This document establishes the rules of conduct, as well as the rights and obligations of Mezzanine Partners d.d., Radnička cesta 39, Zagreb, related to the protection of personal data of clients that Mezzanine Partners d.d. processes for the purpose of providing management services for alternative investment funds with a private offer (AIF) and the rights and obligations of natural persons whose personal data is processed, all in accordance with the provisions of the General Regulation on the Protection of Personal Data.
Certain terms used in this document have the following meanings:
"Company" is Mezzanine Partners d.d., Radnička cesta 39, Zagreb
Tel: 01 282 0616;
INFO e-mail: firstname.lastname@example.org;
INFO web: https://mezz-partners.hr/
"Controller" is the Company in relation to the personal data it processes.
"Processor" is a natural or legal person who processes personal data on behalf of the Company, based on the concluded contract.
"Personal data" is any data relating to an individual whose identity has been determined or can be determined, directly or indirectly, in particular by means of data such as name, personal identification number (OIB), other identification number, location data, network identifier or with the help of one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
"Processing" is any procedure or set of procedures performed on personal data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination, or by making it available in another way, matching or combining, limiting, erasing or destroying.
"GDPR" (engl. General Data Protection Regulation) is the General Regulation on the protection of personal data, the full name of which is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC.
"Respondent" is a natural person whose personal data the Company processes on the basis of one or more legal grounds prescribed by the GDPR. The respondent can be a person who joined the AIF, then a person who requested the conclusion of an investment contract in the AIF, his/her legal representative, guardian or proxy, a person whose personal data is processed as part of the consideration and implementation of Alf's investments, as well as a person who has given consent for data processing (further: Client), but can also be a person who is not a client, such as the person who visited the Company's business premises.
"Consent" is any voluntary, special, informed and unequivocal expression of the Respondent's desire by which he consents to the processing of personal data relating to him by means of a statement or clear affirmative actions.
"Anonymization" is a type of personal data processing that includes appropriate procedures that prevent the identification and/or linking of personal data and/or records in personal data bases with the identity of the Client or another respondent whose personal data is being processed. Anonymization can be carried out, for example, by deleting data or permanently changing data.
3. PERSONAL DATA PROCESSING
Categories of personal data
The Company collects and processes the following categories of Clients' personal data:
1. Basic personal data such as: first and last name, residential address, OIB, tax identification number of other tax jurisdictions, date, place and country of birth, citizenship, number and issuer of identification document;
2. Socio-demographic factors such as: type of employment/activity, average monthly income, other sources of income, experience in trading with financial instruments;
3. Data on the Client's business relationship with the Company, for example: category and name of the AIF, date of establishment and termination of the business relationship, data on payments and disbursements, data on the state of investments;
4. Financial identification information, such as transaction account number;
5. Contact information: phone number and type (landline, mobile), e-mail address, correspondence address, method of reporting;)
The complete list of personal data of Clients processed by the Company is attached to these Rules.
Purpose and legal basis of processing
Companies collect and process personal data in order to achieve certain purposes. The purposes of processing together with the legal bases and processing procedures for each purpose of processing are described in more detail below in this document.
Personal data of the Client are processed for the following purposes and based on one or more of the following legal bases:
a. Compliance with the Company's legal obligations
The Company is registered for the performance of AIF management activities, which is governed by laws and by-laws, which legally bind the Company. The company processes personal data in order to fulfill legal obligations based on a series of regulations of the Republic of Croatia and European Union law. On the basis of the Law on alternative investment funds and related regulations, the Company maintains a register of shares and processes the Client's personal data for each AIF fund it manages. The Law on Prevention of Money Laundering and Financing of Terrorism and its implementing acts, as well as the Law on International Restrictive Measures and European Union Decisions on the Application of International Restrictive Measures and their Justice Regulations, prescribe measures for in-depth analysis of the Client and other legal obligations of the Company.
Pursuant to the Agreement between the Government of the Republic of Croatia and the Government of the United States of America in order to improve the execution of tax obligations at the international level and the implementation of FATCA and the Law on Administrative Cooperation in the Field of Taxes, the Company is obliged to collect information on financial accounts and information on accounts that are reported the tax authorities of the USA, the tax authorities of the member states of the European Union and other jurisdictions outside the European Union, in order to deliver them to the Ministry of Finance - the Tax Administration, which exchanges them with the competent authorities of other countries, including the tax authorities of the USA. The Law on Income Tax stipulates the obligation of the Company to keep tax records in certain situations on determined income from capital and the calculation of tax on income from capital based on capital gains and other legal obligations of the Company.
b. Conclusion of a contract and/or execution of a contract in which the Client is a party or its legal representative, guardian or proxy
A contract must be concluded for the provision of any financial service. In order for this to be possible, the Client is obliged to provide the Company with his personal data, and in some cases also the personal data of other persons (e.g. proxy, etc.). By submitting a proper request for the issuance of shares in the AIF fund, and after payment to the fund's account, that is, by entering the Client in the register of shares in all other cases of acquisition of shares, the Client enters into an investment contract with the Company. In order for this to be possible, the Client is obliged to provide the Company with his personal data (or this data is provided by the Client's legal representative/guardian).
