Privacy Notice - Tuma Mi Man

1. Introduction

This Privacy Notice (“Notice”) is addressed to individuals outside Amicorp Group (“Amicorp”, “we”, “us” or “our”) with whom we interact, including individual clients, personnel or representative of corporate clients, vendors and other recipients of our services (together, “you”) and explains how we collect, hold, use, disclose and transfer your Personal Data in every contractual relationship we may have with you.

This Notice also applies to the processing of all your Personal Data when you use the Website, including when you, as a natural person, user or entrepreneur, or as a representative of a business entity, provide Personal Data on the Website.

Definitions

In this Notice we may use the following words and, any time we use them, they will have the meaning provided below.

Data Protection Legislation: means the personal data protection law of the country where the Controller is established. For Controller established in a member state of the European Union (hereafter the “EU Controller”), the applicable data protection law shall mean the GDPR, and all additional regulations and rules in force in the relevant Member State(s) of the European Union applicable to the Processing.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016 on the protection of natural persons with regard to the Processing of Personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Controller/Joint Controller: means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data that may be performed as part of this Notice;

Data Subject: means any identified or identifiable natural person from whom Personal Data is collected; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data: means any information relating to an identified or identifiable natural person.
Personal Data Breach or Breach: means any suspected or actual security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Data Subject Personal Data transmitted, stored, or otherwise Processed.
Processing or Processed: means every operation or set of operations which is performed with regard to Personal Data, including without limitation the collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combining, linking to other data, blocking, erasure or destruction of Personal Data.
Website means the Amicorp’s website at https://www.amicorp.com/ or such other website as the Amicorp may maintain from time to time.

2. Protection of Personal Data

This Privacy Notice describes how we, as Controller of your Personal Data, collect, hold, use and disclose personal information that you provide, is provided on your behalf or is collected by us.

The Controller of your Personal Data is the Amicorp entity with which you have the contractual relationship. For Amicorp Group companies and their details, please visit: https://www.amicorp.com/offices/

Each Amicorp Group company (“Amicorp”) is subject to any Data Protection Legislation that may be applicable in the country in which it is located. This Privacy Notice should not be viewed as a supplement to such local privacy laws and shall not vary or diminish each Amicorp Group company’s obligations under the applicable local Privacy laws. To the extent this Privacy Notice conflicts with any provisions of local Privacy laws, such Data Protection Legislation shall take precedence over this Privacy Notice.

This Notice may be amended or updated at our discretion from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or any changes in applicable law.

3. Personal Data

In order to facilitate, enable and/or maintain our business relationship, we collect and otherwise Process Personal Data relating to the client and any other person(s) involved in the business relationship, as the case may be, such as authorized representative(s), person(s) holding a power of attorney, beneficial owners, if different from the client, any natural person who exercises control over an entity (control is generally exercised by any natural person who ultimately has a controlling ownership interest in an entity, “Controlling Person”) and any person for the benefit of which the client is holding a company as agent, nominee or similar (account holder for automatic exchange of information purposes, “AEI Account Holder”), each an “Affected Person”.

Relevant Data Processed by Amicorp includes, but is not limited to, Affected Person’s personal information, subject to applicable law, are as follows:

Personal details: given name(s); preferred name(s); nickname(s), gender; date of birth; age; marital status; Social Security number; passport number(s); other government issued number(s) (tax identification number(s), Green Card number(s); driving license number(s); social security number); nationality; lifestyle and social circumstances; images of passports, driving licenses, and signatures; authentication data (passwords, mother’s maiden name, challenge/response questions and answers, PINs, facial and voice recognition data); photographs; visual images; and personal appearance and behavior.
Contact details: address; telephone number; email address; and social media profile details.
Employment details: industry; role; business activities; names of current and former employers; work address; work telephone number; work email address; and work-related social media profile details.
Education history: details of your education and qualifications.
Financial details: billing address; bank account numbers; credit card numbers; cardholder or accountholder name and details; instruction records; transaction details; and counterparty details.
Electronic Identifying Data: IP addresses; cookies; activity logs; online identifiers; unique device identifiers; and geolocation data.
Images: videos, pictures, CCTV footages;

Data without personal information, which could be attributed to a natural person by the use of additional information, can also be considered Personal Data.

