PRIVACY POLICY

 

Introduction

  • This is the Privacy Policy of Activate Capital Limited and Activate Investments DAC which are referred to as the “Companies”, “us” or “we” throughout this Privacy Policy. This Privacy Policy provides details of the way in which we Process Personal Data in line with our obligations under Data Protection Law.
  • Capitalised terms used in this Privacy Policy are defined in the Glossary in Annex I.

 

Background and Purpose

  • The purpose of this Privacy Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices.
  • In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us e.g. application forms etc.

 

The Companies as Data Controllers

  • The Companies will act as Data Controllers in respect of Personal Data provided to us by various individuals in connection with the operation and administration of the Companies. Such individuals will generally include the following:
  • Customers and business contacts;
  • employees and contractors;
  • website visitors;
  • ultimate beneficial owners of corporate borrowers;
  • directors of corporate borrowers, and related entities; and
  • authorised signatories of corporate borrowers, and related entities.

Personal Data is processed by the Company for the following purposes:

Purpose of Processing

Lawful Basis under GDPR

Processing of customer details to allow the Companies to act as a development finance business and to provide its various services and to comply with applicable anti-money laundering and “know your client” obligations.

Such processing is necessary: (a) for the performance of a contract between the Companies and its customers pursuant to Article 6(1)(b) GDPR; and (b) for the legitimate interests pursued by the Companies pursuant to Article 6(1)(f) GDPR (in particular for anti-money laundering and “know your client” obligations).

 

Processing of employees’ Personal Data for employment purposes including payroll administration, general personnel administration and Company management.

Such processing is necessary: (a) for the performance of a contract between the Companies and its employees pursuant to Article 6(1)(c) GDPR; and (b) for compliance with applicable laws and regulations such as accounting and tax requirements pursuant to Article 6(1)(c) GDPR.

 

Processing of Personal Data of professional advisers such as lawyers and accountants.

Such processing is necessary for the legitimate interests pursued by the Companies as investment companies pursuant to Article 6(1)(f) GDPR.

 

Processing of Personal Data for website purposes such as technical information, information about your website visit and cookies.

Such processing is necessary for the legitimate interests pursued by the Company including for troubleshooting, data analysis, testing, research, statistical and survey purposes pursuant to Article 6(1)(f) GDPR.

Details of corporate borrowers, including for compliance with applicable anti-money laundering and “Know Your Client” obligations.

Such processing is necessary; (a) for the performance of a contract to enable the Companies to act as investment companies (Art. 6(1)(b) GDPR); and (b) for compliance with the legal obligations to which the Companies are subject as investment companies (Art. 6(1)(b) GDPR).

 

The Companies and Data Processors

  • The Companies will engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of the Companies and gives rise to a Data Controller and Data Processor relationship, the Companies will ensure that such relationships are governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

 

Record Keeping

  • As part of our record keeping obligations under Art. 30 GDPR, the Companies retain a record of the Processing activities under its responsibility. This comprises the following:

Art. 30 GDPR Requirement

The Companies’ Record

Contact details of the Controller

 

Activate Capital Limited

98 St. Stephen’s Green

Dublin 2

Ireland

contact@activatecapital.ie

The purposes of the processing

 

See Section on the Companies as Data Controllers.

Description of the categories of data subjects and of the categories of personal data.

 

See Annex II of this Privacy Policy.

The categories of recipients to whom the Personal Data have been or will be disclosed.

 

See Section on Disclosing Personal Data.

Where applicable, transfers of personal data to a third country outside of the EEA.

 

See Section on Disclosing Personal Data.

Where possible, the envisaged time limits for erasure of the different categories of data. See Section on Data Retention.
Where possible, a general description of the technical and organisational security measures referred to in Article 32(1). See Annex III of this Privacy Policy.

 

Special Categories of Data

  • The Companies Process Special Categories of Data (“SCD”) in certain circumstances, such as the ordinary course of employee administration. The Companies shall Process such SCD in accordance with Data Protection Law.

 

Individual Data Subject Rights

  • Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):
  • The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
  • The right of access to Personal Data;
  • The right to rectify or erase Personal Data (right to be forgotten);
  • The right to restrict Processing;
  • The right of data portability;
  • The right of objection; and
  • The right to object to automated decision making, including profiling, and to Processing that is based on the Companies’ legitimate interests;
  • These Data Subject Rights will be exercisable by you subject to limitations as provided for under Data Protection Law. You may make a request to the Companies to exercise any of the Data Subject Rights by emailing Activate at contact@activatecapital.ie. Your request will be dealt with in accordance with Data Protection Law.

