1. General information
This Privacy Notice describes how Fondita Fund Management Company Ltd. (business ID: 0899688-5) (“Fondita”) processes personal data, what personal data Fondita collects, for what purposes the data is used and to whom the data can be disclosed. The Privacy Notice also informs about the obligations Fondita follows when processing personal data.
We are dedicated to processing personal data in compliance with the European Union’s General Data Protection Regulation (2016/679) and other applicable privacy laws (together as “data protection legislation”). Taking care of data protection is a part of Fondita’s business activities.
This Privacy Notice is applicable to all funds offered by Fondita, to our websites, social media services and events. The Privacy Notice applies to processing of personal data of our customers and potential customers, business partners and service providers and also to processing of personal data of our shareholders, job applicants and other people involved in recruitment processes.
“Personal data” refers to any information about a natural person (“data subject”) that allows the person to be directly or indirectly identified as an individual, as defined in the General Data Protection Regulation. Information from which the data subject cannot be identified, directly or indirectly, is not considered personal data.
2. Controller and Data Protection Officer
Controller: Fondita Fund Management Company Ltd
Aleksanterinkatu 48 A, 00100 Helsinki
Contact details: firstname.lastname@example.org
Data Protection Officer:
Data Protection Officer of Fondita Fund Management Company Ltd: Fredrik von Knorring
Contact details: 09-6689 8933
3. Legal basis for the processing of personal data and the purpose of processing
The legal basis for the processing of the data subjects’ personal data is primarily the contract between Fondita and the data subject, which is based on the order of the fund product or fund service. The processing of personal data is also based on statutory obligations such as accounting obligations and obligations arising from the Investment Funds Act and the Limited Liability Companies Act. Processing concerning the customer relationship and direct marketing is based on the legitimate interest of Fondita.
Also, the legal basis for processing concerning the recruitment procedure is primarily the legitimate interests pursued by Fondita and the data subject.
We process personal data, for example, for the following purposes:
- Subscribing for fund units of Fondita’s funds
- Ordering Fondita’s other services and participating in the events organized by Fondita
- Producing, maintaining, developing and assuring quality of the services
- Ensuring the security of services and preventing fraud
- Carrying out statutory obligations
- Business planning and product development
- Communication, information and marketing
- Risk management and preventing abuses
4. Processed categories of personal data, data content and sources of data
We only collect the data subjects’ personal data which is relevant and necessary for the purposes outlined in this Privacy Notice.
The following information about data subjects is processed:
Categories of personal data
Examples of data content
Data subject’s name, address, phone number and email.
Personal identity code or equivalent foreign identity identifier and date of birth.
Information concerning the customer relationship and customer transactions information
Account number, billing and payment information, and other information identifying the customer relationship, as well as contacts and complaints between the data subject and Fondita.
Know Your Customer (KYC) information
The name, date of birth and personal identity code of the data subject; full names, birth dates and nationalities of the legal entity’s board members or the corresponding decision-making body; the name of the document used to authenticate the identity, the document number or other identifying information and the issuer, or a copy of the document or, if the customer has not been physically present for the identification, information about the procedure or sources used for authentication; information about the customer's business, the quality and scope of the business, the financial position, the basis for the use of the transaction or service, and information on the origin of the assets.
Shareholders’ or outsourced share register’s fund units related information
The same information as the share register. The information is in the possession of the fund manager and will be handed over to Fondita if necessary.
The fund unit register
The list of shareholders and shares
Information on the data subject’s number of shares and historical data related to ownership. The name and postal address of the fund unit holder, the number of fund units owned, the specification of the different types of shares and series of shares, the date of registration of the fund unit and the serial number of the share certificate or fund unit share.
Information in data subject’s job application, curriculum vitae and other recruiting material and data collected during the recruitment process. In addition, information about other people involved in recruitment processes.
Providing the above-mentioned information is necessary to fulfil the obligations of the contract between Fondita and the data subject and the statutory obligations, as well as to provide Fondita’s services and handle the recruitment processes.
Personal data is mainly collected from the data subjects themselves, for example in connection with marketing, when entering into a customer agreement, during the use of Fondita’s Online service and otherwise during the customer relationship, and, if required by law, also from other sources.
5. Retention of the personal data
Fondita will retain the personal data for as long as is necessary to fulfil the purposes outlined in the Privacy Notice unless a longer retention period is required by law (for example regarding obligations and responsibilities related to special legislation, accountancy or reporting) or unless the data is needed for drafting or presenting a claim or for a legal defence or for resolving a dispute of a similar nature.
The personal data will be processed for the duration of the customer and contractual relationship and for a necessary time after the end of the customer and contractual relationship. As a main rule, the personal data of customers will be deleted ten (10) years after the end of the customer relationship.
Regarding entities, the retention of the data subject’s personal data is linked to the length of time the data subject is acting as a representative towards Fondita. The personal data will be deleted within a reasonable time after the concerned role ends unless it is required by law to retain the data for a longer period of time.
