Privacy Statement

This Data Protection Privacy Statement may be amended from time to time and should be read in
conjunction with your New Street Management Limited Terms and Conditions of Business.

In this Data Protection Privacy Statement, references to you and your means the Customer. References
to we, us or our include references to New Street Management Limited (NSML) or any Group Company and our or their representatives.

SCOPE

This NSML Customer Data Protection Privacy Statement takes effect on 25 May 2018. It applies to Personal Data (as defined below) which is processed by us:

(a) in a Member State of the European Union, the European Economic Area or Guernsey; or

(b) which relates to a data subject who is resident in, or located in, any of the above locations.

This Privacy Statement describes how we may collect, use and share Personal Data.

Our goal is to maintain your trust and confidence when handling Personal Data. We will not disclose or provide Personal Data to any third party for any purpose without written consent, except as set forth herein.

For the purposes of this Privacy Statement:

"Applicable Law" means, in each case, all laws and regulations (including requirements imposed by any competent regulatory body, whether domestic or foreign, or imposed by or arising under the constitution, rules, regulations, bylaws, customs, usages and interpretations of any market), whether domestic or foreign, or any agreement entered into with or between any competent regulatory, prosecuting, tax or governmental authority in any jurisdiction, domestic or foreign.

"Customer" means the person or persons, whether incorporated or unincorporated, requiring services in respect of one or more Customer Entity;

"Customer Entity" means the company, trust, foundation, association or partnership (whether or not having a separate legal personality) or any other form of legal entity or legal arrangement receiving services rendered by NSML or a Group Company;

"Group Company" means, in relation to NSML, any company wherever registered or incorporated which is for the time being a subsidiary or a holding company of NSML or an associated company (and associated company and subsidiary and holding company shall have the meanings ascribed to them in sections 529 and 531 respectively of the Companies (Guernsey) Law, 2008).

“Personal Data” means any information relating to you, any Customer Entity or another person whose information you or a Customer Entity (or another person on your or a Customer Entity's behalf) provide to us, and from which that individual can be identified, directly or indirectly, including by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and

“Processing” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

PERSONAL DATA WE MAY COLLECT

We may collect, receive, store and process the following Personal Data:

  • Personal Data that you or a Customer Entity provides to us directly, such as:
    • name, date of birth, company, title and job description and contact details such as email address and telephone number and business address, IP address of devices and other personal identifiers;
    • information about related third parties, such as beneficiaries, family members, signatories, associates;
    • financial information, including source of wealth, investment experience and objectives and risk tolerance; and
    • a copy of a passport or national ID, drivers licence and other documents evidencing citizenship and address as required by due diligence and regulatory processes.
  • Personal Data provided by our clients (including name, date of birth, company, title and job description and contact details such as email address and telephone number and business address);
  • Personal Data within any emails or other communications sent to us;
  • Personal Data we learn about from our dealings with you or a Customer Entity;
  • Personal Data we may obtain from public sources; and
  • other Personal Data we obtain from third parties in relation to potential relationships or obtained during our due diligence, “know your client” or investor or trustee or other suitability activities or information from credit reference agencies or international sanctions lists.

If you or a Customer Entity elects not to provide us with this information, we may be unable to provide services to you or them. You should inform us where there are any changes or amendments to such details.

USES OF PERSONAL DATA

We may access, process and retain Personal Data for any of the following purposes (“Permitted Purposes”):

  • the provision of services to you and/or any Customer Entities and the operation, maintenance, and management of Customer Entities. This includes processing of instructions and generation of confirmations, advices and statements; maintenance of accurate “know your client” information; in connection with suspected money laundering or other serious crime; the operation of control systems; the operation of management information systems; communicating with credit reference and information agencies;
  • to meet obligations and disclosure requirements or requests of any governmental entity or regulatory authority, financial market, broker or other intermediaries or counterparties, including as required or as is desirable in respect of any Applicable Law;
  • for our internal record keeping and, where legally required, for transaction reporting with any regulators;
  • to permit the processing of any subcontracted activities or outsourcing any part of our normal business functions (subject always to legal and regulatory requirements);
  • to enable system administration, operation, testing and support; to investigate and remediate security incidents; and for risk assessment, statistical, monitoring, and planning purposes;
  • complying with (and doing such things as we consider to be desirable in respect of) Applicable Law, or such actions as are requested by any authority, including the disclosure of data or confidential information that is in such authority’s jurisdiction;
  • disclosure to and use by relevant parties if required under Applicable Law or by brokers, exchanges, other intermediaries or counterparties, or market practice;
  • to allow a third party payment provider to access your personal and transactional data and/or initiate payment transactions;
  • to help maintain service quality and train staff; to deal with complaints and disputes; and to help detect, prevent, investigate, and prosecute fraud, and security breach and/or other criminal activity;
  • subject to the contact preference options notified to us, to provide information about our products and services;
  • disclosure to other Group Companies or their agents or third party service providers so that they may offer their products or services;
  • procuring goods or services for (or outsourcing any part of the business functions of) any Group Company;
  • disclosure to third parties in connection with a change of ownership in NSML or any Group Company or any of its assets;
  • disclosure to any Group Company or third party determined by us, including (without limitation) authorities, lawyers, auditors or service providers, for Processing in accordance with a Permitted Purpose; and
  • for any other purposes that apply specifically to any of the products or services we offer to you and which are set out in our terms of business or application documents.

