Privacy Statement & Data Processing Protocol

PRIVACY STATEMENT

This Privacy Statement sets out what personal data Molade Trust Management B.V. collects and how it uses the data.

This Privacy Statement is issued by and applies to Molade Trust Management B.V., Dr. Willem Dreesweg 2, 1085 VB Amstelveen, the Netherlands, hereinafter referred to as “Molade”. This Privacy Statement explains how Molade may collect, use, process and store your personal data as well as the rights you have in relation to this Personal Data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and other applicable privacy laws.

What kind of personal data does Molade collect?

Personal data means any information relating to an identified or identifiable natural person. Molade processes the following types of personal data:

  • name, address, email address, telephone number and other contact information;
  • date and place of birth;
  • nationality;
  • gender;
  • employment details;
  • marital status;
  • copies of identity documents (passport, national ID card, driver’s license, employee identification numbers);
  • source of wealth;
  • utility bill, bank statement;
  • tax residency.

Please note that the list is not exhaustive and that Molade may also collect and process personal data to the extent that this is useful or necessary for the provision of its services.

How does Molade collect personal data?

Molade obtains and processes personal data in different ways.

  • Personal data provided to Molade directly; Molade collects personal data directly from (prospective) clients, business partners and intermediaries for the purposes of entering into a contract or a service agreement and/or to meet certain legal requirements.
  • Personal data obtained from third parties; Molade also collects and processes personal data from publicly accessible sources such as internet, social networks, Relian or commercial registers. Furthermore, Molade may receive personal data from third parties as part of the services Molade provides to you or in connection with legal requirements that are applicable to Molade.

How does Molade use personal data?

The majority of the personal data processed by Molade is necessary for the performance of a contract to which the data subject is a party or to comply with the request of the data subject prior to entering into a contract. Molade also processes personal data in order to comply with our legal and regulatory obligations.

Molade may furthermore process personal data for the purposes of the legitimate business interests it pursues. Such legitimate interests include general research and development (including statistical research or as a basis to analyze current security measures) or to develop and improve services or to strengthen relationships. Molade may provide you with communications or information regarding our service offering which Molade thinks will be interesting for you.

When Molade processes your personal data for its legitimate business interests, we will consider and balance any potential impact on you and your rights under the relevant data protection and any other relevant law. Whenever Molade processes personal data for these purposes you have the right to object to this way of processing.

To whom does Molade provide personal data?

Molade may disclose or transfer personal data collected to its group companies insofar as reasonably necessary for the purposes of its service offering or for bona fide compliance purposes as well as on the legal basis as set out in this Privacy Statement.

Except as described in this paragraph, Molade will not disclose, transfer or sell your personal data to any third party unless you have consented to this.

Molade may disclose or transfer personal data to subcontractors for the purpose of the proper performance of the services it provides to its clients. It may, for example, disclose or transfer such personal data to third party service providers who provide administrative, computer, payment, data processing, debt collecting or other services. Molade enters into data processing agreements with such subcontractors to ensure that they process your data, on its behalf, with the same level of security and confidentiality as applied by Molade. Molade may furthermore disclose or transfer personal data when it received your consent to do so.

In addition Molade may disclose or transfer personal data to protect its rights or those of its clients and/or to prevent fraud. Molade can also be obliged to disclose or transfer personal data to competent authorities in order to comply with its legal and/or regulatory obligations.

Retention

Molade will process and store the relevant personal data for the duration of its services or for the duration of the business relationship. Molade may also store the data for as long as it is necessary or required in order to fulfill legal, contractual or statutory obligations and/or for the establishment, exercise or defense of legal claims, and in general where it has a legitimate interest for doing so.

Your rights

You have the following rights:

  • Access to your information; You have the right to access the personal information that Molade holds about you at any time.
  • Data portability; You may ask Molade to provide you with a copy of the personal information that Molade holds about you.
  • Correction of your personal information; You have the right to ask Molade to update and correct any out-of-date or incorrect personal information that Molade would hold about you.
  • Deletion of your personal information (the right to be forgotten); You have the right to ask Molade to delete your personal information, to the extent that Molade has no legal and/or regulatory obligations to keep such personal information.
  • Restriction of processing of your personal information; You have the right to ask Molade to restrict the processing of your personal information in case:
    1. You contested the accuracy of the personal information held by Molade;
    2. The processing is unlawful but you objected to the deletion of the personal data and request the restriction of the use instead;
    3. Molade no longer needs the personal data for the purposes of the processing, but you require them for legal reasons;
    4. You objected to processing and Molade is investigating whether there are legitimate grounds to override your objection.
  • Automatic decision making; Molade generally does not make decisions by purely automatic means, but if it does, you have the right to object.
  • Object; You have the right to object at any time to the processing of your personal data by Molade.

If you wish to exercise any of the above rights, you can contact Molade using the below contact details.

