“GDPR”: General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Personal Data”: Information of any type regardless of the type of medium, including sound and image, relating to an identified or identifiable natural person (data subject).

To provide its services, Arendt needs to collect and process certain information about you. The data we collect depends on the context of your interactions with Arendt, the choices you make including the services which are provided to you.

It is to be noted that you have choices about the data we collect. When you are asked to provide personal data, you may decline. If you choose not to provide data that is necessary to provide the service, we may not be able to deliver the service.

The data we collect and process can include the following, but is not limited to:

• Identification data: we collect data about you such as your first and last name, email address, postal address, phone number, and other similar contact data, date and place of birth, gender, country, and preferred language;
• Electronic identification data: we use Cookies to collect data on how you use our website and view our marketing emails. This may include, for example, information on which Arendt’s website pages you have visited, how long you stayed on them, which items you clicked on and on your IP-address;
• Business contact information: we collect data about you such as job function, job title, department, organisation name, size and location, and whether or not you are acting on behalf of a client;
• Financial information: we collect your financial information, such as financial account information, if needed to take payment or fulfil contractual obligations or for related purposes;
• Contractual information: any information provided by the data subject allowing to Arendt to perform its contractual duties.

Further to the categories of data mentioned above, Arendt guarantees that, except to the limited extent that may be necessary in the context of employment and in the context of performing a contract with a client, or comply with legal obligations, we neither request nor collect special categories of data (i.e. personal information specifying criminal offences/convictions, medical or health conditions, biometric or genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual).

This Privacy Notice applies to personal data, which is information that Arendt collects from you and other third parties that specifically identifies you as an individual. Arendt may collect your personal data in various manners.

Ways of collecting data

• Information that we automatically collect when you use our Website: when you use our Website, we automatically collect, through Cookies, the following information:
  
  • Navigation and click-stream data;
  • HTTP protocol elements;
  • Search terms.

Cookies are small bits of text that are downloaded to your computer or other internet-enabled devices when you visit a website. Arendt uses Cookies on its website to improve its overall user experience.

For further information on Cookies, please refer to Arendt & Medernach’s Privacy Notice.

• Personal data that we collect when you do business with Arendt: we may collect and process your data when you conduct business with us. "Personal data" means information relating to an identified or identifiable natural person that Arendt receives on behalf of the data subjects. Examples of categories of such personal data can be found in the previous section.
• Personal data we obtain from other sources: we also may periodically obtain both personal and non-personal information about you from Arendt’s subsidiaries, affiliates, business partners or other third-party sources where they are legally permitted to share such information with us, and add it to the information we already hold about you, such as, but not limited to:
  • Updated business address information;
  • Identification data;
  • Financial information;
  • Contractual information.
• Personal data that we collect when you apply online for employment: please refer to the HR section.

Purposes for collection, use and processing of data

For processing to be lawful under the GDPR, a lawful basis needs to be identified before personal data is processed.

We use or may use your personal data for the following purposes (or as otherwise described at the point of collection) in line with the lawful basis under the GDPR:

• To provide you with the service you have requested;
  > Processing is necessary for the performance of a contract.
  
  
• To provide you with information, access to resources or other services that you have requested from us on behalf of your organisation;
  > Processing is necessary for the performance of a contract.
  
  
• To send you client service-related communications (marketing);
  > Processing is necessary for the purposes of the legitimate interests pursued by the controller.
  > Processing is based on your consent to receive marketing communications.
  
  
• To deal with communications that you send to Arendt and responding to your queries, requests and complaints;
  > Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  > Processing is necessary for compliance with a legal obligation.
  
  
• To fulfil our legal obligations namely in respect to AML/CTF (including KYC) and MAR ;
  > Processing is necessary for compliance with a legal obligation.
  
  
• To carry out the recruitment process:
  > Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  
  
• To promote our events and conferences via pictures and videos disclosed on our social medias:
  > Processing is necessary for the purposes of the legitimate interest pursued by the controller or by a third party.
  