The personal data necessary for marketing purposes will be maintained for as long as the data subject has not objected to the use of personal data for marketing.
Know Your Customer (KYC) information will be retained in compliance with the Act on Detecting and Preventing Money Laundering and Terrorist Financing (28.6.2017/444) for at least five (5) years after the end of the steady customer relationship. In addition, the subscription and redemption orders shall be retained for at least five (5) years.
Fondita will retain the accounting materials for as long as is required by law.
The list of shares and shareholders shall be constantly updated and the data shall be retained permanently.
Targeted job applications and the relevant recruiting material shall be retained for the period of one (1) year from the final recruitment decision. Open job applications and the relevant recruiting material shall be retained for one (1) year from the receipt of the application. After that the data may be retained on the basis of a separately given consent by the data subject.
When the personal data is no longer needed as defined above, the data is deleted within a reasonable time.
6. Processors of the personal data and other recipients
Fondita may, in accordance with this Privacy Notice, outsource the processing of personal data to service providers or subcontractors. Such processors include, for example, IT systems and financial management service providers as well as providers of debt collection and legal services, supply service providers and service providers producing other services. In addition, service providers maintaining the fund unit register and insider register may participate in the processing. Fondita ensures with adequate contractual obligations that personal data is processed properly.
The personal data may also be disclosed to authorities such as tax and execution authorities to fulfil statutory and contractual obligations. The data may not be disclosed for the purposes of direct marketing.
Fondita may also have to disclose data subjects’ personal data in case of emergencies or in other unexpected situations to protect human life, health and property. Additionally, Fondita may have to disclose the personal data of the data subjects if Fondita is part of legal proceedings or other dispute resolution proceedings.
If Fondita is involved in a merger, business acquisition or other transaction, it may be required to disclose the personal data of data subjects to third parties.
7. Transfer of personal data outside EU/EEA
Personal data will not be transferred outside the European Union or the European Economic Area.
8. Principles of protection of personal data and security of processing
Fondita processes personal data in a manner that seeks to ensure in every situation the proper security and privacy of personal data, including protection against unauthorized processing and accidental loss, destruction or damage.
Fondita uses appropriate technical and organizational safeguards to protect personal data, including the use of firewalls, encryption techniques and safe device facilities, proper access control and guidance for personnel and subcontractors involved in processing of personal data. Documents retained as original copies shall be kept in locked areas.
All persons processing the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to issues concerning the personal data of the data subjects.
9. Rights of data subjects
The data subjects have the rights set out in the data protection legislation.
Right of access
The data subject has the right to obtain confirmation of whether his or her personal data is processed.
The data subject has the right to access the personal data about himself/herself and to request the data as a paper copy or in an electronic form.
Right to correct and erase data
The data subject has the right to demand the correction of any incorrect or incomplete personal data. The data subject also has the right to request the removal of his/her data under the current data protection legislation.
The controller also removes, corrects and completes incorrect, unnecessary, incomplete or outdated data on its own initiative when the controller notices such data.
Right to data portability and to restrict and object to processing
The data subject has the right to request that his/her data be transmitted to another controller under the applicable data protection legislation.
The data subject has the right to request the restriction of processing of personal data in accordance with the conditions set out in the data protection legislation. Additionally, where the personal data is suspected to be incorrect and cannot be corrected or removed, or there is confusion about the removal request, Fondita will restrict access to the data.
The data subject has the right to object to the processing of personal data for certain purposes, such as direct marketing.
Right to withdraw consent
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw consent at any time. The withdrawal does not affect processing carried out on the basis of consent before the withdrawal.
Exercising the rights of the data subjects
Requests concerning the rights of the data subjects shall be made in writing or in electronic form and shall be addressed to the controller (contact information in section 2 of this Privacy Notice).
The identity of the data subject shall be confirmed prior to providing the data. We may request additional information to fulfil the above-mentioned requests. The request shall be answered within a reasonable time, and if possible, within one (1) month from presenting the request and confirming the identity.
If the data subject’s request is denied, the data subject shall be informed about the refusal in writing. Fondita may refuse the request (such as deleting the data) because of a statutory obligation or a statutory right of Fondita, such as an obligation or a claim related to our services.
10. Right to lodge a complaint with the supervising authority
The data subject shall have the right to lodge a complaint with the data protection ombudsman if the data subject considers that his/her personal data has been processed in breach of the current applicable data protection legislation.
You can find the contact information of the supervising authority here.
11. Changes to the Privacy Notice
We develop our services continuously and may therefore need to change and update this Privacy Notice. The changes might also be based on amendments to the legislation. We recommend reviewing the content of the Privacy Notice regularly. If the changes contain new purposes for the processing of personal data, we will give notice in advance and will ask for consent if necessary.
The Privacy Notice was published on 25.5.2018.