(A) General data protection information for Aquila Capital

(B) Data Processing During Website Use, Use of Website Functions and Communication

(C) Data processing on our social media page at LinkedIN

(D) Specific Processing Situations 

I. Contacting us 

II. Data protection information according to Art. 13 GDPR for telephone recording pursuant to MiFID II / MiFIR (Taping)

III. Data protection information for video and telephone conferences via "Microsoft Teams", Recording of Online Meetings

IV. Data Protection Information for the Know Your Counterparty Check (KYC-Check)

V. Data Protection Information for Product-Related Disclosure Obligations pursuant Art. 10 SFDR

VI. Product and Service information, Marketing

VII. Data Protection Information for the Whistleblowing Portal 

VIII. Video monitoring of office entrances/exits 

(E) Data subjects rights

(F) Other applications, websites and services 

(G) Contact us 

(H) Changes to this privacy policy

Privacy Policy

This privacy policy (“Privacy Policy”) is dedicated to provide comprehensive information to you on how we handle your personal data at Aquila Capital (meaning Aquila Capital Investmentgesellschaft  mbH (including its branch offices) and subsidiaries within the meaning of §§ 15 et seq. of the German Stock Corporation Act (AktG)) as well as information on your rights under the General Data Protection Regulation (“GDPR”) and other applicable data protection laws, in particular the Federal Act on Data Protection of Switzerland ("FADP") or the UK- General Data Protection Regulation (“UK-GDPR”).

This Privacy Policy in particular specifies where and how we collect and handle your personal data in connection with the processing cases below and is structured as follows:

(A) General information about data protection at Aquila Capital, in particular: information about the data controller(s), the data protection officer(s) and how we generally handle personal data we have collected in adherence to data protection principles and our obligations under applicable data protection laws.

(B) Website use and communication: information about personal data processing when you visit and/or use our website, in particular via necessary and optional cookies and other tracking/analytics tools, when you use our website’s features, want to apply for a job at Aquila Capital or if we have received personal data from you through other communication channels (e.g. by e-mail).

(C) Social Media Pages: information about data processing in connection with our social media page(s).

(D) Specific processing situations: specific information about data processing relating to the particular business relationship(s) we may have with you.

(E) Your Rights: this Privacy Policy also informs you about your connected rights under applicable data protection laws.

Given that our website and the technologies on which it is based, as well as our business processes are subject to continuous development, we reserve the right to amend this Privacy Policy and updated from time to time to reflect the changes in the collection, processing or use of your data. The current version of the privacy Policy is always available on this website.

Status: 07.10.2025

(A) General data protection information for Aquila Capital

In this section we provide general information about data protection at Aquila Capital. Which specific personal data will be processed and how it is used depends on the specific business relationship we may have with you and/or the processing occasion and purpose or other factors. It is of great importance to us that all our processing operations are handled in adherence with applicable data protection laws and principles. The European general data protection regulation (“GDPR”) applies to the majority of Aquila Capital companies and their processing operations. If other data protection laws or regulations are applicable, Aquila Capital will observe them and provide separate information if this should be required. In particular, where matters affect Switzerland, Aquila Capital will comply with the requirements of the Federal Data Protection Act ("FDPA”).

I. Name and contact data of relevant Aquila Capital controllers

Controller within the meaning of GDPR and/or other data protection laws or regulations, is generally the legal entity of Aquila Capital, with which you maintain a business relationship, that collects personal data from you or to which you provide personal data.

• Aquila Capital Investmentgesellschaft mbH with legal seat in Hamburg, Germany, can be reached as follows:
  Valentinskamp 70, 20355 Hamburg, Germany
  Tel.: +49 40 875050-100
  info@aquila-capital.de
   
• Aquila Capitals Luxembourg branch office can be reached as follows:
  Airport Center Luxembourg, 5, Heienhaff, 1736 Senningerberg, Luxembourg
  Tel.: +352 24 83 29 1
  info@aquila-capital.de
   
• Aquila Capital’s Spanish branch office can be reached as follows:  
  Paseo de la Castellana, 259D, Torre Espacio , 28046 Madrid, Spain 
  Tel.: +34 91 511 90-50
  info@aquila-capital.com
   
• Aquila Capital’s Netherland branch office can be reached as follows:
  Schiphol Boulevard 215, WTC Schiphol, 1118BH Schiphol, Netherlands
  Tel.: +49 40 87 5050-100
  info@aquila-capital.com
   
• Aquila Capital Invest UK with legal seat in the UK can be reached as follows:
  20th Floor, Leaf B, Tower 42, 25 Old Broad Street, London EC2N 1HQ
  Tel. +44 2082085400
  info@aquila-capital.de
   
• AQ Investment AG with legal seat in Switzerland can be reached as follows:
  Poststraße 3, 8001 Zurich, Switzerland
  Tel.: +49 40 87 5050-100
  info@aquila-capital.com

II. Contact data of the data protection officer

The data protection officer of Aquila Capital, responsible for all above mentioned controllers, can be reached as follows:

Aquila Capital Investmentgesellschaft mbH
c/o data protection officer
Valentinskamp 70, 20355 Hamburg
privacy@aquila-capital.com

If you have any questions or comments about our handling of your personal data or if you would like to exercise the rights as a data subject mentioned in section (E), please contact the data protection officer.

III. Purposes of personal data processing and legal bases

We collect and process personal data in accordance with the relevant data protection regulations and principles, in particular only for specified legitimate purposes and only if and to the extent that a legal basis for the processing applies. The purposes and legal bases depend on the processing situation and are individually stated in the respective sections. The legal basis is generally one of the following:

• You have declared your consent to the processing of personal data for specific purposes (Art. 6 (1) lit. a GDPR).
• The processing of personal data is necessary for the performance of a contract with you or on your request in order to take steps prior to entering into a contract (Art. 6 (1) lit.  b GDPR).
• The processing of personal data is necessary for compliance with a legal obligation that we are subject to, for example the German money-laundering act (GwG), tax law, as well as regulatory regulations (Art. 6 (1) lit. c GDPR).
• The processing of personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interest are overridden by your interests or fundamental rights and freedoms (Art. 6 (1) lit. f GDPR).

Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information

IV. Transfer and disclosure of data

It may be or become necessary to transmit and disclose your personal data internally and/or externally. You will be informed if your data is transferred in the specific sections. The recipients, purposes and legal bases are usually the following:

1. within Aquila Capital, to entities within the Aquila Group

Due to the corporate structure of the Aquila Capital and Aquila Group, where some departments serve as central service departments for different entities or the respective services have been outsourced to another entity within the group and the processing activity therefore cannot be provided by the entity that originally collected your data. This is currently the case for example for the group’s IT department. In such cases, personal data is and will only be transferred if and insofar this is necessary for contractual (Art. 6 (1) lit. b GDPR) and/or regulatory purposes (Art. 6 (1) lit. c GDPR) or insofar as we are entitled to do so on another legal basis, such as on the basis of prevailing legitimate interests (Art. 6 (1) lit. f GDPR). Such prevailing legitimate interests have been determined for, inter alia, the abovementioned cross-group functional tasks, where the respective central service group-entity performs the tasks as controller itself. Such interests are, inter alia, the standardization and simplification of group-wide processes, optimisation of business processes, improvement of unit productivity, economic savings and profit optimisation, improving transparency and manageability of processes, comprehensive and realisable data protection and deletion concepts, manageable standardised network and information security. These legitimate interests outweigh the interests of the data subjects in having their data processed exclusively by the collecting entity, especially since, due to the size, structure and field of activity of Aquila Capital and Aquila Group, it can generally be expected or is known, that processes may be or are pooled and/or outsourced to a central service entity.  