  
• To manage the infrastructure and business operations of Arendt and to comply with internal policies and procedures;
  > Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
  
  
• To comply with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities.
  > Processing is necessary for compliance with a legal obligation.

We may contact you by mail, telephone, fax, video conference, email or other electronic messaging service to notify you about special events, new features or other information that may be of interest to you in accordance with your interaction with Arendt. Where required by applicable law, your prior consent will be obtained before sending you direct marketing and you may object or opt out of receiving marketing messages from Arendt. To opt out of marketing communications, you can send an email to: unsubscribe@arendt.com. For emails, you can also opt out by clicking the “unsubscribe” button found at the bottom of our emails.

Arendt does not in any way sell, lease or rent your information to third parties.

[1]AML : Anti Money Laundering

  CTF: Counter Terrorist Financing

  KYC : Know Your Customer

  MAR : Market Abuse Regulation

Arendt shares your personal data as necessary to render any service you have requested or authorised.

Arendt may also share your personal data with your consent namely for the following purposes:

• Recruitment;
• AML/CTF including KYC (third parties including but not limited to namely notaries, domiciliation agents, banks, auditors…).

• Service providers: we may disclose/transfer your data to third parties, including cloud services providers, that we refer to as service providers solely to the extent necessary to enable such service providers to provide services to Arendt and to assist us in providing services to you. Arendt’s policy is to maintain contracts with all third parties to whom we disclose/transfer personal information to, in order to restrict their access, use and disclosure of personal data. Service providers must, in fact, abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any purpose other than providing services to Arendt and assisting us in providing services to you.
• Third parties: we may disclose/transfer your data to third parties such as administration and public authorities, banking institutions, notaries, domiciliation agents and to professional advisors and auditors of Arendt.
• Affiliates/branches/subsidiaries: we may disclose/transfer your data, as provided in our General Terms and Conditions, to other companies under common ownership or control as Arendt who will process your information in a manner consistent with this Privacy Notice.
• Safety, security and compliance with law: we will access, transfer, disclose and preserve personal data to comply with applicable law or respond to subpoenas, court orders or other valid legal process, for reasons relating to national security, to defend against legal claims, to protect the rights and safety of Arendt, Arendt’s clients, employees or others. This may involve the sharing of your data with law enforcement, government agencies, courts and other organisations.
• Consent: we may share your data in other ways and for new purposes if you have asked us to do so and have consented to such sharing.

These recipients may be located in and outside the European Union. Your personal data will not be transferred to any country outside the European Union which does not ensure an adequate level of protection unless you gave us prior authorization to do so or specific measures (such as adequate contractual arrangements) have been taken by us or if the concerned companies have binding corporate rules in order to ensure that the requirements of the applicable data protection law have been fulfilled.

Where personal data is transferred/disclosed to Arendt’s affiliates/branches/subsidiaries, such transfer is based on specific measures, specifically the model clauses issued by the European Commission with regards to transfer of personal data outside the European Union. Should you wish to consult the latter, please let us know by contacting us to the contact information provided in the section “HOW TO CONTACT US” of this notice.

Arendt seeks to ensure that you are able to exercise your rights at any time. Arendt will address any request within the limits of its technical and organizational means.

These include:

• Right to access your personal information: should you want to review the data we hold, collect and process about you, please let us know by contacting us. Information on how to do so is provided in the section “HOW TO CONTACT US” of this notice.
• Right to rectification: should the data we hold, collect and process about you be inaccurate or incomplete, you have the right to update such data at any time by contacting us via the contact information provided in the section “HOW TO CONTACT US” of this notice.
• Right to erasure: if at any time you decide you do not want us to retain any personal data we collected from you, you may request we delete your data by contacting us via the contact information provided in the section “HOW TO CONTACT US” of this notice. We will take reasonable measures to comply with your request in accordance with applicable laws.
• Right to restriction of processing: should you wish to request Arendt to restrict or suppress personal data processing, please contact us to the contact information provided in the section “HOW TO CONTACT US” of this notice. You should obtain the right to restriction of processing only where possible, in accordance with applicable laws.
• Right to object: should you wish to object to the processing of personal data, please contact us at the contact information provided in the section “HOW TO CONTACT US” of this notice. We will consider your objection and we will comply with it unless we have a compelling legitimate ground as permitted by applicable law.
• Right to data portability: you may have the right to have your personal data transmitted directly from us to another controller only when you have asked us to do so and have consented to such sharing, and when technically feasible. Should you wish to exercise this right, please contact us at the contact information provided in the section “HOW TO CONTACT US” of this notice.
• Right to lodge a complaint with the supervisory authority: where you believe that your data is being processed in a way that does not comply with the GDPR, you have the right to lodge a complaint with the respective authority as follows:
  Luxembourg - Commission Nationale pour la Protection des Données (the “CNPD”). You can do so via the CNPD’s complaint form, available at: https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html

Please be aware that these rights are not always absolute and there may be some situations in which, technically or legally, Arendt may not be able to comply with your request.

Arendt acknowledges your trust and is committed to protecting the data you provide to us. Arendt pays a particular attention to work from home ethics. We avoid any hard copy to be taken at home and require from our employees that any task requiring the use of hard copies is done from the office. We maintain appropriate organisational, physical and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of personal data) to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of personal data.

Where Arendt acts as a controller, it will notify its customer of any personal data breach by Arendt, its processors, or any other third-parties acting on Arendt’s behalf without undue delay, only where the personal data breach is likely to result in a high risk to the rights and freedoms of the client.

Arendt will only retain your personal data:

• For as long as it is necessary for the purpose or purposes for which it was intended;
• For the purposes of performing or fulfilling a contractual obligation with you or the organisation that you represent and, therefore, legitimate business purposes;
• For as long as required or permitted by law.

We expect you to inform us in writing and without undue delay of changes in the information you provided to us or others about you, so that we can keep it up-to-date.

If you provide us with personal information not relating to you (e.g. information about your respective representatives, staff members and agents, beneficial owners, shareholders, etc. or about any third party), you must first inform them about this fact and make sure they acknowledge that we can use such information as set out in this Privacy Notice. In particular, you must provide them with the information relating to their rights as data subjects. We assume that these third parties are informed of the processing of any personal information relating to them that we may carry out and of the disclosure of the same to third parties and countries as described herein and that, as far as necessary, you obtained these data subjects’ prior written consent.

We reserve the right to amend this Privacy Notice from time to time to reflect changes in the law, our data collection and used practices, and to ensure it is accurate, complete and up-to-date. You are advised to check this Privacy Notice from time to time.

If you have any questions or concerns about our use of your information or regarding our Privacy Notice, you may contact us by sending an email to dpo@arendtservices.com or by writing to us at:

Arendt Services S.A.
Attention: Data Protection Officer
9, rue de Bitbourg
L-1273 Luxembourg
Grand Duchy of Luxembourg

Personal data that we collect when you apply online for employment: you may submit personal data through the use of our website to be considered for employment at Arendt. Such information includes, amongst others, your name, your address, your phone number, your email address, experience, education, job skills and other information contained on your curriculum vitae (CV) and/or your cover letter. Arendt uses such data solely for consideration of your candidacy for employment, to communicate with you and to generate related correspondence, including offer letters and employment agreements. Such data may also be used, subject to applicable local laws, to conduct necessary background checks for compliance and other employment related purposes (including the assessment of your profile in view of the conclusion of a potential employment contract, to the extent permitted by applicable laws and regulations). Finally, Arendt only retains such data for as long as is necessary to address your employment application and any questions that may arise regarding your application’s processing. Your submission of personal data or a resume through our website constitutes your consent to the collection, storage and use of that information by Arendt during the recruitment process.

We may disclose/transfer your data to other companies under common ownership or control as Arendt who will process your information in a manner consistent with this Privacy Notice.