Laurion Group | Privacy Policy
page-template-default,page,page-id-15531,ajax_fade,page_not_loaded,,qode-title-hidden,qode-theme-ver-16.8,qode-theme-bridge,hide_inital_sticky,disabled_footer_top,disabled_footer_bottom,wpb-js-composer js-comp-ver-5.5.2,vc_responsive

Privacy Policy

September 2023  


The scope of this Policy is to establish the principles surrounding the handling and treating of Personal Data.  For the purposes of this Policy, LAURION GROUP has considered national and international applicable  regulations and conventions, adjusting them to the particular needs of its business, in line with consumer  protection, individual rights protection and the Corporate Governance Policy of LAURION GROUP. This  Policy shall therefore apply to all affiliated and participated companies of Laurion Group, and the obligations  derived herewith shall extend to its service providers and stakeholders. 



This Policy’s main goal is to make known the way in which it obtains, treats, processes and protects Personal  Data from its stakeholders during the tenancy of its relation, including what happens after said relation is  terminated. 

Therefore, this Policy shall detail the way in which LAURION GROUP acts towards meeting these objectives.  Please note this protocol applies solely to individuals, not to legal entities. Legal entities of which LAURION  must legally or contractually maintain secrecy shall be subject directly to the Corporate Governance. 


  1. SCOPE 

This Policy shall apply to all employees of LAURION GROUP, including employees and members of its  affiliated and participated companies. It shall extend to external service providers in case of conflict between  their policies and this Policy, in case the former offers a lesser degree of protection. In case where other companies of LAURION GROUP have their own Privacy Policy, that shall prevail.  However, there shall be a process in place to assist with the resolution of potential conflicts. The  responsibility for documenting said conflict shall solely rest with LAURION GROUP. 



This Policy considers the following applicable law: 

Regulation (UE) 2016/679 of the European Parliament and of the Council, from the 27th of April, regarding  the protection of individuals in terms of Data Protection and free movement of this data (GPRD). 



4.1. Definition of Personal Data 

Personal Data refers and includes all information regarding an individual, whose identity may be determined,  either directly or indirectly, by a series of identifiers (the “Identifiers”) including, but not limited to, physical  appearance, genetic characteristics, physiology, economical situation, cultural or social background or other  elements that, not included herein, are or may be usually identifiable in regards to an individual. In addition,  these identifiers include information that has been either anonymized, encrypted or presented with a  pseudonym, but that, when used with additional elements, can identify an individual. 

Identifiers can be categorized according to its nature; as such, we have classified them, not exclusively, as: Identification Identifiers: those that refer to name, surname, identification documents or driver  license, social security numbers, phones (mobile and landline), residence, address, email, photos  or audio notes. 

  • Social Identifiers: those that refer to properties, tastes, lifestyle, social media or public forums, clubs  or other public or private collectives. 
  • Personal Identifiers: those that refer to dates, places, birth date, age, civil status, family details, etc. Academics and training identifiers: those that refer to academic achievements or other type or  formal and informal qualifications. 
  • Professional and employment identifiers: those that refer to working experience, position or any  other work-related matter (including details related to workplace), unions or others. Economical and financial identifiers: those that refer to banking details, credit details, assets,  liabilities, estate, pension plans, savings or other financial details. 
  • Medical and Health Identifiers: those that refer to data contained in clinical profiles, medical history,  and other health related details. 
  • Administration and law identifiers: those that refer to judicial, legal or administrative procedures. Social Identifiers: those that refer to public subsidies, grants or other public disbursements. IP Address Identifiers: those that allow IP address to be identified, with the consequences it has,  including 
  • Trade Identifiers: those that refer to trade, commerce and industry.

The terminology used above is not extensive nor does it exclude any other elements that have or may have  the ability to identify individuals. The identifiers referred to above shall be extended in accordance with  applicable law, in order to protect fully personal data of Laurion’s stakeholders. All personal data collected  and processed by Laurion shall be treated in accordance with this Policy, being awarded full protection in  the terms of the applicable law. 


4.2. Especially sensitive data (Personal Data) 

Some Personal Data is awarded special protection due to its sensitive character. This Personal Data  includes public liberties, political views, intimacy and fundamental rights. 

As such, in accordance with Regulation (EU) 2016/679, sections 9, numbers 51 to 56, the Personal Data  below shall be awarded special protection and its treatment is limited in accordance with applicable law.  Laurion Group shall not process this data unless said process is considered legitimate and fit for purposes;  in this case, Laurion Group shall pay special due and care to this Data in line with its sensitivity. 

