Caystone Solutions Luxembourg
19, Rue Philippe II, L-2340 Luxembourg
RCS number 278057
+352 203 31795
1. Introduction
1.1. Scope of the Notice
In accordance with the General Data Protection Regulation (697/2016/EU) of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), this data privacy notice (the “Notice”) is addressed to you as a natural person outside Caystone Solutions Luxembourg (“Caystone”) in the context of the interactions we may have in the course of our business relationships.
We may collect and process personal data (“Personal Data”) in our capacity as data controller (“Data Controller”) in our provision of our services to our clients.
As Data Controller, we comply with applicable data protection laws and in particular with the GDPR to ensure the relevant standard of protection and privacy is applied to the Personal Data that we collect.
This Notice aims to provide you with information in a transparent manner regarding the processing of your Personal Data and notably the type of Personal Data collected, the reasons why we may process such Personal Data, the regulatory framework, the criteria to determine the duration of retention as well as your rights as data subject (the “Data Subject”) under the GDPR and how to exercise them.
This Notice shall apply to all Caystone clients for which Personal Data processing (the “Processing”) is required.
1.2. Definitions and interpretation
For the purpose of this Notice:
- The terms “Data Controller”, “Personal Data”, “Data Subject”, “Processing”, “Third Party” and any other term expressly defined in Article 4 of the GDPR shall have the meaning given to these terms in Article 4 of the GDPR.
- Any reference to “Caystone”, “we” and “us” shall refer to Caystone Solutions Luxembourg when collecting and Processing Personal Data.
- Further information about Caystone is available on Caystone’s website: www.caystone.com
2. What kind of Personal Data is collected?
As Controller and depending on the service that we provide you, we may collect and process the following types of Personal Data about you:
- Personal identification data: your name, addresses, telephone numbers, email addresses, business contact information, utility bills or equivalent to confirm your personal address.
- Biographical information: date of birth, civil status, gender, tax identification number, passport or ID card number, nationality, country of domicile, national insurance number, social security number.
- Professional information: employment and job history, education, title or CV.
- Power of attorney or mandate-related information when you act as board member or legal representative of a corporate client or an investment vehicle.
- Financial information: financial and credit history information, bank details, income, expenditure, assets and liabilities, sources of wealth.
- Tax-domicile and other tax-related documents and information such as tax residency, TIN, beneficial ownership, percentage of holding in a corporate entity notably in the context of compliance with the Foreign Account Tax Compliance Act (“FATCA”), Automatic Exchange of Information (“AEOI”), or local tax laws.
- Transaction/investment data: knowledge and experience in the investment field, current and past investments, investment profile, investment preferences and invested amount, number and value of shares held, role in a transaction (seller/acquirer of shares), transaction details, your goals and objectives in procuring our services.
- Information to assess whether you may represent a politically exposed person or money laundering risk.
- In some limited cases, other categories of Personal Data may be needed, such as for instance:
  - an extract of criminal records if you are a board member of a corporate client or an investment vehicle; or
  - a declaration of beneficial ownership or information on a holding of more than 25% of the capital or voting rights of a corporate client or an investment vehicle if you are legal representative of a corporate client or investment vehicle, or information on whether you qualify as a “politically exposed person”.
3. Source of Personal Data
We may collect information from you directly or from a number of sources as further detailed below.
3.1. Information that you provide us
We process the Personal Data that you provide us with directly, and the Personal Data we obtain in the course of our relationship with you, including:
- When you contact us (on behalf of your company or directly) in connection with our professional activities.
- When you provide us with your Personal Data in the context of on-boarding a company, for which you are an employee, director, beneficial owner or legal representative, as a client of Caystone following Know Your Customer rules (“KYC”) or for authentication of your electronic signature.
- When your name and details appear in any service offer, contractual document or operating memorandum or any procedure or template document as the contact person of a client in the context of providing our services.
- When you provide us with your Personal Data in mail correspondences and conversations during our business relationship; or
- When you have been visiting our website or have attended one of our events (as representative of a prospective or existing client).
3.2. Information that we may obtain from external sources
We also may collect and process your Personal Data that we receive from, among others, the following external sources:
- Publicly available and accessible databases and sources made available by official authorities or third parties.
- Bankruptcy registers.
- Your employer (the latter being one of our clients or service providers).