2. Commerz Real Group

In addition, data may be transferred to the Commerz Real Group (meaning Commerz Real AG as the main shareholder of Aquila Capital Investmentgesellschaft mbH and affiliated companies). Commerz Real AG is the main shareholder of Aquila Capital Investmentgesellschaft mbH, and Aquila Capital is therefore integrated into and subject to certain regulatory requirements and processes of the Commerz Real Group, some of which may require the transmission and disclosure of personal data. Transfer may in particular be required in the context of (joint) internal investigations (e.g. regarding alleged criminal offences or other material allegations against you), compliance and audit processes or regulatory requirements, where such transfer is necessary and if the interests or fundamental rights and freedoms of the person concerned do not outweigh Aquila Capital’s interests. Also, if we intend to hire you for a position at Aquila Capital, Commerz Real AG may require us to disclose your name to them for the performance of a reliability check in accordance with the applicable requirements for the prevention of money laundering and financing of terrorism. Detailed information can be found in the Privacy Policy for Applicants. The legal basis for such transfer is the legitimate interest of Aquila Capital pursuant to Art. 6 (1) lit. f GDPR. This interest lies in maintaining effective concern-wide governance, ensuring compliance, and fulfilling legal obligations. In each case, your rights and freedoms will be carefully considered and protected, and data will only be transferred to the extent necessary and proportionate.

3. Third parties

We rely on external service providers to provide or facilitate certain services and may in this relation transmit your personal data to external data processors (e.g. IT provider, support and maintenance, web hosting provider, communication service provider, analytics provider, newsletter service provider). These recipients are contractually obliged to comply with the currently applicable data protection legislation and to maintain confidentiality. Service providers are prohibited from using your personal data for their own commercial, promotional or other purposes other than those expressly instructed and must follow our express instructions and comply with appropriate security measures to protect your personal data.

As part of the further development of our business, the structure of our company may change in that the legal form is changed, subsidiaries, parts of the company or components are founded, bought or sold. In such transactions, customer information is passed on together with the part of the company to be transferred. Whenever personal data is passed on to third parties to the extent described above, we ensure that this is done in accordance with this privacy policy and the relevant data protection laws.

4. Legal obligations, disclosure in the event of unlawful acts, enforcement or defense of legal claims and contract

We may transmit personal data to other recipients, e.g. public authorities or organisations in case of legal obligations.

If it is necessary to clarify illegal behavior on our website, for example criminal acts using the contact form, or for legal prosecution, personal data will be forwarded to law enforcement authorities or other authorities and, if necessary, to injured third parties or legal advisors. However, this only happens if there are specific indications of unlawful or abusive behavior. Data may also be passed on if this serves to enforce contractual provisions or to enforce or defend legal claims. We are also legally obliged to provide information to certain public authorities on request. These are law enforcement authorities, authorities that prosecute administrative offenses subject to fines and the tax authorities.

Any disclosure of personal data is justified by the fact that (1) the processing is necessary to fulfill a legal obligation to which we are subject pursuant to Art. 6 (1) c) GDPR in conjunction with. national legal requirements for the disclosure of data to law enforcement authorities, or (2) we have a legitimate interest in disclosing the data to the aforementioned (third) parties if there are indications of abusive behavior or to enforce our terms of use, other conditions or legal claims and your rights and interests in the protection of your personal data within the meaning of Art. 6 (1) f) GDPR do not prevail.

5. Data transfers to third countries

Your data will generally be processed in Germany or within the European Union (EU) or European Economic Area (EEA). When we or a service provider are transferring personal data outside the EU/EEA, we ensure that the country has an adequate level of data protection (Art. 45 GDPR) or we ensure an adequate level of protection by means of appropriate safeguards (Art. 46 ff. GDPR), in particular contractual arrangements (e.g. based on standard contractual clauses of the European Commission and if necessary effective additional security measures). Contact us if you would like a copy of the standard contractual clauses. If you consent to the transfer of personal data to third countries, the transfer is made on the legal basis of Art. 49 (1) lit. a GDPR.

V. Data Retention and deletion

We generally only store your data insofar as necessary to fulfil the purpose for which it was collected or as long as it is required for other legal reasons such as retention obligations.

There may be a requirement to store the data for other reasons if the data is still required to fulfill contractual services. In the case of statutory retention obligations, deletion only comes into consideration after the respective retention obligation has expired. Such retention and documentation obligations may arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The retention and documentation periods prescribed there are two to ten years from the end of the year in which the last action was taken on the tax-relevant documents (usually the fund's last annual financial statements/tax return). Finally, the storage period also depends on the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years. However, retention periods according to legal regulations of other countries may also apply.

In some cases a further storage of data may be necessary to safeguard legitimate interests of Aquila Capital (Art. 6 (1) lit. f GDPR), for example in ongoing legal proceedings, to enforce or to defend legal claims.

VI. Automated decision-making including profiling

In some cases, your personal data will be partially processed automatically, to analyse certain personal aspects (profiling). Profiling is used in the following areas: We are subject to certain legal and regulatory requirements, e.g. anti-money laundering, terrorist financing and asset risk offenses. Concurrently, these measures are for your protection.

VII. Data Security

We would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

However, we take all necessary technical and organizational measures to ensure an appropriate level of protection for your data and, in particular to protect it from the risks of unintentional or unlawful destruction, alteration, manipulation, loss or unauthorized access. Security measures are regularly reviewed and improved in line with technological developments.

Our website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

VIII. Your rights

Your rights with regard to data processing are outlined below in section (E) of this Privacy Policy.

(B) Data Processing During Website Use, Use of Website Functions and Communication

When you visit our website, personal data of you is processed. The scope of the processing of personal data depends largely on your use and choice of settings, in particular your consent or no consent to the setting and usage of different cookies (including other tracking/analytic tools and integrated external services) as well as what functions you choose to use within the website. Some basic data will always be processed in order to display the website to you.

I. Data controller

Responsible data controller for the processing of personal data in connection with the usage of the website and its functions is Aquila Capital Investmentgesellschaft mbH.

II. Cookies and similar Tracking Technologies

1. General Information

Our website uses cookies. Cookies are small text files that are stored on the user's computer or other end device and exchange certain settings and data with our systems via the user's browser. A cookie usually contains the name of the domain from which the cookie data was sent, as well as information about the duration of the cookie and an alphanumeric identifier. Cookies enable us to display the website to you, to make the website appealing to you and to make it easier for you to use, for example to identify your device and by saving certain entries so that you do not have to enter them again when you return to our website.

You can decide to generally suppress the storage of cookies through your web browser or you can decide if you want to be asked if a cookie should be stored or not. However, if you have deactivated certain cookies some pages may not be displayed correctly.

We use cookies on our website to store the following parameters, for example:

1. Language and country
2. Browser settings and installed plug-ins
3. Data on the use of our website.

More information on how cookies work can be found on the following website: http://www.allaboutcookies.org.

a) Purpose and legal basis of data processing

The use of cookies is partly technically necessary for the operation of our website and thus permissible without the consent of the user. In addition, we may use cookies to offer special functions and content as well as for analysis and marketing purposes. These may also include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent in accordance with § 25 (1) Telecommunication-Telemedia-Data-Protection-Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TDDDG) and, where applicable, Art. 6 (1) lit. a GDPR.

Information on the purposes, providers, technologies used, data stored and the storage period of individual cookies can be found in the cookie settings of our Consent Management Tool.

b) Duration of storage, objection and elimination options

Cookies are stored on the user's end device and via them, data is transmitted to our site.

This website uses the following cookies:

• Transient cookies (temporary use)
• Persistent cookies (use for a limited time)

Transient cookies are deleted automatically when you close your browser. They specifically include session cookies. Session cookies store a "session ID" which allows to allocate various requests from your browser to a joint session. This allows the website to recognize your computer when you return to the website. Session cookies are deleted when you log out or close your browser.

Persistent cookies are deleted automatically after a specified period which may vary depending on the type of the cookie. You can delete the cookies at any time in the security settings of your browser.

For every Cookie we have set a specific storage limitation, depending on the purpose, which you can view under Cookie Settings – “Cookie Details”.

c) Customize cookie- and external technology- settings

You as a user have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. When calling up our website, we offer you the possibility to individually adjust the optional cookies via the "Settings" item in the cookie banner. Your consent to optional cookies is voluntary, not necessary for the use of this website and a given consent can be revoked at any time. Cookies that have already been saved can be deleted at any time. This can also be done automatically via the settings of your internet browser. On our website, you can adjust the cookie settings via the always visible icon from any location on our website or here at any time. If cookies are deactivated for our websites, it may no longer be possible to use all functions of the website to their full extent.

