Data Protection Notice

1. Purpose of this data protection notice

Your privacy is important to us and we are committed to protecting the personal data you provide to us. 

This Data Protection Notice defines how Astorg may process, in accordance with the Applicable Laws and for the purposes defined below, personal data collected from time to time (directly or indirectly, in a compulsory or voluntary manner, manually or otherwise) from data subjects themselves and from publicly available sources, where applicable. 

Furthermore, this notice sets out how we intend to use and share personal data and how you can correct or change such information.

2. Scope

In the course of its operations and activities as an Alternative Investment Fund Manager, Astorg collects, stores and processes, by electronic or other means, whether in its capacity as manager of a Fund or for its own account, personal data of the following categories of data subjects: 

• Prospective Investors and, where such Investors are legal persons, Related Persons. 
• Investors and, where such Investors are legal persons, Related Persons.
• Former Investors, and where such former Investors are legal persons, Related Persons. 
• Natural persons acting on behalf of Portfolio Companies, as well as Related Persons. 
• Related Persons of third parties in contact with and/or contractually bound to Astorg such as advisors, service providers, suppliers, institutional partners, agents, etc. 
• Job candidates

If you are not a natural person, you shall inform any Related Persons about the processing of their personal data for the applicable purposes below as well as on their related rights. You shall, where relevant or required, obtain prior consent from any Related Persons for the processing of their personal data and provide them with a copy of this Data Protection Notice. We may assume that you have complied with the undertakings mentioned in this paragraph and that any Related Persons have, to the extent required, given their consent to and have been informed of the processing of their personal data in accordance with this Data Protection Notice. 

This Data Protection Notice does not cover the processing of personal data of Astorg’s own personnel, which is subject to a separate policy.

3. Data Controller

Astorg, acting both for its own account and, where relevant, as the manager of the Funds, acts as the data controller of personal data.

4. What personal data do we process?

4.1 Investors

In relation with (former and prospective) Investors (and if the Investor is a legal person, where applicable, of any Related Person) we collect and process the following personal data: 

• Name.
• Contact details (including postal and/or e-mail address, phone number, business or Fund affiliation). 
• Banking details. 
• Invested amount. 
• Identification (passport, identity card, driver’s license). 
• Financial information related to payments. 
• FATCA/CRS status
• Agreements executed with the Fund and/or Astorg. 
• Results of name screening. 
• Any other details Investors may provide. 
• Family relationships in case of politically exposed persons. 

4.2 Portfolio Companies

In relation with natural persons acting on behalf of Portfolio Companies, as well as Related Persons we collect and process the following personal data: 

• Name. 
• Contact details (including postal and/or e-mail address, phone number, business of Fund affiliation). 
• Identification (passport, identity card, driver’s license). 
• Agreements executed with the Fund and/or Astorg, if any. 
• Any other details such persons may provide. 

4.3 Other third parties

In relation with third parties (and where such third parties are legal persons, where applicable, any Related Persons) contractually bound to Astorg (other than Investors) such as advisors, service providers, suppliers, institutional partners, agents, etc. we collect and process the following personal data: 

• Name. 
• Contact details (including postal and/or e-mail address, phone number, business affiliation). 
• Identification (passport, identity card, driver’s license). 
• Any other details such third parties may provide. 

4.4 Job candidates

In relation with Job candidates we may process the following data:

• Name.
• Contact details (including postal and/or e-mail address, phone number).
• Identification (passport, identity card, driver’s license).
• References, CV, covering letter. 
• Information about remuneration package. 
• Excerpt of criminal record.

5. For what purposes do we process personal data?

Astorg and, where applicable, the Funds will only process personal data where we have a legal basis to do so under Applicable Laws and for the legitimate interests of Astorg and, where applicable, the Funds, including where the processing is necessary for the purposes as listed below. 

The legitimate interests referred to above are: 

• The processing purposes described in this section 5;
• Meeting and complying with Astorg’s and, where applicable, the Funds’ accountability requirements and regulatory obligations globally;
• Exercising Astorg’s and, where applicable, the Funds’ business in accordance with reasonable market standards;
• Ensuring the security of the services provided by Astorg; and
• Improving and personalising Astorg’s services and personalising information addressed to data subjects. 

Considering the specific purposes for which we process your personal data, we do not anticipate obtaining your consent to do so. If we were to solely rely on consent as a legal basis to process your personal data, Astorg shall contact you in order to obtain such consent. 

We hereby inform you that in the event we would solely rely on your consent for processing of personal data, you may withdraw such consent at any time. The withdrawal of such consent shall not affect the lawfulness of the processing based on that consent prior to withdrawal. 

In the specific case of job applicants, we consider that in the event a job applicant has directly transmitted his/her personal data to us within the framework of a recruitment process consent has been granted by that job applicant. In case a job applicant’s personal data are transmitted to us through an intermediary (such as a recruitment agency), such intermediary shall be required to confirm to us that the job applicant’s consent to transfer such personal data was obtained and that the data subject has been made aware of the contents of this data privacy notice. 

