II. Use of the website and data protection
1. Name and contact data of the controller for personal data processing on the Aquila Group website
We, Aquila Capital Holding GmbH, represented by the managing directors Dr. Dieter Rentsch und Roman Rosslenbroich, Valentinskamp 70, 20355 Hamburg (Tel.: +49 40 875050-100 / receptionist, Fax: +49 40 87 5050-129) are the controller for the processing of personal data in relation to the usage of the website.
2. Contact data of the Group Data Protection Officer
The Group Data Protection Officer of Aquila Group can be reached as follows:
Aquila Capital Holding GmbH
c/o the data protection officer
Valentinskamp 70, 20355 Hamburg
3. Processing of personal data in the context of informational use of our website
a. Description and scope of data processing
If you only use our website for informational purposes and have not consented to the setting and use of any optional cookies, we do not collect any personal data aside from the data transmitted by your browser, e.g. via basic cookies that are stored on your end device which are necessary to enable you to visit and functionally use the website.
That data is:
1. Date and time of your request
2. Duration of your visit
3. Time zone difference compared to Greenwich Mean Time (GMT)
4. Content of the request (specific page)
5. Access status / HTTP status code
6. Website & provider from/by which the request is made
8. Operating system
9. Language and version of the browser software
b. Legal basis of data processing
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.
To the extent that the GDPR is applicable, We process personal data exclusively
• with your consent (Art. 6 (1) lit. a GDPR),
• to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 (1) lit. b GDPR),
• to comply with a legal obligation (Art. 6 (1) lit. c GDPR) or
• where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 (1) lit. f GDPR).
If you apply for an open position in our company, we will, additionally, process your personal data to decide on whether to hire you (Art.6 para 1 sentence 1 lit b. GDPR.
c. Duration of data storage
Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations.
d. Disclosure to third parties
To facilitate the purposes described we may exchange your data with third parties. Examples are third parties used to manage our web servers and to analyse data who may be able to access your data in this context. A data processing agreement is concluded in this case.
If you make your personal data available to us for the purpose of potential future cooperation, potential investments and/or to enable us to contact you, we may disclose this data to affiliated companies (as defined in Sections 15 et seqq. of the German Stock Corporation Act), if there is a legitimate interest on our part and your interests, fundamental rights and freedoms do not outweigh.
Otherwise we only provide your personal data to third parties if we are obligated to do so by compulsory legal regulations, if you ask us to do so or have consented to the disclosure, or after the data has been anonymised or pseudonymised.
e. Data Transfer to third countries
Our data processing operations may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection is required in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country will only take place if appropriate safeguards pursuant to Art. 46 GDPR are in place or if one of the conditions of Art. 49 GDPR is met.
Unless otherwise stated below, we use the EU standard contractual clauses as appropriate safeguards for the transfer of personal data to third countries. You have the possibility to obtain a copy of these EU standard contractual clauses or to inspect them. To do so, please contact our data protection officer (contact information under II. clause 2.)
If you consent to the transfer of personal data to third countries, the transfer is made on the legal basis of Art. 49 (1) lit. a GDPR.
Insofar as the FADP is applicable, in the event of data transfer to countries whose legislation does not provide an adequate level of data protection, the protection of your data is ensured with the legally prescribed precautions, such as in particular the conclusion of contractual agreements (standard contractual clauses of the European Commission, as well as appropriate technical and organisational measures.
4. Processing of personal data during the use of our website features
a. Google Tag Manager
We use the Google Tag Manager of the provider Google Ireland Limited (Ireland, EU) on our website. The Google Tag Manager is used to manage our website tags via an interface. The Google Tag Manager is a cookie-free domain to which the IP address is transmitted for technical reasons. The Google Tag Manager merely ensures that other tags are triggered, which in turn may collect data without accessing this data themselves. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.
Where the GDPR is applicable, the legal basis for the transmission of the IP address is Art.6 (1) lit. f GDPR. Our legitimate interest serves as the administration of our website services and the triggering of other tags.
For more information on data processing, please visit: https://support.google.com/tagmanager/answer/7157428.
b. Contact form
We process your personal data provided in the contact form to contact you and to process your request. If your request is directed towards the conclusion or performance of a contract with us, Art. 6 (1) lit. b GDPR is the legal basis for the data processing (if the GDPR is applicable). Otherwise, we process the data based on our legitimate interest in contacting persons making enquiries. The legal basis for data processing is then Art. 6 (1) lit. f GDPR. Data transmitted via the contact form will remain with us until you request us to delete it or there is no longer any need to store the data. Mandatory legal provisions - in particular retention periods - remain unaffected.
