GDPR Investors Data Privacy Notice

1. Introduction

This document is the Investors Privacy Notice of BBGI Global Infrastructure S.A. (“BBGI”/”the Company”/”us”/”we”/”ours”). It has been written to inform you about how the Company processes personal information within the framework of the General Data Protection Regulation (Regulation (EU) 2016/679).

Please read this document carefully, together with the Company’s Privacy Policy, to understand how the Company acts regarding Personal Data.

This document might be changed or updated (in full or in part) in order to maintain our compliance with applicable laws and regulations, or following an update to our internal practices. When we change this Investors Privacy Notice, we will publish the updated version on our website (http://www.bb-gi.com/). Please check this Notice regularly. Subject to applicable law, all changes will take effect as soon as we publish the updated Notice, but where we have already collected Personal Data on you and/or where legally required to do so, we may take additional steps to inform you of any material changes to this Privacy Notice and may request that you agree to these changes.

2. Definitions

GDPR

General Data Protection Regulation - REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

CNPD

Commission Nationale pour la Protection des Données (“National Commission for Data Protection”).

Data Controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of a Data Controller.

Data Subject

An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data

Any information of any kind, regardless of its form, including sound and image, relating to an identified or identifiable person.

Personal Data Processing

Any operation or set of operations performed on personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Data Controller and Data Processors

By determining the category of data and the purpose for which they are processed, BBGI Global Infrastructure S.A. (company number B163879) whose registered office is at 6E Route de Trèves, L-2633 Senningerberg, Luxembourg, is considered the Data Controller.

RBC Investor & Treasury Services (company number B119549) whose registered office is at 14 Porte de France, L-4360 Esch-sur-Alzette, Luxembourg, and Link Asset Services (company number 05309552) whose registered office is at 6th Floor, 65 Gresham Street, London EC2V 7NQ, and are considered the Data Processors in relation to investor services.

4. Personal Data collected by BBGI and the Data Processors

The Personal Data referred to in this Privacy Policy relates to investors in the Company and any natural persons involved in our business relationship with them, as the case may be, including any authorised representatives, persons holding a power of attorney, beneficial owners and/or any other related persons (“you”/“yours”).

In general, the Data Processors will collect, receive, store and process the following information:

  • Name, address, email address, telephone number and other contact details which you provide us with on completing, for example, within the on-boarding investor process;
  • Personal characteristics, such as date of birth, country of residence, passport, identity card, tax identification number and any information related to the Know Your Customer obligations;
  • Banking and financial data, such as financial identification, financial situation, ability to bear loss, investment objectives or preferences;
  • A record of any correspondence you have with the Data Processors, including certain telephone calls which we may be legally required to record (but you will be informed at the beginning of the telephone conversation if recording is necessary);
  • Online identifiers including IP address and cookies.

The Data Controller does not, and the Data Processors generally do not (unless required by law) collect, process or store data considered to be sensitive as defined by the GDPR Article 9(1).

The Privacy Policies of each of the Data Processors can be found as follows:

RBC: https://www.rbcits.com/en/who-we-are/governance/european-privacy-policy-statement.page

Link: https://www.linkassetservices.com/privacy-policy

5. How BBGI and Data Processors protect your Personal Data

The Data Controller and Data Processors are committed to safeguarding and protecting your Personal Data and maintaining appropriate security to protect any Personal Data provided to us from improper or accidental disclosure, use, access, loss, modification or damage. They will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with applicable law and regulations, and internal policies and standards.

In order to do so, data protection “by design” and “by default” is ensured, in accordance with Article 25 of the GDPR. Data protection “by design” means that both at the time of the determination of the means of processing data, and at the time of the processing itself, Data Processors ensure the implementation of appropriate technical and organisational measures designed to implement data protection principles and necessary safeguards. Data protection “by default” means that Data Processors ensure that only personal data necessary for each specific purpose of the processing are processed.

6. Personal Data retention period

All Personal Data must be stored by us or our Data Processors for the whole duration of our contractual relationship with you, plus the legal prescription periods during which you or we require such information for the exercise or defence of a legal claim.

7. Information on Data Subject rights and the withdrawal of consent

The following rights are applicable under our duty to comply with the GDPR requirements per Article 6(1).

a. GDPR Articles 13 – 15: Rights of information and access

i. Articles 13-14: As Data Controller, BBGI is obligated to provide you with the information cited in these articles, inter alia: the purposes of the processing; contact details of the Data Controller and the Data Protection Officer; the period for which your Personal Data will be stored.

ii. Article 15: You have the right to access the Personal Data related to you collected by or disclosed to BBGI, and the right to have such Personal Data corrected if it is inaccurate or incomplete. Therefore, you have the right to obtain:

  • confirmation on whether, and where, Personal Data is processed; and
  • where the data was not provided by you, information on the source of the data.

