September 2023
The scope of this Policy is to establish the principles surrounding the handling and treating of Personal Data. For the purposes of this Policy, LAURION GROUP has considered national and international applicable regulations and conventions, adjusting them to the particular needs of its business, in line with consumer protection, individual rights protection and the Corporate Governance Policy of LAURION GROUP. This Policy shall therefore apply to all affiliated and participated companies of Laurion Group, and the obligations derived herewith shall extend to its service providers and stakeholders.
- OBJECTIVE
This Policy’s main goal is to make known the way in which it obtains, treats, processes and protects Personal Data from its stakeholders during the tenancy of its relation, including what happens after said relation is terminated.
Therefore, this Policy shall detail the way in which LAURION GROUP acts towards meeting these objectives. Please note this protocol applies solely to individuals, not to legal entities. Legal entities of which LAURION must legally or contractually maintain secrecy shall be subject directly to the Corporate Governance.
- SCOPE
This Policy shall apply to all employees of LAURION GROUP, including employees and members of its affiliated and participated companies. It shall extend to external service providers in case of conflict between their policies and this Policy, in case the former offers a lesser degree of protection. In case where other companies of LAURION GROUP have their own Privacy Policy, that shall prevail. However, there shall be a process in place to assist with the resolution of potential conflicts. The responsibility for documenting said conflict shall solely rest with LAURION GROUP.
- APPLICABLE LAW
This Policy considers the following applicable law:
Regulation (UE) 2016/679 of the European Parliament and of the Council, from the 27th of April, regarding the protection of individuals in terms of Data Protection and free movement of this data (GPRD).
- PERSONAL DATA TREATMENT
4.1. Definition of Personal Data
Personal Data refers and includes all information regarding an individual, whose identity may be determined, either directly or indirectly, by a series of identifiers (the “Identifiers”) including, but not limited to, physical appearance, genetic characteristics, physiology, economical situation, cultural or social background or other elements that, not included herein, are or may be usually identifiable in regards to an individual. In addition, these identifiers include information that has been either anonymized, encrypted or presented with a pseudonym, but that, when used with additional elements, can identify an individual.
Identifiers can be categorized according to its nature; as such, we have classified them, not exclusively, as: • Identification Identifiers: those that refer to name, surname, identification documents or driver license, social security numbers, phones (mobile and landline), residence, address, email, photos or audio notes.
- Social Identifiers: those that refer to properties, tastes, lifestyle, social media or public forums, clubs or other public or private collectives.
- Personal Identifiers: those that refer to dates, places, birth date, age, civil status, family details, etc. • Academics and training identifiers: those that refer to academic achievements or other type or formal and informal qualifications.
- Professional and employment identifiers: those that refer to working experience, position or any other work-related matter (including details related to workplace), unions or others. • Economical and financial identifiers: those that refer to banking details, credit details, assets, liabilities, estate, pension plans, savings or other financial details.
- Medical and Health Identifiers: those that refer to data contained in clinical profiles, medical history, and other health related details.
- Administration and law identifiers: those that refer to judicial, legal or administrative procedures. • Social Identifiers: those that refer to public subsidies, grants or other public disbursements. • IP Address Identifiers: those that allow IP address to be identified, with the consequences it has, including
- Trade Identifiers: those that refer to trade, commerce and industry.
The terminology used above is not extensive nor does it exclude any other elements that have or may have the ability to identify individuals. The identifiers referred to above shall be extended in accordance with applicable law, in order to protect fully personal data of Laurion’s stakeholders. All personal data collected and processed by Laurion shall be treated in accordance with this Policy, being awarded full protection in the terms of the applicable law.
4.2. Especially sensitive data (Personal Data)
Some Personal Data is awarded special protection due to its sensitive character. This Personal Data includes public liberties, political views, intimacy and fundamental rights.
As such, in accordance with Regulation (EU) 2016/679, sections 9, numbers 51 to 56, the Personal Data below shall be awarded special protection and its treatment is limited in accordance with applicable law. Laurion Group shall not process this data unless said process is considered legitimate and fit for purposes; in this case, Laurion Group shall pay special due and care to this Data in line with its sensitivity.
Especially Sensitive Data includes:
– Race and ethnicity
– Political views and affiliation
– Beliefs and religious views
– Sexual life, orientation and preference
– Union affiliation
– Health related data
– Genetic data
– Biometric data
– Criminal record
For the avoidance of doubt, LAURION GROUP does not collect Sensitive Personal Data, apart from criminal records for the purposes of background check of its employees.
