In this section we provide general information about data protection at Aquila Capital. The European general data protection regulation (“GDPR”) applies to the majority of Aquila Capital companies and their processing operations. If other data protection laws or regulations are applicable, Aquila Capital will observe them and provide separate information if this should be required.

I. Name and contact data of relevant Aquila Capital controllers

Controller within the meaning of GDPR and/or other data protection laws or regulations, is generally the legal entity of Aquila Capital, with which you maintain a business relationship, that collects personal data from you or to which you provide personal data, unless otherwise specified in the individual processing activities of this Privacy Policy. A complete list of all potentially relevant Aquila Capital controllers, including their contact details, can be found below under the section (N) Contact us.

II. Contact data of the data protection officer

The data protection officer of Aquila Capital, responsible for all relevant controllers, can be reached as follows:

Aquila Capital Investmentgesellschaft mbH
c/o data protection officer
Valentinskamp 70, 20355 Hamburg
privacy@aquila.capital

If you have any questions or comments about our handling of your personal data or if you would like to exercise your rights as a data subject, please contact the data protection officer.

When you visit our website, personal data of you is processed. The scope of the processing of personal data depends largely on your use and choice of settings, in particular your consent or no consent to the setting and usage of different cookies (including other tracking/analytic tools and integrated external services) as well as what functions you choose to use within the website.

We operate a company page on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Here we offer the possibility of information about our company and exchange with you.

If you visit or follow our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights which enable us to gain knowledge about the ways in which interact with our page (so called ‘insights’). LinkedIn does not share personal data with us by providing us with the insights.

The processing serves our legitimate interest according to Art. 6 (1) lit. f GDPR. Our legitimate interest lies in evaluating the ways in which people interact with our page and improving our page and services based on this, in order to make them more efficient and attractive. We ensure that the interests or fundamental rights and freedoms of data subjects’ do not prevail.

LinkedIn Ireland Unlimited Company and us are joint controllers of the processing regarding the page insights. Therefore we have concluded an agreement with LinkedIn on joint controllership in which the data protection duties are allocated between LinkedIn and us. The agreement is available via https://www.linkedin.com/legal/l/page-joint-controller-addendum. The agreement stipulates the following:

• LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. In order to do so, you can contact LinkedIn online via https://www.linkedin.com/help/linkedin or via the contact form to their Data Protection Officer https://www.linkedin.com/help/linkedin/ask/TSO-DPO . You can also reach out to us via the contact details mentioned above for the exercise of your rights relating to the processing of your personal data for insights. In such a case, we will forward your request to LinkedIn.

• LinkedIn and us have agreed that the Irish data protection commission shall be the responsible supervisory authority monitoring the processing for insights. You always have the right to lodge a complaint with the Irish data protection commission (see www.dataprotection.ie) or any other supervisory authority.

We delete the data arising in this context after storage is no longer required. You can find further information in LinkedIn’s Privacy Policy here: https://www.linkedin.com/legal/privacy/eu

When you contact us by e-mail or telephone, we will store your e-mail address or telephone number, as well as your name if you provide it, in order to answer your questions, process your request or continue connected discussions.

Controller within the meaning of GDPR, is the legal entity of Aquila Capital who you may contact and provide your personal data to. A complete list of all potentially relevant Aquila Capital controllers, including their contact details, can be found below under the Section (N) Contact us.

If your request is directed towards the conclusion or performance of a contract with us, Art. 6 (1)  lit. b GDPR is the legal basis for the data processing (if the GDPR is applicable). Otherwise, we process the provided personal data based on our legitimate interest in contacting persons making enquiries in accordance with Art. 6 (1) lit. f GDPR. The legitimate interest includes the ability to answer received queries, improve services and increase customer satisfaction. Data subjects should reasonably expect that their data will be processed to handle their requests, which may justify the processing in the context of data subjects’ legitimate expectations.

We may disclose this data to affiliated companies within Aquila Capital and/or Commerzbank Group, if there is a legitimate interest on our part and your interests, fundamental rights and freedoms do not outweigh. Otherwise, we only provide your personal data to third parties if we are obligated to do so by compulsory legal regulations, if you ask us to do so or have consented to the disclosure, or after the data has been anonymised or pseudonymised. For more detailed information on the disclosure of personal data to third parties, please refer to the below Section (K) Disclosure and Transfer of Data.

We delete the data arising in this context after storage is no longer required or - in the case of statutory retention obligations - restrict processing.

I. Controller

Aquila Capital Investmentgesellschaft mbH is the controller of the data processing in connection with the taping obligations.

II. Processing purpose

As an investment firm, we are legally required, as part of the implementation of the regulatory requirements of Directive 2014/65/EU (MiFID II), and Regulation (EU) No. 600/2014 (MiFiR) to record and store, both incoming and outgoing telephone calls and equivalent electronic communication by employees of our Sales- and Portfoliomanagement FAG departments. This applies to relevant calls from fixed-line phones and from cell phones as well as relevant email-communication. The so-called taping affects all conversations concerning the acceptance and forwarding of orders, the execution of client orders and trading on own account. This also includes the provision of ancillary services such as investment brokerage, investment advice and financial portfolio management. The aim is to strengthen investor protection by additionally documenting (in addition to the written records, e.g. in the mediation protocol) the process of investment mediation.