The cookie banner also helps us to provide evidence of your consent. For this purpose, we process information about the declaration of consent and further log data about this declaration. Cookies are also used to collect this data. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (if the GDPR applies: Art. 6 (1) lit. c in conjunction with Art. 7 (1) GDPR).

2. Data processing that takes place automatically when you visit the website (Essential cookies)

a) Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from your end device.

If you only use our website for informational purposes and have not consented to the setting and use of any optional cookies, we do not collect any personal data aside from the data transmitted by your browser via strictly necessary cookies (Essential Cookies) that are stored on your end device and which are necessary to enable you to visit and use the website. Detailed information about each cookie, its provider, purpose and storage duration can be found in the Cookie Manager under Cookie Details.

The following data is always processed when you visit our website:

• Date and time of your request
• Duration of your visit
• Time zone difference compared to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status / HTTP status code
• Website & provider from/by which the request is made
• Browser
• Operating system
• Language and version of the browser software
• IP-address.

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

Additional data is only collected and processed if and insofar you consent to the storage of optional cookies or the use of similar technologies. For details see below in section B II. 3.

b) Purpose and Legal basis of data processing

Essential Cookies are technically necessary  to ensure the basic functions of the website and to provide the telemedia services you have requested. Your data is processed by these cookies on the basis of § 25 (2) Nr. 2 TDDDG and Art. 6 (1) lit. b GDPR. These cookies are necessary to ensure the proper functioning and security of our website and to fulfil a contract or to carry out pre-contractual measures, and therefore do not require your consent. 

c) Duration of data storage

Essential cookies and the related data is stored as required to achieve the respective purpose, which can be for just the duration of your visit, for 1 day or for up to 1 year. Details can be under Cookie Settings – “Cookie Details”.

Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations.

d) Data transfer and disclosure

To facilitate the purposes described we may exchange your data with third parties. Examples are service providers used to manage our web servers  who may be able to access your data in this context. A data processing agreement is concluded in this case.

Otherwise we only provide your personal data to third parties if we are obligated to do so by compulsory legal regulations, if you ask us to do so or have consented to the disclosure, or after the data has been anonymised or pseudonymised.

e) Data Transfer to third countries

Our data processing operations may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection exists in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country will only take place if appropriate safeguards pursuant to Art. 46 GDPR are in place or if one of the conditions of Art. 49 GDPR is met.

Unless otherwise stated below, we use the EU standard contractual clauses as appropriate safeguards for the transfer of personal data to third countries. You have the possibility to obtain a copy of these EU standard contractual clauses or to inspect them. To do so, please contact our data protection officer (contact information under II. clause 2.)

3. Data processing via Optional Cookies (Statistics and Marketing)

If you have given your explicit consent in the cookie settings, we also use those optional cookies for marketing purposes and/or statistic tracking, for example to help understand how users interact with websites, what content appeals to them or to show you personalized advertisement. You can revoke your consent at any time with effect for the future in the cookie settings here or via the always visible icon from any location on our website.

With your consent we use the following optional cookies:

a) Google Analytics (Statistical analysis)

We use the Google Analytics service (Google Analytics 4) of the provider Google Ireland Limited (Google Ireland/EU) on our website.

Google Analytics is a web analytics service that allows us to collect and analyse data about the behaviour of visitors to our website. Google Analytics sets and uses cookies for this purpose, which enable an analysis of the use of our website. This involves processing personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website.

Some of this data is information stored in the end device you are using. In addition, further information is also stored on your end device via the cookies used. Such setting of cookies, storage of information by Google Analytics or access to information already stored in your end device as well as the processing of data by us will only take place with your consent.

Google Ireland will process the data thus collected on our behalf in order to evaluate the use of our website by users, to compile reports on the activities within our website and to provide us with further services related to the use of our website and the use of the Internet. In doing so, pseudonymous user profiles can be created from the processed data.

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the setting of the cookies and data processing in connection with the Google Analytics service is therefore § 25 (1) TDDDG and Art. 6 (1) a GDPR (If the GDPR is applicable). You can revoke this consent via the Cookie Settings at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent until revocation remains unaffected.

The personal data processed on our behalf to provide Google Analytics may be transferred to any country in which Google Ireland or Google Ireland's sub-processors maintain facilities. Google Ireland transmits data to Google LLC and its servers located in the United States. For the United States, an adequacy decision has been adopted by the EU Commission. Google Ireland currently continues to use the EU standard data protection clauses as appropriate safeguards for these transfers of personal data to the United States , which can be found at the following link: https://business.safety.google/adsprocessorterms/sccs/eu-p2p-intra-group/ and has performed a Transfer Impact Assessment for the transfer.

We only use Google Analytics with IP anonymisation activated. This means that the IP address of users is shortened by Google Ireland within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. The IP address transmitted by the user's browser is not merged with other data. Further information on the use of data for advertising purposes can be found in Google's privacy policy at: www.google.com/policies/technologies/ads/.

The data on user actions is stored for a period of 2 months to enable us to reach the purposes for which we collected the data and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.

b) LinkedIn Insights and Conversion Tracking – LinkedIn Pixel (Marketing)

We use the LinkedIn Insight tag on our website, a marketing product of LinkedIn Ireland Unlimited Company (Ireland, EU). For information on the contact details of LinkedIn Ireland and the contact details of the data protection officer of LinkedIn Ireland, please refer to LinkedIn’s data policy at https://www.linkedin.com/legal/privacy-policy.

The LinkedIn Insight tag is a JavaScript code snippet that is triggered by LinkedIn when you visit our website and stores a cookie on the device you are using. Such storage of information by the LinkedIn Insight tag or access to information already stored in your end device and also further processing of personal data in connection with the LinkedIn Insight tag will only take place with your consent, which is provided directly on LinkedIn. The legal basis for the collection and transmission of personal data by us to LinkedIn Ireland is therefore Art. 6 (1) a GDPR (if the GDPR applies).

We can perform various functions via the LinkedIn Insight tag, which we describe in detail below.

LinkedIn conversion tracking is an analytics function supported by the LinkedIn Insight tag. The LinkedIn Insight tag allows us to collect data about visits to our website, including URL, referrer URL, IP address, device, and browser properties (user agent) and timestamp. IP addresses are shortened or (if used to reach members across devices) hashed. LinkedIn does not provide us with any personally identifiable information, only reports (which do not identify you) on website audience and ad performance. This allows us to track the effectiveness of LinkedIn ads for statistical and market research purposes.

Members’ direct identifiers are removed by LinkedIn within seven days to pseudonymise the data. LinkedIn then deletes this remaining pseudonymised data within 180 days.

This processing is done for the purpose of obtaining information about our website target group and a report on the effectiveness of LinkedIn campaigns.

We also use the Matched Audiences service to target our advertising campaigns to specific audiences. Through LinkedIn Matched Audiences and related data integrations, we can target advertising to specific audiences based on data we provide to LinkedIn (e.g. company lists, hashed contact information, device identifiers or event data such as websites visited).

This processing is done for the purpose of marketing our offerings via the targeting of advertising.

We have entered into a joint controller agreement with LinkedIn, which sets out the distribution of data protection obligations between us and LinkedIn. You can view this here: https://legal.linkedin.com/pages-joint-controller-addendum.

Please note that in accordance with LinkedIn’s privacy policy, personal data may also be processed by LinkedIn in the USA or other third countries outside the European Union and Switzerland. LinkedIn only transfers personal data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of appropriate guarantees in accordance with Art. 46 GDPR.

4. Data Processing via External Services use of our website features (optional)

Personal data is also processed when you consent to external services such as Google Tag Manager, Mapbox or Vimeo or if you make use of other provided features on our website such as the contact form or job application link. Your consent to the activation of external services can be revoked at any time with effect for the future in the cookie settings here or via the always visible icon from any location on our website.

a) Google Tag Manager

We use the Google Tag Manager of the provider Google Ireland Limited (Ireland, EU) on our website. The Google Tag Manager is used to manage our website tags via an interface. The Google Tag Manager is a cookie-free domain to which the IP address is transmitted for technical reasons. The Google Tag Manager merely ensures that other tags are triggered, which in turn may collect data without accessing this data themselves. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

Where the GDPR is applicable, the processing is based in accordance with Art. 6 (1)  a GDPR. You can revoke your consent at any time with effect for the future by adjusting the corresponding settings in our cookie banner.  Personal data may also be transferred to the parent company Google LLC, based in the USA.

