Privacy Policy

1. Introduction

​

1.1 In order to serve our clients, Royal Capital (hereinafter "Royal Capital", "we" or "us") needs to collect personal data from our clients and/or prospective clients and employees.

​

In light of the foregoing, Royal Capital wishes to ensure a high level of data protection, as privacy is a cornerstone in gaining and maintaining the trust of our customers, employees and suppliers and thus ensuring the business of Royal Capital in the future.

​

The protection of personal data requires the adoption of appropriate technical and organizational measures to demonstrate a high level of data protection. Royal Capital has adopted a series of internal and external data protection policies, which must be respected by Royal Capital employees.

​​

In addition, Royal Capital will monitor, audit and document internal compliance with data protection policies and applicable data protection legal requirements, including the General Data Protection Regulation ("GDPR") .

​

Royal Capital will also take the necessary steps to improve data protection compliance within the organization. These steps include assigning responsibilities, raising awareness, and training personnel involved in processing operations. Please note that this privacy policy will be revised from time to time to take account of new obligations and that any personal data held by us will be governed by our most recent policy.

​

This privacy policy, together with the guidelines for the processing of personal data, constitutes the general framework for the processing of personal data within Royal Capital.

​​

1.2 "Personal Data" is any information that may relate to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, telephone number, age, gender, employee, job applicant, customers, suppliers and other businesses. . partners. This also includes special categories of personal data (sensitive personal data) and sensitive information, such as health information, account number, identification number, location data, an online identifier, or one or more factors specific to physical, physiological , genetic, mental and economic. , cultural or social identity of that natural person.

​

1.3 Although information about companies/companies is not such personal information, please note that information relating to contacts within said companies/companies, for example, name, title, work email, work phone number, etc. . is considered personal information.

​

1.4 Royal Capital collects and uses personal data for a variety of legitimate business purposes, including establishing and managing customer and supplier relationships, completing purchase orders, recruiting and managing all aspects of terms and conditions of employment, communication , compliance with legal obligations or requirements, execution of contracts, provision of services to clients, etc.

​

1.5 Personal data will always be:

​

Processed lawfully, fairly and transparently in relation to the data subject;

collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes;

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

accurate and, where necessary, updated; All reasonable steps must be taken to ensure that personal data that is inaccurate, taking into account the purposes for which it is processed, is erased or rectified without delay;

kept in a form that allows the identification of the interested parties for a period not exceeding that necessary for the purposes for which the personal data is processed;

processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

​

1.6 Royal Capital shall be liable and may demonstrate compliance with the foregoing as part of Royal Capital's liability.

​

2. Legal basis for processing personal data

​

2.1 The processing of personal data requires a legal basis. The most predominant legal basis for processing personal data within Royal Capital is:

Consent of the data subject for one or more specific purposes;

The execution of a contract to which the interested party is a party;

A legal obligation or requirement;

Legitimate interests pursued by Royal Capital;

​

2.2 Consent

​

2.2.1 If the collection, registration and subsequent processing of personal data of customers, suppliers, other business relationships and employees is based on the consent of said person for the processing of personal data for one or more specific purposes, Royal Capital may demonstrate that the data subject has consented to the processing of such personal data.

​

2.2.2 Consent must be: freely given, specific, informed and unambiguous.

The data subject must actively consent to the processing of personal data through a clear affirmative action or statement.

​

2.2.3 A request for consent must be presented in a way that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and simple language.

​

2.2.4 To process special categories of personal data (sensitive personal data), the consent must also be explicit.

​​

2.2.5 The data subject has the right to withdraw their consent at any time and, once withdrawn, we will stop collecting or processing personal data about that person unless we are required or entitled to do so under another legal basis.

​

2.3 Necessary for the execution of a contract:

​

2.3.1 It will be legitimate to collect and process relevant personal data for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract. This applies to all obligations and contractual agreements signed with Royal Capital, including the pre-contractual phase regardless of the success of the contract negotiation or not.

​

2.4 Comply with a legal obligation

​

2.4.1 Royal Capital must comply with various legal obligations and requirements, which are based on Union or Member State law. Said legal obligation, to which Royal Capital is subject, may be sufficient as a legitimate basis for the processing of personal data.

​

2.4.2 These legal obligations include the obligation to collect, record and/or make available certain types of information related to employees, customers, etc. Such legal requirements will form the legal basis for us to process the personal data, however, it is important to note whether the provisions allowing or requiring Royal Capital to process certain personal data also establish requirements in relation to the storage, disclosure and the elimination.