III. Which personal data is being processed

We would like to point out that the entire content of all relevant telephone conversations as well as relevant email-communication with (potential) customers, including all the data mentioned, is recorded and not just the part concerning investment mediation. Our legal requirement applies to all client categories (private clients, semi-professional clients, professional clients and eligible Counterparties).

IV. Legal basis for data processing

The data protection legal basis for the processing of your personal data is Art. 6 (1) lit. c GDPR in conjunction with Art.16 (7) MiFID II, (6) MiFID II, Art. 76 MiFID II-DVO, § 83 WpHG, § 9 WpDVerOV as the taping takes place to fulfil a legal obligation of the controller. For those parts of the conversation that do not relate to investment mediation, the legal basis for the recording is Art. 6 (1) lit. f GDPR. The legitimate interest of the controller follows from the interest to document the overall context of the mediation discussion, since the qualification of the possibly relevant part according to MiFID II is difficult to assess and thus unreasonable. You have the right to object at any time the processing of your personal data which is carried out on the basis of Art. 6 (1) lit. f GDPR.

V. Disclosure and Transfer of data

Aquila Capital uses external service providers for the realization of the taping. For the implementation of the recording obligation, the responsible parties work together with the external service provider ASC Technologies AG, Seibelstraße 2, 63768 Hösbach, Germany. A data processing agreement pursuant to Art. 28 GDPR has been concluded. The hosting of the data takes place exclusively in Germany.

For audit purposes, Aquila Capital's or its Affiliates’ Compliance Department and Audit Department may be granted access to the telephone records. In addition, access by external auditors is possible.

The competent supervisory authorities (data protection authority, BaFin) may also request existing recordings of telephone calls or electronic communications from the responsible parties for audit purposes.

For more detailed information on the disclosure of personal data to third parties, please refer to the below Section (K) Disclosure and Transfer of Data.

VI. Deletion of data

Records to which Aquila Capital Investementgesellschaft mbH is legally obligated are kept for 5 years, maximum 7 years from the date of creation (§ 83 (3) WpHG in conjunction with Art 16 (7) MiFID II), unless legal retention periods apply that require longer storage.

The retention serves as evidence of transactions carried out and to comply with applicable legal requirements.

I. Controller

The controller for data processing in direct connection with the holding of video and telephone conferences (hereinafter "Online Meetings"), as well as a potential transcription or recording,  is Aquila Capital Investmentgesellschaft mbH.

II. Processing purpose

We use the tool "Microsoft Teams" to conduct telephone and video conferences within the business purposes of Aquila Capital.

III. Which personal data is being processed

When using Microsoft Teams, different types of data are processed. The scope of the data processed depends on the information provided before or during participation in an Online Meeting. The following data are subject to processing:

• User details: e.g. display name, e-mail address (if applicable), profile picture (optional), preferred language
• Meeting metadata: e.g. date, time, meeting ID, phone numbers, location
• Text, audio and video data: It is possible to use the chat function in an Online Meeting. In this respect, the text entries made by the respective user are processed in order to display them in the Online Meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera on the end device are processed for the duration of the meeting.  You can switch off or mute the camera or microphone yourself at any time using the "Microsoft Teams" applications. If the transcription function is activated, a live transcription of your voice/the content is made during the meeting and displayed to the participants. The transcript is saved and can be downloaded after the meeting. Audio, video and text data is also processed when the meeting is recorded.
• Sensitive data: video data includes all visual data captured by your camera, which potentially may also include special categories of data in the sense of Art. 9 I GDPR. For example glasses or hearing aids can hint to a handicap/disability and may categorize as sensitive health data.
• Log files, logging data

There is no statutory requirement for you to provide personal data to the controller in connection with Online Meetings.

IV. Legal basis for data processing

a) General holding of Online Meetings

The legal basis for data processing of Online Meetings is Art. 6 (1) lit. b GDPR, if the GDPR applies, insofar as the meetings are conducted within the framework of contractual relationships. If this is not the case, Art. 6 (1) lit. f GDPR is the legal basis for the data processing. According to Art. 6 (1) lit. f GDPR, the processing is lawful if it is necessary to safeguard the legitimate interests of Aquila Capital, unless your interests, fundamental rights or freedoms outweigh the interests for processing. Aquila Capital's legitimate interest is to ensure effective communication among Aquila Capital’s and Affiliates’ employees and external communication partners. Especially since the Corona Pandemic, Online meetings have become a standard and globally accepted and expected way of communication without which Aquila Capital's competitive position would be limited significantly. 

b) Live transcription of an Online Meeting

In some cases there may be an interest to use the live transcript function to transcribe Online Meetings or parts of it. The transcription function is for example approved for investor- meetings of Aquila Capital Investmentgesellschaft mbH and you will be informed in case you are affected by this. The transcription is then based on our legitimate interests (Art. 6 (1) f. GDPR), in particular to document meetings more efficiently, economic and labour-saving creation of protocols, support post-meeting follow-up, improve the traceability of meeting outcomes and decision-making processes, and promote efficient digital collaboration in an increasingly hybrid, remote, and international work environment. This is also in the interest of the employees of Aquila Capital and Affiliates as well as in the interest of external communication partners. 

