PREAMBLE

A This Data Protection Protocol (Protocol) sets out how the Bolder Group and its subsidiaries and affiliates (in this Data Protection Protocol referred to as Bolder, we, us or our) protect the confidentiality of the Personal Data which we collect, hold, use and disclose, for and on behalf of Clients.

B This Protocol is applicable where we process and/ or control Personal Data and where our clients are a (joint) Controller. It sets out the security practices and technical and organizational measures that we have implemented to ensure the security and confidentiality of the Personal Data.

C This Protocol shall form an integral part of the agreement for Services entered into between Bolder and and the Client (the Agreement) insofar as and to the extent that such Agreement shall provide for the protection and confidentiality of Personal Data and where applicable, this Protocol shall replace any and all other provision made in such Agreement, as it relates to the same subject matter.

D for the purposes of any applicable Data Protection Law, this Protocol shall be deemed to constitute an arrangement between the Parties with regard to (a) the specific rights and obligations related to the processing or controlling or joint controlling of personal data; and (b) to ensure that sufficient safeguard is provided in respect of the technical and organisational security measures concerning the use of such Personal Data. 

E Data Protection Laws impose on the Parties the obligation to monitor compliance with the measures set out herein.

NOW THEREFORE this Protocol shall form part of any Agreement in place between Bolder and a Client as regards the Agreement.

Definitions

Data Subject

the person to whom Personal Data relates.

Security Incident

an infringement of the technical or organizational security measures taken that may lead
to a considerable chance of serious adverse consequences or that has serious adverse
consequences for the protection of personal data.

Data Controller or Controller

shall have the meaning given to it under applicable Data Protection Laws and in the case where there shall be more than one Data Controller, each shall be a Joint Controller.

Data Processor or Processor

shall have the meaning given to it under applicable Data Protection Laws

Client

Means the party with whom Bolder shall have contracted with for the provision of Services.

Data Leak

an incident resulting in unlawful destruction, loss, change, unauthorized disclosure of or
access to personal data as a result of a security incident.

Data Protection Laws

means any laws or regulations that shall for the time being, be applicable to Personal Data relating to the protection of Personal Data but in particular shall include (without limitation):

(a) for the European Union, the Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “the GDPR”); (b) for the Cayman Islands the Cayman Data Protection Law 2019; (c) the British Virgin Islands, the Data Protection Act 2021; (d) for Singapore, the Personal Data Protection Act 2021; (e) for the Philippines, the Data Privacy Act 2012 and Implementing Rules and Regulations of the Data Privacy Act 2012; and (f) for Hong Kong, the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012

Personal Data

means any data regarding a Data Subject identified or identifiable living person, collected and processed by Bolder and for the purposes of this Protocol, the types of Personal Data may include (without limitation)

(a) Demographic data such as name, gender, date of birth, age, nationality;

(b) Contact details such as home and work phone numbers, postal addresses and email addresses;

(c) Financial data such as bank account number;

(d) Government identifiers such as passport copies, driver’s licence, income tax number; and

(e) Criminal records and political associations where they are revealed by client screening.

Agreement

means the agreement Bolder shall have entered into with a Client for the provision of the Services.

Services

Means the services provided by Bolder to a Client as specified in the Services Agreement and shall include (without limiting the generality thereof) fund administration and ancillary services, corporate and fiduciary services, reporting and tax services

Subject Transmission Request

Means a request by a Data Subject to have their Personal Data transferred or transmitted to a third-party Controller.

Subject Access Request

Means a request by a Data Subject to obtain information about the processing of their Personal Data or to have the information rectified, erased or blocked

Party or Parties

Means any party who shall be a party to a Services Agreement.

Interpretation

For the purposes of this Protocol:

(a) capitalised words used in this Protocol without definition, shall have the meaning as otherwise set out herein or as set out in any applicable Data Protection Laws.

Article 1 – Data processing

1. Bolder obtains Personal Data of Data Subjects for the purposes of:

• administrative processing of subscription applications;
• transfers and requests for redemptions of shares or participations;
• to enable Bolder to perform a risk assessment as prescribed by applicable anti-money laundering and anti-terrorist financing laws and regulations;
• to conduct checks and monitoring in accordance with Bolder KYC policies in force from time to time and as may be required by any applicable laws and regulations;
• to enable Bolder to carry out a classification for FATCA, CRS and other similar regulations and AEOI purposes;
• to enable Bolder to process Confidential Information in accordance with the performance of the Services
• complying with any legal obligation to which either Party is subject; and
• to optimise the global services which Bolder is able to provide to Clients.

2. The details of the processing activities carried out on behalf of the Client by Bolder (such as the subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects) are listed in Appendix I.

3. The Parties shall not process Personal Data in a way that is incompatible with the purposes agreed above and in the Agreement.

