DATA PROTECTION AND PRIVACY POLICY

Revised September 2020

1. Introduction & Defined Terms

Distributor Due Diligence Ltd (“3D”) provides an online platform to assist its Clients with the performance and monitoring of regulatory compliance relating to the distributors of their financial products. 3D delivers this through a “Platform as a Service” model. 3D is registered in England under company number 11243284 and its registered address is 285 Kennington Rd, London, SE11 6BY, United Kingdom.

The privacy and security of its Clients, Distributors and Visitors (as these terms are defined below) are of paramount importance to 3D , and 3D is committed to protecting the data placed within the Application.

This Data Protection and Privacy Policy (“Privacy Policy”) explains how 3D processes information about you (also known as “Personal Data” under the General Data Protection Regulation) collected through use of its Website and Application (as defined below).

For Visitors, 3D is the legal entity deciding why and how your Personal Data is collected and processed, therefore acting as the controller of your Personal Data. For individuals related to our Clients and Distributors, 3D acts as the provider of a platform for the exchange of information about Distributors (including certain Personal Data), and in that context 3D generally acts as the Processor of your Personal Data on behalf of its Clients and Distributors (as these terms are defined below). 3D nevertheless believes it is important for you to understand its various activities related to the processing of your Personal Data.

All information stored on 3D’s platform is treated as confidential. All information is stored securely and is accessed by authorised personnel only, who are employees or independent contractors of 3D. Some of the information (principally Distributor data) is made available by the Distributors, acting as Controllers, to legitimate users (i.e., Clients and their Authorised Users) of the products and services provided by 3D. 3D may however also process the data it holds (including Personal Data) as a Controller to satisfy any contractual, regulatory or statutory requirements it may have under the laws of the European Union, the European Union Member States or the United Kingdom, and it may do so in either a manual format or in electronic format.

3D implements and maintains appropriate technical, security and organisational measures to protect Personal Data against unauthorised or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure.

For the purposes of this policy, 3D uses the following terms:

“Application” means the web-based application developed and maintained by 3D

“Authorised User” is an employee or independent contractor of the Client or the Distributor, as appropriate, who has dealings with 3D including those registered to receive a user ID to access and use the Application on behalf of the Client or the Distributor

“Client” is a fund manager that subscribes to the Application, together with its nominated group companies

“Controller” and “Processor” shall have the meaning given to them in the GDPR

“Distributor” is a third party appointed by one or more Clients to distribute their financial products

“GDPR” is Regulation (EU) 2016/679 (the General Data Protection Regulation) of the European Union and any law based on or seeking to enact any provisions of this Regulation in the United Kingdom (including the Data Protection Act 2018)

“Personal Data” has the meaning given to it in the second paragraph of this policy

“Visitor” is any individual who visits 3D’s public facing website at www.distributordd.com only, as opposed to an individual who accesses the Application.

 

2. Collection and use of Personal Data

The following sections cover the specifics of each of the three groups from whom Personal Data is collected:

  • Visitors
  • Authorised Users appointed by Distributors
  • Authorised Users appointed by Clients

2.1 Visitors

If you are a Visitor to 3D’s public facing website (“Website”) at www.distributordd.com only, and not Client or a Distributor accessing the Application, then this section is relevant for you.

By visiting the Website, you consent to the collection and use of your Personal Data as described below, for which 3D will act as a Data Controller for the purposes of the Data Protection Act 2018. If you do not agree with the terms set out below, please do not visit the Website. If required by applicable law, 3D will seek your explicit consent to process Personal Data collected through the Website or volunteered by you but if you do not grant the requested consent to the processing of your Personal Data, the use of the Website may not be possible.

3D may collect, record and analyse the following information of Visitors to its Website:

  • Computer access information such as your IP address, the type of internet browser and computer operating system you are using, and the domain name of the website from which the Visitor accessed the Website
  • Personal Data which you may enter into the Website’s contact forms, including your name, address, email address, telephone number, organisation, job title
  • Information you provide to 3D about your interest in its products and services

2.1.1 Purpose of processing Personal Data

3D gathers data about visits to the Website, including numbers of Visitors and visits, geo-location data, length of time spent on the Website, pages clicked on or where Visitors have come from. 3D collects this information to understand how the Website is accessed and used, and to improve the experience of the Website for Visitors. While 3D’s datacentres are located in the European Economic Area (“EEA”), in visiting the Website, you consent to 3D transferring your Personal Data outside of the EEA where operationally necessary. Further information about this is set out in section 2.3.4 below.