The scope of the processed personal data is generally small and concerns mostly professional data. Limitations are implemented regarding the scope of data, the purposes of use and storage limitations via internal framework, guidelines and technical settings. Your interests, fundamental rights or freedoms do therefore generally not override the interests for processing.

c) Audio and video recording of an Online Meeting

In some cases there may be an interest of Aquila Capital or Affiliates to document an Online Meeting or parts thereof via audio and video recording, for example in conferences with relevant information for other participants (e.g. online-trainings, brown bag sessions for employees to provide the information to other or all employees via the intranet). This can be done either in form of the Live-Event Webinar Setting, where per default participants’ camera and microphone are disabled so participants will not be recorded, or the participation via camera and microphone is enabled. Any audio or video- recording of you during an Online Meeting is only done with and based on your prior consent pursuant to Art. 6 (1) lit. a and Art. 9 (2) lit. a GDPR.

Your consent is absolutely voluntary and there will be no disadvantages if you do not agree to the recording.  You will be informed about the recording in advance; once the organiser of the meeting initiates the recording your microphone and camera will automatically be muted/turned off. A pop-up window will indicate this and provide you with the option to consent to the recording by re-activating your camera and/or microphone or by clicking on the agree button.

If you consent to the recording, your consent includes

• the recording of audio and/or video itself,
• the storage and
• the potential sharing of the recording with colleagues and/or publication in the intranet for the purpose of making this information available to relevant other employees.

Public sharing of recordings is not done.

If you have given your consent to the recording, you can withdraw this consent at any time. The withdrawal is effective for the future and shall not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent during a recording, all you have to do is deactivate your camera and microphone to deactivate further recording. If you withdraw your consent after a meeting or when a recording is already shared or published in the intranet Aquila Capital will either delete the video or edit the video so you will no longer be identifiable.

Please note that Aquila Capital will never secretly record an Online Meeting. The secret recording of a non-public conversation as well as the storage and sharing of such recordings is punishable by criminal law.

With regard to data processing based on Art. 6 (1) lit. f GDPR, you have the right to object according to Art. 21 GDPR on grounds relating to your particular situation. Exercising this right does not affect the lawfulness of the processing before the objection.

V. Disclosure and Transfer of data

Personal data processed in connection with participation in Online Meetings is generally not transferred to third parties, unless it is specifically intended to be shared.  Recorded Online Meetings or Transciptions may be shared internally within Aquila Capital or Affiliates if a legitimate interest exists and confidentiality obligations do not prohibit us from doing so, e.g. provision of content relevant or helpful for other employees. 

Further recipients: Microsoft Ireland, One Microsoft Place, South County Business Park, Carmanhall And Leopardstown, Dublin, Ireland, necessarily receives knowledge of the above-mentioned data, as far as this is intended in the data processing agreements.

Microsoft Teams is part of the Office 365 cloud application, of which a user account must be created. Microsoft also reserves the right to process customer data for its own business purposes. According to Microsoft, these are activities related to the provision of the services, such as usage-based billing, capacity planning and combating cybercrime. Use for user profiling, advertising or similar commercial purposes is expressly excluded by contract. Please note that we have no control over Microsoft's data processing. To the extent that Microsoft teams processes personal information in connection with Microsoft's legitimate business operations, Microsoft is an independent data controller for that use and as such is responsible for compliance with all applicable laws and a data controller's obligations. For more information about the purposes and extent of data collection and processing by Microsoft Teams, please see the Microsoft Privacy Statement at https://privacy.microsoft.com/de-de/privacystatement and Microsoft Teams at https://docs.microsoft.com/de-de/microsoftteams/teams-privacy. You can also obtain further information about your rights in this regard.

Since Microsoft Ireland's mother entity is located in the USA, data processing outside the European Union (EU) may also be possible. An adequacy decision exists for the US and Microsoft is certified under the respective framework. Additional measures have been taken to protect personal data (e.g. standard contractual clauses). You can request to view the relevant documents and guarantees at privacy@aquila.capital.

Furthermore, we cannot exclude the possibility that the routing of data is done via Internet servers located outside the EU. This may be the case in particular if participants in online meetings are in a third country. However, the data is encrypted during transport over the Internet and thus protected against unauthorized access by third parties.

