Data Protection Protocol
WHEREAS This Protocol is applicable in the situation where Circle processes and/ or controls personal information of which our clients are the (joint) controller. It sets, among
others, out the principle of confidentiality, the security practices and technical and organizational measures that Circle has put in place.
WHEREAS as part of the execution of the agreement between Circle and the manager, the UBO, the company or the fund (hereinafter the “Client”) Circle controls and processes personal data;
WHEREAS Circle and the Client (jointly referred to as “the Parties”) are deemed joint controllers within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the
council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “the GDPR”), the Cayman Data Protection Law, 2017 (the
“DPL”) and any other data protection laws and/or internationally recognized privacy principles (hereinafter the “Privacy Laws”). Where Circle only processes Personal Data on the instructions of the Client, Circle is deemed a
processor under the Privacy Laws.
WHEREAS under the Privacy Laws, Parties are obliged to enter into an arrangement with one another setting out their specific rights and obligations with respect to the processing or
joint controlling of personal data and to ensure that sufficient safeguard is provided in respect of the technical and organisational security measures concerning the processing to be carried out;
WHEREAS the Privacy Laws impose on the Parties the obligation to monitor compliance with these measures.
THEREFORE this Protocol forms part of any Administration agreement in place between Circle and the Client (the “Agreement”).
|Data Subject:||the person to whom personal data relates.|
|Security Incident:||an infringement of the technical or organizational security measures taken that may lead to a considerable chance of serious adverse consequences or that has serious adverse consequences for the protection of personal data.|
|Data Leak:||an incident resulting in unlawful destruction, loss, change, unauthorized disclosure of or access to personal data as a result of a security incident.|
|Personal Data:||any data regarding an identified or identifiable living person, processed by Circle.|
|Subject Transmission Request:||the request of a Data Subject to have its Personal Data transferred or transmitted to a third party controller.|
|Circle:||shall mean the relevant Circle group compan(y)/(ies) that have concluded an Agreement with the Client.|
ARTICLE 1 – DATA PROCESSING
- Circle obtains the Personal Data of Data Subjects for the purposes of:
- administrative processing of subscription applications;
- transfers and requests for redemptions of shares or participations in the Fund;
- satisfying itself as to the identity of any applicant in accordance with all applicable anti-money laundering laws and regulations and determining that such applicant is not an ineligible applicant as may be defined in the Fund’s offering documents;
- the sending of data to the tax authorities for the purpose of performing statutory duties;
- complying with any legal obligation to which either Party is subject.
- The details of the processing activities carried out on behalf of the Client by Circle (such as the subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects) are listed in Appendix I.
- The Parties agree that this Agreement formalizes a lawful transfer of Personal Data between the Parties and presents no new or additional privacy concerns. A risk assessment has been conducted in respect of the Personal Data to be shared and the necessity of the sharing; the Agreement serves to address any residual privacy or information risks and document the actions taken to identify, address and mitigate those risks wherever possible.
- The Parties shall not process Personal Data in a way that is incompatible with the purposes agreed above and in the Agreement.
- Circle takes no responsibility for obtaining consent by the Client for the purposes of sending marketing communications including newsletters or statements.
- As a Data Controller, the Client remains responsible along with Circle for ensuring that all uses of the Personal Data are in compliance with the Privacy Laws.
- Circle guarantees that the processing of Personal Data for the Fund is done with due care and only processes the Personal Data made available within the framework of the Agreement, except for deviating statutory obligations and/or with the Client’s prior permission. Circle may decide on its sole discretion on the means of processing of Personal Data and will inform the Client if any relevant changes occur.
