Privacy Policy of Quercus Real Assets
__
Contact Information
Quercus Real Assets Limited.
11 Albemarle Street,
London W1S 4HH
United Kingdom
Email:gdpr@quercusrealassets.com
Definitions
Below are some of the definitions used in this Policy (along with other defined terms found elsewhere in this Policy). For purposes of simplicity, we use “Individual” and “you” interchangeably to mean the natural person about whom QRA collects and processes personal data. We call “personal data” “Information.” We use “QRA”, “we” and Controller interchangeably to mean Quercus Real Assets Limited.
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Information. The GDPR also refers to Controllers as “Data Controllers.” Throughout this Policy we use Controller and QRA interchangeably.
Cookies
A small amount of data stored in an Individual’s digital device that is often used at websites to give and receive information about that Individual to the owner and/or manager of that site. You can adjust your own Cookie settings in your digital device and on the sites that deploy Cookies on your digital devices.
Data Subject
This term is the definition used in GDPR, which is the natural person to whom the Personal Data (in this Policy, “Information”) refers.
European Union (or EU)
Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
Individual
This term means each natural person who visits a QRA website, provides Information to us and/or from whom QRA obtains Information in other ways (described below).
Information
In this policy QRA uses the term “Information” to mean what is called “Personal Data” in the GDPR, which is any information that directly, indirectly, or in connection with other information, allows for the identification or identifiability of a natural person.
Processor and Sub-Processor
The natural or legal person, public authority, agency or other body which processes Personal Data (in this Policy the “Information”) on behalf of the Controller, as described in this Policy. “Sub-Processor” means an entity that is engaged in Processing under contract with a Processor.
Service Providers
This term means corporate entities or individuals that provide services to QRA or propose to provide such services, including, for example, third party accountants, auditors, lawyers, investment bankers, project managers, engineers, IT service providers and other consultants. Typically, Service Providers are Processors.
Usage Data
Information collected automatically through QRA (or third-party services used by QRA), which can include: the IP addresses or domain names of the digital device(s) utilized by Individual, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed on any QRA website with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the IT environment of the Individual. Usage Data usually resides in the “Systems Logs” of QRA. However, QRA does not collect any Usage Data, except for traffic numbers (number of visitors).
Terms used but not defined in this Policy shall have the same meaning as in Article 4 of the GDPR.
Who We Are: QRA as Controller
Under applicable regulations of the European Union, entities that collect (or, in our case, receive) and use information from individuals are called “Controllers” or “Processors.” A Controller decides on the information it collects and how it uses such information and a Processor “processes” the information on behalf of the Controller. Controllers and Processors are subject to slightly different regulations. In general, QRA is the Controller.
In some situations, an entity can be both a Controller and a Processor. For example, our UK entity, QRA, collects information on its own, but then it sends some of it to its subsidiary and corporate entities that advise and manage certain investments in other jurisdictions. In those situations, QRA would be the Controller and the other entities would be the Processors. Therefore, when each of these entities collects information, it could become a Controller for that information; when it sends it to one or both of the other entities, each of those entities could become a Processor. However, many such entities receive such information under the direction of QRA, in which case QRA would be the Controller. The entities within the QRA that transfer and process Information all have written agreements governing those transfers and the processing of the Information.
Each of these entities may also send information to a Service Provider. As we explain below, each of them is subject to confidentiality obligations as to the information collected. Each Service Provider is a Processor in their relationships with QRA entities.
The Individuals Who Provide Us with Information
We receive contact information from individuals with whom we come in contact in the normal course of our business of raising and managing funds, making and managing investments, seeking advice thereon, complying with applicable regulations and obtaining the services of third parties for such matters as office support, transportation, information technology and the like. As noted in the “Definitions” section above, these natural persons are called “Individuals” throughout this Policy.
