Data Protection Information Clause

In accordance with applicable regulations, such as the General Data Protection Regulation of the (EU) 679/2016 ("GDPR"), your data will be processed by Phoenix Tower US Holdings, L.P. and its subsidiaries and affiliates worldwide (collectively “PTI,” “Phoenix Tower”) in conformity with the provisions of this clause.

 

Identification of the Data Controller

 

The data subject is informed that Phoenix Tower US Holdings, L.P. will be responsible for the processing of your personal data (hereinafter, the "Data Controller"). The Data Controller makes available this information, as well as the contact details for privacy purposes available to the data subject by writing to the following e-mail address: privacy@phoenixintnl.com.

 

Purposes of the processing of personal data and legal basis

 

  1. In the event that regulations requiring PTI to collect information on anti-corruption, anti-money laundering, Trade Sanction Programs and other aspects related to crime prevention apply in your jurisdiction, the data provided through this form will be collected for the purpose of complying with the concrete legal obligations, such as, but not limited to, the United States Foreign Corrupt Practices Act (the “FCPA”), legislation enacted in accordance with the Organization for Economic Co-operation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (the “OECD Convention”), US Trade Sanction Programs (OFAC), European Union Sanction Programs, among others. In the United States, this also includes the United States Medicare and Medicaid Patient Protection Act of 1987 (the “Anti-kickback Statute”), Stark Laws and Federal False Claims Law. The legal basis for this data processing would be compliance with a legal obligation.
  2. In the event that your jurisdiction does not have regulations that expressly require PTI to carry out checks and collect information relating to crime prevention and anti-corruption, the data provided through this form will be collected for the purpose of fulfilling internal anti-corruption and crime prevention procedures and standards. The legal basis for this data processing would be the legitimate interest of the data controller.

 

Data subjects may object to this processing in accordance with the provisions of the section on the rights of data subjects in relation to data protection.

 

The legitimate interest of the data controller lies in the prevention of fraud, the prevention of corruption, and the defense of transparency and ethics in the exercise of its business activity, in order to comply with internal policies and procedures in its relations with third parties.

 

In order to achieve those purposes, the Data Controller will process corporate identification data, corporate contact details, and data relating to business activities, and will carry out checks on data relating to anti-corruption and the prevention of fraud and crime.

 

The checks described above are considered necessary to prevent the risk of certain offences committed and to maintain an appropriate level of integrity among third parties who maintain relations of any kind with the Data Controller.

Data processing carried out in accordance with the purposes described above always involves human intervention, so that no automated decisions with binding legal effects are taken on the basis of the information obtained from the counterparty and each case is analysed in detail to adopt the appropriate due diligence measures.

 

Communication of personal data

 

The personal data may be disclosed to the following categories of recipients:

 

  1. Third-party service providers who are in charge of processing activities and who provide services, assistance and/or advice to the Data Controller.
  2. Entities belonging to the Group to which the Data Controller belongs, in order to verify the information provided by your company and to carry out due diligence investigations.
  3. Competent authorities, recognized by law or regulation or by provisions issued by authorities legally empowered to do so, have the right to access the data, in order to comply with the obligations to which the Data Controller is subject.

 

International data transfers

 

In case that you are in the European Economic Area (EEA), your personal data may be transferred to countries outside the EEA. In this regard, in the absence of Adequacy Decisions for transfers from the EEA to such third countries, the Data Controller has implemented appropriate and adequate protection measures to protect the personal data of the data subject and to ensure an adequate level of security, including by entering into Standard Contractual Clauses, approved by the European Commission. Accordingly, the personal data of the data subject would be transferred in accordance with the requirements and obligations laid down by the applicable data protection regulations. For more information about the appropriate and adequate security measures, the data subject may contact the Data Controller privacy@phoenixintnl.com.

 

Retention of personal data

 

The personal data shall be stored for the period necessary to fulfil the purposes for which they were collected. In any case, the personal data necessary for the performance of the pre-contractual or contractual relationship shall be kept for the duration of the same and, thereafter, until the expiry of any liabilities arising therefrom, in order to respond or bring any legal action, in accordance with their interests, at the request of the competent authorities or in compliance with the applicable regulations.

 

Rights of data subjects

 

The data subject may exercise the rights of access, rectification, deletion, opposition and limitation, as well as request the portability of their data by means of a written communication addressed to the Data Controller by email to the Data Protection Office at privacy@phoenixintnl.com, in accordance with the provisions of the regulations in force.

 

In the event that the data subject considers that the Data Controller has violated his or her rights under the applicable data protection legislation, the data subject may lodge a complaint with the competent supervisory authority.

 

Security of processing and obligations to provide information

 

The processing of the personal data shall be carried out in such a way as to ensure the security, protection and confidentiality of the data by means of appropriate administrative, technical, personal and physical measures against loss, theft and unauthorized use, disclosure or modification.

 

The Company undertakes that, prior to the provision of any personal data of any natural person involved in the performance of the Contract, it shall have informed such natural person of the content of this clause and shall have complied with any other requirements that may be applicable for the correct communication of his or her data to the Data Controller.