Data protection information notice to shareholders
Reinet Investments S.C.A. (the “Company”) acting through its general partner, Reinet Investments Manager S.A. (the “General Partner”), may, itself or through the use of service providers, collect, store on computer systems or otherwise and further process, by electronic or other means, personal data (i.e. any information relating to an identified or identifiable natural person) concerning its shareholders (the “Shareholders”) and their representative(s) (including, without limitation, legal representatives and authorised signatories), employees, directors, officers, trustees, settlors, their shareholders and/or unitholders, nominees and/or ultimate beneficial owner(s), as applicable (“Data Subjects”) (the “Personal Data”).
In this notice, “we”, “us” or “our” shall refer to the Company acting through the General Partner and “you” or “your” shall refer to the Shareholder(s).
1. Who is the controller of your personal data and who are the processors processing personal data on behalf of the controller?
The Controller and Processors will process Personal Data in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation”), as well as any law or regulation relating to the protection of personal data applicable to them, as any of such instruments may be modified or complemented from time to time (together the “Data Protection Legislation”).
2. What personal data do we collect or receive?
Personal Data may include, without limitation, personal identification data such as the name, professional and personal addresses, contact details such as email address and telephone number, financial information such as details of current and historic holdings (e.g. number of shares/depository receipts, voting rights attached to shares/depository receipts), any information that may be provided by the Shareholders or regarding the Shareholders, the voting results at general meetings of Shareholders and any other Personal Data that is necessary to the Controller and Processors for the purposes described below.
Personal Data is collected directly from the Data Subjects by the Controller and Processors or is collected by the Controller and/or Processors through the Dutch company Nederlands Centraal Instituut voor Giraal Effectenverkeer B.V. (Euroclear Nederland) and/or the South African company Strate (Pty) Limited (the South African Central Securities Depository).
3. For which purposes do we process your personal data and on which legal bases?
Personal Data will be processed by the Controller and Processors for the purposes of (i) performing services relating to your holding of Ordinary Shares including but not limited to the management and administration of your Ordinary Shares on an on-going basis, the administration of Shareholders and the response to the Shareholders’ requests, the payments to the Shareholders, updating and maintaining records, maintaining, where relevant, the register of Shareholders, providing financial and other information to the Shareholders, (ii) providing the Shareholders with legal and/or financial information (whether periodic or ad hoc), in particular via electronic communications, (iii) organising and holding general meetings and analysing and administering the attendance and voting process in connection with the general meetings, and, (iv) other related services rendered by any service provider of the Controller and Processors in connection with your holding of Ordinary Shares (the “Purposes”).
Personal Data will also be processed by the Controller and Processors to comply with legal or regulatory obligations applicable to them and to pursue their legitimate business interests or to carry out any other form of cooperation with supervisory authorities including but not limited to legal obligations under applicable securitisation and company law and the legal and regulatory obligations resulting from the laws and regulations on transparency requirements for issuers (the “Compliance Obligations”).
Communications (including any form of correspondence and e-mails but excluding telephone conversations) are recorded by the Controller where necessary for the performance of a task carried out in the public interest or where appropriate to pursue the Controller’s legitimate interests, including (i) for record keeping as proof of a transaction or related communication in the event of a disagreement, (ii) for processing and verification of instructions, (iii) for investigation and fraud prevention purposes, (iv) to enforce or defend the Controller’s and Processors’ interests or rights in compliance with any legal obligation to which they are subject and (v) for quality, business analysis, training and related purposes to improve the Controller’s and Processors’ relationship with the Shareholders in general. Such recordings will be processed in accordance with Data Protection Legislation and shall not be released to third parties, except in cases where the Controller and/or Processors are compelled or entitled by laws or regulations applicable to them or court order to do so. Such recordings may be produced in court or other legal proceedings and permitted as evidence with the same value as a written document. The absence of recordings may not in any way be used against the Controller and Processors.
The Controller and Processors will collect, use, store, retain, transfer and/or otherwise process Personal Data: (i) as a result of the holding by Shareholders of Ordinary Shares where necessary to perform the Purposes; (ii) where necessary to comply with a legal or regulatory obligation of the Controller or Processors and/or; (iii) where necessary for the performance of a task carried out in the public interest and/or; (iv) where necessary for the purposes of the legitimate interests pursued by the Controller or by Processors, which mainly consist in the performance of the Purposes, including complying with the Compliance Obligations and/or any order of any court, government, supervisory, regulatory or tax authority.
4. Who we share your personal data with?
Personal Data will only be disclosed to, and/or transferred to, and/or otherwise accessed by the Processors as well as any court, governmental, supervisory or regulatory bodies (including the Commission de Surveillance du Secteur Financier, the Luxembourg supervisory authority), (the “Authorised Recipients”). In compliance with applicable laws and regulations, certain Personal Data regarding the significant shareholders are made available to the public via the Company’s website and/or its financial reports and/or the publication of an announcement by the Company.
The Controller undertakes not to transfer Personal Data to any third parties other than the Authorised Recipients, except as disclosed to Shareholders from time to time or if required by applicable laws and regulations applicable to them or, by any order from a court, governmental, supervisory or regulatory body, including tax authorities.
