top of page
Titanbay logo - White.png

Data Protection Addendum

Table of contents

1.    Definitions & interpretation
2.    Effective date and Effective terms
3.    Data Controller
4.    Personal Data
5.    Sources of Personal Data
6.    Purposes and legal bases of the data processing
7.    Data Recipients
8.    Personal Data Transfers to third countries
9.    Specific rights of Investors
10.    Personal Data Retention
11.    Applicable Law
12.    Dispute
13.    Changes to this Data Protection Addendum

1. Definitions & Interpretation

1.1    In this data protection addendum (the “Addendum”), capitalised terms not otherwise defined herein shall have the meaning ascribed to them in; (i) the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR’’); and the Partnership Materials. Where a term is defined in both the GDPR and Partnership Materials, the definition in the Partnership Materials shall prevail. Any remaining capitalised terms shall have the meaning ascribed to them below:    
    
Affiliate        
for the purposes of this Addendum, means (from time to time) an entity that owns or controls, is owned or controlled by or is under common control or ownership with any of the AIFM, the Administrative Agent, the Partnership or the General Partner where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
    
Applicable Laws    
for the purposes of this Addendum, means any law or regulation applicable to the AIFM, the Administrative Agent, the Partnership, the General Partner, their Affiliates or any Approved Sub-Processors on data protection;

 

Data Subject    
has the meaning given to it in the GDPR and, for the purposes of this Addendum, means any individual whose Personal Data is collected and processed by the General Partner as a data controller;
    
Data Subject Request    
means a request made by a Data Subject to exercise any of their rights under Data Protection Laws;
    
Data Protection Laws     
means the GDPR and any applicable law regarding the processing, privacy, and use of Personal Data, as applicable to the Partnership, the General Partner, the AIFM, the Administrative Agent and their Affiliates and/or any Approved Sub-Processor relating to the services provided to the Partnership (including but not limited to the Luxembourg law of 1st August 2018 on the organisation of the National Data Protection Commission and the general data protection framework, as amended from time to time); and

 

Supervisory Authority    
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

 

1.2    In this Addendum:
    
1.2.1    
references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be deemed to include any replacement, amendment, extension, re-enactment or consolidation of such laws, as well as any equivalent terms defined in such revised legislation, once in force and applicable;
    
1.2.2    
a reference to a law includes all subordinate or delegated legislation made under that law; and
    
1.2.3    
this Addendum shall survive termination (for any reason) or expiry of the Subscription Document.

 

2. Effective date and Effective terms

2.1    
The effective date of this Addendum shall be the date of the Subscription Document.

 

2.2    
The terms of this Addendum shall be deemed to form part of the Subscription Document.

 

2.3    
In the event of any conflict between the terms of the Subscription Document and this Addendum, the terms imposing a higher standard of protection in relation to Personal Data shall prevail.

 

2.4    
Except as modified by this Addendum, the terms of the Subscription Document shall have full force and effect.

 

3. Data Controller

 

The Partnership, acting through the General Partner, will act as data controller of your Personal Data (the “Data Controller”).

 

4. Personal Data
    
4.1    
The Data Controller collects the following categories of Personal Data:

 

  • Identification data: name, age, gender, date and place of birth, nationality, passport/ID number, identity card with photo, civil status, profession, signature.   

  • Contact data: e-mail, address, proof of address, phone number, fax number. 

  • Bank account data: IBAN and BIC codes and other bank account information.

  • Tax related data: Taxpayer identifying/identification number(s), country(ies) of tax residency, tax status and tax certificates.

  • Investors Interests related data: number of Investors Interests and any information regarding the dealing in Investors Interests (subscription, conversion, redemption and transfer as well as balance or value at year-end and total gross amount paid or credited in relation to the Investors Interests, including redemption proceeds).

  • AML/KYC related data:    income, sources of wealth and funds, power of attorney, related parties, special categories of personal data (criminal convictions and offences, political opinions).

  • Communication data: client communications via electronic or other means, telephone conversations recordings.

