Synthix - Breaking Wave DB Limited

In accordance with disclosures required by data protection law, the following information provides an overview of how Synthix - Breaking Wave DB Limited (“we“) use information we hold about identifiable individuals (this is known as “personal data“), such as private clients, authorised representatives, ultimate beneficial owners, guarantors, beneficiaries and individual business contacts (all referred to below as “you“). This notice also outlines your rights under data protection law.

1. Who is legally responsible for the handling of your personal data and who can you contact about this subject?

In data protection law terminology, this is the “controller“, namely:

Synthix - Breaking Wave DB Limited
21 Moorfields
London
United Kingdom
EC2Y 9DB
Tel: +44 207 545 8000

We are required to handle (or “process“) your personal data securely and otherwise in accordance with applicable UK data protection law.

Should you have queries or complaints about the way in which we process your personal data, you may raise these with your usual contact or else with our internal Data Protection Officer via the contact details above or the following email address: dpo.uk@db.com

2. What personal data might we hold about you and where do we get it from?

We will only hold data about you that is relevant in the context of the business relationship which we have with you. Some of this information we will obtain directly from you. We also process personal data from a range of other sources, which may include your employer, other Synthix or other Deutsche Bank Group entities, other companies and financial institutions, publicly available sources (e.g. the media, registers of companies or assets, internet websites, including social media platforms like Linked-In) and from providers of business-risk screening services, such as credit reference agencies, anti-fraud databases, sanctions lists and databases of news articles.

The types of personal data that we process may include (but are not limited to):

— Name, contact information, employer;

— Records relating to our business relationship and relevant services, including data deriving from your usage of our IT platforms (including online services, websites and electronic communications), mobile apps, recorded telephone lines, office buildings, and from your engagement with our marketing activities;

— KYC (know your customer) records, such as passport details, social security number, date and place of birth, source of wealth, rationale for use of corporate structures, relationships with public officials, criminal record;

— Financial information, such as creditworthiness, bank account details, specimen signature, income, investments, assets, liabilities, outgoings, investment objectives, marital status and details of dependants, knowledge of financial products and services, risk appetite, capacity for loss, tax status, domicile.

3. What will we use your data for and does the law allow this?

The purposes for which we process your personal data are summarised below, together with the specific grounds under data protection law (see the bold bullet points) which allow us to do this:

• For the performance of a contract

  It may be necessary for us to process your personal data in order to perform a contract with you relating to our banking and financial services business, or to take steps at your request prior to entering into a contract. For further details, please refer to your contractual documentation with us.

• For compliance with a legal obligation or acting in the public interest

  As a bank, we are subject to a number of statutory and regulatory obligations that may require us to collect, store or disclose personal data, such as for anti-money laundering purposes or to respond to investigations or disclosure orders from the police, regulators of DB Group entities, and tax or other public authorities (including outside the UK).

• For the purposes of legitimate interests

  Where necessary, we process your personal data to serve our legitimate interests or those of a third party. (The law permits this only insofar as such interests are not outweighed by a greater need to protect your privacy.) Cases where we rely on our legitimate interests to process your personal data include (but are not limited to):

  — Know-your-customer and creditworthiness checks;

  — Client and vendor relationship management;

  — Business analysis and development of products and services;

  — Activities relating to information security and building security, including use of CCTV recording;

  — Managing the risks and optimising the efficiency of DB Group operations;

  — Recording of telephone lines and monitoring of electronic communications for business and compliance purposes;

  — Prevention and detection of financial crime;

  — Evaluating, bringing or defending legal claims;

  — Marketing of products and services (unless you have objected/unsubscribed);

  — Audits;

  — Business restructurings.

• On the basis of your consent

  If we wish to process your personal data in a way not covered by the legal justifications above, we will need your consent. Where you give consent, you are entitled to withdraw it at any time, including via the contact points given in section 1 above. Note that withdrawing your consent does not render our prior handling of your personal data unlawful, and that it might have an impact on our ability to continue to provide our services in the same way in future, as illustrated below. There are some categories of personal data which the law deems inherently sensitive, and we generally need an individual's consent to be able to store and use it. Information about a person's health or religious beliefs are examples. If you voluntarily provide such information to us in circumstances where this is relevant to the financial products and services, we offer you (as could be the case for appropriate investment planning or Islamic financing) or for broader relationship management purposes, we will take it that this constitutes your consent to store and use this information as appropriate. As mentioned above, you can withdraw your consent at any time. See section 8 below for additional rights you have over your data.