If you also use our website to provide a profile/resume to us, we will also use that personal data to create our own professional profile for you in accordance with this Privacy Notice. Given that we will store your work history in this case, your submission must not contain any sensitive information with respect to race or ethnic origin, political opinions, religion or beliefs, trade union or political party memberships, genetic, physical or mental health status, dependencies, sexual orientation, criminal offences or criminal proceedings and related penalties or fines, social security number or national ID. If your profile contains such information regardless, you agree that we may store that information and also use it in accordance with this Privacy Notice. Please also note that where you provide information of a third party to us as a reference you are responsible for ensuring that the person involved is aware of your disclosure of his/her personal data and has provided his/her written consent to this disclosure.
We use Mapbox from the provider Mapbox, Inc. (USA) on our website to display maps and for virtual tours. For such integration, processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Mapbox and Mapbox may set its own cookies.
As far as the GDPR is applicable, the processing of your data is based on your consent in accordance with Art. 6 (1) a GDPR.
Our website uses plugins from Vimeo to integrate and display video content. The provider of the video portal is Vimeo Inc. (USA). When calling a page with an integrated Vimeo plugin, a connection to the servers of Vimeo is established and Vimeo may set its own cookies. This will tell Vimeo which of our pages you have accessed. Vimeo will know your IP address even if you are not logged in to the video portal or do not have an account there. The information collected by Vimeo is transmitted to servers of the video portal in the USA.
Vimeo can assign your surfing behaviour directly to your personal profile. You can prevent this by logging out beforehand.
When using the service, a transfer of your data to the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries". Details on the handling of user data can be found in Vimeo's data protection declaration at: https://vimeo.com/privacy.
Note on legal basis:
As far as the GDPR is applicable, the processing of your data is carried out on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR. Your consent is controlled via our consent management and can be revoked at any time.
5. Data processing on our social media page
We operate a company page on LinkedIn. Here we offer the possibility of information about our company and exchange.
LinkedIn Company Page
Generally, the LinkedIn Ireland Unlimited Company (Ireland/EU) is the sole controller of the processing of your personal data relating to a visit to our LinkedIn page. Further information on the processing of personal data by LinkedIn are available via www.linkedin.com/legal/privacy-policy;
If you visit or follow our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights which enable us to gain knowledge about the ways in which interact with our page (so called ‘insights’). For this purpose, LinkedIn processes, in particular, such data that you already shared with LinkedIn by adding it to your profile like, for example, position, country, field of work, seniority, company size and employment status. Further, LinkedIn collects information on how you interact with our LinkedIn company page, for example whether you follow our LinkedIn company page. LinkedIn does not share personal data with us by providing us with the insights. We only have access to a summarized version of the insights. Also, we are unable to make conclusions about individual members from the information in the insights. LinkedIn and we are joint controllers of the processing regard the page insights. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. As far as the GDPR is applicable, this finds its legal basis in Art. 6 (1) lit. f GDPR. We have concluded an agreement with LinkedIn on joint controllership in which the data protection duties are allocated between LinkedIn and us. The agreement is available via legal.linkedin.com/pages-joint-controller-addendum. The agreement stipulates the following:
• LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. In order to do so, you can contact LinkedIn online via https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de or via the contact details in the data protection guidelines. You can contact the Data Protection Officer of LinkedIn Ireland via the following link: www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also reach out to us via the contact details mentioned above for the exercise of your rights relating to the processing of your personal data for insights. In such a case, we will forward your request to LinkedIn.
• LinkedIn and we have agreed that the Irish data protection commission shall be the responsible supervisory authority monitoring the processing for insights. You always have the right to lodge a complaint with the Irish data protection commission (see www.dataprotection.ie) or any other supervisory authority.
Please note that user data is also processed in the USA and other third countries according to LinkedIn’s data protection guidelines. LinkedIn only transfers user data to countries for which the European Commission has adopted an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR.
a. Description and scope of data processing
If you want to, you can suppress the storage of cookies in general through your web browser or you can decide if you want to be asked if a cookie should be stored or not. However, if you do not accept cookies some pages may not be displayed correctly anymore.
1. Language and country
2. Browser settings and installed plug-ins
3. Data on the use of our website.
This website uses the following cookies:
Transient cookies (temporary use)
Persistent cookies (use for a limited time)
Transient cookies are deleted automatically when you close your browser. They specifically include session cookies. Session cookies store a "session ID" which allows to allocate various requests from your browser to a joint session. This allows the website to recognize your computer when you return to the website. Session cookies are deleted when you log out or close your browser.
Persistent cookies are deleted automatically after a specified period which may vary depending on the type of the cookie. You can delete the cookies at any time in the security settings of your browser.
More information on how cookies work can be found on the following website: http://www.allaboutcookies.org.
b. Purpose and legal basis of data processing
c. Duration of storage -objection and elimination options
d. Customise cookie settings
When calling up our website, we offer you the possibility to individually adjust the optional cookies via the "Settings" item in the cookie banner. Your consent to optional cookies is voluntary, not necessary for the use of this website and can be revoked at any time. You can adjust the cookie settings here at any time:
In addition, the banner helps us to provide evidence of the declaration of consent. For this purpose, we process information about the declaration of consent and further log data about this declaration. Cookies are also used to collect this data. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (if the GDPR applies: Art. 6 (1) lit. c in conjunction with Art. 7 (1) GDPR).
