1. General requirements for data processing
1.1. Data processing means collection, recording, arrangement, storage, alteration, disclosing, consultation, extraction, use, transmission, cross-use, transferring or granting access to third parties, interconnecting, closure, deletion or destruction of data, or several of the aforementioned operations, regardless of the manner in which they are performed or the means used.
1.2. The Investment Firm shall compile a list and documentation of means used in data processing and shall keep records of data processing. The list of means used in data processing shall include the name, type and number of the equipment and the name of the manufacturer of the equipment; the name and number of the licence of the software used and the name of the software manufacturer; the location of the documentation of the software used.
1.3. Persons engaged in the processing of data shall process data only for authorised purposes under the established conditions and according to the instructions and orders received, and they shall maintain the confidentiality of data which has become known to them in the course of performance of their duties and which are not intended for public use. Such confidentiality requirement continues after termination of the employment or service relationship with the Investment Firm.
1.4. Unauthorised processing of data (including recording, alteration, deletion, reading, copying, (transmission), unauthorised transportation of records and any other unauthorised use of data (not prescribed by official duties) shall be prohibited.
1.5. Adequate security measures, including encryption of data if necessary, shall be implemented upon transmission of data by means of data communication equipment or in the transport of records.
1.6. Every user of database shall be issued personal means of authentication, enabling them to use the database. The access password for electronic databases shall be changed at least once a quarter. The use of any means of automatic entry of passwords shall be prohibited. A user of the data processing system shall not have access to data, which are not required for authorised data processing and the performance of duties of that particular user.
1.7. The Investment Firm shall implement adequate and sufficient measures to ensure that every data processing operation leaves a trace, which would afterwards enable identification of the person who performed the operation, the nature and time of the operation and any other relevant facts, including when, by whom and which data were recorded, altered or deleted, or when, by whom and which data in the data processing system were accessed, as well as information on any transmissions of data. A possibility for restoring the content of data before modifications shall be available when any modifications are made in data or documents.
1.8. The manager or an employee of the Investment Firm shall rely on justified expectation that data submitted by persons who submit data are correct. The manager or an employee of the Investment Firm shall, from time to time, verify the accuracy of data in the database(s) by requesting the data subject to check the data and, if necessary, make corrections or confirm the accuracy of data.
1.9. Any incomplete or incorrect data known to the manager or an employee of the Investment Firm shall be closed and any necessary measures shall be taken promptly to supplement and correct the data in question. Upon a request of a data subject, the manager or an employee of the Investment Firm shall correct any incorrect data on the data subject in the database if the data subject notifies the manager or employee of the Investment Firm of the inaccuracy of the data on the data subject and submits correct data; the incorrect data shall be stored with the correct data and with a note indicating in which period the incorrect data were used.
1.10. If the accuracy of data is in dispute, the data in questions shall be closed until confirmation of accuracy of the data or determination of correct data. Third persons who provided or received the data shall be promptly notified of any corrections made in data if it is technically feasible and does not lead to disproportionate expenses.
1.11. Automatic decisions of the data processing system, without participation of the data subject, shall be permitted only on the conditions and pursuant to procedures specified by law.
2. Rights of the data subject
2.1. The data subject shall have the right to withdraw at any time the consent for the processing of personal data, in which case the Investment Firm shall cease processing the data to the corresponding extent.
2.2. Every person has the right to access data concerning themselves, which are collected in databases, unless this right is restricted by law. Decisions on granting or withholding authorisations for access to data and issuing copies of data shall be made by the executive manager of the Investment Firm.
2.3. Upon request of the data subject, the Investment Firm shall notify the data subject of the data, which is available on the data subject in the database, and the sources of such data, the purpose of data processing and any third parties or categories of third parties that have receive authorisation for data transmission, as well as any other facts of which the owner (processor) of the database is required to notify the data subject, unless the right of the data subject to receive information is restricted by law. The data shall be issued by using the method requested by the data subject, if possible, within five business days from the receipt of the respective request.
2.4. In the cases specified by law, data shall be released to third parties with a statutory right to request and receive such data. In all other cases, data shall be released to third parties only if the data subject has granted a respective consent.
2.5. Authorised persons may review, on site in the Investment Firm, the documents on the establishment of databases and any other documents pertaining to the databases.
3. Data collected in databases
3.1. The Investment Firm may collect in databases any publicly available data or any data voluntarily submitted by data subjects. Only data necessary for the provision of service to the clients and/or for the performance of operations requested by the clients may be requested from the clients.
3.2. The Investment Firm shall collect and process the clients' data to the extent, which is necessary for the achievement of specified objectives (provision of services), and in a manner, which is designed for the specific purpose. Unnecessary data shall be deleted or destroyed at once. Use of data in any other manner than previously agreed is permitted only with a respective consent of the data subject or on the conditions specified by law.
3.3. The managers and employees of the Investment Firm shall register and preserve the data and documents associated with the provision of services, including:
a) documents, which specify the rights and obligations of the Investment Firm and the clients, or the conditions of provision of service by the Investment Firm to the clients;
b) details of provided services and transactions and any communications between the clients and the Investment Firm to the extent, which ensures an overview of the actions of the Investment Firm in the provision of services.
3.4. The managers and employees of the Investment Firm shall register and preserve the data on the decisions pertaining to the business and management of the Investment Firm, and preserve the internal procedure rules of the Investment Firm.
3.5. A person appointed by the Management Board of the Investment Firm shall keep records of the documents of the Investment Firm and shall organise preservation and archival of such documentson the conditions and pursuant to procedures specified by law and internal procedure rules (including periods of preservation).
3.6. The Investment Firm shall preserve data for at least five years, unless other terms for the preservation of data or documents are prescribed by law, instruments of the Financial Services Authority, the internal regulations of the Investment Firm or the decisions of the managing bodies of the Investment Firm.
3.7. Client agreements and/or conditions of the provision of service by the Investment Firm to the clients shall be preserved for at least as long as the contractual or other legal relationship connected to the provision of investment services or ancillary investment services to the client continues, unless a longer term is specified by law.
4. EMIR Reporting
4.1 The Investment Firm is subject to reporting obligations under Article 9 of EMIR, and has delegated certain reporting functions to a third party processor. The parties agree to take all necessary measures to enable the other party to comply with its reporting obligation.
4.2 The parties hereby expressly consent to the transfer of information to the extent required in order to comply with the reporting obligation in accordance with Article 9 EMIR. Such transfer of information will entail the disclosure of Transaction data, including the portfolio data, the value determined for the Transaction, collateral posted and the identity of the parties. The disclosure shall be made to a trade repository, European Securities and Markets Authority (“ESMA”) and/or a delegated third party processor. The trade repository or ESMA may pass such information to national supervisory authorities in countries where the data privacy laws do not afford the same protection as provided in the UK.
4.3 The Investment Firm shall not be liable to the Client for any failure by the Investment Firm or any third party processor to report or clear transactions in accordance with EMIR.
4.4 The Client shall promptly notify the Investment Firm of its Clearing Requirement relevant to the Transactions. Where the Clearing Requirement notified to the Investment Firm changes, the Client shall promptly provide Written Notice to the Investment Firm of such change.