Table of contents
I. Introduction
II. Use of the website and data protection
III. General data protection information for the Aquila Group
IV. Data protection information according to Art. 13 GDPR for telephone recording pursuant to MiFID/MiFIR
V. Data protection information for video and telephone conferences via “Microsoft Teams”
VI. Data Protection Information for the Whistleblowing Portal
VII. DATA SUBJECT RIGHTS
I. Introduction
We are aware of the trust you are placing in us. Therefore, we would like to provide comprehensive information to you on how we handle your personal data at Aquila Group (which refers to Aquila Capital Holding GmbH and the companies affiliated with it within the meaning of §§ 15 et seqq. of the German Stock Corporation Act (AktG)) as well as information on your rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws, in particular the Federal Act on Data Protection of Switzerland (“FADP”). In particular, we would like to inform you about the type of data we collect when you visit and/or use our website and on how we use this data. If we have received personal data from you through other communication channels (e.g. by e-mail), the following Privacy Policy applies as well.
Given that our website and the technologies on which it is based, as well as our business processes are subject to continuous development, the Privacy Policy may need to be changed too. All future changes will be published on this website.
II. Use of the website and data protection
1. Name and contact data of the controller for personal data processing on the Aquila Group website
We, Aquila Capital Holding GmbH, represented by the managing directors Dr. Dieter Rentsch und Roman Rosslenbroich, Valentinskamp 70, 20355 Hamburg (Tel.: +49 40 875050-100 / receptionist, Fax: +49 40 87 5050-129) are the controller for the processing of personal data in relation to the usage of the website.
2. Contact data of the Group Data Protection Officer
The Data Protection Officer of Aquila Group can be reached as follows:
Aquila Capital Holding GmbH
c/o the data protection officer
Valentinskamp 70, 20355 Hamburg
3. Processing of personal data in the context of informational use of our website
a. Description and scope of data processing
If you only use our website for informational purposes and have not consented to the setting and use of any optional cookies, we do not collect any personal data aside from the data transmitted by your browser, e.g. via basic cookies that are stored on your end device which are necessary to enable you to visit and functionally use the website.
That data is:
- Date and time of your request
- Duration of your visit
- Time zone difference compared to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status / HTTP status code
- Website & provider from/by which the request is made
- Browser
- Operating system
- Language and version of the browser software
- IP-address.
In addition to the aforementioned data, additional data may be collected and processed if you consent to the storage of optional cookies or the use of similar technologies on your computer and processing of such data when you visit and use our website. For more details on the processing of data via cookies, see II. Clause 6 of this Privacy Policy.
b. Legal basis of data processing
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.
To the extent that the GDPR is applicable, We process personal data exclusively
- with your consent (Art. 6 (1) lit. a GDPR),
- to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 (1) lit. b GDPR),
- to comply with a legal obligation (Art. 6 (1) lit. c GDPR) or
- where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 (1) lit. f GDPR).
If you apply for an open position in our company, we will, additionally, process your personal data to decide on whether to hire you (Art.6 para 1 sentence 1 lit b. GDPR.
c. Duration of data storage
Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations.
d. Disclosure to third parties
To facilitate the purposes described we may exchange your data with third parties. Examples are third parties used to manage our web servers and to analyse data who may be able to access your data in this context. A data processing agreement is concluded in this case.
If you make your personal data available to us for the purpose of potential future cooperation, potential investments and/or to enable us to contact you, we may disclose this data to affiliated companies (as defined in Sections 15 et seqq. of the German Stock Corporation Act), if there is a legitimate interest on our part and your interests, fundamental rights and freedoms do not outweigh.
Otherwise we only provide your personal data to third parties if we are obligated to do so by compulsory legal regulations, if you ask us to do so or have consented to the disclosure, or after the data has been anonymised or pseudonymised.
e. Data Transfer to third countries
Our data processing operations may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection is required in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country will only take place if appropriate safeguards pursuant to Art. 46 GDPR are in place or if one of the conditions of Art. 49 GDPR is met.
Unless otherwise stated below, we use the EU standard contractual clauses as appropriate safeguards for the transfer of personal data to third countries. You have the possibility to obtain a copy of these EU standard contractual clauses or to inspect them. To do so, please contact our data protection officer (contact information under II. clause 2.)