7. Google Analytics
We use the Google Analytics service (Google Analytics 4) of the provider Google Ireland Limited (Google Ireland/EU) on our website.
Some of this data is information stored in the end device you are using. In addition, further information is also stored on your end device via the cookies used. Such setting of cookies, storage of information by Google Analytics or access to information already stored in your end device as well as the processing of data by us will only take place with your consent.
Google Ireland will process the data thus collected on our behalf in order to evaluate the use of our website by users, to compile reports on the activities within our website and to provide us with further services related to the use of our website and the use of the Internet. In doing so, pseudonymous user profiles can be created from the processed data.
The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the setting of the cookies and data processing in connection with the Google Analytics service is therefore § 25 (1) TTDSG and Art. 6 (1) a GDPR (If the GDPR is applicable). You can revoke this consent via the Cookie Settings at any time with effect for the future.
The personal data processed on our behalf to provide Google Analytics may be transferred to any country in which Google Ireland or Google Ireland's sub-processors maintain facilities. Google Ireland transmits data to Google LLC and its servers located in the United States. For the United States, an adequacy decision has been adopted by the EU Commission. Google Ireland currently continues to use the EU standard data protection clauses as appropriate safeguards for these transfers of personal data to the United States , which can be found at the following link: https://business.safety.google/adsprocessorterms/sccs/eu-p2p-intra-group/ and has performed a Transfer Impact Assessment for the transfer.
The data on user actions is stored for a period of 2 months to enable us to reach the purposes for which we collected the data and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.
8. LinkedIn Insights and Conversion Tracking – LinkedIn Pixel
We use the LinkedIn Insight tag on our website, a marketing product of LinkedIn Ireland Unlimited Company (Ireland, EU). For information on the contact details of LinkedIn Ireland and the contact details of the data protection officer of LinkedIn Ireland, please refer to LinkedIn’s data policy at https://www.linkedin.com/legal/privacy-policy.
We can perform various functions via the LinkedIn Insight tag, which we describe in detail below.
LinkedIn conversion tracking is an analytics function supported by the LinkedIn Insight tag. The LinkedIn Insight tag allows us to collect data about visits to our website, including URL, referrer URL, IP address, device, and browser properties (user agent) and timestamp. IP addresses are shortened or (if used to reach members across devices) hashed. LinkedIn does not provide us with any personally identifiable information, only reports (which do not identify you) on website audience and ad performance. This allows us to track the effectiveness of LinkedIn ads for statistical and market research purposes.
Members’ direct identifiers are removed by LinkedIn within seven days to pseudonymise the data. LinkedIn then deletes this remaining pseudonymised data within 180 days.
This processing is done for the purpose of obtaining information about our website target group and a report on the effectiveness of LinkedIn campaigns.
We also use the Matched Audiences service to target our advertising campaigns to specific audiences. Through LinkedIn Matched Audiences and related data integrations, we can target advertising to specific audiences based on data we provide to LinkedIn (e.g. company lists, hashed contact information, device identifiers or event data such as websites visited).
This processing is done for the purpose of marketing our offerings via the targeting of advertising.
We have entered into a joint controller agreement with LinkedIn, which sets out the distribution of data protection obligations between us and LinkedIn. You can view this here: https://legal.linkedin.com/pages-joint-controller-addendum.
9. Your rights
III. General data protection information for the Aquila Group
The privacy, protection and processing of your personal data is very important to Aquila Group (meaning Aquila Capital Holding GmbH and its affiliated entities in the sense of sections 15 et seqq. of the German Stock Corporation Act (AktG)). In the following we would like to inform you about the processing of your personal data at Aquila Group and your rights regarding personal data protection. Which specific personal data will be processed and/or used depends on the specific business relationship with you and/or the processing occasion and purpose or other factors. In this respect, you will find in section IV and following sections specific data protection information relating to specific processing activities. Information regarding your rights are detailed in section IX. The GDPR applies to the majority of the Aquila Group companies. If other data protection laws or regulations are applicable, the Aquila Group will observe them and, if necessary, provide separate information if this should be required. In particular, where matters affect Switzerland, the Aquila Group will comply with the requirements of the Federal Data Protection Act ("FDPA”).
1. Name and contact data of the controller
Controller within the meaning of GDPR and/or other data protection laws or regulations, is the legal entity within Aquila Group, with which you maintain a business relationship, that collects personal data from you or to which you provide personal data.