V. Deletion of data

a) General Data of Online Meetings

The data processed during the general holding of a meeting is stored as long as it is necessary for the respective purpose. Meeting metadata is stored 3 months within Teams after the relevant employee leaves the company. Texts and content from the chat-function is generally stored for 180 days and then automatically deleted, unless it is subject to retention obligations and legitimate retention interests. A requirement for storage can exist in particular if the data is still needed to fulfill contractual services, to investigate,  grant or ward off warranty, guarantee or other legal claims. In the case of legal storage obligations or legitimate interests for retention, deletion is only possible after expiry of the respective obligation or the subordination of the respective legitimate interests. If you share documents in a Meeting they will be stored 30 days after you delete them in Teams.

b) Transcripts and transcript files

If the meeting or parts of it are lawfully transcribed, the transcription file will be stored on the Microsoft OneDrive and within the Chat/Calendar-Meeting, generally available only for internal participants, for 30 days and then automatically deleted. The necessary transient recording of the audio is not saved.

c) Audio and video recording files

Recording files are automatically stored on the initiator’s Microsoft OneDrive for 30 days and are then automatically deleted. In case of sharing of a recording or publishing on the intranet, the recording or the relevant parts thereof will be deleted if you revoke your consent or if the purpose of the publication is fulfilled.

A requirement for further storage of data can exist in particular if the data is still needed to fulfill contractual services, to check and grant or ward off warranty and guarantee claims. In the case of legal storage obligations, deletion only comes into consideration after expiry of the respective storage obligation.

I. Controller

The responsible company in the context of the KYC-Check is Aquila Capital Investmentgesellschaft mbH (“ACI”).

II. Processing purpose

For the prevention of money laundering, financing of terrorism and other criminal acts, we are legally obligated to:

• identify the business/contractual partner and, if applicable, the persons acting on its behalf and their authorization and also
• determine  whether the contractual partner or the beneficial owner is a politically exposed person (PEP), a family member or a known related person of a PEP.

III. Which personal data is being processed

Depending on the constellation, the following personal data of the acting person(s) and the beneficial owner may be collected and processed during a KYC-Check in connection with the KYC questionnaire and the associated verification documents (e.g. copy of ID, proof of residential address):

Surname, first name, nationality, date of birth, place of birth, ID card data (e.g. ID card number, date of issue, issuing authority), address data (street, house number, zip code, city, country), attribute of beneficial owner, information on origin of assets, gross income, type of contribution, PEP status (in this context, if applicable, also name of family members  or other known related persons if they have a PEP status), any additional data that may result from the verification documents: Copy of ID (title, birth name, height, eye color, signature, order or artist name, if applicable), proof of address document (electricity consumption, telephone log, etc., if applicable).

IV. Legal basis for data processing

The collection and further processing of your personal data is carried out for the fulfillment of legal obligations to which we are subject to, on the basis of Art. 6 (1) lit. c GDPR in conjunction with § 28 KAGB, § 25h KWG, §§ 10-17 GwG.

Since KYC checks are also to be carried out for contractual relationships of other entities of Aquila Capital in which ACI may not be involved, the legal basis for the data processing in this context results from Art. 6 (1) f GDPR. ACI has a legitimate interest in ensuring that all transactions concluded within Aquila Capital  comply with the high standards required by law i.a. the Money Laundering Act (GwG).

You have the right to object to the processing of your personal data which is carried out on the basis of Art. 6 (1) f GDPR at any time on grounds relating to your particular situation in accordance with Art. 21 GDPR.

V. Disclosure and Transfer of Data

Since the data regarding the KYC check is collected by the respective employee of the entity responsible for the contract, there may be a transfer of data within Aquila Capital from/to the respective branch offices and subsidiaries, for maintaining effective concern-wide governance, ensuring compliance, reliability check and fulfilling legal obligations. This also applies to potential disclosures to the Commerz Real AG or Commerzbank AG, as ACI is part of the Commerzbank Group. For more detailed information on the disclosure of personal data within Aquila Capital and to the Commerzbank Group, please refer to the below Section (K) Disclosure and Transfer of Data.

ACI uses external service providers to fulfill the purposes described in the context of the KYC check. For example, the collected data is stored in the customer management software "Salesforce", provided by Salesforce Inc. Salesforce is supported and maintained by our service providers Hanseforce GmbH, Friesenweg 38, 22763 Hamburg, Omega CRM Consulting S.L., Cetig of 9, 9 Periodista F Gomez de la cruz, 18014 Granada, Spain, and Wipro Technologies GmbH, Opernpl. 14, 60313 Frankfurt am Main, Germany, whose employees may become aware of the above data in the course of providing their services. In addition, your name is checked against current PEP and sanctions lists via the tool WorldcheckOne, provided by Refinitiv Germany GmbH, Friedrich-Ebert-Anlage 49, 60327 Frankfurt am Main, Germany, as well as against, among other things, press releases on the subject of financial crime by Factiva Limited. Lionware GmbH, Im Kaisemer 13a, 70191 Stuttgart, Germany, is engaged for cases of necessary ID-verifications via post-ident. A data processing agreement pursuant to Art. 28 GDPR has been concluded with each of these external service providers.