ARTICLE 2 – RESPONSIBILTIES OF PARTIES
- Where Personal Data relating to a Data Subject is collected either from the Data Subject, the Client or a third party, Circle shall, at the time when Personal Data are obtained or at least within one month after that time, provide the Data Subject with all of the following information:
- Circle’s company information and the contact details;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the Personal Data are intended as well as the legal basis for the processing;
- the recipients or categories of recipients of the Personal Data, if any;
- where applicable, the fact that Circle intends to transfer Personal Data to a third country or international organisation and reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- In addition to the information referred to in paragraph 1 of this article, Circle shall, at the time when Personal Data are obtained, provide the Data Subject with the following further information necessary to ensure fair and transparent processing:
- the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from Circle access to and rectification or erasure of Personal Data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability which is the right of a data subject to receive the Personal Data concerning him or her, which he or she has provided to either the Client or Circle, in a structured, commonly used and machine-readable format and have it transmitted another controller without hindrance;
- where the processing is based on consent or when it concerns specific categories of Personal Data, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as;
- whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data.
- Where Circle intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, Circle shall request approval from the Client first. After approval, Circle shall provide
the Data Subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 1 and 2 of this article.
- Paragraphs 1, 2 and 3 shall not apply where and insofar as the Data Subject already has the information.
- Both Parties shall, in respect Privacy of Personal Data, ensure that their privacy notices are clear and provide sufficient information to the Data Subjects of the Fund in order for them to understand what of their Personal
Data the Parties are sharing, the circumstances in which it will be shared, the purposes for the data sharing and the identity with whom the data is shared.
ARTICLE 3 – NON DISCLOSURE
The parties undertake not to disclose to third parties anything that comes to the notice of the parties or their employees on the business, the other party’s operations and/or the Personal Data made available, except for information that is known to and/or accessible for anyone, or if such is necessary or mandatory:
- within the framework of the implementation of the Agreement;
- under or in compliance with legislation and regulations, including any applicable regulations pursuant to the supervision of the Fund or the Client;
- under a statutory obligation to disclose to a judicial authority, government authority or supervisory agency;
- under a provisionally enforceable or final and binding court decision;
- this information is public other than by an act of one of the parties;
- with the other party’s permission obtained in writing.
Under this article, the parties are obliged to impose a duty of confidentiality on their employees and/or third parties to be called in by them.
ARTICLE 4 – SECURITY AND SUBPROCESSING
- Circle shall take and maintain appropriate technical and organisational measures, and if necessary adjust these to protect the Personal Data from destruction, loss, falsification, unauthorized dissemination or unauthorized access, or any form of unlawful processing.
- Under this article, Circle ensures that a duty to protect Personal Data shall be imposed on third parties to be engaged by it. Circle assures the Client that sub-processors have chosen with the necessary care and that the same data protection obligation as stated in this protocol and if relevant is imposed on all its sub-processors. If Circle engages another processor for carrying out specific processing activities on behalf of the Fund, the obligations that shall be imposed on that processor by way of a written contract providing sufficient guarantees to implement appropriate technical and organisational measures in such manner that the processing will meet the requirements of the PPrivacy Laws. A list of sub-processors Circle uses or intends to use is attached to this Agreement as Appendix II.
- Notwithstanding the obligations under this article, Circle may in any case engage other parties that qualify or may qualify as processor for delivering IT solutions to the organisation. Circle will obtain the written consent of the Client at least 14 days before engaging processors for any task not listed in this article. Circle will accurately inform the Client on the processors engaged by it and any changes thereof. In the case the Client has reasonable grounds to object to the use of new or more sub-processors, the Client must immediately inform Circle of this in writing within 14 days of receipt of this notification. Circle will, if the objection is not unreasonable, endeavour to make changes to the services available to the Client or to recommend a commercially reasonable change in the configuration of the Client or the use by the Client of the services to prevent the
processing of Personal Data by the new or other sub-processor objected to without unjustifiably burdening the Client. If Circle cannot make this change available within a reasonable period, which period shall not exceed sixty (60) days, the Client may terminate the affected part of the Agreement, but only in respect of those services that cannot be provided by Circle without the use of the new or other sub-processors objected to by means of written notification to Circle.