The responsible companies of Aquila Group with legal seat in Hamburg, Germany, can be reached as follows:
Valentinskamp 70, 20355 Hamburg, Germany
Tel.: +49 40 875050-100
The responsible companies of Aquila Group with legal seat in the UK can be reached as follows:
20th Floor, Leaf B, Tower 42, 25 Old Broad Street, London EC2N 1HQ
Tel. +44 2082085400
The responsible companies of Aquila Group with legal seat in Luxembourg, can be reached as follows:
Airport Center Luxembourg, 5, Heienhaff, 1736 Senningerberg, Luxembourg
Tel.: +352 24 83 29 1
The responsible companies of Aquila Group with legal seat in Spain can be reached as follows:
Paseo de la Castellana, 259D, Torre Espacio , 28046 Madrid, Spain
Tel.: +34 91 511 90-50
The responsible companies of Aquila Group with legal seat in Switzerland can be reached as follows:
8001 Zurich, Switzerland
phone: +49 40 87 5050-100
The responsible companies of Aquila Group with legal seat in Norway can be reached as follows:
Haakon VIIs Gate 2
0161 Olso, Norway
phone: +47 90 14 36 67
The responsible companies of Aquila Group with legal seat in the Netherlands can be reached as follows:
Schiphol Boulevard 215, WTC Schiphol
1118BH Schiphol, Netherlands
phone: +49 40 87 5050-100
The responsible companies of Aquila Group with legal seat in Japan can be reached as follows:
12FYurakucho Itocia, 2-7-1 Yurakucho, Chiyoda-ku
100-0006 Tokio, Japan
phone: +49 40 87 5050-100
The responsible companies of Aquila Group with legal seat in Singapore can be reached as follows:
138 Market Street #15-03 Capitagreen
phone: +49 40 87 5050-100
The responsible companies of Aquila Group with legal seat in Portugal can be reached as follows:
Avenida Fontes Pereira de Melo, N14, 11
phone: +351 211 328 420
The responsible companies of Aquila Group with legal seat in Greek can be reached as follows:
151 25 Maroussi, Athen
The responsible companies of Aquila Group with legal seat in Italy can be reached as follows:
Via Mike Bongiorno 13
2. Contact data of the data protection officer
The group data protection officer of Aquila Group can be reached as follows:
Aquila Capital Holding GmbH
c/o data protection officer
Valentinskamp 70, 20355 Hamburg
3. Purpose of personal data processing and legal basis
We process personal data in accordance with the relevant data protection rules and regulations, in particular with GDPR.
The processing of personal data is necessary for the performance of a contract with you (Art. 6 (1) lit b GDPR).
The processing of personal data is necessary for the purposes of the legitimate interests pursued by you or by a third party (Art. 6 (1) lit. f GDPR).
If you have declared your consent in the processing of personal data for certain purposes, we process such data on the basis of your consent (Art. 6 (1) lit. a GDPR.
In addition, we are subject to a large number of legal obligations (money- laundering act, tax law etc.) as well as regulatory regulations. For this purpose we can use and process your personal data (Art. 6 (1) lit. c GDPR).
4. Recipients or categories of recipients of the personal data
Your personal data will be transmitted within Aquila Group to all entities, which need these data for contractual and/or regulatory purposes, insofar as we are entitled to do so on the basis of the applicable data protection provisions.
We also may transmit your personal data to data processors. These recipients are contractually obliged to comply with the currently applicable data protection legislation and to maintain confidentiality. To comply with certain contractual obligations we may transmit personal data to other recipients, e.g. public authorities or organisations in case of legal obligations. When we are transferring personal data outside EU or Switzerland, we ensure that the country has an adequate level of data protection. If the country does not have an adequate level of data protection, we will ensure an adequate level of protection by means of appropriate contractual arrangements (e.g. based on standard contractual clauses of the European Commission or ours and effective technical security measures). Contact us if you would like a copy of the standard contractual clauses.
5. Duration of storage
After collection, your data will be stored for as long as necessary to fulfil the purpose for which it was collected, taking into account the statutory retention periods.
We are subject to miscellaneous safekeeping and documentation obligations that may arise from e.g. German Commercial Code or General Fiscal Code. Pursuant to the provisions of these laws, personal data must generally be retained for a period of ten years. In addition, the statutory period of limitations within the meaning of §§ 195 et seq. German Civil Code (BGB) shall apply in relation to the duration of storage period. Thus, the maximum period of limitation term is up to 30 years. However, retention periods according to legal regulations of other countries may also apply.
6. Automated decision-making including profiling
Your personal data will be partially processed automatically, to analyse certain personal aspects (profiling). Profiling is used in the following areas: We are subject to certain legal and regulatory requirements, e.g. anti-money laundering, terrorist financing and asset risk offenses. Concurrently, these measures are for your protection.
7. Your rights
IV. Data protection information according to Art. 13 GDPR for telephone recording pursuant to MiFID/MiFIR
1. Controller according to Art. 4 no. 7 GDPR
Aquila Capital Investmentgesellschaft mbH is the controller of the data processing.
