Privacy notice

Except as further described below, Arendt is to be considered the data controller with respect to your personal data processing.

Arendt, acting as a data controller, is committed to protecting your privacy and ensuring the security of your personal data. As a data controller, we are responsible for determining “how” and “why” your personal data is processed, in accordance with the requirements of GDPR. This means we are responsible for collecting, processing, and safeguarding your personal data. Our role as a data controller entails ensuring that your personal data is processed lawfully, fairly, and transparently. This Privacy Notice describes the types of personal data we collect, the purposes for which we collect and use it, and your rights in relation to your data. We take your privacy seriously and aim to be transparent about our data processing activities.

Depending on the Arendt entity and/or its professional mandate, Arendt may also act as a data processor under specific circumstances. We (as a data processor) will solely determine when such a situation occurs and will inform you (as a data controller) accordingly. This section defines the conditions under which we undertake to process personal data on your behalf as a data processor.

In this regard, we process personal data as necessary for us to perform our mission. To this end, we will rely on your instructions with regards to:

• The nature of the operations to be carried out;
• The purpose of the processing;
• The data processed;
• The categories of data subjects concerned by the data processing.

About our obligations towards you, we undertake to:

• Process the data for the sole purpose for which you have transmitted it to us and in accordance with your documented instructions;
• Apply the principles of data protection by design and data protection by default with respect to any activity by virtue of which we process data;
• Assist you with sufficient guarantees by appropriate technical and organizational measures to ensure that the processing complies with the requirements of these regulations and guarantees the protection of the data subjects’ rights;
• Guarantee the security, confidentiality and integrity of the personal data processed,
• Provide the necessary awareness and training to persons authorized to process personal data on data protection;
• Inform you in the event that, we consider that such processing may involve a breach of applicable law, as well as when there is a risk affecting your personal data or their processing,
• In accordance with your request, delete or return to you all that personal data (in case we process such personal data only in our capacity as processor), and delete existing copies of any such personal information, except it is mandatory for us to retain that personal data;
• Provide you all information necessary to demonstrate compliance with the obligations set out in the GDPR and allow for and contribute to audits, including inspections, conducted by you (as a controller) or another auditor mandated by you.

Whenever possible, we (as data processor) will assist you (as data controller) in fulfilling your obligations to comply with requests to exercise the rights of any individuals concerned by the processing at hand, including the right of access, rectification, erasure, and objection; the right to restriction of processing; the right to data portability; and the right not to be subject to an automated individual decision.

In case of using sub-contractors or replacing them, to carry out specific processing activities in order to perform our mission, we will notify you and will act with professional diligence.

This specific section is without prejudice to other non-contradictory provisions of this Privacy Notice and to Arendt commitments to respect and promote data protection principles.

To better understand how Arendt, if acting as a data processor, commits with its controller, please do refer to our Terms of Business below:

• Arendt & Medernach S.A., Arendt Regulatory & Consulting S.A. (and its affiliates), Arendt Digital Services S.A.R.L. (and its affiliates)

• Arendt Investor Services S.A.(including AManco S.A., any branches of Arendt Investor Services S.A., and its affiliates)

To provide its services, Arendt needs to collect and process information about you. The data we collect depends on the context of your interactions with Arendt and the choices you make including the services which are provided to you.

You can choose what data you allow us / or not to collect. Should you refuse to share your data, we may not be able to provide our service to you. The data we collect, and process include the following:

• Identification data: we collect data about you such as your first and last name, email address, postal address, phone number, and other similar contact data, date and place of birth, gender, country, and preferred language;
• Electronic identification data: we use cookies to collect data on how you use our website and view our marketing emails. This may include, for example, information on which Arendt’s website pages you have visited, how long you stayed on them or which items you clicked on. Please find our dedicated Cookie Policy available here.
• Business contact information: we collect data about you such as job function, job title, department, organisation name, size and location, and whether or not you are acting on behalf of a client;
• Financial information: we collect your financial information, such as financial account information, if needed to take payment or fulfil contractual obligations or for related purposes;
• Contractual information: any information provided by the data subject allowing Arendt to perform its contractual duties;
• Sensitive personal data (i.e., specifically, personal information specifying criminal offences/convictions, medical or health conditions, biometric or genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), strictly to the limited extent that may be necessary for Arendt in the context of employment and in the context of performing a contract with a client or to fulfil a legal obligation.

For further information regarding personal data processing in the context of employment, please also refer to the HR section below.

