DATA PRIVACY STATEMENT (GDPR)

Data Responsible

With reference to the new European Directive on the processing of Personal Data - GDPR (EU) 2016/679, Valori Asset Management SA - located at 43, Boulevard Joseph II, L-1840 Luxembourg, Grand Duchy of Luxembourg (hereinafter referred to as the “Company”) and its branch in Italy at Via dei Bossi 4, 20121 Milan - as “Data Responsible”, is required to provide certain information concerning the use of the personal data of its clients (hereinafter referred to in the singular as the “Client”) in the provision of the investment services provided by the Company (hereinafter also referred to as the “Services”). It is understood that with reference to this subject, personal data includes: name, email address, postal address, date of birth, country of residence, number of identity card, social security number, bank current account number, wealth and source of funds. Confirming the constant commitment to keep your data protected and ensure maximum transparency on the way they are treated and kept safe, Valori Asset Management has adapted the information on processing of personal data to make it compliant with the new legislation. We remind you that you can exercise your rights at any time under Articles 15 et seq. of EU Regulation 2016/679, such as the right to access data, or simply update the consents issued to Valori Asset Management, by writing to Valori Asset Management, Via dei Bossi, 4 - 20121 Milan or to info@valam.it/info@valam.lu.

Data Protection Officer

The internal data controller is Mr. Carlo Tutucci
Email: carlo.tutucci@valam.lu
Phone: 00352 26259065

Data source

The Client’s personal data in the Company’s possession are gathered directly by employees, agents or financial advisors working for either Valori Asset Management SA Italian branch or for group companies, or from third parties such as, for example, external companies or individuals that collaborate with the Company for purposes of marketing information, market research, etc. In any case, the Client’s personal data are processed by the Company in compliance with the applicable law. The Company may come into possession of particular types of data that the law defines as “sensitive”. GDPR requires the Client’s specific consent for the processing of such data. In any case, such consent permits the processing of sensitive data only within the limits of the specific purpose of the services.

Purposes of the Processing

The Client’s personal data are processed within the scope of the Company’s activities for the following purposes:

  1. strictly connected to and necessary for the management of the relationship with the Client (for example, acquisition of information prior to execution of the agreement relating to the services, performance of the obligations deriving from the service, etc.);
  2. connected to the obligations provided for by laws, regulations and EU legislation, as well as by provisions issued by authorities legally authorised to do so or by supervisory and regulatory bodies;
  3. necessary for Valori Asset Management SA’s activities for which the Client can express or withhold consent. The following activities are included in this category:
    • surveys of the Client’s satisfaction with the quality of the service and of any other services provided, carried out directly or through a specialist company by means of face-to-face or telephone interviews, questionnaires, etc.;
    • promotion and sale of the Company’s products and services or the products and services of third parties by mail, telephone, email, etc.;
    • market surveys.

    Method of Processing

    With regard to the above-mentioned purposes, the personal data is processed using both electronic and non-electronic means and, in any case, in such a way as to ensure both the security and confidentiality of the data. In any event, the Company will do everything possible, in accordance with the current state of technology, to ensure the security of the Client’s personal data, including as regards processing carried out through distance communication used to perform the services.

    Disclosure and dissemination of the data

    In order to perform its activities, the Company may use external companies and in particular companies in the following categories:

    • providers of services for the acquisition, recording and processing of personal data;
    • providers of transmission, enveloping, transport, sorting and archiving activities;
    • entities that assess financial risks and providers of debt collection services;
    • operators of national and international systems for the control of fraud against financial intermediaries;
    • operators of IT networks used for the transmission of communications regarding transactions with the Client.

    Transfer of data to countries outside the European Union

    Data may be transferred to Switzerland.

    Mandatory and optional nature of the provision of personal data and consequences of refusal to provide such data

    Provision of the personal data by the Client is mandatory for the processing necessary for the activities mentioned in points 1 and 2 of the paragraph “Purposes of the Processing” above and any refusal by the Client to provide the personal data will prevent the Company from providing the services.

    Client’s rights

    The Client has the right to obtain confirmation as to whether data relating to him/her/it are being processed, even if not yet recorded, and to have such data communicated to him/her/it in an intelligible form.
    The Client has the right to be informed of:

    • the source of the personal data and the purposes and method of processing;
    • the logic involved when processing is carried out using electronic means;
    • the identification details of the Data Controller and Processors;
    • the persons or the categories of persons to whom the data may be disclosed or communicated or who may become aware of the data as designated representative in the country, as processors or persons in charge of the processing.
    The Client has the right to obtain:
    1. the updating, correction or, where necessary, completion of the data;
    2. the erasure, anonymity or blocking of data processed unlawfully, including data which do not need to be retained for the purposes for which the data were collected or subsequently processed;
    3. certification that the operations mentioned in points 1 and 2, including the content thereof, have been brought to the attention of the persons to whom the data were disclosed or disseminated, except where this is impossible or involves the use of resources that are clearly disproportionate to the right protected.
    The Client is entitled to object, in full or in part:
    • for legitimate reasons, to the processing of his/her/its personal data, even where such data are relevant to the purpose of the data collection;
    • to the processing of his/her/its personal data for the purposes of sending advertising material, direct selling, market research or marketing communications.

    Data retention period

    Unless the law imposes specific retention requirements, we keep your personal data for the entire duration of the contract and for a further term of 10 years from the termination of the employment contract. Data useful for the establishment of the contractual terms, if the contract is not formalized, will be kept for a maximum period of 24 months.

    Recorded telephone conversations

    Telephone conversations are recorded in conformity with the regulation in force in order to serve as evidence of some of the Company’s activities (e.g. investment management transactions). These recordings will not be divulged to third parties, but only and exclusively in response to enquiries formulated by the competent authorities in case of necessity.

    Contractual terms

    At the end of any contract that links Valori to the data controller or its delegates, all personal data will be deleted or returned to the Company with destruction of the existing copies, except where the laws of an individual state provide for different methods or require further retention.

    Responsibility

    According to Recital 146 of GDPR, the Responsible or the Controller of data processing is liable for damages caused to a natural person under the current regulations. The Company can be exempted from this responsibility if compliance with the above-mentioned regulation has been proved and if all procedures for safeguarding the personal data have been followed.

    “The person who is responsible for the processing shall restrict or defer the right of access of the person concerned to his personal data where such measure is necessary in order to: (a) enable the professionals, the FIU, a supervisory authority or a self-regulatory body to fulfil their tasks properly for the purposes of the Law of 12 November 2004 on the fight against money laundering and terrorist financing (hereafter “the AML Law”) or its implementing measures; or (b) avoid obstructing official or legal inquiries, analyses, investigations or procedures and to ensure that the prevention, investigation and detection of ML/TF is not jeopardised (Article 3(6a) of the AML Law)”.