GROUNDS ON WHICH WE LAWFULLY PROCESS PERSONAL DATA

Fulfilment of contractual obligations

We enter into contracts and agreements with our clients in order to provide services to them. We need to process Personal Data in relation to our clients in order to facilitate entering into such contracts and to allow us to fulfil obligations created by those contracts. For example, we may need to assess the needs of our clients in relation to specific products or services, we may need to determine the level of advice, asset management or support that a client needs or carry out transactions in compliance with contractual obligations. Our various contracts and terms and conditions will contain further details of the obligations we may need to comply with.

Compliance with legal obligations and public interest considerations

NSML is subject to a lot of legal obligations because of the services we provide. We may need to process Personal Data in order to comply with these legal obligations which sometimes also relate to public interest considerations. Examples include carrying out identity and other checks to ensure we properly know our clients, fraud and money laundering prevention, assessing and managing risk, complying with various reporting obligations and other legal requirements.

Legitimate interest

We also process Personal Data when it is in our legitimate interests to do this and when these interests are not overridden by a data subject's data protection rights. For example, we have a legitimate interest in using Personal Data:

  • to provide services;
  • to manage and administer our business;
  • to manage, administer, maintain and improve relationships with you, Customer Entities and our clients and assist with client management;
  • for marketing and business development activities and analysis;
  • to communicate with you and Customer Entities;
  • to inform you or Customer Entities about our products or services during the continuance of our relationship with you, a Customer Entity and/or our client, to the extent permitted by Applicable Law;
  • for our internal record keeping;
  • to investigate and respond to any complaints about us or our business or any incidents relating to us or our business;
  • to conduct security and cyber investigations;
  • to meet obligations and disclosure requirements or requests of governmental entities or regulatory authorities or markets, brokers or other intermediaries or counterparties where this is not required by Applicable Law;
  • to comply with non-EU and non-Member State Applicable Law;
  • to assign or sub-contract, procure goods or services for, or outsource any part of our normal business functions to third parties;
  • to monitor our services, whether by us or a third party; where relevant, for the establishment, exercise or defence of legal claims;
  • to communicate with credit reference and information agencies;
  • to detect, investigate or prevent security or cyber incidents; and
  • in order to protect the rights, property, or safety of us, our business, our clients or others.

Where we process Personal Data for contacting you or Customer Entities, we will request you to select a preferred channel of communications with us. You may request not to be contacted for marketing activities in certain (or all) channels and for a certain period. You may change your preferences anytime.

Consent to Our Processing

We may also process Personal Data based on consent granted to us. Where data Processing is performed subject to consent, this may be withdrawn at any time by informing us in writing of such withdrawal. However, if consent is withdrawn it may not be possible for us to provide certain services to you or any Customer Entity.

WHEN WE MAY DISCLOSE PERSONAL DATA

We may disclose or transfer Personal Data to others as follows:

  • to any Group Company for the purpose of managing our and their relationship with you and/or any Customer Entity and other purposes identified in this statement;
  • at the request of a counterparty in relation to you, any Customer Entity or business process and to service a Customer Entity;
  • as required in order to establish, exercise or defend or to protect legal claims, including in relation to our contracts with our clients and in order to protect the rights, property, or safety of us, our business, our clients or others;
  • to any competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction (1) for or in connection with an examination of us by any lawful examiners; (2) pursuant to subpoena or other legal process; (3) at the express direction of any other authorised government agency; (4) to our internal or external legal counsel or auditors; (5) to others to whom we are required to make such disclosure by law;
  • In addition, because a Customer Entity may include information about more than one individual and about your or its business relations with us and our affiliates, statements released to comply with legal process may contain information regarding your or a Customer Entity's relationship with these individuals and with us and our affiliates.

HOW LONG WE KEEP PERSONAL DATA

We keep Personal Data for as long as is required in order to fulfil our contractual obligations and as long as we are required to under Applicable Law, including any applicable limitation periods.

