Your privacy is important to us, and we are committed to protecting your personal data. Our role towards certain personal data may be that we collect certain personal data and or process certain personal data. Our commitments in both cases can be found in the Privacy Notice.
This Data Processing Protocol (the “Protocol”) shall apply between Intertrust and the Client Entity (“Client”) it is servicing, where Intertrust may process Personal Data, of which the Client is the Controller.
The Protocol forms part of any agreement in place between Intertrust and the Client (the “Service Agreement”).
Where this Protocol uses terms which are defined in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation the “GDPR”), then the definitions set out in that Regulation shall apply.
“Client” shall mean the company, trust, foundation, any other form of legal entity, partnership, or unincorporated business, set up, to which Intertrust provides any service at the request or instruction of such entity and/or its group members; and
“Intertrust” shall mean the relevant Intertrust group compan(y)/(ies) that have concluded a Service Agreement with the Client.
2. Scope of the Protocol
2.1 Intertrust shall only process the Personal Data on the instructions of the Client and in accordance with the provisions of this Protocol and associated Service Agreement(s). Intertrust confirms that it will not process the Personal Data for its own use or any other purposes other than as provided for under this Protocol.
2.2 Intertrust will have no control over the purposes of processing the Personal Data.
2.3 The GDPR and any other applicable privacy laws apply to this Protocol and anything not specifically mentioned in this Protocol shall be governed by the GDPR and any other applicable privacy laws.
3.1 Intertrust, receiving the Personal Data from the Client pursuant to the Service Agreement, will exercise at least the same degree of care with respect to Personal Data with which Intertrust protects its own Personal Data of the same or similar nature.
3.2 Intertrust shall not communicate the Personal Data to or put the Personal Data at the disposal of third parties without the Client’s prior written consent thereto unless it is required to do so by mandatory law or regulation or ordered to do so by a competent authority.
3.3 Intertrust will only use or reproduce the Client’s Personal Data to the extent necessary to it to fulfil its obligations under the Service Agreement.
4. Security Practices, Procedures and Technical and Organisational Measures
4.1 Intertrust shall implement appropriate commercially reasonable technical, physical and organisational security measures to protect Personal Data from misuse and/or accidental, unlawful and/or unauthorized destruction, loss, alteration, disclosure, acquisition and/or access and against all other unlawful forms of Processing in accordance with adequate internal instructions adopted by Intertrust. Intertrust will ensure a level of security suitable (taking into account the state of the art and the costs of implementation of such security) in relation to the risks and the nature of the personal data to be protected to the identified risks and pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take all measures required pursuant to article 32 GDPR. Where local laws prescribe specific instructions and measures to be adopted for the purposes of this article, local laws will be applied.
4.2 In fulfillment of Intertrust’s obligation to demonstrate compliance with this paragraph 4.1, Intertrust will make information on its processing of the Personal Data available (including at our discretion, certificates, third party audit reports or other relevant information).
4.3 Client shall provide Intertrust with thirty (30) days advance notice of any audit request, which will be at the client’s expense. Client may not engage in an audit which would compromise confidentiality obligations towards any other clients and customers of Intertrust, access to non-public external reports, supplier internal pricing information, Intertrust confidential information and/ or any internal reports prepared by Intertrust’s internal audit function. If the client wishes to nominate another auditor to undertake the audit, it shall ensure that the auditor enters into a confidentiality agreement with Intertrust in such form as Intertrust shall reasonably require. Any liability, indemnity and all obligations under this contract shall also remain with the client, even if it nominates another auditor. The client warrants that any auditors are suitably qualified to undertake such an exercise.
5. Duration of processing of the Personal Data
5.1 Intertrust will process the Personal Data for as long as it provides services to the Client and will hold the Personal Data in archive after that date to the extent necessary for legitimate business purposes or for bona fide compliance purposes.
5.2 Client may instruct Intertrust to delete or return Personal Data at the end of the period during which Intertrust will process such Personal Data. Intertrust shall be authorized to keep a copy to the extent required for legal, regulatory or bona fide compliance purposes, as well as the exercise or defense of legal claims.
6. Data Breach Incident
6.1 Intertrust will without undue delay notify the Client whenever Intertrust reasonably becomes aware that there has been a not-trivial breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Intertrust in the context of this Protocol that is likely to result in a risk to the rights and freedoms of a data subject ("Data Breach Incident"). After providing notice, Intertrust will investigate the Data Breach Incident, and take necessary steps to eliminate or contain the impact of the Data Breach Incident.
6.2 Intertrust shall maintain written procedures which enable it to provide an immediate response to the Client about a Data Breach Incident.
7. Transfer of Personal Data
The Client confirms that Intertrust may transfer personal data to its affiliates and subprocessors inside and outside the European Economic Area (EEA) for purposes of servicing, support, back-up or any other legitimate interest Intertrust may have to transfer personal data in order to fulfil its obligation(s) as per the relevant Service Agreement(s). Intertrust has established safeguards to protect Personal Data transferred to countries outside the EEA, including appropriate standard contractual clauses as approved by the European Commission.