Also, when the Client decides to purchase shares or transfer shares to another person, the Company collects and processes personal data necessary for the execution of the contract, i.e. redemption of shares, iii transfer of shares.
When data is collected for the purpose of concluding or executing the contracts described above, it is necessary, in addition to personal data, to provide the Company with documents supporting the provided personal data (e.g. identity card), and documents and data proving facts relevant to the conclusion and/or execution of a certain contract (e.g. payment account information).
The Company has a legal obligation to establish the identity of each Client with whom it establishes a business relationship, and for this purpose, the Client is obliged to present documents proving the identity, and the Company is obliged to keep and store copies of identification documents on paper or in digital form.
If the Client does not provide all the data processed for this purpose or the corresponding documents, the Company will not be able to conclude the contract.
c. Realization of the Company's legitimate interests
The Company's legitimate interest is also the fulfillment of prescribed physical protection and security requirements, which is achieved by recording the personal data of persons visiting the Company's business premises.
As a rule, personal data is collected directly from the Client / Respondent (e.g. for the purpose of concluding a contract). However, the Company may obtain personal data from other natural or legal persons. For example, the personal data of a minor Client is provided to the Company by his legal representative. Then, the personal data of the proxy can be given to the Company by the proxy through a written power of attorney. Also, the Company may receive the Client's personal data from another Data Controller (e.g. in the process of transfer of fund management tasks or fund status change). When it receives the Client's personal data from other persons, the Company will apply the same rules to the processing of such obtained personal data as to the processing of data received from the Client.
Transfer of data to third parties
The Company will not disclose the personal data of the Client / Respondent to third parties, except in the following cases:
1. if he receives the consent of the Client / Respondent,
2. when it is obliged to do so by legal regulations,
3. in the cases described in these Rules.
In accordance with the provisions of the Alternative Investment Funds Act, the Company may communicate the Client's personal data to the depository of AIFs. Also, in accordance with the provisions of the Law on Alternative Investment Funds and the Law on the Capital Market, the Company may communicate the Client's personal data to a person who proves a legal interest, to judicial and administrative bodies and other persons based on requests and within the framework of authorization in accordance with the provisions of a special law.
Also, the Company will disclose personal data to processors with whom it has concluded or will conclude contracts that include the processing of personal data. These can be contracts for the purpose of calculating compensation, or contracts by which the Company entrusts part of its activities to third parties, e.g. contract on the provision of IT services, contracts on printing and sending notices for Clients, contracts on storage of business documents, contracts on physical and technical protection services, etc. The Company will enter into such contracts with processors who sufficiently guarantee the implementation of appropriate measures in such a way that the processing complies with the GDPR and fully ensures the protection of the rights of the Client and other respondents.
The company will also submit personal data to competent authorities in accordance with legal regulations (e.g. to the Croatian Financial Services Supervision Agency, the Tax Administration, courts and notaries public as court commissioners, the Office for the Prevention of Money Laundering, the Financial Agency, etc.).
In any case when forwarding data, the Company will require the recipients to act in accordance with the applicable legal obligations for the protection of personal data.
The Company maintains the Client's personal data in an electronic database (Database), in which personal data is processed (recorded, stored, found, changed, deleted, adapted, forwarded, etc.). Documents on the aforementioned business relationships (e.g. requests for the issuance of shares, request for the purchase of shares, etc.) and documents on registration data required for the establishment and management of a business relationship (e.g. copies of identification documents, power of attorney, public documents, decisions of competent authorities and s1.) on paper are stored in the Company's archives, and at the same time in digital form (data backup).
Data storage period
Data of Clients and Respondents are stored for the duration of business cooperation with the Company, i.e. for the time that there is consent for the processing of personal data, and for the time for which the Company is legally obliged to keep certain data. If the Client has requested a service and the contract has not been concluded, his personal data is stored for a period of 6 months from the date of receipt of the request, which refers both to the data in the software system in which the Client's request was processed and to the documents submitted for the purpose of realizing this demands.
Data collected on the basis of consent are stored until the moment when the Company receives a written revocation of the Client's consent to process his data for the stated purposes, unless the Client's data is also processed on the basis of another legal basis, in which case it is stored for the period determined for that basis, but are no longer used for the purposes for which the consent was revoked.