By interacting with us, directly or indirectly, you accept that we process your personal data.

Arendt will collect and process your personal data, when:

• you visit our firm website or social media pages;
• you show interest in or may be interested in our firm or in our services;
• you apply for a position within our firm;
• you or your company plan on becoming and/or become(s) our customer or supplier;
• we provide services to you or our clients in general.

Depending on Arendt activities, we also may obtain your information from other sources (e.g.: Arendt’s subsidiaries, affiliates, business partners or other third-party sources) where they are authorized to share such information with us such as:

• Updated business address information;
• Identification data;
• Financial information;
• Contractual information.

Arendt may use AI technologies to enhance the services provided to our clients. Depending on the specific business activity, client documents may be uploaded into secure AI tools (excluding public GenAI tools such as ChatGPT, Predictivity, etc.). We have integrated this technology securely and responsibly, establishing specific usage guidelines and training our personnel on effective and safe AI tool use. We ensure that our AI vendors implement stringent measures to uphold confidentiality, comply with data protection regulations, and refrain from using our data to train their proprietary large language models (LLMs) or any other LLMs. Additionally, vendors are prohibited from accessing, using, reusing, or copying our data in any manner.

At Arendt, we use a range of advanced technology platforms to streamline and enhance our legal services. In doing so, we take your privacy and confidentiality very seriously. If you choose to share your documents or data with us, we commit to using such information solely for the purpose of providing our services to you. Furthermore, our arrangements with these technology providers explicitly prevent them from utilising any of your information for their own purposes—such as improving or training their models—or sharing it with unauthorised parties. Your data remains under our control to ensure that it is only accessed in accordance with strict confidentiality obligations and data protection regulations.

We also maintain a comprehensive internal policy governing the safe and responsible use of artificial intelligence, and our staff receive regular training on best practices and security measures. This policy ensures that everyone in our firm is aware of and complies with the strict guidelines and industry standards necessary to protect your data when using artificial intelligence and other advanced technologies.

Where applicable, processing involving such tools is subject to required assessments (e.g., prior legitimate interest assessment and/or Data Protection Impact Assessment (DPIA)), in accordance with the guidelines issued by the European Data Protection Board (EDPB) and, where relevant, the Luxembourg supervisory authority (Commission Nationale pour la Protection des Données – CNPD). The necessity of a DPIA will depend on the level of risk identified in connection with the rights and freedoms of data subjects.

For a processing of personal data to be compliant with the GDPR, a legal basis must be identified prior to its implementation.

We use or may use your personal data for the following purposes (or as otherwise described at the point of collection) in line with the lawful basis under the GDPR.

We may contact you by mail, telephone, fax, video conference, email, or other electronic messaging service to notify you about special events, new features or other information that may be of interest to you in accordance with your interaction with Arendt. Where required by applicable law, your prior consent will be obtained before sending you direct marketing and you may object or opt out of receiving marketing messages from Arendt.

Arendt does not in any way sell, lease, or rent your information to third parties.

Where processing is based on our legitimate interests, we ensure that a balancing test is performed to confirm that such interests are not overridden by the data subject’s rights and freedoms. You may request information regarding our legitimate interest assessments by contacting us.

With respect to employee data, specific legal bases apply as described in the section ‘Human resources and job application’ below. Further details are available in Arendt’s internal Privacy Policy provided to staff.

The Personal Data may also be disclosed to Arendt’s data recipients (the “Recipients”) as necessary to provide any service you have requested, authorised or consented for the purpose of / with:

• Service providers: we may disclose/transfer your data to every relevant service provider supporting Arendt in carrying all or a part of its business, including but not limited to: financial intermediaries, advisors, IT/cloud providers, procurement providers, recruitment firms.
  
  They will solely process personal data to the extent necessary to provide services to us and to assist us in providing services to you. Service providers must, in fact, abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any purpose other than for providing services to Arendt and assisting us in providing services to you.
• Third parties: we may disclose/transfer your data with third parties such as administration and public authorities, banking institutions, notaries, domiciliation agents and to professional advisors and auditors of Arendt, governmental, judicial, prosecution or regulatory agencies and/or authorities as well as official national registers, including tax authorities, in accordance with applicable laws and regulations. In particular, personal data may be disclosed to the Luxembourg authorities, which in turn may disclose the same to foreign authorities. In such case, Arendt and the recipient are both acting as data controller.
• Affiliates: we may disclose/transfer your data with our affiliates, as described in our General Terms & Conditions and Terms of Business.  Such affiliates will process your information in a manner consistent with this Notice.
• Safety, security and compliance with law: we may disclose/transfer personal data to comply with applicable law or respond to subpoenas, court orders or other valid legal process, for reasons relating to national security, to defend against legal claims, to protect the rights and safety of Arendt, Arendt’s clients, employees or others. This may involve the sharing of your data with law enforcement, government agencies, courts, and other authorised organisations.
• Consent: we may share your data in other ways and for new purposes if you have asked us to do so and have consented to such sharing.

