2. Roles Regarding the Processing of Personal Data
Mandatum Life SICAV-UCITS and Mandatum Life SICAV-SIF (each fund is the data controller for its shareholders and contacts)
Mandatum Life Fund Management S.A. (the data controller for the data of website visitors)
26–28 Rue Edward Steichen
Grand Duchy of Luxembourg
Contact information of the Data Protection Officer: email@example.com
Mandatum Life Fund Management S.A. is the management company of the fund and RBC Investor Services Bank S.A. is the administrator, registrar and depositary of the fund. Both companies process personal data of the shareholders on behalf of the fund. You can find more information about the processing of personal data carried out by RBC Investor Services Bank S.A. on RBC’s website.
3. How and Why Do We Process Personal Data?
We process personal data in order to manage the funds, shareholder holdings and shareholder relationships as well as to fulfil our statutory obligations. We also process the personal data of website visitors for analytics and marketing purposes, such as gathering statistics and improving the usability of our website.
The legal grounds for the processing of personal data of shareholders and those connected to institutional shareholders are performance of a contract between the data subject and the data controller as well as compliance with a legal obligation of the data controller. The processing of personal data of our website visitors is based on legitimate interests of the data controller. These interests include the marketing of our services and the development of our website.
4. Whose Data Do We Process and Where Do We Collect Data From?
We process personal data of the following groups of people:
Individual shareholders of the funds
Persons connected to institutional shareholders of the funds (such as employees of the institutional shareholders)
Visitors of the website of Mandatum Life Funds.
Personal data is collected from the individual shareholders and persons connected to institutional shareholders themselves as well as from the institutional shareholders before and during the customer relationship. The data of website visitors is collected from the interactions with the website and from the web browser used by the visitor.
5. What Kind of Data Do We Process?
We process personal data only to the extent necessary or as required by law. Generally, we process data belonging to the categories described below. The details of the processing and the categories of data processed depend on whether you are an individual shareholder of the funds, a person connected to an institutional shareholder of the funds or a website visitor.
Basic Identification and Contact Information
For example name, date of birth, address, phone number, e-mail address and nationality.
Investment and Account Information
For example current investments, dividend instructions and reporting preferences, information about investments made on behalf of other parties, bank account information and information on communications.
Information Required by Law
Information required by tax legislation (CRS and FATCA) and anti-money laundering legislation, for example information about tax residence and the origin of the invested funds.
Information about Website Visitors
For example IP address, used browser application and its version, visited pages and time spent on the website.
6. How Long Is Personal Data Retained?
Personal data of shareholders and those connected to institutional shareholders is stored according to the statutory requirements set, for example, in tax legislation and anti-money laundering legislation. Unless required by law to store the data longer, personal data is stored for at most 13 years after the shareholdership. The data of website visitors is stored for 2 years.
7. Is Personal Data Disclosed to Others or Transferred Outside the EU?
Disclosures of Personal Data
Personal data may be disclosed to recipients outside Mandatum Life as allowed or as required by law. Data can be disclosed for example to authorities, companies within the Mandatum Life Group and other companies involved in managing the fund, such as the depositary and the central administrator of the funds.
Transfers of Personal Data outside the EU and the EEA
The funds and the management company process personal data within the EU. Some of the companies that process data on behalf of the funds process data outside the EU and the EEA. In these cases, we have taken care of protecting the data by using standard contractual clauses approved by the European Commission, binding corporate rules of the processor or similar safeguards, unless the European Commission has issued a decision on the adequacy of data protection.
8. What Rights Do You Have?
You have for example the right to access your data, the right to rectify inaccurate data and the right to erasure of your data as described in more detail below. Please note that we have statutory obligations to process or store certain data and may have an obligation to process or store your data even if you object to the processing or ask for the data to be erased.
You can use your rights described below by contacting the data protection officer of the funds at firstname.lastname@example.org.
The Right of Access
You have the right to receive confirmation on whether or not we are processing your personal data. If your personal data is being processed, you have the right to access the data and to receive a copy of the data. Please note that statutory confidentiality obligations may restrict the use of your right to access data.
The Right to Rectification
You have the right to request that we rectify any inaccurate personal data and complete any incomplete data.
The Right to Erasure (the Right to Be Forgotten)
If you request the erasure of your data or, if the processing is based on your consent, withdraw your consent, we will delete the data unless there are other legal grounds for the processing or unless we have a statutory obligation to store or process the data. In any case, we will delete your data after the retention period.
The Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in cases where the conditions set in legislation are met. Please also note that the right to restriction of processing does not apply to the processing of personal data carried out to fulfil our statutory obligations.
The Right to Data Portability
If the processing of your personal data is based on your consent or the performance of a contract, you have the right to receive the personal data you have provided to us in a structured and commonly used format and the right to have the data transferred to another data controller.
The Right to Object
You have the right to object to the processing of your personal data if the processing is only based on our legitimate interests.
You also have the right to object to the processing of your personal data for direct marketing purposes.
The Right to Lodge a Complaint
If you consider that the processing of your personal data conflicts with the applicable legislation, you have the right to lodge a complaint with the data protection authority, the National Commission for Data Protection of Luxembourg.
9. Website and Cookie Information
We use analytics and marketing tools on our website to develop and market our services. The data collected for analytics and marketing purposes is not connected with data about shareholder accounts.
Cookies are small text files that are stored on the visitor’s computer or other device when visiting our website. Cookies are used, for example, to remember the selections made by the user when moving from one page to another. We also use cookies, for example, to distinguish individual website visitors and to compile statistics of the visits to our website. Cookies may also be used to target marketing. Both session cookies and persistent cookies set by us and our partners are used on our website. You can control and manage cookies through the settings of your web browser.
10. How Is Personal Data Protected and What Kind of Risks Are Involved?
We use necessary and appropriate technological and administrative data protection and security methods in accordance with the best practices to protect personal and other data. These methods include the use of firewalls, strong encryption techniques and secure facilities, access controls and limited access rights, training of the staff as well as the careful selection of subcontractors. The subcontractors are contractually bound to comply with the applicable legislation and the data protection and security principles and guidelines of Mandatum Life.
The processing of personal data is only allowed for employees who need to use the data to carry out their tasks. The systems containing personal data have individual user accounts and the use of the systems is monitored. Employees of Mandatum Life who process personal data are bound by a confidentiality undertaking. Personal data that is no longer necessary is deleted securely.
Despite careful and appropriate security and protection measures, data processing always includes a risk. If a personal data breach that is likely to result in a high risk to your privacy or other rights takes place despite the security and protection measures, we will contact you as soon as possible.