Privacy notice for issuers

PrimaryBid Limited, its subsidiaries and affiliates ("PrimaryBid", "we", "our" or "us") respect the privacy of the individuals whose personal data we collect ("you" or "your").

This privacy notice (the "Privacy Notice") provides information, for the purposes of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as it forms part of domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the UK Data Protection Act 2018 ("DPA") and other applicable national data protection laws, concerning how PrimaryBid processes and protects your personal data that we may receive as part of your registering and interactions with PrimaryBid.

The terms "controller", "processor", "data subject", "personal data", "process", "processes", and "processing" used in this Privacy Notice have the meanings given to them in the UK GDPR.

This notice applies to the current, prospective and former beneficial owners, officers, and employees in positions of senior management, as well as their family members ("you", "your" or "data subject") of the issuers of securities with whom PrimaryBid is in, or is proposing to enter into, a contractual relationship to assist with such offering ("Issuers").

Controllership

PrimaryBid is an independent 'controller' in respect of its processing of your personal data. We are responsible for ensuring that we hold and use your personal data in compliance with the UK GDPR and the DPA and other applicable national data protection laws.

Who do we collect personal data from?

We may collect personal data from the following persons / sources:

  • Issuers, including but not limited to sources such as their websites and other documentation (both external public information, and internal documents provided by the Issuers to us);
  • Regulators and government bodies: regulators and government bodies, as well as officers, directors, employees, advisors, intermediaries and other representatives of the same; and
  • Publicly accessible sources, such as sanctions lists and LinkedIn.

The personal data that we collect about you

  • Identifiers: for example, name, postal address;
  • Professional or work-related information: your professional role, occupational history, business relationship with PrimaryBid and background and interests, and any other personal data which may be incidentally processed if you contact us;
  • 'Politically Exposed Person' ("PEP") information: personal data which we are required by applicable law or for prudential reasons to collect on individuals who have certain political links and / or connections to prominent public functions. This may include special category personal data subject to Article 9 UK GDPR, for example political opinions;
  • Anti-Money Laundering ("AML") information: personal data which we are required by applicable law or for prudential reasons to collect on individuals in respect of ensuring that PrimaryBid or our services are not used in connection with the proceeds of crime. This may include personal data related to criminal convictions and offences or related security measures subject to Article 10 UK GDPR;
  • Terrorist financing information: personal data which we are required by applicable law or for prudential reasons to collect on individuals in respect of ensuring that PrimaryBid or our services are not used in connection with terrorist financing. This may include personal data related to criminal convictions and offences or related security measures subject to Article 10 UK GDPR;
  • Sanctions information: personal data which we are required by applicable law or for prudential reasons to collect on individuals in respect of ensuring that PrimaryBid or our services are not used by individuals subject to state or international sanctions. This may include personal data related to criminal convictions and offences or related security measures subject to Article 10 UK GDPR.

The purposes for processing your personal data

We process your personal data for internal and external compliance purposes in respect of terrorist financing, sanctions, AML and PEP checks, pursuant to (i) applicable laws and regulations; and / or (ii) for prudential risk management and ensuring compliance with PrimaryBid policies, such as prevention of legal claims against PrimaryBid and prevention of fraudulent activities for the protection of PrimaryBid's business reputation and assets.

Where we process your personal data for prudential reasons this is to pursue our other legitimate interests, including where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

What is the legal basis of the processing?

When we process your personal data, we may rely on:

  • Article 6(1)(c) UK GDPR to the extent processing is necessary for compliance with a legal obligation to which PrimaryBid is subject. Examples of this might include obligations relating to AML, PEP, suspicious activity reports, fraud prevention, sanctions, and terrorist financing.
  • Article 6(1)(e) UK GDPR to the extent processing is necessary for the performance of a task carried out in the public interest. Where special category data is processed and we rely on substantial public interest (Article 9(2)(g) UK GDPR) as the lawful basis of processing, we have taken the position that we should also rely on public interest under Article 6(1)(e) UK GDPR.
  • Article 6(1)(f) UK GDPR to the extent such processing is necessary for the purposes of the legitimate interests we pursue to the extent we have concluded that our processing is not overridden by your interests or fundamental rights or freedoms that require the protection of personal data.
  • Article 9(2)(g) UK GDPR and Paragraph 10, Part 2 of Schedule 1 to the DPA to the extent such processing is necessary for preventing or detecting unlawful acts, and / or Paragraph 11, Part 2 of Schedule 1 to the DPA to the extent such processing is necessary for protecting the public against dishonesty etc. Where we rely on either of these lawful bases of processing, we will have in place an Appropriate Policy Document as required pursuant to Paragraph 5, Part 2 of Schedule 1 to the DPA.
  • Article 10 UK GDPR and Paragraph 10, Part 2 of Schedule 1 to the DPA to the extent such processing is necessary for preventing or detecting unlawful acts, and / or Paragraph 12, Part 2 of Schedule 1 to the DPA to the extent such processing is necessary for regulatory requirements relating to unlawful acts and dishonesty etc. Where we rely on this lawful basis of processing we will have in place an Appropriate Policy Document as required pursuant to Paragraph 5, Part 2 of Schedule 1 to the DPA.
  • Article 4(11) and Article 7 UK GDPR where we have obtained your consent to the relevant processing activity (NB – we will not generally rely on this processing ground where we are able to rely on another processing ground instead).

Who will your personal data be shared with? / Who are the recipients of your personal data?

We may share your personal data with legal or other professional advisors and with regulators, prosecutors and law enforcement authorities which regulate us and persons to whom we are required by law or lawful order, instruction or direction to disclose your personal data. We may also share your personal data with our affiliates.

Any such transfers will be in compliance with our obligations as a controller under the UK GDPR, the DPA and other applicable national data protection laws. Some of these persons may process your personal data in accordance with our instructions and others will themselves be responsible for their use of your personal data.

The disclosures described in this Privacy Notice may involve transferring your personal data to countries outside the UK and EEA which may not have similarly strict data privacy laws. When this occurs, we will ensure that any such transfers are carried out in compliance with applicable law, including, where necessary, being governed by data transfer agreements designed to ensure that your personal data is protected, on terms approved for this purpose by the UK or EU.

We will never sell your personal data and in all cases, PrimaryBid will ensure that your personal data is only disclosed for the purposes set out above and in compliance with applicable data protection laws.

Retention and deletion of your personal data

We intend to keep your personal data accurate and up to date and, as a general principle, we do not retain your personal data for longer than we need it. We will delete or anonymise any information that we hold about you when it is no longer required for the purposes set out above, or where longer, such period as is required or permitted by law or regulatory obligations which apply to us. Specific information about our record retention policies is available on request. Please contact us (see below).

Automated decision-making techniques (including profiling)

We do not envisage your personal data will undergo any automated decision making.

Your rights in relation to your personal data

The UK GDPR and other applicable laws provide you (as the data subject) a number of absolute or qualified legal rights in relation to the processing of your personal data. These rights include:

  • the right to know what personal data we process and a right of access to such personal data;
  • the right to request any incomplete or inaccurate personal data to be corrected;
  • the right to object to our processing of your personal data;
  • the right to require us to delete your personal data in some limited circumstances;
  • the right to object to our processing of some or all of your personal data on grounds relating to your particular situation which are based on legitimate interests, at any time (and require such personal data to be deleted). If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or where it is necessary for the establishment, exercise or defence of legal claims; and
  • a "data portability" right to require us to transfer your personal data to you or to a new service provider in a structured, commonly used and machine-readable format.

If you wish to exercise any of the rights referred to above, please contact us using the details set out under "Contacting Us" below.

We review and verify data protection rights requests. We apply non-discriminatory principles when we action requests relating to your data, in accordance with applicable data protection laws and principles.

We exercise particular care when receiving a request to exercise these rights on your behalf by a third party. We will ensure that the third party is correctly authorised by you to receive the requested information on your behalf.

If you wish to exercise any of these rights, please contact us (see Contacting Us below). You can also lodge a complaint about our processing of your personal information with the office of the UK Information Commissioner.

When you exercise any of these rights, we may request specific information from you to prove your identity to our satisfaction so that we can safeguard your personal data from unauthorised access by someone impersonating you.

Contacting Us

If you would like further information on the collection, use, disclosure, transfer or processing of your personal data, or to exercise any of the rights listed above, please address questions, comments and requests to our Data Protection Officer at [email protected].

Changes to this policy

Any changes we make to this Privacy Notice in the future will be posted to our website. This Privacy Notice was last updated on 6 July 2022.