 

4.2    
The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Data Controller. In this event however, the Data Controller may reject their request for subscription for Investors Interests in the Partnership if the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to the subscription or holding of such Investor Interests (e.g., certain Personal Data are legally required for FATCA and CRS purposes).

4.3    
In addition, the Data Subjects should refrain from supplying additional Personal Data which are not requested by the Data Controller or any other entity acting on its behalf. Unless provided otherwise by Applicable Law, the Data Controller shall not be liable for any damage caused by the processing of such Personal Data provided by the Data Subjects without being requested by the Data Controller.

4.4    
The Data Subject may at his/her discretion refuse to communicate Personal Data to the Partnership. In this case, however, the General Partner may reject a request for Investor Interests.

 

5. Sources of Personal Data

5.1    
The Personal Data are collected from various sources, namely:

5.1.1.    directly from the Data Subject;
    5.1.2.    from third parties representing the Investor;
    5.1.3.    from third parties representing the Data Controller;
    5.1.4.    from the Data Controller’s service providers;
    5.1.5.    from public registers/platforms;
    5.1.6.    from public agencies/authorities.

 

6. Purposes and legal bases of the data processing

 

6.1    
In accordance with the provisions of the Data Protection Laws and the Applicable Laws, the Data Controller collects, records, stores and processes, by electronic or other means, the data, including Personal Data on one of the legal bases set out in article 6 of the GDPR, inter alia:

  • 6.1.1.    the Data Subject has given his/her consent to the processing of his or her Personal Data for one or more specific purposes;

  • 6.1.2.    processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

  • 6.1.3.    processing is necessary for compliance with a legal obligation to which the Data Controller is subject;

  • 6.1.4.    processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

 

6.2    
For the avoidance of doubt, where consent is given by the Data Subjects, such consent shall be construed distinctly from any consent given in the context of confidentiality and/or professional secrecy compliance obligations.

6.3    
In the case at hand, the purposes for which the Personal Data are collected and the legal bases upon which the Data Controller relies are further specified in Appendix A. Where the Data Controller’s purposes change over time or where the latter wants to use Personal Data for new purposes, the Data Controller will inform the Investor of such new processing in accordance with the Data Protection Laws. Nevertheless, where the Data Controller has collected the Personal Data based on consent or following a legal obligation, no further processing is allowed beyond what is covered by the original consent or the provisions of the law.

7. Data Recipients

7.1    
Personal Data may be transferred to other persons or entities (the “Recipients”), which, in the context of the above-mentioned purposes, refer to:

7.1.1.    
affiliated and third-party entities supporting the activities of the Partnership which include, in particular, the AIFM, the depositary, the administrator, registrar and transfer agent, investment manager (if any), investment advisor (if any), distributors, sub-distributors, their Affiliates and any other agents of the Partnership (including, without limitation, any Administrative Agent, Depositary, auditor or legal counsel);


    7.1.2.    other prospective or existing investor;
    7.1.3.    any pledgee in a pledge agreement over the Partnership’s assets;
    7.1.4.    credit institutions;
    7.1.5.    any third party that acquires, or is interested in acquiring or securitising, all or part of the Data Controller’s assets or shares, or that succeeds to it in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, financing, reorganisation or otherwise;
    7.1.6.    any other third party supporting the activities of the Data Controller;
    7.1.7.    governmental, judicial or regulatory agencies, including tax authorities, in or outside the European Union;
    7.1.8    official national and international registers.

 

7.2    
In particular, in compliance with the Foreign Tax Compliance Act (FATCA) and Common Reporting Standard (CRS), such Personal Data may be disclosed to the Luxembourg tax authorities, which in turn may act as data controller and disclose the same to foreign tax authorities.

 

7.3    
In addition, in compliance with the Luxembourg register of beneficial owners law of 13 January 2019 as amended, the Controller is also required to collect Personal Data of beneficial owners of the Partnership (i.e. any natural person(s) who ultimately own(s) or control(s) the Partnership or any natural person(s) on whose behalf a transaction or activity is being conducted) and make mandatory registrations with the Luxembourg register of beneficial owners.