For example, such Individuals might be: potential, current and past investors; potential, current and past partners, managers or staff in our investment projects; individuals who might be involved in the decisions on and/or management of such projects (e.g., regulatory officials), candidates for employment or other engagement by one of our entities.
Types of Information Received
General Contact Information
QRA receives information that it considers necessary or appropriate to fulfil its business objectives. In general, the minimum amount received would be what one would expect to find on a business card: name, title, company name, email address, office and mobile number and business street address (with city and country). Sometimes the information is only name and email address. In some instances, an individual might give us his or her personal contact information such as personal email address and phone numbers. QRA might also receive other information freely given, such as birthdates and anniversaries of other significant events. In some instances, this information is available via social media platforms and access is provided to such information when, for example, a member of the QRA team “links” or otherwise connects with such individuals during the use of such social media platforms. Such information may include gender and other personal information.
Additional Information
QRA may also obtain from individuals additional information that is needed for our business. For example, Service Providers will usually have to provide financial information, such as bank and payment information (e.g., wire transfer instructions), credit or debit card information and, possibly, information necessary for a credit check. This information might come from an individual who is a Service Provider or one who represents a corporate Service Provider.
Similarly, investors might provide financial information for purposes of making their investments or receiving contractually mandated payments from QRA. This may also be true of potential investors. QRA may be required by law to request and obtain additional financial or other sensitive information due to requirements such as financial regulations. The above types of information might also be obtained from potential project partners and those involved in such projects or related decision-making. In all such cases, it is likely that QRA will obtain tax identification information, too.
QRA might also end up receiving additional “digital” information as a result of interaction by phone, email or SMS or their equivalents. For example, phones often display “Caller ID” and SMS systems that reveal your username for that system. Headers in email may also provide such information. In addition, websites might also collect what is called the “IP address” of visitors to such websites. In general, QRA does not actively use such digital information “active” meaning that it is not purposely collected but only incidental to other form of communications.
QRA might also obtain information that is publicly available, e.g., through profiles or other posts on social networks. It is natural that individuals in decision-making positions might seek information from such posts when they are considering a candidate for a position as an employee or Service Provider or in relation to a past, present or future project.
Usage Data
Unlike many websites, QRA websites do not include advertisements or information from third parties. Therefore, we do not collect that type of Usage Data, nor do third parties. However, like many other websites, the QRA websites respond to Cookies, which means that QRA may collect your IP address. Other analytics might also collect similar data, which is explained below under “Analytics.”
Information Individuals Provide
You and other individuals might provide QRA with information from you or from third parties. You confirm that the information you provide is truthful and accurate. If you provide information about third parties to QRA (or through QRA to others) you are responsible for any third-party information that you share through QRA and confirm that you have the consent necessary to provide it to QRA.
Processing the Information
Methods of Processing
The applicable regulation of the European Union defines “processing” as follows:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Put simply, for QRA, it means storing, organising and using the Information and in all cases for its business as described in the first paragraph of this Policy.
QRA processes the information using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In some cases, the Information may be accessible to certain individuals involved in these processes, including individuals inside of QRA involved in business development, investments, project identification, evaluation and management and operations such as administration, sales, marketing, legal, accounting and system administration. QRA Service Providers for some services such as technical service providers, mail carriers, hosting providers, IT companies, communications, accountants, lawyers, consultants, appraisers, investment bankers and others. The updated list of these parties may be requested from the Owner at any time, although the identities of some of the Service Provider might not be available due to confidentiality obligations.
The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
“Lawful Basis” of Processing under GDPR
According to the applicable regulations of the European Union, QRA may collect and process the Information only with a “legal basis,” which can be any number of the following:
- The relevant individuals have given their affirmative consent for one or more specific purposes;
- Provision of the Information is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
- Processing is necessary for compliance with a legal obligation to which QRA is subject;
- Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in QRA;
- Processing is necessary for the purposes of the legitimate interests pursued by QRA or by a third party.
In any case, QRA will gladly help to clarify the specific legal basis that applies to the processing.
