This Privacy Policy rules the Client’s use of products, services, technology, and content, offered by MB Fund Service Limited (or “the Company”) through its website and any other feature that collectively constitute the Company services offering. It also governs without limitation the provision and use of the Client’s personal data and information in relation to the provided services.

As a Client, by entering into an agreement with the Company to use any of the services, you accept and consent to this Privacy Policy, and by doing so you consent to the use and disclosure of your personal information by the Company as provided for herein.

Definitions

“Controller” shall mean the Company;

“Personal Data” or “Information” shall mean any information relating to an identified or identifiable Client including legal persons such as Merchant entities and which will be provided in relation to receiving the Company services. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

“Personal Data Filing System” or “Filing System” shall mean the Company system where the personal data of the Client is stored;

“Policy Update” shall mean any notice given to the Client in relation to policy changes prior to them taking effect;

“Processing of Personal Data” or “Processing” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

“Processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of The Company;

“Recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;

“Third Party” shall mean any natural or legal person, public authority, agency or any other body other than the Client, The Company, and the persons who, under the direct authority of The Company, are authorized to process the data;

“the Client’s Consent” shall mean any freely given specific and informed indication of his wishes by which the Client signifies his agreement to personal data relating to him being processed.

References to a specific gender and the use of “he”, “him”, “his” should also be construed as references to another gender for the purposes of this policy.

Overview

The GDPR is in force as from 25/05/2018 and it replaces the 1995 EU Data Protection Directive. While GDPR preserves many aspects of the Directive, it imposes changes designed to address the realities of evolving, digital world while increasing the level of accountability for organizations processing personal data.

The Company is committed to ensuring compliance with GDPR across all products and services and in how the Company manages the client relationships. The Company know the clients are focused on matters of data privacy and security, and this overview is designed to give insight and visibility into the GDPR program.

In relation to the client accounts and services maintained with the Company and in accordance with the Clients obligations under GDPR, the Company hereby notifies the Client, that:

The Company, acting as data controller, may process information about the Client, the Client’s directors, officers, employees, affiliates, agents, which may constitute personal data under the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing personal data and on the free movement of such data (“Personal Data”).

The Company’s GDPR Policy sets out relevant information regarding:

1. collection and creation of Personal Data by the Company;
2. the categories of Personal Data Processed;
3. the lawful basis for such processing;
4. the purposes of such processing;
5. the disclosure of Personal Data to third parties;
6. the international transfer of Personal Data;
7. the data security measures applied by the Company;
8. the Company’s compliance with the principles of data accuracy, data retention and data minimization;
9. the rights of Data Subjects;
10. the contact details for enquiries and the exercise of data protection

The GDPR Policy may be updated and revised from time to time.

In the event the Client discloses the Personal Data of any individual to the Company, the Client shall to the greatest extent permitted under applicable law, draw the attention of that individual to the Company’s GDPR Policy, prior to making such disclosure. Particular, to the extent that the Client discloses the Personal Data of any of its employees to the Company, the Client shall notify those employees of that disclosure and of the Company’s GDPR Policy.

Processing Personal Data

The Company collects Personal Data about the client from a variety of sources as follows:

• obtains the Client’s Personal Data when the Client provides it to the Company (e.g. via email, telephone, or by any other mean)
• obtains the Client’s Personal Data in the ordinary course of the relationship with the Client (the course of managing transactions)
• obtains the Client’s Personal Data, that the Client manifestly chooses to make public, including via social media
• obtains the Client’s Personal Data from third parties who provide this to the Company (e.g. the client’s customers, credit reference agencies, law enforcement authorities, )
• obtains the Client’s Personal Data when the Client visit any of the Company’s sites or uses any feature or resources available on or through the Company’s site. When the Client visits a site, the device and browser may automatically disclose certain information (such as device type, operating system browser type, browser settings, IP address, language settings, dates and times of connecting to a Site and other technical communications information (some of which may constitute Personal

Creation of Personal Data

The Company creates Personal Data about the Client, such as records of the client’s interaction with the Company, details of the accounts, subject to applicable law.

The Categories of Personal Data about the Client that the Company processes, subject to applicable law:

• Personal Details: given name(s), preferred name(s), nickname(s), gender, date of birth/age, place of birth, marital status, Social Security number, passport number(s), other government issued number(s), (tax identification number(s), Green card number(s), driving license number(s), nationality, lifestyle and social circumstances, images of passports, driving licences, and signature, authentication data (responses to questions), photographs, visual images, personal appearance, behaviour
• Family Details: family members, dependents, where applicable contact details
• Contact Details: address, telephone number, email address, social media profile details
• Employment Details: industry, role, business activities, names of current and former employer, work address, work telephone number, work email address, work-related social media profile
• Education History: details of the education and qualification, the client’s knowledge and experience in specific financial instruments, products, investment, and ancillary
• Financial Details: bank account details, instruction records, transaction details, source of funds, source of wealth, overall financial situation
• Electronic Identifying Data: IP Addresses, activity logs, online identifiers, unique device identifiers and geolocation