If you consent to the transfer of personal data to third countries, the transfer is made on the legal basis of Art. 49 (1) lit. a GDPR.
Insofar as the FADP is applicable, in the event of data transfer to countries whose legislation does not provide an adequate level of data protection, the protection of your data is ensured with the legally prescribed precautions, such as in particular the conclusion of contractual agreements (standard contractual clauses of the European Commission, as well as appropriate technical and organisational measures.
4. Processing of personal data during the use of our website features
Google Tag Manager
We use the Google Tag Manager of the provider Google Ireland Limited (Ireland, EU) on our website. The Google Tag Manager is used to manage our website tags via an interface. The Google Tag Manager is a cookie-free domain to which the IP address is transmitted for technical reasons. The Google Tag Manager merely ensures that other tags are triggered, which in turn may collect data without accessing this data themselves. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.
Where the GDPR is applicable, the legal basis for the transmission of the IP address is Art.6 (1) lit. f GDPR. Our legitimate interest serves as the administration of our website services and the triggering of other tags.
- For more information on data processing, please visit: https://support.google.com/tagmanager/answer/7157428.
5. Data processing on our social media page
We operate a company page on LinkedIn. Here we offer the possibility of information about our company and exchange.
LinkedIn Company Page
Generally, the LinkedIn Ireland Unlimited Company (Ireland/EU) is the sole controller of the processing of your personal data relating to a visit to our LinkedIn page. Further information on the processing of personal data by LinkedIn are available via https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
If you visit or follow our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights which enable us to gain knowledge about the ways in which interact with our page (so called ‘insights’). For this purpose, LinkedIn processes, in particular, such data that you already shared with LinkedIn by adding it to your profile like, for example, position, country, field of work, seniority, company size and employment status. Further, LinkedIn collects information on how you interact with our LinkedIn company page, for example whether you follow our LinkedIn company page. LinkedIn does not share personal data with us by providing us with the insights. We only have access to a summarized version of the insights. Also, we are unable to make conclusions about individual members from the information in the insights. LinkedIn and we are joint controllers of the processing regard the page insights. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. As far as the GDPR is applicable, this finds its legal basis in Art. 6 (1) lit. f GDPR. We have concluded an agreement with LinkedIn on joint controllership in which the data protection duties are allocated between LinkedIn and us. The agreement is available via https://legal.linkedin.com/pages-joint-controller-addendum. The agreement stipulates the following:
- LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. In order to do so, you can contact LinkedIn online via https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de or via the contact details in the data protection guidelines. You can contact the Data Protection Officer of LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also reach out to us via the contact details mentioned above for the exercise of your rights relating to the processing of your personal data for insights. In such a case, we will forward your request to LinkedIn.
- LinkedIn and we have agreed that the Irish data protection commission shall be the responsible supervisory authority monitoring the processing for insights. You always have the right to lodge a complaint with the Irish data protection commission (see www.dataprotection.ie) or any other supervisory authority.
Please note that user data is also processed in the USA and other third countries according to LinkedIn’s data protection guidelines. LinkedIn only transfers user data to countries for which the European Commission has adopted an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR.
6. Cookies
a. Description and scope of data processing
We need certain information to enable us to design our websites based on user needs. For the collection of this information, we also use cookies. Cookies are meant to facilitate the use of the internet and communication. Cookies are stored on your PC or another end device to identify the device and to support the application when you return to our websites.
If you want to, you can suppress the storage of cookies in general through your web browser or you can decide if you want to be asked if a cookie should be stored or not. However, if you do not accept cookies some pages may not be displayed correctly anymore.
We use cookies on our website to store the following parameters, for example:
- Language and country
- Browser settings and installed plug-ins
- Data on the use of our website.
This website uses the following cookies:
- Transient cookies (temporary use)
- Persistent cookies (use for a limited time)
Transient cookies are deleted automatically when you close your browser. They specifically include session cookies. Session cookies store a “session ID” which allows to allocate various requests from your browser to a joint session. This allows the website to recognize your computer when you return to the website. Session cookies are deleted when you log out or close your browser.
Persistent cookies are deleted automatically after a specified period which may vary depending on the type of the cookie. You can delete the cookies at any time in the security settings of your browser.