4. Bolder takes no responsibility for obtaining consent by the Client for the purposes of sending marketing communications including newsletters or statements.

5. As a Data Controller, the Client remains responsible together with Bolder for ensuring that all uses of the Personal Data are in compliance with the Privacy Laws.

6. Bolder guarantees that the processing of Personal Data  is done with due care and only processes the Personal Data made available within the framework of the Agreement, except for deviating statutory obligations and/or with the Client’s prior permission. Bolder may decide in its sole discretion on the means of processing of Personal Data and will inform the Client if any relevant changes occur.

Article 2 – Responsabilities of the parties

1. Where the Client shall pass the Personal Data of a Data Subject to Bolder, it shall ensure that it is compliant with Data Protection Laws to the extent necessary for the processing of Personal Data, including:

a. ensuring it has obtained any necessary consents in order for Bolder to process the Personal Data in accordance with the Agreement; and
b. ensuring it has provided adequate notice as required by Data Protection Laws to the processing of the Personal Data by Bolder and if applicable the transfer of data outside the European Economic Area.

2. Where Personal Data relating to a Data Subject is collected by Bolder.  we shall, at the time when Personal Data is obtained, or at least within one month after that time, provide the Data Subject with all of the following information:

• Bolder’s company information and the contact details;
• the contact details of the data protection officer, where applicable;
• the purposes of the processing for which the Personal Data is intended as well as any legal basis for the processing;
• the recipients or categories of recipients of the Personal Data, if any;
• where applicable, the fact that Bolder intends to transfer Personal Data to a third country or international organisation and reference to the appropriate or suitable safeguards in place.

3. In addition to the information referred to in paragraph 2 of this Article, Bolder shall, at the time when Personal Data is obtained, provide the Data Subject with the following further information necessary to ensure fair and transparent processing:

• the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
• the existence of the right to request from Bolder access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability which is the right of a Data Subject to receive the Personal Data concerning him or her, which he or she has made available, in a structured, commonly used and machine-readable format and have it transmitted to another controller without hindrance;
• where the processing is based on consent or when it concerns specific categories of Personal Data, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• the right to lodge a complaint with a supervisory authority;
• whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as;
• whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such Personal Data.

4. Where Bolder intends to further process the Personal Data for a purpose other than that for which the Personal Data was collected, Bolder shall request approval from the Client first. After approval, Bolder shall provide the Data Subject prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2 and 3 of this Article.

5. Paragraphs 2, 3 and 4 of this Article shall not apply where and insofar as the Data Subject already has the information.

6. Each Party shall, in respect of Personal Data, ensure that they have provided sufficient information to the Data Subjects in order for them to understand which of their Personal Data is being shared, the circumstances in which it will be shared, the purposes for the data sharing and the identity of with whom the Personal Data shall be shared.

Article 3 – Non Disclosure

The Parties undertake not to disclose to third parties anything that comes to the notice of the parties or their employees about the other party’s operations and/or Personal Data made available, except for information that is known to and/or accessible to anyone, or if such is necessary or mandatory, it is:

• within the framework of the implementation of the Agreement;
• under or in compliance with legislation and regulations, including any applicable regulation or supervision of the services to be provided by Bolder;
• under a statutory obligation to disclose to a judicial authority, government authority or supervisory agency;
• under a provisionally enforceable or final and binding court decision;
• the information is public other than through a breach by a Party of the terms of the Agreement; or
• with the other Party’s written consent.

Article 4 – Security and subprocessing

1. Bolder shall take and maintain appropriate technical and organisational measures, and if necessary, adjust these to protect the Personal Data from destruction, loss, falsification, unauthorized dissemination or unauthorized access, or any form of unlawful processing.

2. Under this Article, Bolder ensures that a duty to protect Personal Data shall be imposed on third parties to be engaged by it. Bolder assures the Client that sub-processors will be chosen with the necessary care and that the same data protection obligation as stated in this protocol and if relevant is imposed on all its sub-processors. If Bolder engages a third-party processor for carrying out specific processing activities, the obligations that shall be imposed on that processor by way of a written contract providing sufficient guarantees to implement appropriate technical and organisational measures in such manner that the processing will meet the requirements of the Data Protection Laws. A list of approved sub-processors Bolder uses or intends to use, is attached to this Agreement as Appendix II.

