Privacy policy concerning data on investors

In this privacy policy we explain how personal data of investors, their representatives and ultimate beneficial owners (all herein “Data Subject”) is processed by Premico Pääomarahastot Oy or its respective affiliate or associated company (each herein “We” or “Premico”) providing management services to the respective fund in Premico’s operations. This privacy policy shall apply to the extent Premico processes personal data as a data controller.

Depending on the situation, Premico can also be regarded as a processor of personal data when it processes personal data of Data Subjects of funds managed by Premico. In such event, policies and instructions of the respective data controller shall apply to the processing of personal data.

1. Controller

Premico Pääomarahastot Oy or its affiliate or associated company set out in the applicable investment agreement or otherwise communicated to the Data Subject
Aleksanterinkatu 11, 00100 Helsinki, Finland

2. Contact person

Data protection matters
c/o Premico Pääomarahastot Oy
Aleksanterinkatu 11, 00100 Helsinki
info@premico.fi

3. What are the grounds for processing and what purposes do we process personal data for?

Processing of personal data described in this policy is necessary for maintaining the contractual relationship between Premico and the Data Subject. In this context, the legal basis for the processing of personal data is the contract between Premico and the Data Subject or, in the absence of such contract, legitimate interest of Premico. In addition, when We inform Data Subjects of our services, provide or maintain our services, request feedback or provide marketing material related to our services and maintain the client relationship, the processing of personal data is based on Premico’s legitimate interest or consent given by the Data Subject.

Processing of personal data in Premico’s operations is also based on Premico’s legal obligations such as accounting and tax related obligations as well as obligations related to legislation on prevention of money laundering and terrorism financing.

To the extent processing of Data Subject’s personal data is required by law or fulfilment of Premico’s contractual obligations, if the Data Subject does not provide the requested personal data, Premico may not be able to provide its services to the Data Subject (or the Data Subject’s organisation), in addition to possible other consequences caused to Premico or Data Subject (or the Data Subject’s organisation) due to non-compliance with contractual or legal obligations.

For example, We process personal data for the following purposes:

  • Fulfilling obligations based on contract, law or administrative orders and instructions (e.g. identification of Data Subjects)
  • Developing our services and business
  • Sending capital calls
  • Distributing profits
  • Client service, maintaining and improving the client relationship, communications with clients
  • Direct marketing

4. What data do we process?

We process the following data concerning Data Subjects:

  • Basic information: Name, personal ID, birth date (if no Finnish personal ID);
  • Contact details: Address, ZIP code, post office, phone number, fax, email;
  • Other data given by the Data Subject: legal form, domicile and country of establishment of the investor;
  • Bank account information: Name of the bank, SWIFT, address of the bank, account holder/beneficiary, name of the contact person, email, phone number, fax, name of the person(s) having access right to the account, date of opening the bank account;
  • Data regarding the professionalism and experience of the investor: data regarding the professional client referred to in the Act on Investment Services (747/2012) or non-professional client;
  • Political exposure: Data regarding political exposure of Data Subject or political exposure of a Data Subject’s family member or business partner;
  • Data on ultimate beneficial owners: Name, Business ID, personal ID, nationality, tax residence and tax identification number, address and country, ownership and position;
  • Data of representatives or owners of legal entities or private individuals investing directly: Name, birth date, personal ID, passport number or number of a similar ID, copy of passport;
  • Tax information: All countries of taxation and tax registration numbers;
  • Data on the origin of invested funds;
  • Data on purposes of the investment.

5. Where do we collect the data from?

As a rule, we collect personal data directly from the data subjects themselves and, for example, in connection with the investment agreement. As for the purposes of processing personal data described above, We may also collect data with the help of third party services using publicly accessible sources such as services used for identification of Data Subjects and politically exposed persons and performing obligations related to legislation on prevention of money laundering and terrorism financing.

Collecting and updating data is performed manually or by automatic means.

6. Where do we disclose and transfer personal data and do we transfer data outside of the EU or EEA?

We use subcontractors to process personal data. For example, we have outsourced our IT management to a third-party service provider, and personal data is stored in the servers managed and secured by such service provider. Premico may also disclose the above-described personal data to the affiliates and associated companies belonging from time to time to the same group of companies with Premico as well as consultants, clients and other contracting parties of such group or associated companies where the disclosure is required by contractual obligations or other applicable grounds for processing of the personal data.

In addition, to the extent necessary for the purposes of processing or required by applicable legal obligations, personal data may be disclosed to financial institutions and tax or other public authorities for purposes related to exchange of tax information and prevention of money laundering and terrorism financing.

Personal data may be transferred outside of the EU and EEA if it is necessary for the purposes or technical implementation of the processing of personal data. Transfers of personal data to clients, suppliers and other third parties will be subject to data processing agreements in accordance with the applicable law such as EU’s General Data Protection Regulation. Transfers of personal data outside of the EU and EEA require compliance with the applicable data protection law and appropriate safeguards such as standard contractual clauses based on the European Commission’s applicable decision.

Premico does not disclose personal data to other than the above-described recipients unless otherwise required by legislation.

7. How do we protect the data and how long do we store the data?

We have implemented and maintain appropriate technical and organizational measures to protect the personal data against accidental or unauthorized access, disclosure, destruction, loss, damage, manipulation and against other unlawful processing. Our data protection practices include physical measures, access management (e.g. user IDs, firewall, digital encryption technologies), logs, anti-virus software, prevention of DoS attacks and other necessary data security measures.

Personal data is processed confidentially in Premico’s operations. Access to personal data is limited to persons who need to access the personal data in order to carry out their work obligations.

We store personal data in an identifiable form only as long as is necessary for the applicable purpose of processing. When the personal data is no longer necessary for such purposes, we erase the data unless the applicable law requires us to store the data for a longer period (e.g. for accounting and reporting purposes) or unless storing the data is necessary for possible legal claims. Data related to identification of clients is stored for a period of at least five years from the end of the client relationship in accordance with the Act on Preventing Money Laundering and Terrorist Financing.

We assess the necessity of storing personal data on a regular basis considering the applicable law. In addition, we take reasonable measures to ensure that no incompatible, obsolete or incorrect personal data is stored considering the purposes of processing. We correct or erase such data without delay.

8. What rights do you have as a data subject?

As a data subject you have the right to

  • know whether we process data concerning you and, if so, access it and information on the processing of personal data as required by law;
  • require us to correct any inaccurate or incorrect data concerning you and to have incomplete personal data completed;
  • obtain the erasure of personal data concerning you in accordance with law (for example, when data is no longer needed and there is no lawful ground to store such data);
  • withdraw or amend the consent you have possibly given for the processing of personal data;
  • request restriction of processing of your personal data in accordance with law and, for example, when you wait for a response to your request regarding correction of your data;
  • object to profiling targeted at you and, in accordance with law, other processing of personal data where processing is based on the controller’s legitimate interest;
  • have your data transmitted to another system in situations regulated by the applicable law.

A data subject may also file a complaint with the competent supervisory authority if the data controller has not complied with the data protection legislation applicable to its operations. In Finland, compliance with data protection legislation is supervised by the Data Protection Ombudsman. If you want to file a complaint with the Data Protection Ombudsman regarding processing of personal data in Premico’s operations, you can contact the Data Protection Ombudsman’s office as instructed at www.tietosuoja.fi.

9. Contact information

Contacts and requests related to processing of personal data in Premico’s operations or this privacy policy shall be sent to Premico’s data protection officer described in Section 2.

10. Changes to the privacy policy

If we make changes to this privacy policy we will describe and date such changes below in this policy. If the changes are significant, we may also inform about them in other ways such as via email.