Preamble
This Privacy Notice sets out how Investors Europe (Mauritius) Ltd, trading as CSB Investors, (‘we’ / ‘us’ / ‘our’) processes data (including personal data in respect of individuals who are clients, intermediaries or other third parties we interact with, or any individual who is connected to such parties) and outlines your rights under DPL. This Privacy Notice has been prepared in accordance with the provisions of EU Regulation 2016/679 of the European Parliament and Council, also known as General Data Protection Regulation (‘GDPR’), the UK Data Protection Act 2018 (‘UK DPA’), and the Mauritius Data Protection Act 2017 (‘MU DPA’) (such data protection legislation collectively ‘DPL’). Any questions or requests relating to this Privacy Notice, your personal data, or the exercise of your rights hereunder should be directed to our Data Protection Officer (‘DPO’), Naushikha Kasseeah, at naushikha@csbinvestors.com.
We may update this Privacy Notice from time to time to clarify it or reflect changes in law, regulation or our business operations. We will notify you (including via specific service documentation and online) of any such substantial updates, and you can always access the current version on our website.
Controller
In our legal capacity as ‘Controller’ of your personal data, we, Investors Europe (Mauritius) Ltd, trading as CSB Investors, a private limited company registered in Mauritius with company number C113933 and registered office at 4th Floor, Les Jamalacs Building, Vieux Conseil Street, Port Louis 11328 (Tel: +230 5297 0935) are required to handle (‘process’) your data securely and in accordance with the DPL.
Sources
We collect most of your personal data directly from you – in person, by telephone, e-mail, text and/or via our website. However, we may also collect and process information from other sources as follows:
• publicly accessible sources, e.g. company registries, press, internet websites, social media platforms;
• information vendors such as sanctions, negative publicity, PEP, credit-rating or anti-fraud databases;
• third parties, e.g. your bank(s), broker(s), accountant(s), auditor(s) or solicitor(s), with your consent;
• our IT systems and our website ‘cookies’ – for more information, please refer to our Cookies Notice.
We endeavour to ensure that your data are accessible only by those who need to access them to fulfil the purposes for which we hold them. Requests for any particular access restriction(s) made to our DPO will be duly considered and, where possible in relation to legal and regulatory obligations, actioned.
You are not required by law to provide us with personal data. However, if you refuse to do so, we may not be able to conduct (further) business with you. For example, in order to satisfy our KYC/AML/CTF or SOF/SOW obligations (as defined below), we have to verify your identity and obtain information on your status and past financial activity. This inevitably requires us to collect personal data from you.
Data
We only hold data about you that is relevant to the business relationship we have with you, including:
• full contact details (names, postal/registered addresses, e-mail addresses, and telephone numbers);
• legal and regulatory (‘KYC’ / ‘know your client’) information required by anti-money-laundering (‘AML’) and counter-terrorist-financing (‘CTF’) legislation, including identity/passport details, date and place of birth, citizenship, domicile, residence, tax identification (or equivalent) number(s), source of funds (‘SOF’), source of wealth (‘SOW’), relationships with public officials (‘PEP’), and criminal record;
• financial and other information including, but not limited to, employment, income, wealth, pensions, investments, assets, liabilities, incomings/outgoings, creditworthiness, investment objective, capacity for loss, risk appetite, knowledge of financial products and services, tax status and domicile, business or professional relationships and background, transactions, claims, disputes, and/or legal proceedings;
• account information such as account number, specimen signature, payments, orders or transactions;
• data relating to your usage of our IT platforms (including electronic communications, mobile ‘apps’, recorded telephone lines) and premises, and from your engagement with our marketing activities; and
• meetings attended, visits to our premises, and/or other information which you may provide to us.
In certain instances, the personal data we process may include ‘sensitive’ or ‘special category’ data, including your race, ethnicity, religion, political opinions, biometric/genetic identification data, health, sexual orientation, criminal record, or any alleged criminal activity, whose processing requires your consent (which you can withdraw at any time). The legal bases for processing such data include your consent (where you have provided such ‘sensitive’ personal data to us), our compliance with legal obligations, and/or legal proceedings. If you voluntarily provide us with such ‘sensitive’ personal data in circumstances where this could be relevant to our services to you, or for relationship management purposes, you will be deemed as having consented to our processing of any such data as appropriate.
Uses
The purposes of our data processing and the lawful bases of each processing activity are the following:
• relationship management, service provision and contract performance: it is necessary to process your personal data to enter into and manage our client relationship with you, perform a contract with you relating to our services to you, or take steps at your request prior to entering into such a contract;
• compliance with applicable legal and regulatory obligations: as a regulated financial services entity, we are subject to a number of statutory and regulatory obligations that may require us to collect, store or disclose personal data (including outside EU/UK/MU), such as KYC, AML and/or CTF requirements, regulatory or criminal investigations or disclosure orders, and tax or other public authority purposes;
• pursuit of our legitimate interests: where necessary, we may process your personal data to serve our legitimate interests or those of a third party (DPL permits this only insofar as such interests are not outweighed by a greater need to protect your privacy), including, but not limited to, the following:
— KYC / AML / CTF and creditworthiness checks and prevention and detection of financial crime;
— client and vendor relationship management, risk management, and/or operational efficiency;
— recording of telephone lines and/or monitoring of electronic communications for compliance;
— information security and/or premises security, including use of audio and/or video recordings;
— development and marketing of products and services (unless you have withheld consent); and
— investigations, audits, and evaluation, commencement or defence of legal proceedings, e.g., recovering from you any money you owe to us, in respect of which you expressly agree that your personal data can be relied upon in identifying and taking legal action against you; and/or
• any other purpose which has been agreed by or notified to you, and to which you have consented.