More information on how cookies work can be found on the following website: http://www.allaboutcookies.org.
b. Purpose and legal basis of data processing
The use of cookies is partly technically necessary for the operation of our website and thus permissible without the consent of the user. In addition, we may use cookies to offer special functions and content as well as for analysis and marketing purposes. These may also include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent in accordance with § 25 (1) Telecommunication-Telemedia-Data-Protection-Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG) and, where applicable, Art. 6 (1) lit. a GDPR. Information on the purposes, providers, technologies used, data stored and the storage period of individual cookies can be found in the Cookie Settings of our Consent Management Tool.
c. Duration of storage -objection and elimination options
Cookies are stored on the user’s end device and via them, data is transmitted to our site. For every Cookie we have set a specific storage limitation, depending on the purpose, which you can view under Cookie Settings – “Cookie Details”. In addition, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our websites, it may no longer be possible to use all functions of the website to their full extent.
d. Customise cookie settings
When calling up our website, we offer you the possibility to individually adjust the optional cookies via the “Settings” item in the cookie banner. Your consent to optional cookies is voluntary, not necessary for the use of this website and can be revoked at any time. You can adjust the cookie settings here at any time: Cookie Settings
In addition, the banner helps us to provide evidence of the declaration of consent. For this purpose, we process information about the declaration of consent and further log data about this declaration. Cookies are also used to collect this data. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (if the GDPR applies: Art. 6 (1) lit. c in conjunction with Art. 7 (1) GDPR).
7. Google Analytics
We use the Google Analytics service (Google Analytics 4) of the provider Google Ireland Limited (Google Ireland/EU) on our website.
Google Analytics is a web analytics service that allows us to collect and analyse data about the behaviour of visitors to our website. Google Analytics sets and uses cookies for this purpose, which enable an analysis of the use of our website. This involves processing personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website.
Some of this data is information stored in the end device you are using. In addition, further information is also stored on your end device via the cookies used. Such setting of cookies, storage of information by Google Analytics or access to information already stored in your end device as well as the processing of data by us will only take place with your consent.
Google Ireland will process the data thus collected on our behalf in order to evaluate the use of our website by users, to compile reports on the activities within our website and to provide us with further services related to the use of our website and the use of the Internet. In doing so, pseudonymous user profiles can be created from the processed data.
The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the setting of the cookies and data processing in connection with the Google Analytics service is therefore § 25 (1) TTDSG and Art. 6 (1) a GDPR (If the GDPR is applicable). You can revoke this consent via the Cookie Settings at any time with effect for the future.
The personal data processed on our behalf to provide Google Analytics may be transferred to any country in which Google Ireland or Google Ireland’s sub-processors maintain facilities. Google Ireland transmits data to Google LLC and its servers located in the United States. For the United States, an adequacy decision has been adopted by the EU Commission. Google Ireland currently continues to use the EU standard data protection clauses as appropriate safeguards for these transfers of personal data to the United States , which can be found at the following link: https://business.safety.google/adsprocessorterms/sccs/eu-p2p-intra-group/ and has performed a Transfer Impact Assessment for the transfer.
We only use Google Analytics with IP anonymisation activated. This means that the IP address of users is shortened by Google Ireland within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. The IP address transmitted by the user’s browser is not merged with other data. Further information on the use of data for advertising purposes can be found in Google’s privacy policy at: www.google.com/policies/technologies/ads/.
The data on user actions is stored for a period of 2 months to enable us to reach the purposes for which we collected the data and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.
8. Your rights
Your rights with regard to data processing are outlined in section VI of this Privacy Policy.
III. General data protection information for the Aquila Group
The privacy, protection and processing of your personal data is very important to Aquila Group. In the following we would like to inform you about the processing of your personal data at Aquila Group and your rights regarding personal data protection. Which specific personal data will be processed and/or used depends on the specific business relationship with you and/or the processing occasion and purpose or other factors. In this respect, you will find in section IV and following sections specific data protection information relating to specific processing activities. Information regarding your rights are detailed in section IX. The GDPR applies to the majority of the Aquila Group companies. If other data protection laws or regulations are applicable, the Aquila Group will observe them and, if necessary, provide separate information if this should be required. In particular, where matters affect Switzerland, the Aquila Group will comply with the requirements of the Federal Data Protection Act (“FDPA”).