- Public administration or tax authorities.
- Governmental and competent regulatory authorities; and
- Fraud prevention and detection agencies and organisations (such as OFAC, European Union or local entities).
4. Why do we process Personal Data?
As required by article 5 of GDPR, Caystone processes lawfully, fairly and in a transparent manner the Personal Data received from Data Subjects.
The Personal Data is processed by Caystone for one of the following purposes/legal basis:
- Contract performance: your Personal Data might be collected and processed to enter into contractual relationships in connection with the services being provided, in accordance with the terms of a service agreement, to our corporate clients of which you may be an employee, shareholder or beneficial owner.
- Legal obligation: your Personal Data might be processed to comply with any applicable legal, tax, statutory and regulatory requirements to which Caystone is subject, including laws and regulations applicable to Luxembourg-authorized chartered professional accountants (“Experts-Comptables”) and company law, or to reply to any official request from a public or judicial authority.
- For AML and countering financial terrorism purposes: Caystone also processes Personal Data to meet the requirements of due diligence, AML, KYC and countering financial terrorism purposes. In the context of this processing we might be joint controllers with our affiliated company Caystone Solutions Ltd.
- Legitimate interest: some of the processing we carry out is necessary to fulfil Caystone’s legitimate interests to provide and develop our products or services, to improve our risk management and/or to defend our legal rights.
- Consent: you may be asked to confirm your consent to the processing of the Personal Data that we ask you to provide to us for one or more specific purposes. Personal Data can be used for other purposes but only with the explicit prior consent of the clients.
- In any case, we process your Personal Data only to the extent necessary and only for one of the above-listed purposes/legal bases. For more specific examples, processing activities include:
- Client onboarding processes, including verifying the legal capacity of a client’s representatives to enter into contractual relations with Caystone.
- Authentication of electronic signatures of contractual documents.
- Providing the services following our contractual arrangements.
- Assisting our clients and answering their requests.
- Managing our relationship with clients and prospective clients, including communications concerning our products and services.
- Compliance with legal and regulatory duties imposed upon Caystone within the framework of the services provided to the clients.
- Prevention of money laundering and financing of terrorism and compliance with legislation concerning sanctions and embargoes.
- Prevention of tax fraud and fulfilment of tax control and notification obligations.
- Replying to an official request from a public or judicial authority.
- Defending our legal rights in cases of dispute (by notably holding proof of transactions, recording phone calls etc.).
- Optimizing and developing our products or services and improving our risk management.
- Improving quality and performance of our systems and our products and services.
- Developing products, training and similar administrative purposes.
The data collected is not further processed in a manner that is incompatible with our services and it is limited to our legitimate needs as described above.
5. With whom do we share Personal Data and why?
On an as-needed basis, your Personal Data might be shared with the following recipients:
- Caystone Group companies in order to ensure a consistent high standard of service across our group or legitimate interest as described above.
- Our affiliated company, Caystone Solutions Ltd., for limited purposes such as support in the provision of certain services to our clients as duly agreed under an outsourcing agreement, compliance requirements, risk management or to fulfil our legitimate interest described above.
- Public or regulatory authorities (e.g. regulatory, tax and governmental) or judicial authorities when required by law or regulation, or when the authorities or bodies request us to do so; or in relation to our defense, action or proceeding or complying with a regulation or recommendation issued from a competent authority addressed to us or any member of the Caystone Group.
- In some instances, we may also share Personal Data with our suppliers, including Caystone Group companies and other business partners, such as IT and hosting providers, communication services, printing providers, legal advisors, auditors, consultants, our insurers, credit institutions or third party payment providers for the purpose of providing a payment initiation or account information service at your request. We ensure that any supplier meets our data security standards and hence your Personal Data remains secure.
- We will not disclose, transfer or sell Personal Data to any third party unless we have received clear prior consent to this from our client.
6. Transfers of Personal Data outside the European Economic Area (“EEA”)
- Given the international dimension of the Caystone Group and in certain limited circumstances, we may or may have to transfer Personal Data to a country outside the EEA in the course of our services and activities performed to our clients either to comply with some local regulations or to enhance the quality and time efficiency of our services.