2.1.2 Sharing Personal Data

3D may also share such information on an aggregated and anonymised basis with other businesses it works with, in order to provide a requested service or transaction or in order to analyse the Visitor behaviour on its Website. Exceptionally, 3D may also be required to share data with regulators or other governmental bodies. 3D does not, however, sell, rent or otherwise market Personal Data to third parties.

2.1.3 Cookies

Cookies are small text files sent by a website to a Visitor’s computer or other device. Cookies cannot be used to run programs or deliver viruses to your computer. By continuing to visit 3D’s Website, you agree to the placement of cookies on your device. 3D does not link the information it stores in cookies to any Personal Data you submit while visiting its Website. If you choose not to accept 3D’s cookies it cannot guarantee that your experience will be as fulfilling as it would otherwise be. 3D may also place cookies from third parties for functional and marketing purposes. The use of cookies is a standard part of how most websites work.

2.1.4 Links to other sites

Please be aware that while visiting the Website, Visitors may be able to follow links to other sites that are beyond 3D’s control. 3D is not responsible for the content, functioning or privacy policy of these other sites. 3D encourages you to be aware and read the privacy statements of each website that collects your Personal Data.

2.2. Authorised Users appointed by Distributors

If you are acting as an Authorised User appointed by a Distributor, this section 2.2 will be relevant to you.

3D will act only as a Processor in respect of your Personal Data. Please refer to the relevant privacy policy/notice or equivalent of the Distributor that you have been appointed by for further information about the Processing of your Personal Data within the Application. The Distributor should also be in a position to inform you about the identity of 3D’s other Clients that received your Personal Data through the Application and which will further process them as Controllers.

If 3D has sent you an e-mail invitation to log on to its Application, one of its Clients has provided it with the Personal Data required to issue this invite (i.e. your name and e-mail address). In doing so, its Client acted as the Controller and 3D as the Processor on behalf of such Client.

When the Distributor who has appointed you decides to process your Personal Data further to such e-mail invitation to:

(i) enable you to access the Application; or
(ii) communicate your Personal Data to Clients of 3D for the purpose of assisting Clients is discharging their legal and regulatory obligations in relation to the oversight of their Distributors (to the extent the Distributor has authorised such communication),

the Distributor acts as the Controller of your Personal Data and relies upon 3D, still acting as a Processor, but this time on behalf of the Distributor.

During a Distributor’s registration with 3D (that may be terminated at any time) and throughout their use of the Application, the Authorised Users of a Distributor provide information which may include gender, name, surname, employer name, work address, job title and role, work e-mail address, work telephone numbers, birthplace, date of birth, age, picture, passport number, nationality, personal address) and other relevant data. 3D will not collect any special categories of Personal Data under Articles 9 and 10 of the GDPR (also known as ‘sensitive Personal Data’) from Distributors on behalf of either its Clients or the Distributor.

Distributors should be aware that in uploading their data to the Application, they will be disclosing information that will make individuals within their organisation identifiable to Clients. Prior to accessing the data that a Distributor uploaded to the Application, a Client is required to make a formal request through the Application, which can be accepted or declined by the Distributor. If the Distributor accepts the Client’s request for access, the Distributor data will be made available to that Client, including for downloading, storage and printing, and may be shared with third parties such as regulators and auditors in accordance with the relevant Client’s privacy policy, which can be provided to you by the Distributor by whom you are appointed.

3D will not process Personal Data of Distributors for other purposes or by other means than as instructed by the Distributors.

2.3 Authorised Users appointed by Clients

If you are acting as an Authorised User of a Client, this section will be relevant to you.

2.3.1 General

In order to provide services to its Clients, 3D processes certain categories of data from them, including Personal Data about you.

In this context, 3D will act as:

– a Processor in respect of Personal Data that are provided by its Clients to enable the creation of your user account, access to the Application and the provision of support in that respect. Please refer to the privacy policy of the Client whose Authorised User you are for more information about the processing of your Personal data within the Application (the Client acting as the Controller of your Personal Data in this context);
– a Controller in respect of Personal Data that you specifically authorise 3D to use for sales and marketing actions and contract management; and
– a Controller in respect of Personal Data that it will require to invoice the Client you are appointed by or whose Authorised User you are as well as to exercise its contractual rights and meet its contractual obligations.

This section will describe how Client data related to you are collected and used by 3D as well as geographical differences that affect this privacy policy. Data entered or transferred into the Application by Clients such as texts, questions, contacts, media files, etc., remain their property and may not be shared with a third party by 3D without express consent from such Clients.