For more information on data processing by Google Tag Manager please visit: https://support.google.com/tagmanager/answer/7157428.

b) Contact form

We process your personal data provided in the contact form to contact you and to process your request. You can enter your email address and optionally also further data, such as title, name and address or other data necessary to handle your request in the free-text field.  If your request is directed towards the conclusion or performance of a contract with us, Art. 6 (1) b GDPR is the legal basis for the data processing (if the GDPR is applicable). Otherwise, we process the data based on our legitimate interest in contacting persons making enquiries. The legal basis for data processing is then Art. 6 (1) f GDPR. The legitimate interest includes the ability to answer received queries, improve services and increase customer satisfaction. Data subjects should reasonably expect that their data will be processed to handle their requests, which may justify the processing in the context of data subjects’ legitimate expectations. Data transmitted via the contact form will remain with us until you request us to delete it or there is no longer any need to store the data. Mandatory legal provisions - in particular retention periods - remain unaffected.

c) Job application via our career applicant portal or proactive application

If you use the career-link on our website (Recruiting & Onboarding | Aquila Capital Career) to apply to a job advertisement and provide a profile/resume to us, we will use that personal data to create our own professional profile for you in accordance with this Privacy Notice. The processing of applications that are not sent via our applicant portal, but to general contact addresses on our website, is based on Art. 6 (1)  f  GDPR. Our legitimate interest is to identify suitable candidates for vacancies and to make the application process efficient. This includes reviewing and processing applications sent to our general contact addresses to ensure that no potential talent is overlooked. In doing so, we ensure that the interests or fundamental rights and freedoms of applicants do not prevail. Given that we will store your work history in this case, your submission must not contain any sensitive information with respect to race or ethnic origin, political opinions, religion or beliefs, trade union or political party memberships, genetic, physical or mental health status, dependencies, sexual orientation, criminal offences or criminal proceedings and related penalties or fines, social security number or national ID. If your profile contains such information regardless, you agree that we may store that information and also use it in accordance with this Privacy Notice. Please also note that where you provide information of a third party to us as a reference you are responsible for ensuring that the person involved is aware of your disclosure of his/her personal data and has provided his/her written consent to this disclosure. If you apply for an open position in our company, we will, additionally, process your personal data to decide on whether to hire you (Art.6 (1) b. GDPR.

If we intend to hire you for a position at Aquila Capital, Aquila Capital’s main shareholder Commerz Real AG may require us to disclose your name to them for the performance of a reliability check in accordance with the applicable requirements for the prevention of money laundering and financing of terrorism. For more details please see the KYC-Information below in section (D) IV.

Further details can be found in our Privacy Policy for online applications.

d)  Mapbox

We use Mapbox from the provider Mapbox, Inc. (USA) on our website to display maps and for virtual tours. For such integration, processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Mapbox and Mapbox may set its own cookies.

As far as the GDPR is applicable, the processing of your data is based on your consent in accordance with Art. 6 (1) a GDPR. If you do not consent the interactive maps of Mapbox on our website cannot be displayed to you.

When using the service, a transfer of your data to the USA cannot be ruled out. Please also note the information in the section "Data transfer to third countries". Further information on data protection at Mapbox can be found in Mapbox’s privacy policy at https://www.mapbox.com/legal/privacy.

e) Vimeo

Our website uses plugins from Vimeo to integrate and display video content. The provider of the video portal is Vimeo Inc. (USA). When calling a page with an integrated Vimeo plugin, a connection to the servers of Vimeo is established and Vimeo may set its own cookies. This will tell Vimeo which of our pages you have accessed. Vimeo will know your IP address even if you are not logged in to the video portal or do not have an account there. The information collected by Vimeo is transmitted to servers of the video portal in the USA.

Vimeo can assign your surfing behaviour directly to your personal profile. You can prevent this by logging out beforehand.

As far as the GDPR is applicable, the processing of your data is based on your consent in accordance with Art. 6 (1) a GDPR. If you do not consent, Vimeo videos on our website cannot be displayed to you.

When using the service, a transfer of your data to the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries". Details on the handling of user data can be found in Vimeo's data protection declaration at: https://vimeo.com/privacy.

5. Rights of the data subjects

Your rights with regard to data processing are described in section (E) of this Privacy Policy.

(C) Data processing on our social media page at LinkedIN

We operate a company page on LinkedIn. Here we offer the possibility of information about our company and exchange.

Generally, the LinkedIn Ireland Unlimited Company (Ireland/EU) is the sole controller of the processing of your personal data relating to a visit to our LinkedIn page. Further information on the processing of personal data by LinkedIn are available via https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

If you visit or follow our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights which enable us to gain knowledge about the ways in which interact with our page (so called ‘insights’). For this purpose, LinkedIn processes, in particular, such data that you already shared with LinkedIn by adding it to your profile like, for example, position, country, field of work, seniority, company size and employment status. Further, LinkedIn collects information on how you interact with our LinkedIn company page, for example whether you follow our LinkedIn company page. LinkedIn does not share personal data with us by providing us with the insights. We only have access to a summarized version of the insights. Also, we are unable to make conclusions about individual members from the information in the insights. LinkedIn and we are joint controllers of the processing regard the page insights. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. As far as the GDPR is applicable, this finds its legal basis in Art. 6 (1) lit. f GDPR. Our legitimate interests include the analysis and optimization of our marketing strategies and the improvement of our services in order to make them more efficient and attractive. By analysing anonymized insights via LinkedIn, we can develop marketing campaigns that are tailored to the interests of our audience. This information helps us to customize and improve our services to better meet the expectations of our customers. We ensure that the interests or fundamental rights and freedoms of data subjects’ do not prevail. We have concluded an agreement with LinkedIn on joint controllership in which the data protection duties are allocated between LinkedIn and us. The agreement is available via legal.linkedin.com/pages-joint-controller-addendum. The agreement stipulates the following:

• LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. In order to do so, you can contact LinkedIn online via https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de or via the contact details in the data protection guidelines. You can contact the Data Protection Officer of LinkedIn Ireland via the following link: www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also reach out to us via the contact details mentioned above for the exercise of your rights relating to the processing of your personal data for insights. In such a case, we will forward your request to LinkedIn.
• LinkedIn and we have agreed that the Irish data protection commission shall be the responsible supervisory authority monitoring the processing for insights. You always have the right to lodge a complaint with the Irish data protection commission (see www.dataprotection.ie) or any other supervisory authority.

Please note that user data is also processed in the USA and other third countries according to LinkedIn’s data protection guidelines. LinkedIn only transfers user data to countries for which the European Commission has adopted an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR.

Your rights with regard to data processing are described in section (E) of this Privacy Policy.

(D) Specific Processing Situations

In the following we would like to inform you about specific common or frequent personal data processing situations that you may be subject to depending on the circumstances and the business relationship we may have with you. In these cases, you will receive basic information and a link to this privacy policy for more details which are hereby provided:

I. Contacting us

When you contact us by e-mail or , we will store your e-mail address and, if you provide it, your name and telephone number in order to answer your questions, process your request or continue connected discussions. We delete the data arising in this context after storage is no longer required or - in the case of statutory retention obligations - restrict processing.

If you make your personal data available to us for the purpose of potential future cooperation, potential investments and/or to enable us to contact you, we may disclose this data to affiliated companies within Aquila Capital  and/or Commerz Real Group, if there is a legitimate interest on our part and your interests, fundamental rights and freedoms do not outweigh.

Otherwise we only provide your personal data to third parties if we are obligated to do so by compulsory legal regulations, if you ask us to do so or have consented to the disclosure, or after the data has been anonymised or pseudonymised.

Your rights with regard to data processing are described in section (E) of this Privacy Policy.

II. Data protection information according to Art. 13 GDPR for telephone recording pursuant to MiFID II / MiFIR (Taping)

1. Controller according to Art. 4 no. 7 GDPR

Aquila Capital Investmentgesellschaft mbH is the controller of the data processing in connection with the taping obligations.