​

2.5 Legitimate interests

​

2.5.1 The data will only be processed when necessary for the purposes of the legitimate interests pursued by Royal Capital, and these interests or fundamental rights will not be overridden by the interests of the data subject. In deciding to process data, Royal Capital will ensure that legitimate interests override the rights and freedoms of the individual and that the processing does not cause undue harm. For example, it is in Royal Capital's legitimate interest to process personal data of prospective clients in order to expand business and develop new business relationships. The data subject must be informed about the specific legitimate interest if a processing is based on this provision, cf. section 4.1 below.

​

3. Processing and transfer of personal data

​

3.1 Royal Capital as data controller

​

3.1.1 Royal Capital will be considered a data controller to the extent that we decide by what means the personal data of the data subject will be processed, for example, when a data subject signs an agreement with Royal Capital.

​

3.2 Use of data processors

​

3.2.1 A third party data processor is a company that processes personal data on behalf of Royal Capital and in accordance with Royal Capital's instructions, for example in relation to human resources systems, third party IT providers etc. When Royal Capital outsources the processing of personal data to data processors, Royal Capital ensures that such company applies at least the same level of data protection as Royal Capital. If this cannot be guaranteed, Royal Capital will choose another data processor.

​

3.3 Data processing agreements

​

3.3.1 Prior to the transfer of personal data to the data processor, Royal Capital shall enter into a written data processing agreement with the data processor. The data processing agreement ensures that Royal Capital controls the processing of personal data, which takes place outside of Royal Capital and is the responsibility of Royal Capital.

​

3.3.2 If the data processor / data sub-processor is located outside the EU / USA, the conditions of clause 3.4.4 below will apply.

​

3.4 Disclosure of personal data

​

3.4.1 Before disclosing personal data to others, it is Royal Capital's responsibility to consider whether the recipient is our employee or not. Furthermore, we may only share personal data within Royal Capital if we have a legitimate business purpose in the disclosure.

​

3.4.2 It is Royal Capital's responsibility to ensure that the recipient has a legitimate purpose for receiving the personal data and to ensure that sharing of personal data is restricted and minimized.

​

3.4.3 Royal Capital should exercise caution before sharing personal data with persons, data subjects or entities outside of Royal Capital. Personal data will only be disclosed to third parties acting as individual data controllers if there is a legitimate purpose for such transfer. If the recipient is acting as a data processor, please see clause 3.2 above.

​

3.4.4 If the external recipient is located outside the EU/USA in a country that does not guarantee an adequate level of data protection, the transfer can only be completed if a transfer agreement has been concluded between Royal Capital and the third party. The transfer agreement will be based on the EU standard contractual clauses.

​

4. Rights of the interested parties

​

4.1 Duty of information

​

4.1.1 When Royal Capital collects and records personal data about data subjects, Royal Capital is obliged to inform such persons about:

​

The purposes of the processing for which the personal data is intended, as well as the legal basis for the processing;

The categories of personal data in question;

The legitimate interests pursued by Royal Capital, if the processing is based on a balance of interests;

The recipients or categories of recipients of the personal data, if any;

Where appropriate, the fact that Royal Capital intends to transfer personal data to a third country and the legal basis for such transfer;

The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

The existence of the right to request from Royal Capital access and rectification or erasure of personal data or restriction of processing in relation to the data subject or to oppose the processing, as well as the right to data portability;

When the processing is based on the consent of the data subject, the existence of the right to withdraw the consent at any time, without affecting the legality of the processing based on the consent before its withdrawal;

The right to lodge a complaint with Royal Capital through the correct procedure or with a supervisory authority;

If the provision of personal data is a legal or contractual requirement, or a necessary requirement to conclude a contract, as well as if the interested party is obliged to provide the personal data and the possible consequences of not providing such data;

The existence of automated decision-making, including profiling, and significant information about the logic involved, as well as the importance and expected consequences of such processing for the data subject.

​

4.2 Right of access

​

4.2.1 Any person whose personal data is being processed by Royal Capital, including but not limited to Royal Capital employees, job applicants, third party vendors, prospective clients, business partners, etc., has the right to request access to the personal data that Royal Capital processes or stores about him/her.

​

4.2.2 If Royal Capital processes or stores personal data about the data subject, the data subject will have the right to access the personal data and the reasons why the data will be processed in relation to the criteria set out in 4.1.1.

