English Version(¹) updated as at 2019.01.21 and issued in relation to KB Star Funds (the “Fund”)
We first invite you to familiarise yourselves with the few following key players as we will extensively refer to them in this Privacy Notice:
1. Personal data is any information relating to a data subject.
2. A data subject is a living natural person identified or identifiable in relation to her/his personal data.
3. An investor is any person (natural or not) investing, soliciting or solicited to invest, in the Fund.
4. A controller determines the purposes and means of personal data processing.
5. A processor processes personal data on behalf of, and upon instruction from, one or more controllers.
¹ This Privacy Notice is available in English version which are all accessible via
the internet on www.kbam.co.kr/ib/kbstarfunds or upon request to the contact point mentioned in Q&A 18, below.
1. Categories of data subjects
What/Who are the data subjects in relation to whom we process personal data?
The majority of data subjects in relation to whom the Fund and Carne Global Fund Managers (Luxembourg) S.A. acting in its capacity of management company of the Fund process personal data fall into one or more of the three main categories of data subjects described in the table below (“you”, “your” and more generally together the “data subjects”).
The above table uses terms such as “associated”, “involved”, “belong”, “supervising”, “assisting” and “contributing”. As a natural person, you may be so associated, involved, belonging to, assisting and/or contributing in an unlimited number of private, public and/or professional capacities, including – without limitation – as employee or self-employed, client, proxy-holder, authorised signatory, representative, nominee, intermediary, bo ard or committee member, trustee, settlor, agent, officer, delegate, consultant and/or adviser.
2. Categories of personal data
What are the categories of personal data that we process?
As a general rule we reserve the right to process any past, present or future personal data needed to attain the purposes described or referred to in this Privacy Notice. However, in the table below we have listed the main categories of personal data we process together with a few illustrations. Please note that these illustrations are not exhaustive and that certain illustrations may belong to one or more categories of personal data, whether or not we have a contractual relationship with any of them or the entity they represent or work for.
The personal data that we process may consist of or result from any use of or activity on computer systems, network and website, and may take any form possible. Personal data that we process may then include all types of electronic support, pictures, images, videos, sounds and voice recordings (such as telephone or online conversation recordings). Please note that the above categories of personal data are without prejudice to all specific or general personal data you have provided or will provide us with from time to time. The so-called “sensitive” personal data referred to in Q&A 3 below may also come in addition to or be part of the above categories of personal data.
3. Sensitive personal data
Do we process so-called “sensitive” personal data?
“Sensitive” personal data refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or a natural person's sex life or sexual orientation, as well as personal data relating to criminal convictions and offences or related security measures. Sensitive personal data are sometimes referred to as “special category data” and “criminal offence data” targeted by Articles 9 and 10 of the GDPR, respectively. We do happen to process such sensitive personal data. However, we do so in only a limited number of instances. We may notably process sensitive personal data (a) which you have manifestly made public; (b) necessary for reasons of substantial public interest; (c) under the control of an official authority; and/or (d) when authorised by applicable law providing appropriate safeguards for your rights and freedoms. As a matter of illustration, we may process personal data revealing political opinions (which you have not necessarily manifestly made public) or relating to criminal convictions and offences when implementing our “know your customer” obligations. We may also fortuitously process sensitive personal data when wilfully processing non-sensitive personal data. As a matter of illustration, although we neither require nor need personal data revealing racial or ethnic origin or religious beliefs, nor genetic or biometric data, this information is sometimes disclosed in the official identification documents (such as passport photo pages) we receive for the purpose of implementing our “know your customer” obligations. If you do not want us to process this information and also for the reasons described in Q&A 4 below, we therefore strongly suggest that you carefully black this type of data out in any document sent or drawn to our attention.
4. Unsolicited personal data
What is our responsibility in relation to the processing of “unsolicited” personal data?
“Unsolicited” personal data basically refer to personal data which we have no intention, nor interest in processing, mainly because these data are not needed to attain any of the purposes described or referred to in this Privacy Notice. These are personal data which we did not solicit, and which we technically process (e.g. store and/or transfer), sometimes quite fortuitously (as illustrated in Q&A 3 above), but for no specific purpose. What is important for you to be aware of is that, in the absence of proven negligence on our part or unless otherwise so compelled by mandatory rules of law, we assume no obligation nor any liability for any damage suffered directly or indirectly by you or any third party as a result of such a technical processing, including in case of personal data breach. In view of the foregoing, we strongly recommend that you exclusively provide personal data that are expressly required from you, and that you refrain from providing any unsolicited personal data or making it available.