 

7.4    
The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Data Controller and/or assisting the Recipients in fulfilling their own legal obligations.

 

7.5    
The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as processors (when processing the Personal Data on behalf and upon instructions of the Data Controller and/or the Recipients), or as distinct controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).

 

8. Personal Data transfers to third countries

 

8.1    
The Recipients and Sub-Recipients may be located either inside or outside the European Economic Area (the “EEA”) in countries such as the United Kingdom.

 

8.2    
In any case, where the Recipients are located in a country outside the EEA which benefits from an adequacy decision of the European Commission, the Personal Data will be transferred to the Recipients upon such adequacy decision.

 

8.3    
Where the Recipients are located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data, the Data Controller will implement the necessary safeguards, including the conclusion of the EU Commission approved standard contractual clauses in accordance with article 46 GDPR, as well as, if necessary, supplementary measures. Data Processors may transfer Personal Data to their affiliates and agents. The contract between the Data Processors and their sub-contractors shall impose on the subcontractors the same obligations as imposed on the Data Processors in their own contracts with the Partnership.

 

8.4    
In this respect, the Data Subjects have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Data Controller at the address referred to in section 9.2 below.

 

9. Specific rights of Investors

 

9.1    
In accordance with the conditions and limitations laid down by the Data Protection Laws, you are granted the following rights:

 

9.1.1    access your Personal Data;
    9.1.2     ask for your Personal Data to be rectified where it is inaccurate or incomplete;
    9.1.3    ask for a restriction of the process of your Personal Data;
    9.1.4    to object to the processing of your Personal Data (including for marketing purposes);
    9.1.5    to ask for erasure of your Personal Data if the conditions provided under the Data Protections Laws in this respect are met;
    9.1.6    to ask for data portability under certain conditions set out under the Data Protection Laws;
    9.1.7    to receive any information regarding entities to which your Personal Data is disclosed;
    9.1.8    to not be subject to automated decision making.

 

9.2    
If you (or your related individuals) have any questions or comments or want to exercise your above rights, you may contact the Partnership at its registered office or via e-mail at support@titanbay.com.

 

9.3    
You acknowledge the existence of your right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: 15, Boulevard du Jazz, L-4370 Belvaux, Grand Duchy of Luxembourg or any competent supervisory authority of your EU Member State of residence.

 

10. Personal Data Retention

10.1    
Personal Data will be retained for the duration of the agreement between the Data Controller and the Investor and thereafter a period of six years, subject to applicable legal minimum retention periods as provided by the Data Protection Laws and for such period as required by Applicable Laws.

 

10.2    
Once the Data Controller no longer requires the Personal Data for the purposes for which it was collected, it will securely destroy the Personal Data in accordance with Applicable Laws and regulations. The principal retention periods applied by the Data Controller are further specified in Appendix B.

 

11. Applicable Law

The validity, construction and performance of this Addendum and any non-contractual obligations arising out of or in connection with it are governed by and construed in accordance with the laws of the Grand Duchy of Luxembourg.

12. Dispute

Any dispute in relation to this Addendum will be resolved in accordance with the provisions of clause 13 of the Subscription Document.

13. Changes to this Data Protection Addendum

 

13.1    
The Data Controller reserves the right to update this Data Protection Addendum at any time.

13.2    
An up-to-date version will be made available to the Investors on the Titanbay platform. In case of substantial updates to the present Data Protection Addendum, investors will be notified through the Titanbay platform or other means of communication. 
 
APPENDIX A

i. Compliance with applicable legal obligations

Categories of Personal Data

  • Identification data and Investors Interests related data.    

Purpose: Maintaining the register of shareholders.

  • Identification data and Investors Interests related data.    

Purpose: Mandatory registration with registers including among others the Luxembourg register of beneficial owners.

  • Identification data, contact data, tax related data and AML/KYC related data.    

