Karoll Capital Management EAD
Asset management company Karoll Capital Management EAD, registered in the Commercial Register with UIC 131134055, having its registered seat and address of management in Sofia 1303, 57 Hristo Botev blvd., with correspondence address in Sofia 1164, 1 Zlatovrah str. and e-mail: firstname.lastname@example.org, person in charge for protection of personal data- Kameliya Stoyanova, 02/4008 300 (Management company or Company) is an administrator of personal data under the Regulation (EU) 2016/679 and Law on Personal Data Protection.
The Management company treats personal data in compliance with a legally established obligation for identification of the persons within the meaning of the Law on Measures against Money Laundering, the Law on the Activity of Collective Investment Schemes and Other Collective Investment Undertakings, the Markets in Financial Instruments Act, and theirimplementing acts.In case of a client`s denial for presenting his/her own personal data, the Company should be obliged under the law to refuse the signing of a contract and presenting any service at all. In case of an already established relationship, the Company is obliged to terminate it.
This Policy (the "Policy") defines the terms and conditions under which natural persons, whose personal data are processed by the Management Company Karoll Capital Management, may exercise their rights under the legislation on the protection of personal data.
The terms used in this Policy have the following meanings:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Applicable law” means European and Bulgarian legislationin the relation to the personal data protection;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“Regulation 2016/679” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 Von the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Art.1 (1) Karoll Capital Management EAD processes and protects personal data, gathered in the performance of its activities in a fair, lawful manner and for the purposes for which they were collected.
(2) The purposes of processing of personal data include not only conclusion and fulfillment of contracts for separate managed accounts as basic services of the Management Company, contracts for purchase and sale of managed and distributed by Karoll Capital Management collective investment schemes` units, but also contracts for providing investment advice and administration of units, legal and accounting services in relation to asset management and all activities included in the license of the Company.
(3) The Management Company processes personal data of the subjects also in compliance with statutory obligations such as
- obligations to provide information to supervisors;
- provision of information to the Commission for personal data protection in relation to obligations under the legislation on personal data protection;
- obligations provided by the Accountancy Law and the Tax-Insurance Procedure Code and other related statutory instruments in relation to the conduct of proper and lawful accounting.
(4) The controller does not intend to process the personal data for a purpose other than the one for which it was collected. If such processing is necessary, Karoll Capital Management EAD will provide the data subject with prior information for this different purpose and any other necessary information.
(5) The Company does not apply automated decision making
Art.2 (1) Employees of the Company who process personal data for the purposes listed in Article 1, paragraph 2 as part of their employment obligations shall observe the following principles when processing personal data of customers:
- Personal data are processed lawfully and in good faith.
- Personal data are collected for specific and legitimate purposes and are not processed in a manner incompatible with these purposes.
- Personal data that are collected and processed are relevant, related and not exceed the purposes for which they are processed.
- Personal data are accurate and if necessary updated.
- Personal data are deleted or corrected when they are found to be inaccurate or disproportionate to the purposes for which they are being processed.
- Personal data shall be maintained in a form that permits the identification of the individuals for a period no longer than it is necessary for the purposes they are processed.
- Personal data are processed in a manner that ensures a level of security, including protection against unauthorized and illegal processing, accidental loss, destruction or damage.
Art. 3 (1) The personal data typically collected and processed in connection with the conclusion and performance of obligations under the above contracts are the following:
- Name, surname and last name;
- Personal ID or passport number and date of issue;
- PIN, place of birth;
- Contacts: e-mail, address / permanent and / or current / telephone;
- Bank information: bank account number;
- Information gathered in connection with a contract for managing separate accounts - information on professional experience on capital markets, property and income etc.;
- Video capture as a result of video surveillance of the company's offices.
(2) Unsupported information provided by customers containing personal data is deleted.
Art.4 (1) Considering the activity of the Management Company it concludes written agreements with contractors for the provision and receipt of different types of services, which are processors or recipients of personal data. Observing legal requirements and solely for the purpose of providing the service requested by the customer, it is possible Management Company to disclose personal data provided by customers to the following non-exclusively listed persons:
- Licensed foreign and / or local companies and service providers (providers of electronic certification services, in case of usage of an electronic signature for signing documents, legal companies or other consultancy service providers, investment intermediaries in Bulgaria and the EU and their representatives, depository banks, courier companies and others).In the event that the Management Company discloses personal data to any of the abovementioned there must be a good reason for this and by signing a contract the recipients of the personal data must provide an adequate level of protection;
- Third persons whom by virtue of a law the Management Company have delegated part of their functions under its own license;
- Licensed security companies performing private security activities in connection with the processing of video recordings from the offices of the Management Company and / or provision of the access regime at the buildings;
- Other companies in the Karoll Group: Disclosure of personal data in this case is carried out in compliance with applicable Bulgarian and European legislation ;
- Agents- The Asset Management Company works with a wide network of agents to provide services close to customers. For this purpose personal data of the customers can be shared (usually directly by the customers themselves) to our agents.