5.1 Prospective Investors

Personal data of prospective Investors are processed for the following purposes: 

• Complying with applicable anti-money laundering rules and other legal obligations, such as maintaining controls in respect of CRS/FATCA obligations. 
• Complying with accounting, tax and legal obligations.
• Group risk management and risk controlling purposes. 

5.2 Investors

Personal data regarding Investors are processed for the following purposes: 

• The processing of subscriptions, transfers, capital calls and distributions to Investors, and more generally, the performance of any subscription agreement entered into with an Investor related to a Fund. 
• Maintaining the relevant Fund’s register of shareholders. 
• Processing investments and withdrawals of and payments of distributions to Investors. 
• Account administration. 
• Complying with applicable anti-money laundering rules and other legal obligations, such as maintaining controls in respect of CRS/FATCA obligations. 
• Complying with accounting, tax and legal obligations.
• Complying with any order of a competent court or a competent regulator and to provide relevant information and reporting to the relevant regulator where Astorg has a legal obligation to do so. 
• Group risk management and risk controlling purposes. 
• Making available the Investor Portal. 

5.3 Former Investors

Personal data of former Investors are processed for the following purposes: 

• Maintaining the relevant Fund’s register of shareholders. 
• Account administration. 
• Complying with applicable anti-money laundering rules and other legal obligations, such as maintaining controls in respect of CRS/FATCA obligations. 
• Complying with accounting, tax and legal obligations.
• Complying with any order of a competent court or a competent regulator and to provide relevant information and reporting to the relevant regulator where Astorg has a legal obligation to do so. 
• Group risk management and risk controlling purposes. 

5.4 Portfolio Companies

Personal data of natural persons acting on behalf of Portfolio Companies as well as Related Persons are processed for the following purposes: 

• Complying with applicable anti-money laundering rules and other legal obligations, such as maintaining controls in respect of CRS/FATCA obligations. 
• Complying with (the relevant Fund’s) accounting, tax and legal obligations.
• Group risk management and risk controlling purposes. 

5.5 Other third parties

Personal data of other third parties such as advisors, service providers, suppliers, institutional partners, agents, etc. (and where such third parties are legal persons, their Related Persons): 

• The execution of the agreement(s) entered into with such third parties. 
• Complying with applicable anti-money laundering rules and other legal obligations, such as maintaining controls in respect of CRS/FATCA obligations. 
• Complying with accounting, tax and legal obligations.
• Group risk management and risk controlling purposes. 

5.6 Job applicants

Personal data of job applicants: 

• Assessing the suitability of a job applicant within the framework of our recruitment process.

6. Categories of recipients and data transfers

6.1 Personal data relating to Investors (including prospective and former Investors) and Portfolio Companies

Astorg may share such personal data with: 

• Investment manager(s) of the Fund
• The general partner of the Fund
• The administrator of the Fund
• The depositary of the Fund
  
• The transfer agent of the Fund
• The statutory auditors of the Fund
• The professional advisors of the Fund
• Group Companies, to the extent necessary for bona fide compliance and risk management purposes
• Astorg’s professional advisors, including but not limited to legal and tax counsels, accountants, internal and external auditors, independent appraisers, notaries, banks, other financial institutions and payment services providers, technology services providers etc. 
• Governmental and regulatory agencies, including tax authorities, in or outside the European Union, in accordance with applicable laws and regulations. 
• The Astorg Investor portal made available via Intralinks.

6.2 Personal data relating to other third parties

Astorg may share such personal data with: 

• Group Companies, to the extent necessary for bona fide compliance and risk management purposes
• Astorg’s professional advisors, including but not limited to legal and tax counsels, accountants, internal and external auditors, independent appraisers, notaries, banks, other financial institutions and payment services providers, technology services providers etc. 
• Governmental and regulatory agencies, including tax authorities, in or outside the European Union, in accordance with applicable laws and regulations.

6.3 Personal data relating to job applicants

Astorg shall not share such personal data with any third parties without the consent of the data subject (other than, where applicable, any intermediary through which the personal data were made available to us including Pinpoint Software (also known as The Infuse Group), our dedicated talent acquisition platform, with the data subject’s consent or on the basis of another lawful ground).

6.4 Data processors

Where any of the recipients mentioned in this section 6 process your personal data upon the instructions of Astorg, Astorg requires such recipients to agree in writing to maintain confidentiality and security of your personal data, to provide at least the same level of protection as prescribed by the GDPR, and to only process your personal data on Astorg’s documented instructions and only for the purposes as instructed by Astorg. 