4.3. Personal Data Treatment Principals
LAURION GROUP, including its affiliated and participated companies, commit fully to comply with the applicable regulation in terms of Personal Data protection and privacy policy, in the terms of this Policy. As such, LAURION shall implement and effectively apply each one of the principles contained herein, both prior to and during the relationship between Laurion and its clients, including private individuals and companies.
These principles shall apply in full to the way Laurion treats and processes data and may be exercised by the relevant parties in the terms and conditions set herein.
Principle of Legitimacy, Legality and Loyalty
Personal Data collection, processing and treatment shall be legitimate, legal and loyal, in accordance with applicable regulation. Personal Data can only be collected for purposes that are (a) determined, (b) explicit, (c) clear and (d) legitimate, and must not, in any way, be treated in a way that is inconsistent with the above, or inconsistent with the purpose they have been requested for. Personal Data may only be collected when clear consent is given.
Legitimacy of Treatment
Treatment of Personal Data shall be legitimate, and based on the below:
– Consent: subjects must give their consent prior to Personal Data being collected and treated; – Contractual: Personal Data may be subject to contractual obligations, in line with consent above; and – Legal Obligation: treatment may result of a legal obligation of LAURION GROUP, in which case consent will be requested at the time of the contract;
Loyalty of Treatment
Personal Data treatment shall always be done in accordance with the principle of loyalty, and always in the best interest of the subjects. Personal Data shall be treated in accordance with the legitimate expectations of the stakeholders for known purposes and in full transparency. LAURION GROUP shall inform its stakeholders of the means it uses for treatment, what it does with Personal Data and what grievance means are available for complaints.
To summarize the duties of the Data Protection Officer, he/she must act in accordance with the below guidelines:
– Duty to maintain records of all activities connected with treatment and processing; – Duty to ensure access of interested parties to data held on their behalf;
– Duty to notify any changes in security access or breaches that may suppose a risk to the material interests of the stakeholders;
– Duty to keep records, if applicable, of the opinion of the stakeholders; and
– Duty to inform all stakeholders of the data collection, at the time of the start of the relationship as well as during treatment.
Principle of minimum inference
According to this principle, LAURION GROUP collects as little Personal Data as possible, always bearing in mind the need to protect stakeholders’ interest. Therefore, Personal Data that is collected must be adequate,
fit for purpose and limited to the contractual and legal needs of LAURION GROUP, in accordance with the expectations of the stakeholders.
Therefore, the Data Protection Officer shall, at all times, try to obtain and use the least possible information from stakeholder to comply with its duties. This means:
– Limitation of data that is collected;
– Scope of treatment;
– Time of holding and goals; and
– Persons with access to the Data.
Principle of limited scope
Limited scope principle goes hand in hand with minimum data requirements. Data shall be collected solely for the purposes of the relation between LAURION GROUP and the stakeholder, any other uses being forbidden and illegal. For the avoidance of doubt, personal data can be used when anonymized by means of pseudonymization in a way sufficient to prevent identification of individual stekholders.
Any other use by any other means shall be sanctioned both internally and externally.
Principle of data accuracy
Personal Data must be accurate and correct at all times; stakeholders are advised to keep their personal data updated at all times and inform LAURION GROUP of any changes in their details that may affect their relationship. The Data Protection Officer shall envisage the ways in which this can be achieved, namely by establishing procedures that periodically confirm data held, its accuracy and correction.
Principle of Integrity and Confidentiality
The Data Protection Officer, as well as any other persons involved with processing Personal Data, must, at all times, keep Data processed confidential without limitation. This implies security and safety of all data, including duty to physically store Personal Data in a safe room, with limited access and adequate solutions for the encryption and safeguard of said data.
In accordance with the law and the Corporate Governance of LAURION GROUP, the principle of confidentiality is paramount and must be observed with special diligence at all times. To ensure this, there is limited access to Personal Data and any breach is treated as a serious offence by the Data Protection Officer.
To deal with breaches, the Data Protection Officer shall:
– Identify the fundamental rights of stakeholders that are at risk of being breached; – Identify, analyse and evaluate the risks;
– Define and setup systems and controls; and
– Follow up on any breaches.
