board ) is ultimately responsible for compliance with GDPR, and will seek assurances from Data Processors that the processing of Personal Data carried out on behalf of the Fund complies with GDPR. Delegation of the Processing of Personal Data The Fund has delegated certain activities which require the processing of personal data to the following service providers ( Data Processors ): Administrator: Citibank Europe PLC Depositary: Citi Depositary Services Ireland Limited Company Secretary: Goodbody Secretarial Limited Designated Person(s): KB Associates Investment Manager and Distributor: Aegon Investment Management B.V. Money Laundering Reporting Officer ( MLRO ): KB Associates Payroll Service Provider: Deloitte Ireland 2

3 The Fund has conducted a data inventory and a gap analysis to understand how personal data is processed by the Data Processors. The Board is satisfied that the Data Processors have implemented appropriate technical and organizational measures to ensure that processing meets the requirements of GDPR and ensures the protection of the rights of the Data Subjects. In all cases, processing is governed by a contract between the Fund and the Data Processor. Data Protection Officer ( DPO ) / Data Protection Compliance Consultant ( DPCC ) An analysis has been conducted to determine whether a Data Protection Officer must be designated pursuant to Article 37 of GDPR. A DPO must be designated where: (a) the processing is carried out by a public authority or body; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data. After considering these criteria, it has been determined that the Fund is not required to appoint a DPO. However, best practice dictates that an individual be appointed to carry out many of the duties of a DPO, principally to ensure ongoing compliance with GDPR. Alice Oliveira has been appointed to carry out the role of DPCC in respect of the Fund. Alice Oliveira is an employee of KB Associates, and is a qualified lawyer. The DPCC can be contacted by at DataProtection@KBAssociates.ie or by phone at The DPCC is responsible for ensuring that the processing of personal data is carried out in accordance with the requirements of GDPR. The DPCC has sufficient knowledge of the Fund and the requirements of GDPR to perform the role. The DPCC performs the following tasks on behalf of the Fund: Reports data breaches to the Office of the Data Protection Commissioner ( ODPC ) where required within the statutory time limit; Obtains confirmations from service providers to the Fund of their compliance with GDPR; Carries out privacy impact assessments where processing activities change and are likely to result in a high risk to the rights and freedoms of natural persons; Addresses any requests from data subjects to rectify inaccurate personal data, erase personal data, restrict processing of personal data or receive copies of personal data being held within the statutory time limit; Reports to the Board on an annual basis on the following issues: o GDPR compliance status of the Fund; o GDPR compliance status of service providers to the Fund; o Records of any data protection breaches, and whether they were reported to the ODPC (to be reported to the board at the end of the quarter in which such breaches occur); o Records of any data requests received from data subjects and information about how such requests were addressed (to be reported to the board at the end of the quarter in which such data subject requests occur). Principles Relating to Processing of Personal Data and Lawfulness of Processing 3

4 The Fund is responsible for, and is in a position to demonstrate compliance with, the principles relating to the processing of personal data as set out below. Personal data shall be: Processed lawfully, fairly, and in a transparent manner Collected for a specified, legitimate purpose Adequate, relevant, and limited to what is necessary Accurate and up to date Kept no longer than necessary Processed in a manner that ensures appropriate security Personal data processed by, or on behalf of, the Fund, is processed for the following lawful purposes: For the performance of a contract with investors, member of the Board, and service providers In order to comply with the Fund s legal obligations For the purposes of the legitimate interests pursued by the Fund (where such interests are not overridden by the interests or fundamental rights and freedoms of the data subjects) Rights of Data Subjects Data subjects will be provided with information where required under Articles 13 and 14 of GDPR at the time the personal data is obtained. The Fund will comply with its obligations under GDPR with regard to the rights of data subjects to access and obtain copies, rectify, request erasure, restriction of processing, or object to the processing of their personal data held by or on behalf of the Fund. The DPCC will act as the point of contact for any personal data access requests or complaints, and will ensure that the rights of data subjects whose personal data is being processed by or on behalf of the Fund are upheld in accordance with GDPR. Data Subject Requests Data Subjects, whose personal data is processed by, or on behalf of, the Fund may request access, rectification erasure, or restriction of processing of their Personal Data. The contact details of the Fund and the DPCC are contained in Privacy Notices, which are provided to all investors at initial subscription. Where such a request is received from a Data Subject, the DPCC will, following consultation with the Data Processors, respond to the Data Subject without undue delay, at the latest, within one month, and in accordance with articles of GDPR. In addition to the response to be provided by the DPCC, the Data Processor holding the Personal Data relevant to the request will consult with the DPCC, and will provide copies of Personal Data directly to the Data Subject where required under GDPR. Where the Data Subject has requested 4

5 rectification, erasure, or restriction of processing of Personal Data, the Data Processor will, following consultation with the DPCC, take the appropriate action, and confirm to the Data Subject directly. Where the Fund is unable to comply with the request from the Data Subject, the response will clearly set out the reasons. The Fund reserves the right to charge a fee to cover administrative costs for additional copies requested. In addition, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Fund may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request. The Fund shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Transfer of Personal Data to Third Countries Data may be transferred for lawful processing to third countries outside of the EEA. Such transfers will be made in compliance with Articles 44 to 49 of the GDPR. Where such transfers are made to countries that do not have an adequacy decision in place, appropriate safeguards such as European Commission approved standard contractual clauses will be put in place or data subject consent will be obtained prior to the transfer. Processing of Special Categories of Personal Data The processing of special categories 1 of Personal Data is prohibited under GDPR, except for in limited circumstances, which do no not apply to the Fund, and therefore the Fund will not process special categories of personal data. Data Protection Impact Assessments Given that the activities of the Fund will not change over time, it is not foreseen that the Fund will engage in any new types of processing of Personal Data, beyond that which is currently undertaken, that would necessitate a data protection impact assessment. However, should the Fund engage in any new processing activity requiring a data protection impact assessment, this will be carried out as per the requirements of article 35 of GDPR. Reporting of Personal Data Breaches The Data Processors have confirmed that they will advise the Board and DPCC without undue delay of any Personal Data breaches which affect the Fund. 1 Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data or the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person s sex life or sexual orientation. 5

6 The DPCC will report Personal Data breaches to the ODPC on behalf of the Fund when required by GDPR, and within 72 hours where feasible. Where the DPCC has been made aware of a data breach affecting the Fund, the following steps will be taken: An assessment is carried out to determine if the Personal Data breach is likely to result in a risk to the rights and freedoms of natural persons. Where the result of the assessment is that the breach is likely to result in a risk to the rights and freedoms of natural persons, the DPCC will make a report to the ODPC and will notify affected Data Subjects without undue delay, and, where feasible, within 72 hours. Where the DPCC is required to make a report, and has not done so within 72 hours of becoming aware of a data breach, the report to the ODPC, when it is made, will be accompanied by reasons for the delay. Where the DPCC s assessment has determined that the Personal Data breach is not likely to result in a risk to the rights and freedoms of natural persons, no reports or notifications are required. The DPCC will maintain a log of all Personal Data breaches, and related assessments in relation to the Fund. The log of Personal Data breaches will contain the following information: Facts relating to the Personal Data breach Effects of the Personal Data breach Remedial action taken, if any Review of the Fund s Data Protection Policy This document is subject to annual review by both the DPCC and the Board. Aegon Investment Management B.V. Data Protection Policy For access to the Aegon Investment Management B.V. Data Protection Policy, please visit the following website: 6