Privacy notice – Statutory obligations
Updated 24 November 2023
This privacy notice describes the processing of the personal data of the following groups:
- our employees
- our clients or their representatives
- counterparties or their representatives
- our clients’ customers
- our clients’ personnel or other contractual partners
- other persons related to the assignment.
1. What data do we process?
We can process the following data, for example:
- name (including former names) and contact information (e.g. address, telephone number, email address)
- personal identification number or date of birth
- data related to an employment or service relationship (e.g. organisation, job title)
- the duties of an insider and the reason for entry into an insider list
- management position or board membership
- copy of passport or driving licence or the identifiers of these documents
- data on holdings and affiliations
- data on transactions
- data on whether the person is currently or has previously been a politically exposed person or a family member or associate of such a person
- data on whether the person is subject to EU sanctions.
We will only process the above data to the extent required to comply with our statutory obligations.
2. Why do we process your data?
We must comply with the obligations under the following legislation:
- the Advocates Act
- the Act on Preventing Money Laundering and Terrorist Financing
- the economic sanctions provided for in EU regulations
- the EU Market Abuse Regulation (the ‘MAR’)
- the Directive on criminal sanctions for market abuse (the ‘MAD II’)
- the Limited Liability Companies Act.
Due to the legislation above, we process the personal data covered by this privacy notice for the following purposes, among other things:
- identifying persons and verifying their identity
- simplified and enhanced customer due diligence
- identification of the beneficial owners of a company
- monitoring of client relationships
- establishing the source of funds related to a client relationship
- making a risk assessment concerning money laundering and terrorist financing
- identifying, preventing, detecting and investigating money laundering and terrorist financing; bringing crime related to money laundering and terrorist financing under investigation
- approving the establishment of a client relationship
- ascertaining the powers of a client’s representative
- maintaining an insider list
- verifying and reporting sanctions
- maintaining a share register and a shareholders’ register
- organising general meetings and complying with the related obligations
- collecting and maintaining data on the board of directors of a limited liability company.
3. How do we collect your data?
We collect data from the following sources:
- you or your representative
- the association, foundation or trade register or other public registers
- the authorities and public sources, such as the internet
- monitoring tools used as part of any Know Your Client (KYC) processes.
- In order to perform client due diligence, we can use monitoring tools, such as the Refinitiv World-Check service, in the KYC process to check the backgrounds of data subjects, for example potential clients and their representatives.
4. What is the legal basis for our processing?
Our processing is based on compliance with our legal obligations.
5. How long do we store your personal data?
How long your data will be stored depends on the type of the data.
- Data processed under the Act on Preventing Money Laundering and Terrorist Financing and the economic sanctions provided for in EU regulations is stored for five years from the termination of a regular customer relationship or the completion of a transaction.
- Insider lists in accordance with the MAR and MAD II and related data are stored for five years from the most recent update of the list.
- Data processed under the Limited Liability Companies Act, such as data in the shareholders’ register, is stored for the duration of our operations. Data on the possible political exposure of any of our board members and our managing partner will be removed when the person’s mandate as a board member or the managing director ends.
6. Who processes your data?
We disclose personal data to third parties, such as the Financial Supervision Authority or other authorities, only if it is necessary for compliance with statutory obligations.