8. Rights of Data Subjects
8.1 Upon instruction of the Client, Intertrust will cooperate in:
a) providing access to Data Subjects whose Personal Data are being processed via the provision of the services by Intertrust;
b) deleting or correcting their Personal Data
c) demonstrating that their Personal Data have been deleted or corrected if they are incorrect, or, if the Client disagrees with the point of view of the Data Subject, recording that the Data Subject is of the opinion that the Personal Data is incorrect.
d) restricting the processing of personal data as per Article 18 GDPR
e) protecting the rights of data subjects to its best advantage
8.2 Notwithstanding Clause 8.1, Intertrust shall not be obligated to delete copies of Personal Data that we hold as Controller, to the extent where further processing is required in order to comply with a legal obligation to which Intertrust is subject or for the establishment, exercise or defence of legal claims.
8.3 The Client has the responsibility to provide the data subject with the information necessary to ensure fair and transparent processing in respect of the data subject (as set out in Article 14.1 of the GDPR or any similar provision under other applicable Data Protection Law). Where further processing of the personal data is required, for a purpose other than that for which the personal data were obtained, the client shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Article 14.2 of the GDPR or any similar provision under other applicable Data Protection Law).Intertrust shall not be held responsible if not aware of such information not being provided to the data subject
8.4 Intertrust shall not correct, delete or restrict data to be processed on behalf of the Client in an unauthorized manner. Should a Data Subject contact Intertrust directly in this context, Intertrust shall forward this request to the Client without undue delay.
Client agrees that Intertrust may use subprocessors to provide support to the services under the Service Agreement. Intertrust shall remain primarily responsible for the performance of its obligations under this Protocol and shall ensure that its agreements with such subprocessors are at least as restrictive as this Protocol. Intertrust may change or add subprocessors from time to time, which changes shall be announced via an update of this Protocol. The client shall consult the Protocol regularly in order to be kept informed of such changes.
10. Modification or amendment
Any amendment to this Protocol shall be published on the website of Intertrust, but shall not reduce or otherwise limit the rights of the Client.
11. Applicable Law and Jurisdiction
This Agreement is governed by the applicable law of the Service Agreement and any dispute in respect of this Agreement or execution thereof shall be submitted to the Intertrust entity servicing the Client and before the competent court as defined in the Service Agreement.
Annex 1 - Description of processing of personal data
1. Subject Matter, Nature and Purpose
All processing activities (including the collection, organization and analysis of personal data) as are reasonably required to facilitate or support the provision of the services described under the Service Agreement.
2. Categories of data subjects:
The Data Subjects may include individuals that represent the Client, that are advising the Client, that are in any contractual or statutory relationship with the Client, or that the Client has collected in view of its servicing towards such individuals, or are otherwise connected to such individuals.
Most commonly the Data Subjects will include: (1) employees, contractors or other workers of the Client and/or their family members, representatives or others connected with workers and (2) past, existing or prospective clients and/or contractual counterparties of the Client, and/or their employees or other individuals connected with them, and/or their family members, representatives or others connected with them.
3. Types of personal data:
The services under the Service Agreement may involve the processing of the following types of Personal Data:
Privacy Notice May 2018
The Privacy Notice sets out what personal data we collect and how we collect and use it. It also sets out the rights you have in relation to the Personal Data.
This Privacy Notice is issued by Fairfield Real Estate Finance Services Limited and applies to REF EPFIV Designated Activity Company and Fairfield REF ECS Designated Activity Company and to their direct or indirect subsidiaries (hereinafter “Fairfield”)
Fairfield understands that your privacy is important. Therefore, we respect and protect your right to privacy and will process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and other applicable privacy laws.
The GDPR and any other applicable privacy laws apply to this Privacy Notice and anything not specifically mentioned in this notice shall be governed by the GDPR and any other applicable privacy laws.
This Privacy Notice explains how we may use, process and store your personal data.
What kind of personal data do we collect?
Personal data means any information relating to an identified or identifiable natural person. Fairfield processes the following types of personal data:
name, address, email address, telephone number and other contact information;
date and place of birth;
certified copies of identity documents (passport, national ID card, driver’s license, employee identification numbers);
certified copies of utility bill, bank statement;
ownership of borrowing entities;
background searches for KYC requirements
statement of means;
details of existing loans.
Please note that the list is not exhaustive, and that Fairfield may also collect and process personal data to extent this is useful or necessary for the provision of our services and required to satisfy legal or regulatory requirements.
How does Fairfield collect personal data?
Fairfield obtains and processes personal data in different ways.
Personal data provided to Fairfield directly; We collect personal data directly from prospective clients, clients, business partners and intermediaries for the purposes of entering into a contract or a service agreement and/or to meet certain legal requirements.
