Collection and processing of personal data by Zenon Investments GmbH
1. Use of sources and data
We process personal data that we receive from our investors and business partners, their authorised representatives and other associated persons as well as interested parties in the context of our business relationship or in the context of business initiation. In addition, to the extent necessary for the provision of our services, we process personal data which we may obtain from publicly accessible sources (e.g. commercial register, press, internet) or which are transmitted to us by other authorized third parties.
Relevant personal data may include: personal details such as name, address and other contact data, date of birth, marital status or nationality; identification data; or authentication data, e.g. specimen signatures. In course of initiating a business relationship, further personal data may be collected, processed and stored, as well as information on knowledge and experience with securities, interest rate and currency products, investment behaviour/strategy or financial situation.
2. Data processing purpose and legal basis
The processing of personal data takes place in accordance with the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):
a. On the basis of consent (Art. 6 para. 1 a GDPR)
If we have been given permission to process personal data for certain purposes (e.g. passing on data for counselling purposes), the legality of this processing is given on the basis of the consent provided. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. The revocation is only effective for the future. Processing that took place before the revocation is not affected by this.
b. For the fulfilment of contractual obligations (Art. 6 para. 1 b GDPR)
The processing of personal data (Art. 4 para. 2 GDPR) takes place for the provision of our services as a capital management company (KVG) or for the implementation of pre-contractual measures which take place at the request of the person concerned.
c. Due to legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)
As KVG, we are subject to various legal obligations (e.g. Securities Trading Act (WpHG), Money Laundering Act (GwG), German Investment Code (KAGB), German Regulation on Derivatives (DerivateV), tax laws) and regulatory requirements (e.g. BaFin). The purposes of the processing include, among other things, identity and age verification, checking whether an investor is semi-professional or professional within the meaning of Art. 1 para. 19 (32, 33) of the KAGB, as well as fraud and money laundering prevention.
d. Within the framework of the balancing of interests (Art. 6 para. 1 f GDPR)
If necessary, we process data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. Examples include asserting legal claims and defending against legal disputes, ensuring IT security / IT operations or preventing and solving crimes.
3. Additional information on data processing within the scope of our internet presence
The use of our website is basically possible without providing personal data. As far as personal data (for example name or email addresses) are collected on our internet pages, this is done on a voluntary basis.
For technical reasons, in particular to ensure a secure and stable internet presence, data is transmitted to us or to our webspace provider via the visitor’s (user’s) internet browser. With these server log files, the type of the user‘s internet browser, operating system, referrer URL, date/time of the respective access and the IP address of the internet connection from which our internet pages are visited are collected.
The data collected in this way is temporarily stored on the legal basis of Art. 6 para. 1 f GDPR – but not together with other user data – unless further storage is required for evidential purposes. Otherwise, the data will be excluded from deletion until an incident has been finally resolved.
Some of our website uses so-called cookies. Cookies are small text files that are stored on the user’s terminal device. They serve to make our website more user-friendly, effective and secure. These cookies process certain user information on the legal basis of Art. 6 para. 1 b GDPR: e.g. browser, location data or IP address. If necessary, cookies may also be used by business partners, service providers and vicarious agents for the purpose of analysing or maintaining and improving the functionalities of our website.
Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of the user‘s visit to our website. Other cookies remain stored on the user’s terminal device until they are deleted by the user. These cookies enable us to recognize the user’s browser the next time he or she visits our website. The installation of cookies can be prevented or restricted by settings in the user’s internet browser. Cookies that have already been saved can also be deleted in this way.
b. Google AnalyticsDisallow Google Analytics to track me
We use Google Analytics for our internet pages. This is the web analysis service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. Google Analytics serves to analyse the usage behaviour of our website on the legal basis of Art. 6 para. 1 f GDPR. Google LLC’s certification under the EU-US Privacy Shield guarantees that the EU’s data protection requirements are also complied with when processing data in the USA.
c. Contact form
If users send us enquiries using the contact form on this website, the information from the enquiry form, including personal data, will be stored for the purpose of processing the enquiry on the legal basis of Art. 6 para. 1 f GDPR.
4. Data recipients
Within the KVG, those departments receive access to data that need them to fulfil our contractual and legal obligations. Service providers and vicarious agents used by us may also receive data for these purposes if they comply with our data protection instructions. These are companies in the categories banking and financial services, IT services, telecommunications, auditing, consulting and sales and marketing.