9. Name and contact data of the controller
Controller within the meaning of GDPR and/or other data protection laws or regulations, is the legal entity within Aquila Group, with which you maintain a business relationship, that collects personal data from you or to which you provide personal data.
The responsible companies of Aquila Group with legal seat in Hamburg, Germany, can be reached as follows:
Valentinskamp 70, 20355 Hamburg, Germany
Tel.: +49 40 875050-100
The responsible companies of Aquila Group with legal seat in the UK can be reached as follows:
20th Floor, Leaf B, Tower 42, 25 Old Broad Street, London EC2N 1HQ
Tel. +44 2082085400
The responsible companies of Aquila Group with legal seat in Luxembourg, can be reached as follows:
Airport Center Luxembourg, 5, Heienhaff, 1736 Senningerberg, Luxembourg
Tel.: +352 24 83 29 1
The responsible companies of Aquila Group with legal seat in Spain can be reached as follows:
Paseo de la Castellana, 259D, Torre Espacio , 28046 Madrid, Spain
Tel.: +34 91 511 90-50
The responsible companies of Aquila Group with legal seat in Switzerland can be reached as follows:
Poststraße 3
8001 Zurich, Switzerland
phone: +49 40 87 5050-100
The responsible companies of Aquila Group with legal seat in Norway can be reached as follows:
Haakon VIIs Gate 2
0161 Olso, Norway
phone: +47 90 14 36 67
info@aquila-capital.com
The responsible companies of Aquila Group with legal seat in the Netherlands can be reached as follows:
Schiphol Boulevard 215, WTC Schiphol
1118BH Schiphol, Netherlands
phone: +49 40 87 5050-100
info@aquila-capital.com
The responsible companies of Aquila Group with legal seat in Japan can be reached as follows:
12FYurakucho Itocia, 2-7-1 Yurakucho, Chiyoda-ku
100-0006 Tokio, Japan
phone: +49 40 87 5050-100
The responsible companies of Aquila Group with legal seat in Singapore can be reached as follows:
138 Market Street #15-03 Capitagreen
048946 Singapore
phone: +49 40 87 5050-100
The responsible companies of Aquila Group with legal seat in Portugal can be reached as follows:
Avenida Fontes Pereira de Melo, N14, 11
1050-121 Lisbon
phone: +351 211 328 420
The responsible companies of Aquila Group with legal seat in Greek can be reached as follows:
Artemidos 1
151 25 Maroussi, Athen
Greek
The responsible companies of Aquila Group with legal seat in Italy can be reached as follows:
Via Mike Bongiorno 13
20124 Milan
Italy
10. Contact data of the data protection officer
The data protection officer of Aquila Group can be reached as follows:
Aquila Capital Holding GmbH
c/o data protection officer
Valentinskamp 70, 20355 Hamburg
privacy@aquila-capital.com
11. Purpose of personal data processing and legal basis
We process personal data in accordance with the relevant data protection rules and regulations, in particular with GDPR.
The processing of personal data is necessary for the performance of a contract with you (Art. 6 (1) lit b GDPR).
The processing of personal data is necessary for the purposes of the legitimate interests pursued by you or by a third party (Art. 6 (1) lit. f GDPR).
If you have declared your consent in the processing of personal data for certain purposes, we process such data on the basis of your consent (Art. 6 (1) lit. a GDPR.
In addition, we are subject to a large number of legal obligations (money- laundering act, tax law etc.) as well as regulatory regulations. For this purpose we can use and process your personal data (Art. 6 (1) lit. c GDPR).
Depending on the specific business relationship we have with you, we may collect and use personal data from our customers to send important information or updates on Aquila Group’s products and services. This includes, in particular, important security information or significant changes to products, services or this Privacy Policy. The legal basis for processing data for these purposes is the legitimate interest of Aquila Group to adapt and correct legal innovations or product errors, to comply with legal obligations and to offer high-quality product support. The collection and use of this data may be mandatory for compliance with existing legal regulations. Insofar as we collect or use data for purposes of advertising and customer retention, for example for performance reports, analyses and market-relevant assessments as well as invitations to specific events, following prior consent, there is a right of revocation for this consent at any time with effect for the future. The revocation can – just like the consent – be made orally, in writing or in text form.
