Data protection matters in CapMan
This page explains the general principles related to how CapMan collects and processes personal data. CapMan Plc (and all companies belonging to the same group, hereinafter referred to as “CapMan”) undertakes to keep collected and processed personal data safe and to inform the data subjects (“Data Subject” refers to all persons whose personal data CapMan processes and collects) of all data usage purposes as well as the Data Subject’s rights.
Due to CapMan’s wide range of businesses, different situations require that different data is collected. Therefore, CapMan maintains several Privacy Notices which you can get familiar with through the links posted at the bottom of this page. Please note that depending on the relationship between you and CapMan, either one or more of the Privacy Notices may be applicable.
Which personal data does CapMan collect and process?
CapMan collects personal data of its investors, potential investors, their representatives and ultimate beneficial owners, employees and persons closely associated with them, representatives of business partners, current and previous employees and job applicants, board members, other managers and shareholders, managers of portfolio companies, tenants and representatives of the real estate investments in the portfolios. (hereinafter on this webpage referred as to “Data Subject(s)”).
CapMan collects, among others, the following personal data:
- Data Subjects’ name and contact information;
- information and notes related to meetings and correspondence;
- information of investments in funds managed by CapMan and investment potential
- details regarding attendance at events organised by CapMan
- information required due the Anti-Money Laundering, Tax reporting or other regulation;
- information related to recruiting
Detailed information and examples of the personal data that is collected can be found in the Privacy Notices placed at the bottom of this page.
Why does CapMan collect and process personal data?
Communication and marketing
CapMan processes personal data in order to contact, maintain, develop, and update, CapMan's business relationships by inviting stakeholders to events as well as by marketing its new products and services. Processing for this purpose is based on a consent given by the Data Subject or a contract made between the Data Subject and CapMan. CapMan sends marketing materials only after receiving an explicit consent from the Data Subject and the Data Subject always retains the right to later withdraw his or her consent.
Personal data is collected and processed so that press releases regarding interesting news related to CapMan, its subsidiaries or managed funds (such as new fund investments or new CapMan services) can be distributed. It is also necessary in order to send invitations to CapMan’s general meetings. The processing referred to in this clause is based on the consent of the Data Subject.
Personal data is collected and processed in CapMan’s fund operations, e.g. legal due diligence, fund administration, management of the fund unit holder register, reporting and decision making. Processing for this purpose is based either on fulfilling CapMan’s contractual obligations or legal requirements.
CapMan collects and processes personal data in order to fulfil its obligations under mandatory legislation, e.g. anti-money laundering checks and sanctions screening. In case a Data Subject refuses to provide CapMan with any obligatory information, CapMan may not be able to enter into a business relationship or to operate in normal course of business with the Data Subject.
Development of business operations
Personal data may be used for development of business operations. Personal data may be processed in order to analyse the business relationship or to enhance the quality of the products and services. General visitor information of our website is tracked, and this information may be generalized and used to analyse the use of the website and to further develop the website. The basis for the processing is CapMan’s legitimate interest to develop its operations and enhance the quality of the products and services provided to the Data Subjects.
CapMan processes personal data to be able to assess job applicants, to make recruitments decisions and to manage employment related matters. The basis for processing of personal data in this case is CapMan’s contractual obligations or legal requirements.
Other contractual obligations
CapMan also processes personal data on a more general level in order to execute obligations originating from agreements or to make preparations for such agreements.
No other purposes
CapMan does not process the collected personal data for any other purposes without informing the Data Subject and without receiving the Data subjects prior consent for that purpose, unless it is necessary in order to comply with contractual or regulatory obligations. The collected data is not processed for automated decision-making (including profiling).
What are CapMan’s information sources?
Personal data is mainly collected from the Data Subject himself/herself or from their employer entity. If you are providing CapMan with personal data about someone else, (such as company representatives or employees) please carefully read the section about “Providing personal data about someone else”.