2.3.2 Purpose of collection and processing of Client data and data about Authorised Users appointed by Clients

During a Client’s registration and throughout the use of 3D’s platform as set out under this section 2.3, the Client’s Authorised Users will provide Personal Data about themselves such as name, company name, address, user emails, contact details and other relevant data. 3D will not collect any special category data (also known as ‘sensitive personal data’) from the Client’s Authorised Users.

3D will only process your Personal Data when such processing (i) is necessary for the performance of a contract with you, and/or (ii) to comply with its obligations under the laws and regulations of the European Union, the European Union Member States and the United Kingdom and/or (iii) is necessary for the purpose of the legitimate interests pursued by 3D to conduct its business, in particular to enable it to execute an agreement with the Client whose Authorised User you are. To this end, 3D strives to maintain a fair balance between its need to process your Personal Data and the preservation of your rights and freedoms, including the protection of your privacy. If this is required under applicable law, 3D may also request your consent to process your Personal Data.

Authorised Users appointed by Clients can at any time access and edit, update or delete their contact details by logging in with their username and password to the Application. Clients may create more Authorised Users with different privilege levels within their account. It is the responsibility of the Client to choose the level of access each Authorised User should have. 3D will not retain Authorised User data of Clients longer than is necessary to fulfil the purposes for which it was collected or as required by applicable laws or regulations (please refer to section “3. Retention and Deletion” for more information). It is the responsibility of the Client to remove / revoke access to any of their Authorised Users who no longer should have access to the Application.

2.4 Geographical location

3D operates globally and recognises its Clients’ relationships with their Distributors span across multiple geographies. Its data centres are located within the EEA. This is where all Client and Distributor data are stored. 3D is supported through technical support centres located in Lviv, in Western Ukraine.

(a) Processing in the European Economic Area (EEA)

For Clients with accounts located in the EEA, all processing of Personal Data is performed in accordance with the GDPR.

All Personal Data collected by 3D will be stored exclusively in secure hosting facilities provided by Amazon Web Services in the Federal Republic of Germany and the Republic of Ireland. In addition, a secondary encrypted disaster recovery solution is hosted by Microsoft Azure in the United Kingdom. 3D has a data processing agreement in place with its hosting provider, ensuring compliance with GDPR. All hosting is performed in accordance with the highest security regulations. All transfers of data within the EEA are done in accordance with this data processing agreement.

In addition, 3D is supported by its technical support centre in Ukraine, which has access to the EEA-based data centres on the basis of EU standard contractual clauses. If you would like further information or would like to obtain a copy of these adequate safeguards, you can contact 3D using the details set out in the “Further information” section below.

(b) Processing in the United States of America (USA)

For Clients based in the USA, 3D processes data in data centres located in the EEA. 3D has adopted reasonable physical, technical and organisational safeguards against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure, access, use or processing of the data in 3D’s possession. 3D will promptly notify the Client in the event of any known unauthorised access to, or use of, the Client data.

All data collected by 3D will be stored exclusively in secure hosting facilities provided by Amazon Web Services. 3D’s contract with its hosting provider ensures that all hosting is performed in accordance with the highest security regulations. 3D’s policy is to protect and safeguard any personal information obtained by 3D in accordance with United States state or federal laws governing the protection of personal information and data. Accordingly, 3D adheres to practices and policies that aim to safeguard the data.

(c) Processing in Canada

For Clients based in Canada, 3D processes data in data centres located in the EEA. 3D has adopted reasonable physical, technical and organisational safeguards against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure, access, use or processing of the Client data in 3D’s possession. 3D will promptly notify the Client in the event of any known unauthorised access to, or use of, the Client data.

All data collected by 3D will be stored exclusively in secure hosting facilities provided by Amazon Web Services. 3D’s contract with its hosting provider ensures that all hosting is performed in accordance with the highest security regulations. 3D’s policy is to protect and safeguard any personal information obtained by 3D in accordance with Canadian laws governing the protection of personal information and data. Accordingly, 3D adheres to practices and policies that aim to safeguard the data.

(d) Processing in other regions

For Clients based in other regions, 3D processes data in data centres located in the EEA. 3D has adopted reasonable physical, technical and organisational safeguards against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure, access, use or processing of the Client data in 3D’s possession. 3D will promptly notify the Client in the event of any known unauthorised access to, or use of, the Client data.

All data collected by 3D will be stored exclusively in secure hosting facilities provided by Amazon Web Services. 3D’s contract with its hosting provider ensures that all hosting is performed in accordance with the highest security regulations. Accordingly, 3D adheres to practices and policies that aim to safeguard the data.