The Recipients may also, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the sub-Recipients), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to Arendt and/or assisting the Recipients in fulfilling their own legal obligations.

The above-mentioned Recipients may be located inside or outside the European Economic Area (EEA).

Where personal data is transferred outside the European Economic Area (EEA) to a third country not recognised by the European Commission as providing an adequate level of protection, Arendt ensures that such transfers are carried out in accordance with Chapter V of the GDPR.

In particular, we rely on the European Commission’s Standard Contractual Clauses (SCCs), accompanied where necessary by a transfer impact assessment (TIA) and additional technical, organisational and contractual safeguards to ensure a level of protection essentially equivalent to that in the EU, in line with applicable legal and regulatory requirements.

These measures may include data encryption, access controls, pseudonymisation, and contractual commitments from the recipient not to further disclose the data and to notify us in case of access requests by public authorities.

You may request additional information about the safeguards applicable to your personal data by contacting us via the “HOW TO CONTACT US” section of this Notice.

Arendt seeks to ensure that you are able to exercise your rights at any time. Arendt will address any request within the limits of its technical and organizational means. These include:

• Right to access your personal data: should you want to have further information about the data we hold, collect and process about you;
• Right to rectification: should the data we hold, collect and process about you be inaccurate or incomplete, you have the right to update such data at any time;
• Right to erasure: if at any time you decide you do not want us to retain any personal data we collected from you, you may request the deletion of your data. We will take reasonable measures to comply with your request in accordance with applicable laws;
• Right to restriction of processing: should you wish to restrict the processing of your personal data in accordance with applicable laws;
• Right to object: should you object to the processing of your personal data we shall consider your objection and comply with it unless we have a compelling legitimate ground as permitted by applicable law;
• Right to data portability: should you wish to have your personal data transferred from us to another controller, provided that you have sent a formal request and when such transfer is technically feasible;
• Right to withdraw consent: where the processing is based on your consent you may withdraw your consent at any time, without this affecting the processing carried out before such withdrawal and without prejudice to any retention or processing that may be required from us by law;
• Right not to be subject to automated decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, unless such processing is necessary for the performance of a contract, authorised by law, or based on your explicit consent. Arendt does not carry out any automated decision-making at this time. Should this change in the future, our privacy notice will be systematically updated to reflect any new practices, and the safeguards implemented;
• Right to lodge a complaint with the supervisory authority: If you believe that your data is being processed in a way that does not comply with the GDPR, you have the right to lodge a complaint with the national supervisory authorityor with any competent data protection supervisory authority of their EU Member State of residence.

The Luxembourg supervisory authority is:

Commission Nationale pour la Protection des Données (the “CNPD”)

Address: 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg

Tel: (+352) 26 10 60 -1

Website: https://cnpd.public.lu/

Should you wish to exercise any of the abovementioned rights, please contact us through the contact details provided in the section “HOW TO CONTACT US” of this Notice.

Arendt acknowledges your trust and is committed to protecting by design and by default the data you provide to us.

We maintain appropriate organisational, physical, and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption of personal data) to protect against unauthorised or accidental access, loss, alteration, disclosure, or destruction of personal data.

The personal data processed by Arendt is exclusively hosted on servers located in the EU / EEA and/or countries deemed to provide an adequate level of personal data protection by the EU Commission. Regardless of the personal data’s processing location in or outside the EU / EEA area, Arendt will ensure any sub-processor engaged applies, adequate technical and organizational security measures and complies with the GDPR’s requirements.

Our list of latest sub-processors is available here

A separate list specifically applicable to Arendt Investor Services is available here

Moreover, to further ensure the security of the data processed, Arendt pays particular attention to its “work from home” ethics. We prevent our staff from taking home any hard copies of documents and require our staff to perform any task requiring the use of hard copies to be carried out from the office.