Processing Sensitive Personal Data

The Company does not collect or otherwise process the sensitive personal data, except where:

• the processing is necessary for compliance with a legal obligation (e.g. to comply with the diversity reporting obligations)
• the processing is necessary for the detection and prevention of crime (including the prevention of fraud) to the extent permitted by applicable Law)
• the Client has manifestly made the Sensitive Personal Data public
• the processing is necessary for the establishment, exercise or defence of legal rights
• the Company in accordance with applicable law, obtained the explicit consent prior to Processing the sensitive personal data (as above, this legal basis is only used to Processing that is entirely voluntary it is not used for Processing that is necessary or obligatory in any way); or
• Processing is necessary for reasons of substantial public interest and occurs on the basis of an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard the fundamental rights and

The processing of personal data will be done for the following purposes:

• for compliance with a legal obligation;
• for the performance of a contract the individual is a party to;
• to ensure the vital interests of the individual;
• for the legitimate interests pursued by the controller or the third party, under the condition that such interests override the rights of the individual, interests and fundamental freedoms;
• the examination of an application(s) for opening an account and assessing what instruments and/or services are appropriate/suitable to the client;
• the maintenance and development of your relations with the Company and the exercise of the Company’s rights which arise from the relations between us, as well as the protection of the legal interests of the Company in the context of its transactions with you or with persons connected with you;
• the performance of the Company’s legal duties and obligations;
• the control and the prevention of offences, including but not limited to, offences entailing fraud and money laundering offences

Also, the purposes for which the Company may process personal data, subject to applicable law and legal basis on which the Company may perform such processing:

Client on-boarding: onboarding new clients, compliance with internal requirements, policies, and procedures.

AML/KYC: fulfilling regulatory requirement obligations, checks, identification and verification of identity, screening against government, supranational bodies, agency sanction lists, legal restrictions and publicly available news and systems.

Provision of products and services to the Client: administering relationships and related services, performance of tasks necessary for the provision of services, communicating in relation to such services, assessment of appropriate products.

Operating of web-site: operation and management of web-site, providing content to the Client, displaying information, communicating and interaction with the Client.

IT operations: management of the communication systems, IT security, IT security audits

Investigations: detecting investigating and preventing breaches of policy, criminal offences, in accordance with the applicable law

Legal compliance: compliance with legal and regulatory obligations under applicable law, establishing, exercising, defending legal rights

Risk management: audit, compliance, controls, other risk management exercises

Fraud prevention: detecting, preventing, investigating fraud

The Processing is necessary for Compliance with legal obligation, is necessary in connection with any contract that the Client may enter into with the Company, to take steps prior to entering into a contract, legitimate interest, prior consent is obtained (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way)

Disclosure of Personal Data to third parties

The Company may disclose Personal Data to:

• the Client, and where appropriate client’s family, associates, representatives (in case of proper authorisation provided by the Client)
• anti-fraud services
• third party processors
• law enforcement agency or court
• any relevant party for the purposes of prevention, investigation, detection, prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security in accordance with applicable law
• accountants, auditors, financial advisors, lawyers, other outside professional advisors, subject to binding contractual obligations of confidentiality
• governmental, legal, regulatory, or similar authorities, ombudsmen, central/local government agencies, upon request and where required, including for the purposes of reporting any actual or suspected breach of applicable law or regulation
• regulatory authorities with regards to reporting obligations
• brokers/custody in case of prior written consent from the Client

If the Company will engage a third-party processor to process client’s personal data, the processor will be subject to binding contractual obligations to: i) only process personal data in accordance with the prior written instructions; and ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements under applicable law.

International transfer of Personal Data

Because of the international nature of the business, the Company may need to transfer Clients Personal Data to third parties as noted above, in connection with the purposes set out in this Policy. For this reason, the Company may transfer the Personal Data to other countries that may have different laws and data protection compliance requirements, including data protection laws of lower standard to those that apply in the country in which the Client is located.

Where the Company will transfer the Client’s Personal Data to other countries, the Company will do so on the basis of:

• adequacy decisions
• binding corporate rules
• suitable Standard Contractual Clauses
• other valid transfer mechanisms

Data Security

The Company implemented appropriate technical and organisational security measures designed to protect the Client’s Personal Data against accidental and unlawful destruction, loss, alteration, unauthorized disclosure, unauthorised access, other unlawful or unauthorised forms of Processing, in accordance with applicable law. The client is responsible for ensuring that any Personal Data that is sent to the Company is sent securely.

Accuracy

The Company takes all reasonable steps designed to ensure that: Personal Data of the Client is accurate and where necessary kept up to date, as well as that any of the Personal Data that the Company process that is inaccurate (having regards to the purposes for which they are processed) are erased or rectified without delay

From time to time the Company may ask the Client to confirm the accuracy of the Personal Data.

Data Minimisation

The Company takes all reasonable steps designed to ensure that Personal Data that the Company process is limited to the personal data reasonably required in connection with the purposes set out in this Policy

Data Retention

The Company takes all reasonable steps designed to ensure that Personal Data of Clients that the Company process is only processed for the minimum period necessary for the purposes set out in this Policy. The criteria to determine the duration for which the Company will retain the Personal Data and its form are cited below.

