In this document, the references made to “the Company“, “we” and “our” includes Innofor and, where appropriate and if the context so requires, the representatives, subcontractors and/or delegates thereof, who may be situated in the European Economic Area (hereinafter, the “EEA“) or outside it.

We would draw your attention to the fact that this notice may be amended, updated or supplemented from time to time (where appropriate, by any other document or procedure), in order to reflect any change in our practice concerning the processing of personal data and/or any change introduced into the Data Protection Legislation. We would also keenly encourage you to read this notice carefully and to regularly check any amendment that may subsequently be made.

WHO IS CONCERNED
This notice applies to any natural person with whom we interact, particularly customers, prospects, personnel, managers and other representatives of our customers and prospects who are legal entities, to all our business relations (investors, counterparties, etc.), and to the recipients of our services and to visitors to our websites (hereinafter, collectively referred to as “you” and the terms “you” and “your” should be constructed accordingly).

WHAT TYPE OF PERSONAL DATA DO WE PROCESS?
The data collected is limited to that required to achieve the purposes identified by the Company, and particularly the appropriate performance of its activities, the supply of quality products and services or the fulfilment of the legal and regulatory obligations applicable to it.

Personal data includes, for example (these lists not being restrictive) data that makes it possible to:

• identify you: surname, forename, identity card and/or passport numbers, nationality, place and date of birth, photo, signature, bank account number(s), country of residence, national number or tax number, IP address, cookies, identifier or codes allowing access to websites

• contact you: postal address(es), email address(es) or telephone number(s);

• find out about your personal situation: civil status, marital system, number of children, assets and source of income;

• find out about your habits and your preferences: credit history, history of your transactions and investments, invoicing address, other information collected through our personal or telephone conversations or email exchanges;

• enable you to access products or services requiring personal information or tax information; or

• offer us your services: employer, occupation/job, level of education or occupational experience.

Some data results from or has been collected within the scope of our commercial relations: bank account details, and credit card number, history of transactions on your accounts including recipients of payments made by you and the values of your various assets, and of course your investor profile.

Some data may be collected for security reasons or owing to obligations to the official authorities:

• video surveillance data for the protection of our customers, employees and premises;

• telephone recordings;

• data supplied by the official authorities; or

• data collected from external sources: fraud combating agencies, public data suppliers.

WHAT TYPE OF PERSONAL DATA DO WE NEVER PROCESS?
Data on your origin (racial or ethnic), your religion, your political or philosophical opinions, your sexual orientation and finally, your genetic data is never processed.

WHERE DOES THIS DATA COME FROM?
Most of this data constituting personal data within the meaning of the Data Protection Legislation is initially supplied to us by yourself, when entering into our business relationship and during the course thereof (to conclude any agreement enabling you to benefit from any product or service supplied by the Company, for example), when you use our applications and/or browse on our websites, or when you interact with us in any way whatsoever (particularly by telephone calls or by an email exchange).

In some situations, you may also inform us of personal data on other natural persons with whom you maintain relations for any reason whatsoever (managers, representatives, shareholders, beneficial owners, representatives, agents, etc.), particularly when you act as a legal representative, family member, beneficiary of a transaction or a contract, as a guarantor, joint borrower, shareholder or managing member of a legal person. Personal data concerning third parties is processed in the same way as personal data concerning you.

We also collect personal data from third parties (partners or suppliers with whom we already maintain business relations, public authorities or institutions, establishments operating business databases, other asset management companies or investment companies, etc.) and particularly persons with whom we could develop relations (prospects).

Finally, we can also obtain some of this data from sources accessible to the public.

UNDER WHAT CIRCUMSTANCES ARE WE AUTHORIZED TO USE YOUR PERSONAL DATA?
Any personal data processing effected by the Company is based on one of the following legal conditions:

• Execution of a contract:

  • to provide you with information on our products and services;

  • to assist you and answer your requests;

  • to satisfy required precontractual measures, particularly to assess the conditions under which we can offer you a product or a service; or

  • to obtain your consent on the choice of new services or products;

  • The Company’s legal and regulatory obligations, particularly with regard to:

  • combating money laundering and terrorist financing;

  • compliance with the applicable legislation on international sanctions and restrictive measures;

  • combating tax fraud and observance of obligations on tax control and declaration;

• The Company’s legitimate interests:

  • pursuit of commercial purposes, including, among others, marketing measures, promotion of services and products, or personalization of the Company’s commercial offers:

  • by improving the quality of the banking, financial or insurance products or services; or

  • by offering you products or services corresponding to your situation and your profile;

  • keeping proof of transactions and operations performed;

  • defending the Company’s interests in law;

  • fraud detection and prevention and risk management;

  • IT management, including the management of infrastructure (for example, information exchange platforms), maintaining business continuity and IT security; or

  • processing of electronic communication data. Electronic communication is deemed to include telephone conversations, the use of messaging systems (email, instant messaging, SMS and similar technologies) or connection to Internet services (website or electronic safes, for example);

• To respect the choice of the person whose personal data is processed, when he or she has given his or her consent. In some cases, your consent is necessary for the Company to be able to process your personal data.

The automated decision-making processing including profiling is not applicable in any sense within the Company (Article 22 of the GDPR). In case of your personal data is required as a statutory or contractual requirement, failure to provide such data will result in us not being able to deliver our services to you. In the event we process data for purposes other than those described in this notice, we will inform you and request your consent, if necessary.