Navigation and Cookies

Please note that Molade is the controller of personal data collected through the Molade website (the “Website”).

On certain areas of the Website Molade collects personally-identifiable information when users request information and/or sign up for newsletters. The personally-identifiable information collected may consist of information that you provide, such as names, e-mail addresses and other information as provided by you such as a telephone number and any other personally-identifiable information.

The Website does not use cookies to identify you nor your interests.

How does Molade protect personal data?

Molade is committed to ensuring the security of your personal data. Molade takes appropriate commercially reasonable technical, physical and organizational measures to prevent unauthorized or unlawful processing of your personal data or accidental loss or destruction of your personal data. Molade will ensure a level of security suitable to the identified risks and pursuant to applicable Data Protection Laws and shall take measures required pursuant to article 32 GDPR.

Employees of Molade are trained to handle personal data securely and with utmost respect and they will treat your personal data as strictly confidential. Staff members shall be authorized to access personal data only to the extent necessary to serve the applicable legitimate purposes for which the data are processed by Molade and to perform their job.

Molade will not divulge client information to a third party unless it has received explicit client authorization or is required to do so by law.

Changes to this Privacy Statement

Molade may update this Privacy Statement from time to time. Molade will advise you to periodically review this Privacy Statement to be informed of how it is protecting your privacy.

Contact Data Protection Officer

If you have any questions, concerns or complaints with respect to this Privacy Statement, the way Molade is handling your privacy or you wish to exercise any of your rights please contact the Molade Data Protection Officer Mr. R.M. van den Outenaar.

DATA PROCESSING PROTOCOL

In its role as Service Provider, Molade is obligated to collect and/or process certain personal data.

The Data Processing Protocol (the “Protocol”) is applicable in the situation where Molade may process certain personal information of which the client or client entities are the controller. It sets out, amongst others, the principle of confidentiality, the security practices and technical and organizational measures that Molade has put in place.

The Protocol shall apply between Molade and the Client Entity (“Client”) it is servicing, where Molade may process Personal Data, of which the Client is the Controller. The Protocol forms part of any agreement in place between Molade and the Client (the “Management or Service Agreement”).

  1. Definitions

Where this Protocol uses terms which are defined in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”), then the definitions set out in that Regulation shall apply. “Client” shall mean the company, trust, foundation, any other form of legal entity, partnership, or unincorporated business, set up, to which Molade provides any service at the request or instruction of such entity and/or its group members; and “Molade” shall mean Molade Trust Management B.V. which has concluded a Management or Service Agreement with the Client.

  2. Scope of the Protocol
    2.1 Molade shall only process the Personal Data on the instructions of the Client and in accordance with the provisions of this Protocol and associated Management or Service Agreement(s). Molade confirms that it will not process the Personal Data for its own use or any other purposes other than as provided for under this Protocol.
    2.2 Molade will have no control over the purposes of processing the Personal Data.
    2.3 The GDPR and any other applicable privacy laws apply to this Protocol and anything not specifically mentioned in this Protocol shall be governed by the GDPR and any other applicable privacy laws.
  3. Scope of the Protocol
    3.1 Molade, receiving the Personal Data from the Client pursuant to the Service Agreement, will exercise at least the same degree of care with respect to Personal Data with which Molade protects its own Personal Data of the same or similar nature.
    3.2 Molade shall not communicate the Personal Data to or put the Personal Data at the disposal of third parties without the Client’s prior written consent thereto unless it is required to do so by mandatory law or regulation or ordered to do so by a competent authority.
    3.3 Molade will only use or reproduce the Client’s Personal Data to the extent necessary to it to fulfil its obligations under the Management or Service Agreement.
  4. Security Practices, Procedures and Technical and Organisational Measures
    4.1 Molade shall implement appropriate commercially reasonable technical, physical and organizational security measures to protect Personal Data from misuse and/or accidental, unlawful and/or unauthorized destruction, loss, alteration, disclosure, acquisition and/or access and against all other unlawful forms of Processing in accordance with adequate internal instructions adopted by Molade. Molade will ensure a level of security suitable (taking into account the state of the art and the costs of implementation of such security) to the identified risks and the nature of the personal data to be protected, pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take all measures required pursuant to article 32 GDPR. Where local laws prescribe specific instructions and measures to be adopted for the purposes of this article, local laws will be applied.
    4.2 In fulfillment of Molade’s obligation to demonstrate compliance with this paragraph 4.1, Molade will make information on its processing of the Personal Data available (including at its discretion, certificates, third party audit reports or other relevant information).
    4.3 Client shall provide Molade with thirty (30) days’ advance notice of any audit request, which will be at the client’s expense. Client may not engage in an audit which would compromise confidentiality obligations towards any other clients and customers of Molade, require access to non-public external reports, supplier internal pricing information, Molade confidential information and/or any internal reports prepared by Molade’s WTT (RIB) auditor or Molade’s Compliance Officer. If the client wishes to nominate another auditor to undertake the audit, it shall ensure that the auditor enters into a confidentiality agreement with Molade in such form as Molade shall reasonably require. Any liability, indemnity and all obligations under this contract shall also remain with the client, even if it nominates another auditor. The client warrants that any auditors are suitably qualified to undertake such an exercise.
  5. Duration of processing of the Personal Data
    5.1 Molade will process the Personal Data for as long as it provides services to the Client and will hold the Personal Data in archive after that date to the extent necessary for legitimate business purposes or for bona fide compliance purposes.
    5.2 Client may instruct Molade to delete or return Personal Data at the end of the period during which Molade will process such Personal Data. Molade shall be authorized to keep a copy to the extent required for legal, regulatory or bona fide compliance purposes, as well as the exercise or defense of legal claims.
  6. Data Breach Incident
    6.1 Molade will without undue delay notify the Client whenever Molade reasonably becomes aware that there has been a non-trivial breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Molade in the context of this Protocol that is likely to result in a risk to the rights and freedoms of a data subject (“Data Breach Incident”). After providing notice, Molade will investigate the Data Breach Incident, and take necessary steps to eliminate or contain the impact of the Data Breach Incident to the extent which may reasonably be expected.
    6.2 Molade shall maintain written procedures which enable it to provide an immediate response to the Client about a Data Breach Incident.
  7. Transfer of Personal Data