3. Notwithstanding the obligations under this article, Bolder may in any case engage third parties that qualify or may qualify as Processor for delivering IT solutions to the organisation. Bolder will obtain the written consent of the Client at least 14 days before engaging Processors for any task not listed in this article. Bolder will accurately inform the Client on the Processors engaged by it and any changes thereof. In case the Client has reasonable grounds to object to the use of new or more sub-processors, the Client must immediately inform Bolder of this in writing within 14 days of receipt of this notification. Bolder will, if the objection is not unreasonable, endeavor to make changes to the services available to the Client or to recommend a commercially reasonable change in the configuration of the Client or the use by the Client of the services to prevent the processing of Personal Data by the new or other sub-processor objected to, without unjustifiably burdening the Client. If Bolder cannot make this change available within a reasonable period, which period shall not exceed sixty (60) days, the Client may terminate the affected part of the Agreement, but only in respect of those services that cannot be provided by Bolder without the use of the new or other sub-processors objected to by means of written notification to Bolder.

4. If a sub-processor is located in a third country (as defined and or stated under the Data Protection Laws), at the written request of the Client and insofar as required, Bolder shall enter into a model contract (in the name of the Client). In this case, the Client instructs and authorizes Bolder to give sub-processors instructions on behalf of the Client and to use all rights of Client to the sub-processors on the basis of the model contract.

5. Bolder remains liable to the Client for compliance with the obligations of a sub-processor, in case such sub-processor does not fulfil its obligations. However, Bolder is not liable for damage and claims arising from instructions from the Client to sub-processors.

6. Where Bolder only processes Personal Data on the instructions of the Client, Bolder has the obligation to demonstrate compliance with paragraph 1 of this article and should cooperate with any reasonable audit request from the Client on 30 days notice.

Article 5 – Data retention rules

1. Bolder shall not retain or process Personal Data for longer than is necessary to carry out the agreed purposes.

2. Notwithstanding paragraph 1 of this article, the Parties shall continue to retain Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry.

Article 6 – Security incidents and data leaks

1. Bolder shall at all times during the term of the Agreement, have measures and procedures in place designed to detect Security Incidents and Data Leaks and to take relevant action, including recovery measures. Upon discovery of a Security Incident or Data Leak Bolder shall notify the Client without undue delay of Security Incidents which have resulted in a Data Leak.

Bolder shall include information in the notification regarding:

• the nature of the infringement;
• the nature of the leaked Personal Data;
• the (alleged) cause of the infringement and the (alleged) cause of the leaked Personal Data;
• a description of the infringement found and the probable consequences of the infringement for the processing of Personal Data;
• the measures recommended to limit the negative consequences of the infringement;
• the measures Bolder has taken or proposes to remedy the consequences.

2. In the event of such an infringement in connection with Personal Data, Bolder will assist with the obligation of the Client pursuant to the applicable Data Protection Laws to inform the data subjects and the Supervisory Authorities respectively, and to document the Personal Data breach. Contact details regarding the report are recorded in the customer service system. Contacts persons are specified in Appendix I attached to this Agreement.

Article 7 – Rights of data subjects

1. Data Subjects have the right to obtain information about the processing of their Personal Data or to have the information rectified, erased or blocked through a Subject Access Request. Data Subjects may also request to have their Personal Data transferred or transmitted to a third-party controller through a Subject Transmission Request.

2. Where the data is to be transmitted to a third-party controller, this shall be done in a structured, commonly used and machine-readable format.

3. Bolder shall maintain a record of Subject Access Requests and Subject Transmission Requests received by Bolder, the decisions made and any information that was exchanged, transmitted or transferred.

4. The Parties agree that the responsibility for complying with a Subject Access Request or a Subject Transmission Request falls to the Party receiving the request in respect of the Personal Data held by that Party.

5. The Parties agree to provide reasonable and prompt assistance to each other as is necessary for each Party to comply with their obligations under applicable Data Privacy Laws.

Article 8 – Automated decision making

Bolder does not carry out automated profiling and will not make any decisions based on the automated processing of Personal Data without informing the Client.

Article 9 – Transfer of personal data

1. Bolder may, in the performance of the Services, transfer and provide access to Personal Data in third countries. Such transfer shall only be made to a country whose laws shall have been   assessed by the European Commission to have an adequate level of protection by means of an adequacy decision and in which case the transfer shall be subject to the terms of a contract incorporating standard contractual clauses in the form adopted by the European Commission under Decision 2010/87/EU
(the Model Clauses) or equivalent or replacement decision.

2. Bolder shall not transfer or provide access to Personal Data outside a country as referred to in Article 9.1 above, except with the Client’s express written permission.

Article 10 – Accountability and obligation to report

1. Following a reasonable request, Bolder shall provide the Client with the necessary information in order for the Client to be able to draw an informed opinion on Border’s compliance with its obligations set out under Data Protection Laws

2. Where Border qualifies as a Joint Controller the Parties are responsible for any applicable reporting of the relevant processing of (personal) data to the relevant data protection authority. The Parties will cooperate in this regard until the obligations have been met.

