3.1. Depending on whether you are a client, a potential future client or other counterparty of one of the CapitalatWork Group companies, such entity is considered to be the “Data Controller” with regard to the Processing of your Data. This means that it determines the Purposes and means of the Processing of your Data and that it is first responsible to ensure that the Processing is done in a lawful, transparent and secure manner.

Our respective contact information are:

For Luxembourg:
CapitalatWork Foyer Group S.A.
12 rue Léon Laval
3372 Leudelange
Luxembourg
RCS: B78769

For Belgium and the Netherlands:
CapitalatWork S.A.
Avenue de la Couronne 153
1050 Bruxelles
Belgique
Entreprise number : 0441.148.080 RPM Bruxelles

For all our Group entities, we have appointed a Data Protection Officer (DPO) who you can reach by ordinary mail at the postal address of CapitalatWork or by email at: [privacy@capitalatwork.com].

3.2. We guarantee that any person having access to your Personal Data (e.g. our employees) and acting under our au-thority Processes your Data in respect of the instructions thatwe have given them and has committed to respect the confidentiality rules.

3.3. CapitalatWork may call on Processors for the Processing of your Personal Data (e.g. IT, logistics services providers, …). In such case, we commit to only call on Processors providing sufficient guarantees with regards to the lawfulness, transparency and the security of the Processing of your Data.

3.4. We reserve the right to share your Data within our Group in order to optimise its Processing, the efficiency and quality of the services and products that we deliver to you.

3.5. We may also be required to transfer your Data to public, regulatory or judiciary authorities, to our lawyers, counsels, auditors or other third parties, if we are required to do so by law or if we consider, in all good faith, that such disclosure is necessary to the safeguarding of the rights, property or security of the CapitalatWork Group, of our clients and other counterparties or the public. This type of transfer can for example take place in the context of a survey, in order to comply with a legal obligation or procedure, in the context of a merger, an acquisition or the restructuring of one of the companies or of the Group. Such transfers will also be made in accordance with our obligations under the Applicable laws.

3.6. In principle, we will not transfer your Data outside of the European Economic Area. However, should such transfers become necessary, we will first verify that the countries of the recipients ensure an adequate level of protection, or that appropriate (contractual) safeguards have been put in place beforehand. A copy of such safeguards can be provided to you by addressing a request to your CapitalatWork relationship manager.

4. We process different categories of Data

4.1. The categories of Data that we collect and Process are the following:

Personal Data :

• Identification Data
  e.g.: name, civil status, date of birth, nationality, address, identification documents, national identification number or similar identification number, fiscal identification number, etc.
• Personal legal status
  e.g.: civil status, matrimonial regime, family composition, capacity to enter into a contact
• Contact details
  e.g.: address(es), telephone number, e-mail, language, etc.
• Your preferences and interests
  e.g.: frequency of the sending of portfolio status, interest in our events, interest in our articles and news published on our website or on our My Capital platform or on our mobile app or other communication channels
• Financial information
  e.g.: financial situation, historic of account and transactions, investor profile and investment horizon, etc.
• Contractual and utilisation information
  e.g.: detail of the products and services you benefit of including the way you are using these
• Open data, public information and information received from third parties. e.g.: freely accessible data on the internet, data contained in official journals (Belgian Official Gazette, Luxembourg Official Journal, …), databases, … that we use to complete and improve our data
• Special personal data categories
  We only Process data about you which qualify as sensitive data if the Applicable Laws allow us to or require that we process them. e.g.: “politically exposed persons” in the meaning of the anti-money laundering legislation
• Communications. e.g.: Information that you share with us through our various exchanges (letters, emails, telephone conversation, etc.) or through the use of our mobile application or other communication and exchange channels
• Consents

4.2. In addition to the Data categories listed above, we may Process other types of Data relating to you that you may have voluntarily provided to us, that were provided to us in the context of our business relations or that we have deducted or generated from Data that were already in our possession.