Especially Sensitive Data includes: 

– Race and ethnicity 

– Political views and affiliation 

– Beliefs and religious views 

– Sexual life, orientation and preference 

– Union affiliation 

– Health related data 

– Genetic data 

– Biometric data 

– Criminal record 

For the avoidance of doubt, LAURION GROUP does not collect Sensitive Personal Data, apart from criminal  records for the purposes of background check of its employees. 


4.3. Personal Data Treatment Principals 

LAURION GROUP, including its affiliated and participated companies, commit fully to comply with the  applicable regulation in terms of Personal Data protection and privacy policy, in the terms of this Policy. As  such, LAURION shall implement and effectively apply each one of the principles contained herein, both prior  to and during the relationship between Laurion and its clients, including private individuals and companies. 

These principles shall apply in full to the way Laurion treats and processes data and may be exercised by  the relevant parties in the terms and conditions set herein. 


Principle of Legitimacy, Legality and Loyalty 

Personal Data collection, processing and treatment shall be legitimate, legal and loyal, in accordance with  applicable regulation. Personal Data can only be collected for purposes that are (a) determined, (b) explicit,  (c) clear and (d) legitimate, and must not, in any way, be treated in a way that is inconsistent with the above,  or inconsistent with the purpose they have been requested for. Personal Data may only be collected when  clear consent is given. 


Legitimacy of Treatment 

Treatment of Personal Data shall be legitimate, and based on the below: 

Consent: subjects must give their consent prior to Personal Data being collected and treated; – Contractual: Personal Data may be subject to contractual obligations, in line with consent above; and – Legal Obligation: treatment may result of a legal obligation of LAURION GROUP, in which case consent  will be requested at the time of the contract; 


Loyalty of Treatment 

Personal Data treatment shall always be done in accordance with the principle of loyalty, and always in the  best interest of the subjects. Personal Data shall be treated in accordance with the legitimate expectations  of the stakeholders for known purposes and in full transparency. LAURION GROUP shall inform its  stakeholders of the means it uses for treatment, what it does with Personal Data and what grievance means  are available for complaints. 

To summarize the duties of the Data Protection Officer, he/she must act in accordance with the below  guidelines: 

– Duty to maintain records of all activities connected with treatment and processing; – Duty to ensure access of interested parties to data held on their behalf; 

– Duty to notify any changes in security access or breaches that may suppose a risk to the material interests  of the stakeholders; 

– Duty to keep records, if applicable, of the opinion of the stakeholders; and 

– Duty to inform all stakeholders of the data collection, at the time of the start of the relationship as well as  during treatment. 


Principle of minimum inference 

According to this principle, LAURION GROUP collects as little Personal Data as possible, always bearing in  mind the need to protect stakeholders’ interest. Therefore, Personal Data that is collected must be adequate, 

fit for purpose and limited to the contractual and legal needs of LAURION GROUP, in accordance with the  expectations of the stakeholders. 

Therefore, the Data Protection Officer shall, at all times, try to obtain and use the least possible information  from stakeholder to comply with its duties. This means: 

– Limitation of data that is collected; 

– Scope of treatment; 

– Time of holding and goals; and 

– Persons with access to the Data. 


Principle of limited scope 

Limited scope principle goes hand in hand with minimum data requirements. Data shall be collected solely  for the purposes of the relation between LAURION GROUP and the stakeholder, any other uses being  forbidden and illegal. For the avoidance of doubt, personal data can be used when anonymized by means  of pseudonymization in a way sufficient to prevent identification of individual stekholders. 

Any other use by any other means shall be sanctioned both internally and externally. 


Principle of data accuracy 

Personal Data must be accurate and correct at all times; stakeholders are advised to keep their personal  data updated at all times and inform LAURION GROUP of any changes in their details that may affect their  relationship. The Data Protection Officer shall envisage the ways in which this can be achieved, namely by  establishing procedures that periodically confirm data held, its accuracy and correction. 

Principle of Integrity and Confidentiality 

The Data Protection Officer, as well as any other persons involved with processing Personal Data, must, at  all times, keep Data processed confidential without limitation. This implies security and safety of all data,  including duty to physically store Personal Data in a safe room, with limited access and adequate solutions  for the encryption and safeguard of said data. 

In accordance with the law and the Corporate Governance of LAURION GROUP, the principle of  confidentiality is paramount and must be observed with special diligence at all times. To ensure this, there  is limited access to Personal Data and any breach is treated as a serious offence by the Data Protection  Officer. 