2. Scope and purpose of the data processing

As part of the implementation of the regulatory requirements of Directive 2014/65/EU (MiFID II), and Regulation (EU) No. 600/2014 (MiFiR) both incoming and outgoing telephone calls and equivalent electronic communication by employees of our Sales- and Portfoliomanagement FAG departments are recorded and stored. This applies to relevant calls from fixed-line phones and from cell phones as well as relevant email-communication. The so-called taping affects all conversations concerning the acceptance and forwarding of orders, the execution of client orders and trading on own account.  

This also includes the provision of ancillary services such as investment brokerage, investment advice and financial portfolio management. 

The aim is to strengthen investor protection by additionally documenting (in addition to the written records, e.g. in the mediation protocol) the process of investment mediation. The requirement applies to all client categories (private clients, semi-professional clients, professional clients and eligible Counterparties). In order to achieve this goal, Art.16 para. 7 MiFID II prescribes the binding obligation to record telephone calls and electronic communication in addition to the general recording obligation of Art. 16 para. 6 MiFID II. For evidence purposes, all relevant telephone conversations or parts thereof as well as relevant email-communication with (potential) customers can be recorded in relation to business transactions or business conversations. 

3. Personal data

We would like to point out that the entire content of the conversation, including all the data mentioned, is recorded and not just the part concerning investment mediation. 

4. Legal basis for data processing

The data protection legal basis for the processing of your personal data is Art. 6 (1) lit. c. GDPR in conjunction with Art.16 para. 7 MiFID II, para. 6 MiFID II, Art. 76 MiFID II-DVO, §83 WpHG, §9 WpDVVerOV as the taping takes place to fulfil a legal obligation of the controller. For those parts of the conversation that do not relate to investment mediation, the legal basis for the recording is Art. 6 para. 1 lit. f GDPR. The legitimate interest of the controller follows from the interest to document the overall context of the mediation discussion, since the qualification of the possibly relevant part according to MiFID II is difficult to assess and thus unreasonable. You have the right to object at any time the processing of your personal date which is carried out on the basis of Art. 6, para. 1 f) GDPR.

5. Transmission and disclosure of data 

Aquila Capital uses external service providers for the realization of the taping, which are bound by the necessary agreements, such as data processing agreements. For the implementation of the recording obligation, the responsible parties work together with the external service provider ASC Technologies AG. A data processing agreement has been concluded. The hosting of the data takes place exclusively in Germany. 

For audit purposes, Aquila Capital's Compliance Department and Audit Department may be granted access to the telephone records. In addition, access by external auditors is possible. 

The competent supervisory authorities (data protection authority, BaFin) may also request existing recordings of telephone calls or electronic communications from the responsible parties for audit purposes. 

6. Deletion of data

Records to which Aquila Capital Investementgesellschaft mbH is legally obligated are kept for 5 years, maximum 7 years from the date of creation (§ 83 para. 3. WpHG in conjunction with Art 16 para. 7 MiFID II), unless legal retention periods apply that require longer storage.

The retention serves as evidence of transactions carried out and to comply with applicable legal requirements.

7. Rights of the data subjects
 
Your rights with regard to data processing are outlined in section (E) of this Privacy Policy. 

III. Data protection information for video and telephone conferences via "Microsoft Teams", Recording of Online Meetings

1. Controller 

The controller for data processing in direct connection with the general holding of video and telephone conferences (hereinafter "Online Meetings") is Aquila Capital Holding mbH, an affiliated company of Aquila Capital Investmentgesellschaft mbH within the Aquila Group located at Valentinskamp 70, 20355 Hamburg, Germany, as the cross-group IT-infrastructure is provided and maintained by this entity via an outsourcing agreement. The data protection officer of Aquila Capital Holding GmbH can be reached at privacy-aq-group@aquila-capital.com. 

In the case you are participant of an Online Meeting which is transcribed via the transcript function or recorded (audio and video), the data controller for the processing in this context is Aquila Capital Investmentgesellschaft mbH. You may contact Aquila Capital's data protection officer at any time regarding your rights and obligations and any other information exchange. The contact details of the data protection officer can be found in section (A) II of this Privacy Policy.

2. Purpose of the data processing

We use the tool "Microsoft Teams" to conduct telephone and video conferences within the business purposes of Aquila Capital. 

3. Which data is processed? 

When using Microsoft Teams, different types of data are processed. The scope of the data processed depends on the information provided before or during participation in an Online Meeting. The following data are subject to processing:

• User details: e.g. display name, e-mail address (if applicable), profile picture (optional), preferred language
• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
• Text, audio and video data: It is possible to use the chat function in an Online Meeting. In this respect, the text entries made by the respective user are processed in order to display them in the Online Meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera on the end device are processed for the duration of the meeting.  You can switch off or mute the camera or microphone yourself at any time using the "Microsoft Teams" applications. If the transcription function is activated, a live transcription of your voice/the content is made during the meeting and displayed to the participants. The transcript is saved and can be downloaded after the meeting. Audio, video and text data is also processed when the meeting is recorded.
• Sensitive data: video data includes all visual data captured by your camera, which potentially may also include special categories of data in the sense of Art. 9 I GDPR. For example glasses or hearing aids can hint to a handicap/disability and may categorize as sensitive health data.
• Log files, logging data

There is no statutory requirement for you to provide personal data to the controller in connection with Online Meetings.

4. Legal basis for data processing
 
a) General holding of Online Meetings

The legal basis for data processing of "online meetings" is Art. 6 (1) lit. b GDPR, if the GDPR applies, insofar as the meetings are conducted within the framework of contractual relationships. If this is not the case, Art. 6 para. 1 lit. f) GDPR is the legal basis for the data processing. According to Art. 6 para. 1 lit. f) GDPR, the processing is lawful if it is necessary to safeguard the legitimate interests of Aquila Capital, unless your interests, fundamental rights or freedoms outweigh the interests for processing. Aquila Capital's legitimate interest is to ensure effective communication among Aquila Capital and Aquila Group employees and between employees and external persons/companies. Especially since the Corona Pandemic, the use of long-distance means of communication had to be increased, e.g. to avoid personal meetings. This is also in the interest of the employees of the Aquila Capital as well as in the interest of external communication partners. Online meetings have since become a standard and globally accepted and expected way of communication without which Aquila Capital's competitive position would be limited significantly. With regard to data processing based on Art. 6 para. 1 lit. f) GDPR, you have the right to object according to Art. 21 GDPR. Exercising this right does not affect the lawfulness of the processing before the objection.

b) Live transcription of an Online Meeting

In some cases there may be an interest to use the live transcript function to transcribe (parts of an) Online Meeting. The transcription function is approved for board meetings of Aquila Capital Investmentgesellschaft mbH and you will be informed in case you are affected by this. The legal basis for the automatic transcription of the summary by each participant at the end of board meetings is Art. 6 para. 1 lit. f) GDPR.  Automatic transcription of the summaries is necessary for the purposes of the legitimate interests pursued by Aquila Capital Investmentgesellschaft mbH. These legitimate interests include establishing efficiency, economy and labor-saving. This is also in the interest of the participants (internal or external) of these meetings. As an alternative to the use of the transcription tool for transcribing the summaries, each participant could hand in a written summary after the meeting. The use of automatic transcription therefore is saving each participant work. The scope of the processed data is small and concerns mostly professional data. Your interests, fundamental rights or freedoms do therefore not override the interests for processing. 

c) Audio and video recording of an Online Meeting

In some cases there may be an interest of Aquila Capital to document an Online Meeting or parts thereof via audio and video recording, for example in conferences with relevant information for other participants (e.g. online-trainings, brown bag sessions for employees) to provide the information to other or all employees via the intranet. This can be done either in form of the Live-Event Webinar Setting, where per default participants’ camera and microphone are disabled so participants will not be recorded, or the participation via camera and microphone is enabled. Any audio or video- recording of you during an Online Meeting is only done with and based on your prior consent pursuant to Art. 6 para. 1 lit. a), Art. 9 para. 2 lit. a) GDPR, § 26 para. 2 BDSG.
 