- In case of international transfers of Personal Data to a non-EEA country (which includes transfers of Personal Data to our affiliated companies in The Bahamas), we ensure that the transferred Personal Data is protected with adequate levels of data protection and appropriate measures in accordance with the GDPR, the European Commission’s decisions and guidelines and the Caystone Group’s GDPR policy.
- We may also have to disclose Personal Data upon request to the official bodies and administrative or judicial authorities of a country located outside the EEA, in particular in the context of money laundering and terrorist financing. We do so in strict compliance with GDPR and any other applicable law.
7. How long do we keep Personal Data?
Caystone will retain your Personal Data covered by this Notice for as long as required to perform the purposes for which the data was collected and as long as we provide services to the clients.
We also retain your Personal Data to the extent necessary for us to meet applicable legal and regulatory obligations.
In case we are requested to erase or return Personal Data, we reserve the right to keep a copy to defend ourselves from legal claims for as long as is legally required for such purposes.
In particular, we retain your Personal Data according to the mandatory retention obligations and periods required by applicable laws and professional standards applicable to Luxembourg-authorized chartered professional accountants (including but not limited to storage periods provided for by accounting maintenance standards, local civil and commercial laws, KYC rules, rules on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing, or technical regulations such as FATCA or AEOI).
More generally, we retain your Personal Data, information and records for the duration of the contractual relationship with you plus a period of a certain number of years after the termination of our contractual or other relationship with you, as required by applicable laws or to protect Caystone’s interest in case any claims arise out of the provision of our services to you.
8. Confidentiality and data security
Caystone’s staff, and any other service provider authorized to process Personal Data of Data Subjects via an outsourcing arrangement, exercise the same level of care as applied to their own Personal Data.
All employees within Caystone are bound by a confidentiality clause as this constitutes a provision in their employment contract. A breach of this provision may lead to dismissal.
Our IT and physical structure are set out in a way that protects against accidental loss and unauthorized access, use, alteration, or disclosure of Personal Data.
9. Your rights relating to Personal Data
In accordance with GDPR, you have the following rights in respect of your Personal Data:
- Right to access the Personal Data that is being processed by Caystone: you have the right to know if we hold and process some of your Personal Data and to access the Personal Data that we hold about you upon request.
- Right to rectify Personal Data which is incomplete and/or inaccurate and right to verify if the data has been rectified.
- Right to restrict the use of your Personal Data on grounds relating to your particular situation.
- Right to request that Personal Data is erased and right to verify if the data has been erased.
- Right to object to processing of Personal Data. We stop such processing unless it is necessary to maintain it for the legitimate purposes listed above.
- Right to data portability (in certain specific circumstances) and transfer the Personal Data to another controller where technically feasible and where it does not affect the provision of our activities and services.
- Right to withdraw consent for data processing (if the consent was required for lawful processing), provided that no regulatory or contractual provisions require us to maintain records of your Personal Data.
- Right not to receive marketing communications.
- Right to lodge a complaint with a supervisory authority, as further described below in Section 11.
To exercise your rights, please contact us at the address and email detailed in Section 12 below “How to contact us”. We will respond to you as soon as practicable in accordance with GDPR.
10. Communication of a Personal Data breach to the Data Subject
In case of a data breach, Caystone will notify the National Commission for Data Protection (the “CNPD”), the Luxembourg supervisory authority, not later than 72 hours after having become aware of it.
When the Personal Data breach is likely to result in a high risk to the rights and freedoms of natural persons, Caystone will also notify the Data Subject without undue delay.
11. Your right to complain and raise questions to the data protection authorities
The client also has the possibility to file a complaint with the CNPD, established at 1, Avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette, Luxembourg.
12. How To Contact us
Should you request further details on the processing of your Personal Data or if you wish to exercise your rights or if you have any specific queries regarding the processing of your Personal Data, you can contact us as follows:
- by email on the following address: [email protected].
- by post at: 19, Rue Philippe II, L-2340 Luxembourg.
13. Status and amendments to this Notice
This Notice is current as of September 24, 2024 in compliance with GDPR.
It aims to inform you, as Data Subjects, about Caystone’s organisation regarding Personal Data processing and your rights according to GDPR. It is not a binding document.
This Notice is subject to update and amendment from time to time. Although we may request our clients to inform you about that update, we may not be able to personally notify you.
We kindly ask you to review the Caystone website from time to time for possible changes.