2. Purpose of the data processing
In accordance with the requirements of Directive 2014/65/EU ("MiFID II") and Regulation (EU) No. 600/2014 ("MiFIR") the obligation to record and store telephone calls and electronic communication in the performance of ancillary services has existed since January 3, 2018 (Aquila Capital Investmentgesellschaft mbH).
The obligation to record telephone conversations and electronic communication equivalent thereto requires that the conversation and electronic communication between the investors and controller mentioned under 1. be directed at least at the transactions carried out in trading for own account or at the acceptance, transmission or execution of investor orders. This also includes the provision of ancillary services such as investment brokerage, investment advice and financial portfolio management.
The aim of the supervisory authority is to give clients the opportunity to further document the investment mediation process in addition to the written records (e.g. in the brokerage protocol) as part of strengthening investor protection. The requirement applies to all client categories (private clients, semi-professional clients, professional clients and eligible Counterparties). In order to achieve this goal, Art.16 para. 7 MiFID II now prescribes the binding obligation to record telephone calls and electronic communication in addition to the general recording obligation of Art. 16 para. 6 MiFID II. For evidence purposes, all relevant telephone conversations or parts thereof with (potential) customers can be recorded in relation to business transactions or business conversations.
3. Legal basis for data processing
The data protection legal basis for these records derives from Art. 6 (1) lit. c. GDPR in conjunction with Art.16 para. 7 MiFID II, para. 6 MiFID II, Art. 76 MiFID II-DVO, §83 WpHG, §9 WpDVVerOV
4. Data protection officer
5. Recipient of the data
For audit purposes, Aquila Group's Compliance Department and Audit Department may be granted access to the telephone records. In addition, access by external auditors is possible.
The competent supervisory authorities (data protection authority, BaFin) may also request existing recordings of telephone calls or electronic communications from the responsible parties for audit purposes.
For the implementation of the recording obligation, the responsible parties work together with the external service provider ASC Technologies AG. A data processing agreement has been concluded. The hosting of the data takes place exclusively in Germany.
6. Deletion of data
Records to which Aquila Capital Investementgesellschaft mbH is legally obligated are kept for 5 years, maximum 7 years from the date of creation (§ 83 para. 3. WpHG in conjunction with Art 16 para. 7 MiFID II), unless legal retention periods apply that require longer storage.
The controllers collect this personal data as evidence of transactions carried out and to comply with applicable legal requirements.
7. Rights of the data subjects
V. Data protection information for video and telephone conferences via "Microsoft Teams"
The controller for data processing in direct connection with the holding of video and telephone conferences (hereinafter "Online Meetings") is Aquila Capital Holding GmbH.
2. Purpose of the data processing
We use the tool "Microsoft Teams" to conduct telephone and video conferences within the business purposes of Aquila Group. Different types of data are processed. The extent of the data also depends on the information provided before or during participation in an online meeting.
3. Which data is processed?
User details: e.g. display name, e-mail address (if applicable), profile picture (optional), preferred language
Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
Text, audio and video data: It is possible to use the chat function in an online meeting. In this respect, the text entries made by the respective user are processed in order to display them in the online meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera on the terminal device are processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the "Microsoft Teams" applications.
Log files, protocol data
4. Legal basis for data processing
The legal basis for data processing of "online meetings" is Art. 6 (1) lit. b GDPR, if the GDPR applies, insofar as the meetings are conducted within the framework of contractual relationships. If no contractual relationship exists, the legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest is to ensure effective communication between employees of Aquila Group and external persons/companies or business partners. Particularly against the background of the Corona Pandemic, the use of long-distance means of communication had to be increased in order to avoid, for example, personal meetings. You have the right to object to the processing of your personal data which is carried out (i.a.) on the basis of Art. 6 (1) lit. f GDPR at any time on grounds relating to your particular situation in accordance with Art. 21 GDPR.
5. Data protection officer
6. Recipient of the data
Personal data processed in connection with participation in online meetings is generally not passed on to third parties, unless it is specifically intended to be passed on. Please note that content from online meetings, as well as personal meetings, is used to communicate information to third parties and is therefore intended for disclosure.
Furthermore, we would like to inform you that the employees of Aquila Group are employed in various group companies. It is therefore possible that the meeting data may be passed on within the group. Our legitimate interest according to Art. 6 . (1) lit. f GDPR is to make online meetings effectively available to every employee in the company. You have the right to object to the processing of your personal data which is carried out (i.a.) on the basis of Art. 6 (1) lit. f GDPR at any time on grounds relating to your particular situation in accordance with Art. 21 GDPR. Further recipient: Microsoft necessarily receive knowledge of the above-mentioned data, as far as this is provided for in the framework of the contract processing agreements.