The Company will retain copies of the Personal Data in a form that permits identification only for as long as:

1. The Company maintain ongoing relationship with the
2. Client’s Personal Data are necessary in connection with the lawful purposes set out in the Policy, for which the Company has already had a valid legal

For the duration of:

1. at least 5 years from the date of the termination of the business relationship for all
2. 7 years of tax information, or as required by Law and in accordance with the decision and relevant request from Securities Commission of the Bahamas

Legal rights

The client has the following rights with respect to handling his/her personal data by the Company:

• right to request access to, or copies of, the Personal Data that the Company processes or control, together with information regarding the nature, processing and disclosure of those personal data;
• right to request rectification of any inaccuracies in the personal data that the Company processes or controls right to request on legitimate grounds a) erasure of the personal data that the Company processes or controls, or b) restriction of Processing of Personal Data that the Company processes or controls;
• right to have the Personal Data that the Company processes or controls transferred to another controller, to the extent applicable;
• right to withdraw the consent, where the Company processes or controls Personal Data on the basis of the consent;
• right to log complaint with a Data Protection Authority regarding the Processing of Personal Data by the Company or on behalf of the Company;
• right to object on grounds relating to a particular situation, to the processing of the personal data by the Company or on behalf of the Company;

Contacts

If the Client has any comments, questions, concerns about any of the information in this Policy or any other issues relating to Processing of Personal Data by the Company, the Client may contact the regular Company’s client service contact at: 00357 22279700 or at the e-mail: DPA@mbfs.bs

Data Protection officer is appointed within the Company. For more details, the Client is required to submit request via above mentioned contacts.

Confidentiality

The Company will, except only in so far as is:

1. Established by Law or applicable regulation; or
2. Necessary for effecting settlement; or
3. Permitted in writing by the Client, ensure that all non-public matters relating to the Portfolio will be kept strictly confidential within the Company and its

Notwithstanding the foregoing, the Company’s composite performance record may include the results of the Portfolio’s trading without naming the Client.

The Parties will always keep confidential and shall not disclose to a third party any information of a confidential nature acquired in connection with the Agreement or Portfolio, except for information which is bound to disclose under compulsion of law or by request of regulatory agencies or to respective professional advisers or where disclosure to a third party such as an intermediary or clearing house is necessary in order to facilitate the proper performance under the Agreement.

All information which the Company and/or the Company’s brokers receive from the Client concerning Client’s business or affairs and any information or work product generated from such information, which is not in the public domain, or is not available to the Company on a non-confidential basis, or has not been independently developed by us and which we and/or our brokers are not required to disclose by any applicable regulation or as authorised or required to be disclosed by a court of law or by any Competent Authority including without limitation the Courts or authorities in order to fulfil any requirements under the relevant legislation will be held in confidence by the Company and/or the Company’s brokers, as applicable, unless and until such time as the Client specifically consent to the disclosure of that Confidential Information.

For the avoidance of doubt, nothing in this Term will prevent the Company from disclosing information to the extent required to perform the Services.

In addition to any other right or obligation by virtue of which the Company or any of the Company’s brokers may be entitled or bound by law to disclose information, the Company or any of the Company’s brokers will be entitled, if requested or required, at our discretion, to disclose any information (including Confidential Information) known to the Company or any of the Company’s brokers, and/or to produce any documents relating to the Client’s business or affairs to any governmental or regulatory agency or authority (whether in the Bahamas or elsewhere), to any exchange, clearing house, credit reference agencies, auditors, professional advisers, dealers, custodians, agents, bankers and any of the Company’s affiliate and any relevant self-regulatory organisation. In addition, the Company will, where reasonably practicable, seek to impose a confidentiality requirement in any case where the information is not subject to statutory restrictions on disclosure by the recipient.

Neither the Company nor any of the Company’s brokers will have any duty to disclose to the Client any information that comes to the Company or one of the Company’s brokers, in the course of carrying on any other business or as a result of or in connection with the provision of services to other persons.

The Client Accepts that the Company and any of the Company’s brokers may be prohibited from disclosing or having regard to, or it may be inappropriate for the Company and any of the Company’s brokers to disclose to the Client or have regard to, such information even if it relates to the Client or to the Services.

All information, documents and communications in the Company’s possession or control relating to the Services or the subject matter of the Services shall be the Company’s sole property, save for original contracts, share certificates and other original documents held on the Client’s behalf. The Company shall be permitted to retain a copy of all information, documents and communications between the Company or sent or received by the Company in connection with the Services for regulatory and risk management purposes.

Any information which

1. was already in the Company’s possession prior to delivery by the Client,
2. was or becomes available in the public domain other than as a result of disclosure by the Company,
3. becomes available to the Company from a third party who the Company does not know may be under an obligation of confidentiality to the Client, or
4. was or is independently developed by the Company, shall not be Confidential Information for the purposes of this subject.