1. CATEGORIES OF PERSONAL DATA AND SOURCE OF DATA
By way of example, your personal data, contact details and banking details (e.g. IBAN) are among the Personal Data processed by SGR. In order to be able to identify and manage conflicts of interest related to the activity of the management of mutual funds, in several cases, the personal data of third parties specifically indicated by you may also be processed, such as, for example, the personal data of the persons that operate within SGR that you may be related to (therein including an indication of the degree of family relationship) and/or the name of the company with which you may have close ties or in which you hold important offices, as well as the personal data of the legal representative/proxy of the aforesaid company (therein including the indication of the degree of the relationship/office held).
2. PURPOSES OF THE PROCESSING
Personal data may be processed by SGR for the following purposes:
a. The establishment and performance of the contractual relationship;
b. The response to requests for information sent by you;
c. The performance of administrative, accounting, tax and financial activities;
d. If necessary, the enforcement and/or defence of SGR’s rights in civil, criminal and/or administrative disputes;
e. The performance of the obligations specifically provided for in the internal procedures adopted by SGR on the subject of the identification and management of conflicts of interest related to the management of mutual funds;
f. The fulfilment of obligations provided for by laws, regulations or Community legislation or provisions of the Supervisory Authority, on the subject of conflicts of interest.
The legal basis of the processing consists of:
1. For the purposes stated in a) and b) above, the performance of the contract to which you are party or the performance of pre-contractual measures;
2. For the purposes of d) and e) above, the legitimate interest of the Data Controller;
3. For the purposes stated in c) and f) above, the fulfilment of legal obligations.
The provision of the data is not mandatory, but any refusal to provide your data will make it impossible for SGR to pursue the purposes stated above.
3. PROCESSING METHODS
Personal data may be processed using manual tools, as well as with the assistance of electronic and computerised means and will be processed pursuing the logics strictly connected to the purposes referred to in point 3 above, with the intention of ensuring the security and confidentiality of the personal data. In any event, similar protection will be ensured if innovative tools leading to remote contact with clients are implemented.
In the event of electronic and non-electronic processing and processing with the use of management and storage systems with state-of-the-art hardware and software, SGR may make use of third-party service companies that will be made aware of their responsibilities with the notification of the requirement to appoint a Data Processor under art.28 of the GDPR.
4. STORAGE PERIOD OF PERSONAL DATA
The personal data collected by SGR will be processed for the entire duration of the existing contractual relationship and, subsequently, for the period envisaged by the laws in force.
In the event of conflict, the Data will be stored for the entire duration of the dispute and until the time limits for the remedy of any appeals have expired.
5. CATEGORIES OF PARTIES TO WHOM THE DATA MAY BE COMMUNICATED
In the performance of its activities the Company makes use of third parties, to whom control and/or corporate functions have been outsourced or that offer consultancy services to the Company. In particular, the following functions have been entrusted to third parties: “Company information systems”, “Administrative and accounting services” and the “Internal Audit”.
For the pursuit of the purposes described in paragraph 2, SGR is required to communicate your personal data to third parties belonging to the following categories of parties:
• Supervisory Authorities and Bodies, Judicial Authorities and in general public or private parties with important public functions (e.g. Banca d’Italia, CONSOB);
• Parties that provide banking and financial services;
• Parties that perform technical or organisational tasks, on behalf of SGR, such as, for example, third parties, to whom control and/or corporate functions have been outsourced or that offer consultancy services to the Company;
• External professionals used by SGR for assistance and consultancy.
The parties belonging to the categories to whom the data may be communicated will process and use the data, depending on the circumstances, as the Data Processors expressly nominated by the Data Controller in accordance with the laws in force, or as autonomous Data Processors.
The list of designated Data Processors is constantly updated and is available at the registered office of SGR.
6. TRANSFER OF PERSONAL DATA OUTSIDE THE EU
Personal data may be transferred to countries outside the EU, in particular in the case of services that are located outside the territory of the European Union (e.g. cloud storage). In this case, the Data Controller henceforth ensures that the data will be transferred outside the EU in compliance with the provisions of the applicable laws in force, for example, subject to the stipulation of standard contractual clauses adopted by the European Union.
7. CONTACT INFORMATION OF THE DATA PROTECTION OFFICER
Green Arrow Capital SGR has appointed a data protection officer, who can be contacted by the data subjects and by third parties (for example, joint owners) that have provided their personal data as potential beneficiaries of the signed agreement at the email address: privacy@gacsgr.com. The name of the data protection officer can be consulted at the registered office of the Data Controller.
8. RIGHTS OF DATA SUBJECTS
In their capacity as data subjects, subscribers can exercise the rights referred to in articles 15-22 of the GDPR and, in particular, the right:
• to request from the Data Controller access to the data, its erasure, the rectification of inaccurate data, the integration of incomplete data and the restriction of the processing of the data in the cases laid down in art.18 of the GDPR;
• to object, at any time, fully or in part, to the processing of the data necessary for the legitimate pursuit of the interest of the Data Controller;
• if the conditions exist for the exercising of the right to portability referred to in art.20 of the GDPR, to receive the data provided to the Data Controller in a structured, commonly used and machine-readable format, as well as, if technically feasible, to send it to another Data Controller without hindrance;
• to withdraw consent given at any time;
• to lodge a complaint with the competent supervisory authority.
These rights may be exercised by sending a registered letter with return receipt to Green Arrow Capital SGR S.p.A. for the kind attention of the data processor responsible for responding to the data subject, Mr. Pierpaolo Sogliani, via Mazzini 2, 20123 Milan.
10. IDENTITY AND CONTACT INFORMATION OF THE DATA CONTROLLER
The Data Controller is Green Arrow SGR S.p.A., registered in the Register of Asset Management Companies under no.28, in the Managers of Alternative Investment Funds section, with registered office in Milan, via Mazzini 2.