4. Who might we share your data with?

Where necessary to fulfil your instructions to us and for the other purposes outlined above, we may share information about you with a range of recipients including (but not limited to) the following: credit reference agencies, background screening providers, financial institutions, funds, payment recipients, payment and settlement infrastructure providers, exchanges, regulators, courts, public authorities (including tax authorities), Synthix or Deutsche Bank Group entities and service providers, professional advisors, auditors, insurers and parties relevant to any merger or disposal activity on our part. These recipients could be located outside the UK.

We will only disclose information about you as permitted under the contractual terms we have in place with you, data protection law, client confidentiality obligations and other applicable law.

5. Will we transfer your data to other countries?

Synthix and its clients are active globally and thus information relating to you may, in line with the purposes described above, be transferred outside the UK.

Such countries' laws regarding personal data may not be as strict as those of the UK. However, if the bank uses service providers in such locations, it requires them to apply the same level of protection to your data as would be necessary in the UK. Typically, we achieve this through the use of officially approved standard contractual clauses, which provide appropriate safeguards for international data transfers. (A copy is available on request.) More generally, we will only transfer your personal data to other countries in a way that is permitted under UK data protection law.

6. How long will we keep your data for?

In general terms, we retain your personal data as long as necessary for the purposes for which we obtained it (see section 3 above). In making decisions about how long to retain data we take account of the following:

— The termination date of the relevant contract or business relationship;

— Any retention period required by law, regulation or internal policy;

— Any need to preserve records beyond the above periods in order to be able to deal with actual or potential audits, tax matters or legal claims.

7. Will we use your data for marketing and/or profiling purposes?

We may use your personal data to give you information about products and services offered by us or our DB Group affiliates that we think you may be interested in receiving. Where we consider it appropriate, and so far as compliant with marketing laws, we may contact you in this regard by email or other electronic messaging channels or by telephone. We refer to your right to object to marketing activity in the next section.

“Profiling“ in the context of this notice is the use of an automated process to analyse personal data in order to assess or predict aspects of a person's behaviour. We may use profiling in the following circumstances:

— To help identify potential cases of financial crime;

— To provide you with information on Synthix products and services that seem likely to be of interest;

— To assess creditworthiness (where automated credit scoring based on a mathematically and statistically recognised and proven procedure assists us with our decision making and ongoing risk management).

8. What data protection rights do you have?

Subject to certain exceptions and limitations, by law you have the right to:

— Request access to your personal data. This enables you to receive a copy of the personal data we hold about you.

— Request correction of the personal data that we hold about you. This enables you to have incomplete or inaccurate data that we hold about you corrected.

— Request erasure of your personal data. This enables you to ask us to delete your personal data where there is no good reason for us continuing to process it. This is sometimes referred to as the “right to be forgotten“.

— Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your data, such as during the period of time it might take us to respond to a claim by you that the data is inaccurate or that our legitimate interests in processing it are outweighed by yours.

— Request us to transfer personal data that you gave us either to you or to another company in a commonly used electronic format. This is known as the right to data portability.

— Object to processing of your data. This enables you to object to processing of your personal data which is carried out:

• for the purposes of our legitimate interests; or
• on the basis that we are acting in the public interest; or
• for direct marketing purposes.

If you lodge an objection on the last of these three grounds, we will simply stop processing your personal data for marketing purposes (and any associated profiling). In the other two cases we will stop processing the relevant data unless we identify compelling legitimate grounds for the processing which override your rights and interests or else if we need to process the data in connection with a legal claim.

— Request not to be subject to automated decision making. This enables you to ask us not to make a decision about you that affects your legal position (or has some other significant effect on you) based purely on automated processing of your data. (We do not as a rule make decisions of this nature based solely on automated processing and without any human assessment whatsoever. We would notify you specifically if we did).

To exercise any of these rights, please write to our Data Protection Officer via the contact details given in section 1 above. You are also entitled to submit any complaint you may have about our use of your personal data either to us or to the relevant data protection regulator, which in the UK is the Information Commissioner's Office (https://ico.org.uk), whose address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

9. Are you under an obligation to provide us with your personal data?

You are not required by law to provide us with your personal data. However, if you refuse to do so we may not be able conduct further business with you. For example, in order to satisfy our antimoney laundering obligations we have to verify the identity of our clients among other matters. This inevitably requires us to collect certain personal data from current and prospective clients.

10. Changes to this privacy notice

We may update this privacy notice from time to time in order to clarify it or address changes in law or our business operations. We will notify you if we make any substantial updates and you can always access the current version at the following website address:

Homepage | Synthix

We may also notify you in other ways about the processing of your personal data, such as in specific product documentation or via notices accessible on our websites or online platforms.