The Client confirms that Molade may transfer personal data to its affiliates and sub-processors inside the European Economic Area (EEA) for purposes of servicing, support, back-up or any other legitimate interest Molade may have to transfer personal data in order to fulfill its obligation(s) as per the relevant Management or Service Agreement(s).

  8. Rights of Data Subjects
    8.1 Upon instruction of the Client, Molade will cooperate in:
      • providing access to Data Subjects whose Personal Data are being processed via the provision of the services by Molade;
      • deleting or correcting their Personal Data;
      • demonstrating that their Personal Data have been deleted or corrected if they are incorrect, or, if the Client disagrees with the point of view of the Data Subject, recording that the Data Subject is of the opinion that the Personal Data is incorrect;
      • restricting the processing of personal data as per Article 18 GDPR;
      • protecting the rights of data subjects to its best advantage.
    8.2 Notwithstanding Clause 8.1, Molade shall not be obligated to delete copies of Personal Data that we hold as Controller, to the extent where further processing is required in order to comply with a legal obligation to which Molade is subject or for the establishment, exercise or defense of legal claims.
    8.3 The Client has the responsibility to provide the data subject with the information necessary to ensure fair and transparent processing in respect of the data subject (as set out in Article 14.1 of the GDPR or any similar provision under other applicable Data Protection Law). Where further processing of the personal data is required, for a purpose other than that for which the personal data were obtained, the client shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Article 14.2 of the GDPR or any similar provision under other applicable Data Protection Law. Molade shall not be held responsible if not aware of such information not being provided to the data subject.
    8.4 Molade shall not correct, delete or restrict data to be processed on behalf of the Client in an unauthorized manner. Should a Data Subject contact Molade directly in this context, Molade shall forward this request to the Client without undue delay.
  9. Sub-processors

Client agrees that Molade may use sub-processors to provide support to the services under the Service Agreement. Molade shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such sub-processors are at least as restrictive as this Protocol. Molade may change or add sub-processors from time to time, which changes shall be announced via an update of this Protocol. The client shall consult the Protocol regularly in order to be kept informed of such changes.

  10. Modification or amendment

Any amendment to this Protocol shall be published on the website of Molade, but shall not reduce or otherwise limit the rights of the Client.

  11. Applicable Law and Jurisdiction

This Agreement is governed by the law of the Netherlands. Any dispute arising under this Agreement shall be brought before the competent court of Amsterdam, the Netherlands, notwithstanding Molade’s right to have such dispute brought before any other competent court.

Annex 1 – Description of processing of personal data

  1. Subject Matter, Nature and Purpose

All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the Management or Service Agreement.

  2. Categories of data subjects:

The Data Subjects may include individuals that represent the Client, that are advising the Client, that are in any contractual or statutory relationship with the Client, or that the Client has collected in view of its servicing towards such individuals, or are otherwise connected to such individuals. Most commonly the Data Subjects will include:

  • employees, contractors or other workers of the Client and/or their family members, representatives or others connected with workers; and
  • past, existing or prospective clients and/or contractual counter parties of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them.
  3. Types of personal data:

The services under the Service Agreement may involve the processing of the following types of Personal Data:

  • names and contact information;
  • general demographic information (such as gender, age, date of birth, marital status, nationality, employment details, residence, utility bills, etc.);
  • personal identification documentation and related information such as passport numbers and employee identification numbers;
  • financial and payment data such as bank account numbers and transaction information;
  • information related to the provision of the services performed under the Management or Service Agreement or per the services provided by the Client to such individuals.