Microsoft Teams is part of the Office 365 cloud application, for which a user account must be created. Microsoft also reserves the right to process customer data for its own business purposes. According to Microsoft, these are activities related to the provision of the services, such as usage-based billing, capacity planning and combating cybercrime. Use for user profiling, advertising or similar commercial purposes is expressly excluded by contract. Please note that we have no control over Microsoft's data processing. To the extent that Microsoft teams process personal information in connection with Microsoft's legitimate business operations, Microsoft is an independent data controller for that use and as such is responsible for compliance with all applicable laws and a data controller's obligations. For more information about the purposes and extent of data collection and processing by Microsoft Teams, please see the Microsoft Privacy Statement at privacy.microsoft.com/de-de/privacystatement and Microsoft Teams at docs.microsoft.com/de-de/microsoftteams/teams-privacy. You can also obtain further information about your rights in this regard.
Since Microsoft is based in the USA, data processing outside the European Union (EU) is also possible. An adequacy decision exists for the USA. Despite this measures have been taken to protect data processing by a third country (e.g. standard contract clauses).You can request to view the relevant documents and guarantees at firstname.lastname@example.org.
Furthermore, we cannot exclude the possibility that the routing of data is carried out via Internet servers located outside the EU. This may be the case in particular if participants in online meetings are located in a third country. However, the data is encrypted during transport over the Internet and thus protected against unauthorized access by third parties.
7. Deletion of data
The online meetings are generally not recorded. We point out that the (secret) recording of video and/or audio data as well as the storage and distribution of the recordings is punishable by law.
A requirement for the recording and storage of data can exist in particular if the data is still needed to fulfill contractual services, to check and grant or ward off warranty and guarantee claims. In the case of legal storage obligations, deletion only comes into consideration after expiry of the respective storage obligation.
8. Rights of the data subject
VI. Data Protection Information for the Know Your Counterparty Check (KYC-Check)
The responsible company in the context of the KYC-Check is Aquila Capital Investmentgesellschaft mbH (“ACI”), Valentinskamp 70, 20355 Hamburg, email@example.com.
2. Processing purposes and legal basis of the data processing
The collection and further processing are carried out for the fulfillment of legal obligations to which ACI is subject (on the basis of Art. 6 (1) lit. c GDPR in conjunction with § 28 KAGB, § 25h KWG, §§ 10-17 GwG) for the prevention of money laundering, financing of terrorism and other criminal acts. The main measure to comply with this obligation is
the identification of the business/contractual partner and, if applicable, the persons acting on its behalf and their authorization and also
the determination of whether the contractual partner or the beneficial owner is a politically exposed person (PEP), a family member or a known related person of a PEP.
In the case of applicability of the GDPR, the following legal bases also arise :Since KYC checks are also to be carried out for contractual relationships in which ACI is not involved, the legal basis for the data processing in this context results from Art. 6 (1) f GDPR. ACI has a legitimate interest in ensuring that all transactions concluded within the Aquila Group comply with the high standards required by the Money Laundering Act (GwG), as any unlawful circumstances arising in these business relationships may in principle also affect ACI.
You have the right to object to the processing of your personal data which is carried out (i.a.) on the basis of Art. 6 (1) f GDPR at any time on grounds relating to your particular situation in accordance with Art. 21 GDPR.
3. What personal data is processed
Depending on the constellation, the following personal data of the acting person(s) and the beneficial owner may be collected and processed during a KYC-Check in connection with the KYC questionnaire and the associated verification documents (e.g. copy of ID, proof of residential address):
Surname, first name, nationality, date of birth, place of birth, ID card data (e.g. ID card number, date of issue, issuing authority), address data (street, house number, zip code, city, country), attribute of beneficial owner, information on origin of assets, gross income, type of contribution, PEP status (in this context, if applicable, also name of family members or other known related persons if they have a PEP status), any additional data that may result from the verification documents: Copy of ID (title, birth name, height, eye color, signature, order or artist name, if applicable), proof of address document (electricity consumption, telephone log, etc., if applicable).
4. Data Protection Officer
5. Data Transfer
Aquila Group - Internal: Since the data regarding the KYC check is collected by the respective employee responsible for the contract, there may be a transfer of data within the group.
External Service Providers: ACI uses external service providers to fulfill the purposes described in the context of the KYC check. For example, the collected data is stored in the customer management software "Salesforce", provided by Salesforce Inc. Salesforce is supported and maintained by our service providers Hanse CRM GmbH, Omega CRM Consulting S.L. and IT-Lotsen GmbH, whose employees may become aware of the above data in the course of providing their services. In addition, your name is checked against current PEP and sanctions lists via the tool WorldcheckOne, provided by Refinitiv Germany GmbH, as well as against, among other things, press releases on the subject of financial crime by Factiva Limited. Lionware GmbH is engaged for cases of necessary ID-verifications via post-ident.
