Data protection and privacy

Your privacy is important to us, and we are committed to protecting your personal data. Depending on the situation, we may either collect certain personal data ourselves or process certain personal data that is controlled by our clients. Our commitments in these two cases are set out in the Privacy Notice and the Data Processing Protocol, respectively.

Data Processing Protocol

The Data Processing Protocol applies where we may process certain personal information of which our client or client entities are the controller. It sets out, among other things, the principle of confidentiality, the security practices and the technical and organizational measures that Intertrust has put in place.

Please find our full Data Processing Protocol below:

Data Processing Protocol

This Data Processing Protocol (the “Protocol”) shall apply between Intertrust and the Client Entity (“Client”) it is servicing, where Intertrust Group may process Personal Data, of which the Client is the Controller.

The Protocol forms part of any agreement in place between Intertrust and the Client (the “Service Agreement”).

1. Definitions

Where this Protocol uses terms which are defined in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”), then the definitions set out in that Regulation shall apply.

“Client” shall mean the company, trust, foundation, any other form of legal entity, partnership, or unincorporated business, set up, to which Intertrust provides any service at the request or instruction of such entity and/or its group members;

“Intertrust” shall mean the relevant Intertrust group compan(y)/(ies) that are affiliates to Intertrust Group B.V. (the Netherlands, 1043 AP Amsterdam, Basisweg 10) and have concluded a Service Agreement with the Client; and

“Personal Data” shall mean personal data as defined in Article 4 GDPR, which Intertrust processes as a Processor in the course of providing services to the Client.

2. Scope of the Protocol

2.1 The Client and Intertrust note that:

a) Intertrust may process Personal Data whilst providing services to the Client, acting on behalf and under the direct authority of the Client (acting as sole controller) who (i) initiates and delegates such processing to Intertrust and (ii) ultimately reviews, controls, confirms and approves such processing. Intertrust shall (I) only carry out such processing on the instructions of the Client and in accordance with the provisions of this Protocol and the associated Service Agreement(s), and (II) immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions, to the extent permitted by law; and

b) the Protocol does not apply to Intertrust’s processing of Personal Data concerning the Client’s representatives, stakeholders and ultimate beneficial owners as necessary for the purposes of its service providing or as required by applicable laws (notably for AML and KYC purposes).

2.2 The Client shall obtain the required consent for collecting and processing the Personal Data in accordance with the Applicable Laws.

2.3 Where Intertrust may be provided with sensitive Personal Data (as defined under the Applicable Laws), excluding special categories of personal data as defined under art. 9 of the GDPR, for the purposes of its service offering, the Client hereby confirms that it shall obtain the required consent for collecting and processing the sensitive Personal Data in accordance with the Applicable Laws.

2.4 Intertrust will have no control over the purposes and means of processing the Personal Data.

2.5 The GDPR and any other applicable privacy laws apply to this Protocol and anything not specifically mentioned in this Protocol shall be governed by the GDPR and any other applicable privacy laws (“Applicable Laws”).

3. Confidentiality

3.1 Intertrust, and any person authorized to process Personal Data on its behalf, receiving the Personal Data from the Client pursuant to the Service Agreement, will exercise at least the same degree of care with respect to Personal Data with which Intertrust protects its own Personal Data of the same or similar nature.

3.2 Intertrust shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Intertrust and its employees shall not communicate the Personal Data to or put the Personal Data at the disposal of third parties without the Client’s prior written consent thereto unless (a) it is required to do so by mandatory law or regulation or ordered to do so by a competent authority or (b) pursuant to Clause 9.

3.3 Intertrust will only use or reproduce the Client’s Personal Data to the extent necessary to it to fulfil its obligations under the Service Agreement.

4. Security Practices, Procedures and Technical and Organisational Measures

4.1 Intertrust shall implement appropriate commercially reasonable, technical, physical and organisational security measures to protect Personal Data from misuse and/or accidental, unlawful and/or unauthorized destruction, loss, alteration, disclosure, acquisition and/or access and against all other unlawful forms of Processing in accordance with adequate internal instructions adopted by Intertrust. Intertrust will ensure a level of security suitable (taking into account the state of the art and the costs of implementation of such security) in relation to the risks and the nature of the Personal Data to be protected to the identified risks and pursuant to applicable Data Protection Laws and, where the Processing concerns Personal Data of EU residents or in case GDPR applies, shall take all measures required pursuant to Article 32 GDPR. Where local laws prescribe specific instructions and measures to be adopted for the purposes of this Article, local laws will be applied.

4.2 In fulfillment of Intertrust’s obligation to demonstrate compliance with paragraph 4.1, Intertrust will make available a description of its Technical and Organizational Measures. The Intertrust Information Security Overview as published on the website of Intertrust includes an overview of the Technical and Organizational Measures, as may be amended from time to time. Intertrust may from time to time also make, at its discretion, reference to certificates, third party audit reports or other relevant information.

4.3 Client shall provide Intertrust with thirty (30) calendar days advance notice of any audit request, which may be at the Client’s expense. The Client may not engage in an audit which would compromise confidentiality obligations towards any other Clients of Intertrust, access to non-public external reports, supplier internal pricing information, Intertrust confidential information and/or any internal reports prepared by Intertrust’s internal audit function. If the Client wishes to nominate another auditor to undertake the audit, it shall ensure that the auditor enters into a confidentiality agreement with Intertrust in such form as Intertrust shall reasonably require. Any liability, indemnity and all obligations under this contract shall also remain with the Client, even if it nominates another auditor. The Client warrants that any auditors are suitably qualified to undertake such an exercise.

5. Duration of processing of the Personal Data

5.1 Intertrust will process the Personal Data for as long as it provides services to the Client and will hold the Personal Data in archive after that date to the extent necessary for legitimate business purposes or for bona fide compliance purposes.

5.2 The Client may instruct Intertrust to delete or return Personal Data at the end of the period during which Intertrust will process such Personal Data. Intertrust shall be authorized to keep a copy to the extent required for legal, regulatory or bona fide compliance purposes, as well as the exercise or defense of legal claims for as long as is legally required for such purposes. Intertrust will delete such Personal Data at the end of such period.

6. Data Breach Incident

6.1 Intertrust will comply with GDPR requirements with respect to notifying the impacted Client whenever Intertrust becomes aware that there has been a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Intertrust in the context of this Protocol (“Data Breach Incident”). Intertrust will investigate the Data Breach Incident and take necessary steps to eliminate or contain the impact of the Data Breach Incident.

6.2 Intertrust shall maintain written procedures which enable it to provide a response to the Client about a Data Breach Incident as soon as practicably possible.

7. Transfer of Personal Data

The Client confirms that Intertrust may transfer Personal Data to its affiliates and subprocessors inside and outside the European Economic Area (EEA) for purposes of servicing, support, back-up or any other legitimate interest Intertrust may have to transfer Personal Data in order to fulfil its obligation(s) as per the relevant Service Agreement(s). Intertrust confirms that it has established safeguards to protect Personal Data transferred to countries outside the EEA that are, as a minimum, in accordance with the relevant Standard Contractual Clauses as approved by the European Commission. Where Intertrust enters such arrangements, it may act either for itself or as an agent for the Client or in both capacities. Every Intertrust group company has adhered to or is bound by the Standard Contractual Clauses through an intragroup arrangement.

8. Rights of Data Subjects

8.1 Upon instruction of the Client, Intertrust will cooperate to enable the Client:

a) in providing access to Data Subjects whose Personal Data are being processed via the provision of the services by Intertrust;

b) in deleting or correcting their Personal Data;

c) demonstrating that their Personal Data have been deleted or corrected if they are incorrect, or, if the Client disagrees with the point of view of the Data Subject, recording that the Data Subject is of the opinion that the Personal Data is incorrect;

d) in restricting the processing of Personal Data as per Article 18 GDPR;

e) in protecting the rights of Data Subjects to its best advantage;

f) in case a Data Subject exercises his or her right to data portability to another Data Controller pursuant to Article 20 GDPR and where technically feasible; and

g) in case a Data Subject exercises his or her right to object in accordance with Article 21 GDPR.

8.2 Notwithstanding Clause 8.1, Intertrust shall not be obligated to delete copies of Personal Data that it holds, to the extent where further processing is required in order to comply with a legal obligation to which Intertrust is subject or for the establishment, exercise or defence of legal claims.

8.3 The Client, as Controller, has the responsibility to provide the Data Subject with the information necessary to ensure fair and transparent processing in respect of the Data Subject (as set out in Article 14.1 of the GDPR or any similar provision under other applicable Data Protection Law). Where further processing of the Personal Data is required, for a purpose other than that for which the Personal Data were obtained, the Client shall provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Articles 13.1 and 14.2 of the GDPR or any similar provision under any other applicable privacy laws. Intertrust shall not be held responsible if it is not aware of such information not being provided to the Data Subject.

8.4 Intertrust shall not correct, delete or restrict data to be processed on behalf of the Client in an unauthorized manner. Should a Data Subject contact Intertrust directly in this context, Intertrust shall forward this request to the Client without undue delay.

9. Subprocessors and contractors

9.1 The Client hereby generally authorizes Intertrust to use subprocessors and/or contractors (as defined and under the conditions described in Intertrust’s General Terms & Conditions and/or Intertrust’s Service Delivery Conditions) to provide support to the services under the Service Agreement.

9.2 Intertrust shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such subprocessors and/or contractors are at least as restrictive as this Protocol. A list of the current main subprocessors and Contractors can be found in the Intertrust Outsourcee Overview as published on the website of Intertrust. Intertrust may change or add subprocessors and/or contractors from time to time, which changes shall be announced via an update of the Intertrust Outsourcee Overview as published on the website of Intertrust. The Client shall consult the Intertrust Outsourcee Overview regularly in order to be kept informed of such changes and may, within a reasonable period of time, object to such changes.

10. Modification or amendment

Any amendment to this Protocol shall be published on the website of Intertrust, but shall not reduce or otherwise limit the rights of the Client.

11. Assistance to Client compliance with Articles 32 to 36 GDPR

Intertrust shall assist the Client in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Intertrust.

12. Applicable Law and Jurisdiction

This Data Processing Protocol is governed by the applicable law of the relevant Service Agreement and any dispute in respect of this Data Processing Protocol or execution thereof shall be submitted to the Intertrust entity servicing the Client and before the competent court as defined in the relevant Service Agreement.

Annex 1 – Description of processing of personal data

1. Subject Matter, Nature and Purpose

All processing activities (including the collection, organization and analysis of Personal Data) as are reasonably required to facilitate or support the provision of the services described under the Service Agreement.

2. Categories of Data Subjects

The Data Subjects may include individuals that represent the Client, that are advising the Client, that are in any contractual or statutory relationship with the Client, or that the Client has collected in view of its servicing towards such individuals or are otherwise connected to such individuals.

Most commonly the Data Subjects will include: (1) employees, contractors or other workers of the Client and/or their family members, representatives or others connected with workers and (2) past, existing or prospective Clients and/or contractual counterparties of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them.

3. Types of Personal Data

The services under the Service Agreement may involve the processing of the following types of Personal Data:

  • names and contact information;
  • general demographic information (such as gender, age, date of birth, marital status, nationality, employment details, residence, utility bills, etc.);
  • personal identification documentation and related information such as passport numbers and employee identification numbers;
  • financial and payment data such as bank account numbers and transaction information;
  • details of shareholdings and other assets which are legally or beneficially owned by the Data Subject;
  • details of people and organizations which may be connected to the Data Subject (family or otherwise); and
  • information related to the provision of the services performed under the Service Agreement or per the services provided by the Client to such individuals.

Privacy Notice

The Privacy Notice sets out what personal data we collect and how we collect and use it. It also sets out the rights you have in relation to the Personal Data.

Please find our full Privacy Notice below:

Intertrust Group Privacy Notice

17 November 2022

About Intertrust, introduction

This Privacy Notice is issued by Intertrust Group B.V. (the Netherlands, 1043 AP Amsterdam, Basisweg 10) and applies to Intertrust N.V. (with same registered office) and to its direct or indirect subsidiaries (hereinafter “Intertrust”).

Intertrust’s main establishment in charge of decision-making regarding the purposes and means of data processing in the EU (Intertrust Group B.V.) is established in the Netherlands. Therefore, Intertrust’s lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Intertrust understands that your privacy is important. Therefore, we respect and protect your right to privacy and will process your personal data in accordance with the provisions of the European General Data Protection Regulation (“GDPR”) and other applicable privacy laws.

The GDPR and any other applicable privacy laws apply to this Privacy Notice and anything not specifically mentioned in this notice shall be governed by the GDPR and any other applicable privacy laws.

This Privacy Notice explains how we may use, process and store your personal data.

What kind of personal data does Intertrust collect?

Personal data means any information relating to an identified or identifiable natural person. Intertrust collects and processes the following types of personal data:

  • name, address, email address, telephone number and other contact information;
  • date and place of birth;
  • nationality;
  • gender;
  • employment details;
  • marital status;
  • copies of identity documents (such as passport, national ID card, driver’s license, employee identification numbers);
  • source of wealth;
  • utility bills, bank statements;
  • tax residency;
  • details of shareholdings and other assets which are legally or beneficially owned by the data subject; and
  • details of people and organisations which may be connected to the data subject (family or otherwise).

Please note that the list is not exhaustive and that Intertrust may also collect and process personal data to the extent this is useful or necessary for the provision of our services.

Where Intertrust collects and processes personal data of minors as defined under the Applicable Laws, the disclosing party hereby confirms that the consent of the minor’s guardian or a person with parental responsibility has been provided.

Intertrust does not process sensitive personal data. To the extent you make sensitive personal data, excluding special categories of personal data as defined under art. 9 of the GDPR, available to Intertrust, you consent to Intertrust processing such personal data in accordance with this Privacy Notice.

How does Intertrust collect personal data?

Intertrust obtains and processes personal data in different ways.

  • Personal data provided to Intertrust directly;

We collect personal data directly from (prospective) clients, business partners and intermediaries for the purposes of entering into a contract or a service agreement and/or to meet certain legal requirements.

  • Personal data obtained from third parties;

We also collect and process personal data from publicly accessible sources such as internet, social networks, World-Check or commercial registers. Furthermore we may receive personal data from third parties as part of the service we provide to you or to people which are connected to you (including but not limited to organisations in which you have a shareholding or by which you are employed) or in connection with legal requirements that are applicable to us.

How does Intertrust use personal data?

The majority of the personal data processed by Intertrust is necessary for the performance of a contract to which the data subject is a party or to comply with the request of the data subject prior to entering into a contract. Intertrust also processes personal data in order to comply with our legal and regulatory obligations.

We may furthermore process personal data for the purposes of the legitimate business interests pursued by Intertrust. Such legitimate interests include general research and development (including statistical research or as a basis to analyze our current security measures), administration of our business and systems, including IT, billing and invoicing systems or to develop and improve our services or to strengthen our relationship with you. We may provide you with communications or information regarding our service offering which we think will be interesting for you. When we process your personal data for our legitimate business interests, or where consent to process personal data was received, we will consider and balance any potential impact on you and your rights under the relevant data protection and any other relevant law. Whenever we process personal data for these purposes you have the right to object to this way of processing.

To whom does Intertrust provide personal data?

Intertrust may disclose or transfer personal data collected by Intertrust to our group companies insofar as reasonably necessary for the purposes of our service offering or for bona fide compliance purposes as well as on the legal basis as set out in this Privacy Notice.

Except as described in this paragraph, Intertrust will not disclose, transfer or sell your personal data to any third party unless you have consented to this.

Intertrust may disclose or transfer personal data to subcontractors, intermediaries or external advisors for the purpose of the proper performance of the services we provide to our clients. It may, for example, disclose or transfer such personal data to third party service providers who provide administrative, computer, payment, data processing, debt collecting or other services. We enter into data processing agreements with such subcontractors to ensure that they process your data, on our behalf, with the same level of security and confidentiality as applied by Intertrust. Intertrust may furthermore disclose or transfer personal data when we received your consent to do so.

In addition Intertrust may disclose or transfer personal data to protect our rights or those of our clients and/or to prevent fraud. Intertrust can also be obliged to disclose or transfer personal data to competent authorities in order to comply with our legal and/or regulatory obligations.

Job Applicants and Employees

This section describes how Intertrust handles and protects the personal information of employees and job applicants provided to Intertrust, i.a. through the online Intertrust career website. This section should be read together with the rest of this Privacy Notice (except for the sections ‘What kind of personal data do we collect’ and ‘How does Intertrust use your personal data’).

Intertrust processes the following types of personal data of employees and job applicants:

  • Name, address, email address, telephone number and other contact information;
  • Date and place of birth;
  • Nationality;
  • Immigration, right-to-work and (tax) residence status;
  • Job-related information such as years of experience and work record;
  • Educational and training information;
  • Skills and competencies;
  • Name and contact details of references (please note that if you provide us with contact details of a reference it is your responsibility to obtain consent from that individual before sending this information to Intertrust);
  • Any other personal information you choose to submit to Intertrust in connection with your application.

We use the personal data you provide in your application for the purpose of carrying out our recruitment activities. Your personal data will be used to assess if you are qualified for the position you apply to, to verify your information, to conduct reference checks, to communicate with you and to inform you of further career opportunities.

International transfers and data storage

Intertrust may disclose or transfer personal data to other companies of the Intertrust group that are located in countries that are outside the European Economic Area in connection with the above purposes.

The personal data Intertrust processes is stored by Intertrust on our servers, and/or on the servers of the cloud-based database management services Intertrust engages.

If disclosure or transfer of personal data is being done in a country that does not ensure an adequate level of protection of your personal data, Intertrust will make sure additional safeguards will be put in place.

Retention

Intertrust will process and store the relevant personal data for the duration of our services or for the duration of the business relationship. Intertrust may also store the data for as long as it is necessary or required in order to fulfill legal, contractual or statutory obligations or for the establishment, exercise or defense of legal claims, and in general where it has a legitimate interest for doing so.

Your rights

You have the following rights:

  • Access to your information

You have the right to access the personal information that Intertrust holds about you at any time.

  • Data portability

You may ask Intertrust to provide you with a copy of the personal information that Intertrust holds about you.

  • Correction of your personal information (the right to rectification)

You have the right to ask Intertrust to update and correct any out-of-date or incorrect personal information that we would hold about you.

  • Deletion of your personal information (the right to be forgotten)

You have the right to ask Intertrust to delete your personal information, to the extent that Intertrust has no legal and/or regulatory obligations to keep such personal information.

  • Restriction of processing of your personal information

You have the right to ask Intertrust to restrict the processing of your personal information in case:

a. You contested the accuracy of the personal information held by Intertrust;
b. The processing is unlawful but you objected to the deletion of the personal data and requested the restriction of the use instead;
c. Intertrust no longer needs the personal data for the purposes of the processing, but you require them for legal reasons;
d. You objected to processing and Intertrust is investigating whether there are legitimate grounds to override your objection.

  • Automatic decision making

Intertrust generally does not make decisions by purely automatic means, but if we do, you have the right to object.

  • Object

You have the right to object at any time to the processing of your personal data for any direct marketing (and related profiling) by Intertrust.

If you wish to exercise any of the above rights, you can contact Intertrust using the contact details below.

In addition, you have the right to make a complaint with the local supervisory authority with respect to the way Intertrust is processing your personal data or the way Intertrust is handling your rights.

Navigation and Cookies

Please note that Intertrust is the controller of personal data collected through the Intertrust website (the “Website”) and the Intertrust global client portal, styled as Iris (the “Portal”).

Intertrust collects personally-identifiable information on certain areas of the Website and Portal when users register, request publications or other information, send Intertrust instructions in connection with services, sign up for conferences and events, apply for jobs, and participate in user posting areas, such as bulletin boards, discussion forums, and surveys. The personally-identifiable information collected may consist of information that you provide, such as names, mailing addresses, e-mail addresses, telephone and fax numbers, and, for recruiting purposes, any other personally-identifiable information on your resume.

The Website and the Portal also use cookies to identify you and your interests and to track usage of the Website and Portal. Cookies are small pieces of text stored on your computer that help us know which browser you are using and where you have been on the Website and the Portal and on websites to which you may link in order to use some of our features. By accepting our cookie, you will be permitted access to certain pages of the Website and the Portal without having to log in each time you visit. A user who does not accept the cookie from the Website or Portal may not be able to access certain areas of the Website or Portal. Intertrust also logs IP addresses, access history or the location of computers on the Internet, to help diagnose problems with our server, to administer the Website and the Portal and/or to prevent or remedy any security incidents. If you prefer not to accept a cookie, you can set your web browser to warn you before accepting cookies, or you can refuse all cookies by turning them off in your web browser.

Please click here to learn more about the cookies and third-party cookies that are used on the Intertrust website and how to refuse the cookies.

How do we protect personal data?

Intertrust is committed to ensuring the security of your personal data. Intertrust takes appropriate commercially reasonable, technical, physical and organisational measures to prevent unauthorised or unlawful processing of your personal data or accidental loss or destruction of your personal data. Intertrust will ensure a level of security suitable to the identified risks and pursuant to Applicable Laws and, where the Processing concerns personal data of EU residents or in case GDPR applies, shall take measures required pursuant to article 32 GDPR.

Employees of Intertrust are trained to handle personal data securely and with utmost respect, and they will treat your personal data as strictly confidential. Staff members shall be authorized to access personal data only to the extent necessary to serve the applicable legitimate purposes for which the data are processed by Intertrust and to perform their job.

Intertrust will not divulge client information to a third party unless we have received explicit client authorisation or we are required to do so by law.

Changes to this notice

Intertrust may update this Privacy Notice from time to time. We advise you to periodically review this Privacy Notice to be informed of how Intertrust is protecting your privacy.

Contact Intertrust/Data Protection Officer

If you have any questions, concerns or complaints with respect to this Privacy Notice or the way Intertrust is handling your privacy, or if you wish to exercise any of your rights, please contact our Data Protection Officers as mentioned in Annex 1 attached hereto.

Annex 1 – Contact information Data Protection Officer

For Group:
Corneel Ryde – [email protected]

For Jersey:
Yezdi Patel – [email protected]

For Guernsey:
Ben Looijenga – [email protected]

For Cayman:
Rhona Sambula – [email protected]

For the United Arab Emirates:
Joanne Sweeney – [email protected]

For Switzerland:
Maria Bomrad – [email protected]

Data controllers in Switzerland:

  • Intertrust (Suisse) S.A.
  • Intertrust Services (Schweiz) A.G.
  • Intertrust Suisse Trustee GmbH
  • Intertrust Services (Liechtenstein) Trust Reg.
  • Intertrust Director (Malta) Limited
  • Intertrust Nominees Limited
  • Directo S.A.
  • Edelweiss (Directors) Limited
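
Intertrust Group Privacy Notice

17 November 2022

About Intertrust Group

This Privacy Notice is issued by Intertrust Group B.V. (registered address: Basisweg 10, 1043 AP Amsterdam, the Netherlands) and applies to Intertrust N.V. (registered at the same address) and the subsidiaries it directly or indirectly controls (hereinafter “Intertrust”).

Intertrust's main decision-making body for the purposes and means of data processing in the EU region (Intertrust Group B.V.) is established in the Netherlands. Intertrust's lead supervisory authority is therefore the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Intertrust knows that your privacy is of the utmost importance. We therefore respect and protect your right to privacy and will process your personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and other applicable privacy laws.

The GDPR and any other applicable privacy laws apply to this Privacy Notice, and anything not expressly mentioned in this notice shall be governed by the GDPR and any other applicable privacy laws (“Applicable Laws”).

This Privacy Notice sets out how we use, process and store your personal data.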

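What types of personal data does Intertrust collect?

Personal data means any information relating to an identified or identifiable natural person. Intertrust collects and processes the following types of personal data:

  • Contact information such as name, address, e-mail address and telephone number;
  • Date and place of birth;
  • Nationality;
  • Gender;
  • Employment details;
  • Marital status;
  • Copies of identification documents (such as passport, national identity card, driving licence, employee identification number);
  • Source of wealth;
  • Utility bills, bank statements;
  • Tax residency certificates;
  • Details of shares and other assets legally or beneficially owned by the data subject; and
  • Details of persons and organisations that may be connected with the data subject (by family or otherwise).

Please note that this list is not exhaustive, and Intertrust may also collect and process personal data that is useful or necessary for providing its services.

Where Intertrust collects and processes personal data of minors (as defined under Applicable Laws), the disclosing party hereby confirms that it has obtained the consent of the minor's guardian or the person holding parental responsibility.

Intertrust does not process sensitive personal data. Where you provide Intertrust with sensitive personal data (excluding special categories of personal data as defined in Article 9 GDPR), you consent to Intertrust processing such personal data in accordance with this Privacy Notice.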

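How does Intertrust collect personal data?

Intertrust obtains and processes personal data in different ways.

  • Personal data provided directly to Intertrust: we collect personal data directly from (prospective) clients, business partners and intermediaries for the purpose of entering into a contract or service agreement and/or complying with certain legal requirements.
  • Personal data obtained from third parties: we also collect and process personal data from publicly available sources, such as the internet, social networks, the Refinitiv World-Check database or commercial registers. In addition, we may receive personal data from third parties as part of the services we provide to you or to persons connected with you (including but not limited to the organisation in which you hold shares or by which you are employed), or in connection with applicable legal requirements.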

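How does Intertrust use your personal data?

Most of the personal data Intertrust processes is necessary for the performance of a contract to which the data subject is a party, or to act on the data subject's request before entering into a contract. Intertrust also processes personal data in order to comply with legal and regulatory obligations.

In addition, we may process personal data for the purpose of pursuing legitimate business interests. These legitimate interests include general research and development (including statistical research or as a basis for analysing our current security measures), business and systems administration (including IT, billing and invoicing systems), developing and improving services, and strengthening our relationship with you. We may provide you with information about services that we think will be of interest to you. When we process your personal data for legitimate business interests, or where we have received consent to process personal data, we will consider and balance any potential impact on you and your rights under the relevant data protection laws and any other relevant laws. Whenever we process personal data for such purposes, you have the right to object to that processing.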

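To whom does Intertrust provide personal data?

Intertrust may, where reasonably necessary, disclose or transfer the personal data it collects to our group companies for the purpose of providing services or for bona fide compliance purposes, and on the legal bases set out in this Privacy Notice.

Other than as described in this section, Intertrust will not disclose, transfer or sell your personal data to any third party, except with your consent.

Intertrust may disclose or transfer personal data to subcontractors, intermediaries or external advisers for the proper performance of the services provided to clients. For example, Intertrust may disclose or transfer personal data to third-party service providers that provide administrative, computer, payment, data processing, debt collection or other services. We enter into data processing agreements with such subcontractors to ensure that they process your data on our behalf with the same level of security and confidentiality as Intertrust. With your consent, Intertrust may further disclose or transfer your personal data.

In addition, Intertrust may disclose or transfer personal data to protect our rights or those of our clients and/or to prevent fraud. Intertrust is also obliged to disclose or transfer personal data to the competent authorities in order to comply with legal and/or regulatory obligations.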

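Job applicants and employees

This section describes how Intertrust processes and protects the personal information that employees and job applicants provide to Intertrust through Intertrust's online careers site. This section should be read together with the rest of this Privacy Notice (except for the sections “What types of personal data does Intertrust collect?” and “How does Intertrust use your personal data?”).

Intertrust processes the following types of personal data of employees and job applicants:

  • Contact details such as name, address, e-mail address and telephone number;
  • Date and place of birth;
  • Nationality;
  • Immigration status, right to work and (tax) residency status;
  • Work-related information, such as previous work experience and job performance;
  • Education and training information;
  • Skills and competencies;
  • Names and contact details of referees (please note that if you provide us with a referee's contact details, it is your responsibility to obtain that referee's consent before sending this information to Intertrust);
  • Any other personal information relevant to your application that you choose to submit to Intertrust.

We use the personal data you provide in your job application for the purpose of carrying out recruitment activities. Your personal data will be used to assess your eligibility for the position applied for, verify your information, conduct background checks, communicate with you and inform you of further career opportunities.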

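Cross-border transfers and data storage

Intertrust may, for the purposes described above, disclose or transfer personal data to other companies of the Intertrust Group located in countries outside the European Economic Area.

Personal data processed by Intertrust is stored by Intertrust on our servers and/or on the servers of the cloud-based database management services used by Intertrust.

Where a disclosure or transfer of personal data takes place in a country that cannot ensure adequate protection of your personal data, Intertrust will ensure that additional safeguards are put in place.

Data retention

Intertrust will process and store the relevant personal data for the duration of our services or for the duration of the business relationship. Intertrust may also store personal data for as long as is necessary or required in order to fulfil legal, contractual or statutory obligations or for the establishment, exercise or defence of legal claims, and in general where it has a legitimate interest in doing so.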

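Your rights

You have the following rights:

  • Access to your information. You have the right to access the personal information that Intertrust holds about you at any time.
  • Data portability. You may ask Intertrust to provide you with a copy of the personal information that it holds about you.
  • Correction of your personal information (the right to rectification). You have the right to ask Intertrust to update and correct any out-of-date or incorrect personal information that it holds about you.
  • Deletion of your personal information (the right to be forgotten). You have the right to ask Intertrust to delete your personal information, provided that Intertrust has no legal and/or regulatory obligation to keep such personal information.
  • Restriction of processing of your personal information. You have the right to ask Intertrust to restrict the processing of your personal information where:
      a. You contest the accuracy of the personal information held by Intertrust;
      b. The processing is unlawful, but you object to the deletion of the personal data and request that its use be restricted instead;
      c. Intertrust no longer needs the personal data for the purposes of the processing, but you require the data for legal reasons;
      d. You object to the processing and Intertrust is investigating whether there are legitimate grounds to override your objection.
  • Right to object to automatic decision making. Intertrust generally does not make decisions by purely automatic means, but if we do, you have the right to object.
  • Right to object. You have the right to object at any time to the processing of your personal data by Intertrust for any direct marketing (and related profiling).

If you wish to exercise any of the above rights, you can contact Intertrust using the contact details below.

In addition, you have the right to make a complaint to the local supervisory authority about the way Intertrust processes your personal data or the way Intertrust handles your rights.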

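Navigation and Cookies

Please note that Intertrust is the controller of personal data collected through the Intertrust website (the “Website”) and the Intertrust global client portal, Iris (the “Portal”).

Intertrust collects personally-identifiable information on certain areas of the Website and Portal when users register, request publications or other information, send Intertrust instructions in connection with services, sign up for conferences and events, apply for jobs, and participate in user posting areas (such as bulletin boards, forums and surveys). The personally-identifiable information collected may include information that you provide, such as names, mailing addresses, e-mail addresses, telephone and fax numbers, and, for recruiting purposes, any other personally-identifiable information on your resume.

The Website and the Portal also use cookies to identify you and your interests and to track usage of the Website and Portal. Cookies are small pieces of text stored on your computer that help us know which browser you are using, where you have been on the Website and the Portal, and the websites to which you may link in order to use some of our features. By accepting our cookies, you will be permitted access to certain pages of the Website and the Portal without having to log in each time you visit. Users who do not accept cookies from the Website or Portal may not be able to access certain areas of the Website or Portal. Intertrust also logs IP addresses, access history or the location of computers on the Internet, to help diagnose server problems, to administer the Website and the Portal and/or to prevent or remedy any security incidents. If you prefer not to accept cookies, you can set your web browser to warn you before accepting cookies, or you can refuse them by turning off all cookies in your web browser.

Click here to learn more about the cookies and third-party cookies that are used on the Intertrust Website and Portal and how to refuse them.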

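How do we protect personal data?

Intertrust is committed to ensuring the security of your personal data. Intertrust takes appropriate commercially reasonable, technical, physical and organisational security measures to prevent unauthorised or unlawful processing of your personal data or its accidental loss or destruction. Intertrust will ensure a level of security appropriate to the identified risks and pursuant to Applicable Laws and, where the processing concerns personal data of EU residents or where the GDPR applies, will take all measures required by article 32 GDPR.

Employees of Intertrust receive professional training so that they can handle personal data securely and with the utmost respect, and they keep your personal data strictly confidential. Staff members are authorised to access personal data only to the extent necessary to serve the applicable legitimate purposes for which Intertrust processes the data and to perform their job.

Intertrust will not divulge client information to a third party unless we have received explicit client authorisation or the disclosure is required by law.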

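Changes to this notice

Intertrust may update this Privacy Notice from time to time. We advise you to review this Privacy Notice periodically to stay informed of how Intertrust is protecting your privacy.

Contact Intertrust/Data Protection Officer

If you have any questions, concerns or complaints about this Privacy Notice, the way Intertrust handles your privacy or any rights you wish to exercise, please contact the Data Protection Officers mentioned in Annex 1 to this notice.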

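Annex 1 – Contact information Data Protection Officer

For Group:
Corneel Ryde – [email protected]

For Jersey:
Yezdi Patel – [email protected]

For Guernsey:
Ben Looijenga – [email protected]

For Cayman:
Rhona Sambula – [email protected]

For the United Arab Emirates:
Joanne Sweeney – [email protected]

For Switzerland:
Maria Bomrad – [email protected]

Data controllers in Switzerland: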

  • Intertrust (Suisse) S.A.
  • Intertrust Services (Schweiz) A.G.
  • Intertrust Suisse Trustee GmbH
  • Intertrust Services (Liechtenstein) Trust Reg.
  • Intertrust Director (Malta) Limited
  • Intertrust Nominees Limited
  • Directo S.A.
  • Edelweiss (Directors) Limited