Privacy notice

Except as further described below, Arendt is to be considered the data controller with respect to your personal data that we collect and/or process.

Arendt acting as a data controller is committed to protecting your privacy and ensuring the security of your personal data. We (as a data controller) are responsible for determining “how” and “why” your personal data is processed, in accordance with the General Data Protection Regulation (GDPR). This means we are responsible for collecting, processing, and safeguarding your personal data. Our role as a data controller entail ensuring that your personal data is processed lawfully, fairly, and transparently. This Notice describes the types of personal data we collect, the purposes for which we collect and use it, and your rights in relation to your data. We take your privacy seriously and aim to be transparent about our data processing activities.

Depending on the Arendt entity and/or its mandate with you (including you on behalf of your company), under specific circumstances, Arendt will act as data processor. We (as a data processor) will solely determine where such a situation occurs and will inform you (as a data controller) consequently. The purpose of this section is to define the conditions under which we undertake to carry out personal data processing operations on your behalf.

We are authorized to process on your behalf the data necessary for us to perform our mission. Then it belongs to you to specify with the clearest and most exhaustive manner:

  • The nature of the operations to be carried out;
  • The purpose of the processing;
  • The data processed by these latter;
  • The categories of data subjects concerned by these data processing.

About our obligations towards you, we undertake to:

  • Process the data for the sole purpose for which you have transmitted it to us and in accordance with your documented instructions;
  • Apply the principles of data protection by design and data protection by default with respect to any activity by virtue of which we process data;
  • Assist you with sufficient guarantees by appropriate technical and organizational measures to ensure that the processing complies with the requirements of these regulations and guarantees the protection of the data subjects’ rights;
  • Guarantee the security, confidentiality and integrity of the personal data processed;
  • Provide the necessary awareness and training to persons authorized to process personal data on data protection;
  • Inform you in the event that, we consider that such processing may involve a breach of applicable law, as well as when there is a risk affecting your personal data or their processing;
  • In accordance with your request, delete or return to you all that personal data (in case we process such personal data only in our capacity as processor), and delete existing copies of any such personal information, except it is mandatory for us to retain that personal data;
  • Provide you all information necessary to demonstrate compliance with the obligations set out in the GDPR and allow for and contribute to audits, including inspections, conducted by you (as a controller) or another auditor mandated by you.

Whenever possible, we (as data processor) will assist you (as data controller) in fulfilling your obligation to comply with requests to exercise the rights of the individuals concerned: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision.

In case of using sub-contractors or replacing them, to carry out specific processing activities in order to perform our mission, we will notify you and will act with professional diligence.

This specific section is without prejudice to other non-contradictory provisions of this Notice and to Arendt commitments to respect and promote data protection principles.

To better understand how Arendt, if acting as a data processor, commit with its controller, please do refer to our Terms of Business below:

To provide its services, Arendt needs to collect and process information about you. The data we collect depends on the context of your interactions with Arendt and the choices you make including the services which are provided to you.

You can choose what data you allow us / or not to collect. Should you refuse to share your data, we may not be able to provide our service to you.

The data we collect and process include the following:

  • Identification data: we collect data about you such as your first and last name, email address, postal address, phone number, and other similar contact data, date and place of birth, gender, country, and preferred language;
  • Electronic identification data: we use cookies to collect data on how you use our website and view our marketing emails. This may include, for example, information on which Arendt’s website pages you have visited, how long you stayed on them or which items you clicked on. Please, do find here our dedicated Cookie Policy;
  • Business contact information: we collect data about you such as job function, job title, department, organisation name, size and location, and whether or not you are acting on behalf of a client;
  • Financial information: we collect your financial information, such as financial account information, if needed to take payment or fulfil contractual obligations or for related purposes;
  • Contractual information: any information provided by the data subject allowing Arendt to perform its contractual duties;
  • Sensitive data (i.e., personal information specifying criminal offences/convictions, medical or health conditions, biometric or genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), strictly to the limited extent that may be necessary for Arendt in the context of employment and in the context of performing a contract with a client or to fulfil a legal obligation.

Please also refer to the HR section below.

By interacting with us, directly or indirectly, you accept that we process your personal data.

Arendt will collect and process your personal data, when:

  • you visit our firm, website or social media pages;
  • you show interest in or may be interested in our firm or in our services;
  • you apply for a position within our firm;
  • you or your company become(s) our customer or supplier;
  • we provide services to you or our clients in general.