To deal with breaches, the Data Protection Officer shall: 

– Identify the fundamental rights of stakeholders that are at risk of being breached; – Identify, analyse and evaluate the risks; 

– Define and setup systems and controls; and 

– Follow up on any breaches. 


Principle of transparency 

LAURION GROUP’s pillar is transparency. In light of this, Personal Data we store shall be kept safe by the  Data Protection Officer, it shall be accessible at all times by the relevant interested parties and it shall be  treated in a fair way. 

Information shall be: 

– Concise, transparent, accurate and ready accessible; 

– Information shall be transmitted in a clear and non-misleading way; and 

– Information can be conveyed to an interest party in any means admissible upon request. The principles above shall be applicable to the Data Protection Officer and to all persons in LAURION  GROUP. The Data Protection Officer shall keep a detailed record of all activities that imply the use and  transmission of personal data, facilitating stakeholders all the information gathered about them (unless  otherwise bared by applicable law) as well as any event concerning their data subject to a threat or eminent  default of duties. 

For the purposes of this Data Protection Policy: 

The Data Protection Officer is Laia Gonzalez Exposito. 

Ms Laia can be contacted via email at 

Or by post at 63-65 Rue de Merl, L-2146 Luxembourg (Luxembourg) for any questions. Stakeholders have a right to present a complaint in accordance with this Policy, which should be directed at  the Data Protection Officer. LAURION GROUP shall confirm, in writing, to all stakeholders: – Purposes of treatment of Personal Data; 

– Length of holding said Data; 

– Rights of stakeholders, including withdrawal of consent and consequences of said withdrawal; – Rights of access, confirmation, rectification and right to be forgotten. 

The rights above shall not imperil the legal rights of LAURION GROUP in the regular course of business. Apart from the information as above, stakeholders have the right to: 

– Be made aware of the identity of the Data Protection Officer, as current as possible; – To whom Data has been transferred and the reasons why; 

– International transfers, in case they exist; and 

– Communication of Personal Data that may harm or imperil the standing of the stakeholders. Please note, as per above, the rights of stakeholders shall not imperil nor harm the rights and duties of  LAURION GROUP in the regular course of business. Here on out, LAURION GROUP is able, and shall, 

keep records of its stakeholders for the fulfilments of its legal obligations under the services it provides, in  accordance with the Terms of Business. This Data Protection Policy is, in accordance with the Terms of  Business, integral part of the Corporate Governance Policy of the Group. 

Principle of limitation of holding 

As explained above, Personal Data shall be kept for as little time as possible as part of the duty of minimum  interference and protection of stakeholders. 

For the avoidance of doubt, please note that: 

– Personal Data of Investors shall be kept for the duration of investment and five years thereafter; – Personal Data of potential business partners with whom non-disclosure agreements have been signed  shall be destroyed upon request, or 5 years after the date of the agreement; 

– Personal Data of former employees shall be kept for 5 years, although public data must be removed  immediately from any public presentations from the Group. 

Any breach of this principle may give way to remedies from the stakeholders using the appropriate means  at their disposal. 

Personal Data must be accurate, up to date and fit for purpose. Termination of a relationship is the opposite  of all this; therefore, it ceases the legitimacy of LAURION GROUP to treat said Data. The Data referred to above shall be kept privately, solely accessible to public authorities and administration.  No public access can be given, and no person other than the Data Protection Officer may access said Data  under penalty of breach, both legal and corporate. 


Principle of accountability 

Principle of accountability involves all principles above and fits with the core of LAURION GROUP’s values.  Only by being accountable may LAURION ensure the protection of Personal Data in accordance with the  spirit of the law. LAURION shall keep a detailed register of the evolution of Personal Data treatment and  learn from any lessons, breaches or suggestions from its stakeholders. The Data Protection Officer, together  with Compliance, shall enforce this principle. 

  • Risk based approach 

LAURION follows a risk-based approach to ensure compliance with the applicable principles. Different  activities bear different risks, and no one solution serves all scenarios. Stakeholder protection is paramount  and achieved using a proactive and accountable approach, where there is a register of all actions and an  active compliance conduct to protect personal data as a fundamental part of one’s rights. By having a risk 

based approach LAURION may dedicate more time and resources to situations that are, by default, riskier. 




In order to collect and treat Personal Data, LAURION GROUP must obtain consent of the stakeholders.  Consent must be clear and given freely, covering all purposes for which Data is being collected. LAURION  GROUP does not admit tacit consent, unless in those situations where clear consent implies tacit consent  for specific purposes. 