Personal data can be also collected from publicly available or other sources such as official registers maintained by Patent and Registration Offices, the National Bureaus of Investigation and the Finnish Business Information System (YTJ). CapMan may also collect information from the registers of credit rating bureaus such as Suomen Asiakastieto Oy. The information sources may vary depending the home country and the citizenship of the Data Subject.
Additionally, CapMan may collect, process and analyse personal data about visitors on the web page using cookies. Cookies are used to analyse the traffic, to plan the content and to develop the web pages. The collected personal data is not used to identify individuals.
How and with whom may personal data be shared?
CapMan may share personal data with the following persons and entities:
- Your personal data may be confidentially shared with companies within the CapMan Group, when this is necessary in order to produce the services provided by the CapMan Group, or for administrative, invoicing, or other necessary activities;
- As CapMan’s business partner or a representative of a business partner, your personal data may be shared with lawyers, consultants or other professionals as well as foreign law offices, financial institutions or other professional organisations when this is necessary in orderto fulfil CapMan’s contractual obligations;
- Your personal data may be disclosed to any reliable third party to which CapMan has transferred rights or obligations, e.g. IT- or HR-services;
- we may share your personal data with credit and financial institutions as well as with companies that provide services that prevent anti-money laundering, credit risk and other crimes. Data may also be shared with other companies providing similar services.
- personal data may be shared with courts, law enforcement authorities, regulatory and supervisory authorities, attorneys, alternative dispute resolution bodies or other organisations or entities, when it is reasonable and necessary for the purpose of pursuing or exercising a legal claim or for the defence of such or any other claim.
In general, the person or entity receiving personal data, becomes a data processor for CapMan. While sharing personal data with the processors, CapMan retains the control and responsibility for the data shared with the processor and uses appropriate safeguards required by law to maintain proper security for the personal data when services of the processor is obtained. CapMan is responsible for keeping personal data up to date and informs the processor of changes in the data or of removal of such.
In certain instances, such as when the receiver is obliged by law to maintain its own register, the receiver of personal data may instead take the role of a data controller and therefore adds shared personal data to its own register.
Transferring personal data to third countries
Personal data is primarily stored on servers that are located within the EU/EEA area. CapMan’s global operations may demand, that personal data is stored also at locations outside of the EU/EEA area. The countries outside of the EU/EEA area might not necessarily maintain the corresponding level of regulatory safeguards for personal data that is maintained within the EU/EEA area. For this reason CapMan pursues to maintain appropriate GDPR compliant safeguards in order to keep your personal data safe when transferring it. While transferring personal data outside the EU/EEA area, CapMan utilizes the EU Commission’s standard contractual clauses for the transfer of personal data. The contractual clauses can be found here.
CapMan also operates in Russia and for this reason certain personal data might be transferred to CapMan’s Russia Team. Additionally, some of CapMan’s funds are located in Guernsey, meaning that certain personal data might be transferred to local contact persons in Guernsey, such as companies governing the funds and auditors.
How long is the retention time?
Personal data is retained until it is no longer needed for the purpose it has been collected or you withdraw your consent to processing the personal data and we are not obliged by law to retain the data.
Basic personal data is retained until it is no longer needed in order to maintain the business relationship or communication with the Data Subject. The personal data is deleted when reasonable time has passed since last contact with the Data Subject. However, most personal data is stored at least until the general period for filing suit has passed.
Personal data that has been collected due to regulation is retained for as long as required by the applicable regulation, E.g. in case the personal data has been collected based on anti-money laundering (5 years after a single transaction or 5 years after the business relationship has ended) or accounting (10 years after the close of the fiscal year) regulation.
The retaining periods may wary due to differences in national regulation.
What are the rights of the Data Subject?
Each Data Subject has a legal backed right to verify personal data, concerning himself/herself, that CapMan holds in its registers. Additionally, the Data Subject has the right to demand that the personal data is updated, corrected or deleted. CapMan strives to comply with rightful claims effectively.
Subject to certain legal requirements you have a right to verify personal data about you by requesting a copy of your personal data. You may also demand that incorrect or inaccurate personal data is corrected. CapMan strives to keep its registers updated and faultless but cannot be held liable for any direct or indirect damage caused by inaccurate, insufficient or inaccurate personal data.