We do not use automated decision-making processes or ‘profiling’ when processing personal data. If we wish to process your personal data in a way not covered by the legal bases and justifications above, we will contact you for your consent. Where you give such consent, you may withdraw it at any time. Doing so shall not render our prior handling of your personal data unlawful, but may have an impact on our ability to continue to provide our customised services to you in the same way as theretofore.
Transfer
Where necessary to fulfil your instructions to us, or for any other purposes outlined above, we may transfer and share your data with a range of recipients including, but not limited to, financial, legal, regulatory, judicial, administrative, transactional or other authorities and service providers (including outside EU/UK/MU), e.g., credit reference and background screening agencies, financial institutions, funds, electronic trading platforms, payment, clearing or settlement service providers, exchanges, law enforcement agencies, courts, tribunals, regulators, governmental or public authorities (including tax authorities and supervisory bodies with a legal right to such information or a legitimate interest in any material), corporate registries, professional advisors, auditors, insurers, document processing, storage or translation services, IT systems or software providers, our agents, service providers, subcontractors, marketing services providers and potential acquirers, and affiliates or associates forming part of our corporate group, including, in each case, their respective agents, directors, officers, employees, and service providers, whenever disclosure thereto is necessary to fulfil any of the purposes set out above.
We will only transfer, share or disclose your personal data as permitted under the DPL and our client confidentiality obligations. Accordingly, unless you consent otherwise, your personal data will not be disclosed to any third parties other than those falling in one or more of the aforementioned categories. Where we enter into an engagement with a third party pursuant to which your data may be processed by such third party, we will seek to enter into an agreement with such third party setting out the respective obligations of each party, and we will seek to be reasonably satisfied that such third party has measures in place equivalent to ours to protect your personal data against unauthorized and/or accidental use, access, transmission, sharing, disclosure, damage, degradation, loss and/or destruction.
Your personal data will not be transferred, transmitted or disclosed to countries outside the European Union, European Economic Area, United Kingdom, or Mauritius (as applicable) except as requested by you or deemed necessary for the performance of our services to you, including transfer and storage in Mauritius of your personal data if you are not a citizen or resident of Mauritius, to which you are deemed to consent by using any of our services to you. In such cases of transfer or transmission, your data will be protected under the DPL, and we will ensure that the relevant requirements are met prior to any such transmission or transfer, including satisfying ourselves prior to any such data transfer that:
• the destination country has data protection laws and regulations reasonably equivalent to the DPL;
• the recipient has agreed through contract to protect your data at a standard equivalent to the DPL;
• we have obtained your express consent to the transfer of your personal data outside EU/EEA/UK/MU;
• or, if transferred to the United States of America or Canada, such transfer will be under the scheme of the modernised 2021 GDPR Standard Contractual Clauses (SCC) issued by the European Commission.
Retention
We will keep personal data for as long as necessary to fulfil the purposes for which they were collected. After the fulfilment of these purposes, such data will be destroyed, unless destruction is prohibited for legal, regulatory or technical reasons. In deciding how long to retain data, we take into account:
• the termination date of the relevant contract or business relationship;
• any retention period required by law, regulation or internal policy; and
• any need to preserve records beyond the above periods for audits, tax matters and/or legal claims.
Requests for information on continued processing or destruction of data should be made to the DPO.
Rights
In your capacity as ‘Data Subject’ in the European Union (or any jurisdiction with equivalent legislation to GDPR), United Kingdom or Mauritius, you have the following rights in respect of your personal data:
• receive information on data processing and a copy of your processed data (under certain conditions);
• demand rectification of inaccurate data or completion of incomplete data (under certain conditions);
• demand erasure/destruction of your personal data (under certain conditions) (right to be forgotten);
• demand restriction or suspension of data processing (under certain conditions, e.g., during claims);
• transfer personal data to another controller in a structured, portable and machine-readable format;
• withdraw any given consent of yours at any time to stop any data processing based on such consent;
• demand to not be subject to automated decision-making or profiling (currently inapplicable to you);
• and object to data processing (i) for the purposes of our legitimate interests; or (ii) on the basis that we are acting in the public interest; or (iii) for direct marketing purposes. If you lodge an objection on the last of these three grounds, we will stop processing your personal data for marketing purposes (and any associated profiling); in the other two cases, we will stop processing the relevant data unless we identify compelling legitimate grounds for their processing which override your rights and interests or we need to process such data in connection with a legal claim or any legal actions and proceedings.
You can contact our DPO at any time to exercise any one or more of your rights above and/or complain about the way we have handled your personal data. You can also write to us at our registered address set out in the ‘Controller’ section of this Privacy Notice. In response to your request or complaint, we reserve the right to require you to provide certain details about yourself so we can validate that you are indeed the person to whom the data refer. We also reserve the right to charge a reasonable fee to cover any expenses that may arise from your request due to its excessive and/or disproportionate nature. In any case, we are required to respond to your request or complaint within 30 calendar days.
In case you exercise any of your rights above to limit the processing of your personal data, we may be unable to provide you with relevant services, or there may be restrictions on the services we provide.
If you feel that any complaint of yours regarding our processing of your personal data has not been remedied to your satisfaction by our DPO in the first instance, you can contact the Mauritius Data Protection Office and Data Protection Commissioner at:
Data Protection Office
5th Floor, SICOM Tower
Wall Street
Ebene Cybercity, Mauritius
T: +230 460 0251
E: dpo@govmu.org
W: https://dataprotection.govmu.org