5. Source of personal data
From whom or where do we collect or obtain your personal data?
We collect or obtain your personal data from various sources (and a combination thereof), and we reserve the right to opt at any time for any legally acceptable source. In practice, these sources may vary depending on the categories of natural persons described in Q&A 1 above. Our first source of information is you. We collect your personal data each time we communicate with you. We collect your personal data either directly from you or via third parties representing us or you. Third parties representing us may typically be our register and transfer agent, our management company, certain of our distributors, and other appointed intermediaries. Third parties representing you may include discretionary managers, lawyers and specific proxyholders. We may also obtain your personal data from a variety of third parties who represent neither us nor you. These third parties may include certain of our service providers (such as the depositary), certain distributors, your banker, social medias, subscription services and centralised investor database (whether or not they belong to the Fund initiator’s group), as well as your or our advisers. Third parties from whom we may obtain your personal data may also be public authorities, bodies or services, including Luxembourg and foreign supervisory and tax authorities. We may also obtain your personal data via any publicly accessible (free or paying) sources such as the internet, public registers (such as the Luxembourg Trade and Companies Register), and/or the press in general. In relation to Investing Persons in particular, we may obtain your personal data via special “know your customer” databases (such as World-Check™). We collect or obtain your personal data from various means (and combinations thereof), and we reserve the right to opt at any time for any legally acceptable means. In the following paragraphs, we would like to draw your attention to a few of them. The most obvious means of collection of your personal data is the subscription documentation, including that required to fulfil our “know your customer” or tax transparency obligations (e.g. via self-certification forms). But, we also collect information via your transactional activity or your visits to our website. We may also obtain personal information via exchanges of correspondence (whether or not in digital form), via telephone conversations (whether or not they are recorded), via contractual or operational documentation, via participation at board or shareholding meetings, and/or in the course of a complaint or litigious procedure.
6. Types of processing
What types of processing do we perform on your personal data?
We perform and reserve the right to perform at any time any processing which the GDPR authorises us to perform on your personal data. The processing that we perform or may perform therefore includes any operations (or set of operations) on your personal data (or on sets of your personal data), whether by electronic or other means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In particular, we or our service providers acting as processors or controllers in their own right may be obliged or wish to record communications (including telephone or online conversations and e-mails). Recordings may be produced in court or other legal proceedings and permitted as evidence with the same value as written documents. The absence of recordings may not in any way be used against us. The purposes, lawful bases and retention periods in this respect are described in Appendix A and Appendix C respectively. Please, also note that processing that we perform or may perform on your personal data may also consist in profiling and solely automated individual decision-making.
7. Purposes and lawful bases of processing
For what purposes and on what lawful bases do we process your personal data?
We reserve the right to process your personal data for any specified, explicit and legitimate purposes we deem appropriate, provided such processing is based on one or more of the 6 possible lawful (or legal) bases authorised by the GDPR. These lawful bases are related to contract, compliance, vital interests, public interest, legitimate interests, and consent. These lawful bases are more fully described in Appendix A of this Privacy Notice. We process your personal data for several purposes and on several lawful bases. In Appendix A, you will find tables listing the purposes of the processing (on the left-hand side column) and the corresponding lawful bases (on the right-hand side column). You should be aware that any of the (initial) purposes listed in Appendix A or otherwise referred to in this Privacy Notice may change over time and lead to a new purpose. If the new purpose is compatible with the initial purpose, we may continue the processing under the original lawful basis (unless this original lawful basis is your consen Finally, you should also be aware of the following regarding the lawful bases of our processing. When we process sensitive personal data or transfer personal data to third countries, we may do so on specific lawful bases which are more fully described in Q&A 3 and Q&A 9, respectively, and which come in addition to those otherwise described in this Q&A 7 and in Appendix A. Also, when we exceptionally base the processing of your personal data on your consent, you are entitled to withdraw your consent as more fully described in Q&A 14 below.