WHY AND WITH WHICH PERSONAL DATA RECIPIENTS MAY PERSONAL DATA BE SHARED?
We may transfer personal data to:

• any of our subsidiaries, branches, establishments, or representatives;

• any of our subcontractors and/or delegates and, more broadly, service providers providing services on our behalf and/or contributing to the supply of products or services;

• commercial partners, including consulting firms, insurance companies, insurance brokers, payment and credit card issuers and agents, payment institutions, payment service providers, or other service providers;

• financial, judicial or administrative authorities and/or State agencies or public bodies, on application and within the limits permitted by law; or

• certain regulated professions such as lawyers, notaries or accountants.

These transfers take place within the scope of the Company’s business, when regulatory, legal or contractual provisions authorize it or require it.

Besides the obligations devolving upon them under the agreements signed with the Company, third parties receiving personal data are also required to observe the obligations devolving upon them (as “Data Protection Officer” or “Subcontractor” where appropriate) under the Regulation and, more broadly, under the Data Protection Legislation.

Personal data may be transferred by the Company outside the EEA solely under the conditions provided for by the legal or regulatory provisions applicable. In accordance with the Regulation, the Company shall thus ensure that, for the territory in question, either a decision on suitability previously issued by the European Commission exists, or suitable guarantees enabling personal data protection to be ensured have been put in place.

The Company anticipates that, within the scope of the transfer of funds or transactions on financial instruments, some participating third parties (stock exchange/market, correspondent bank, service providers, etc.), that may be situated outside the EEA will be required to process the personal data required for the performance of such transactions.

HOW LONG IS YOUR PERSONAL DATA KEPT FOR?
The Company stores personal data in accordance with the obligations applicable thereto and during the period necessary to achieve the purposes for which such data has been collected. As a registered organization, there are laws and regulations that apply to us that set out a minimum period of retention of personal information and data, subject to the legal periods of limitation (as a principle, ten (10) years for commercial matters) and to the situations where applicable laws require or allow Personal Data to be retained for a certain period of time after the termination of the contractual and commercial relationship (such as the legal obligation to keep accounting documents for a period of ten (10) years or AML/CTF related information for a period of five (5) years at least).

As an exception, personal data may be kept once such purposes have been achieved, in order, in particular, to deal with any complaint, for the purposes of legal action in progress or on the request of competent authorities. For more information on our specific retention policies, please inquire us through our contact details included at the end of this notice.

WHAT MEASURES ARE TAKEN IN RESPECT OF INTERNATIONAL DATA TRANSFERS?
In the event of data transfers to third countries outside the EEA, the Company has in place the measures provided by Articles 45 and 46 of the GDPR.

If the level of protection of the destination country can be considered adequate, the personal data may be transferred in the same manner as if it was transferred within the EEA. The general principles of the GDPR (e.g. lawfulness of processing, compatibility of the communication of data to a third party with the initial processing activity, information to data subjects) shall be observed in all circumstances.

For service providers and delegates (acting as data processors) located outside of the EEA in the countries without an EU adequacy decision, the Company has implemented the appropriate safeguards such as EU standard contract clauses.

WHAT MEASURES ARE TAKEN TO PROTECT PERSONAL DATA
The Company adopts and maintains appropriate technical or organizational measures enabling it to ensure that it processes personal data in such a way as to guarantee appropriate security, and particularly to protect it against unauthorized or illegal processing, loss, destruction or accidental damage.

Any personal data transfer shall be effected in accordance with the Data Protection Legislation.

The Company is informing you and, insofar as is permitted under the Data Protection Legislation, will inform any natural person concerned with whom you maintain relations, of any infringement of personal data that may give rise to a high risk to the rights and freedoms of the natural person concerned.

WHAT RIGHTS DO YOU HAVE, AND HOW CAN YOU EXERCISE THEM?
In accordance with the Data Protection Legislation, you and/or, insofar as is permitted under the Data Protection Legislation, any natural person concerned with whom you maintain relations, hold several rights to your personal data, including:

• Right to access any personal data concerning you and a copy of such data;

• Right to examine and correct your personal data if you consider it to be incorrect or incomplete;

• Right to obtain the deletion of your personal data (“Right to be forgotten”), under the conditions and within the limits stipulated by the Data Protection Legislation;

• Right to request a restriction to the processing of your personal data;

• Right to object to the processing of your personal data, under the conditions and within the limits stipulated by the Data Protection Legislation, for reasons connected with your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, including profiling connected with direct marketing.

• Right to withdraw your consent to the processing of your personal data at any time;

• Right to the portability of some of your personal data, i.e. you may ask to receive such data in a machine-readable structured format commonly used in order to pass it on to a third party; and

• Right to lodge a complaint with the supervisory data protection authority in your country of professional establishment or residence. A list of the EU data protection authorities is available by clicking this link: https://edpb.europa.eu/about-edpb/board/members_e

If you wish to exercise one of the aforesaid rights or if you have any questions concerning the use of your personal data, please contact us, by email or letter. Our contact details can be found in the last section of this notice.

In the interest of confidentiality and data protection, the Company must be sure of your identity before responding to your request. The Company will then endeavour to answer your request within a period of one (1) month from receipt of the request. Depending on the complexity of the request or the number of requests to be dealt with, the Company may increase this period to two (2) months, provided you have been informed in advance.

The Company reserves the right to refuse any request for which it is unable to identify its author in a way satisfactory to it or if it considers the request to be excessive or unfounded. You will then be informed of the reasons for the refusal within a period of one month from receipt of the request.

The Company may also require the payment of reasonable fees in the case of unfounded or excessive requests, especially if they are repetitive.