- People/Companies outside the EU, subject to explicit prior consent of the customer.
(2) These persons process or receive personal data on behalf of and / or by assignment of the Management Company. They may not process the personal data they have provided for purposes other than the performance of the work entrusted to them. The Management Company shall take the necessary measures to ensure that the engaged processors and recipients of personal data strictly comply with the data protection legislation.
Art.5 Data transfer to a third country
Karoll Capital Management EAD does not transmit or intend to transmit personal data to a third country or international organization outside the EU or EEA, except for the MailChimp e-mail messaging system, which headquarter is in the United States, a country with an adequate level of protection for personal data for organizations that are certified / registered / on "Privacy Shield".
Information about MailChimp's policies can be found at: https://mailchimp.com/legal/, and registration for the Privacy Shield at: https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active .
Art.6 The Management Company keeps separate documents containing personal data of customers it administers for the purpose of concluding and executing contracts at least 5 years after the expiration of the period in which the person ceased to be a customer of the Management Company as follows: contracts,applications, declarations, orders, confirmations, transactions and other documents that are an essential part of it. This period can be longer The term may be extended on the explicit request of the Financial Supervision Commission.
For more information about the preservation periods of documents you can contract the Management Company.
II. RIGHTS OF DATA SUBJECTS
Art.7 Customers of the Management Company who are subjects of personal data have the following rights in connection with the provided personal data for:
- Right of access.
- Right of rectification.
- Right to be forgotten.
- Right to request restriction of processing.
- Right to data portability.
- Right to object to the processing of personal data.
- The right of the data subject not to be the subject of a decision based solely on automated processing involving profiling.
Right of access
Art.8(1) The Management Company provides the client with the following information upon request:
- confirmation whether the Management Company processes the person's personal data or not;
- a copy of the person's personal data processed by the Company and
- explanation of the processed data.
(2) The explanation under paragraph 1 shall include the following information regarding the personal data processed by the Management Company:
- Purposes of the processing;
- relevant categories of personal data;
- recipients or categories of recipients to whom personal data are or will be disclosed, in particular recipients in third countries or international organizations;
- whenever possible the foreseeable period for which personal data will be stored and if that is not possible, the criteria used to determine that period;
- the right to request the rectification or erasure of personal data or to limit the processing of personal data relating to the data subject or to object to such processing;
- when personal data are not collected by the data subject any available information about their source;
- when personal data are transferred to a third country or an international organization the data subject has the right to be informed of the appropriate transmission assurance.
(3) The Management Company may provide a copy of the personal data that is being processed upon request.
(4) When providing a copy of processed personal data the Management Company may not disclose the following categories of data:
- Third parties` personal data unless they have expressly agree to do so;
- data that constitute a trade secret, bank secrect or confidential information;
- other information which is protected under the applicable legislation.
Art.9 (1) Providing customers with access to their personal data cannot adversely affect the rights and freedoms of third parties or lead to a breach of the Company's statutory obligation.
(2) When access requests are clearly unfounded or excessive especially because of their repeatability the Company may charge a reasonable fee or refuse to respond to the request for access.
(3) The Management company shall judge on a case-by-case basis whether a request is unfounded or excessive.
(4) In case of refusal to grant access to personal data the Management Company shall justify its refusal and inform the data subject about his right to file a complaint with the Commission for personal data protection.
Right of rectification
Art.10(1) Data subjects may request their personal data processed by the Management Company to be corrected if the data are inaccurate or incomplete or not updated.
(2) When request for correction of personal data is satisfied the Management Company notifies the other recipients to whom the data were disclosed (government bodies, service providers) so that they can reflect the changes.
Right to be forgotten
Art.11 (1) The Management Company is obliged to delete personal data of the subject upon request on any of the following grounds:
- Personal data are no longer needed for the purposes for which they werecollected or otherwise processed;
- the data subject withdraws his/her consent on which the processing of the data is based and there is no other legal basis for the processing;
- the data subject objects to the processing of personal data for the purpose of direct marketing;
- personal data have been processed illegally;
- Personal data must be deleted to comply with a legal obligation of the Management Company.
(2) The Management company may reasonably refuse to delete the personal data as far as the processing is necessary:
- For observing the statutory liability of the Management Company;
- for the establishment exercise or protection of legal claims;
- because there is a legitimate interest.
