EU Privacy Notice

This EU Privacy Notice (this “EU Privacy Notice”) applies to the extent that EU Data Protection Legislation (as defined below) applies to the processing of personal data by an Authorized Entity (as defined below) or to the extent that a data subject is a resident of the United Kingdom (the “UK”), the European Union (the “EU”) or the European Economic Area (the “EEA”). If this EU Privacy Notice applies, the data subject has certain rights with respect to such personal data, as outlined below.   

For this EU Privacy Notice, “EU Data Protection Legislation” means all applicable legislation and regulations relating to the protection of personal data in force from time to time in the EU, the EEA or the UK, including the following: the Data Protection Directive (95/46/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Data Protection (Processing of Sensitive Personal Data) Order 2000, any other legislation that implements any other current or future legal act of the EU concerning the protection and processing of personal data (including Regulation (EU) 2016/679 (the General Data Protection Regulation) and any national implementing or successor legislation) and any amendment or re-enactment of the foregoing. The terms “data controller,” “data processor,” “data subject,” “personal data” and “processing” in this EU Privacy Notice shall be interpreted in accordance with the applicable EU Data Protection Legislation.  Unless the context otherwise requires, as used herein the words “include,” “includes” and “including” shall be deemed to be followed by the phrase “without limitation.”  All references to “user(s)” in this EU Privacy Notice shall be to such actual or potential user(s) of the website.  

Please direct any questions arising out of this EU Privacy Notice to privacy@pontoro.com.  

Categories of personal data collected and lawful bases for processing 

Pontoro and its respective affiliates and, in each case, their respective administrators, legal and other advisors and agents (the “Authorized Entities”) collect, record, store, adapt and otherwise process and use personal data, either relating to users or to any other data subjects, including from the following sources:  

• information captured on any Authorized Entity’s website and any information provided through online forms and any information captured via “cookies” 

Any Authorized Entity may process the following categories of personal data: 

• names, dates of birth and birth place;  

• contact details and professional addresses (including physical addresses, email addresses and telephone numbers);  

• account data and other information contained in any document provided by users to the Authorized Entities (whether directly or indirectly); 

• information regarding your use of our website (e.g., cookies, browsing history and/or search history); and 

• information regarding a user’s citizenship and location of residence; 

Any Authorized Entity may, in certain circumstances, combine personal data it receives from a user with other information that it collects from or about such user. This will include information collected in an online or offline context.   One or more of the Authorized Entities are “data controllers” of personal data collected in connection with the Partnership. In simple terms, this means such Authorized Entities: (a) “control” the personal data that they or other Authorized Entities collect from users or other sources; and (b) make certain decisions on how to use and protect such personal data. 

Purpose of processing 

The applicable Authorized Entities process the personal data for the following purposes (and in respect of paragraphs (1), (2) and (4), in the legitimate interests of the Authorized Entities):  

• Ongoing communication with users that reach out to the Authorized Entities.  

• The ongoing administrative, accounting, reporting and other processes and communications required to operate the business of the Authorized Entities.  

• Any legal or regulatory requirement. 

• Keeping users informed about the business of the Authorized Entities.  

• Any other purpose for which notice has been provided, or has been agreed to, in writing. 

The Authorized Entities monitor communications where the law requires them to do so. The Authorized Entities also monitor communications, where required to do so, to comply with regulatory rules and practices and, where not prohibited to do so, to protect their respective businesses and the security of their respective systems. 

Sharing and transfers of personal data 

In addition to disclosing personal data amongst themselves, any Authorized Entity may disclose personal data, where not prohibited by EU Data Protection Legislation, to other service providers, employees, agents, contractors, consultants, professional advisors, lenders, data processors and persons employed and/or retained by them in order to fulfill the purposes described in this EU Privacy Notice. In addition, any Authorized Entity may share personal data with regulatory bodies having competent jurisdiction over them, as well as with tax authorities, auditors and tax advisors (where necessary or advisable to comply with law). Any Authorized Entity may transfer personal data to a Non-Equivalent Country (as defined below), in order to fulfill the purposes described in this EU Privacy Notice and in accordance with applicable law.  For information on the safeguards applied to such transfers, please contact Pontoro.  For the purposes of this EU Privacy Notice, “Non-Equivalent Country” shall mean a country or territory other than (a) a member state of the EEA; or (b) a country or territory which has at the relevant time been decided by the European Commission in accordance with EU Data Protection Legislation to ensure an adequate level of protection for personal data. 

Retention and security of personal data  

Pontoro and its affiliates consider the protection of personal data to be a sound business practice, and to that end, employ appropriate technical and organizational measures, including physical, electronic and procedural safeguards to protect personal data in their possession or under their control. 

Personal data may be kept for as long as it is required or advisable for legitimate business purposes, to perform contractual obligations or, where longer, as long as is required to comply with applicable legal or regulatory obligations.  

Data Subject Rights 

It is acknowledged that, subject to applicable EU Data Protection Legislation, the data subjects to which personal data relates have the following rights under EU Data Protection Legislation: to obtain information about, or (where applicable) withdraw any consent given in relation to, the processing of their personal data; to access and receive a copy of their personal data; to request rectification of their personal data; to request erasure of their personal data; to exercise their right to data portability; and to exercise their right not to be subject to automated decision-making. Please note that the right to erasure is not absolute, and it may not always be possible to erase personal data on request, including where the personal data must be retained to comply with a legal obligation.  

In case a data subject to whom personal data relate disagrees with the way in which his or her personal data is being processed, the data subject has the right to object to this processing of personal data and request restriction of the processing. The data subject may also lodge a complaint with the competent data protection supervisory authority in the relevant jurisdiction.   

A data subject may raise any request relating to the processing of his or her personal data with Pontoro at the contact information provided above.