Personal Data Protection Policy – Capital Trustees

This policy applies to the Processing of Personal Data of Data Subjects by Capital Trustees on behalf of Clients of Capital Trustees whereby Capital Trustees will be acting as Processor and the Client will be acting as Controller (the Policy).

All capitalized terms will have the meanings ascribed to such terms in this Policy or as otherwise defined in the service agreement between Capital Trustees and the Client.

1.          The Client authorizes and instructs Capital Trustees or any Capital Trustees Affiliate to:

(a)        Process the Personal Data for all legitimate and relevant purposes in connection with the Services of Capital Trustees,

(b)        Process the Personal Data insofar necessary to comply with a legal obligation of the Client or Capital Trustees, including the disclosure of Personal Data to competent local authorities;

(c)        Transfer the Personal Data as necessary or relevant to any Sub-Processor, together hereinafter referred to as the Authorized Purposes.

Capital Trustees will not further Process the Personal Data in a way that is incompatible with the Authorized Purposes.

At Client’s request, Capital Trustees shall provide the Client with information as to the names and addresses of the Sub-Processors as well as the nature of the Processing activities performed by such Sub-Processors.

2.         Capital Trustees shall keep the Personal Data confidential and will instruct its staff and Sub-Processors to the same. Capital Trustees shall implement appropriate and commercially reasonable technical, physical and organizational measures and precautions to protect the Personal Data from accidental loss, misuse, unauthorized access and disclosure, alteration, or unlawful destruction, in particular where the Processing involves the transmission of Personal Data over a network, and against all other unlawful forms of Processing. Such measures shall comply with Applicable Law. The security measures are further described and specified in the document – Statement of Continuity -.

3.         Capital Trustees shall without undue delay, but within the period specified by Applicable Law, inform the Client of any loss or breach of security of the Personal Data. Capital Trustees shall at least provide the following details:

(a)        the nature of the loss or breach and

(b)        an estimation of the number of Data Subject’s involved, and, where possible, their names.

4.         The Client and each Client Affiliate involved warrant that:

(a)        the Client is entitled to provide the Personal Data to Capital Trustees or to the relevant Capital Trustees Affiliate and that the Client is authorized to engage Capital Trustees and or the Capital Trustees Affiliate(s) as Processor(s);

(b)        the Client complies and will continue to comply with all Applicable Law as well as with any other applicable obligations regarding the Processing and protection of Personal Data, including but not limited to any contractual obligations or agreements or protocols agreed with employee representatives;

(c)        the Client has informed Capital Trustees and will inform Capital Trustees of all obligations and restrictions referred to in sub-section 4 (b), which are applicable to the Personal Data and relevant to the Services, including, but not limited to, having provided Capital Trustees with the applicable privacy notice(s);

(d)        the processing of the Personal Data is lawful and does not infringe any third party rights;

(e)        no later than the Effective Date, the Client has duly informed or will duly inform the Data Subjects that their Personal Data will be Processed by Capital Trustees or – as the case may be – Capital Trustees’s Sub-Processors for the Authorized Purposes and that the Client has obtained all consents of the Data Subjects required under Applicable Law, which includes the Processing of the Personal Data by Capital Trustees or its Sub-Processors;

(f)        no later than the Effective Date, the Client has duly informed or will duly inform the Data Subjects that the Services may require the transfer of the Personal Data, specifically any Sensitive Data where relevant, to a Capital Trustees Affiliate or Sub-Processor in a third country providing a level of protection different than the protection afforded to such Personal Data by the laws in the jurisdiction in which the Client is established or in which Client’s employees reside, and that the Client has obtained all consents of the Data Subject to such transfer required under Applicable Law;

(g)        the Personal Data provided to Capital Trustees are accurate.

5.         Upon termination of the Agreement in whole or in part and at Client’s choice, Capital Trustees shall:

(a)        destroy all Personal Data Processed and any copies thereof and certify to the Client at Client’s written request that it has done so; or

(b)        in accordance with Client’s instructions return all Personal Data Processed and the copies thereof to the Client or Client Affiliate, unless any Applicable Law, competent court, supervisory or regulatory body prevents Capital Trustees from returning or destroying all or part of the Personal Data transferred. The obligation to destroy or return Personal Data does not apply to any notes, analyses, memoranda, minutes or other internal corporate documents, prepared by or on behalf of Capital Trustees which are based on, derived from, contain or otherwise make reference to Personal Data. Furthermore, Capital Trustees is entitled to retain copies of any computer records and files containing Personal Data which have been created pursuant to automatic electronic archiving and back-up procedures and which is not immediately retrievable as part of day-to-day business. Capital Trustees hereby warrants the confidentiality of the Personal Data and that such Personal Data will not be Processed for the Authorized Purposes or any other purposes other than their storage or their protection or as required by Applicable Law.

6.

(a)        At Client’s written request, the Capital Trustees Affiliate Processing the Personal Data of the Client shall allow, an audit (whether on-site or remotely) to verify Capital Trustees’s  compliance with its   obligations under Applicable Law and this Agreement, to be carried out either (i) by an independent third party audit firm bound by a duty of confidentiality and selected by the Client and approved by the Capital Trustees Affiliate (which approval shall not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (ii) by a competent data protection authority. The audit will be carried out in close cooperation with Capital Trustees’s Chief Information Security Officer. Parties shall agree the scope of the audit in advance. The Client shall notify Capital Trustees and the Capital Trustees Affiliate in writing with a minimum of fifteen (15) calendar days prior to any audit being carried out. The Client shall bear the costs of the audit. Capital Trustees is entitled to a reasonable compensation for the costs of the audit incurred by Capital Trustees, to be paid by the Client.

