- INTRODUCTION
17 Capital LLP, 17Capital Americas Inc, 17 Capital Services Limited and 17Capital (DIFC Representative Office) (together, “17Capital”, “we” and “us”) is committed to protecting the privacy and security of the Personal Data that we hold.
This notice (“Data Protection Notice”) is intended to explain how we collect, use and protect your Personal Data as a Controller and Processor.
References to Controller, Personal Data, Processing and Data Subjects shall have the meaning given to these terms by the Data Protection Laws (as defined below).
- WHO WE ARE
17Capital is a private debt fund manager specialised in the provision of liquidity to other private equity funds and their managers. 17Capital is authorised and regulated by the Financial Conduct Authority (“FCA”) under licence number 481506 and is also an Exempt Reporting Adviser (“ERA”) under the Securities and Exchange Commission (“SEC”). 17 Capital LLP (Representative Office) is registered with the Dubai Financial Services Authority.
17Capital is committed to handling Personal Data fairly and lawfully and takes its data protection obligations very seriously. We have taken measures to ensure that we process Personal Data in compliance with applicable data protection laws, including without limitation, the UK General Data Protection Regulation (“GDPR”), as tailored from time to time by the Data Protection Act 2018, and any applicable national data protection law, and the DIFC Data Protection Law No. 5 of 2020 and its Regulations (together, the “Data Protection Laws”).
- WHAT IS PERSONAL DATA AND WHAT DATA DOES 17CAPITAL HOLD?
The Data Protection Laws define Personal Data as “any information relating to an identified or identifiable natural person, including an Data Subject’s name, age, home address, income, marital status, education, employment information, email address or any combination of these things”. The information we collect and hold can be categorised as follows:
- Employees and Prospective Employees – includes contact details, identification information, bank account details, background checks, employment history, performance information, remuneration, healthcare and pension arrangements.
- Clients and Prospective Clients – in relation to our Data Subject clients, includes contact details, identification information, bank account details, background checks, transaction histories etc. For our corporate clients, includes the names and contact details of the Data Subjects we interact with together with background and identification information of directors and officers that we are required to collect for regulatory purposes. For our prospective clients, primarily includes names and contact details but if being on-boarded could also include other information as described above.
- Service Providers, Suppliers and Contractors – the names and business contact details of the Data Subjects we interact with at our service providers, suppliers and contractors together with background and identification information that we are required to collect.
- Other Business Partners / Contacts (e.g. banks, brokers, registrars, lawyers, accountants, actuaries, regulators, HMRC, investee companies, managing agents etc) – the names and business contact details of the Data Subjects we interact with at these entities together with background and identification information that we are required to collect.
- HOW IS PERSONAL DATA COLLECTED?
17Capital uses different methods to collect Personal Data including the following:
- personal details provided directly by employees, clients, suppliers & contractors and other business contacts; and
- third parties and publicly available sources e.g. Companies House, registrars in the UK, the Public Register in the DIFC and background check providers.
- HOW DO WE USE PERSONAL DATA?
The Personal Data we obtain and hold is used to enable us to:
- provide investment management services to our investors; and
- fulfil our contractual and other obligations to employees, suppliers, contractors and other business partners; and
- meet our legal and regulatory obligations; and
- market to professional Data Subjects whom 17Capital believe support our business.
Under the Data Protection Laws, we must have a legal basis / justification for Processing data. In the vast majority of instances, 17Capital will have one of the following justifications:
- performance of a contract;
- compliance with legal obligations; and/or
- legitimate business interests – and, in this instance, the Processing must be “necessary” and must balance the interests of the Controller with the rights of the Data Subject.
Our “legitimate interests” referred to above are:
- the provision of the proof, in the event of a dispute, of a transaction or any commercial communication as well as in connection with any proposed purchase, merger or acquisition of any part of our business;
- compliance with laws and regulations and/or any order of a court, government, supervisory, regulatory or tax authority;
- risk management; and/or
- exercising our business in accordance with reasonable market standards.
We may combine the Personal Data that we collect from Data Subjects with information obtained from other sources to the extent permitted by law.
It is important that the Personal Data we hold is accurate and current and therefore the Data Subject should advise us as soon as possible in the event of any changes.