Purpose: Carrying out anti-money laundering checks and related actions considered appropriate to meet any legal obligations relating to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax fraud and evasion and the provision of financial and other services to persons who may be subject to economic or trade sanctions, on an on-going basis. - Special categories of personal data, in particular political opinions of Data Subjects having a public political exposure will be processed by the Data Controller on the basis of article 9, (2), e) and/or g) of the GDPR (i.e., respectively the personal data have manifestly been made public by the data subject and/or the personal data is necessary for reasons of substantial public interest).

  • Identification data, tax related data, Investors Interests related data and AML/KYC related data.    

Purpose: Reporting tax related information to tax authorities under Luxembourg or foreign laws and regulations (including, but not limited to, laws and regulations relating to FATCA or CRS).

ii. Necessity to execute the contract between the investor and the Data Controller or in order to take steps at the request of the data subjects prior to entering into the contract

Categories of Personal Data    

  • Identification data, contact data, bank account data and tax related data.    

Purpose: Processing subscriptions, holding redemptions and conversions of Investors Interests and payments of dividends or interests to investors (including entering into financing agreements).

  • Identification data, bank account data and Investors Interests related data.    

Purpose: Account and distribution fee administration.

iii. The legitimate interests of the Data Controller or of relevant third parties 

Categories of Personal Data
    

  • Identification data, contact data, bank account data, tax related data, Investors Interests related data, AML/KYC related data and communication data.    

Purpose: A due diligence carried out by any third party that: acquires, or is interested in acquiring or securitising, all or part of the Data Controller’s assets or Investors Interests; succeeds to the Data Controller in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, financing, reorganisation or otherwise; or intends to onboard the Data Controller as a client or a co-investor or otherwise.

 

  • Identification data and contact data.    

Purpose: Investor relationship management.

  • Identification data, contact data, bank account data, tax related data, Investors Interests related data, ALM/KYC related data and communication data.    

Purpose: Establishing, exercising, or defending legal claims and providing proof, in the event of a dispute, of a transaction or any commercial communication.

  • Identification data, contact data, bank account data, tax related data, Investors Interests related data, AML/KYC related data and communication data.    

Purpose: Complying with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority.

  • Identification data, contact data, bank account data, tax related data, Investors Interests related data, AML/KYC related data and communication data.    

Purpose: Risk management.

  • Identification data and contact data.    

Purpose: Marketing.

  • Identification data and contact data.    

Purpose: Processing Personal Data of employees or other representatives of investors which are legal persons.

  • Identification data and investors Interests related data.    

Purpose: Disclosing the list of existing investors to prospective investors in compliance with their investment policies.
 

APPENDIX B

Retention Periods

The Data Controller undertakes to ensure that necessary records and documents are adequately protected and maintained and that records that are no longer needed or are of no value are deleted or destroyed in compliance with the provisions of the GDPR.

In this respect, unless longer or shorter statutory limitation periods apply, the principal retention periods implemented by the Data Controller are specified below: 

Type of records    

  • Contracts    

Retention period: 6 years from the end of the contractual relationship to which the documents relate.

  • Business correspondence (letters, emails, faxes, etc.)    

Retention period: 6 years from the end of the accounting year in which the document was sent or received.

  • Accounting related documents    

Retention period: 6 years from the latest of either the end of the accounting year.

  • Corporate related documents    

Retention period: 5 years from the date of the closing of the liquidation of the Data Controller.

  • AML/KYC related documents    

Retention period: 6 years from the end of the contractual relationship to which the documents relate.

  • Beneficial owners related documents    

Retention period: 5 years from the radiation of the Data Controller from the Luxembourg trade and companies register.

Titanbay

Titanbay provides the infrastructure, technology and operations to simplify and scale private markets for asset managers and distributors.

  • LinkedIn

LONDON, UK

Third Floor, Elsley House, 20/30 Great Titchfield Street, W1W 8BF

DUBLIN, IRELAND

26/27 Pembroke Street Upper, Dublin, D02 F5Y6

LUXEMBOURG

12, rue des Mérovingiens,

L-8070 Bertrange,

Grand Duchy of Luxembourg

bottom of page