In addition, ACI may make (individual or combined) collected data available to other recipients, for example, to those companies that are jointly involved with Aquila Capital in the procurement of investment projects, namely buyers or financing companies of the investment properties or owner companies. They pursue a similar, albeit separate interest in the audit, which they may carry out parallel as an independent responsible party. The additional verification can further reduce the overall risk of financial crime (especially prevention of money laundering and terrorist financing) in potential projects or project participations. In addition, in the case of investors in Luxembourg investment funds, Aquila Capital forwards the data to the relevant register and transfer agent Apex Fund Services S.A., Rue Gabriel Lippmann 3, Schuttrange, 5365, Luxembourg for the opening of the register, which is necessary to complete the subscription of shares in the investment fund. Before forwarding, Aquila Capital checks the correctness and completeness of the data and documents collected.

Some of the external service providers are registered in the US. However, the data is stored on servers located within the European Economic Area. ACI has ensured the necessary data protection with all recipients of personal data. For more detailed information on the transfer of personal data to third countries outside of the EU, please refer to the below Section (K) Disclosure and Transfer of Data.

VI. Deletion of Data

Your data is stored for as long as it is required for the processing purpose or until the expiry of statutory retention periods. KYC documents and the data contained therein are subject to a basic retention period of 5 years from the end of the business relationship pursuant to § 8 (4) GwG and are generally deleted after expiry. Other storage and documentation obligations may arise, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO) to which ACI is subject to. The periods prescribed there for storage or documentation are two to ten years from the end of the year in which the last action was taken on the tax-relevant documents (usually the last annual financial statement/tax return of the fund). Finally, the storage period also depends on the applicable statutory limitation periods, e.g. according to §§ 195 et seq. BGB, are generally three years, but in certain cases can be up to thirty years.

VII. Automated decision-making including profiling

We use automated decision making to process personal data to check whether individuals, companies or organizations are on sanctions lists and/or Politically Exposed Person (PEP) lists. This is to ensure that we comply with legal obligations and minimize the risk of financial crimes, such as money laundering or terrorist financing. Automated decision making is based on algorithms and is performed by systems operated by our service provider. We take appropriate measures to ensure that automated decision making is fair and transparent and protects the rights and freedoms of data subjects. This includes at least the right to obtain human intervention on our part, your right to express your point of view and your right to contest the decision. If you have any questions or concerns about automated decision making, please contact us.

I. Controller

Aquila Capital Investmentgesellschaft mbH is the controller in connection with product and service information and marketing activities.

The contact details of the data protection officer can be found in section (A) II of this Privacy Policy.

II. Processing purpose

Depending on the specific business relationship we have with you, we may collect and use personal data from our customers to send important information or updates on Aquila Capital’s products and services. This includes, in particular, important security information or significant changes to products, services or this Privacy Policy. Subject to specific requirements, we may also use your data for direct marketing purposes, e.g. to send you advertisement for similar products, invite you to our events or include you in our marketing campaigns.

III. Which personal data is being processed

For the purpose of addressing you in connection with the above-mentioned information, we process your first name, last name, email address, address as well as your telephone number where applicable.

IV. Legal basis for data processing

The processing of personal data by us for the purpose of providing you with Product and Service Information is based, depending on the type of information, on Art. 6 (1) lit. b GDPR (performance of a contract) or Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest includes the adaption and correction of legal innovations or product errors, and to offer high-quality product support. If we already have a business relationship with you and you have not objected to this, we may use your data for direct marketing purposes and send you information about similar products and services of us on the basis of Art. 6 (1) lit. f GDPR, our legitimate interest lying in the expansion of our business and profit generation.  

The collection and use of your personal data for inclusion in  advertising campaigns or invitations to our events is based solely on your prior explicit consent pursuant to Art. 6 (1) lit. a GDPR. There is a right of revocation for this consent at any time with effect for the future. This revocation shall not affect the lawfulness of processing based on consent before its withdrawal.

V. Disclosure and Transfer of Data

The relevant contact data may be shared with service providers engaged for specific events or campaigns under the provision of conclusion of necessary data processing and confidentiality obligations.

VI. Deletion of data

We retain your personal data for as long as the contractual relationship with you exists, our legitimate interest exists and you have not objected or, where the processing is based on your consent, until such consent is withdrawn. Once the respective retention period expires, we delete your personal data, unless statutory retention obligations require us to store the data for a longer period.

I. Controller

The controller for data processing in connection with the Whistleblowing Portal is the respective employer company of Aquila Capital. The contact information of the controller can be viewed by the employees in their employment contract.

To the extent that the Whistleblowing Portal is also made available to third parties on Aquila Capital’s website, the controller for data processing is Aquila Capital Investmentgesellschaft mbH (“ACI”).

The contact details of the data protection officer can be found in section (A) II of this Privacy Policy.

