Data Controller

With reference to the new European Directive on the processing of Personal Data - GDPR (EU) 2016/679, VALAM Asset Management SA - located at 43, Boulevard Joseph II, L-1840 Luxembourg, Grand Duchy of Luxembourg (hereinafter referred to as the "Company" ) and its branch in Italy in via dei Bossi 4; 20121 Milan - as "Data Controller”, is required to provide certain information concerning the use of the personal data of its website visitors, prospective clients and clients including any authorised representatives, proxy holders, beneficial owners and/or any other related persons (hereinafter referred to in the singular as the “Client”) in the provision of the investment services provided by the Company (hereinafter also referred to as the “Services”).
It is understood that with reference to this subject, personal data includes in general:

  • Identification data (such as name, email address, postal address, date of birth, country of residence, nationality, number of identity card, tax identification number, social security number);
  • Banking and financial data (bank current account number, wealth and source of funds);
  • Electronic identification data (such as cookies);
  • Qualifications and occupation (curriculum vitae, employer, function, title, place of work, work history);
  • Criminal record extract;
  • Images (such as copies of identification documents).
Data source

The Client’s personal data in the Company’s possession are gathered directly by employees, agents or financial advisors working for either Valori Asset Management SA Italian branch or for group companies, or from third parties such as, for example, external companies or individuals that collaborate with the Company for purposes of marketing information, market research, etc. In any case, the Client’s personal data are processed by the Company in compliance with the applicable law.
The Company may come into possession of particular types of data that the law defines as “sensitive” as follows:

  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Data concerning sex life and sexual orientation;
  • Biometric data (including photo on identity documents); andData relating to criminal convictions and offences

Indeed, processing of some of these sensitive data is necessary for the purposes of carrying out the obligations of the Company in the field of anti-money laundering and terrorism financing regulation.

Please note that if you decide to voluntarily disclose unsolicited sensitive data from us, you consent to the processing of such data by the Company.

GDPR requires the Client’s specific consent for the processing of such data. In any case, such consent permits the processing of sensitive data only within the limits of the specific purpose of the services.

Purposes of the processing

The Client’s personal data are processed within the scope of the Company’s activities for the following purposes:

  1. strictly connected to and necessary for the management of the relationship with the Client (for example, acquisition of information prior to execution of the agreement relating to the services, performance of the obligations deriving from the service, etc.);
  2. connected to the obligations provided for by laws, regulations and EU legislation, as well by provisions issued by authorities legally authorised to do so or by supervisory and regulatory bodies;
  3. legitimate interests pursued by the Company or by a third party as including the processing of personal data for the establishment of secure access to the Company’s premises and for having a global overview of the clients and of their needs;
  4. necessary for Valori Asset Management SA’s activities for which the Client can express or withhold consent. The following activities are included in this category:
    • surveys of the Client’s satisfaction with the quality of the service and of any other services provided, carried out directly or through a specialist company by means of face-to-face or telephone interviews, questionnaires, etc.;
    • promotion and sale of the Company’s products and services or the products and services of third parties by mail, telephone, email, etc.;
    • market surveys.
Method of processing

With regard to the above-mentioned purposes, the personal data is processed using both electronic and non-electronic means and, in any case, in such a way as to ensure both the security and confidentiality of the data. In any event, the Company will do everything possible, in accordance with the current state of technology, to ensure the security of the Client’s personal data, including as regards processing carried out through distance communication used to perform the services.

Disclosure and dissemination of the data

The Company may disclose personal data to the following data recipients, depending on the purpose of the processing of the personal data:

  • Other internal departments and/or VALAM group entity: for outsourcing purposes, for establishing the business relationship with the Client and complying with its legal and regulatory requirements.
  • Services providers: for outsourcing purposes and transactions operations (Please see below).
  • Local competent authorities: for being compliance with applicable law or regulation.

In order to perform its activities, the Company may use external companies and in particular companies in the following categories:

  • providers of services for the acquisition, recording and processing of personal data;
  • providers of transmission, enveloping, transport, sorting and archiving activities;
  • entities that assess financial risks and providers of debt collection services;
  • operators of national and international systems for the control of fraud against financial intermediaries;
  • operators of IT networks used for the transmission of communications regarding transactions with the Client.
Transfer of data to countries outside the European Union

Data may be transferred outside of European Union only to Switzerland.