4. Collection of Personal Data

We collect Personal Data about you from a variety of sources as follows:

Directly from you in the ordinary course of our relationship with you;
You manifestly choose to make public, including via social media, from third parties who provide it to us (e.g., Your intermediaries; and law enforcement authorities);
insofar as necessary to provide our service – from publicly accessible sources (e.g. debt registers, commercial and association registers, press, internet);
from other Amicorp Group of companies or other third parties (e.g. a bank) following a legitimate transfer.
We collect or obtain Personal Data when you visit any of our websites or use any features or resources available on or through our website. When you visit our website, your device and browser may automatically disclose certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connecting to a Site and other technical communications information), some of which may constitute Personal Data;

5. The legal basis for Processing your Personal Data

In accordance with the current Data Protection Legislation, we Process your Personal Data on the following legal grounds:

Processing is necessary for the performance of the contract(s) entered into with you or in order to take steps at your request prior to entering therein: Personal Data is Processed in order to provide services in accordance with the contract(s) with our clients or to take pre-contractual measures in preparation thereof. The purposes of Data Processing depend primarily on the concrete product (corporate services, fund services, bank account, client referral) and can include needs assessments, advice and support. You may find other details about the purposes of Data Processing in the relevant contract documents.
Processing is necessary to comply with a legal obligation to which Amicorp is subject: We are subject to various legal duties: such duties may include identification checks (know-your-customer), fraud and money laundering prevention and detection, fulfilling control and reporting obligations under fiscal laws, regulatory reporting. For these purposes, we may Process Personal Data in relation to both the Client and any Affected Person, as the case may be.
Processing is necessary to pursue out legitimate business interests: We Process your Personal Data, beyond the actual performance of the contract or legal obligations, to fulfil out legitimate interests, such as: improving products and services, asserting legal claims and defense in legal disputes, guarantee of the our IT security and IT operation, prevention and detection of frauds, video surveillance to protect the right of owner of premises to keep out trespassers, for collecting evidence in hold-ups or fraud, measures for building and site security (e.g. access controls), measures for business management and further development of services and products, risk management and reporting, compliance, internal supervision and internal audit, creating statistics, marketing of our products and services (to the extent it does not involve profiling).
Whenever we intend to rely on legitimate interest as the legal basis for the Processing of Personal Data, we will give due consideration to your and any Affected Person’s rights and freedoms.
Processing is based on your consent: If we have been granted consent to Process your Personal Data relating or any Affected Person for certain purposes (e.g. for marketing of our products and/or services), the related Processing of Data is based on the data subject’s consent. Consent given can be withdrawn at any time. However, withdrawing your consent will not affect the Data Processing carried out before the withdrawal, nor will prevent Amicorp from Processing your Personal Data based upon other legal grounds (listed under a) to c)).

6. Purposes for which we may Process your Personal Data

The purposes for which we may Process your Personal Data are:

on-boarding new clients; and compliance with our internal compliance requirements, policies and procedures;
maintaining and updating your contact information where appropriate;
Marketing and promotional activities;
providing you with information or assistance that you request from us;

conducting verifications, monitoring and reporting in accordance with anti-money laundering and counter terrorist financing laws;
providing our clients with the services requested, including administration, corporate and trust, banking, custody, middle office services, financial products, reporting and tax services amongst others;
notifying you or our clients about changes to our services;
monitoring and improving the quality of our services;
quality assurance and training purposes.

7. Disclosure of Personal Data to third parties

We may disclose your Personal Data to other entities within Amicorp, for legitimate business purposes (including providing services to you), in accordance with applicable law.