8. Recipients of personal data
Do we transmit your personal data to third-party recipients? If so, who are these recipients?
In the context of this Privacy Notice we understand “transmission” (or derived terms thereof) of personal data to a party as including the disclosure, the accessibility or otherwise availability of these personal data to this party.
Yes, we also transmit your personal data to a series of recipients or categories of recipients these include:
all our service providers, whether they act as processors and/or controllers in their own rights (which may be the Fund’s management company, investment adviser, investment manager, depositary and paying agent, administration and registrar and transfer agent, distributor and sub-distributors, auditor, legal, financial and other professional advisers, lawyers, consultants, as well as any existing or potential service provider of the Fund; the recipients may also be any of the foregoing respective representatives, agents, delegates, affiliates, subcontractors and/or their successors and assigns (including information technology providers, cloud service providers, or external processing centres);
entities belonging to KB Financial Group;
our various counterparties (such as prime brokers and credit institutions);
any targeted markets (regulated or not), investment, funds and/or related entities in or through which we intend to invest (including without limitation their governing entities, respective general partner, management companies, managers, central administration, investment manager, depositary, and other service providers);
any judicial, public, governmental, administrative, supervisory, regulatory or tax bodies or authorities; as well as
the Investing Persons, the Fund Persons, and the Other Persons.
You should also be aware that:
more information about the foregoing recipients (including our processors) may be found in Appendix D and in the Fund’s constitutive and/or offering documentation;
certain of the foregoing recipients (including our processors) may themselves transfer your personal data to other sub-recipients established or operating in and/or outside the European Economic Area. This may notably be the case in the context of exchange of information on an automatic basis with the competent authorities in the United States or other permitted jurisdictions as agreed in FATCA and CRS, at OECD and European levels, or equivalent Luxembourg legislation, as more specifically detailed in Q&A 16;
in the absence of proven negligence on our part or unless otherwise so compelled by mandatory rules of law, we bear no liability for any transmission of your personal data to any third party not authorised by us and, more generally, for any such unauthorised third party receiving knowledge of your personal data.
9. Transfer to third countries
Do you intend to transfer personal data to third countries or international organisations?
In the context of this Privacy Notice we understand “transfer” (or derived terms thereof) of personal data to third countries or international organisations as including the disclosure, the accessibility or the otherwise availability of these personal data to or from third countries or international organisations.
Yes, we do and will transfer personal data to third countries. And by third countries, we mean countries which do not belong to the European Economic Area and which legislation does not necessarily ensure an adequate level of protection as regards the processing of personal data.
In Appendix B of this Privacy Notice, you will find a brief description of the available lawful bases for performing transfers of personal data to third countries, as well as a table listing the recipient countries or third-country recipients to which we transfer or may transfer personal data (left-hand side column) together with the corresponding specific lawful bases and, where applicable, additional information (right-hand side column). In this context, you should be aware that:
Your personal data may be transferred to recipients (including processors and other controllers) which are located in third countries subject to an adequacy decision of the European Commission and/or on the basis of the so-called EU-U.S. Privacy Shield framework.In the table in Appendix B, each of these countries or recipients is referred to as an “adequate country” or an “adequate recipient”, respectively;
Your personal data may be transferred to recipients (including processors and other controllers) which may be located in third-countries which are not subject to an adequacy decision of the European Commission and whose legislation does not ensure an adequate level of protection as regards the processing of personal data. In this case, the transfer of your personal data may be based on one or more of the appropriate safeguards listed and briefly described in Appendix B. In the table in Appendix B, each of the relevant countries or recipient is referred to as a “safeguarded country” or a “safeguarded recipient”, respectively, and earmarkedwith the relevant appropriate safeguard;
In the absence of any adequacy decision or appropriate safeguard, your personal data may nevertheless be transferred to recipients (including processors and other controllers) located in third countries whose legislation does not ensure an adequate level of protection as regards the processing of personal data. In this case, a transfer or set of transfers of your personal data may be based on one or more of the derogations listed and briefly described in Appendix B. In the table in Appendix B, each of the relevant countries or recipient is referred to as a “derogatory country” or a “derogatory recipient”, respectively, and earmarked with the relevant derogation;
We may transfer your personal data to a third country in the event this is required by any judgment of a court or tribunal or any decision of an administrative authority, provided this takes place on the basis of an international agreement entered into between the European Union or another Member State and other jurisdictions worldwide.