In this respect, you may receive a copy of your Personal Data undergoing processing free of charge. For any further copies, we reserve the right to charge a reasonable fee based on administrative costs. To exercise this right, please contact us as set out below.

b. GDPR Article 16: Right of rectification

Under this Article the Data Processors ensure that inaccurate and incomplete Personal Data is rectified or completed.

c. GDPR Article 17: Right of erasure (“Right to be forgotten”)

Article 17 gives you the right to have your Personal Data erased (the “right to be forgotten”) if:

  • the Personal Data is no longer needed for its original purpose (and no new lawful purpose exists);
  • the lawful basis for the processing is your consent, and you withdraw that consent, and no other lawful grounds exist;
  • you exercise your right to object, and Data Processors have no overriding grounds for continuing the processing;
  • the Personal Data has been processed unlawfully; or
  • erasure of the Personal Data is necessary to comply with legal or regulatory obligations.

d. GDPR Article 18: Right to restrict processing

You have the right to restrict the processing of your Personal Data. This means that your Personal Data may only be held by us, and may only be used for limited purposes, if:

  • You contest the accuracy of your Personal Data, but only for as long as it takes to verify its accuracy;
  • the processing is unlawful and you request restriction (as opposed to exercising your right to erasure);
  • Data Processors no longer need your Personal Data for its original purpose, but your Personal Data is still required by us to establish, exercise or defend legal rights; or
  • If verification of overriding grounds is pending, in the context of an erasure request.

e. GDPR Article 20: Right of data portability

You have the right to receive a copy of your Personal Data in a commonly used machine-readable format, and to transmit that data to another controller where the processing is based on your consent and the processing is carried out by automated means. You may have your Personal Data transmitted directly from us to another controller, where technically feasible, and where the exercising of this right by you does not adversely affect the rights and freedoms of others.

f. GDPR Article 21: Right to object

You have the right to object, on grounds relating to your particular situation, to the processing of your Personal Data where the basis for that processing is either public interest or our legitimate interest as Data Controller.

Data Processors will erase such processing, unless they :

  • demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms; or
  • require the Personal Data in order to establish, exercise or defend legal rights.

Moreover, you have the right to object to the use of your Personal Data for the purposes of direct marketing including, but not limited to, consumer profiling.

g. Withdrawal of consent

You may at any time withdraw your consent to the processing of your Personal Data which is based on such consent, and you have the right to object to processing of such Personal Data upon legitimate grounds, save where otherwise provided by law. If you withdraw your consent, this will not affect the lawfulness of the processing of your Personal Data before such withdrawal.

8. What is the competent data protection authority

If you believe the Data Processors have infringed your data protection rights, you have the right to complain to the competent data protection authority in Luxembourg, the CNPD (as defined) at:
https://cnpd.public.lu/en/commission-nationale.html .

9. Action in the event of a Breach

a. Data Breach procedure

In the event of an incident defined as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (a “Breach”); the new Breach notification regime under the GDPR is as follows:

i. Obligation for Data Controller to notify CNPD
In the event we detect a breach, we shall without undue delay, and in any event no later than 72 hours after becoming aware of it, notify the breach to the CNPD. We are not required to report directly to the Data Subject(s) if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the timing obligation is not met, we must provide the reasons to the CNPD.

ii. Obligation for Data Controller to communicate a Personal Data Breach to Data Subject(s)
We must inform the Data Subject(s) of the Breach. The CNPD may also compel us to communicate a Personal Data Breach to the affected Data Subject(s) unless one of the following three exemptions is satisfied. The information to the Data Subject(s) should be done by us “without undue delay”; you should note however that the need to mitigate an “immediate risk of damage” calls for prompt communication with Data Subject(s), whereas the need to implement appropriate measures against continuing or similar Data Breaches may justify more time for communication.

No reporting to Data Subject(s) is required if:

  • the Breach is unlikely to result in a high risk to the rights and freedoms of the Data Subject(s);
  • appropriate technical and organisational protections were in place at the time of the incident; or
  • this would require disproportionate efforts.

b. How to contact BBGI and Data Processors

If you wish to contact us in relation to this Investor Privacy Policy or the Data Processors in connection with the Personal Data they collect including, without limitation:

  • if you would like to update your Personal Data;
  • receive a copy of the Personal Data collected in relation to you; or
  • would like to raise a complaint or provide feedback;

Please contact us at the Company’s registered office (details on the website “Contacts” page) or the Data Processors through their own websites.