3D is supported by its Technical Support Centre which is located in Lviv in Western Ukraine, outside of the EEA. The Centre allows 3D to support, maintain and improve the Application. The Centre has access to the EEA-based data centres in accordance with EU model clauses.

 

3. Retention and deletion

3D will not retain data longer than is necessary to fulfil the purposes for which it was collected or as required by applicable laws or regulations. 3D also retains your Personal Data in order to provide the Client or Distributor by whom you were appointed an Authorised User with its services, handle potential legal claims in this respect, evidence its legal basis for processing your Personal Data in that context and fulfil the other purposes set out in this Privacy Policy as follows:

  • For Distributor data containing Personal Data that 3D processes as a Controller (including for its own legal and regulatory compliance purposes), 3D’s policy states that such data will be retained for a period of 10 years.
  • For Distributor data containing Personal Data that 3D processes as a Processor, Distributors have control over the duration for which they make the Personal Data available on the Application and Clients have control of the duration for which the Personal Data may be kept in order to discharge their regulatory obligations. Please refer to the relevant Distributor’s and Client’s privacy policies for more information in that respect.
  • For Client data containing Personal Data that 3D processes as a Controller (including for its own legal and regulatory compliance purposes), 3D’s policy states that such data will be retained for a period of 10 years.
  • For Client data containing Personal Data that 3D processes as a Processor, including data of Authorised Users with an active account, Clients will have the responsibility to archive or delete data when required. When an Authorised User’s account is terminated or expires, all Personal Data collected through the Application will be archived or deleted as per the Client’s instructions, unless otherwise required by applicable law or regulatory requirements.

 

4. Changes to these Conditions

3D reserves the right to change its privacy policy from time to time. 3D will notify you of any substantive or material change in this privacy policy by updating this web page, sending push notifications, e-mails or letters, by phone or by publishing announcements on the Website.

You can always review the latest version of this privacy policy on the Website of 3D, using the following link: https://distributordd.com/privacy-and-cookies/

 

5. 3D’s legal Obligation to Disclose Personal Data

3D may reveal Personal Data without your prior permission when the disclosure of this information is required to establish the identity of, to contact or to initiate legal proceedings against a person or persons who are suspected of infringing rights or property belonging to 3D or to others who could be harmed by the user’s activities or of persons who could (deliberately or otherwise) transgress upon these rights and property. 3D is also permitted to disclose Personal Data when it is legally required.

 

6. Your Data Protection rights

3D would like to make sure you are fully aware of all of your data protection rights under the GDPR. Note that your rights in other jurisdictions may vary depending on the applicable data protection and privacy laws.

Under the GDPR, every individual is entitled to the following:

The right of access – You have the right to obtain confirmation from 3D as to whether or not it processes Personal Data concerning you as well as the right to request from 3D copies of your Personal Data.

The right to rectification – You have the right to request that 3D corrects any information you believe is inaccurate. You also have the right to request 3D to complete the information you believe is incomplete.

The right to erasure – You have the right to request that 3D erases your Personal Data, under certain conditions.

The right to restrict processing – You have the right to request that 3D restricts the processing of your Personal Data, under certain conditions.

The right to object to processing – You have the right to object to 3D’s processing of your Personal Data, under certain conditions. You also have the right to object at any time to the processing of your Personal Data for direct marketing purposes.

The right to data portability – You have the right to request that 3D transfers the Personal Data that it has collected to another organisation, or directly to you, under certain conditions.

The right to withdraw your consent – If 3D has requested your consent in relation to the processing of your Personal Data, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. After you have chosen to withdraw your consent, 3D may have to continue processing your Personal Data to the extent required or otherwise permitted by applicable laws or regulations.

The right to lodge a complaint with a supervisory authority – Please note that you also have the right to lodge a complaint to the competent supervisory authority in the EU Member State of your habitual residence, your place of work or of an alleged infringement of the GDPR.

If you would like to exercise any of these rights, please contact 3D’s Data Protection Officer whose contact details are provided below.

 

7. 3D’s Data Protection Officer

3D has appointed a “Data Protection Officer” who is responsible for matters relating to privacy and data protection. This Data Protection Officer can be reached using the following contact details:

Please clearly identify the right(s) you wish to exercise and/or your privacy-related question and include your contact details (including a valid e-mail or postal address) so that 3D can respond to your request. Please note that you may be asked to provide further information so that 3D can verify your identity before granting you access to data or acting on your request to exercise your rights.

8. Further Information

If you have any further questions regarding the Personal Data collected by 3D, or how the manner in which such data are processed, then please feel free to contact 3D using the above contact details.