Evidence of the given consent (signed consent in electronic form or on paper or another permanent medium, i.e. consent given on the Company's website) is stored until the end of the deadline for data storage on one of the aforementioned grounds. After the expiration of the aforementioned deadlines:
1. personal data in the database and program systems are anonymized,
2. stored documents on business relations, i.e. evidence of consents given in physical form, are removed from the archive and destroyed, i.e. if the nature of those documents or regulations require it, they are returned to the Client, and documents and personal data in digital form are deleted.
Rights of Clients and Respondents
In this chapter, any reference to the Client includes the Respondent.
Access to personal data
The client has the right to ask the Company for information on whether his personal data is being processed. If his personal data is processed, the Company will, upon his request, provide the Client with a confirmation of this, which will contain all the Client's personal data being processed (further: a copy of the data) and, if he requests additional information about the purpose of processing, categories of data, recipients to which the data was or will be transferred, the expected storage period, the right to correction or deletion or limitation of processing or the right to object, to submit a complaint to the supervisory authority, about the source of the data if they were not collected from the Client, automated decision-making (including profiling) with basic data on profiling, refer to these Rules.
A copy of the data is delivered to the Client free of charge, in accordance with his request, in electronic form on a permanent medium (e-mail or data storage medium) or on paper at the Company's headquarters.
The client has the right to request from the Company the correction of any of his personal data that he considers to be incorrect. The company will carry out the requested correction immediately after receiving the Client's request, supported by the original of the appropriate document proving such a request, a copy of which is authorized to be kept in paper and/or digital form. To the greatest extent possible, the company tries to maintain the accuracy of the personal data it processes.
The client can ask the Company to delete his personal data. At the request of the Client, the Company will anonymize his data in the Database and/or other electronic database if the deadlines for their storage have passed, and if the Company has not previously anonymized this data in the regular procedure. If it concerns personal data collected based on the Client's consent, the Client's request to delete his personal data will be considered a withdrawal of all consent, and the Company will anonymize his data in the Database, unless there is another legal basis for their further storage.
Restriction of processing
The client has the right to ask the Company to restrict processing in the following cases:
1. when he disputes the accuracy of the data, until the Company verifies his objection; 2. if it is proven that the processing was illegal, but the Client requests restriction of the processing instead of deletion;
3. if the Company no longer needs the Client's personal data for the intended purposes and they have not already been anonymized, but the Client needs them in order to fulfill his requests; 4. if the Client has filed an objection to data processing based on legitimate interest, until the Company confirms that the legitimate reasons of the Company exceed those of the Respondent.
The client has the right to receive his personal data from the Company, in order to store and/or further use them for his personal needs. The client also has the right to transfer his personal data to another data controller. In both cases, the Company will, based on the written request of the Client, his personal data in a structured and machine-readable format:
1. deliver to the Client for personal needs iii for transfer to another Manager, iii 2. transfer directly to another processing manager, if the Client expressly requests it, and in both cases, only if such a transfer is technically feasible.
The subject of transfer can only be the Client's personal data, which are automatically processed in the Database. In the described cases, after the transfer of data to the Client or another processor, the Company is not responsible for the processing of personal data carried out by the Client or another processor, as well as for the compliance of the other processor with the GDPR.
The Company may refuse the Client's request for data transfer if such transfer would negatively affect the rights and obligations of other Clients.
The client can at any time submit an objection to the processing of his data on the basis of a legitimate interest, if he considers that his rights or freedoms are threatened by such processing to such an extent that, despite the limited processing and security measures applied to the processing of personal data, they exceed the legitimate interests of the Company due to whose data is processed.
Complaint to the supervisory authority
Any Client who believes that the Company violates the provisions of the GDPR by processing personal data, may file a complaint with the Personal Data Protection Agency.
The Company undertakes, applies and maintains all necessary organizational and technical measures to protect the security of Clients' personal data from accidental, unauthorized or illegal access, disclosure, modification, loss or destruction, as well as from all illegal forms of processing. The company ensures that personal data can be accessed only by employees whose access to data is necessary for the performance of the duties of the workplace and only to the extent necessary. The company regularly informs and educates employees about security procedures, their roles, restrictions on data access, as well as the possible consequences of violating security rules and procedures. The company will regularly check once a year whether the conditions for anonymization or deletion of personal data have been met, and anonymize those personal data for which the storage period has expired.
5. FINAL ORDERS
These Rules have the meaning of information that the Company, as a data controller, is obliged to provide to the Respondent/Client when it collects personal data from him, as well as in the event that personal data is not obtained from the Respondent/Client, and by publishing these Rules on the official website, the Company has fulfilled the obligation informing the Client or Respondent in the sense of Art. 13. i 14. GDPR.