In addition to the information provided in Appendix B, you should be aware that:
you have the right to obtain a copy of, or access to, the appropriate safeguards which have been implemented for transferring your personal data to a safeguarded country or a safeguarded recipient by a request addressed to any contact point and by any means mentioned in Q&A 18 below;
when the transfer of your personal data to third countries is based on your explicit consent, you are entitled to withdraw your consent as more fully described in Q&A 14 below;
in the absence of proved negligence on our part or unless otherwise so compelled by mandatory rules of law, we bear no liability for any transfer of your personal data to any third country or third-country recipient not authorised by us and, more generally, for any such unauthorised third country or third-country recipient receiving knowledge of your personal data.
10. Retention period
For how long will we store your personal data?
Without prejudice to what follows, as a matter of general principle, we take care that your personal data is not held for longer than necessary with regard to the purposes for which they are or have been processed. We hold personal data of Investing Persons at least until the concerned investor ceases to be an investor. We then hold these personal data for a subsequent period of 10 years where necessary to comply with applicable laws and regulations, and/or to establish, exercise or defend actual or potential legal claims. Longer or shorter retention periods may apply where required by applicable laws and regulations, or as a result of applicable statutes of limitation. Some of these law and regulations are listed in the table of Appendix C to this Privacy Notice.
11. Data subject Rights
What are your rights in relation to our processing of your personal data?
In addition to your right of information as well as to rights otherwise described in this Privacy Notice or provided for in the GDPR, the available rights in relation to our processing of your personal data are as listed and briefly described below. The relevant legal provisions of the GDPR describing these rights may in our opinion be read and understood by persons who are not personal data protection professionals. For each of the rights listed below, we have therefore mentioned the applicable key provisions which we invite you to consult for further information.
Under the limits set out by the GDPR:
Right of access (Art. 15 of the GDPR) – You have the right to receive confirmation that your data are being processed by us (or not), to access your personal data, and to receive supplementary information (however, largely corresponding to that provided in this Privacy Notice).
Right to rectification (Art. 16 and 19 of the GDPR) – If your personal data are inaccurate or incomplete, you have the right to obtain assurance from us that they will be rectified without undue delay.
Right to erasure (Art. 17 and 19 of the GDPR) – The right of erasure is also known as the “right to be forgotten”. The broad principle underpinning this right is to enable you to request us to delete or remove your personal data where there is no compelling reason for our continued processing thereof.
Right to restriction (Art. 18 and 19 of the GDPR) – This right allows you to ‘block’ or suppress processing of your personal data. We may still store your data, but may not process them. We can retain just enough information about you to ensure that the restriction is respected in future.
Right to data portability (Art. 20 of the GDPR) – This right allows you to obtain and reuse the personal data you have provided us with for your own purposes across different services. It allows you to move, copy or transfer your personal data easily from one IT environment to another.
Right to complain to a supervisory authority (Art. 77 of the GDPR) – If you consider that our processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in your EU Member State of habitual residence, place of work or place of the alleged infringement.
You also have a right to obtain a copy of, or access to, any balancing test that has been conducted when a processing is based on legitimate interests as per Appendix A of this Privacy Notice. You may exercise any of the above rights (other than the right to complain to a supervisory authority) via any contact point and by any means mentioned in Q&A 18 below. There is a last general and important point we wish to draw your attention to. Your rights under the GDPR (including those listed above) are not “absolute” or unconditional. Your rights may then be limited to certain cases or circumstances, conditioned and/or affected by various elements such as the lawful basis of our processing.
12. Right to object
Do you have the right to object to our processing of your personal data?
Yes, Article 21 of the GDPR gives you a right to object, but this right is limited and depends on the purpose or lawful basis of our processing.
Firstly, you have the right to object at any time, on grounds relating to your particular situation, to processing of personal data, including profiling, concerning you which is based on our legitimate interests or on the performance of a task carried out in the public interest or in the exercise of any official authority that we would be vested in. In this case, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Secondly, where your personal data are processed for direct marketing purposes, you have the unconditional right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Finally, you have the right to object, on grounds relating to your particular situation, to the processing of your personal data for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
You may exercise your right to object via any contact point and by any means mentioned in Q&A 18 below.