We may only pass on personal information to recipients outside the KVG who are not service providers or vicarious agents if required to do so by law or if we have the consent of the persons concerned. Under these conditions, recipients of personal data can be, for example:
- Public bodies and institutions (e.g. BaFin, tax authorities, law enforcement authorities) in the event of a legal or official obligation.
- Financial services institutions or similar institutions to which we transmit data (e.g. depositaries or asset managers) in order to conduct our business relationship with investors.
Further data recipients may be those bodies for which we have been given the corresponding consent for data transmission.
5. Transmission of data to third countries or international organisations
Data is transferred to offices in countries outside the EU and the EEC (so-called third countries) to the extent required by law (e.g. tax reporting obligations), if we have been given consent for the execution of transactions, or as part of order processing.
When processing an order, the service providers are contractually bound by our instructions and are subject to strict technical and organisational security measures. The appropriation or earmarking and the exclusion of the right to process the data for one’s own purposes have been agreed. Processors are located both in countries that are the subject of a Commission adequacy decision and in countries that do not have a level of data protection comparable to that of the EU. If service providers in third countries are used for which no adequacy decision has been taken, these were obliged to comply with the level of data protection in Europe in addition to the instructions in writing by the agreement of the EU standard data protection clauses. The standard contractual clauses (contract processors) are available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF (Annex to Commission Decision of 5 February 2010, document number C(2010) 593).
6. Data protection rights
According to Article 12 GDPR, every person concerned has the right to information according to Article 15 GDPR, the right to correction according to Article 16 GDPR, the right to cancellation according to Article 17 GDPR, the right to limitation of processing according to Article 18 GDPR, the right to objection according to Article 21 GDPR and the right to data transferability according to Article 20 GDPR. The restrictions according to Art. 34, 35 BDSG apply to the right to information and deletion. Persons concerned may contact the KVG on all questions relating to the processing of their personal data and the exercise of their rights (Art. 38 para. 4 GDPR). In addition, there is a right of appeal to a competent data protection supervisory authority (Art. 77 GDPR in conjunction with Art. 19 BDSG).
7. Duration of data storage
Where necessary, we process and store data for the duration of our business relationship with our investors and business partners, which also includes the initiation and execution of a contract. This business relationship is a continuing obligation and is intended to last for years. If data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted, unless their temporary further processing is necessary for the following purposes:
- Fulfilment of commercial and tax retention obligations – in particular the German Commercial Code (HGB), Fiscal Code (AO) and Money Laundering Act (GwG) with retention periods of 5 to 10 years.
- Preservation of evidence in accordance with the statutory statute of limitations. According to Art. 195 ff. German Civil Code (BGB) these can amount to up to 30 years, whereat the regular period of limitation is 3 years.
8. Obligation to provide data
As part of the business relationship, our investors and business partners must provide us with the data required for the establishment, execution and termination of a business relationship or to the collection of which we are legally obliged. In particular, under the Money Laundering Act (GwG), we are obliged to identify investors on the basis of an identification document before establishing the right of representation and to collect and record their name, date of birth, nationality, address and identity card data. In order for us to fulfil this obligation, investors must provide us with the necessary information and documents in accordance with the GwG and notify us immediately of any changes arising in the course of the business relationship. If we are not provided with the necessary information and documents, we may not enter into or continue the business relationship.
9. Automated decision making and profiling
We do not use fully automated decision making according to Art. 22 GDPR and do not use personal data for profiling.
10. Right of objection according to Art. 21 GDPR
Objections can be addressed to us form-free – the contact details can be found in item 11.
a. Right of objection on a case-by-case basis
Investors and business partners have the right to object at any time for reasons arising from their particular situation to the processing of personal data based on Art. 6 para. 1e and f GDPR; this also applies to profiling within the meaning of Art. 4 para. 4 GDPR. If an objection is filed, the personal data will no longer be processed, unless we can prove compelling reasons worthy of protection for the processing, which outweigh the interests, rights and freedoms of the investor or business partner, or the processing serves to assert, exercise or defend legal claims.
b. Right of objection to the processing of data for direct marketing purposes
In individual cases we process data for direct advertising. Investors and business partners have the right to object at any time to the processing of personal data concerning them for the purpose of such advertising. If the processing for direct marketing is objected to, the corresponding personal data will no longer be processed for these purposes.
11. Responsible for data processing and contact
Zenon Investments GmbH, Otilostrasse 22, 82166 Graefelfing, Germany, is responsible and can be contacted by post or using the contact form on our website.