- TO WHOM DO WE DISCLOSE PERSONAL DATA?
We will only use a Data Subject’s Personal Data for our internal business purposes. This includes the provision of marketing related correspondence to the Data Subject on our products and services which Data Subjects have consented to. We may disclose Personal Data to our group companies, including 17 Capital Services Limited, 17Capital Americas Inc and 17 Capital LLP (DIFC Representative Office) in which case they will process such Personal Data in accordance with this Data Protection Notice.
We do not sell any Personal Data to third parties and we do not share Personal Data with third parties for the third parties’ marketing purposes.
However, we may need to disclose Personal Data strictly on a need to know basis to (a) one or more third party managers appointed by us in respect of any fund in which you propose to invest or are a current investor, in which case such manager will process your data in accordance with their privacy policy; (b)our service providers, contractors, suppliers; and (c) other parties such as banks, brokers, registrars, lawyers, accountants, actuaries, regulators and HMRC.
- WHAT DO WE DO TO KEEP PERSONAL DATA SECURE?
We have put in place appropriate physical and technical measures to safeguard the Personal Data we collect in connection with our services. In addition, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Personal Data on our instructions and are subject to a duty of confidentiality.
However, please note that although we take appropriate steps to protect Personal Data, no device, computer system, transmission of data or wireless connection is completely secure and therefore we cannot guarantee the absolute security of Personal Data.
- INTERNATIONAL TRANSFER OF DATA
The Personal Data that we collect may be stored and processed in the European Economic Area (“EEA”) or transferred to, stored at or otherwise processed outside the UK or EEA. The Personal Data we collect may be stored and processed in the DIFC as well as outside the DIFC.
Where Personal Data is transferred outside the UK, EEA or DIFC we will take all steps reasonably necessary to ensure that the Data is kept secure, including being protected against unauthorised or unlawful Processing, and against accidental loss, destruction or damage, and treated in accordance with this Data Protection Notice and the requirements of applicable law wherever the data is located. If such data transfers occur in countries that are not recognised as adequate by the Commissioner, transfer agreements and mechanisms (such as Model Clauses, Binding Corporate Rules, an approved Code of Conduct or certification mechanism) will be put in place to help ensure that our third-party service providers and/or entities forming part of the 17Capital group, provide an adequate level of protection for Personal Data. We will only transfer Personal Data outside the UK, EEA and the DIFC, where applicable, in accordance with applicable laws or where the Data Subject has given us consent to do so. In this respect, you have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to us.
- DATA RETENTION – HOW LONG IS PERSONAL DATA STORED / KEPT?
17Capital’s policy is to ensure that Personal Data is complete, accurate and up to date and only held where relevant and necessary. 17Capital retains Personal Data for as long as necessary to fulfil the purposes for which the Data has been collected as outlined in this Data Protection Notice unless a longer retention period is required by law and will be held securely to safeguard against unauthorised access and to prevent loss, destruction or damage. Data is kept under regular review to ensure that it is not held longer than is strictly necessary, whilst taking account of 17Capital’s other regulatory obligations such as the requirement to retain evidence of anti-money laundering checks.
When Personal Data is no longer required for the purpose for which it was collected or as required by applicable law, it will be deleted or in certain circumstances returned to the Data Subject in accordance with applicable law.
- ACCESSING PERSONAL DATA AND OTHER RIGHTS THAT A DATA SUBJECT HAS
17Capital will collect, store and process Personal Data in accordance with the Data Subject’s rights under the Data Protection Laws. Under certain circumstances the Data Subject has the following rights in relation to their Personal Data:
- the right to request details of their Personal Data held by 17Capital and to request copies of such information;
- where 17Capital’s use of Personal Data is based upon their consent, the right to withdraw such consent at any time, in which the Controller must cease storing or Processing such Personal Data as soon as reasonably practicable and ensure that any Processors do the same;
- the right in certain circumstances to request 17Capital to port (i.e. transmit) their Personal Data direct to another organisation;
- the right to obtain the following from 17Capital within one (1) month of request (which may be extended to further two (2) months) and without charge:
- confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed;
- a copy of the Personal Data undergoing Processing, provided in an appropriate format, including but not limited to electronic form or hard copy format, and of any available information as to its source;
- the rectification of Personal Data unless it is not technically feasible to do so.