Principle of transparency
LAURION GROUP’s pillar is transparency. In light of this, Personal Data we store shall be kept safe by the Data Protection Officer, it shall be accessible at all times by the relevant interested parties and it shall be treated in a fair way.
Information shall be:
– Concise, transparent, accurate and ready accessible;
– Information shall be transmitted in a clear and non-misleading way; and
– Information can be conveyed to an interest party in any means admissible upon request. The principles above shall be applicable to the Data Protection Officer and to all persons in LAURION GROUP. The Data Protection Officer shall keep a detailed record of all activities that imply the use and transmission of personal data, facilitating stakeholders all the information gathered about them (unless otherwise bared by applicable law) as well as any event concerning their data subject to a threat or eminent default of duties.
For the purposes of this Data Protection Policy:
The Data Protection Officer is Laia Gonzalez Exposito.
Ms Laia can be contacted via email at lge@lauriongroup.com
Or by post at 63-65 Rue de Merl, L-2146 Luxembourg (Luxembourg) for any questions. Stakeholders have a right to present a complaint in accordance with this Policy, which should be directed at the Data Protection Officer. LAURION GROUP shall confirm, in writing, to all stakeholders: – Purposes of treatment of Personal Data;
– Length of holding said Data;
– Rights of stakeholders, including withdrawal of consent and consequences of said withdrawal; – Rights of access, confirmation, rectification and right to be forgotten.
The rights above shall not imperil the legal rights of LAURION GROUP in the regular course of business. Apart from the information as above, stakeholders have the right to:
– Be made aware of the identity of the Data Protection Officer, as current as possible; – To whom Data has been transferred and the reasons why;
– International transfers, in case they exist; and
– Communication of Personal Data that may harm or imperil the standing of the stakeholders. Please note, as per above, the rights of stakeholders shall not imperil nor harm the rights and duties of LAURION GROUP in the regular course of business. Here on out, LAURION GROUP is able, and shall,
keep records of its stakeholders for the fulfilments of its legal obligations under the services it provides, in accordance with the Terms of Business. This Data Protection Policy is, in accordance with the Terms of Business, integral part of the Corporate Governance Policy of the Group.
Principle of limitation of holding
As explained above, Personal Data shall be kept for as little time as possible as part of the duty of minimum interference and protection of stakeholders.
For the avoidance of doubt, please note that:
– Personal Data of Investors shall be kept for the duration of investment and five years thereafter; – Personal Data of potential business partners with whom non-disclosure agreements have been signed shall be destroyed upon request, or 5 years after the date of the agreement;
– Personal Data of former employees shall be kept for 5 years, although public data must be removed immediately from any public presentations from the Group.
Any breach of this principle may give way to remedies from the stakeholders using the appropriate means at their disposal.
Personal Data must be accurate, up to date and fit for purpose. Termination of a relationship is the opposite of all this; therefore, it ceases the legitimacy of LAURION GROUP to treat said Data. The Data referred to above shall be kept privately, solely accessible to public authorities and administration. No public access can be given, and no person other than the Data Protection Officer may access said Data under penalty of breach, both legal and corporate.
Principle of accountability
Principle of accountability involves all principles above and fits with the core of LAURION GROUP’s values. Only by being accountable may LAURION ensure the protection of Personal Data in accordance with the spirit of the law. LAURION shall keep a detailed register of the evolution of Personal Data treatment and learn from any lessons, breaches or suggestions from its stakeholders. The Data Protection Officer, together with Compliance, shall enforce this principle.
- Risk based approach
LAURION follows a risk-based approach to ensure compliance with the applicable principles. Different activities bear different risks, and no one solution serves all scenarios. Stakeholder protection is paramount and achieved using a proactive and accountable approach, where there is a register of all actions and an active compliance conduct to protect personal data as a fundamental part of one’s rights. By having a risk
based approach LAURION may dedicate more time and resources to situations that are, by default, riskier.
- PERSONAL DATA TREATMENT
Consent
In order to collect and treat Personal Data, LAURION GROUP must obtain consent of the stakeholders. Consent must be clear and given freely, covering all purposes for which Data is being collected. LAURION GROUP does not admit tacit consent, unless in those situations where clear consent implies tacit consent for specific purposes.
Consent must be:
– Clear, positive and given freely for the purpose to which is has been requested; – Limited to the scope of use, not admitting any other use;
– Limited to the use of LAURION GROUP, even if LAURION GROUP delegates certain functions and responsibilities on to third parties; and
– Not transmissible to third parties.