6.5 Transfers of Personal data outside of the EEA

Where Astorg transfers your personal data to Data processors outside of the EEA, Astorg shall only make such personal data transfers in accordance with the relevant provisions of the GDPR and to the extent appropriate safeguards have been put in place (including but not limited to the adoption of standard data protection clauses as approved by the EU Commission). 

6.6 Investor Portal

As part of its services to Investors, Astorg makes available an Investor Portal available via its website (www.astorg.com). This Investor Portal is an internet-based hosted platform made available by Intralinks, Inc. Astorg draws specific attention to the Legal Notices (https://www.intralinks.com/legal), the End User Agreement (https://www.intralinks.com/eula) and the Privacy and Cookies Policy (https://www.intralinks.com/privacy) of Intralinks that apply to Investors when making use of the Investor Portal.

7. Security of Personal Data

Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Astorg shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: 

• The pseudonymisation and encryption of personal data;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The ability to restore the availability and access to Personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

8. Retention period

Personal data shall not be held by Astorg for longer than necessary with regard to the purpose of the processing, without prejudice to automatic IT back-ups and Astorg’s legal and regulatory archiving and data retention obligations. 

As from the moment our business relationship comes to an end Astorg will retain your personal data in accordance with legally prescribed retention periods, unless the retention of personal data for a longer period is required for the establishment, exercise, or defence of legal claims or other compelling legitimate grounds.

9. Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. 

When visiting our website (www.astorg.com) we may collect information from you automatically through cookies or similar technology. 

We use such cookies for the purposes of measuring the number of visitors on our website and improving its functioning. Astorg uses Google Analytics. 

Astorg may read the information stored in such cookies upon your return visit to our website. 

You can set your browser not to accept cookies. However, some of our website features may not be accessible or function as a result for which Astorg shall not accept any responsibility. 

For more information, please refer to our Cookie policy available on our website.

10. Individual rights of data subjects

To the extent permitted under and within the limits of Applicable Laws, you have a right of access, rectification of incomplete or inaccurate personal data, erasure, restriction of processing, portability and objection to the processing of your personal data. 

Although Astorg shall act in good faith in its efforts to provide you with access to your personal data, there may be circumstances in which Astorg is unable to grant you access, such as: 

(i) Where the personal data are subject to legal privilege or their access would compromise other data subjects’ privacy or other legitimate rights;

(ii) Where the burden or expense of providing access to the personal data would be disproportionate to the risks to the data subject’s privacy in that specific case; or

(iii) Where such personal data are commercially proprietary. 

If Astorg processes your Personal data in order to comply with a legal obligation or for the establishment, exercise, or defence of legal claims, we may not be able to comply with your request to erase your personal data. If such an event arises, Astorg shall erase your personal data once such processing is no longer required. 

Furthermore, the above-mentioned right of portability of personal data only applies to personal data (i) that you have provided to Astorg, (ii) the processing of which is based on consent or on a contract, (iii) the processing of which is carried out by automated means, and (iv) the exercise of the portability of which does not adversely affect the rights and freedoms of others. 

Lastly, your right to object to the processing of your personal data is limited to those instances where Astorg’s legal basis for processing is based on legitimate interest. If you choose to exercise this right Astorg shall no longer process your related personal data unless Astorg demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedom. 

If and when the need arises, an Investor can update certain of his/her personal data directly via the investor portal accessible through our website (www.astorg.com). 

You may exercise your rights at any moment by contacting Astorg as outlined in section 11 of this Data Protection Notice and by specifying the right that you wish to exercise. In order to ensure the confidentiality and protection of your personal data, Astorg may ask you to identify yourself in order to reply to your request and may ask you to provide a copy of your current and valid passport or identity card.

In addition to the above-mentioned rights, you have the right to file a complaint with the competent data protection authority:

Luxembourg: 

Commission nationale pour la protection des données (CNPD), at the following address: 1, Avenue du Rock’ N’ Roll, L-4361 Esch-sur-Alzette, Grand Duchy of Luxembourg (www.cnpd.lu).

France: 

Commission Nationale de l’Informatique et des Libertés (CNIL), at the following address: 3, Place de Fontenoy – TSA 80715 – 75334 Paris CEDEX 07, France (www.cnil.fr). 

United Kingdom: 

Information Commissioner’s Officer (ICO), at the following address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom (www.ico.org.uk). 

Italy: 

Garante per la protezione dei dati personali, at the following address: Piazza Venezia 11 – 00187 Roma, Italy (https://www.garanteprivacy.it/web/guest/home_en).

Germany (Land Hessen): 

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, at the following address: Gustav-Stresemann-Ring 1, 2. Obergeschoss, 65189 Wiesbaden, Germany (https://datenschutz.hessen.de/).

11. How to contact us

For any information regarding the processing of your personal data please contact: 

Astorg Group

15, rue Edward Steichen
L-2540 Luxembourg
Grand Duchy of Luxembourg
Email: data@astorg.com