12. Recipients or categories of recipients of the personal data
Your personal data will be transmitted within Aquila Group to all entities, which need these data for contractual and/or regulatory purposes, insofar as we are entitled to do so on the basis of the applicable data protection provisions.
We also may transmit your personal data to data processors. These recipients are contractually obliged to comply with the currently applicable data protection legislation and to maintain confidentiality. To comply with certain contractual obligations we may transmit personal data to other recipients, e.g. public authorities or organisations in case of legal obligations. When we are transferring personal data outside EU or Switzerland, we ensure that the country has an adequate level of data protection. If the country does not have an adequate level of data protection, we will ensure an adequate level of protection by means of appropriate contractual arrangements (e.g. based on standard contractual clauses of the European Commission or ours and effective technical security measures). Contact us if you would like a copy of the standard contractual clauses.
13. Duration of storage
After collection, your data will be stored for as long as necessary to fulfil the purpose for which it was collected, taking into account the statutory retention periods.
We are subject to miscellaneous safekeeping and documentation obligations that may arise from e.g. German Commercial Code or General Fiscal Code. Pursuant to the provisions of these laws, personal data must generally be retained for a period of ten years. In addition, the statutory period of limitations within the meaning of §§ 195 et seq. German Civil Code (BGB) shall apply in relation to the duration of storage period. Thus, the maximum period of limitation term is up to 30 years. However, retention periods according to legal regulations of other countries may also apply.
14. Automated decision-making including profiling
Your personal data will be partially processed automatically, to analyse certain personal aspects (profiling). Profiling is used in the following areas: We are subject to certain legal and regulatory requirements, e.g. anti-money laundering, terrorist financing and asset risk offenses. Concurrently, these measures are for your protection.
15. Your rights
Your rights with regard to data processing are outlined in section VI of this Privacy Policy.
IV. Data protection information for video and telephone conferences via “Microsoft Teams”
16. Controller
The controller for data processing in direct connection with the holding of video and telephone conferences (hereinafter “Online Meetings”) is Aquila Capital Holding GmbH.
17. Purpose of the data processing
We use the tool “Microsoft Teams” to conduct telephone and video conferences within the business purposes of Aquila Group. Different types of data are processed. The extent of the data also depends on the information provided before or during participation in an online meeting.
18. Which data is processed?
- User details: e.g. display name, e-mail address (if applicable), profile picture (optional), preferred language
- Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
- Text, audio and video data: It is possible to use the chat function in an online meeting. In this respect, the text entries made by the respective user are processed in order to display them in the online meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera on the terminal device are processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the “Microsoft Teams” applications.
- Log files, protocol data
19. Legal basis for data processing
The legal basis for data processing of “online meetings” is Art. 6 (1) lit. b GDPR, if the GDPR applies, insofar as the meetings are conducted within the framework of contractual relationships. If no contractual relationship exists, the legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest is to ensure effective communication between employees of Aquila Group and external persons/companies or business partners. Particularly against the background of the Corona Pandemic, the use of long-distance means of communication had to be increased in order to avoid, for example, personal meetings. You have the right to object to the processing of your personal data which is carried out (i.a.) on the basis of Art. 6 (1) lit. f GDPR at any time on grounds relating to your particular situation in accordance with Art. 21 GDPR.
20. Data protection officer
You may contact the Aquila Group’s data protection officer at any time regarding your rights and obligations and any other information exchange. The contact details of the data protection officer can be found in section II. clause 2 of this Privacy Policy.
21. Recipient of the data
Personal data processed in connection with participation in online meetings is generally not passed on to third parties, unless it is specifically intended to be passed on. Please note that content from online meetings, as well as personal meetings, is used to communicate information to third parties and is therefore intended for disclosure.
Furthermore, we would like to inform you that the employees of Aquila Group are employed in various group companies. It is therefore possible that the meeting data may be passed on within the group. Our legitimate interest according to Art. 6 . (1) lit. f GDPR is to make online meetings effectively available to every employee in the company. You have the right to object to the processing of your personal data which is carried out (i.a.) on the basis of Art. 6 (1) lit. f GDPR at any time on grounds relating to your particular situation in accordance with Art. 21 GDPR. Further recipient: Microsoft necessarily receive knowledge of the above-mentioned data, as far as this is provided for in the framework of the contract processing agreements.