Other Recipients: In addition, ACI may make (individual or combined) collected data available to other recipients, for example, to those companies that are jointly involved with Aquila Group in the procurement of investment projects, namely buyers or financing companies of the investment properties or owner companies. They pursue a similar, albeit separate interest in the audit, which they may carry out parallel as an independent responsible party. The additional verification can further reduce the overall risk of financial crime (especially prevention of money laundering and terrorist financing) in potential projects or project participations. In addition, in the case of investors in Luxembourg investment funds, Aquila forwards the data to the relevant register and transfer agent Apex Fund Services S.A. for the opening of the register, which is necessary to complete the subscription of shares in the investment fund. Before forwarding, Aquila checks the correctness and completeness of the data and documents collected.
6. Transfer to third countries
A transfer of personal data to a third country only takes place if the legal requirements are met. Some of the external service providers are registered in the USA. However, the data is stored on servers located within the European Economic Area.
We have concluded the necessary data protection agreements with all recipients of personal data. We have taken special measures to ensure that your personal data is processed just as securely in these third countries as it would be in the European Union. We sign data protection clauses provided by the Commission of the European Union with service providers in third countries. These clauses provide guarantees for the protection of your personal data with service providers in third countries and if necessary, we take additional measures to protect the data.
If you wish to inspect the existing contracts/guarantees, you can contact our data protection officer.
7. Deletion of Data
Your data is stored for as long as it is required for the processing purpose or until the expiry of statutory retention periods. KYC documents and the data contained therein are subject to a basic retention period of 5 years from the end of the business relationship pursuant to Section 8 (4) GwG and are generally deleted after expiry. Other storage and documentation obligations may arise, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO) to which ACI is subject to. The periods prescribed there for storage or documentation are two to ten years from the end of the year in which the last action was taken on the tax-relevant documents (usually the last annual financial statement/tax return of the fund). Finally, the storage period also depends on the applicable statutory limitation periods, e.g. according to §§ 195 et seq. of the German Civil Code (BGB), are generally three years, but in certain cases can be up to thirty years.
8. Voluntariness and necessity of the provision of personal data
The provision of personal data as part of the KYC-Check is neither legally nor contractually required of you. You are therefore not obliged to provide any information in this regard. Please note, however, that Aquila cannot enter into a business relationship with you without the provision of the requested data.
9. Automated decision making including profiling
We use automated decision making to process personal data to check whether individuals, companies or organizations are on sanctions lists and/or Politically Exposed Person (PEP) lists. This is to ensure that we comply with legal obligations and minimize the risk of financial crimes, such as money laundering or terrorist financing. Automated decision making is based on algorithms and is performed by systems operated by our service provider. We take reasonable steps to ensure that automated decision making is fair and transparent and protects the rights of data subjects. If you have any questions or concerns about automated decision making, please contact us.
10. Rights of the data subject
VII. Data Protection Information for Product-Related Disclosure Obligations pursuant Art. 10 SFDR
The responsible data controller for processing of personal data in connection with product related disclosure obligations pursuant to Art. 10 of the Sustainable Finance Disclosure Regulation (“SFDR”) is Aquila Capital Investmentgesellschaft mbH.
2. Subject Matter, personal data and legal basis of the processing, usage of data
3. Data Protection Officer
4. Retention and Deletion of Data
The log-in data is only stored for the duration of the log-in and is automatically deleted after the session.
5. Voluntariness and necessity of the provision of personal data
The provision of personal data as part of the log-in requirements to the investor space is neither legally nor contractually required of you. You are therefore not obliged to provide any information in this regard. Please note, however, that you will not be able to enter the investor space and view the information provided there in this case.
6. Rights data subjects
VIII. Data Protection Information for the Whistleblowing Portal
The controller for data processing in connection with the Whistleblowing Portal is each employer company of Aquila Group that is required by national law to establish an internal reporting channel. The contact information of the controller can be viewed by the employees in their employment contract.
To the extent that the Whistleblowing Portal is also made available to third parties on websites of the Aquila Group, the controller for data processing is Aquila Capital Investmentgesellschaft mbH, Valentinskamp 70, 20355 Hamburg, firstname.lastname@example.org.
2. Processing purpose
The Whistleblowing Portal is provided to Aquila Group’s employees and third parties to report illicit or irregular activities within Aquila Group, such as criminal activities and behavior that violates human rights. The goal is to protect the Aquila Group's business, assets, employees and its reputation. The Whistleblower Portal can be accessed here: https://portal.bdolegal-whistleblower.de/.
3. What kind of personal data are processed
The reporting channel is managed by BDO Legal Rechtsanwaltsgesellschaft mbH ("BDO"), an external law firm. BDO is the primary addressee of a report. The submitted complaints/reports will be processed by lawyers (ombudspersons).
As a user of the whistleblowing portal, you can choose:
to make a completely anonymous report;
to supplement the report with personal information;
whether you wish your personal data to be disclosed to the relevant company;
whether you wish to provide personal data of parties involved and/or witnesses;
whether you want to upload documents to your report.