Stakeholders may withdraw their consent at any time, although such withdraw may limit the services provided by LAURION, and never to the detriment of LAURION pursuing legal action and remedies against any illegal action or omission.
Data Protection Officer
LAURION GROUP shall process all Personal Data in house, going to third parties only in the following situations:
– Verification of identity, using third party software and platforms legally allowed and with protections in place to avoid breaches;
– Verification of PEP status, inclusion in sanctions lists, debt lists, financial lists or other situations that may imperil or prevent the business relationship between LAURION and the stakeholder; – Processing of payments, receipts and other financial transactions and tax, which may include sharing details with banking and financial institutions, tax officers, accountants, lawyers and other service providers; – Legal advice for managing the business relationship.
LAURION GROUP shall undergo due diligence and verify that service providers named above, or referred to above, shall keep a sufficiently robust privacy policy, and that Personal Data shall be treated in line with this Policy herein. The Data Protection Officer shall keep a detailed record of all Data transfers and inform stakeholders of any breaches.
The Data Protection Officer is hereby responsible for the communication of any breaches to the authorities (and to the stakeholders).
In case of breach, the communication to the authorities and stakeholders shall contain, at least:
a) Description of the nature of the breach, including, when applicable, the types of data at stake and the number of stakeholders that were affected;
b) Name and contact details of the Data Protection Officer or any other applicable contact details; c) Description of the possible or foreseeable consequences of the Personal Data breach; d) Description of the remedies taken, or about to be taken, to address the situation, actions to mitigate risk and changes in the Policy to prevent the error.
Please note these must be sent either at the same time or as events unfold.
Audit & Controls
The Data Protection Officer may, in accordance with the accountability herein, request and undergo audits and periodically control the treatment of Data performed by LAURION GROUP, its affiliated and participated companies, as well as employees from the GROUP.
5.1 Confidentiality
As per above, Personal Data must be kept confidential at all times. No party or person related to LAURION GROUP may divulge the contents of Personal Data, nor use Data for which it hasn’t been authorized. Especially, Personal Data such as KYC & CDD data, as per the Terms of Business, shall be awarded special protection meaning that personal data collected for the purposes therein shall be treated with special due care.
The Data Protection Officer shall keep detailed information on how this Data is handled and protected, reporting periodically under the Compliance Program to ensure a proper treatment based on risk.
5.2 Security Measures
LAURION GROUP, under direction of the Data Protection Officer, shall adopt, update and keep the procedures, mechanisms and technical means to guarantee the security and safety of Personal Data, in line with the accountability principle to which LAURION is submitted.
These measures must be in line with the protection awarded to Personal Data, and, in all cases, ensure the proper confidentiality and integrity of Data. Such measures must include, but are not limited to: Physical measures, whereby hard copies of documentation are kept in a separate and privately accessible storage room;
Technological measures, whereby soft copies of documents are stored under passwords, private access and safety copies are done; and
Culture measures, where all personnel of LAURION understands the sensitivity of handling Data and acts accordingly.
5.3 Information regarding Data sharing
LAURION GROUP does not usually share Personal Data with third parties. It may, however, share information with third parties for the purposes of the fulfilment of is duties, such as verification of identity, source of funds, suitability and other KYC & AML duties in line with the Corporate Governance Policy. Please note LAURION GROUP may share Data with third parties provided these are for scientific, statistic and historical purposes.
Laurion shall keep a detailed register of all parties with whom it has shared Data, incuding, but not limited to, the details below:
– Identity of the persons with whom the Data is shared;
– Address of the persons with whom Data is shared;
– Date of sharing (or date of the contract, if sharing is done on a continuous basis); – Reason for sharing;
– Consent (whether clear or tacit); and
– Any other reason worth disclosing.
Stakeholders
All stakeholders may exercise their rights without limitation.
In this way, LAURION GROUP, applying the concepts of this Policy, provides its stakeholders with the tools to exercise their rights, as per below:
– Stakeholders may exercise their rights either directly or via a representative;
– Stakeholders may exercise their rights, but must be respectful of the law and applicable regulations; – stakeholders may not, in the exercise of their rights, harm the interests of other stakeholders; and – Stakeholders have the right to complain if they believe to have been mistreated by LAURION. The Data Protection Officer will act on the best interest of the Stakeholders without limitation, being given independence and autonomy by LAURION to act is such a way.