Microsoft Teams is part of the Office 365 cloud application, for which a user account must be created. Microsoft also reserves the right to process customer data for its own business purposes. According to Microsoft, these are activities related to the provision of the services, such as usage-based billing, capacity planning and combating cybercrime. Use for user profiling, advertising or similar commercial purposes is expressly excluded by contract. Please note that we have no control over Microsoft’s data processing. To the extent that Microsoft teams process personal information in connection with Microsoft’s legitimate business operations, Microsoft is an independent data controller for that use and as such is responsible for compliance with all applicable laws and a data controller’s obligations. For more information about the purposes and extent of data collection and processing by Microsoft Teams, please see the Microsoft Privacy Statement at https://privacy.microsoft.com/de-de/privacystatement and Microsoft Teams at https://docs.microsoft.com/de-de/microsoftteams/teams-privacy. You can also obtain further information about your rights in this regard.
Since Microsoft is based in the USA, data processing outside the European Union (EU) is also possible. An adequacy decision exists for the USA. Despite this measures have been taken to protect data processing by a third country (e.g. standard contract clauses).You can request to view the relevant documents and guarantees at privacy@aquila-capital.com.
Furthermore, we cannot exclude the possibility that the routing of data is carried out via Internet servers located outside the EU. This may be the case in particular if participants in online meetings are located in a third country. However, the data is encrypted during transport over the Internet and thus protected against unauthorized access by third parties.
22. Deletion of data
The online meetings are generally not recorded. We point out that the (secret) recording of video and/or audio data as well as the storage and distribution of the recordings is punishable by law.
A requirement for the recording and storage of data can exist in particular if the data is still needed to fulfill contractual services, to check and grant or ward off warranty and guarantee claims. In the case of legal storage obligations, deletion only comes into consideration after expiry of the respective storage obligation.
23. Rights of the data subject
Your rights with regard to data processing are described in section IX of this Privacy Policy.
V. Data Protection Information for the Whistleblowing Portal
24. Controller
The controller for data processing in connection with the Whistleblowing Portal is each employer company of Aquila Group that is required by national law to establish an internal reporting channel. The contact information of the controller can be viewed by the employees in their employment contract.
To the extent that the Whistleblowing Portal is also made available to third parties on websites of the Aquila Group, the controller for data processing is Aquila Capital Holding GmbH Valentinskamp 70, 20355 Hamburg, info@aquila-capital.com.
25. Processing purpose
The Whistleblowing Portal is provided to Aquila Group’s employees and third parties to report illicit or irregular activities within Aquila Group, such as criminal activities and behavior that violates human rights. The goal is to protect the Aquila Group’s business, assets, employees and its reputation. The Whistleblower Portal can be accessed here: https://portal.bdolegal-whistleblower.de/.
26. What kind of personal data are processed
The reporting channel is managed by BDO Legal Rechtsanwaltsgesellschaft mbH (“BDO”), an external law firm. BDO is the primary addressee of a report. The submitted complaints/reports will be processed by lawyers (ombudspersons).
As a user of the whistleblowing portal, you can choose:
- to make a completely anonymous report;
- to supplement the report with personal information;
- whether you wish your personal data to be disclosed to the relevant company;
- whether you wish to provide personal data of parties involved and/or witnesses;
- whether you want to upload documents to your report.
The ombudsperson will inform the assigned contact person of the Compliance Department about the content of the reports, insofar as they are relevant under law and/or require further investigation. The conditions, format and method of informing Compliance will be determined by the Ombudspersons on a case-to-case basis.
Depending on the information you provide and whether you consent to the disclosure, the Compliance Department of Aquila Group consequently may also receive the disclosed personal data. Consequently, personal data is not obtained directly from the data subject, but from a third party in accordance with Art. 14 GDPR. The identity of the whistleblower will not be revealed without his/her explicit consent.
27. Legal basis of processing according to GDPR
As far as the GDPR is applicable, the following legal bases for data processing apply:
Reporting person (whistleblower):
Own personal data voluntarily disclosed by the whistleblower is processed on the basis of Art.6 para 1 sentence 1 lit. f GDPR. The processing of personal data is based on the legitimate interest of the detection and prevention of wrongdoing and the related prevention of damage and liability risks as described under clause 1.