II. Processing purpose

The Whistleblowing Portal is provided to Aquila Capital’s employees and third parties to report illicit or irregular activities within Aquila Capital, such as criminal activities and behavior that violates human rights. The goal is to protect Aquila Capital's business, assets, employees and its reputation. The Whistleblower Portal can be accessed here: https://portal.bdolegal-whistleblower.de/.

III. Which personal data is being processed

The reporting channel is managed by BDO Legal Rechtsanwaltsgesellschaft mbH, Fuhlentwiete 12, 20355 Hamburg, Germany ("BDO"), an external law firm. BDO is the primary addressee of a report. The submitted complaints/reports will be processed by lawyers (ombudspersons). 

As a user of the whistleblowing portal, you can choose:

• to make a completely anonymous report;
• to supplement the report with personal information;
• whether you wish your personal data to be disclosed to the relevant company;
• whether you wish to provide personal data of parties involved and/or witnesses;
• whether you want to upload documents to your report.

The ombudsperson will inform the assigned contact person of Aquila Capital’s Compliance Department about the content of the reports, insofar as they are relevant under law and/or require further investigation. The conditions, format and method of informing the Compliance Department will be determined by the Ombudspersons on a case-to-case basis.

Depending on the information you provide and whether you consent to the disclosure, the Compliance Department consequently may also receive the disclosed personal data. Consequently, personal data is not obtained directly from the data subject, but from a third party in accordance with Art. 14 GDPR. The identity of the whistleblower will not be revealed without his/her explicit consent.

IV. Legal basis for data processing

As far as the GDPR is applicable, the following legal bases for data processing apply:

a) Reporting person (whistleblower):

Own personal data voluntarily disclosed by the whistleblower is processed on the basis of Art. 6 (1) c GDPR in conjunction with § 12 (1) and § 10 HInSchG. This includes compliance with applicable laws and regulations regarding the protection of whistleblowers and the reporting of illegal activities. Additionally, the processing of personal data is based on the legitimate interest pursuant to Art. 6 (1) f GDPR. These interests include the prevention, detection, and investigation of misconduct, fraud, corruption, and other illegal activities within the organization, the prevention of damage and liability risks as well as ensuring compliance with relevant legal and regulatory frameworks.

b) Other (employee) personal data

Other employee’s data, in particular that of the accused person or other involved employees is also processed on the basis of Art. 6 (1) c GDPR  in conjunction with § 12 (1) and § 10 HinSchG as well as Art. 6 (1)  f GDPR. Aquila Capital’s legitimate interest include the prevention, detection, and investigation of misconduct, fraud, corruption, and other illegal activities within the organization, the prevention of damage and liability risks, as well as ensuring compliance with relevant legal and regulatory frameworks. These interests have been determined to generally range above the interest of employees, potential victimization and stigmatization of accused persons are avoided by a general restriction of access to the information provided to the responsible Compliance Department and its obligation to maintain confidentiality.

Same applies to personal data of third parties which are not employees of Aquila Capital.

V. Disclosure and Transfer of Data

We treat all submitted personal information confidential and knowledge will generally be restricted to the Compliance Department which is located in Aquila Capital Investmentgesellschaft mbH.

Depending on the individual case, an involvement of Aquila Capital’s DPO, Legal Department or managing directors of the affected entity as well as a report to, collaboration or joint investigation with the relevant departments at Commerzbank Group or Commerzreal AG (as Aquila Capital’s main shareholder) may be necessary. Before a transfer takes place, however, we examine in each individual case whether there is a legal basis for the transfer.

By submitting a report that voluntarily includes the disclosure of your identity, please be aware that we may be obliged to inform the accused person of your identity within one month of the submission in accordance with Art. 14 GDPR.

Data transfer to external parties or third countries does generally not take place, unless where it is necessary (e.g. in connection with necessary data analysis) or where we are legally required or it is necessary in connection with legal proceedings or on request of competent authorities, such as financial supervisory authorities.

For more detailed information on the disclosure of personal data to third parties, please refer to the below Section (K) Disclosure and Transfer of Data.

VI. Deletion of data

Any personal data is processed for as long as this is necessary to process the submission and follow-up investigations and will generally be deleted two months after the investigation has been completed. Storage beyond may be necessary and permissible for the duration of any further legal steps required, such as disciplinary proceedings or the initiation of criminal proceedings. Personal data deemed unnecessary for any of these purposes will be deleted immediately by the Compliance Department.

I. Data controller

The controller for data processing in direct connection with the implementation of video monitoring is Aquila Capital Investmentgesellschaft mbH.  

II. Processing purpose

Video monitoring is used exclusively for the prevention and prosecution of criminal offences, the prevention of access by unauthorized persons and the protection of company and business secrets. Furthermore, the monitoring measures are intended to help prevent break-ins and thefts, as well as assert, exercise, or defend legal claims.

III. Which personal data is being processed

Video monitoring at the offices of Aquila Capital are only carried out at the entrances/exits of the business premises.

