1. Data controller
The party responsible for the processing of the personal data of the Customer, and of the other persons whose personal data may be processed (third parties related to the customer), is "EDM GESTIÓN SAU SGIIC" (the "Entity"), with registered office for these purposes at Paseo de la Castellana 78, 28046 Madrid (Tel: 91 411 03 98) and offices in Barcelona at Avenida Diagonal, 399, 3º-1ª, 08008 (Tel: 93 416 01 43).
Data Protection Officer contact: dpo@edm.es
2. Personal data that are processed
The data processed by the Entity will include, without limitation, the following categories: identification, contact, professional, economic and financial data, and information of a business nature.
| Category | Personal data |
| --- | --- |
| Identifying information | First and last name, type of tax ID, ID number, country of issue of the ID, expiry date of the document, date of birth, place of birth, nationality, national identification number, adult status. |
| Contact information | Telephone number, contact address, full address, city, country, postal code, email address, tax residence. |
| Professional data | Positions of public responsibility, professional status, information accrediting business/professional activity. |
| Economic and financial data | Current asset situation, current annual income (gross). |
| Investor profile | Content and results of suitability and appropriateness tests. |
| Business information | Information on the beneficial owners/persons with significant control over the entity, information on the structure of the management body and legal representatives (for legal persons only). Information on relatives and minors. |
Based on the above and particularly to be able to communicate with the Customer, all the data provided to the Entity must be correct, complete, accurate and duly updated. Therefore, if the Customer changes any of these data and, in particular, their postal or email address or contact telephone numbers (landline or mobile), they must inform the Entity of this change as soon as possible.
Otherwise, any communications the Entity sends to the addresses (postal or email address, or telephone numbers) that appear at that time in its files will continue to be valid.
3. Processing of third-party personal data
The Entity may process personal data of other third parties, in addition to those of the Customer, such as legal representatives, persons with significant control, the holders of indirect control of the company, directors, attorneys-in-fact, shareholders, relatives (some of whom may be minors) and those with view-only authorisation in the Customer Area of EDM’s website.
In this regard, the Customer represents that (i) the Personal Data and information of those third parties provided to the Entity are true and accurate; (ii) they have personally and directly informed those third parties that their data may be communicated; and (iii) they first obtained their authorisation for this purpose. In the case of the processing of data relating to minors, the Entity will only process information relating to minors with the express authorisation of the legal representative.
For these purposes, and if the contractual relationship calls for these personal data to be processed by the Entity, EDM will make the data protection information available to its Customers and their related third parties in the following links on its website, for consultation and downloading:
- Informative clause for Customers on data protection: Information clause for Customers
- Informative data protection clause regarding third parties related to Customers: Informative Clause Third Parties Related to Customers
The above notwithstanding, EDM will provide the Customer the informative data protection clause regarding related third parties, as an Annex to this document.
4. Sources of Customer data to be processed
As a general rule, EDM will process the personal data provided by the Customer, without prejudice to the fact that for anti-money laundering and countering of financing of terrorism (“AML/CFT”) purposes, it may collect information about the Customer from third party sources, such as the Commercial Registry or specialised information files such as Dow Jones.
Similarly, the contractual relationship with EDM may also arise from the commercial activity of a third-party partner (such as a financial institution with which the Customer has a business relationship). In that case, it will have been the third-party partner who, at the Customer’s request, provided us the personal data.
5. Purposes pursued with the processing of personal data, and their corresponding legitimate interest
The Entity will process the Customer's personal data for the following purposes and in accordance with the following legitimate interests:
5.1. Registration as an EDM customer. Development, management and maintenance of the contractual relationship
- The Entity will process the Customer's data (both those provided directly by the Customer and those arising from the contractual relationship maintained with the Customer) to be able to duly execute its contractual relations, and for their subsequent development, performance, fulfilment and maintenance. In this way, the Entity will process the Customer's data so it can provide the financial services agreed in each contract, and so that it can make the successive communications that must be sent to the Customer.