USE OF PROFILING AND AUTOMATED DECISION MAKING

We may process some Personal Data automatically in order to make certain assessments about you and/or any Customer Entities. This is known as profiling. We may do this for instance to assess investment performance, objectives and risk tolerance, and to assess your or a Customer Entity's ability to meet regulatory or legal requirements (such as combatting money laundering); and to tailor our service to your or a Customer Entity's needs.

Where we rely on profiling, we will seek consent for this. A data subject has the right to request a person to re-assess any profiling. However, certain investments (including robotic investments) may necessitate profiling.

We generally do not use any automated decision-making in providing services to you or a Customer Entity. If we do use this process, you will be entitled to opt-out.

USE OF "COOKIES"

A "cookie" is a small piece of information that a site stores on a web browser and can later retrieve.

NSML uses operational cookies to allow our services to operate in a secure and reliable manner, prevent false impersonation, prevent electronic attacks and provide service functionalities within our sites. Such cookies are essential for usage and an internet browser is likely to accept them by default. However, a browser can be set to reject these cookies and to delete them from the system at any time. Site experience cookies that facilitate site navigation and store preferences and certain kinds of information (such as about new products and services and some enhancements that may be of interest) can be subject to opt-in. Non-essential cookies can be rejected or their use limited to an online session with NSML or any Group Company or anytime thereafter.

Joint marketing cookies and data analytics can also be subject to opt-in. However, no cookie set by our websites on a web browser will contain information that could enable any third party to contact you or a Customer Entity via telephone, email or postal mail.

INFORMATION SECURITY

We protect Personal Data by maintaining physical, electronic, and procedural safeguards and train our staff in the proper handling of information. When we use third parties to provide services we require them, under stringent contractual and administrative provisions, to protect the confidentiality of any Personal Data to at least the same standard we have in our own systems. We use encryption technology to protect the transmission of data to or from you or a Customer Entity. However, data transmissions over public networks cannot be guaranteed to be error free or entirely secure. Any registration information and passcodes must be kept confidential. If you have reason to believe that your interaction with us is no longer secure or feel that the security of any communications you have with us has been compromised, please immediately notify us of the problem by contacting our Data Protection Officer using the contact details in the Data Controller and Data Protection Officer section below.

DATA RIGHTS

Data subjects may ask us to access, amend or correct their Personal Data. We may also rectify any mistakes in data we hold on our own initiative, where appropriate. In limited circumstances such as marketing, data subjects also have the right to object to certain communications, delete their data and transfer their Personal Data to other organisations. However, as we offer trust company and other services, we operate within a highly regulated environment, are under a legal obligation to retain certain data and to hold it for our legitimate interests.

Where we have asked for consent to process Personal Data or where Processing is made in connection with sensitive Personal Data consent may be withdrawn at any time by informing us in writing of the withdrawal.

Where we process Personal Data on the basis of a legitimate interest in doing so (as described above), the data subject also has a right to object to this and the right to restrict Processing in certain circumstances. These rights may be limited in some situations – for example, where we can demonstrate that we have legitimate grounds to process the data. To exercise these rights, please contact the Data Protection Officer using the contact details in the Data Controller and Data Protection Officer section below. We may ask to verify the data subject's identity and to provide other details to help us to respond to the request. We hope that we can satisfy all queries about the way we process data.

DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is NSML or the Group Company providing services to you or a Customer Entity and may change as notified by us from time to time, always subject to prior notice and Applicable Law.

Any questions or requests in relation to data protection rights or how we deal with Personal Data should be addressed to:

The Compliance Officer
New Street Management Limited
Les Echelons Court
Les Echelons
St Peter Port
Guernsey
GY1 1AR

Or alternatively by using our dedicated data privacy e-mail address: Dataprivacy@nsmtrust.com

A complaint may also be lodged directly with the Data Protection Officer or the Guernsey Data Protection Authority.

Guernsey Data Protection Authority

Tel +44 (0)1481 742074

https://dataci.gg

CROSS BORDER DATA TRANSFERS

Personal Data is subject to supervision by the regulatory authorities in the jurisdiction of NSML or the Group Company providing services to you or where the services are performed and, in certain cases, by the jurisdiction of the data subject's residence or citizenship.

Where it is necessary for providing services to you, any Customer Entity or our clients, where required by Applicable Law or where we have received the necessary consent, Personal Data may be transferred to a country outside Guernsey, a Member State of the European Union, or the European Economic Area, including countries that do not offer adequate protection for the purposes of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) or the Data Protection (Bailiwick of Guernsey) Law 2017.