Depending on Arendt activities, we also may obtain your information from other sources (e.g.: Arendt’s subsidiaries, affiliates, business partners or other third-party sources) where they are authorized to share such information with us such as:

  • Updated business address information;
  • Identification data;
  • Financial information;
  • Contractual information.

Our organisation could use GenAI technologies to enhance the services we provide to our clients. Depending on the specific business activity, downloads of authorised documents into approved GenAI tools (excluding public GenAI tools) are permitted. We have integrated this technology securely and responsibly, establishing specific usage guidelines and training our personnel on effective and safe AI tool use. We ensure that our GenAI vendors implement stringent measures to uphold confidentiality, comply with data protection regulations, and refrain from using our data to train their proprietary large language models (LLMs) or any other LLMs. Additionally, vendors are prohibited from accessing, using, reusing, or copying our data in any manner.

For a processing of personal data to be compliant with the GDPR, a legal basis must be identified prior to its implementation.

We use or may use your personal data for the following purposes (or as otherwise described at the point of collection) in line with the lawful basis under the GDPR.

We may contact you by mail, telephone, fax, video conference, email, or other electronic messaging service to notify you about special events, new features or other information that may be of interest to you in accordance with your interaction with Arendt. Where required by applicable law, your prior consent will be obtained before sending you direct marketing and you may object or opt out of receiving marketing messages from Arendt.

Arendt does not in any way sell, lease, or rent your information to third parties.

Lawful basis

Categories of Personal Data

Purposes for collection, use and processing of clients’ data

Contract /

pre-contract

 

(execution and performance of a contract with the data subject or for requested pre-contractual steps between the latter and the company)

 

–       Identification data (first and last name, email / postal address, phone number, other similar contact data, date and place of birth, gender, country, preferred language)

–       application for a position within our firm

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Financial (account) information

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Business contact information (job function / title, department, organisation name, size, location, whether you are acting on behalf of a client or not)

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier

–       investigate and resolve the company’s issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Contractual information (any information provided by the data subject allowing us to perform our contractual duties)

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Performance data (performance information / history, disciplinary / grievance matter)

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Sensitive data (personal information specifying criminal offences/convictions, medical or health conditions, biometric or genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual)

–       application for a position within our firm

–       obligations under applicable laws and regulations (e.g. in relation to health and safety at work duties)

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

 

 

 

 

Legal obligation

–       Identification data (first and last name, email / postal address, phone number, other similar contact data, date and place of birth, gender, country, preferred language, national identification number, criminal record)

–       application for a position within our firm

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service including to perform AML/KYC checks

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Financial (account) information

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service including to perform AML/KYC checks

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Contractual information (any information provided by the data subject allowing us to perform our contractual duties)

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Electronic identification data (cookies*, online ID)

–       secure the IT networks and systems, operations, assets, premises, employees and clients

–       prevention, investigation, monitoring and resolution of any misuse of the system or computer resources, or security incidents that may occur in relation to the network and/or computer systems

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

 

 

 

 

 

 

Legitimate interest

–       Identification data (first and last name, email / postal address, phone number, other similar contact data, date and place of birth, gender, country, preferred language, images & videos)

–       interest in our firm or in our services throughout firm, website or social media pages visit (e.g.: job application / marketing / newsletter)

–       application for a position within our firm

–       security when visiting our firm

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       manage requests, registrations and certificates for training courses delivered by Arendt Institute

–       Business contact information (job function / title, department, organisation name, size, location, whether you are acting on behalf of a client or not)

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier

–       investigate and resolve the company’s issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Contractual information (any information provided by the data subject allowing us to perform our contractual duties)

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Performance data (performance information / history, disciplinary / grievance matter)

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service

–       delivery of training certificates

–       manage requests, registrations and certificates for training courses delivered by Arendt Institute

–       Financial (account) information

–       (pre-)contractualization and management of on-boarding and business relationships with our client, provider or supplier for a service

–       investigate and resolve the company’s internal and external issues or grievances

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Electronic identification data (cookies*, online ID)

–       improve user online experience when visiting Arendt website or social media pages

–       secure the IT networks and systems, operations, assets, premises, employees and clients

–       prevention, investigation, monitoring and resolution of any misuse of the system or computer resources, or security incidents that may occur in relation to the network and/or computer systems

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

–       Identification data (first and last name, email / postal address, phone number, other similar contact data, date and place of birth, gender, country, preferred language, images & videos)

–       allow the company to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority

Consent

–       Electronic identification data (cookies*, online ID)

