Terms and conditions of processing personal data
1.1. The purpose of these terms and conditions of processing personal data (hereinafter referred to as the terms and conditions) is to describe how AS Redgate Capital and Redgate Advisory Services OÜ process the personal data of their clients and other persons.
1.2. AS Redgate Capital and Redgate Advisory Services OÜ are fully committed to the confidentiality and protection of client data and ensure that client data are processed in accordance with the law.
1.3. The controller of the personal data of the clients of AS Redgate Capital and natural persons related thereto as well as any other persons who have requested financial information from the company is AS Redgate Capital, registry code 11532616, legal address Pärnu mnt 10, 10148 Tallinn, e-mail address firstname.lastname@example.org (hereinafter referred to as Redgate Capital or the Controller).
1.4. The controller of the personal data of the clients of Redgate Advisory Services OÜ and natural persons related thereto is Redgate Advisory Services OÜ, registry code 14043303, legal address Pärnu mnt 10, 10148 Tallinn, e-mail address email@example.com (hereinafter referred to as RGAS or the Controller).
1.5. For the purposes of these terms and conditions, a data subject means a natural person who uses or has expressed their wish to start using the services of the Controller or to obtain information about the services (hereinafter referred to as the Data Subject).
BASIS OF PROCESSING PERSONAL DATA
2.1. The basis of processing the personal data of the Data Subjects is as follows:
2.1.1. Consent of Data Subject: The Controller processes personal data with the consent of the Data Subject only to the extent and for the purposes to which the Data Subject has consented. The Data Subject gives their consent voluntarily. The Controller processes personal data with the consent of the Data Subject for the following purposes:
– transmission of enquiries;
– direct marketing;
– assessment of the suitability of the investments of the Data Subject;
– assessment of investor profiles.
2.1.2. Entry into contract and performance and enforcement thereof for the following purposes:
– identification of the Data Subject or their representative;
– drawing up of, entry into and management of contracts and other documentation related thereto;
– drawing up and transmission of invoices for and to the Data Subject;
– management of invoices and collection of debts.
2.1.3. Performance of legal obligations provided by law for the following purposes:
– implementation of the due diligence measures set out in the Money Laundering and Terrorist Financing Prevention Act;
– fulfilment of the requirements set out in the Securities Market Act (SMA) and thus the retention by the Controller of the following data:
– data collected in the provision of investment services and required to be registered and retained by the SMA and legislation established on the basis thereof and by Commission Regulation 1287/2006/EC, as specified in clause 85 (1) 10) of the SMA;
– documents which set out the rights and obligations of the investment firm and client under a contract for provision of investment services or ancillary services, or the terms and conditions on which the investment firm provides the services to the client, retained for at least the duration of the contractual relationship or other legal relationship related to the provision of investment services or ancillary services with the client, as specified in subsection 875 (13) of the SMA;
– records of services provided, transactions entered into and communication between the client and the investment firm, as specified in § 90 of the SMA and retained by Redgate Capital. Redgate Capital records and retains, pursuant to the procedure provided in § 90 of the SMA, telephone conversations and electronic communication for the purpose of, as a minimum, entry into transactions concerning the reception and transmission of orders related to a security, including if the telephone conversations or electronic communication do not result in entry into such transactions or in the provision of services, as specified in § 901 of the SMA.
CATEGORIES OF DATA BEING PROCESSED
3.1. For the purposes set out in clauses 2.1.1-2.1.3, the Controller may process the following categories of data:
3.1.1. data required for the identification of a person, including name, personal identification code, date of birth and the number and period of validity of the identity document;
3.1.2. data required for the assessment of the suitability of investments, including the amount and source of income, existing obligations and information on experience and knowledge of securities;
3.1.3. contact details required for communication, including residential address, telephone number and e-mail address;
3.1.4. data required for entry into a contract or transaction, including account number and payment date;
3.1.5. data required for the drawing up of a client or investor profile, including profession, education, general data on the assets, obligations and investment-related knowledge, experience and expertise of a person as well as national background if the person has transmitted such data to the Controller;
3.1.6. data on the source of the assets of the client or investor (e.g. data on the employer, parties to a transaction, business activities and actual beneficiaries), which is used for the assessment of the trustworthiness of the client, for the prevention of money laundering and terrorist financing and for the performance of the obligations (incl. collection of data, exchange of information and transmission of data to investigative
bodies, notaries and tax authorities) provided by international and national law and international treaties entered into and ratified by the Republic of Estonia;
3.1.7. other data obtained during pre-contractual negotiations and/or performance of the contract entered into between the Data Subject and the Controller.