Other (employee) personal data
Other employee’s data, in particular that of the accused person or other involved employees is also processed on the basis of Art. 6 para 1 sentence 1 lit. f) GDPR for the group’s legitimate interests to help prevent, investigate and solve illicit activities and to prevent legal consequences and/or a negative image for the Aquila Group. These interests have been determined to generally range above the interest of employees, such as potential victimization and stigmatization of accused persons which is avoided by a general limitation of access to the submitted information to, and the confidentiality commitment of, the responsible Compliance Department.
Same applies to personal data of third parties which are not employees of Aquila Group.
28. Transmission of data
We treat all submitted personal information confidential and knowledge will generally be restricted to the Aquila Compliance Department. which is located in the Aquila Capital Holding GmbH.
Should the involvement of the Compliance department result in a transfer of data in the Group this is justified by legitimate interests, pursuant to Art. 6 para 1 sentence 1 lit. f GDPR. It is essential that a qualified and separate department receives the reports and, if necessary, initiates further steps. The employee is informed that a centralized Compliance Department exists which is not assigned to the employer company.
Depending on the individual case, an involvement of the group’s internal Legal Department or managing directors of the affected entity may be necessary. Before a transfer takes place, however, we examine in each individual case whether there is a legal basis for the transfer.
By submitting a report that voluntarily includes the disclosure of your identity, please be aware that we may be obliged to inform the accused person of your identity within one month of the submission in accordance with Art. 14 GDPR.
Data transfer to external parties or third countries does not take place, unless where we are legally required or it is necessary in connection with legal proceedings or on request of competent authorities, such as financial supervisory authorities.
29. Deletion of data
Any personal data is processed for as long as this is necessary to process the submission and follow-up investigations and will generally be deleted two months after the investigation has been completed. Storage beyond may be necessary and permissible for the duration of any further legal steps required, such as disciplinary proceedings or the initiation of criminal proceedings. Personal data deemed unnecessary for any of these purposes will be deleted immediately by Compliance.
VI. DATA SUBJECT RIGHTS
As a data subject, you have various rights vis-à-vis the responsible entity of Aquila Group with regard to your personal data, which we inform you about below. You can also find details about your rights in Art.15-21 of the GDPR:
- Right to information according to Art. 15 GDPR:
You have the right to request information about your personal data processed by the controller. In particular, about the processing purposes, the categories of personal data and about recipients or categories of recipients to whom the personal data have been disclosed. Furthermore, you have the right to obtain information about the planned duration of storage.
- Right to rectification pursuant to Art. 16 GDPR:
You have the right to request without delay the correction of inaccurate or the completion of your personal data stored by the controller.
- Right to deletion according to Art. 17 GDPR
You have the right to request the deletion of your data under the conditions specified in Art. 17 GDPR.
- Right to restriction according to Art. 18 GDPR
In specific cases specified in the GDPR, you have the right to request the restriction of the processing of your personal data.
- Right to data portability according to Art. 20 GDPR
In specific cases set out in the GDPR, you have the right to receive and transfer all personal data concerning you to another controller (right to data portability).
In particular, you have a
- Right of objection according to Art. 21 GDPR
In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Article 6 (1) lit. e or f GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing of direct marketing, you may object to this processing pursuant to Art. 21 (2) and (3) GDPR.
as well as a
- Right of revocation according to Art. 7 para. 3 GDPR
Insofar as we process your data on the basis of your consent (Art. 6 (1) lit. a or Art. 9 (2) GDPR), you have the right to revoke this consent at any time with effect for the future, without this affecting the lawfulness of the consent valid until then. The revocation is – like the granting of consent itself – possible orally or in text form.
To assert your rights, you can contact the responsible entity of Aquila Group or Aquila Group’s data protection officer (for contact details, see section II.2 of this Privacy Policy).
You also have a
- Right of appeal pursuant to Art. 77 GDPR
You have the right to complain to a data protection supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or the registered office of the responsible controller.
Your rights under the FADP follow from Art. 25, 32, 38 FADP.
The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).