Your consent is absolutely voluntary and there will be no disadvantages if you do not agree to the recording. You will be informed about the recording in advance; once the organiser of the meeting initiates the recording your microphone and camera will automatically be muted/turned off. A pop-up window will indicate this and provide you with the option to consent to the recording by re-activating your camera and/or microphone or by clicking on the agree button.

If you consent to the recording, your consent includes

• the recording of audio and/or video itself,
• the storage and
• the potential sharing of the recording with colleagues and/or publication in the intranet for the purpose of making this information available to relevant other employees.

Public sharing of recordings is not done.

If you have given your consent to the recording, you can withdraw this consent at any time. The withdrawal is effective for the future and shall not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent during a recording, all you have to do is deactivate your camera and microphone to deactivate further recording. If you withdraw your consent after a meeting or when a recording is already shared or published in the intranet Aquila Capital will either delete the video or edit the video so you will no longer be identifiable.

 Please note that Aquila Capital will never secretly record an Online Meeting. The secret recording of a non-public conversation as well as the storage and sharing of such recordings is punishable by criminal law.

5. Transmission and disclosure of data

Personal data processed in connection with participation in online meetings is generally not transferred to third parties, unless it is specifically intended to be transferred.

Further recipients: Microsoft necessarily receives knowledge of the above-mentioned data, as far as this is intended in the data processing agreements.

 Microsoft Teams is part of the Office 365 cloud application, of which a user account must be created. Microsoft also reserves the right to process customer data for its own business purposes. According to Microsoft, these are activities related to the provision of the services, such as usage-based billing, capacity planning and combating cybercrime. Use for user profiling, advertising or similar commercial purposes is expressly excluded by contract. Please note that we have no control over Microsoft's data processing. To the extent that Microsoft teams processes personal information in connection with Microsoft's legitimate business operations, Microsoft is an independent data controller for that use and as such is responsible for compliance with all applicable laws and a data controller's obligations. For more information about the purposes and extent of data collection and processing by Microsoft Teams, please see the Microsoft Privacy Statement at https://privacy.microsoft.com/de-de/privacystatement and Microsoft Teams at https://docs.microsoft.com/de-de/microsoftteams/teams-privacy. You can also obtain further information about your rights in this regard.

Since Microsoft Ireland's mother entity is located in the USA, data processing outside the European Union (EU) may also be possible. An adequacy decision exists for the USA and Microsoft is certified under the respective framework. Additional measures have been taken to protect personal data (e.g. standard contractual clauses). You can request to view the relevant documents and guarantees at privacy@aquila-capital.com.

Furthermore, we cannot exclude the possibility that the routing of data is done via Internet servers located outside the EU. This may be the case in particular if participants in online meetings are in a third country. However, the data is encrypted during transport over the Internet and thus protected against unauthorized access by third parties.

6. Deletion of data

a) General Data of Online Meetings

The data processed during the general holding of a meeting is stored as long as it is necessary for the respective purpose. Your user details (profile) are stored within Teams for 90 days after you leave the company or until you delete optional data (e.g. photo). Meeting metadata is stored 3 months within Teams after you leave the company. Texts and content from the chat-function is generally stored for 90 days and then automatically deleted, unless it is subject to retention obligations and legitimate retention interests. A requirement for storage can exist in particular if the data is still needed to fulfill contractual services, to check and grant or ward off warranty and guarantee claims. In the case of legal storage obligations or legitimate interests for retention, deletion is only possible after expiry of the respective obligation or the subordination of the respective legitimate interests. If you share documents in a Meeting they will be stored 30 days after you delete them in Teams.

b) Transcripts and transcript files

If the meeting or parts of it are lawfully transcribed, the transcription file will be stored on Microsoft OneDrive for 60 days and then automatically deleted. The necessary transient recording of the audio is not saved. The transcript file can be downloaded and saved by the meeting participants. Employees are instructed to only save the transcript if this is necessary and are requested to check 6 months after the transcription file has been created whether it is still needed and, if not, to delete it afterwards. The file may be kept for a maximum period of one year, unless longer retention is justified.

c) Audio and video recording files

Recording files are automatically stored on the initiator’s Microsoft OneDrive for 30 days and are then automatically deleted. In case of sharing of a recording or publishing on the intranet, the recording or the relevant parts thereof will be deleted if you revoke your consent or if the purpose of the publication is fulfilled.

A requirement for further storage of data can exist in particular if the data is still needed to fulfill contractual services, to check and grant or ward off warranty and guarantee claims. In the case of legal storage obligations, deletion only comes into consideration after expiry of the respective storage obligation.

7. Privacy friendly settings

Aquila Capital has configured the Online Meeting function with privacy friendly default settings and designs to achieve a minimal processing of personal data as necessary for the respective purposes. This includes the default deactivation of your camera when you join an Online Meeting and the automatic deactivation of your camera and microphone when a transcription or a recording is initiated. 

In addition to the technically preset settings, there are a few things that you can do yourself to increase privacy:

• Change your background for a Teams Meeting

To protect your personal data in your home office, you can change your background while you're setting up your video and audio before joining a meeting. Therefore, select Background effects on the right of the mic switch. Your background options will than display on the right. Choose Blur to blur your background. You'll appear nice and clear while everything behind you is subtly concealed. You can also replace your background with one of the images provided, or with one of your own choosing. To use an image of your own, choose Add new and then select one to upload from your computer. Make sure it's a .JPG, .PNG, or .BMP file. 

Your new background will persist in all your meetings and calls until you change it again.

• Transcription and recording of Online Meetings

If you do not wish to be transcribed or recorded during an online meeting, we advise you to leave your microphone on mute and your camera off and not to share your screen. You can hide your user name and photo also if you wish to be even more anonymous. Please see below for settings.

• Create private channels

The menu with the three items allows users to perform various actions. "Add Channel" creates a new channel. "Standard" creates a channel that is automatically accessible to all members of a team. “Private" creates a channel where the channel owner can invite members from a team. This allows for sensitive conversations that other team members should not follow.

• Control personal security and privacy settings in Microsoft Teams.

In Teams you will per default only appear with minimal personal information: your name and email address as well an icon with your initials. The inclusion of a photo is optional.

Each user can customise the client to his or her requirements by clicking on his or her username in the Teams client with the menu item "Settings". The menu item "Privacy" also offers numerous settings, which can be used to block callers, to hide the username in live transcriptions and the stored transcription or deactivate read receipts, for example.

8. Rights of the data subjects

Your rights with regard to data processing are described in section (E) of this Privacy Policy. 
 

IV. Data Protection Information for the Know Your Counterparty Check (KYC-Check)

1. Controller 

The responsible company in the context of the KYC-Check is Aquila Capital Investmentgesellschaft mbH (“ACI”). 

2. Processing purposes and legal basis of the data processing 

The collection and further processing are carried out for the fulfillment of legal obligations to which ACI is subject (on the basis of Art. 6 (1) lit. c GDPR in conjunction with § 28 KAGB, § 25h KWG, §§ 10-17 GwG) for the prevention of money laundering, financing of terrorism and other criminal acts. The main measure to comply with this obligation is

• the identification of the business/contractual partner and, if applicable, the persons acting on its behalf and their authorization and also
• the determination of whether the contractual partner or the beneficial owner is a politically exposed person (PEP), a family member or a known related person of a PEP. 

In the case of applicability of the GDPR, the following legal bases also arise: Since KYC checks are also to be carried out for contractual relationships in which ACI is not involved, the legal basis for the data processing in this context results from Art. 6 (1) f GDPR. ACI has a legitimate interest in ensuring that all transactions concluded within the Aquila Capital comply with the high standards required by the Money Laundering Act (GwG).

You have the right to object to the processing of your personal data which is carried out (i.a.) on the basis of Art. 6 (1) f GDPR at any time on grounds relating to your particular situation in accordance with Art. 21 GDPR.

3. What personal data is processed

Depending on the constellation, the following personal data of the acting person(s) and the beneficial owner may be collected and processed during a KYC-Check in connection with the KYC questionnaire and the associated verification documents (e.g. copy of ID, proof of residential address): 

Surname, first name, nationality, date of birth, place of birth, ID card data (e.g. ID card number, date of issue, issuing authority), address data (street, house number, zip code, city, country), attribute of beneficial owner, information on origin of assets, gross income, type of contribution, PEP status (in this context, if applicable, also name of family members  or other known related persons if they have a PEP status), any additional data that may result from the verification documents: Copy of ID (title, birth name, height, eye color, signature, order or artist name, if applicable), proof of address document (electricity consumption, telephone log, etc., if applicable).