Mandatory and optional nature of the provision of personal data and consequences of refusal to provide such data

Provision of the personal data by the Client is mandatory for the processing necessary for the activities mentioned in points 1 and 2 of the paragraph “Purposes of the Processing” above and any refusal by the Client to provide the personal data will prevent the Company from providing the services.

Client’s rights

The Client has the right to obtain confirmation as to whether data relating to him/her/it are being processed, even if not yet recorded, and to have such data communicated to him/her/it in an intelligible form.
The Client has the right to be informed of:

  • the source of the personal data and the purposes and method of processing
  • the logic involved when processing is carried out using electronic means
  • the identification details of the Data Controller and Processors
  • the persons or the categories of persons to whom the data may be disclosed or communicated or who may become aware of the data as designated representative in the country, as processors or persons in charge of the processing.

The Client has the right to obtain:

  1. the updating, correction or, where necessary, completion of the data;
  2. the erasure, anonymity or blocking of data processed unlawfully, including data which do not need to be retained for the purposes for which the data were collected or subsequently processed;
  3. certification that the operations mentioned in letters a) and b), including the content thereof, have been brought to the attention of the persons to whom the data were disclosed or disseminated, except where this is impossible or involves the use of resources that are clearly disproportionate to the right protected;

The Client is entitled to object, in full or in part:

  • for legitimate reasons, to the processing of his/her personal data, even where such data are relevant to the purpose of the data collection;
  • to the processing of his/her personal data for the purposes of sending advertising material, direct selling, market research or marketing communications.

The Client has the right to data portability i.e. he/she must be able to receive a copy of personal data that you have provided to the Company in a structured, commonly used and machine-readable format and to transmit those data to a third party.

The Client has the right to contest a decision based solely on automated processing.

If the Company adopts a decision based solely on automated processing, including profiling, which produces legal effects concerning the Client or similarly significantly affects the Client (e.g. the approval for a loan or an insurance contract), the Company must grant the Client the right to express his/her point of view and to contest the decision. The Company must also inform the Client of the logic involved in the decision-making.

Data retention period

Personal data shall be retained by the Company only for the time necessary for the achievement of the purposes referred to above i.e. for at least the duration of the relationship with the client. After the end of the relationship personal data shall be retained for a maximum period of ten (10) years unless a different retention period should be required by public authorities or by legal prescription periods during which you or the Company require such information for the exercise or defence of a legal claim.

Recorded telephone conversations

The telephone conversations are recorded in conformity to the regulation in force in order to serve as evidence of some Company’s activities (e.g.: investment management transactions).
These recordings will not be divulged to third parts but only and exclusively to the enquiries formulated by the competent authorities in case of necessity.

Contractual terms

At the end of any contract that links Valori to the data controller or its delegates, all personal data will be deleted or returned to the Company with destruction of the existing copies, except when the laws of each single state provides different methods or the request for further retention


According to “considerando” 146 of GDPR, the Responsible or the Controller of data processing must respond for damages caused to a physical person under the current regulations. The Company can be exempted from this responsibility if the respect of the normative above mentioned has been proved and if all procedures have been followed for the safeguard of the personal data.

Update or change of this Statement:

The Company may change or update parts of this memorandum in order to maintain its compliance with applicable law and regulations, or following an update of our internal practices. When the Company changes this Statement, it will publish the updated version on its website. The Clients should check this Statement regularly.

For any request for information concerning the processing of personal data by the Company or if the Client wishes to exercise your rights, he/she can contact the Data Protection Officer (“DPO”) of the Company by post at the following address : 43 Boulevard Joseph II-L-1840 Luxembourgor by email:

After contacting the Company, if the Client believes that his/her data protection rights have been infringed by the Company, he/she has the right to complain to the competent data protection authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement. The competent data protection authorities are especially the following:
- in Luxembourg, “Commission Nationale pour la Protection des Données” (CNPD) at
- in Italy: Garante per la Protezione dei Dati Personali.