Recordings are only made if movements are detected. These are pure visual recordings. Sound recordings, however, are not made.

IV. Legal basis for data processing

We have a legitimate interest in processing your data in accordance with Art. 6 (1) f GDPR. Insofar as special categories of personal data are processed, this is done on the basis of Art. 9 (2) lit. f GDPR. Video monitoring serves to protect our property rights, prevents and investigates criminal offences and supports the assertion, exercise, or defense of legal claims.

You have the right to object to the processing of personal data if there are reasons to do so arising from the special situation. 

V. Disclosure and Transfer of Data

Only the IT administrator and management board have access to the records on request. The IT administrator is an employee of the service provider Wipro Technologies GmbH, Opernpl, 14, 60313 Frankfurt am Main, Germany. For this reason, a data processing agreement has been concluded with Wipro Technologies GmbH in accordance with Art. 28 GDPR. 

In the event of suspected criminal offenses, we may also pass on the data to lawyers, insurance companies and law enforcement authorities. Otherwise, the data will only be disclosed if there is a legal basis for doing so. This may be the case, in particular, if the police or other security authorities take action within the so-calles “hazard prevention” and request access to the video surveillance data.

Data transfer to third countries does generally not take place.

VI. Deletion of data

Data from video surveillance is generally deleted after 72 hours Beyond that, data will only be stored as far as this is necessary for the respective purpose in each individual case if there are grounds to believe that recordings from a limited period of time show actions that are to be prosecuted as criminal offenses or used to assert civil law claims.

It may be or become necessary to transmit and disclose your personal data internally and/or externally. You will be informed if your data is transferred in the specific sections. The recipients, purposes and legal bases are usually the following:

I. Within  Aquila Capital and its Affiliates

In certain cases it is necessary to transfer your personal data within Aquila Capital as well as to affiliated companies in the sense of §§15 et seq. Stock Corporation Act (AktG), including entities of the Commerzbank AG (“Affiliates”), as far as there is a legal basis for such transfer. This may also include transfers to Commerz Real AG (or its successor) as the main shareholder of Aquila Capital Investmentgesellschaft mbH or other relevant Affiliates within the Commerzbank Group.

This is due to the corporate structure, where some functions or services that involve the handling of your personal data are assigned to and performed by specialized entities of Aquila Capital or its Affiliates (central service entity) or resources are pooled for collaboration.

The disclosure and transfer of your personal data within Aquila Capital and its Affiliates will only take place if this is necessary for contractual reasons (Art. 6 (1) lit. b GDPR), for regulatory legal purposes (Art. 6 (1) lit. c GDPR) or insofar as we are entitled to do so on another legal basis, such as on the basis of prevailing legitimate interests (Art. 6 (1) lit. f GDPR). Such legitimate interest may include, inter alia, the standardization and simplification of group-wide processes, optimisation of business and IT operations (including the introduction of common systems), improvement of productivity and efficiency, realisation of synergies and cost savings, enhancement of transparency and process manageability, and the implementation of effective data protection and deletion concepts. Legitimate interests may also include the conduct of (joint) internal investigations, compliance processes, and regulatory requirements where such transfer is necessary and if the interests or fundamental rights and freedoms of the person concerned do not outweigh our interests.

II. Service Providers or other Third Parties

We rely on external service providers to provide or facilitate certain services and may in this relation transmit your personal data to external data processors (e.g. IT provider, support and maintenance, web hosting provider, communication service provider, analytics provider, newsletter service provider). These recipients are contractually obliged to comply with the currently applicable data protection legislation and to maintain confidentiality. Service providers are prohibited from using your personal data for their own commercial, promotional or other purposes other than those expressly instructed and must follow our express instructions and comply with appropriate security measures to protect your personal data. The disclosure of personal data to external service providers is based on Art. 28 GDPR, if they are acting as processors, as well as our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest lies in ensuring the efficient and secure operation of our business processes by using specialised service providers.

As part of the further development of our business, the structure of our company may change in that the legal form is changed, subsidiaries, parts of the company or components are founded, bought or sold. In such transactions, customer information is passed on together with the part of the company to be transferred. Whenever personal data is passed on to third parties to the extent described above, we ensure that this is done in accordance with this Privacy Policy and the relevant data protection laws.

III. Legal Obligations and Protection of Rights

We may disclose and transmit personal data to other recipients, e.g. public authorities, law enforcement bodies or legal advisors, if we are legally obliged to do so, or if this is necessary to assert, exercise or defend legal claims or to investigate suspected unlawful behaviour.

The legal basis for such disclosure of personal data is either Art. 6 (1) lit. c GDPR in conjunction with national legal requirements for the disclosure of data, or our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest consists in ensuring the establishment, exercise or defence of legal claims, investigation suspected unlawful acts, safeguarding our rights, or cooperating with competent authorities where necessary and your rights and interests in the protection of your personal data within the meaning of Art. 6 (1) lit. f GDPR do not prevail.