- the right to have Personal Data erased in the following circumstances;
- The Processing of Personal Data is no longer needed for the purposes it was originally collected;
- The Data Subject has withdrawn consent where consent was the lawful basis, and no other lawful basis exists;
- The Processing is unlawful, or the Personal Data must be deleted to comply with applicable law; and
- The Data Subject objects to the Processing, and there are no overriding legitimate grounds for the Controller to continue.
- the right to ask 17Capital to stop Processing their Personal Data on reasonable grounds and to only store such Data;
- the right to be informed before Personal Data is disclosed for the first time to third parties or used on the Data Subject’s behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses, subject to any legal limitations;
- the right to object to specific types of Processing of Personal Data on reasonable grounds, for example where it is being used for the purpose of direct marketing;
- the right in certain circumstances not to be subject to decisions being taken solely on the basis of automated Processing (e.g. profiling);
- The right to restrict Processing where:
- The accuracy of the contested Personal Data is verified;
- The Processing is unlawful and the Data Subject opposes the erasure but requests the restriction of the Personal Data’s use instead;
- The Controller no longer needs the Personal Data for the purposes of the Processing, but is required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to Processing and is pending verification whether the legitimate grounds of the Controller override those of the Data Subject;
- the right to notify any rectification or erasure of Personal Data or Processing restriction to each recipient to whom Personal Data has been disclosed, in certain circumstances, and disclose the recipients to the Data Subject upon request;
- the right to receive Personal Data in a structured, commonly used and machine-readable format where the Processing is based on the Data Subject’s consent or the performance of a contract and is carried out by automated means; and
- the right of non-discrimination by the Controller on a Data Subject who exercises any of their rights under the Data Protection Laws or this Privacy Notice.
- HOW CAN A DATA SUBJECT ENFORCE THEIR RIGHTS?
In the event of a Data Subject wishing to enforce any of their rights under the Data Protection Laws then please contact us using the details at section 15. A response to the request will be made without undue delay and no later than one month from receipt of such a request. We will not charge a fee for Processing such a request.
If a Data Subject is concerned that we have not complied with their legal rights under applicable Data Protection Laws, they may contact the Information Commissioner’s Office (www.ico.gov.uk) for Data Subjects based in the UK, or the DIFC Commissioner (commissioner@dp.difc.ae ) for Data Subjects based in the DIFC. Other, non-UK/DIFC Data Subjects may contact their local data protection supervisory authority.
- THIRD-PARTY LINKS AND PRODUCTS ON OUR SERVICES
Our websites, applications and products may contain links to other third-party websites that are not operated by 17Capital, and our website may contain applications that can be download from third parties. These linked sites and applications are not under 17Capital’s control and as such, we are not responsible for the privacy practices or the content of any linked websites and online applications. If a user chooses to access any third-party websites or applications, any Personal Data collected by the third party’s website or application will be controlled by the Data Protection Notice of that third party. We strongly recommend that you take the time to review the privacy policies of any third parties to which you provide Personal Data.
- COOKIES
This website uses tracking software to better understand how visitors use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computers’ hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy here for further information http://www.google.com/privacy.html.
You can click the icon in the bottom-left at any time to change your analytics cookie preferences.
- CHANGES TO THIS DATA PROTECTION NOTICE
We will update this Data Protection Notice from time to time and hence it is important to check the “Date Notice Last Updated” legend at the bottom of this Notice. Any changes will become effective upon our posting of the revised Data Protection Notice.
We will provide notice to Data Subjects where any of the changes are material and, where required by applicable law, we will obtain your consent. We will provide this notice by e-mail or by posting notice of the changes on our website.
- CONTACT US / FURTHER INFORMATION
If you have any questions concerning the content of this Data Protection Notice, including any requests to exercise your legal rights, the relevant contact details are set out below.
Contact details:
Email address: compliance@17capital.com
Phone: +44 (0)20 7493 2462
Postal address: Almack House, 28 King Street, London, United Kingdom, SW1Y 6QW (UK); Unit L29-02, Level 29, ICD Brookfield Place, Dubai International Financial Centre, Dubai, United Arab Emirates (DIFC)
Date Notice Last Updated – 23 August 2024