The ombudsperson will inform the assigned contact person of the Compliance Department about the content of the reports, insofar as they are relevant under law and/or require further investigation. The conditions, format and method of informing Group Compliance will be determined by the Ombudspersons on a case-to-case basis.
Depending on the information you provide and whether you consent to the disclosure, the Compliance Department of Aquila Group consequently may also receive the disclosed personal data. Consequently, personal data is not obtained directly from the data subject, but from a third party in accordance with Art. 14 GDPR. The identity of the whistleblower will not be revealed without his/her explicit consent.
4. Legal basis of processing according to GDPR
As far as the GDPR is applicable, the following legal bases for data processing apply:
Reporting person (whistleblower)
Own personal data voluntarily disclosed by the whistleblower is processed on the basis of Art.6 para 1 sentence 1 lit. f GDPR. The processing of personal data is based on the legitimate interest of the detection and prevention of wrongdoing and the related prevention of damage and liability risks as described under clause 1.
Other (employee) personal data
Other employee’s data, in particular that of the accused person or other involved employees is also processed on the basis of Art. 6 para 1 sentence 1 lit. f) GDPR for the group’s legitimate interests to help prevent, investigate and solve illicit activities and to prevent legal consequences and/or a negative image for the Aquila Group. These interests have been determined to generally range above the interest of employees, such as potential victimization and stigmatization of accused persons which is avoided by a general limitation of access to the submitted information to, and the confidentiality commitment of, the responsible Compliance Department.
Same applies to personal data of third parties which are not employees of Aquila Group.
5. Transmission of data
We treat all submitted personal information confidential and knowledge will generally be restricted to the Aquila Compliance Department which is located in the Aquila Capital Investmentgesellschaft mbH.
Should the involvement of the Compliance department result in a transfer of data in the Group this is justified by legitimate interests, pursuant to Art. 6 para 1 sentence 1 lit. f GDPR. It is essential that a qualified and separate department receives the reports and, if necessary, initiates further steps. The employee is informed that a centralized Compliance Department exists which is not assigned to the employer company.
Depending on the individual case, an involvement of the group’s internal Legal Department or managing directors of the affected entity may be necessary. Before a transfer takes place, however, we examine in each individual case whether there is a legal basis for the transfer.
By submitting a report that voluntarily includes the disclosure of your identity, please be aware that we may be obliged to inform the accused person of your identity within one month of the submission in accordance with Art. 14 GDPR.
Data transfer to external parties or third countries does not take place, unless where we are legally required or it is necessary in connection with legal proceedings or on request of competent authorities, such as financial supervisory authorities.
6. Deletion of data
Any personal data is processed for as long as this is necessary to process the submission and follow-up investigations and will generally be deleted two months after the investigation has been completed. Storage beyond may be necessary and permissible for the duration of any further legal steps required, such as disciplinary proceedings or the initiation of criminal proceedings. Personal data deemed unnecessary for any of these purposes will be deleted immediately by Compliance.
IX. DATA SUBJECT RIGHTS
As a data subject, you have various rights vis-à-vis the responsible entity of Aquila Group with regard to your personal data, which we inform you about below. You can also find details about your rights in Art.15-21 of the GDPR:
Right to information according to Art. 15 GDPR:
You have the right to request information about your personal data processed by the controller. In particular, about the processing purposes, the categories of personal data and about recipients or categories of recipients to whom the personal data have been disclosed. Furthermore, you have the right to obtain information about the planned duration of storage.
Right to rectification pursuant to Art. 16 GDPR:
You have the right to request without delay the correction of inaccurate or the completion of your personal data stored by the controller.
Right to deletion according to Art. 17 GDPR
You have the right to request the deletion of your data under the conditions specified in Art. 17 GDPR.
Right to restriction according to Art. 18 GDPR
In specific cases specified in the GDPR, you have the right to request the restriction of the processing of your personal data.
Right to data portability according to Art. 20 GDPR
In specific cases set out in the GDPR, you have the right to receive and transfer all personal data concerning you to another controller (right to data portability).
In particular, you have a
Right of objection according to Art. 21 GDPR
In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Article 6 (1) lit. e or f GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing of direct marketing, you may object to this processing pursuant to Art. 21 (2) and (3) GDPR.
as well as a
Right of revocation according to Art. 7 para. 3 GDPR
Insofar as we process your data on the basis of your consent (Art. 6 (1) lit. a or Art. 9 (2) GDPR), you have the right to revoke this consent at any time with effect for the future, without this affecting the lawfulness of the consent valid until then. The revocation is - like the granting of consent itself - possible orally or in text form.
You also have a
Right of appeal pursuant to Art. 77 GDPR
You have the right to complain to a data protection supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or the registered office of the responsible controller.
Your rights under the FADP follow from Art. 25, 32, 38 FADP.
The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).