It is to be noted that we are bound by confidentiality obligations regarding all client-related matters of which we acquire knowledge. We may pass Personal Data only if required by a legal provision or in case of client consent. Bearing in mind these requirements, please be informed that we may disclose your Personal Data to:

public bodies, such as Governmental, legal, regulatory, or similar authorities, accreditation bodies, central and/or local government agencies, upon request or where required, including for the purposes of reporting any actual or suspected breach of applicable law or regulation;
other entities within Amicorp Group, for the provision of the services under an intercompany service agreement;
business partners, such as accountants, auditors, financial advisors, lawyers and other outside professional advisors to Amicorp, and other service providers, subject to binding contractual obligations of confidentiality;
debt collector, such as debt-collection agencies and tracing agencies;
third-party service providers (such as payment services providers; shipping companies, anti-fraud services etc.), located anywhere in the world;

parties to disputes, such as any relevant party, claimant, complainant, enquirer, law enforcement agency or court, to the extent necessary for the establishment, exercise or defense of legal rights in accordance with applicable law;
investigative bodies, such as any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security in accordance with applicable law;
potential purchasers, any relevant third-party acquirer(s), in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation);
voluntary and charitable organizations.
your family, your associates and your representatives;

If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements under applicable law.

8. International transfer of Personal Data

We may transfer Personal Data to Data Recipients located countries outside the European Economic Area1. Such transfer takes place so long as:

A country has been recognized by the EU Commission as guaranteeing adequate level of data protection (in particular, Switzerland), or
We have executed the Standard Contractual Clauses as adopted by the European Commission (the “SCCs”) with the Data Recipient, or
It is necessary for the performance of a contract between the Client and the Bank or implementation of the pre-contractual measures taken at your request (e.g. for the purpose of carrying out your orders (e.g. payment and securities orders), even if the recipient country has not been recognized by the EU Commission as guaranteeing adequate level of data protection, or
the Client has granted us an explicit consent, even if the recipient country has not been recognized by the EU Commission as guaranteeing adequate level of data protection.

These transfers will always be carried out in compliance with confidentiality obligations regarding all client-related matters of which we acquire knowledge and only to fulfil the purpose for which data have been collected.

9. Data security

We have implemented appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful or unauthorized forms of Processing, in accordance with applicable law.

You are responsible for ensuring that any Personal Data that you send to us are sent securely.

10. Data accuracy and minimization

We take reasonable steps designed to ensure that:

your Personal Data are accurate and, where necessary, kept up to date; and
if any of your Personal Data is inaccurate (having regard to the purposes for which they are Processed), it is erased or rectified without delay.

From time to time, we may ask you to confirm the accuracy of your Personal Data.

At the same time, we take reasonable steps designed to ensure that your Personal Data are limited to that reasonably required in connection with the purposes set out in this Notice.

11. Retention of your Personal Data

We will retain your Personal Data in accordance with Amicorp’s Data Retention Policy.

If the Data is no longer required in order to fulfill contractual or statutory obligations, it is deleted, unless its further Processing is required – for a limited time – for the following purposes:

Fulfilling obligations to preserve records according to commercial and tax laws as well as financial sector laws and regulations.
for the establishment, exercise or defence of legal claims.

12. Your rights

Subject to applicable law, you may have a number of rights regarding the Processing of your Personal Data, including:

the right to request access to, or copies of, your Personal Data that we Process or control, together with information regarding the nature, Processing and disclosure of those Personal Data;
the right to request rectification of any inaccuracies in your Personal Data that we Process or control;

the right to request erasure or restriction of your Personal Data that we Process or control;
the right to have your Personal Data that we Process or control transferred to another Controller, to the extent applicable;
the right to withdraw your consent. Please note that processing that was carried out before the withdrawal is not affected by it;
the right to lodge complaints with a Data Protection Authority regarding the Processing of your Personal Data by us or on our behalf;
the right to object to the Processing of your Personal Data by us or on our behalf that is necessary for our purposes of the legitimate interests. Please note that in such cases we might not be able to provide services and/or maintain a business relationship with you anymore.