13. Refusal to provide personal data
Can you refuse to provide your personal data? If so, what are the consequences?
There are certain cases where the provision of your personal data results from a legal or contractual obligation applicable to you and/or to us, or where the provision of your personal data is necessary for us to enter into, continue and/or implement a professional relationship and/or contract, and/or otherwise deal with you. As a general rule, failure to provide certain requested personal data may result in the impossibility to communicate (or to communicate safely) with you and/or to fulfil certain of our duties, obligations and services. As an Investing Person in particular, failure to provide certain requested personal data may result in the impossibility for you or the investor to invest or maintain an investment in the Fund. It may also result in incorrect or double reporting. Please note that we may from time to time and as the case may be on a case-by-case basis indicate whether or not requesting and/or providing this information is mandatory for us and/or for you, respectively, and/or the reasons for which this is mandatory. Where necessary, we may also indicate on such occasions the consequences for your refusal to provide the requested information.
14. Withdrawal of consent
Can you withdraw the consent given for processing your personal data, and if so, how?
Yes, when we base the processing of your personal data on your consent, you have the right to withdraw your consent at any time, yet without affecting the lawfulness of all processing based on your consent before its withdrawal.
You must be aware, however, that we reserve the right to continue the processing for which you have withdrawn your consent if there is another lawful basis to this processing.
Your decision to withdraw your consent may be notified to any contact point and by any means mentioned in Q&A 18 below.
15. Further processing
Do we intend to process your personal data for a purpose other than that for which they were collected or obtained?
Although we have no intention to do that at the date of issuance of this Privacy Notice, we reserve the right to further process your personal data for a purpose other than that for which they were collected or obtained. If such were the case and prior to that further processing, we would provide you with information on that other purpose and with any relevant further information required by law which is not already contained in this Privacy Notice.
16. Other information
Is there other information we deem appropriate to provide you with in the context of this Privacy Notice?
Yes, we believe that the following additional information might be of interest to you.
Data protection officer The data protection officer is governed by specific provisions of the GDPR (Articles 37 to 39), but is not defined in the GDPR. It may be described as the person appointed by an organisation to serve as its personal data protection guardian. For your information, we have not appointed, and have no current plan to appoint, a data protection officer. Any question, enquiry or solicitation regarding the Privacy Notice and the processing of data by the the Fund and Carne Global Fund Managers (Luxembourg) S.A. in general may be addressed to firstname.lastname@example.org or to 41F, Three IFC 10, Gukjegeumyung-ro, Yeongdeungpo-Gu, Seoul 07326, Korea for the attention of KB Asset Management, or by calling +01-2-2167-8204.
Professional secrecy and confidentiality waiver Any consent that you may give or may from time to time be requested to give in order to waive the professional secrecy or confidentiality duty to which we are subject pursuant to laws and regulations applicable to us is distinct from, and may not be construed as, any consent that you might give in the context of the GDPR.
FATCA, CRS and other tax identification legislation to prevent tax evasion and fraud To comply with “know your customer” and tax related laws and regulations such as FATCA and CRS at OECD and European levels or equivalent Luxembourg legislation, we are and our service providers may be obliged to collect and, where appropriate, report certain information in relation to you and your investments in the Fund (including but not limited to name and address, date of birth, U.S. tax identification number (TIN), account number, balance on account, the “Tax Data”) to the Luxembourg tax authorities (Administration des contributions directes) which will exchange this information (including personal data, financial data and Tax Data) on an automatic basis with the competent authorities in the United States or other permitted jurisdictions (including the U.S. Internal Revenue Service (IRS) or other US competent authority and foreign tax authorities located outside the European Economic Area) for the purposes provided for in FATCA and CRS at OECD and European levels or equivalent Luxembourg legislation. In this context, it is mandatory to answer questions and requests with respect to the data subjects’ identification and investment held in the Fund. We reserve the right to reject any application for investment if the required information and/or documentation are not provided or the applicable requirements not complied with. Investors acknowledge that failure to provide the relevant information in the course of their relationship with the Fund may result in incorrect or double reporting, prevent them from acquiring or maintaining their investment in the Fund and may be reported to the relevant Luxembourg authorities.