- Throughout the process of registering as a Customer, and signing and executing contracts with EDM, the Entity may require the Customer's voice to be recorded for prior identification of identity. Likewise, during the course of the business relationship and in compliance with the regulatory requirements applicable to us, there may be occasions when it is also necessary to record the Customer's voice, as it may be necessary to record their telephone conversations or electronic communications with EDM as a means of proof of the transactions and services in question.
- In addition, the Customer's identity document will be stored and, where appropriate, viewed (by any means, formats and media) for the sole purpose of verifying their identity when necessary to carry out and perform the contracts or transactions they have entered into or instructed the Entity to carry out.
- If the Customer is a legal entity (a commercial company, for example), EDM will process the personal data of the natural persons representing it to verify their powers of representation, by checking the sufficiency of their powers of attorney, and to thus determine whether they are suitable to be able to represent and contractually bind the legal entity.
In any case, the Customer will be informed of all of the above before each contract is executed, and will thus be given legal information on the terms on which the data processing will be carried out, before contracting each product or service.
Any data requested as "obligatory" is precisely because it is necessary for the maintenance of the contractual and/or business relationship with the Entity or for the fulfilment of legal obligations. Therefore, failure to provide them would make it impossible for the Entity to handle the request and provide the service or product requested.
Customer Rating - Suitability Test and Appropriateness Test
There are a number of additional processing steps that EDM will need to carry out to comply with MiFID II (comprising the Markets in Financial Instruments Directive 2014/65/EU and Commission Delegated Regulation (EU) 2017/565 of 25 April 2016).
EDM must first classify Customers into one of the following three categories: retail, eligible counterparty and professional, based on their level of knowledge and experience in the financial market, and their ability to understand and take on the risks that any investment in financial instruments entails.
In addition, and depending on the services that the Customer has requested or will be purchasing from EDM, and so that it can recommend the products that best suit their personal situation, before executing the sale of financial products or services that are particularly complex, the Entity must analyse the Customer's knowledge, previous investment experience, investment objectives and financial situation. In this way, EDM will carry out a type of screening known as the "Suitability Test" and the "Appropriateness Test":
- On the one hand, when the Entity will be providing non-independent investment advice or portfolio management services, so it can recommend to the Customer the products that best suit their personal situation, the Entity will have to assess the Customer's knowledge, previous investment experience, investment objectives and financial situation, to create a "knowledge and experience profile", which is known as a "Suitability Test", to be carried out in accordance with the information provided by the Customer. Thus, depending on the result of this test, the Customer will be assigned a specific investment profile.
The details and effects of the result of the Suitability Test are detailed in Clause 3.2 of the Framework Agreement.
- On the other hand, when the Entity provides the Customer with UCI trading services, it will first have to check whether the Customer has the necessary knowledge and investment experience to understand the requested financial instrument, and its risks, thus analysing whether or not it is appropriate for the Customer. The Entity will carry this out through the "Appropriateness Test", whose regulatory effects and exceptions are detailed in Clause 3.1. of the Framework Contract.
- In addition, the Entity must keep a record of these appropriateness tests. This is required by Article 56 of Commission Delegated Regulation (EU) 2017/565 of 25 April 2016.
Both the Appropriateness Test and the Suitability Test are carried out in an automated way. For this purpose, the Entity follows a system that automatically classifies and assesses customers based on the personal and economic information previously provided by them: in the first case, broadly speaking, their education level and professional profile, and their previous experience in investment products and services, or the frequency and volume of the transactions they have carried out in the past. The Suitability Test also includes information on their level of income and savings, their financial commitments, investment objectives, risk tolerance and desired return.
In this respect, the Entity subjects this system to periodic reviews to avoid possible mismatches, errors or inaccuracies in assessing and classifying customers. Nevertheless, if in any case the Customer does not agree with the result of their classification, they may challenge it, providing the information they consider appropriate for this purpose, and even request the personal intervention of their advisor at the Entity, as they have the right not to be subject to fully automated decisions.
The data requested as "mandatory" are necessary for maintaining this contractual relationship. Therefore, failing to provide them would make it impossible to meet the Customer's request.