5. We Process your Data for specific purposes and have the required legal basis to do so

5.1. We Process Personal data for the following purposes (“Purposes”)

• Management of your contracts and services
• Management of our suppliers, clients, partners and public relations
• Revention of money laundering, fraud and the financing of terrorism, prevention and detection of market abuse and insider trading
• Compliance with legal and tax obligations
• Management of legal proceedings and other potential disputes (law suits, claims, …)
• Security and protection of our organization, of our activities, of our partners, our clients, our visitors and the public
• Technical and commercial information regarding the use of our services, including how you use our website, mobile application, MyCapital platform or other means of communication and exchange to improve our services and for evidentiary purposes
• Creation of aggregated usage statistics, after pseudonymisation, for our website, our mobile application, our MyCapital platform or other means of communication and exchange
• Managing and maintaining our website, mobile application,
  MyCapital platform or other communication and exchange channels
• Communication and marketing, including the sending of our newsletters, the management of our website and other communication channels.

5.2. We Process Data ensuring that one of the following legal bases exist:

a)  The processing is necessary for compliance with our legal obligations;

b)  The processing is necessary for the purpose of our legitimate interest, namely:

•  The proper execution and continuity of our activities and the expansion or improvement of our services and products
• The information and communication to existing contractual relations about our products and services that we consider pertinent given our understanding of your profile
• The protection of our organization, of our activities, of our partners, of our clients, of our visitors and the public. When we Process Data on the grounds of our legitimate interest, it is always in respect of the balance with your rights and fundamental interests;

c) The processing is necessary for the performance of a contract to which you are a party or the execution of certain pre-contractual steps taken at your request;

d) You have given your consent for the Processing of your data for one or several specific purposes.

6. We keep your data for a limited period and for a specific purpose

6.1. We only keep your Data for as long as it is required by the Purpose of the Processing. We will delete or anonymise your Data, as the case may be, as soon as the Purpose of the Processing or the legal obligation to retain it has disappeared.

7. We respect your rights

7.1. We have implemented appropriate technical and organisational measures to ensure that your Data is Processed in the appropriate security conditions in order to protect it from loss, any unauthorised use, modifi- cation or destruction.

7.2. Please remember that, as Data Subject, you can at any time ask us to:

• confirm that we actually Process Data relating to you and to grant you access;
• rectify or complete inaccurate or incomplete Data;
• limit the Processing of your Personal Data or erase it;
• transfer your Data to another Data Controller of your choice.

You can also object to the Processing of your Personal Data and withdraw your consent when Processing is based on it. In order to guarantee the security of your Data and to avoid any misuse, before responding to your request, we will ask you to provide us with an acceptable proof of your identity and will verity the legitimacy of your request and whether all the conditions have been satisfied. If your request is valid, we will respond within one (1) month from the date of its reception.

We will not respond to excessive requests. A request can be considered excessive because of its repetitiveness for example.

8. Do you still have questions or wish to file a complaint?

8.1. If you have any questions or concerns about the way we Process your Data, don’t hesitate to direct them to your CapitalatWork relationship manager, who is also trained and authorised to receive your questions regarding your Privacy and who will, where necessary, redirect them to our Data Protection Officer (DPO).

You can also reach us at privacy@capitalatwork.com by attaching a recto verso copy of your identity card to your request.

We assure you that we will deploy our best efforts to find a quick and fair solution to any concern that you may submit to us.

8.2. In addition, if you have reasons to believe that the Processing of your Personal Data by CapitalatWork infringes the Applicable Laws, you have the right, at all times, to lodge a complaint with the supervisory authority of your choice.

You can visit the websites of the Supervision Authority relating to you in order to obtain their up-to-date contact details:

• Belgium – www.dataprotectionauthority.be
• Luxembourg – www.cnpd.public.lu
• The Netherlands – www.autoriteitpersoonsgegevens.nl