17. Non-exhaustive information
Is this Privacy Notice exhaustive of all information pertaining to the processing of your personal data?
No. Although this Privacy Notice claims to be exhaustive in relation to the information that we must convey to data subjects pursuant to the GDPR, it does not claim to be exhaustive of all information pertaining to the entire processing we perform as controllers.
In relation to personal data that we did not obtain directly from you, our duty to inform you does not apply insofar as:
you may already have the information;
the provision of certain information may prove impossible or would involve a disproportionate effort, or is likely to render impossible or seriously impair the achievement of the objectives of certain processing;
obtaining or disclosure is expressly laid down by Union or Member State law to which we are subject;
where the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law, including a statutory obligation of secrecy.
18. Contact Point
What are our contact details and how can you contact us?
Email sent to email@example.com
Letter sent to 41F, Three IFC 10, Gukjegeumyung-ro, Yeongdeungpo-Gu, Seoul 07326, Korea and for the attention of Barkely Lim / Jaesub Lee / Seunghwan Lim, Global Business Team, Global Investment Division, KB Asset Management
When you contact us, please, kindly provide your complete identification information, and state as clearly and completely as possible why you are contacting us and what you expect from us. Please kindly note that before we are able to revert to you or implement your request, you may be required to provide further identification details, information or clarification. You may also be required to fill out specific forms. All this may be needed for adequately addressing your solicitation, as well as protecting both your and our interests.
List of Appendices and Schedules
Appendix A – Purposes and legal basis of the processing
Appendix B – Transfers to third countries
Appendix C – Specific retention periods
Appendix D – (Categories of) recipients of personal data
Purposes and legal basis of the processing
The authorised lawful bases under the GDPR
Our processing of your personal data shall be lawful only if and to the extent that at least one of the following applies:
Contract = our processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract
Compliance = our processing is necessary for compliance with a legal obligation to which we are subject
Public interest = our processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
Legitimate interests = our processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data
Vital interests = our processing is necessary in order to protect your vital interests or those of another natural person.
Our processing of your personal data for one or more specific purposes shall also be lawful if you have given your consent to this processing for this or these specific purposes.
Transfers to third-countries
As indicated in Q&A 9, we only consider the following appropriate safeguards when your personal data are to be transferred to a recipient located in a third country which is not subject to an adequacy decision. These appropriate safeguards may be provided for by:
BCR = binding corporate rules
EU contractual clauses = standard data protection clauses adopted by the European Commission
National contractual clauses = standard data protection clauses adopted by a supervisory authority and approved by the European Commission
Private contractual clauses = contractual clauses between us and the controller, processor or the recipient of the personal data in the third country (subject to authorisation by competent supervisory authority)
Code of Conduct = an approved code of conduct with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards your rights
Certification = an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards your rights
Appropriate safeguards may also be provided for by a legally binding and enforceable instrument between public authorities or bodies, and (subject to authorisation by competent supervisory authority) by provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
As indicated in Q&A 9, we only consider the following derogations when we have to make a transfer or a set of transfers of your personal data to a recipient located in a third country which is not subject to an adequacy decision and where there is no appropriate safeguard. Such a transfer or a set of transfers may take place only on one of the following derogatory conditions:
Consent = you have explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
Contract with you = the transfer is necessary for the performance of a contract between you and us or the implementation of pre-contractual measures taken at your request;
Contract in your interest = the transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and another natural or legal person;
Public interest = the transfer is necessary for important reasons of public interest; the third country (subject to authorisation by competent supervisory authority)
Legal claim = the transfer is necessary for the establishment, exercise or defence of legal claims;
Vital interests = the transfer is necessary in order to protect your vital interests or those of other persons, where the relevant person is physically or legally incapable of giving consent;
Public register = the transfer is made from a register which according to EU or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case;
Compelling interests = where necessary and under specific conditions for the purposes of compelling legitimate interests pursued by us.
Specific retention periods
Without prejudice and subject to retention periods that are imposed by applicable laws, regulations and court orders, the following retention periods should apply to personal data.
(Categories of) recipients of personal data