All of the above will be carried out based on the legitimate interest under Article 6(1)(b) of the EU’s General Data Protection Regulation 2016/679, as it is necessary to perform a contract that the data subject (in this case, the Customer) is a party to, or to implement pre-contractual measures at the Customer's request.
5.2. Legal obligations
The Entity will also process the Customer's personal data to comply with the various legal obligations that may be required from time to time, including, but not limited to, those provided for in the following legislation:
- The Spanish General Taxation Act 58/2003 of 17 December [Ley General Tributaria];
- Royal Decree-Law 21/2017, of 29 December, on urgent measures for the adaptation of Spanish law to European Union securities market regulations [Real Decreto-ley 21/2017, de 29 de diciembre, de medidas urgentes para la adaptación del derecho español a la normativa de la Unión Europea en materia del mercado de valores]; and
- In particular, the Spanish Anti-Money Laundering and Countering Financing of Terrorism Act 10/2010 [Ley de Prevención de Blanqueo de Capitales y Financiación del Terrorismo] (the “AML/CFT Act”). In particular, and in this regard:
  - Depending on the AML/CFT risk assigned to the Customer, to comply with the Law and in application of the corresponding due diligence measures, the Entity must obtain and keep certain information on its customers to duly identify and verify: (i) their identity; (ii) their professional or business activity; (iii) their person with significant control; (iv) the origin of their funds; and (v) the origin of their assets.
  - In addition, the following data will also be processed for the legitimate interest of AML: (i) obtaining all relevant information for these purposes; (ii) obtaining information from third-party sources such as specialised information files or public sources available on the internet, on their customers, account holders or parties involved in the accounts, legal representatives and persons with significant control; (iii) obtaining data from the Entity with which due diligence functions have been agreed; and (iv) communicating certain transactions and any other personal data to the Executive Service of the Bank of Spain’s Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC).
Likewise, if the Customer files a claim with the General Investment Guarantee Fund (FGGI), and the FGGI orders EDM to verify the information provided under Royal Decree 628/2010, of 14 May, and other concordant legislation, EDM must provide the personal data obtained from the Customer to respond to the claim.
On the other hand, in compliance with the legal obligations that the Entity must comply with, throughout the process of registering as a Customer and signing and executing this contract, the Customer's voice and image may have to be recorded to verify their identity. Similarly, in the course of the business relationship and in compliance with the legal requirements applicable to us, there may be occasions when it is also necessary to record the Customer's voice. In those cases, the recording will be retained as evidence of the service provided. In any case, when this is going to happen, the Entity will first expressly inform the Customer of this and of the legal terms on which the data processing will be carried out.
These legal obligations will exist and will be fulfilled by the Entity even after the contractual relationship ends, as long as it is legally obliged to do so.
This processing will be carried out under the legitimate basis provided for in Article 6(1)(c) of the European General Data Protection Regulation 2016/679, as it is necessary for the data controller (the Entity) to comply with an applicable legal obligation.
5.3. Legitimate interests of the Entity
The Entity will also carry out other additional processing operations on the basis of the legitimate interest provided for in Article 6(1)(f) of the above GDPR, insofar as it considers that they do not prejudice the privacy of Customers. Under that article, there is a legitimate interest in data processing that is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Regarding this processing, the Customer has the right to (i) obtain further information on what this "legitimate interest" consists of; (ii) know how the Entity has come to the conclusion that it will not harm the Customer’s privacy; or (iii) directly object to the processing. This can be done as indicated in paragraph 9 below, indicating the specific processing operation objected to and the grounds for the request.
These processing operations are detailed and explained below. For all of them, and in accordance with the GDPR referred to above, the Entity has carried out what is known as a "balancing test". This is an internal analysis to confirm that EDM's legitimate interest will not harm the interests of its Customers in the protection of their personal data; in short, that their privacy is not harmed. Customers who would like more information about this test can request it by sending an email to dpo@edm.es.
- For customers that are legal entities, EDM will process the identification and contact data of their contact persons to satisfy its legitimate interest in maintaining contact with the customer for the duration of the contract. This is permitted by section 19(1)(b) of the Data Protection Act.
