The purpose of this Privacy Notice is to inform how and why Verso Capital Oy (later the “Controller” or “we”) collect, store and process personal data of the representatives of clients, prospects and business partners of the Controller, as well as the representatives of investors investing on funds managed by the Controller (such representatives being the data subjects). Personal data refers to any information relating to a natural person (“data subject”), which allows a person to be directly or indirectly identified, as defined in the General Data Protection Regulation (EU 2016/679).
We are dedicated to processing the personal data in compliance with the General Data Protection Regulation and other applicable data protection and privacy laws (together the “data protection legislation”).
2 Controller and contact information
Verso Capital Oy (Business ID 2477697-0)
Mikonkatu 6, 00100 Helsinki
3 Legal basis and purposes of processing
The processing of personal data is based on the following legal bases:
– Legitimate interest of the Controller or a third party (such as current or future clients or business partners of the Controller); the legitimate interest being e.g. the performance of an agreement between the entity represented by the data subject and the Controller, or another relevant connection between the data subject and the Controller, as well as other legitimate interests of the Controller as further specified below;
– Compliance with a statutory obligation to which the Controller is subject, such as accounting and tax related obligations including obligations arising from the Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017, as amended) and from the Finnish Act on Alternative Investment Funds Managers (162/2014, as amended);
– Consent of the data subject.
We process the personal data for the following purposes:
– Managing and developing business relations and other relevant connections with the client, the business partner or the investor, including business communications and marketing;
– The provision of the services ordered by the entity represented by the data subject, and the execution of obligations related to the provision of the services;
– Invoicing, keeping track of the accuracy of invoicing and the execution of administrative payments and costs;
– As applicable, preventing, revealing and investigating money-laundering and terrorist financing as well as for the purposes of bringing under the relevant authorities’ investigation money laundering, terrorist financing and/or criminal acts (by which the assets or benefit of crime have been received) and complying with other applicable laws and regulations (including obligations to report to tax authorities);
– In case of representatives of investors, processing subscriptions of interests, drawdown notices and payments of distributions to the holders of interests and more generally fulfilling the obligations under the fund agreement and providing services in relation to the investor’s investment;
– Ensuring the security of our services, risk management, as well as preventing and solving abuses and frauds;
– Business planning and development.
The provision of personal data and the processing thereof for the purposes set out above is in most cases necessary for both statutory and contractual reasons. Should the representative(s) of the clients, the business partner or the investors fail to provide the required personal data, we may not be able to fulfil our statutory or contractual obligations and thus we may not be able to enter into or continue the business relation between us and the relevant client, business partner or investor.
4 Categories of personal data and sources of data
We only collect personal data relevant and necessary for the purposes outlined in this Privacy Notice. Such personal data includes in particular the following data:
– Name and contact information (such as business address, telephone number and email address);
– Preferred language where applicable;
– Information concerning the data subject’s employer, title and position or assigned tasks within the entity represented by the data subject;
– Information on the business relationship and information related to the relevant agreement and the data subject’s association to the agreement;
– Invoicing and payment details;
– Details on communications and other interaction between the data subject and us, such as information on phone calls and other conversations including emails as well as information concerning executed marketing acts;
– Possible permissions and prohibitions concerning direct marketing
– As applicable, information required to be collected pursuant to anti-money laundering regulations or other regulations (including to those relating to reporting to tax authorities), such as “know your customer” (KYC) information, including social security numbers / dates of birth / personal identity codes / tax identification numbers, nationalities and photos (in passports or identity documents).
The personal data is mainly collected from the data subjects themselves, for example, in connection with entering into agreements and completing forms and questionnaires in that connection, in connection of business communications and marketing as well as otherwise during the contractual relationship. In case of representatives of investors, we may collect personal data also from documents and information supplied by the investor and its representatives in connection or as supplements to the forms and questionnaires attached as appendices to the relevant agreements or any later updates or amendments to such information. Where required or permitted by the law, we may collect data also from other sources.
5 Retention of personal data
The retention time of the collected personal data is subject to the legal basis and purpose of processing. In general, all collected personal data will be retained at least for the term of the relevant agreement, unless a longer retention period is required by law (for example regarding obligations and responsibilities related to accountancy or reporting) or unless the data is needed for drafting or presenting a claim or for a legal defence or for resolving any disputes.
Where the personal data is collected on the basis of an obligation based on applicable law, the retention of the personal data may also be subject to explicit statutory requirement. For example, “know your customer” (KYC) information will be retained in compliance with the Act on Detecting and Preventing Money Laundering and Terrorist Financing for at least five (5) years after the end of the customer relationship.
When the personal data is no longer needed as defined above, data is deleted within a reasonable time.
6 Transfers and disclosures of personal data
We utilise service providers and third parties to carry out our business and delegate some of our operations to our service providers, and we transfer personal data to such service providers for processing. For example, we use IT service providers e.g. to deliver office and communications software and equipment, and providers of administration services. We also use marketing, legal, accounting and other service providers, to which we may transfer or disclose personal data.
We may disclose personal data within the limits permitted or required by applicable legislation from time to time, for example to competent authorities when required to do so under applicable laws (for example to tax authorities in Finland and other countries in which we are required to fulfil statutory obligations), or to prepare for legal proceedings or to defend a claim. In addition, we may disclose personal data to financial service providers, such as banks and custodians, or to a debt collection agency for purposes of debt collection, or to other service providers, but only to the extent that the fulfilment of their tasks require the disclosure of personal data. We may also have to disclose a data subjects’ personal data in case of emergencies or in other unexpected situations to protect health and property.
In case of representatives of investors, personal data may also be disclosed to other limited partners (and as applicable, their general partners and/or managers). List of the applicable recipients of personal data will be provided upon request.
In addition, we may share personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.
Where personal data is transferred outside the European Union or the European Economic Area, we ensure by contractual or other applicable measures that the transfers are subject to appropriate safeguards. More information on cross border transfers of the personal data and on the appropriate safeguards applied thereto from time to time is available upon request.
7 rights of the data subject
The data subject has the rights set out in the General Data Protection Regulation.
– Right of access: The data subject has the right to obtain a confirmation whether his or her personal data is processed, and to access the personal data about himself/herself and to request to receive the data in a paper copy or in an electronic form.
– Right to rectification and erasure: The data subject has the right to demand the Controller to correct any incorrect or incomplete personal data and under certain conditions, the right to request the erasure of his/her personal data.
– Right to restriction of processing: The Controller may be obliged to restrict the processing of personal data in accordance with the conditions set out in the General Data Protection Regulation.
– Right to object to processing: In certain cases, the data subject may have the right to object to processing of personal data concerning him or her. The data subject always has the right to object the use of his/her personal data for purposes of direct marketing.
The data subject can use these rights by submitting a request to us by using the contact information mentioned in the beginning of this Privacy Notice.
After receiving all the required information to complete the request, including confirmation of identity, we will start the processing of the request. We will contact the data subject at the latest within a period of one month. If the request is denied, the data subject will be informed about the refusal in writing. We may refuse the request (such as erasure of the data) due to a statutory obligation or right.
In case the data subject considers our processing activities of personal data to be inconsistent with the applicable data protection legislation, the data subject has the right to lodge a complaint with the competent data protection supervisory authority.
8 Changes to this Privacy Notice
We may change this Privacy Notice from time to time, whenever necessary. The changes might also be based on the amendments of the legislation. All changes will be made available on our website or otherwise.