You can exercise these rights by contacting the Group Data Protection Officer at: privacy@amicorp.com.

13. Joint controllership of your Personal Data

From time to time, two or more entities within the Amicorp Group may together provide their services to the same client. In this case, these entities jointly determine the purposes and the means of Processing, thus qualifying as Joint Controllers.

In an internal policy on joint controllership, taking effect of the arrangement required by Article 26(1) GDPR, Amicorp has determined how the respective tasks and responsibilities in the Processing of Personal Data are structured among the Joint Controller and who fulfills which data protection obligations.

The following is the essence of the arrangement between Joint Controllers which must be made available to the Data Subjects under Article 26(2) of the GDPR:

Joint Controllers Obligations

(a) Duty of compliance with Data Protection Legislation and the service agreement in Processing Personal Data;

(b) duty to adopt Technical and Organizational Measures (TOMs) to protect Personal Data;

(d) duty to comply with the retention period;

(e) duty of assistance between Joint Controllers in managing DSARs and reporting data breaches;

(f) duty to inform other Joint Controllers on the Processing, DSARs and inquiries by public and supervisory authority;

Procedure in case of breach of personal data

(a) notification without undue delay the other Joint Controllers of any data breach;

(b) provision to the other Joint Controllers of all required and necessary information to notify the breach to supervisory authorities and communicate it to the Data Subjects concerned;

(c) notification to the breach to the competent supervisory authority by the Joint Controller responsible for the system or process underlying the breach;

Data subjects’ rights

(a) Rights to the information required by Articles 13 and 14 of the GDPR, such information being available at: www.amicorp.com/privacynotice;

(b) right to contact any of the joint controllers about the rights granted to them by Articles 15 through 22 of the GDPR;

14. Use of our Website

This Notice is legally binding on you from the moment you log in to the Website, regardless of which device (computer, tablet, TV, etc.) You use. By using the Website and providing Personal Data, you acknowledge that you have read and agree to abide by this Notice. If you do not agree to the terms of the Notice, please do not visit (log out of) the Website or use its content and / or services.

If you are under the age of 18, please ensure that you have the permission of a parent / legal representative before providing us with Personal Data. Upon Our request, you will need to prove that such consent has been given. It is forbidden for persons under 14 years of age to provide Personal Data on the Website.

Third party websites, services and products on the Website
The Website may contain third-party billboards, links to their sites and services over which we have no control of. We are not responsible for the security or privacy of information collected by third parties. In this case, if You are directed to a third-party website by clicking on a link or panel, we recommend that you read the rules and privacy notices applicable to such website before using it.

Social network accounts
The Website may contain links to our social networking accounts. We may offer you to publish graphic, visual and / or other information about you on Our social networking accounts. We process this information in accordance with our legitimate interest to raise awareness about our goods and services. This Notice does not apply to the particular processing of Personal Data in our social network accounts for which we have obtained your consent (consent terms govern for these situations).
The Personal Data You post on our social network account is public and accessible to anyone with an internet connection until we fulfil your request to remove your personal data from our social network account.
When you post your Personal Data on our social network account, the social network website manager (e.g., Twitter International Company, LinkedIn Ireland Unlimited Company, Meta Platforms Ireland Limited, Google Ireland Limited, etc.) and third parties which they have chosen may have access to your posts.
For more detailed information about the processing of your Personal Data published on a particular our social network account, please refer to the privacy policy of the relevant social network website.

15. Cookies

A cookie is a small file that is placed on your device when you visit a website (including our websites). It records information about your device, your browser and, in some cases, your preferences and browsing habits. We may Process your Personal Data through cookie technology, in accordance with Amicorp Group of companies’ Cookie Notice.

16. Contact details

If you have any comments, questions, complain or any other issues relating to the Processing of Personal Data by Amicorp, please contact the Group Data Protection Officer at:

e-mail: privacy@amicorp.com
address: C/ Pau Claris 165, 3rd Floor, Barcelona – 08037, Spain