The Data Subject has no obligation to disclose all personal data requested by CapMan (e.g. regarding allergies or special diets for CapMan’s events), unless CapMan’s regulatory obligations or contractual maintenance requires such data to be disclosed. You may at any time withdraw your consent for collecting this personal data and demand that it is deleted.
You may request that the personal data that CapMan holds about you, is transferred to another personal data controller. Please note that CapMan does not take responsibility for personal data transferred outside the CapMan Group (unless CapMan makes the transfer to the third party in within the scope of its business).
Should you wish to exercise aforesaid rights, please send a written request as well as proof of your identity to CapMan by using the inquiry form on the bottom of the page. Proof of your identity is needed for preventing unauthorized disclosure of the personal data. The written request can also be sent by mail to the address CapMan / Privacy Matters, Ludviginkatu 6, 00130 Helsinki, Finland.
Upon receiving your request, we strive to deliver the requested material to you as soon as possible. Depending on the extent of the data request, the estimated delivery time is 1-4 weeks. The data request is generally free of charge but in case the data request is very extensive or very frequent, we may charge a reasonable fee to cover the administrative expenses.
We take all data requests seriously but in case the request is manifestly unfounded or unreasonable, we may decline to provide the requested material. In case your data request is declined due to being manifestly unfounded or unreasonable, we will notify you about this and the reason the request was declined in writing.
How can I send feedback to CapMan?
We strive to constantly develop and enhance our data protection practices and are thankful for all feedback. Please inform us about any and all of your concerns and development ideas by using he inquiry form on the bottom of the page.
If the Data Subject finds violation to his or her legal rights, he or she has the right to file a complaint with the national Data Protection Authority or another Data Protection Authority within the EU/ EEA area.
The Data Protection Ombudsman acts as the supervising authority in Finland. You can find the contact information of the Data Protection Ombudsman through this link.
How does CapMan secure the safety of personal data?
CapMan uses appropriate technical security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction. For instance, in CapMan transportable computers/devices are required to be secured with anti-theft devices, placed in locked files or cabinets or otherwise secured. Individuals who have access to the register are required to provide credentials to confirm their identity (at a minimum). Also, practices will be implemented to prevent introduction of malware and/or other destructive elements that would impair normal and expected system operation with antivirus software with automatic updates enabled.
In addition to the technical security measures, there are also organizational and administrative measures in place. CapMan employees are regularly trained on IT security, data protection and privacy matters. Internal policies and procedures are also designed to enhance the IT security and privacy of Data Subjects.
Personal data may also temporarily be stored on hard copies on paper in CapMan’s or its service providers’ supervised premises. Hard copies are destroyed by a specialised service provider.
Should you provide CapMan with your personal data?
The general principle is that that each Data Subject provides us with their personal details entirely voluntary and there are no adverse consequences if you decide not to provide your data. CapMan’s operations as a listed company and fund manager is however heavily regulated, meaning that there are several situations where providing personal data is necessary in order for CapMan to be able to comply with regulatory obligations or enter necessary agreements. Among other situations, a fund investment or establishing a business relationship with CapMan is not possible without sufficient personal data.
Providing personal data about someone else
CapMan generally conducts business with legal entities, meaning that the person providing personal details to CapMan might be someone else than the Data Subject him or herself, e.g. his or her employer or other similar legal or natural person.
If you provide personal details about someone else, we advise you to ensure that you are entitled to provide these personal details to CapMan and that CapMan, without further actions, may collect and process these personal details as described in this page.
When providing personal details about someone else, you must also ensure, that the person whose personal details you are about to provide, is informed about the contents of this page and his or her applicable legal rights.
Updates to CapMan’s data protection practices
This page has been updated in May 2018. CapMan reserves the right to unilaterally update this page in the future to ensure that the page complies with applicable regulation and internal data protection practices. The most recent data protection practices and valid privacy notices can at all times be found on this page.