(b)       Capital Trustees shall assist the Client, to the extent reasonably possible, (i) to comply with Applicable Law in a reasonable time and (b) to respond to any Data Subject access, correction, erasure or blocking requests and objections.

7.         The Client will indemnify and hold Capital Trustees, Capital Trustees Affiliates and Sub-Processors harmless from and against any Claims from any Data Subjects and/or third parties relating to or arising from the Processing of Personal Data by Capital Trustees and/or which result from the breach of any of the warranties of the Client in this Policy.

Capital Trustees, Capital Trustees Affiliates will indemnify and hold the Client harmless from and against any Claims from any Data Subjects and/or third parties relating to or arising from or resulting from the breach of any of obligations of Capital Trustees in this Policy.

8.         Any agreement between Capital Trustees and a Sub-Processor shall at least contain similar obligations as section 1, section 2, section 3, section 5 and section 6 in this Policy.

9.         In the event of cross-border transfers of Personal Data between the Capital Trustees Affiliate and any Sub- Processor, the following shall apply (insofar relevant):

(a)        Where any data protection law of one or more of the Member States of the European Economic Area or Switzerland applies to the Personal Data (e.g., where the Client or its relevant Affiliates are established in such Member State and the Personal Data are Processed by Capital Trustees in the context of such establishment), the Personal Data may, at the discretion of Capital Trustees, be transferred to (i) one or more Capital Trustees Affiliates in either one or more Member States of the European Economic Area or Switzerland on the basis of Applicable Law, or to (ii) one or more Capital Trustees Affiliates in one or more third countries on the basis of the Binding Corporate Rules For Processing Customer Personal Data (Processor) of Capital Trustees, which are published on the website of Capital Trustees (www.beta.capitaltrustees.ch/gdpr-statement/). In such case, the information referred to in sub-section 4 (f) in this Policy shall include a reference to the Binding Corporate Rules For Processing Customer Personal Data (Processor) of Capital Trustees, Data Subject’s rights thereunder and Capital Trustees’s complaint procedure. The Client or the relevant Capital Trustees Affiliate, as applicable, shall upon request of the Data Subject, provide the Data Subject(s) with a copy of such Binding Corporate Rules and this Agreement (without any business sensitive or Confidential Information). Where permitted by Applicable Law, Capital Trustees shall, no later than the Go-Live Date, obtain all relevant authorizations or permits for such transfer of Personal Data based on such Binding Corporate Rules. Where Applicable Law does not allow Capital Trustees to obtain such authorization or permit for itself, the Client shall in a timely manner issue a Power-of-Attorney to the relevant Capital Trustees Affiliate to obtain such authorization or permit on behalf of the Client. Where the use of a Power-of-Attorney is not accepted under Applicable Law, the Client warrants that it has obtained, no later than the Go-Live Date, all necessary authorizations or permits to allow Capital Trustees to share the Personal Data with Affiliates of Capital Trustees in a third country.

(b)        Where any data protection law of one or more of the Member States of the European Economic Area or Switzerland applies to the Personal Data (e.g., where the Client or its relevant Affiliates are established in such Member State and the Personal Data are Processed by Capital Trustees in the context of such establishment), the Personal Data may, at the discretion of Capital Trustees, be transferred to one or more Sub-Processors  (other than Capital Trustees Affiliates) in one or more Member States of the European Economic Area or Switzerland on the basis of Applicable Law, or to one or more such Sub-Processors in one or more third countries on the basis of an exception under Applicable Law or on the basis of adequate safeguards adduced either, insofar as allowed under Applicable Law, by Capital Trustees to ensure the protection of the Personal Data, or by the Client, in which case Capital Trustees shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Sub-Processor. At Client’s request, Capital Trustees shall inform the Client of the applicable basis for the cross-transfer of the Personal Data.

(c)        Where the data protection or privacy law of any country outside the European Economic Area or Switzerland applies to the Personal Data, the Clients warrants that any cross-border transfer of Personal Data from Capital Trustees to a Sub-Processor shall be allowed on one of the following grounds, justifications or safeguards allowed under Applicable Law:

(i)       the cross-border transfer of the Personal Data is allowed under Applicable Law, without any additional safeguards to be taken by the Client;
(ii)      the consent of the Data Subjects obtained by the Client;
(iii)     a contract between the Client and the receiving Sub-Processor  of the Personal Data;
(iv)     the transfer is necessary for the performance of a contract between the Client or any Client’s Affiliate and the Data Subject;  or
(v)      any other safeguard or instrument.

The applicable ground, justification or safeguard shall be specified in a relevant statement of work or addendum to the service agreement between Capital Trustees and the Client.

Definitions

Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by national laws or regulations or laws or regulations of the European Union, the Controller or the specific criteria for his/her nomination may be designated by such laws or regulations.

Data Subjects means the directors, officers and employees of the Client and/or the relevant Client Affiliate and, to the extent applicable, its customers.

Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identityany information relating to Data Subjects.

Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Processor means the party, which Processes Personal Data on behalf of a Controller.

Sensitive Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of data concerning health, sex life, or any other Personal Data the processing of which is specifically restricted or specifically prohibited unless authorized by Applicable Law.

Sub-Processor means any Capital Trustees Affiliate assisting Capital Trustees in the provision of the Services as well as any contractor engaged by Capital Trustees to assist Capital Trustees in the provision of the Services in countries where Capital Trustees does not have a presence or to provide information technology, administrative support or consultancy services to Capital Trustees.

Capital Trustees reserves the right to update this policy without consulting or pre-informing its clients