This Data Privacy Policy applies to Personal Data processed by the Fund as a controller and processor, in accordance with the EU General Data Protection Regulation 2016/679 (GDPR) (as may be amended or supplemented from time to time) (hereinafter the “GDPR”) and in line with best practices applied.

1. Protection of Personal Data

The Fund is committed to protecting Clients’ Personal Data and to achieving the best means of processing it in a fair and transparent manner.

The Fund continuously reinforces its standards of technology, managerial measures and operational security, to ensure maximum protection of Clients’ Personal Data. Such measures include applying robust technical controls and procedures to restrict access as required, as well as physical security measures by maintaining data at appropriately secured locations, and ensuring all staff are educated and well-trained with regards to their privacy obligations, handling of Personal Data in strict confidence and applying appropriate measures when processing such data.

2. Personal Data Processed

Personal Data means any information about an individual from which such individual may be identified. Personal Data the Fund processes may include data grouped under the following indicative headings:

• Identity Data: e.g. colour passport copies / identity cards, first and middle name, surname, date of birth, gender, marital status, specimen signatures, etc;
• Contact Data: e.g. company address, electronic mail, telephone numbers, residential address, etc;
• Profile / Financial Data: e.g. details on and information to substantiate one’s source of wealth, size of wealth, profession, reference letters / recommendation letters, etc;
• Transaction Data: e.g. details about payments to and from data subjects, businesses they are involved in, other details of the services we provide to data subjects such as records of meetings, etc;
• Technical Data: e.g. internet protocol addresses (IP), time zone settings and location, cookies.

The Fund does not process Special Categories of Personal Data including details on religion, sexual orientation, political opinions, etc.

The Fund may process personal data relating to criminal convictions and offences (Article 10 GDPR) only where required under applicable law, including anti-money laundering and counter-terrorism financing legislation, and subject to appropriate safeguards.

3. How Personal Data is Collected

In the provision of our services, the Fund processes Personal Data collected / received from a range of sources such as:

• data subjects, directly;
• parties acting on the data subject’s behalf;
• third parties e.g. agencies, credit institutions, etc.;
• publicly available sources, such as registries.

4. How the Fund Processes Personal Data, and Legal Basis for such Processing

Processing activities carried out by the Fund include: collection, recording, organisation, storage, use, disclosure by transmission or otherwise making available, destruction, etc, as may be required from time to time, for legitimate purposes and in the context of the carrying out of our professional activities / services.

The Fund will only process Personal Data within the parameters permitted by law, which will most commonly include the following reasons:

• to perform our contractual obligations / provide a service which the Fund has been engaged to carry out, e.g. asset management, investment advice, etc;
• for administration and operational purposes, including the provision of services by the Fund;
• to comply with all legal and regulatory obligations we are subject to, including those required from time to time under the laws of the Republic of Cyprus, the European Union and other applicable laws, regulations and directives and obligatory guidelines set by the Supervisory Authority. Such legal and regulatory obligations may relate to the Prevention of Money Laundering, national and foreign security policy, prevention, investigation, detection or prosecution of fraud / criminal offences etc.;
• to perform a task carried out in the public interest;
• to manage our relationship with the data subject, e.g. regarding the management of fees, notifying the subject of changes to our Data Privacy Policy, etc.;
• on the basis of any other legitimate interest (including our legitimate interest and / or those of a third party).

As the protection of Clients’ Personal Data is of utmost importance, the Fund makes sure at all times to give careful consideration to and assess all legitimate interests that arise (including the Fund’s legitimate interests, those of third parties and those of the data subject), against the data subject’s rights and potential impact thereon.

The Fund may process Personal Data on more than one lawful ground, depending on the specific purpose for which it is using such data. Clients can contact the Fund at for details about the specific legal ground(s) the Fund is relying on in processing clients’ Personal Data.

5. How long the Fund Retains Personal Data

 Personal Data shall be retained for:

• as long as necessary to fulfil the purposes for which it was collected ;
• any retention period that is required by a compelling legal obligation (e.g. by law, pursuant to litigation or investigation which might arise, etc.);
• any retention period as per the Document Retention and Destruction policy (details of which may be made available to the Client upon request).