–       interest in our firm or in our services throughout firm, website or social media pages visit (e.g.: job application / marketing / newsletter)

–       improve the user experience

–       CV’s

–       to contact the data subject in case of a new application opportunity

 

*Please, find our Cooke Policy here

The Personal Data may also be disclosed to Arendt’s data recipients (the “Recipients”) as necessary to provide any service you have requested, authorised or consented for the purpose of / with:

  • Service providers: we may disclose/transfer your data to every relevant service provider supporting Arendt in carrying all or a part of its business, including but not limited to : financial intermediaries, advisors, IT/cloud providers, procurement providers, recruitment firms.
    They will solely act to the extent necessary to provide services to us and to assist us in providing services to you. Service providers must, in fact, abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose providing services to Arendt and assisting us in providing services to you.
  • Third parties: we may disclose/transfer your data with third parties such as administration and public authorities, banking institutions, notaries, domiciliation agents and to professional advisors and auditors of Arendt, governmental, judicial, prosecution or regulatory agencies and/or authorities as well as official national registers, including tax authorities, in accordance with applicable laws and regulations. In particular, Personal Data may be disclosed to the Luxembourg authorities, which in turn may disclose the same to foreign authorities. In such case, Arendt and the recipient are both acting as data controller.

    Affiliates: we may disclose/transfer your data, as described in our General Terms & Conditions, with our affiliates (Worldwide Presence) which will process your information in a manner consistent with this Notice.

    Safety, security and compliance with law: we may disclose/transfer personal data to comply with applicable law or respond to subpoenas, court orders or other valid legal process, for reasons relating to national security, to defend against legal claims, to protect the rights and safety of ArendtArendt’s clients, employees or others. This may involve the sharing of your data with law enforcement, government agencies, courts, and other authorised organisations. 
  • Consent: we may share your data in other ways and for new purposes if you have asked us to do so and have consented to such sharing.

The Recipients may also, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the sub-Recipients), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to Arendt and/or assisting the Recipients in fulfilling their own legal obligations.

The above-mentioned Recipients may be located inside or outside the European Economic Area (EEA).

Should your information be transferred outside the EEA, in countries not recognised by the European Commission* as having an adequate level of data protection or not benefiting from an adequacy decision of the European Commission, such transfer will be made in accordance with the relevant appropriate safeguards, as applicable.

Should you have any question regarding this section, please let us know by contacting us to the contact information provided in the section “HOW TO CONTACT US” of this Notice.

Arendt seeks to ensure that you are able to exercise your rights at any time. Arendt will address any request within the limits of its technical and organizational means. These include:

  • Right to access your personal data: should you want to review the data we hold, collect and process about you, please let us know by contacting us at the contact information provided in the section “HOW TO CONTACT US” of this Notice.
  • Right to rectification: should the data we hold, collect and process about you be inaccurate or incomplete, you have the right to update such data at any time by contacting us at the contact information provided in the section “HOW TO CONTACT US” of this Notice.
  • Right to erasure: if at any time you decide you do not want us to retain any personal data we collected from you, you may request we delete your data by contacting us at the contact information provided in the section “HOW TO CONTACT US” of this Notice. We will take reasonable measures to comply with your request in accordance with applicable laws.
  • Right to restriction of processing: should you wish to exercise this right, please contact us at the contact information provided in the section “HOW TO CONTACT US” of this Notice. You should obtain the right to restriction of processing only where in accordance with applicable laws.
  • Right to object: should you wish to exercise this right, contact us at the contact information provided in section the section “HOW TO CONTACT US” of this Notice. We will consider your objection and we will comply with it unless we have a compelling legitimate ground as permitted by applicable law.  
  • Right to data portability: you may have the right to have your personal data transmitted directly from us to another controller only when you have asked us to do so and have consented to such sharing, and when technically feasible. Should you wish to exercise this right, please contact us at the contact information provided in the section “HOW TO CONTACT US” of this Notice.
  • Right to withdraw consent: where the processing is based on your consent you may withdraw your consent at any time, without this affecting the processing carried out before such withdrawal and without prejudice to any retention or processing that may be required from us by law. Should you wish to exercise this right, please contact us at the contact information provided in the section “HOW TO CONTACT US” of this Notice.
  • Right to lodge a complaint with the supervisory authority: If you believe that your data is being processed in a way that does not comply with the GDPR, you have the right to lodge a complaint with the national supervisory authority or with any competent data protection supervisory authority of their EU Member State of residence.