Article 11 – Liability

All liability arising from or in connection with this protocol follows and is exclusively governed by the liability provisions set out in, or otherwise applicable to, the Agreement. Therefore, and in order to calculate liability limits and/or to determine the application of other limitations of liability, any liability arising from this protocol is deemed to arise under the relevant Agreement.

Article 12 – Duration and termination

1. This protocol shall be in force for as long as the Agreement is in force. On termination of the Agreement, the arrangement of this protocol shall end by operation of law without any further (legal) act being required.

2. Early termination of this protocol or the arrangement made by it is not possible.

3. Subject to a statutory provision resting with Border, Border shall, in the case of termination of the Agreement, and when the processing of Personal Data is no longer necessary to settle the Agreement’s termination, ensure that:

• the Personal Data is returned or provided to the Client or a successive contractor designated by the Client on a suitable information carrier;
• the Personal Data is destroyed, if the Client so requests;
• after return, provision or destruction, it immediately ceases and does not resume any processing of (the relevant) Personal Data.

4. Obligations under the Agreement including this protocol, which by their nature are intended to continue even after the end of the Agreement, continue to exist after the end of the Agreement.

Article 13 – Miscellaneous

1. In the event of conflict between the provisions in this protocol and the Agreement and/or any other agreements between the Parties, the provisions of this protocol with regard to the data protection obligations of the Parties shall prevail. In case of doubt as to whether clauses in these other agreements relate to the data protection obligations of the Parties, the arrangements of this protocol will prevail.

2. The invalidity or unenforceability of any provision in this protocol will not affect the validity or enforceability of the other provisions of this protocol. The invalid or unenforceable provision is (i) so modified so as to guarantee its validity or enforceability and at the same time the parties’ intentions are preserved as much as possible or, if not possible, (ii) interpreted as if the invalid or unenforceable part had never been included therein. The foregoing also applies if this protocol contains an omission.

3. Personal Data which Bolder processes is stored by Bolder on its servers and/ or on the servers of the cloud-based database located in Switzerland. This protocol is exclusively governed by the applicable law of the Agreement and any dispute in respect of this Agreement or execution thereof shall be submitted to the Bolder entity servicing the Client and before the competent court as defined in the Agreement.

4. Any amendment to this protocol shall be published on the Bolder website, but shall not reduce or otherwise limit the rights of the Client.

Contact details in case of data breaches

Data Protection Officers

Location	Contact
The Netherlands	Sjaco Kroon Tel +31 (0) 33 467 3880 Email: dpo.nl@boldergroup.com
Luxembourg	Andrea Fusco Tel : +352 2740099413 Email: dpo.lux@boldergroup.com
Singapore	Karl Kwok Email: dpo.sg@boldergroup.com
Hong Kong	Karl Kwok Email: dpo.hk@boldergroup.com
Philippines	Karl Kwok Email: dpo.ph@boldergroup.com
British Virgin Islands	Damila Ogunleye Email: dpo.vgo@boldergroup.com
Cayman Islands	Adrian Mubangizi Email: dpo.ky@boldergroup.com

APPENDIX I

Categories of data subjects

The transmitted Personal Data concern the following categories of Data Subjects:

• The investors or unit holders in the investment funds administrated by us or individuals connected with the investor or unit holders (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents) which includes, but is not restricted to, data such name, residential address, email address, place of birth, date of birth, bank account details and details relating to your investment activity;
• Individuals that represent the Client, that are advising the Client, that are in any contractual or statutory relationship with the Client, or that the Client has collected in view of its servicing towards such individuals, or are otherwise connected to such individuals.

Subject of processing

All processing activities (including the collection, organization and analysis of Personal Data) as are reasonably required to facilitate or support the provision of the Services described under the Agreement.

Nature and purpose of the processing

Bolder collects, processes and uses the Personal Data of the Data Subjects:

• where this is necessary for the performance of the Agreement;
• where this is necessary for compliance with a legal obligation (such as the anti-money laundering obligation to verify the identity of our customers (and, if applicable, their beneficial owners) and other applicable regulations, such as tax reporting regimes as FATCA and CRS; and/or
• where this is necessary for the purposes of the legitimate interests of us or a third party and such legitimate interests are not overridden by your interests, fundamental rights or freedom.

Kind of personal data

The Personal Data collected, processed and used by Border includes:

• names and contact information;
• general demographic information (such as gender, age, date of birth, marital status, nationality, employment details, residence, utility bills, etc.);
• personal identification documentation and related information such as passport numbers and employee identification numbers;
• financial and payment data such as bank account numbers and transaction information;
• information related to the provision of the Services

Appendix II

1. POT Verhuizingen/ Logistiek B.V.
2. Avantage Cloud Solutions B.V.
3. Remondis B.V.
4. Docusign.