Consent must be: 

– Clear, positive and given freely for the purpose to which is has been requested; – Limited to the scope of use, not admitting any other use; 

– Limited to the use of LAURION GROUP, even if LAURION GROUP delegates certain functions and  responsibilities on to third parties; and 

– Not transmissible to third parties. 

Stakeholders may withdraw their consent at any time, although such withdraw may limit the services  provided by LAURION, and never to the detriment of LAURION pursuing legal action and remedies against  any illegal action or omission. 


Data Protection Officer 

LAURION GROUP shall process all Personal Data in house, going to third parties only in the following  situations: 

– Verification of identity, using third party software and platforms legally allowed and with protections in place  to avoid breaches; 

– Verification of PEP status, inclusion in sanctions lists, debt lists, financial lists or other situations that may  imperil or prevent the business relationship between LAURION and the stakeholder; – Processing of payments, receipts and other financial transactions and tax, which may include sharing  details with banking and financial institutions, tax officers, accountants, lawyers and other service providers; – Legal advice for managing the business relationship. 

LAURION GROUP shall undergo due diligence and verify that service providers named above, or referred  to above, shall keep a sufficiently robust privacy policy, and that Personal Data shall be treated in line with  this Policy herein. The Data Protection Officer shall keep a detailed record of all Data transfers and inform  stakeholders of any breaches. 

The Data Protection Officer is hereby responsible for the communication of any breaches to the authorities  (and to the stakeholders). 

In case of breach, the communication to the authorities and stakeholders shall contain, at least:

a) Description of the nature of the breach, including, when applicable, the types of data at stake and the  number of stakeholders that were affected; 

b) Name and contact details of the Data Protection Officer or any other applicable contact details; c) Description of the possible or foreseeable consequences of the Personal Data breach; d) Description of the remedies taken, or about to be taken, to address the situation, actions to mitigate risk  and changes in the Policy to prevent the error. 

Please note these must be sent either at the same time or as events unfold. 


Audit & Controls 

The Data Protection Officer may, in accordance with the accountability herein, request and undergo audits  and periodically control the treatment of Data performed by LAURION GROUP, its affiliated and participated  companies, as well as employees from the GROUP. 


5.1 Confidentiality 

As per above, Personal Data must be kept confidential at all times. No party or person related to LAURION  GROUP may divulge the contents of Personal Data, nor use Data for which it hasn’t been authorized. Especially, Personal Data such as KYC & CDD data, as per the Terms of Business, shall be awarded special  protection meaning that personal data collected for the purposes therein shall be treated with special due  care. 

The Data Protection Officer shall keep detailed information on how this Data is handled and protected,  reporting periodically under the Compliance Program to ensure a proper treatment based on risk. 


5.2 Security Measures 

LAURION GROUP, under direction of the Data Protection Officer, shall adopt, update and keep the procedures, mechanisms and technical means to guarantee the security and safety of Personal Data, in line  with the accountability principle to which LAURION is submitted. 

These measures must be in line with the protection awarded to Personal Data, and, in all cases, ensure the  proper confidentiality and integrity of Data. Such measures must include, but are not limited to: Physical measures, whereby hard copies of documentation are kept in a separate and privately accessible  storage room; 

Technological measures, whereby soft copies of documents are stored under passwords, private access  and safety copies are done; and 

Culture measures, where all personnel of LAURION understands the sensitivity of handling Data and acts  accordingly. 


5.3 Information regarding Data sharing 

LAURION GROUP does not usually share Personal Data with third parties. It may, however, share  information with third parties for the purposes of the fulfilment of is duties, such as verification of identity,  source of funds, suitability and other KYC & AML duties in line with the Corporate Governance Policy. Please note LAURION GROUP may share Data with third parties provided these are for scientific, statistic  and historical purposes. 

Laurion shall keep a detailed register of all parties with whom it has shared Data, incuding, but not limited  to, the details below: 

– Identity of the persons with whom the Data is shared; 

– Address of the persons with whom Data is shared; 

– Date of sharing (or date of the contract, if sharing is done on a continuous basis); – Reason for sharing; 

– Consent (whether clear or tacit); and 

– Any other reason worth disclosing. 



All stakeholders may exercise their rights without limitation. 

In this way, LAURION GROUP, applying the concepts of this Policy, provides its stakeholders with the tools  to exercise their rights, as per below: 

– Stakeholders may exercise their rights either directly or via a representative; 

– Stakeholders may exercise their rights, but must be respectful of the law and applicable regulations; – stakeholders may not, in the exercise of their rights, harm the interests of other stakeholders; and – Stakeholders have the right to complain if they believe to have been mistreated by LAURION. The Data Protection Officer will act on the best interest of the Stakeholders without limitation, being given  independence and autonomy by LAURION to act is such a way. 