Performance of an Agreement as the Lawful Basis of Processing
In many situations, the information will be processed on the lawful basis that there is a contract that involves, and requires, the transmission and processing of Information. To be specific, this basis can be found in Article 6(1)(b) of the GDPR, relating to actions necessary to perform a contract or to respond to your requests for actions to be taken prior to a contract taking effect. Employment agreements are one example. So also are subscription agreements with investors. Vendors agreements are another example. In all such situations where QRA or one of the entities in the QRA Group has an agreement which involves Information, that Information will be processed consistent with GDPR.
“Legitimate Interest” as the Lawful Basis of Processing
In other situations, the lawful basis of processing will be a “legitimate interest” of the relevant QRA Group entity, which is determined in a three-part test to: (1) identify the “Legitimate Interest” in question; (2) analyse the “necessity” of the processing; and (3) “balance” the rights and freedom of the individual with the “Legitimate Interest” identified in the first step of the test. Understandably, the test differs according to the circumstances such as the Information to be processed and the availability of alternatives for processing.
Accordingly, we believe that we have a legitimate interest in the safety of our workplace and fraud prevention when we perform the normal functions of human resources and of management in finding and selecting employees, Service Providers, potential investors and potential directors for QRA Group entities. Those normal functions would include background and credit checks, for example. There are no reasonable alternatives to such processing.
“Special Category” Information
The GDPR notes that certain Information is so sensitive that it requires additional safeguards and attention, including, for example, race, gender, political affiliation and health conditions. This Information is received and processed exclusively through human resources and is based on Articles 9(2)(b) and 9(2)(h) of the GDPR. In addition, we believe that our processing also comports with Schedule 1 part 1(1) and (2)(a) and (b) of the Data Protection Act 2018 of the United Kingdom relating to processing for employment, work capacity of candidates and medical matters.
Location of Processing
QRA uses the Information in its operating office (currently the United Kingdom). With reference to some individuals, Information may be processed in countries where projects—or possible projects—are located. When QRA uses third parties to process Information (e.g., hosting providers, IT services), the Information is processed at the operating offices of each third party and in any other places where the parties involved in the processing are located. For example, our IT Service Provider, like other Service Providers, uses the “Cloud” for storage and transfer of Information. That Service Provider is responsible in its contract with us to manage any transfers that might occur as a result of Cloud usage to be in compliance with GDPR. This may result in Information being transferred to a country or countries other than the country of residence of the particular individual.
You can find out more by checking the relevant sections of this policy or contact QRA (the contact information is set forth at the beginning of this Policy). You can also learn more about transfers of Information to a country outside of the European Union or to international organizations governed by public international law or set up by two or more countries (such as the UN), also be contacting us
The Types of Processing
Information is received and/or processed as follows:
Contact by the Individual
When you email QRA (or use some other method of contacting QRA), naturally, we will receive that Information. We will use it only to keep in touch with you regarding the specific purposes of the communications—such as reaching agreement on you becoming an investor, or engaging you as a Service Provider and so forth. If QRA and you enter into a written agreement, then we will use that Information to fulfil the obligations under that agreement. For example, once you have become an investor, we will send you periodic communications regarding QRA, its projects, plans and so forth.
Information collected: email address, name and whatever information you provide in that email (e.g., your signature block might include your phone number, title, company name and/or address).
Newsletter
QRA does not circulate a newsletter. In the future, it might do so. However, you will be asked to sign up for the newsletter—that is, to give your consent to receiving the newsletter. You will have no obligation to do so. Your consent will be used only to provide you the newsletter and only for as long as you wish to receive it.
Handling Payments
When investors make their investments or provide information to receive payments from QRA, they provide Information beyond name and email address. To ensure greater security, QRA shares only the information necessary to execute the transaction with the financial intermediaries handling the transaction. You might receive communications such as notices of clearance of a payment and other such notices. QRA will also provide you with financial information for your accounting and fiscal purposes.