5.4 Rights of the Stakeholders
Right of Information
Stakeholders may request LAURION GROUP access to all their Data that is held by the GROUP, including the treatment being done and any transfers to third parties if applicable. LAURION shall at all times comply
with this request provided it is not otherwise barred by applicable law. In some situations, LAURION GROUP may withhold information related to specific subjects, provided such answers is done in accordance with the law.
When Laurion provides information to its stakeholders, it does not have to include information obtained from third parties, unless it believes it to be protective towards the stakeholder.
Laurion must provide:
– The identity and contact details of the Data Protection Officer;
– The purpose of Data collection and its legitimate interest;
– The retention of the Data, its legal grounds and maximum retention time;
– Data held on behalf of the stakeholder;
– Transfers done to third parties, reason of the transfer and international transfers (if any); – Possibility and consequences of withdrawing consent; and
– Right to file a complaint.
In case Data has been obtained via a third party, LAURION must indicate the source and categories of Data.
Right of Access
Stakeholders have the right to Access the Data being held on their behalf as well as confirm the lawful treatment of said Data. This right must not influence negatively the rights of others. Stakeholders may:
– Obtain from Laurion the Data held, and the manner in which Data is being treated, which must include: a) Purpose of treatment;
b) Types of Data being collected and treated;
c) Persons with whom Data has been shared, if applicable;
d) Retention of Data timeline, as well as applicable reasoning;
e) Right of correction and modification;
f) Right to file a complaint; and
g) Any other relevant info.
LAURION commits to deliver the information above within one month and allow stakeholders to exercise their rights free of charge. In some cases, LAURION may take two more months in processing the request of its stakeholders, if the complexity of the situations so requires.
Right to modification
Stakeholders may exercise the right to modification and rectification of Personal Data for all Data held on their behalf by Laurion Group. This includes the right to be forgotten, as per below. Laurion shall make available to all stakeholders the modification of Personal Data, as well as its correction and accuracy. Stakeholders are reminded to keep their Data updated and corrected at all times. The Data Protection Officer shall take all reasonable steps to ensure stakeholders have easy access to data and may correct it at their will.
Additionally, the Data Protection Officer shall periodically contact stakeholders to ensure Data is correct and kept up to date.
Right to withdraw consent, remove data and cancel treatment
Stakeholders may exercise their rights to withdraw or remove consent, and request LAURION to cancel any treatment of Personal Data, that shall act on said request without undue delay. Removal can be done based on:
– Personal Data is no longer necessary of fit for purposes;
– Stakeholders withdraw their consent; and
– There is no a legal obligation to keep Data stored.
Right to be forgotten
The right to be forgotten is connected with the withdrawal of consent from stakeholders to have their Data treated.
Stakeholders may address Laurion to get their Data removed from Laurion’s files at any time. This shall automatically imply withdrawal of consent and request of cancelation.
Laurion does not public information and keep Personal Data confidential. Therefore, Laurion should be able to, after the request is done and the legal timeframes are complied with, delete information of the specific stakeholder.
5.5 Exercise of rights
The Data Protection Officer must inform all clients and potential clients of the means at their disposal to exercise their rights. These means should be easily accessible and present no limitations as well as be available in all documentation.
To exercise their rights, stakeholders must email compliance@lauriongroup.com or contact the Data Protection Officer using details below.
LAURION GROUP
63-65 Rue de Merl, L-2146 Luxembourg (Luxembourg)
- REVIEWS AND UPDATES
Compliance shall be responsible for reviewing and update this Policy as the case may be. Reviews and updates shall include any new applicable regulations and should be understood as a mean to protect Personal Data of Laurion’s stakeholders and not as a mere tick box exercise, in line with Laurion’s values.
Prior to launching any new products, Laurion shall review the impact any Personal Data request (whether new or updated) may have in accordance with this Policy.
- IMPLEMENTATION
In accordance with this Policy, Compliance shall be responsible for implementing these precepts, and provide, in accordance with senior management, training and awareness to the staff of Laurion Group. This Policy is fully part of the Corporate Governance of Laurion and, as such, its observance is fully required by all stakeholders of Laurion, including partners and service providers. Service providers may be dismissed from complying with this Policy if they are legally obliged to comply with EU Regulations in place.