4. Data transfers and disclosure 

a) Aquila Capital – Internal

Since the data regarding the KYC check is collected by the respective employee responsible for the contract, there may be a transfer of data within Aquila Capital from/to the respective branch offices and subsidiaries. 

b) Commerz Real Group 

As part of the Commerz Real Group, ACI’s compliance department is increasingly involved in and making use of intra-group synergies and processes, in which sharing of data may be or become necessary to maintain effective concern wide governance and to ensure regulatory requirements. Also, if we intend to hire you for a position at Aquila Capital, Commerz Real AG may require us to disclose your name to them for the performance of a reliability check in accordance with the applicable requirements for the prevention of money laundering and financing of terrorism. Detailed information can be found in the Privacy Policy for Applicants. The legal basis for such transfer is the legitimate interest of Aquila Capital pursuant to Art. 6 (1) lit. f GDPR. This interest lies in maintaining effective concern-wide governance, ensuring compliance, and fulfilling legal obligations. In each case, your rights and freedoms will be carefully considered and protected, and data will only be transferred to the extent necessary and proportionate. 

c) External Service Providers

ACI uses external service providers to fulfill the purposes described in the context of the KYC check. For example, the collected data is stored in the customer management software "Salesforce", provided by Salesforce Inc. Salesforce is supported and maintained by our service providers Hanseforce GmbH, Omega CRM Consulting S.L. and Wipro Technologies GmbH, whose employees may become aware of the above data in the course of providing their services. In addition, your name is checked against current PEP and sanctions lists via the tool WorldcheckOne, provided by Refinitiv Germany GmbH, as well as against, among other things, press releases on the subject of financial crime by Factiva Limited. Lionware GmbH is engaged for cases of necessary ID-verifications via post-ident.

d) Other Recipients

In addition, ACI may make (individual or combined) collected data available to other recipients, for example, to those companies that are jointly involved with Aquila Capital in the procurement of investment projects, namely buyers or financing companies of the investment properties or owner companies. They pursue a similar, albeit separate interest in the audit, which they may carry out parallel as an independent responsible party. The additional verification can further reduce the overall risk of financial crime (especially prevention of money laundering and terrorist financing) in potential projects or project participations. In addition, in the case of investors in Luxembourg investment funds, Aquila Capital forwards the data to the relevant register and transfer agent Apex Fund Services S.A. for the opening of the register, which is necessary to complete the subscription of shares in the investment fund. Before forwarding, Aquila Capital checks the correctness and completeness of the data and documents collected. 

e) Transfer to third countries

Some of the external service providers are registered in the USA. However, the data is stored on servers located within the European Economic Area.

ACI has ensured the necessary data protection with all recipients of personal data. For the USA, an adequacy decision of the European Union exists. We have taken special measures to ensure that your personal data is processed just as securely in these third countries as it would be in the European Union. We sign data protection clauses provided by the Commission of the European Union with service providers in third countries. These clauses provide guarantees for the protection of your personal data with service providers in third countries and if necessary, we take additional measures to protect the data.
If you wish to inspect the existing contracts/guarantees, you can contact our data protection officer. 

5. Deletion of Data 

Your data is stored for as long as it is required for the processing purpose or until the expiry of statutory retention periods. KYC documents and the data contained therein are subject to a basic retention period of 5 years from the end of the business relationship pursuant to Section 8 (4) GwG and are generally deleted after expiry. Other storage and documentation obligations may arise, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO) to which ACI is subject to. The periods prescribed there for storage or documentation are two to ten years from the end of the year in which the last action was taken on the tax-relevant documents (usually the last annual financial statement/tax return of the fund). Finally, the storage period also depends on the applicable statutory limitation periods, e.g. according to §§ 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.

6. Voluntariness and necessity of the provision of personal data

The provision of personal data as part of the KYC-Check is neither legally nor contractually required of you. You are therefore not obliged to provide any information in this regard. Please note, however, that ACI cannot enter into a business relationship with you without the provision of the requested data. 

7. Automated decision-making including profiling

We use automated decision making to process personal data to check whether individuals, companies or organizations are on sanctions lists and/or Politically Exposed Person (PEP) lists. This is to ensure that we comply with legal obligations and minimize the risk of financial crimes, such as money laundering or terrorist financing. Automated decision making is based on algorithms and is performed by systems operated by our service provider. We take reasonable steps to ensure that automated decision making is fair and transparent and protects the rights of data subjects. If you have any questions or concerns about automated decision making, please contact us.

8. Rights of the data subjects

Your rights with regard to data processing are described in section (E) of this Privacy Policy.

V. Data Protection Information for Product-Related Disclosure Obligations pursuant Art. 10 SFDR

1. Controller 
 
The responsible data controller for processing of personal data in connection with product related disclosure obligations pursuant to Art. 10 of the Sustainable Finance Disclosure Regulation (“SFDR”) is Aquila Capital Investmentgesellschaft mbH (“ACI”).

2. Subject Matter, personal data and legal basis of the processing, usage of data

ACI is legally obligated to provide information or sustainability-related disclosures on Aquila Capital’s products via its public website to its investors. In order to comply with this obligation while maintaining confidentiality of confidential business information, ACI has implemented a respective password-protected investor-space, including a Log-In mask for authorized investors. This Log-In Mask processes the email address and the password of the user on the basis of Art. 6 (1) lit. c GDPR in connection with Art. 10 SFDR. We do not use this data for any other purpose than to provide you with the product-related information. Tracking, processing or transfer of log-in data and other user data while navigating the investor space will only take place if you have consented to the usage of optional cookies and technologies, e.g. the Google Analytics Cookie (Section (B) III a) of this Privacy Policy). 

3. Retention and Deletion of Data

The log-in data is only stored for the duration of the log-in and is automatically deleted after the session.

4. Voluntariness and necessity of the provision of personal data

The provision of personal data as part of the log-in requirements to the investor space is neither legally nor contractually required of you. You are therefore not obliged to provide any information in this regard. Please note, however, that you will not be able to enter the investor space and view the information provided there in this case.

5. Rights of the data subjects  

Your rights with regard to data processing are described in section (E) of this Privacy Policy.

VI. Product and Service information, Marketing

Depending on the specific business relationship we have with you, we may collect and use personal data from our customers to send important information or updates on Aquila Capital’s products and services. This includes, in particular, important security information or significant changes to products, services or this Privacy Policy. The legal basis for processing data for these purposes is the legitimate interest of Aquila Capital to adapt and correct legal innovations or product errors, to comply with legal obligations and to offer high-quality product support. The collection and use of this data may be mandatory for compliance with existing legal regulations. Insofar as we collect or use data for purposes of advertising and customer retention, for example for performance reports, analyses and market-relevant assessments as well as invitations to specific events, following prior consent, there is a right of revocation for this consent at any time with effect for the future. The revocation can - just like the consent - be made orally, in writing or in text form.

VII. Data Protection Information for the Whistleblowing Portal

1. Controller

The controller for data processing in connection with the Whistleblowing Portal is the respective employer company of Aquila Capital that is required by national law to establish an internal reporting channel. The contact information of the controller can be viewed by the employees in their employment contract.

To the extent that the Whistleblowing Portal is also made available to third parties on Aquila Capital’s website, the controller for data processing is Aquila Capital Investmentgesellschaft mbH.

2. Processing purpose 

The Whistleblowing Portal is provided to Aquila Capital’s employees and third parties to report illicit or irregular activities within Aquila Capital, such as criminal activities and behavior that violates human rights. The goal is to protect Aquila Capital's business, assets, employees and its reputation. The Whistleblower Portal can be accessed here: https://portal.bdolegal-whistleblower.de/.

3. What kind of personal data are processed 

The reporting channel is managed by BDO Legal Rechtsanwaltsgesellschaft mbH ("BDO"), an external law firm. BDO is the primary addressee of a report. The submitted complaints/reports will be processed by lawyers (ombudspersons). 