The Luxembourg supervisory authority is:

Commission Nationale pour la Protection des Données (the “CNPD”)
Address: 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Tél: (+352) 26 10 60 -1

Website: https://cnpd.public.lu/

Arendt acknowledges your trust and is committed to protecting by design and by default the data you provide to us.

We maintain appropriate organisational, physical and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of personal data) to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of personal data.

The personal data is exclusively hosted on servers located in the EU / EEA. Whether the personal data will be processed in or outside the EU / EEA area, Arendt will pay a particular attention to process it, even throughout subcontractors (Sub-processors), on a confidential basis with adequate technical and organizational security measures, unless required by law or agreed otherwise by you.

By the way, we pay a particular attention to work from home ethics. We prevent any hard copy to be taken at home and require from our employees that any task requiring the use of hard copies to be done from the office.

Arendt will only retain the Personal Data:

  • For as long as it is necessary for the purpose or purposes for which it was intended (or)
  • For the purposes of performing and fulfilling a contractual obligation with you or the organisation that you represent and, therefore, legitimate business purposes (or) for the duration of the contractual relation,
  • For as long as required or permitted by law, especially Data Protection laws, unless longer or shorter statutory limitation periods apply:
  • 10 years for accounting and finance information, client request for proposal, Market Abuse Disclosure List, Personal Investment Lists,
  • 5 years for insider list
  • 2 years for pre-contractual documents
  • 10 years for client contracts (could be reduced to 5 years in application of the “Loi sur la profession d’avocat”)
  • 5 years as from the end of the relationship for KYC documentation
  • 10 years for service provider contracts (could be reduced to 5 years based on “prescription civile”)
  • 5 years minimum after liquidation of the company for corporate records (prescription period)
  • 1 year for mail/post listings, 3 years for event listings, 5 years for visitors register
  • 10 years after the most recent event for all personal data implied into creation of the CRM, change of company, opt-out request
  • 3 years for CVs unsuccessful applicants with their consent
  • CV of employees; for the time of their employment

In some circumstances the Personal Data may be anonymized so that it can no longer be associated with the Data Subjects, in which case it is no longer personal data and can be kept for an unlimited period of time. Once Arendt no longer requires the Personal Data for the purposes for which it was collected, it will securely destroy the Personal Data in accordance with applicable laws and regulations.

Personal data that we collect when you apply online for employment: you may submit personal data through the use of our website to be considered for employment at Arendt. Such information includes, amongst others, your name, your address, your phone number, your email address, experience, education, job skills and other information contained on your curriculum vitae (CV) and/or your cover letter. Arendt uses such data solely for consideration of your candidacy for employment, to communicate with you and to generate related correspondence, including offer letters and employment agreements. Such data may also be used, subject to applicable local laws, to conduct necessary background checks for compliance and other employment related purposes (including the assessment of your profile in view of the conclusion of a potential employment contract, to the extent permitted by applicable laws and regulations).

We expect you to inform us in writing and without undue delay of any changes of the information you provided to us, so that we can keep it up to date.

If you provide us with personal information not relating to you (e.g., information about your respective representatives, staff members and agents, beneficial owners, shareholders, etc. or about any third party), you must first inform them about this and make sure they acknowledge that we can use such information as set out in this Notice. In particular, you must provide them with the information relating to their rights as data subjects. We assume that these third parties are informed of the processing of any personal information relating to them that we may carry out and of the disclosure of the same to third parties and countries as described herein and that, as far as necessary, you obtained these data subjects ‘prior written consent.

We reserve the right to amend this Notice from time to time to reflect changes in the law, our data collection and used practices, and to ensure it is accurate, complete and up to date*. You are advised to check this Notice from time to time.

 *Last update on 13/11/2024

If you have any questions or concerns about our use of your information or regarding our Notice, you may contact us by the following contact details:

Arendt & Medernach S.A., Arendt Regulatory & Consulting S.A., Converginvest S.A., Converginvest Capital Partners S.A., Converginvest Management S.A.and Arendt Digital Services S.A.R.L.

Data Protection Officer
41A, avenue J.F. Kennedy
L-2082 Luxembourg
Grand Duchy of Luxembourg

Email: dpo@arendt.com


Arendt Investor Services S.A., any of its branches and affiliates, and AManco S.A.
Data Protection Officer
9 Rue de Bitbourg
L-1273 Hamm, Luxembourg
Grand Duchy of Luxembourg

Email: dpo@arendtservices.com