In determining the appropriate retention period, the Fund gives careful consideration to applicable legal and regulatory requirements, the amount, nature and sensitivity of the data in question, potential risk of harm from unauthorised use or disclosure, and whether it could achieve the purposes at hand through other means.

6. Disclosure/Transfer of Personal Data

In achieving the legitimate purposes for processing of Personal Data, the Fund may have to share it with other parties which shall also act as processors or joint controllers of such Personal Data, e.g.:

External Third Parties

• other service providers which the Fund cooperates with for the provision of further services / products, and of which our clients shall be informed of from time to time;
• credit institutions and other financial institutions;
• third parties as and when explicitly requested / instructed by a data subject;
• Public / Semi-Public registries, maintained in the Republic of Cyprus or outside;
• regulatory and / or supervisory and / or other competent authorities, when the Fund is obliged to do so under law or court order;
• other professionals such as legal advisors, auditors, insurers, etc., as may be necessary from time to time, in assisting the Fund in adhering to its legal obligations, carrying out its duties and providing the services which it has been engaged to carry out.

The Fund requires all such parties to respect the security of the Clients’ Personal Data and to treat it in accordance with the law.

Where Personal Data is transferred outside the European Economic Area to jurisdictions not recognised by the European Commission as providing an adequate level of data protection, the Fund will take such steps as are reasonably necessary to ensure that appropriate safeguards are in place to protect such Personal Data.

7. Data Subject Legal Rights

 a)Client rights: Clients’ rights are listed below and may be exercised to the extent permitted under the GDPR, in line and within the parameters of the legal and regulatory framework within which the Fund – as a regulated internally managed AIFLNP – operates, and in accordance with this Data Privacy Policy:

• to request data portability;
• to request access to Personal Data, e.g. for updating or rectification purposes (where practical);
• to request clarifications as to the purposes for which Personal Data is being processed and / or as to where it is being processed;
• in some circumstances, to explicitly withdraw any consent provided to the Fund, or limit such consent e.g. by requesting the restriction of a specific processing of Personal Data;
• in some circumstances, to request erasure of Personal Data;
• in some circumstances, to object to the processing of Personal Data.
• Clients’ rights may be exercised by contacting: info@med-dynamic.cy.net

The Fund does not carry out automated decision-making, including profiling, as defined under Article 22 GDPR.

Such requests shall not affect the lawfulness of any processing carried out before the exercise of Clients’ rights. If, despite the Fund’s commitment and continuous efforts to protect Clients’ data, the Client feels that his or her data protection rights are not being adequately safeguarded, the Client may lodge an official complaint with the Data Protection Commissioner:

http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en?opendocument.

b)Clients’ responsibilities: It is important that Clients’ Personal Data remains accurate and current at all times. The client should keep the Fund informed of any changes in the collected Personal Data, during the business relationship.

c)Time Limit to Respond: The Fund should respond to all legitimate requests of clients within one month, depending on the complexity and number of requests.

 

8. Changes to the data privacy and related matters: The Data Privacy Policy shall be subject to periodic review; at least annually; and any modifications / changes, drafted in line with and within the parameters of the GDPR and other applicable laws, will be included in the Fund’s policies and procedures. Any modifications / changes shall be effective as of the date of revision.

 

9. Definitions 

Term	Definition
Client	means any natural or legal person who has a contractual, regulatory or business relationship with the Fund or to whom the Fund provides services.
Consent	of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Art. 4(11) GDPR).
Controller	means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Art. 4(7) GDPR).
Data Protection Commissioner	means the Office of the Commissioner for Personal Data Protection in the Republic of Cyprus.
Data Subject	an identified or identifiable natural person.
Retention and Destruction Policy	means the internal policy of the Fund that governs the retention and destruction of documents and records, as may be amended from time to time.
Fund	means Med-Dynamic AIFLNP V.C.I.C. Ltd.
Personal data	means any information relating to a data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4(1) GDPR).
Processing	means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4(2) GDPR).
Processor	means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8) GDPR).
Special Categories of Personal Data	has the meaning given in Article 9 GDPR, for example personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Supervisory Authority	means the Office of the Commissioner for Personal Data Protection in the Republic of Cyprus, or any successor authority.