As a user of the whistleblowing portal, you can choose:

• to make a completely anonymous report;
• to supplement the report with personal information;
• whether you wish your personal data to be disclosed to the relevant company;
• whether you wish to provide personal data of parties involved and/or witnesses;
• whether you want to upload documents to your report.

The ombudsperson will inform the assigned contact person of Aquila Capital’s  Compliance Department about the content of the reports, insofar as they are relevant under law and/or require further investigation. The conditions, format and method of informing the Compliance Department will be determined by the Ombudspersons on a case-to-case basis.

Depending on the information you provide and whether you consent to the disclosure, the Compliance Department consequently may also receive the disclosed personal data. Consequently, personal data is not obtained directly from the data subject, but from a third party in accordance with Art. 14 GDPR. The identity of the whistleblower will not be revealed without his/her explicit consent.

4. Legal basis of processing according to GDPR

As far as the GDPR is applicable, the following legal bases for data processing apply:

Reporting person (whistleblower):

Own personal data voluntarily disclosed by the whistleblower is processed on the basis of Art.6 (1)  c GDPR in conjunction with §12 (1) and §10 HInSchG. This includes compliance with applicable laws and regulations regarding the protection of whistleblowers and the reporting of illegal activities. Additioanlally, the processing of personal data is based on the legitimate interest pursuant to Art. 6 (1)  f GDPR. These interests include the prevention, detection, and investigation of misconduct, fraud, corruption, and other illegal activities within the organization, the prevention of damage and liability risks as described under clause 1 as well as ensuring compliance with relevant legal and regulatory frameworks.

Other (employee) personal data

Other employee’s data, in particular that of the accused person or other involved employees is also processed on the basis of Art. 6 (1)  c GDPR  in conjunction with § 12 (1) and § 10 HinSchG as well as Art. 6 (1)  f GDPR. Aquila Capital’s legitimate interest include the prevention, detection, and investigation of misconduct, fraud, corruption, and other illegal activities within the organization, the prevention of damage and liability risks, as well as ensuring compliance with relevant legal and regulatory frameworks. These interests have been determined to generally range above the interest of employees, potential victimization and stigmatization of accused persons are  avoided by a general restriction  of access to the information provided to the responsible Compliance Department and its obligation to maintain confidentiality.

Same applies to personal data of third parties which are not employees of Aquila Capital. 

5. Transmission of data

We treat all submitted personal information confidential and knowledge will generally be restricted to the Compliance Department which is located in Aquila Capital Investmentgesellschaft mbH.

Depending on the individual case, an involvement of Aquila Capital’s DPO, Legal Department or managing directors of the affected entity as well as a report to, collaboration or joint investigation with the relevant departments at Commerz Real Group (as Aquila Capital’s main shareholder) may be necessary. Before a transfer takes place, however, we examine in each individual case whether there is a legal basis for the transfer.

By submitting a report that voluntarily includes the disclosure of your identity, please be aware that we may be obliged to inform the accused person of your identity within one month of the submission in accordance with Art. 14 GDPR.

Data transfer to external parties or third countries does generally not take place, unless where it is necessary (e.g. in connection with necessary data analysis) or where we are legally required or it is necessary in connection with legal proceedings or on request of competent authorities, such as financial supervisory authorities.

6. Deletion of data
Any personal data is processed for as long as this is necessary to process the submission and follow-up investigations and will generally be deleted two months after the investigation has been completed. Storage beyond may be necessary and permissible for the duration of any further legal steps required, such as disciplinary proceedings or the initiation of criminal proceedings. Personal data deemed unnecessary for any of these purposes will be deleted immediately by the Compliance Department.

VIII. Video monitoring of office entrances/exits

1. Data controller and purpose of processing

The controller for data processing in direct connection with the implementation of video monitoring is Aquila Capital Holding GmbH, Valentinskamp 70, 20355 Hamburg as the provider of IT-services for the whole Aquila Group, including Aquila Capital. The data protection officer can be reached via the controller or directly at privacy-aq-group@aquila-capital.com.

Video monitoring is used exclusively for the prevention and prosecution of criminal offences, the prevention of access by unauthorized persons and the protection of company and business secrets. Furthermore, the monitoring measures are intended to help prevent break-ins and thefts.

2. What kind of data are processed?

Video monitoring at the offices are only carried out at the entrances/exits of the business premises.

Recordings are only made if movements are detected. These are pure visual recordings. Sound recordings, however, are not made.

3. Legal basis of the data processing

In accordance with Art. 6 (1) f GDPR, video monitoring serves to protect the householder's rights, prevent and investigate offences and protect material assets and information.

If personal data is processed based on legitimate interests pursuant to Art. 6 (1) f GDPR, you have the right to object to the processing of personal data if there are reasons to do so arising from the special situation. 

4. Transmission of data

Only the IT administrator and management board have access to the records on request. The IT administrator is an employee of the service provider Wipro Technologies GmbH. For this reason, a data processing agreement has been concluded with Wipro Technologies GmbH in accordance with Art. 28 GDPR. 

5. Deletion of the data

The storage is generally for a period of ten days. Beyond that, data will only be stored as far as this is necessary for the respective purpose in each individual case and no interests of the data subject worthy of protection conflict with further storage or the data subject demands longer storage.

(E) DATA SUBJECT RIGHTS

As a data subject, you have various rights vis-à-vis the responsible entity of Aquila Capital with regard to your personal data, which we inform you about below. You can also find details about your rights in Art.15-21 of the GDPR:

• Right to information according to Art. 15 GDPR:
  You have the right to request information about your personal data processed by the controller. In particular, about the processing purposes, the categories of personal data and about recipients or categories of recipients to whom the personal data have been disclosed. Furthermore, you have the right to obtain information about the planned duration of storage.
   
• Right to rectification pursuant to Art. 16 GDPR:
  You have the right to request without delay the correction of inaccurate or the completion of your personal data stored by the controller.
   
• Right to deletion according to Art. 17 GDPR
  You have the right to request the deletion of your data under the conditions specified in Art. 17 GDPR.
   
• Right to restriction according to Art. 18 GDPR
  In specific cases specified in the GDPR, you have the right to request the restriction of the processing of your personal data.
   
• Right to data portability according to Art. 20 GDPR
  In specific cases set out in the GDPR, you have the right to receive and transfer all personal data concerning you to another controller (right to data portability).

In particular, you have a

• Right of objection according to Art. 21 GDPR
  In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Article 6 (1) lit. e or f GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing of direct marketing, you may object to this processing pursuant to Art. 21 (2) and (3) GDPR.

as well as a

• Right of revocation according to Art. 7 para. 3 GDPR
  Insofar as we process your data on the basis of your consent (Art. 6 (1) lit. a or Art. 9 (2) GDPR), you have the right to revoke this consent at any time with effect for the future, without this affecting the lawfulness of the consent valid until then. The revocation is - like the granting of consent itself - possible orally or in text form.

To assert your rights, you can contact the responsible entity of Aquila Capital or Aquila Capital’s data protection officer (for contact details, see section II.2 of this Privacy Policy).

You also have a

• Right of appeal pursuant to Art. 77 GDPR
  You have the right to complain to a data protection supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or the registered office of the responsible controller.

Your rights under the FADP follow from Art. 25, 32, 38 FADP.

The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).

(F) Other applications, websites and services

Our website may contain links to other websites. This may allow you to access other services and applications that process your personal data. We are not responsible for the use and protection of personal data on these other sites. The use of personal data there is explained in separate data protection notices.

(G) Contact us

If you have any questions or comments about our handling of your personal data or if you would like to exercise the rights as a data subject mentioned in section 12, please contact our data protection officer at the following address:

Contact for questions and to exercise your rights as a data subject

privacy@aquila-capital.com

When you contact us by e-mail or via a contact form, we will store your e-mail address and, if you provide it, your name and telephone number in order to answer your questions. We delete the data arising in this context after storage is no longer required or - in the case of statutory retention obligations - restrict processing.

(H) Changes to this privacy policy

We always keep this privacy policy up to date. We therefore reserve the right to amend it from time to time and to update it to reflect changes in the collection, processing or use of your data. The current version of the privacy policy is always available on our website.

Status: 10.07.2025