1. Introduction
Vault-AM places great importance on protecting your personal data. This Privacy Notice explains how Vault-AM collects, uses, shares, and otherwise processes your personal data in connection with your relationship with us as an investor, in accordance with applicable data privacy laws and regulations, including the General Data Protection Regulation 2016/679 (“GDPR”).
We process your personal data for various purposes, including managing your investments, complying with regulatory obligations, and maintaining a secure and efficient operational environment. Throughout all these processing operations, Vault-AM is committed to maintaining the confidentiality, integrity, and security of your personal data and ensuring that your rights as an investor are respected.
In this regard, Vault-AM may process your personal data either as an independent data controller or as a joint controller in collaboration with other entities.
2. Definitions
For the purposes of this Privacy Notice, the following terms are defined as follows:
Personal data: Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data subject: The individual whose personal data is being processed. For the purposes of this Privacy Notice, the data subject refers to you as an investor.
3. What are the purposes of the processing?
Vault-AM processes your personal data for a range of purposes necessary to manage your investments and comply with our legal and regulatory obligations. This notably includes:
• The management of your investment portfolio, which involves recording and updating your investment holdings, executing transactions, and providing you with statements and reports regarding your investments.
• Compliance with legal obligations, such as anti-money laundering (AML) and know-your-customer (KYC) requirements, tax reporting, and adherence to relevant European and international regulations.
• Communication regarding your investment activities, including providing updates on your portfolio and sharing any necessary information related to your relationship with Vault-AM, such as account statements, performance reports, and regulatory updates.
• Ensuring the security and integrity of our systems by monitoring and managing access, securing communication channels, and implementing fraud detection measures to protect against risks associated with our business operations.
• Conducting risk management and performance evaluation to continuously assess the risks and performance associated with your investments, ensuring that the implemented strategies align with legal and contractual obligations and protect investors' interests.
• Regulatory reporting and transparency, which involve providing regular reports to investors and regulatory authorities to meet transparency and compliance requirements as mandated by the AIFMD and other financial regulations.
With your explicit consent, we can also use your personal data for marketing and promotional activities, such as informing you about new investment opportunities, products, or services that may be of interest to you.
If any additional processing purposes arise, Vault-AM will provide you with prior notice and all relevant information before proceeding.
4. What is the legal basis for the processing?
Vault-AM processes your personal data based on the following legal grounds, ensuring compliance with GDPR requirements:
• Performance of a Contract: We process your data to fulfill our contractual obligations as your investment manager. This is necessary for the proper management of your investments and the related services.
• Compliance with Legal Obligations: Certain data processing activities are required to meet regulatory and legal obligations, such as those related to anti-money laundering, know-your-customer, and financial reporting regulations.
• Legitimate Interests: We may process your data to protect our systems, prevent fraud, and manage operational risks.
• Consent: For optional activities like marketing communications, we rely on your explicit consent, which you may withdraw at any time without affecting the processing done prior to withdrawal.
5. What personal data is collected?
Vault-AM collects categories of personal data necessary to manage your investments and comply with legal and regulatory obligations. The types of personal data collected may include:
• Identification and contact information: Name, first name, date and place of birth, nationality, national identification number, gender, postal address, email address, phone number
• Financial information: Investment portfolio details, transaction history, bank account details, tax identification number, income details
• Compliance and regulatory information: AML/KYC data, copies of identification documents (e.g., passport, identity card), proof of address, compliance records
• Professional information: Employment details, business relationships, professional history
Vault-AM collects this data directly from you during the onboarding process, as well as throughout the duration of your relationship with us. We may also collect data from third-party sources, such as financial institutions, regulatory bodies, or publicly accessible registers, where necessary to fulfill our obligations or verify your information.
6. How do we maintain the security of your personal data?
Vault-AM undertakes to implement appropriate technical and organizational measures to ensure the security of personal data. These measures are designed to protect the data against any security breaches that could result in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (referred to as a personal data breach).
When assessing the appropriate level of security, we consider the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risks posed to the data subjects.
Furthermore, our employees are bound by confidentiality obligations and are prohibited from unlawfully or unnecessarily disclosing your data.
7. Who is authorized to view or access your personal data?
Only individuals and entities with a legitimate need are authorized to access your personal data. This includes authorized employees of Vault-AM who manage your investments and ensure compliance with regulatory requirements.
Vault-AM may also share your personal data with other companies within the Vault-AM group (existing or future), whether established within or outside the European Union, to support the management of your investments and compliance with regulatory obligations.
Additionally, Vault-AM may engage external service providers, such as IT and cloud storage providers, compliance consultants, or auditors, to perform specific tasks. When this happens, strict contractual safeguards ensure these providers comply with data protection regulations.
Regulatory authorities may also receive your personal data when required to fulfill our legal obligations. In instances where Vault-AM collaborates with business partners as joint controllers for the management of your investments, we ensure that appropriate agreements are established to protect your rights.
8. How long do we retain your data?
Vault-AM retains your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal and regulatory obligations. The retention period depends on the type of data and the legal requirements applicable.
For investment management purposes, your personal data is kept for the duration of your contractual relationship with Vault-AM. Once the relationship ends, we may retain your data for a further period as required by law, particularly for tax, anti-money laundering, and financial reporting purposes. Typically, this retention period may extend up to 10 years following the termination of your relationship with Vault-AM, as mandated by financial regulations.
At the end of the applicable retention period, Vault-AM will securely delete, anonymize, or archive your personal data in accordance with legal requirements.
9. Do we transfer your data outside the European Union?
Some of your personal data may eventually be transferred to Switzerland, which is located outside the European Union, for collaboration with Swiss partners. Switzerland has been recognized by the European Commission as providing an adequate level of protection for personal data, ensuring that your rights and data remain safeguarded under GDPR standards.
If any future transfers are required to other countries outside the EU/EEA, Vault-AM will implement additional safeguards, such as standard contractual clauses, to maintain the same level of protection.
10. What are your rights regarding your personal data?
As a data subject, you have several rights concerning your personal data, including:
• Right of access: You can request access to the data concerning you at any time as well as a copy of the data.
• Right to rectification: You can request at any time that inaccurate or incomplete data be rectified.
• Right to request erasure: You can request that your data be deleted when, for example, the data is no longer necessary for the purposes for which it was collected or processed.
• Right to restriction of processing: You can request that we restrict the processing of data if, for example, you question the accuracy of the data concerning you or if you object to the processing of data concerning you.
• Right to data portability: You have the right to have your data transferred to another data controller in a structured, commonly used, and machine-readable format, if the processing is carried out by automated means and if it is based on prior consent or on a contract to which you are a party.
• Right to object to processing: You can object to the processing of your data and can withdraw your consent if the processing is based on consent, for example if the data is used for commercial prospecting purposes.
You can exercise these rights by contacting the DPO at the following address: dpo@vault-am.lu
Requests will be addressed by the DPO and responded to within 1 month, which may be extended by an additional 2 months for complex requests or a high volume of requests, from the moment your identity is confirmed. Requests will be fulfilled within the legal limits, particularly those provided by articles 15 to 23 of the GDPR.
If you are not satisfied with our response, you have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), the Luxembourg supervisory authority for data protection, or any other competent EU member state supervisory authority at any time.
11. Updates to this notice
We regularly review and update this Notice to ensure it remains accurate and relevant. Changes, modifications, additions, or deletions may be made at any time, and we will notify you of any such updates before they become effective.
Last update: 22/10/2024