- If a sub-processor is located in a third country (as defined and or stated under the Privacy Laws), at the written request of the Client and insofar required, Circle shall enter into a model contract (in the name of the Client). In this case, the Client instructs and authorizes Circle to give sub-processors instructions on behalf of the Client and to use all rights of Client to the sub-processors on the basis of the model contract.
- Circle remains liable to the Client for compliance with the obligations of a sub-processor, in case such sub-processor does not fulfil its obligations. However, Circle is not liable for damage and claims arising from instructions from the Client to sub-processors.
- Where Circle only processes Personal Data on the instructions of the Client, Circle has the obligation to demonstrate compliance with paragraph 1 of this article and should cooperate with any reasonable audit request from the Client at 30 days notice.
ARTICLE 5 – DATA RETENTION RULES
- Circle shall not retain or process Personal Data for longer than is necessary to carry out the agreed purposes.
- Notwithstanding paragraph 1 of this article, the Parties shall continue to retain Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry.
ARTICLE 6 – SECURITY INCIDENTS AND DATA LEAKS
- Circle will implement measures and procedures aimed to detect Security Incidents and Data Leaks and to take relevant action, including recovery measures. Upon discovery, Circle shall notify the Client forthwith of Security Incidents resulting in a Data Leak.
Circle shall include information in the notification regarding:
- the nature of the infringement;
- the nature of the leaked Personal Data;
- the (alleged) cause of the infringement and the (alleged) cause of the leaked Personal Data;
- a description of the infringement found and the probable consequences of the infringement for the processing of Personal Data;
- the measures recommended to limit the negative consequences of the infringement;
- the measures Circle has taken or proposes to remedy the consequences.
- In the event of such an infringement in connection with Personal Data, Circle will assist with the obligation of the Client pursuant to the applicable Privacy Laws to inform the data subjects and the Supervisory Authorities
respectively, and to document the Personal data breach. Contact details regarding the report are recorded in the customer service system. Contacts persons are specified in Appendix I attached to this Agreement.
ARTICLE 7 – RIGHTS OF THE DATA SUBJECTS
- Data Subjects have the right to obtain information about the processing of their Personal Data or to have the information rectified, erased or blocked through a Subject Access Request. Data Subjects may also request to have their Personal Data transferred or transmitted to a third party controller through a Subject Transmission Request.
- Where the data is to be transmitted to a third party controller, this shall be done in a structured, commonly used and machine-readable format.
- Circle shall maintain a record of Subject Access Requests and Subject Transmission Requests received by Circle, the decisions made and any information that was exchanged, transmitted or transferred.
- The Parties agree that the responsibility for complying with a Subject Access Request or a Subject Transmission Request falls to Party receiving the request in respect of the Personal Data held by that Party.
- The Parties agree to provide reasonable and prompt assistance (within 5 Business Days of such a request for assistance) as is necessary to each other to enable them.
ARTICLE 8 – AUTOMATED DECISION MAKING
Circle does not carry out automated profiling and will not make any decisions based on the automated processing of Personal Data.
ARTICLE 9 – TRANSFER OF PERSONAL DATA
- Circle may transfer and provide access to Personal Data in countries within an appropriate protection level as defined under the Privacy Laws.
- Circle shall not transfer or provide access to Personal Data outside a country as referred to in article 9.1 above, except with the Client’s express written permission.
ARTICLE 10 – ACCOUNTABILITY AND OBLIGATION TO REPORT
- Following a reasonable request, Circle shall provide the Client with the necessary information on the basis of which the Client can form an opinion on Circle’s compliance.
- Where Circle qualifies as a joint controller the Parties are responsible for any applicable reporting of the relevant processing of (personal) data to the relevant data protection authority. The Parties as will cooperate in this regard until the obligations have been met.
ARTICLE 11 – LIABILITY
All liability arising from or in connection with this protocol follows and is exclusively governed by the liability provisions set out in, or otherwise applicable to, the Agreement. Therefore, and in order to calculate liability limits and/or to determine the application of other limitations of liability, any liability arising from this protocol is deemed to arise under the relevant Agreement.