RECORDING AND RETENTION OF PERSONAL DATA
4.1. The Controller retains personal data for as long as necessary for the purposes of processing, but no longer than the limitation period required by law.
4.2. The Controller retains personal data collected and processed for the purposes of entry into a contract and the performance and enforcement thereof for eight years following the termination of a business relationship with the Data Subject or at least eight years following the performance of the obligation to report to the Financial Intelligence Unit, where applicable.
4.3. The Controller retains personal data collected and processed with the consent of the Data Subject during the period of validity of the consent and for at least three years following withdrawal of the consent.
4.4. The Controller retains personal data collected and processed for the performance of the legal obligations provided by law for 10 years following the termination of a business relationship with the Data Subject or at least eight years following the performance of the obligation to report to the Financial Intelligence Unit, where applicable.
4.5. If the Controller wishes to retain personal data for longer than is necessary for the purposes of the collection of data, the Controller anonymises the personal data in such a way that the Data Subject can no longer be identified.
4.6. After the retention period has ended, all of the documents containing personal data are erased or destroyed or anonymised in such a way that the Data Subject can no longer be identified. Documents that are not automatically erased, destroyed or anonymised are erased, destroyed or anonymised manually by the Controller immediately after the retention period has ended, and in any event within three months of 1 January of the year following the end of the retention period. The Controller does not notify the Data Subject of the erasure, destruction or anonymisation of their personal data nor ask them for permission to erase or destroy their personal data after the retention period has ended.
4.7. Certain personal data retained in computer files may be available in data back-up systems for a certain amount of time after the retention period has ended until the files have been overwritten in the data back-up systems. Typically, the files in data back-up systems are not immediately overwritten, in order to reserve sufficient time for restoring data for as long as necessary.
4. Transmission of personal data to third parties
4.1. The Controller may authorise other persons or institutions to process the personal data of the Data Subject (hereinafter referred to as the Processor), provided that the Controller has entered into a contract with the Processor according to which the Processor undertakes to maintain the confidentiality of the personal data being processed and to ensure the performance of the obligations of the Processor as provided by law.
4.2. The Controller only uses Processors who provide sufficient guarantees that they implement appropriate technical and organisational measures in such a way that processing complies with existing requirements, and thereby ensures the protection of the rights of the Data Subject. 4.3. For the purposes of processing personal data, the Controller makes enquiries and obtains the necessary information from data sources. 4.4. The Controller has the right to transmit personal data to the following third parties:
– companies belonging to the same group as the Controller;
– business partners of the Controller with whom the Data Subject has entered into a legal relationship;
– advocates and other advisors, including providers of accounting services and auditors, involved in the activities of the Controller;
– IT partners of the Controller to the extent necessary for the management of the IT system of the Controller;
– state authorities and the courts on the basis provided by law for the protection of their legal interests.
4.5. The Controller does not transmit any personal data concerning the Data Subject to any third parties not specified in the consent, unless such a right or obligation arises from law. Additionally, the Controller must ensure that all of the clauses of the cooperation contract require compliance with the General Data Protection Regulation and that the third party does in fact comply with the signed terms and conditions. 4.6. To process personal data for the purposes set out in the terms and conditions, the Controller transmits personal data only within the European Union (EU)/European Economic Area (EEA). Data may be transmitted outside of the EU/EEA with the consent of the client or on another legal basis, provided that appropriate protective measures are implemented.
PROTECTION OF RIGHTS OF DATA SUBJECT, AMENDMENT AND ENTRY INTO FORCE OF TERMS AND CONDITIONS
5.1. The Data Subject has all of the rights pertaining to their personal data provided by law. The Data Subject has the right, among other things, to obtain their personal data from the Controller, request the rectification of inaccurate personal data, object to the processing of personal data, apply for the erasure of personal data and restrict the processing of personal data. Additionally, the Data Subject has the right to lodge a complaint with both the Controller and the Estonian Data Protection Inspectorate if they feel that the processing of their personal data infringes their rights provided by applicable law. The website of the Estonian Data Protection Inspectorate is www.aki.ee.
5.2. The Data Subject must submit all requests concerning their personal data to the Controller in writing and either sign them at the office of the Controller and provide proof of their identity by means of an identity document or send an electronically signed request to the e-mail address of the Controller. The Controller reviews the request within five working days, unless there is a valid reason for the implementation of a longer term.
5.3. The Controller has the right to unilaterally amend the terms and conditions of processing personal data pursuant to the Personal Data Protection Act. The Controller notifies the clients of the amendments in advance on their website at www.redgatecapital.eu or by other means (e.g. e-mail) at least 30 days before the amendments enter into force.