Right to request restriction of processing
Art.12(1) The data subject has the right to request a limitation of processing when one of the following applies:
- the accuracy of personal data is disputed by the data subject for a period that allows the controller to verify the accuracy of the personal data;
- processing is illegal but the data subject does not want personal data to be deleted but instead requires a limitation of their use;
- the controller no longer needs personal data for the purpose of processing but the data subject requires them to identify exercise or protect legal claims;
- the data subject has objected to the processing on the basis of the legitimate interest of the Management Company and it is being examined whether the controller's legal grounds take precedence over the interests of the data subject.
(2) The Management Company may only process personal data which processing is limited for the following purposes only:
- for storing data
- with the consent of the data subject;
- for the establishment, exercise or protection of legal claims;
- to protect the rights of another individual;
- on important grounds of public interest;
- to observe the statutory liability of the Management Company.
(3) When data subject has requested a limitation of the processing on the grounds under paragraph 2 above the Management Company shall inform it before the revocation of the limitation of processing.
Right to data portability
Art.13(1) The data subject has the right to receive personal data that concern him and which he has provided to the Management Company in a structured, widely used and machine readable format.
(2) Such data may be transferred to another administrator pointed by the data subject upon request and in case this is technically possible.
(3) The subject of personal data may exercise the right of portability in the following cases:
- processing is based on the consent of the data subject;
- processing is based on a contractual obligation;
- processing is done in an automated manner.
(4) The right of portability can not adversely affect the rights and freedoms of others.
Right of objection
Art.14(1) The data subject has the right to object to the processing of his personal data by the Management Company if the data is processed on one of the following grounds:
- processing is necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
- processing is necessary for purposes related to the legitimate interests of the Management Company or of a third party;
- Data processing involves profiling.
(2) The administrator shall terminate the processing of personal data unless it can demonstrate that there are convincing legal grounds for its continuation which take precedence over the interests, rights and freedoms of the data subject or for the establishment, exercise or protection of legal claims.
(3) When processing personal data for purposes of direct marketing the subject data is entitled at any time to object to the processing of personal data and withdraw the consent for that purpose including in relation to profiling related to direct marketing.
(4) When the data subject object processing for direct marketing purposes the Management Company terminates processing unless it is necessary to perform the contract.
The right of the data subject not to be the object of a decision based solely on automated processing including profiling
Art. 15 Where the Management Company takes automated individual decisions including or excluding profiling that have legal consequences or significantly affect the individuals, such persons may request a review of the decision with human intervention.
III. PROCEDURE FOR EXERCISING OF THE RIGHTS OF PERSONAL DATA
Art.16(1) Customers may exercise their rights under these Rules by submitting a personal application to the Management Company.
(2) The application may also be presented by an authorized person with an explicit power of attorney notarizedunless a special law excludes that power.
Art.17 Applications for the exercise of the rights of data subjects may be presented as follows:
- To the following email address email@example.com
- In writing in an office of the Management Company at the address of Sofia,1 Zlatovrah str.;
- Written by post to the address of the Head Office of the Management Company at Sofia, 57 Hristo Botev buld. Or at Sofia, 1 Zlatovrah str.
Art.18(1) The application should contain the following information:
- Identification of the subject data– full name, PIN, address, client number and other identification information;
- Explanation of the request;
- Way of communication;
- Signature, date and address for communication.
(2) The Management Company may request the provision of additional information necessary to verify the identity of the subject of data when there are reasonable concerns about the identity of the natural person making the request.
Art.19 The Management Company shall provide information or motivated refusal regarding the application within 30 days of receipt of the request, which term may be extended for a further period of one month with an explicit warning to the applicant.
Art.20 When the application is submitted by electronic means the information shallbe provided electronically unless the data subject has explicitly indicated otherwise in his application.
Art.21 Each data subject has the right to file a personal data protection case with the Commission for personal data protection at the following address: Sofia, 2 Prof. Tsvetan Lazarov buld.,web site: www.cpdp.bgin case of violation of its rights under Regulation (EC) 2016/679 and the Personal Data Protection Act in accordance with national legislation.
Art.22 Apart from the above, any data subject is entitled to appeal against the actions and acts of the controller and the processor in front of the competent court.
IV. FINAL PROVISIONS
§ 1. The present rules shall be reviewed periodically at least once a year and updated as necessary by decision of the Board of Directors of the Management Company Karoll Capital Management EAD.
§ 2 The present rules were adopted by unanimous decision of the Board of Directors of the Management Company Karoll Capital Management EAD on 23.05.2018 and amended with decision on 10.10.2018.