- Intra-group processing, for internal administration purposes. Other EDM Group companies and companies of the Mutua Madrileña Group (to which EDM belongs) may have access to customer data to carry out internal administrative, accounting, control, management and reporting tasks, as permitted by the EU’s General Data Protection Regulation. This intra-group communication of data is also based on the legitimate interest of ensuring compliance with our AML/CFT obligations.
- Furthermore, depending on the risk assigned to the Customer, the Entity may carry out enhanced monitoring of this business relationship by increasing the number and frequency of the controls applied. For this purpose, internal and external sources and databases (Dow Jones and Informa) may be consulted, and the relevant public registries, such as the commercial registries of each company.
- Anonymisation. EDM may also carry out procedures to anonymise Customer data so that they cannot be identified, and once they have been anonymised, it may use them for statistical purposes and for internal modelling.
EDM aims to continually improve to adapt to the interests and preferences of its Customers, to improve the way it provides its services, and to assess whether its Customers are satisfied with the service they are given. For this purpose, EDM will process data associated with the relationship and interactions it maintains with its Customers, so it can prepare internal documents that, in any case, will contain general or aggregated and not personalised information about them. In other words, before drawing up these internal documents, the Entity will carry out procedures to anonymise its customers’ data so that they can no longer be identified with the information contained in these documents, because the data they contain will have been made anonymous.
These documents refer to market studies that allow EDM to determine and estimate customers’ commercial preferences. They also refer to internal statistics that let it see which products are most used by Customers, how often those products are purchased and/or used, and what their level of satisfaction is.
EDM will carry this out based on its legitimate interest in improving its business and economic results, growing within the financial sector, and providing a service that is perceived positively by Customers. In practical terms, it provides an insight into the degree of Customers’ satisfaction with EDM's investment services.
In accordance with data protection law, EDM has prepared the relevant "Balancing Test" and, taking into account the nature of the processing, it also carried out a Data Protection Impact Assessment, which assessed the risks arising from this anonymisation of Customer data and the appropriate measures to mitigate the relevant risks. EDM therefore understands that this processing does not affect its Customers’ privacy, insofar as the minimum and indispensable data will be processed to fulfil the objective of improving its economic activity and providing a better valued service. In addition, these documents will be produced with anonymised, aggregated data, so that they cannot be re-identified.
- Detection of possible fraud attempts. The Entity may process the Customer's personal data to prevent and detect possible situations of fraud (such as improper access to customers' personal information, possible identity theft or any situation that could be interpreted as fraudulent or undesired use) with the aim of protecting their interests.
If an attempt to commit fraud affecting Customers’ personal data is detected, and unless there is a circumstance of public interest or other legal cause that prevents this, the Entity will inform them of this, review the information available and, where appropriate, may ask for cooperation and additional information. At the same time, as a precautionary measure, for security reasons and until the appropriate checks have been carried out, the Entity may suspend any decision regarding their personal data. If other financial institutions are involved in these attempts, the Entity may be obliged to keep them duly informed.
All of the above will be carried out in the legitimate interest of the Entity and the Customer, to comply with adequate risk control and to avoid possible fraud attempts, thus protecting the stability and integrity of the financial system.
In this case, the Entity has also carried out a "balancing test" to ensure that its fraud prevention interests are not prejudicial to its Customers' data protection rights. Thus, its conclusion is that its legitimate interest prevails, as it is a necessary measure to protect the integrity and functioning of its services, and to avoid and prevent fraudulent conduct against its own and its customers' interests. After all, the purpose of this processing is to identify persons who may have acted fraudulently, to prevent future irregular purchases by them, or to take the necessary measures to protect the data controller’s interests against fraud.
More specifically, the Entity has determined that this legitimate interest will not affect the privacy of its Customers, based on the following aspects: (i) protecting the Entity's interests against fraudulent conduct is a legitimate activity recognised in the market and expressly regulated by the Spanish Data Protection Agency (AEPD); (ii) the personal data processed will be those strictly necessary in relation to the fraudulent transaction (or attempted transaction); and (iii) data protection legislation itself defines preventing fraud as a legitimate interest, under Recital 47 of the General Data Protection Regulation.