The payment procedures with Service Providers are a little different because the payments are between two corporate entities. It is likely that Information about the individuals involved in that relationship is transferred (e.g., name and email address). QRA uses such Information only in relation to the contract it has with that Service Provider.
Hosting and Backend Infrastructure
QRA stores Information on either its servers or servers provided by a data centre or Service Provider. Some of these Service Providers use servers that are geographically distributed, which makes it difficult to determine every location where Information is stored. Each Service Provider enters into a written agreement with QRA and each such Service Provider is subject to confidentiality and security obligations.
Interaction with Social Networks
As noted above, it may be that individuals within, or Service Providers to, some part of the QRA Group may obtain Information from Social Networks. This Information is used only for the purposes of fulfilling business obligations, such as interviewing potential candidates or evaluating past, present or future projects. See the section above “Location of Processing” for additional information.
Managing Contacts and Sending Messages
QRA uses a “contact management system” to send information to Individuals, typically periodic financial reports that are required by contract or in the period of discussions of a possible contractual relationship.
Analytics
QRA can analyse certain anonymized information as to website traffic (number of visitors) within certain parameters (e.g., time and duration of visit). For example, Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google may utilize the Information to track and examine the use of QRA, to prepare reports on its activities and share them with other Google services. QRA does not control Google Analytics.
System Logs and Maintenance
For operation and maintenance purposes, QRA and certain Service Providers may collect files that record interaction with QRA (System logs) or use other Information (such as the IP Address), for example, to maintain (including upgrading or otherwise altering) its systems, network, software and equipment.
Communications within QRA or the future QRA Group
Some of the other entities may collect Information in the normal course of their businesses, or QRA may provide Information to one or more of such entities for those entities to conduct their business. For example, each fund engages its own Depositary and Paying Agent, responsible for communications with investors. Each future QRA Group entity might engage its own Service Providers. QRA sometimes serves as the Controller and Processor for such Information and therefore shares Information with other entities in the QRA Family Group.
Legal Action
QRA can use Information for legal purposes in judicial systems where QRA is defending its interests or in the stages leading to possible legal action. You understand and acknowledge that you are aware that QRA may be required to comply with requests by government authorities for the release of Information.
Where Information Goes
Information Transferred and Processed within the (future) QRA Group
Information is transferred among the entities of the QRA Group—and outside the QRA Group—depending upon how and why the Information is processed. In all cases, however, the transfer and processing are governed by written data processing agreements among the entities (and outside, with the Service Providers).
For example, Information regarding investors (part, current and potential) is received and processed by: Investor Relations, which is managed by QRA; if such Information is relevant to other entities within QRA Group and to part owners of some of the operating assets.
Information on candidates for such positions as directors or members of boards of QRA and its funds also go to the entities described above. Information on candidates for other jobs is transferred to and processed by the entities seeking employees and entities providing management services to such entities.
Information Transferred Outside the “QRA Group”
Sometimes (as noted above), Information is transferred to third parties—i.e., corporate entities who are not part of the QRA Group. This group of third parties includes banks and other financial institutions required to receive the Information by law or to provide services to one or more entities in the QRA Group. These third parties serve as Processors (or Sub-processors) and therefore have data processing agreements governing the processing of Information.
As previously noted, we might be compelled by regulations to transfer Information to regulatory authorities or to parties in a legal dispute.
How Long QRA Keeps Information
QRA will keep Information for as long as required by the purpose of the original collection. For example, Information collected and processed for the performance of a contract will continue for as long as any part of that contract remains in effect. Information might be maintained for a longer period if there is a reason to do so, such as potential litigation or for records regarding, for example, distributions made by one of our funds. Legal obligations or regulatory compliance may require Information to be retained for a longer period. In addition, QRA might seek your consent to retain Information for a longer period.
Once the retention period expires for particular Information QRA will delete that Information. This will mean that your rights under the European Union regulations will also expire. Those rights are described in more detail below.