​

4.3 The interested party shall have the right to obtain, without delay, from Royal Capital the rectification of inaccurate personal data concerning him.

​

4.4 The data subject shall have the right to obtain from Royal Capital the deletion of personal data concerning him or her and Royal Capital shall be under an obligation to erase personal data without undue delay, unless required by law to retain any information for a prescribed period of time, for example, by financial regulators or tax authorities.

​

4.5 The data subject shall have the right to obtain from Royal Capital processing restriction, if applicable.

​

4.6 The data subject shall have the right to receive the recorded personal data in a structured and commonly used machine-readable format, if applicable.

​

4.7 The interested party will have the right to object, in relation to their particular situation, at any time to the processing of personal data that concerns them, which are based on a balance of interests, including profiling.

​

4.8 Any request received from a data subject to exercise the rights in this clause will be responded to as soon as reasonably possible, and no later than 30 days from receipt. Requests will be sent without delay to the Royal Capital service center. The Service Center will be supported by the Royal Capital Data Protection Officer to process the request to meet the response deadline.

​

5. Data protection by design and data protection by default

​

5.1 New products, services, technical solutions, etc. must be developed. so that they comply with the principles of data protection by design and data protection by default.

​

5.1.1 Data protection by design means that when new products or services are designed, data protection is duly taken into account.

​

Royal Capital will take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of variability and severity of the rights and freedoms of natural persons that the processing poses.

Royal Capital, both at the time of determining the means for processing and at the time of processing itself, will implement appropriate technical and organizational measures, such as pseudonymization, designed to implement data protection principles, such as data minimization , effectively and integrate the necessary safeguards in the processing to comply with data protection requirements and protect the rights of data subjects.

​

5.1.2 Data protection by default requires the implementation of relevant data minimization techniques.

​

Royal Capital will implement appropriate technical and organizational measures to ensure that, by default, only personal data that is necessary for each specific purpose of processing is processed.

This minimization requirement applies to the amount of personal data collected, the scope of its processing, the storage period and its accessibility.

Such measures will ensure that, by default, personal data is not accessible without careful consideration.

​

6. Records of processing activities

​

6.1 Royal Capital as data controller will keep records of the processing activities under the responsibility of Royal Capital. The records must contain the following information:

​

name and contact details;

the purposes of the processing;

a description of the categories of data subjects and of the categories of personal data;

the recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations;

where appropriate, transfers of personal data to a third country, including identification of that third country and, where appropriate, appropriate safeguards documentation;

when possible, the periods foreseen for the deletion of the different categories of data;

where possible, a general description of the technical and organizational security measures applied.

​

​

6.1.1 Royal Capital will make the records available to the relevant data protection authorities upon request.

​

7. Deletion of personal data

​

7.1 Personal data will be deleted when Royal Capital no longer has a legitimate purpose for the continued processing or storage of personal data, or when storage of personal data is no longer required in accordance with applicable legal requirements.

​

7.2 Detailed retention periods in respect of various categories of personal data are specified in Royal Capital's Information Retention and Sharing policy.

​

8. Risk assessment

​

8.1 If Royal Capital processes personal data that is likely to give rise to a high risk to the individuals whose personal data is processed, a data protection impact assessment ("DPIA") will be carried out.

​

8.1.1 A DPIA implies that Royal Capital, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity of the rights and freedoms of natural persons, will apply the technical measures and appropriate organizations to guarantee and be able to demonstrate that the processing is carried out in accordance with data protection requirements.

​

8.2 The technical and organizational measures will be reviewed and updated when necessary and, at the latest, every 6 months.

​

8.2.1 Adherence to approved codes of conduct or approved certification mechanisms may be used as an element to demonstrate compliance with appropriate technical and organizational measures in accordance with this clause.

​

9. National requirements

​

9.1 Royal Capital shall comply with both the GDPR and national data protection legislation.

​

9.2 If national legislation requires a higher level of personal data protection than such policies/guidelines, such stringent requirements must be met. If Royal Capital's policies/guidelines are stricter than local law, our policies/guidelines must be followed.

​

10. Contact and complaints

​

10.1 If you have any questions about the content of this policy, please contact Royal Capital's Data Protection Officer at [email protected].

​

10.2 If you wish to make a complaint about Royal Capital's processing of personal data, please contact the US Data Protection Agency.

​