Personal data obtained from third parties; We also collect and process personal data from publicly accessible sources such as the internet, social networks or commercial registers. Furthermore, we may receive personal data from third parties as part of the service we provide to you or in connection with legal and or regulatory requirements that are applicable to us.
How does Fairfield use personal data?
We have reviewed the purposes of our processing activities and concluded that the processing of certain personal data is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests). Fairfield processes certain personal data relating to its potential and existing borrowers to enable the provision of the lending services requested by these individuals. Fairfield cannot reasonably achieve this purpose by some other less obtrusive way.
To whom does Fairfield provide personal data?
Fairfield may disclose or transfer personal data collected to our group companies insofar as reasonably necessary for the purposes of our service offering or for bona fide compliance purposes as well as on the legal basis as set out in this Privacy Notice.
Except as described in this paragraph, Fairfield will not disclose, transfer or sell your personal data to any third party unless you have consented to this.
Fairfield may disclose or transfer personal data to subcontractors for the purpose of the proper performance of the services we provide to our clients. It may, for example, disclose or transfer such personal data to third party service providers who provide administrative, due diligence, IT, payment, debt collecting or other services.
In addition, Fairfield may disclose or transfer personal data to protect our rights or those of our clients and/or to prevent fraud. Fairfield can also be obliged to disclose or transfer personal data to competent authorities in order to comply with our legal and/or regulatory obligations.
International transfers and data storage
Fairfield may occasionally disclose or transfer personal data to other companies of the Fairfield group that are located in countries that are outside the European Economic Area in connection with the above purposes.
The personal data Fairfield processes is stored by Fairfield on the secure database management services Fairfield engages (for example SharePoint, Outlook); on paper; and on the secured data sharing platforms of some of our third party service providers (for example Dropbox and Intralinks). If disclosure or transfer of personal data is being done in a country that does not ensure an adequate level of protection of your personal data, Fairfield will make sure additional safeguards are put in place.
Fairfield will process and store the relevant personal data for the duration of our services or for the duration of the business relationship or for a fixed period thereafter in line with our data retention policy. Fairfield may also store the data for as long as it is necessary or required in order to fulfill legal, contractual or statutory obligations and, or for the establishment, exercise or defense of legal claims, and in general where it has a legitimate interest for doing so.
You have the following rights:
Access to your information
You have the right to access the personal information that Fairfield holds about you at any time.
You may ask Fairfield to provide you with a copy of the personal information that Fairfield holds about you.
Correction of your personal information You have the right to ask Fairfield to update and correct any out-of-date or incorrect personal information that we would hold about you.
Deletion of your personal information (the right to be forgotten) You have the right to ask Fairfield to delete your personal information, to the extent that Fairfield has no legal and/or regulatory obligations to keep such personal information.
Restriction of processing of your personal information You have the right to ask Fairfield to restrict the processing of your personal information in case:
a. You contested the accuracy of the personal information held by Fairfield;
b. The processing is unlawful but you objected to the deletion of the personal data and request the restriction of the use instead;
c. Fairfield no longer needs the personal data for the purposes of the processing, but you require them for legal reasons;
d. You objected to processing and Fairfield is investigating whether there are legitimate grounds to override your objection
Automatic decision making Fairfield generally does not make decisions by purely automatic means, but if we do, you have the right to object.
Object You have the right to object at any time to the processing of your personal data for any direct marketing (and related profiling) by Fairfield.
If you wish to exercise any of the above rights, you can contact Fairfield using the below contact details.
In addition, you have the right to make a complaint with the local supervisory authority with respect to the way Fairfield is processing your personal data or the way Fairfield is handling your rights.
How To Manage Cookies
Cookies are stored on your own PC and can be managed through your Internet Browser (lookup "cookies" in your browser help for more information).
How we protect personal data?
Fairfield is committed to ensuring the security of your personal data. Fairfield takes appropriate commercially reasonable technical, physical and organisational measures to prevent unauthorised or unlawful processing of your personal data or accidental loss or destruction of your personal data. Fairfield will ensure a level of security suitable to the identified risks and pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take measures required pursuant to article 32 GDPR.
Employees of Fairfield are trained to handle personal data securely and with utmost respect and they will treat your personal data strictly confidential. Staff members shall only access personal data to the extent necessary to serve the applicable legitimate purposes for which the data are processed by Fairfield and to perform their job.
Fairfield will not divulge client information to a third party, other than in the way described above, unless we have received explicit client authorisation or we are required to do so by law.
Changes to this notice
Fairfield may update this Privacy Notice from time to time.
Contact Fairfield/Data Protection Officer
If you have any questions, concerns or complaints with respect to this Privacy Notice, the way Fairfield is handling your privacy, or you wish to exercise any of your rights please contact our Data Protection Officer Sue Hoole firstname.lastname@example.org