IV. Data transfers to third countries

Your data will generally be processed in Germany or within the European Union (EU) or European Economic Area (EEA). When we or a service provider are transferring personal data outside the EU/EEA, we ensure that the country has an adequate level of data protection (Art. 45 GDPR) or we ensure an adequate level of protection by means of appropriate safeguards (Art. 46 ff. GDPR), in particular contractual arrangements (e.g. based on standard contractual clauses of the European Commission and if necessary effective additional security measures). Contact us if you would like a copy of the standard contractual clauses. If you consent to the transfer of personal data to third countries, the transfer is made on the legal basis of Art. 49 (1) lit. a GDPR.

We would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

However, we take all necessary technical and organizational measures to ensure an appropriate level of protection for your data and, in particular to protect it from the risks of unintentional or unlawful destruction, alteration, manipulation, loss or unauthorized access. Security measures are regularly reviewed and improved in line with technological developments.

Our website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

As a data subject, you have various rights vis-à-vis the responsible entity of Aquila Capital with regard to your personal data, which we inform you about below. You can also find details about your rights in Art.15-21 of the GDPR:

• Right to information according to Art. 15 GDPR:
  You have the right to request information about your personal data processed by the controller. In particular, about the processing purposes, the categories of personal data and about recipients or categories of recipients to whom the personal data have been disclosed. Furthermore, you have the right to obtain information about the planned duration of storage.
• Right to rectification pursuant to Art. 16 GDPR:
  You have the right to request without delay the correction of inaccurate or the completion of your personal data stored by the controller.
• Right to deletion according to Art. 17 GDPR:
  You have the right to request the deletion of your data under the conditions specified in Art. 17 GDPR.
• Right to restriction according to Art. 18 GDPR:
  In specific cases specified in the GDPR, you have the right to request the restriction of the processing of your personal data.
• Right to data portability according to Art. 20 GDPR:
  In specific cases set out in the GDPR, you have the right to receive and transfer all personal data concerning you to another controller (right to data portability).
• Right of objection according to Art. 21 GDPR:
  In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Article 6 (1) lit. e or f GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing of direct marketing, you may object to this processing pursuant to Art. 21 (2) and (3) GDPR.
• Right of revocation according to Art. 7 (3) GDPR:
  Insofar as we process your data on the basis of your consent (Art. 6 (1) lit. a or Art. 9 (2) GDPR), you have the right to revoke this consent at any time with effect for the future, without this affecting the lawfulness of the consent valid until then. The revocation is - like the granting of consent itself - possible orally or in text form.

To assert your rights, you can contact the responsible entity of Aquila Capital or Aquila Capital’s data protection officer (more details under Section (A) and (N) of this Privacy Policy).

You also have a

• Right of appeal pursuant to Art. 77 GDPR:
  You have the right to complain to a data protection supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or the registered office of the responsible controller.

Your rights under the FADP follow from Art. 25, 32, 38 FADP.

The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).

If you have any questions or comments about our handling of your personal data or if you would like to exercise the rights as a data subject, please contact our data protection officer. You can find their contact details under Section (A) of this Privacy Policy.

The following companies of the Aquila Capital Group may serve as the responsible controller for your personal data, depending on your contractual relationship:

• Aquila Capital Investmentgesellschaft mbH with legal seat in Hamburg, Germany, can be reached as follows: Valentinskamp 70, 20355 Hamburg, Germany
  Tel.: +49 40 875050-100
  info@aquila-capital.de
   
• Aquila Capitals Luxembourg branch office can be reached as follows:
  Airport Center Luxembourg, 5, Heienhaff, 1736 Senningerberg, Luxembourg
  Tel.: +352 24 83 29 1
  info@aquila-capital.de
   
• Aquila Capital’s Spanish branch office can be reached as follows: 
  Paseo de la Castellana, 259D, Torre Espacio , 28046 Madrid, Spain 
  Tel.: +34 91 511 90-50
  info@aquila-capital.com
   
• Aquila Capital’s Netherland branch office can be reached as follows:
  Schiphol Boulevard 215, WTC Schiphol, 1118BH Schiphol, Netherlands
  Tel.: +49 40 87 5050-100
  info@aquila-capital.com
   
• Aquila Capital Invest UK with legal seat in the UK can be reached as follows:
  20th Floor, Leaf B, Tower 42, 25 Old Broad Street, London EC2N 1HQ
  Tel. +44 2082085400
  info@aquila-capital.de
   
• AQ Investment AG with legal seat in Switzerland can be reached as follows:
  Poststraße 3, 8001 Zurich, Switzerland
  Tel.: +49 40 87 5050-100
  info@aquila-capital.com

Given that our website and the technologies on which it is based, as well as our business processes are subject to continuous development, we reserve the right to amend this Privacy Policy and updated from time to time to reflect the changes in the collection, processing or use of your data. The current version of the privacy Policy is always available on this website.

Status: 23.04.2026