Arendt will only retain the Personal Data:

• For as long as it is necessary for the purpose(s) for which it was intended;
• For the purposes of performing and fulfilling a contractual obligation with you or the organisation you represent and, therefore, for legitimate business purposes (or) for the duration of the contractual relationship;
• For as long as required or permitted by law, especially Data Protection laws, unless longer or shorter statutory limitation periods apply:

In some circumstances the personal data may be anonymized so that it can no longer be associated with the data subjects, in which case it is no longer personal data and can be kept for an unlimited period of time. Once Arendt no longer requires the personal data for the purposes for which it was collected, it will securely destroy the personal data in accordance with applicable laws and regulations.

Personal data that we collect when you apply online for employment: you may submit personal data through the use of our website to be considered for employment at Arendt. Such information includes, amongst others, your name, your address, your phone number, your email address, experience, education, job skills and other information contained on your curriculum vitae (CV) and/or your cover letter. Arendt uses such data solely for consideration of your candidacy for employment, to communicate with you and to generate related correspondence, including offer letters and employment agreements. Such data may also be used, subject to applicable local laws, to conduct necessary background checks for compliance and other employment related purposes (including the assessment of your profile in view of the conclusion of a potential employment contract, to the extent permitted by applicable laws and regulations).

Human Resources / Employee Data Processing — Legal Basis

For the processing of employees’ personal data, the following legal bases apply:

• Performance of the employment contract between the employee and Arendt. This includes human resources management activities such as recruitment, performance evaluation, promotions, training, payroll administration, insurance and social security, administrative management of staff (including maintenance of professional files, staff directories, allocation of professional resources), provision of professional tools, organisation of work (agendas, schedules, distribution of tasks), career monitoring and mobility, maintaining mandatory registers, relations with staff representative bodies, internal communication, and management of social benefits and assistance.
• Compliance with legal obligations to which Arendt is subject, including obligations related to income tax, social security, health and safety, data protection, immigration, regulatory reporting, criminal record checks, employee representation and professional elections, as well as any other employment-related obligations.
• Legitimate interests pursued by Arendt, which include:
  • responding to employees’ requests and communications;
  • ensuring IT, building, asset and staff security;
  • managing operations and maintaining effective business and HR administration;
  • investigating and resolving disciplinary matters or grievances;
  • exercising and defending legal rights before competent courts, authorities or regulators;
  • ensuring compliance with internal policies and procedures;
  • protecting Arendt’s assets, property and investments;
  • carrying out audits, managing disputes and pre-litigation matters;
  • facilitating internal communication and collaboration within Arendt.

Where the processing is based on legitimate interests, Arendt ensures that a balancing test is carried out to safeguard employees’ fundamental rights and freedoms.

Further information on the processing of employee data is available in Arendt’s internal Privacy Policy, which is made accessible to staff.

Retention of HR Data

HR data is retained only for as long as strictly necessary after the end of the employment relationship, and never beyond the applicable statutory limitation periods.

We expect you to inform us in writing and without undue delay of any changes to the information you provided us with, so that we can keep it up to date.

If you provide us with personal information relating to someone else (e.g., information about your respective representatives, staff members and agents, beneficial owners, shareholders, etc. or about any third party), you must first inform such individual(s) about this and make sure they acknowledge that we can use such information as set out in this Privacy Notice. In particular, you must provide them with the information relating to their rights as data subjects. We assume that these third parties are informed of the processing of any personal information relating to them that we may carry out and of the disclosure of the same to third parties and countries as described herein and that, as far as necessary, you obtained these data subjects ‘prior written consent.

By providing us with personal data relating to third parties, you confirm that you are authorised to do so and that the data subjects concerned have been appropriately informed and, where required, have consented to such processing as described in this Privacy Notice.

We reserve the right to amend this Privacy Notice from time to time to reflect changes in the law, our data collection and use practices, and to ensure it is accurate, complete and up to date*. You are advised to check this Notice from time to time.

If you have any questions or concerns about our use of your information or regarding our Privacy Notice, you may contact us by the following contact details:

Arendt & Medernach S.A., Arendt Regulatory & Consulting S.A. (and its affiliates), Arendt Digital Services S.A.R.L. (and its affiliates).

Data Protection Officer
41A, avenue J.F. Kennedy
L-2082 Luxembourg
Grand Duchy of Luxembourg

Email: dpo@arendt.com

Arendt Investor Services S.A., any of its branches and affiliates, and AManco S.A.

Data Protection Officer

9 Rue de Bitbourg

L-1273 Hamm, Luxembourg

Grand Duchy of Luxembourg

Email: dpo@arendtservices.com