When referring to processing "strictly necessary data", the Entity refers to the personal data that are indispensable to detect fraudulent transactions: i.e., identification data, financial/economic data and data relating to the transaction in question.
In any case, the Customer has the right to obtain further information about EDM's legitimate interests, and to assert the right to object, indicating the specific processing objected to and the reasons related to their particular situation that justify this objection.
5.4. Sales actions by the Entity
The Entity may, if the Customer does not object to this processing through the channels provided for this purpose, process the Customer's personal data to send them information, both by electronic and ordinary means, about other services or products offered by the Entity. In this sense, and for as long as you continue to be a Customer, the Entity may send you commercial communications about its own products and services, similar to others that you have purchased, and information about events and informative and promotional activities that it organises and carries out.
To send the above communications, EDM will not generate any kind of profile based on common patterns of behaviour, or on the Customer’s contracting history, preferences and investment tastes.
As in the previous cases, EDM has carried out a "balancing test" to confirm that its legitimate interest is not detrimental to the interests of its Customers. In fact, this is also expressly provided for in Recital 47 of the European General Regulation 2016/679 and Article 21 of the Spanish Information Society Services Act 34/2002, of 11 July [Ley de Servicios de la Sociedad de la Información], mentioned above.
As a conclusion and summary of this weighing test, EDM understands that its interest in carrying out this processing prevails, mainly so it can maintain a stable and ongoing relationship with the Customer, by offering and informing about new investment products.
In any case, all the details of the analysis carried out in this respect can be requested at dpo@edm.es.
The Entity will carry out this processing for as long as you remain a Customer and unless you instruct it otherwise, by opposing processing as detailed in point 9 of this clause.
6. Data storage period
The Entity will process the Customer's data for the duration of the contractual relationship. Therefore, the Entity will process the personal data for as long as they are necessary for the purpose for which the Customer provided them.
The Entity will also retain the Customer's data once the contractual relationship has ended, to comply with any legal obligations that may be required of it, and for the periods determined in each case by the applicable legislation. In principle, this will mainly be the 10-year period required under AML/CFT law.
Following this, the Entity will keep the Customer's personal data duly blocked, in accordance with the law, to deal with possible claims and to keep them at the disposal of the competent authorities that may order their disclosure, during the legal limitation periods.
7. Data recipients
The personal data may be disclosed to third parties when necessary to fulfil, perform, develop and maintain this Agreement, or to provide any services (investment and ancillary) that the Customer may request from the Entity. They may also be disclosed to the following third parties:
- Where necessary to complete any order from the Customer involving the subscription of shares in funds managed by other Fund Managers, EDM will provide those funds the Customer’s necessary personal data, but only for the purpose of carrying out the order.
- If the Customer has given authorisation for this to expedite the processing and execution of the investment with funds managed by other fund managers, EDM will provide those funds the Customers’ documentation from its databases, with regard to AML/CFT, FATCA and CRS.
- To any public bodies, authorities and institutions that the Entity is legally obliged to provide them to, such as the Spanish National Securities Market Commission (CNMV), the Tax Agency or the courts, or to state security forces and corps that order it to provide information on the Customer.
- The depository institutions of the purchased funds.
- Likewise, to the FGGI, if the Customer lodges any kind of claim with it and the FGGI contacts EDM to verify the information provided to it.
- To EDM’s other Group companies for other internal, control, accounting and administrative matters.
In addition to the above data communications, EDM will collaborate with third-party service providers who may have access to the customer's personal data and who will process them for and on behalf of the Entity.
In this regard, the Entity follows strict criteria in selecting its service providers to comply with its data protection obligations, and it agrees to enter into the corresponding data processing agreement with them, under which they will have the following obligations, among others: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and solely following the Entity’s documented instructions; and to delete or return the data to the bank after the service provision has ended.
In particular, the Entity may contract third-party providers to provide services that operate in sectors including without limitation: logistics services, legal advice, supplier accreditation, multidisciplinary professional services companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, infrastructure management and maintenance companies and call centre service companies.