5.4 Rights of the Stakeholders 

Right of Information 

Stakeholders may request LAURION GROUP access to all their Data that is held by the GROUP, including  the treatment being done and any transfers to third parties if applicable. LAURION shall at all times comply 

with this request provided it is not otherwise barred by applicable law. In some situations, LAURION GROUP  may withhold information related to specific subjects, provided such answers is done in accordance with the  law. 

When Laurion provides information to its stakeholders, it does not have to include information obtained from  third parties, unless it believes it to be protective towards the stakeholder. 

Laurion must provide: 

– The identity and contact details of the Data Protection Officer; 

– The purpose of Data collection and its legitimate interest; 

– The retention of the Data, its legal grounds and maximum retention time; 

– Data held on behalf of the stakeholder; 

– Transfers done to third parties, reason of the transfer and international transfers (if any); – Possibility and consequences of withdrawing consent; and 

– Right to file a complaint. 

In case Data has been obtained via a third party, LAURION must indicate the source and categories of Data. 


Right of Access 

Stakeholders have the right to Access the Data being held on their behalf as well as confirm the lawful  treatment of said Data. This right must not influence negatively the rights of others. Stakeholders may: 

– Obtain from Laurion the Data held, and the manner in which Data is being treated, which must include: a) Purpose of treatment; 

b) Types of Data being collected and treated; 

c) Persons with whom Data has been shared, if applicable; 

d) Retention of Data timeline, as well as applicable reasoning; 

e) Right of correction and modification; 

f) Right to file a complaint; and 

g) Any other relevant info. 

LAURION commits to deliver the information above within one month and allow stakeholders to exercise  their rights free of charge. In some cases, LAURION may take two more months in processing the request  of its stakeholders, if the complexity of the situations so requires. 


Right to modification 

Stakeholders may exercise the right to modification and rectification of Personal Data for all Data held on  their behalf by Laurion Group. This includes the right to be forgotten, as per below. Laurion shall make  available to all stakeholders the modification of Personal Data, as well as its correction and accuracy. Stakeholders are reminded to keep their Data updated and corrected at all times. The Data Protection Officer  shall take all reasonable steps to ensure stakeholders have easy access to data and may correct it at their  will. 

Additionally, the Data Protection Officer shall periodically contact stakeholders to ensure Data is correct and  kept up to date. 


Right to withdraw consent, remove data and cancel treatment 

Stakeholders may exercise their rights to withdraw or remove consent, and request LAURION to cancel any  treatment of Personal Data, that shall act on said request without undue delay. Removal can be done based  on: 

– Personal Data is no longer necessary of fit for purposes; 

– Stakeholders withdraw their consent; and 

– There is no a legal obligation to keep Data stored. 


Right to be forgotten 

The right to be forgotten is connected with the withdrawal of consent from stakeholders to have their Data  treated. 

Stakeholders may address Laurion to get their Data removed from Laurion’s files at any time. This shall  automatically imply withdrawal of consent and request of cancelation. 

Laurion does not public information and keep Personal Data confidential. Therefore, Laurion should be able  to, after the request is done and the legal timeframes are complied with, delete information of the specific  stakeholder. 

5.5 Exercise of rights 

The Data Protection Officer must inform all clients and potential clients of the means at their disposal to  exercise their rights. These means should be easily accessible and present no limitations as well as be  available in all documentation. 

To exercise their rights, stakeholders must email or contact the Data  Protection Officer using details below. 


63-65 Rue de Merl, L-2146 Luxembourg (Luxembourg)



Compliance shall be responsible for reviewing and update this Policy as the case may be. Reviews and updates shall include any new applicable regulations and should be understood as a mean to  protect Personal Data of Laurion’s stakeholders and not as a mere tick box exercise, in line with Laurion’s  values. 

Prior to launching any new products, Laurion shall review the impact any Personal Data request (whether  new or updated) may have in accordance with this Policy. 



In accordance with this Policy, Compliance shall be responsible for implementing these precepts, and  provide, in accordance with senior management, training and awareness to the staff of Laurion Group. This Policy is fully part of the Corporate Governance of Laurion and, as such, its observance is fully required  by all stakeholders of Laurion, including partners and service providers. Service providers may be dismissed  from complying with this Policy if they are legally obliged to comply with EU Regulations in place.