QRA will keep Information for as long as required by the purpose of the original collection. For example, Information collected and processed for the performance of a contract will continue for as long as any part of that contract remains in effect.
The Rights of Individuals as to the Information QRA Receives and Processes
Your Rights
If we have some of your Information, then you have rights to do the following, which in general will require QRA to respond to your requests. Additional details are provided below this section, Your Rights.
- Withdraw your consent at any time. If you have provided affirmative consent you can withdraw consent you have given. Please not that if you do so we might not be able to fulfil certain obligations. Please see the section at the start of this policy for the procedure for doing so.
- Object to processing. You can object to the processing by QRA of your Information if the processing is carried out on a legal basis other than consent (with some exceptions described below).
- Access Information about You. You have the right to learn QRA is processing Information about you and obtain a copy of it.
- Verify and seek Corrections. You can verify the Information and request that it be updated or corrected.
- Restrict Processing. Under certain circumstances, you can restrict processing by QRA, in which case QRA can only store it.
- Have Information Deleted or Otherwise Removed. Under certain circumstances, you can have QRA “erase” your Information.
- Receive a Copy of the Information and Have it Transferred. Under certain circumstances, at your request QRA will provide you with a copy of the Information in a “structured, commonly used and machine-readable format” and, if technically feasible, have it transmitted to another controller without any impediment.
- Object to Direct Marketing Processing. At any time, without explanation, you can object to direct marketing processing. QRA does not engage in direct marketing.
- Lodge a Complaint with a Government Authority. Members states of the European Union have data protection authorities. You can lodge a complaint with them at any time.
Please note that exercising rights of removal, etc., might not be possible if the basis of collecting and processing the Information derives from an agreement QRA may have with you (or a company with which you are involved).
How to Exercise These Rights
Any requests to exercise your rights should be sent to QRA at the contact information at the start of this Policy. QRA is obligated by law to respond in a prompt manner to your request—in no event longer than thirty days.
Cookie Policy
QRA does not currently use Cookies but has the technical capacity to do so. It will use Cookies only to optimize your browsing experience at the website, for language setting and positioning of information and links on the website.
Other Types of Cookies or Third Parties That Install Cookies
When you arrive on a QRA website, you may bring with you Cookies installed at other websites you have visited. QRA does not control these Cookies.
How to Provide or Withdraw Consent to the Installation of Cookies
You can manage preferences for Cookies directly from within your own browser and prevent – for example – third parties from installing Cookies. Through browser preferences, it is also possible to delete Cookies, including the Cookies that may have saved the initial consent for installation. You can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer. Often, you can find an “opt-out” link connected to those Cookies. You should also be able to find other means for doing so in the privacy policy of the owners of such Cookies or by contacting those owners.
In certain countries, initiatives have started to control tracking preferences of advertisers, such as EDAA (EU), the Network Advertising Initiative (US) and the Digital Advertising Alliance (US), DAAC (Canada), DDAI (Japan). Such initiatives allow you to select their tracking preferences for most of the advertising tools. We recommend that you make use of these resources in addition to the information provided in this document.
Obtaining Additional Information
You may request additional details concerning the collection or processing of the Information at any time by contacting QRA using the contact information at the beginning of this Policy.
How “Do Not Track” Requests Are Handled
QRA does not support “Do Not Track” requests. To determine whether any of the third-party services it uses honour the “Do Not Track” requests, please read their privacy policies.
Changes to this Privacy Policy
QRA reserves the right to make changes to this Policy at any time by giving you notice, usually on the website and this page. We urge you to check this page on a frequent basis. The date at the top of this Policy will indicate the most recent modification to the Policy. Should the changes affect processing activities performed on the basis of your affirmative consent, QRA shall obtain new consent, where required.
Legal information
This privacy statement has been prepared based on provisions of multiple statutes, including the GDPR.