8. Data Protection risk analysis
The Entity has carried out a data protection risk analysis of all the processing operations identified in this document. In this assessment, based on the necessity and proportionality of the processing to be carried out with respect to its purpose, it evaluates the risks to the Customer's rights and freedoms and considers the measures envisaged to address, manage and try to mitigate them, thus guaranteeing the protection of the Customer's personal data.
The issues analysed took into account aspects relating to: volume of data processed; participation of third parties in the data flow; evaluation of personal aspects of natural persons; categorisation/segmentation; performance of credit management tasks; use of external files as a reference; contracting of external suppliers; transfer of data; the legitimate interests of the processing and the possibility of exercising data protection rights by data subjects, among others.
Following the analyses performed, the Entity carried out the Data Protection Impact Assessments that were determined after these risk assessments were performed. Any further information about them can be requested at dpo@edm.es.
9. Data protection rights
Customers and any other third parties whose personal data EDM processes as the legal data controller may assert their rights of access, rectification, erasure, opposition, restriction and portability, or may withdraw any consent they may have given, at any time. They may do so, free of charge, by sending a statement to "EDM GESTIÓN, SAU SGIIC" at its registered office at Paseo de la Castellana 78, 28046 Madrid, at its offices in Barcelona, Avenida Diagonal, 399, 3º-1ª, 08008, or by submitting a statement to dpo@edm.es.
Complaints may also be submitted to the Entity and/or to the Spanish Data Protection Agency (www.aepd.es), especially when satisfaction in asserting these rights has not been obtained.
Customers also have the right not to be subject to fully automated decisions that could have legal effects for them, or that could significantly affect them in a similar way. In this respect, if this may happen: (a) EDM will provide the Customers meaningful information about the logic applied and the significance and possible consequences of the processing; and (b) the Customers will have the right to request the personal intervention of one of EDM's agents, to express their point of view, and to challenge the automated decision made.
10. EDM’s Data Protection Officer
EDM has appointed a person from its Organisation as its "Data Protection Officer" to ensure its Customers’ data are protected properly and to guarantee that EDM complies with all legal requirements regarding the protection of personal data.
The DPO is responsible for providing any requested information on data protection. The DPO can be contacted at dpo@edm.es.
ANNEX: DATA PROCESSING BY THIRD PARTIES RELATED TO THE CUSTOMER
EDM GESTIÓN, S.A.U S.G.I.I.C. ("EDM"), as the legally responsible entity, informs you that it will process your personal data as a family member, legal representative, person with significant control, indirect holder of control over a company, authorised person with view-only access to the Customer Area of the EDM website, director, attorney-in-fact and/or shareholder, of one of our Customers who has provided us your personal data in the context of purchasing a product or service from EDM and for the purpose of sending you this informative data protection clause.
In this regard, EDM will process your personal data as the legal data controller, to duly confirm and verify your identity, in your capacity as a family member, legal representative, person with significant control, indirect holder of control over a company, authorised person with view-only access to the Customer Area of the EDM website, director, attorney-in-fact and/or shareholder of our Customer. This is information that EDM is obliged to process to comply with the AML/CFT Act 10/2010, within the framework of performing the agreement signed with the Customer.
In addition, with respect to third parties with view-only access to the Customer Area, EDM will process their data to manage their access permissions for the purpose of consulting their positions. These permissions will be maintained until the Customer revokes this access.
The personal data of third parties related to the Customer will not be disclosed to any third party, except when legally required by public authorities, official bodies or banking supervisory bodies. The personal data will not be used for any other purpose.
In this regard, we also inform you that the current legislation on personal data protection recognises your rights of access, rectification, erasure, opposition and restriction of processing, and the right not to be subject to a fully automated decision, all when legally applicable, and the right to lodge the corresponding complaint with the Spanish Data Protection Agency if you believe your rights have been violated.
For further legal information on privacy, additional information on data protection may be requested from EDM's Data Protection Officer by sending an email to dpo@edm.es.