By holding Ordinary Shares, the Shareholders acknowledge that Personal Data of Data Subjects may be processed for the Purposes and Compliance Obligations described above and in particular, that the transfer and disclosure of such Personal Data may be made to the Authorised Recipients, including the Processors, some of which are located outside of the European Union, in Switzerland (this location benefiting from an adequacy decision) or in South Africa, this country being not subject to an adequacy decision of the European Commission and which legislation does not ensure a comparative level of protection as regards the processing of personal data. The Controller will only transfer Personal Data of Data Subjects for performing the Purposes or for complying with the Compliance Obligations.
The Controller will transfer Personal Data of the Data Subjects to the Authorised Recipients located outside of the European Union either (i) on the basis of the adequacy decision of the European Commission with respect to the protection of personal data in Switzerland (in compliance with Article 45 of the General Data Protection Regulation) (this concerns in particular the service providers located in Switzerland operating in the IT and Communication fields and being in charge, on behalf of the Controller, of the administration of the distribution lists and the communication, publication, distribution and regulatory filing (as may be required) of legal and/or financial information (whether periodic or ad hoc) from the Company) or, (ii) on the basis of standard data protection clauses approved by the European Commission (in compliance with Article 46.2 of the General Data Protection Regulation), or, (iii) in the event it is required by any judgment of a court or tribunal or any decision of an administrative authority, Personal Data of Data Subjects will be transferred on the basis of an international agreement entered into between the European Union or a concerned member state and other jurisdictions worldwide or, in compliance with Article 49.1 of the General Data Protection Regulation, (iv) where necessary for the performance of the Purposes or for the implementation of pre-contractual measures taken at the Shareholders’ request or, (v) where necessary for the Processors to perform their services rendered in connection with the Purposes which are in the interest of the Data Subjects or, (vi) where necessary for the establishment, exercise or defence of legal claims.
5. What we expect from you?
Insofar as Personal Data is not provided by the Data Subjects themselves (including where Personal Data provided by the Shareholders include Personal Data concerning other Data Subjects), the Shareholders represent that they have authority to provide such Personal Data of other Data Subjects. If the Shareholders are not natural persons, they undertake and warrant to (i) adequately inform any such other Data Subject about the processing of their Personal Data and their related rights (as well as how to exercise them) as described under this information notice, in accordance with the information requirements under the Data Protection Legislation and (ii) where necessary and appropriate, obtain in advance any consent that may be required for the processing of the Personal Data of other Data Subjects in accordance with the requirement of Data Protection Legislation. Any consent so obtained is documented in writing. Shareholders will indemnify and hold the Controller and the Processors harmless for and against all financial consequences arising from any breach of the above warranties.
6. What are your rights?
Data Subjects may request, in the manner and subject to the limitations prescribed in accordance with Data Protection Legislation:
(i) access to and rectification or deletion of Personal Data concerning themselves,
(ii) a restriction or objection of processing of Personal Data concerning themselves; in particular, Data Subjects may at any time object, on request, to the processing of Personal Data concerning themselves for any processing carried out on the basis of the legitimate interests of the Controller or the Processors.
(iii) to receive Personal Data concerning themselves in a structured, commonly used and machine readable format or to transmit those Personal Data to another controller,
(iv) to obtain a copy of, or access to, the adequacy decision published by the European Commission for Switzerland [and the standard contractual clauses which have been entered into with the Computershare entities in South Africa] for transferring the Personal Data outside of the European Union.
v) to obtain from us a copy of, or access to, any balancing test that has been conducted in relation to the processing of personal data based on legitimate interests.
The Shareholders are entitled to address any claim relating to the processing of their Personal Data carried out by the Controller in relation with the performance of the Purposes or compliance with the Compliance Obligations by lodging a complaint with the relevant data protection supervisory authority (i.e. in Luxembourg, the Commission Nationale pour la Protection des Données – www.cnpd.lu).
The Controller and Processors processing Personal Data on behalf of the Controller will accept no liability with respect to any unauthorised third party receiving knowledge and/or having access to Personal Data, except in the event of proved negligence or wilful misconduct of the Controller or such Processors.
7. For how long do we keep your personal data?
Personal Data of Data Subjects will be retained by the Controller until Shareholders cease to hold the Ordinary Shares and a subsequent period of 10 years thereafter after having being explicitly notified of such event by the relevant Shareholder where necessary to comply with laws and regulations applicable to them or to establish, exercise or defend actual or potential legal claims, subject to the applicable statutes of limitation, unless a longer period is required by laws and regulations applicable to them. In any case, Personal Data of Data Subjects will not be retained for longer than necessary with regard to the Purposes and Compliance Obligations contemplated in this information notice, subject always to applicable legal minimum retention periods.
8. How we will update this data protection information notice?
Further (updated) information relating to the processing of Personal Data of Data Subjects may be provided or made available, on an ongoing basis, through additional documentation and/or, through any other communications channels, including electronic communication means, such as electronic mail, websites, portals or platform, as deemed appropriate to allow the Controller and/or Processors to comply with their obligations of information according to Data Protection Legislation.
The latest version will always be available here: www.reinet.com/investor-relations/data-protection.