 

Data Security and Data Breach

  • We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. For more information on security measures see Annex III.
  • The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by the Companies will be dealt with in accordance with Data Protection Law and the Companies’ Data Breach Procedure.

 

Disclosing Personal Data

  • From time to time, we may disclose Personal Data to third parties such as our subsidiaries, our ultimate holding company and its subsidiaries. We may also allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data).
  • We may share with or disclose your Personal Data with selected third parties including:
  • business partners, suppliers, service providers, such as our outsourced payroll service provider and professional advisors, and sub-contractors; and analytics and search engine providers that assist us in the improvement and optimisation of our Site;
  • in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets (based on our legitimate business interests). If we or our assets are acquired by a third party (based on our legitimate business interests);
  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use www.activatecapital.ie/terms; or to protect our rights or property. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

 

Data Retention

  • We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Policy).

 

Data Transfers outside the EEA

  • From time to time, the Companies may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland. It may also be processed by staff operating outside the EEA who work for us. If such transfer occurs, the Companies will ensure that such processing of your Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission) or ensuring that the recipient is Privacy Shield certified, if appropriate. If you require more information on the means of transfer of your data or would like a copy of the relevant safeguards, please email Activate at contact@activatecapital.ie.

Cookies

  • Cookies are small text files that may be placed on your browser when you visit our Site. Cookies are used primarily for administrative purposes, to improve your experience with our Site. For instance, when you return to the Site after logging in, cookies provide information to the Site, including personal data, so that the Site will remember who you are. Our Site uses cookies primarily to capture anonymous analytics used to improve our Site experience and performance. This includes compiling statistical information concerning, among other things, the frequency of use of our Site, the pages visited, and the length of each visit, as well as information about your computer, operating system, browser, language and country. We do not use cookies to store any personal data that could be read or understood by others.
  • Using the settings of your Internet browser, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. Consult your browser Help menu to learn the correct way to modify your cookies. If you choose to turn off cookies, you may not have access to certain features of our Site. You may at any time delete any cookies set by using the relevant option of your Internet browser or by deleting the cookies on your hard drive.
  • We use the following cookies: Google Analytics – 1st Party – 12 months.

 

Further Information/Complaints Procedure

  • For further information about this Privacy Policy and/or the Processing of your Personal Data by or on behalf of the Companies please email Activate at contact@activatecapital.ieu. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact us in the first instance to give us the opportunity to address any concerns that you may have.

 

Date: May 2018

 

ANNEX I

Glossary

In this Privacy Policy, the terms below have the following meaning:

Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.

Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the [Data Protection Act 2018] and any other laws which apply to the Company in relation to the Processing of Personal Data.

European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:

  • a name, an identification number;
  • details about an individual’s location; or
  • any other information that is specific to that individual.

Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

ANNEX II

Types of Personal Data

Categories of Data Subject Type of Personal Data
Borrowers Names, addresses, utility bills, passport copies, driving licence copies, dates of birth and other proofs of address.

 

Directors, officers and authorised signatories of corporate borrowers, and related entities

 

Names, addresses, contact details, utility bills, passport copies, driving licence copies, dates of birth and other proofs of address (for AML and KYC purposes).

 

In relation to authorised signatories, specimen signatures, name and contact details.

 

Ultimate beneficial owners of corporate borrowers. Names, addresses, contact details, utility bills, passport copies, driving licence copies, dates of birth and other proofs of address (for AML and KYC purposes).

 

Employees Name, address, contact details, tax details, bank account details, HR/personnel file, dates of birth.

 

Website visitors With regard to each of your visits to our Site, We may automatically collect the following information: (a) technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and (b) information about your visit, including the pages you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs) and methods used to browse away from the page.

 

ANNEX III

IT Security Measures

  • The Companies store all Personal Data on cloud based servers operated by one of the main providers of such services globally (the “Cloud”).
  • Access to the Cloud is password controlled and such access is only granted to employees of the Companies and their IT service providers.
  • Backups of all data on the Cloud are taken on a daily basis and can be restored on notification to the Companies’ IT service providers.