ARTICLE 12 – DURATION AND TERMINATION
- This protocol shall be in force for as long as the Agreement is in force. On termination of the Agreement, the arrangement of this protocol shall end by operation of law without any further (legal) act being required.
- Early termination of this protocol or the arrangement made by it is not possible.
- Subject to a statutory provision resting with Circle, Circle shall, in the case of termination of the Agreement and when the processing of Personal Data is no longer necessary to settle the Agreement’s termination, ensure that:
- the Personal Data are returned or provided to the Client or a successive contractor designated by the Client on a suitable information carrier;
- the Personal Data are destroyed, if the Client so requests;
- after return, provision or destruction, it immediately ceases and does not resume any processing of (the relevant) Personal Data.
- Obligations under the Agreement including this protocol, which by their nature are intended to continue even after the end of the Agreement, continue to exist after the end of the Agreement.
ARTICLE 13 – MISCELLANEOUS
- In the event of conflict between the provisions in this protocol and the Agreement and/or any other agreements between the Parties, the provisions of this protocol with regard to the data protection obligations of the
Parties shall prevail. In case of doubt as to whether clauses in these other agreements relate to the data protection obligations of the Parties, the arrangements of this protocol will prevail.
- Invalidity or unenforceability of any provision in this protocol will not affect the validity or enforceability of the other provisions of this protocol. The invalid or unenforceable provision is (i) so modified so as to
guarantee its validity or enforceability and at the same time the parties’ intentions are preserved as much as possible or – in case this is not possible – (ii) explained as if the invalid or unenforceable part had never been included therein. The foregoing also applies if this protocol contains an omission.
- This protocol is exclusively governed by the applicable law of the Agreement and any dispute in respect of this Agreement or execution thereof shall be submitted to the Circle entity servicing the Client and before the competent court as defined in the Agreement.
- Any amendment to this protocol shall be published on the website of Circle, but shall not reduce or otherwise limit the rights of the Client.
Categories of Data subjects
The transmitted Personal Data concern the following categories of Data Subjects:
- The applicants;
- The investors or unit holders of the Client or individuals connected with the investor or unit holders (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents) which includes, but is not restricted to, data such name, residential address, email address, place of birth, date of birth, bank account details and details relating to your investment activity;
- individuals that represent the Client, that are advising the Client, that are in any contractual or statutory relationship with the Client, or that the Client has collected in view of its servicing towards such individuals, or are otherwise connected to such individuals.
Subject of processing
All processing activities (including the collection, organization and analysis of Personal Data) as are reasonably required to facilitate or support the provision of the services described under the Agreement.
Nature and purpose of the processing
Circle collects, processes and uses the Personal Data of the Data Subjects:
- where this is necessary for the performance of the Agreement;
- where this is necessary for compliance with a legal obligation (such as the anti-money laundering obligation to
verify the identity of our customers (and, if applicable, their beneficial owners) and other applicable
regulations, such as tax reporting regimes as FATCA and CRS; and/or
- where this is necessary for the purposes of the legitimate interests of us or a third party and such legitimate
interests are not overridden by your interests, fundamental rights or freedom.
Kind of personal data
The Personal Data collected, processed and used by Circle on behalf of the Client concern:
- names and contact information;
- general demographic information (such as gender, age, date of birth, marital status, nationality, employment
details, residence, utility bills, etc.);
- personal identification documentation and related information such as passport numbers and employee
- financial and payment data such as bank account numbers and transaction information;
- information related to the provision of the services performed under the Agreement or per the services provided
by the Client to such individuals.
- POT Verhuizingen/ Logistiek B.V.
- Avantage Cloud Solutions B.V.
- Remondis B.V.
Contact details in case of data breaches
Data Protection Officer
|Andreia Muresan||Sander van den Horst|
|Tel: +31 (0) 33 467 3880|
|Email: firstname.lastname@example.org||Email: email@example.com|