Data Protection Policy

This is the data privacy policy adopted by HFFT Family Office (which shall include HFFT Limited, its parents, subsidiaries, associated and affiliated companies, together the “Group” or “we”). The Group’s policy is to comply with the requirements under the European Union (“EU”) General Data Protection Regulation (“GDPR”) and all other relevant data protection legislation which applies to the Group.

The Group wishes to provide its clients and other individuals (together the “data subjects”) with total confidence at all times that it operates to the highest levels of confidentiality when managing documentation and information. In providing its services (the “services”) the Group may collect, use, consult, record, store, adapt, transfer or otherwise process a data subject’s Personal Data. The Group (or “each company”) is considered a ‘data controller’ and will at all times act accordingly under the provisions of the data protection laws in force.

The term “Personal Data” refers to the information a data subject provides to the Group in the form of identity documents or copies thereof, proof of address, source of wealth or income and source of funds to be used in the relationship, contact details or other documents or information containing personal information relating to a data subject. Such Personal Data will at all times be kept securely, whether in paper form or computerised. The Group operates sophisticated antivirus, antimalware, antispam and advanced threat protection technologies that strongly mitigate the risk of its IT systems being compromised, and all systems are regularly updated and actively monitored. Should the Group need to exchange data between offices of the Group to provide any services, such exchange is exclusively through VPN encrypted connections.

Personal Data will only be processed by the Group to discharge its legal obligations under any applicable law related to the performance of the services provided (e.g., anti-money laundering and terrorist financing legislation), the carrying out of activities necessary to perform the agreed services or in order to contact a data subject. Personal Data is only requested by the Group in order to perform one or more of these functions.

Any Personal Data provided by a data subject will only be transferred to a third party to the extent the transfer is necessary to perform the services or to comply with a legal obligation to which the Group, as data controller, is subject. Further, the Group may transfer copies of Personal Data to third countries outside the UK, Gibraltar and the EU which do not have an adequacy decision by the European Commission if necessary for the performance of the agreed services.

In relation to Personal Data which is held by the Group, in accordance with the data protection laws a data subject has rights as follows: (a) to access a copy of the Personal Data held by the Group; (b) to request the rectification of the Personal Data in the event of error; (c) to have its Personal Data erased (‘right to be forgotten’) provided that the Group is not under an obligation, howsoever arising, to keep the Personal Data; (d) to ask for the restriction of the processing of Personal Data with the aim of limiting processing in the future; (e) to object at any time to the processing activity; and (f) to have its Personal Data transmitted directly from the Group to another data controller, where technically feasible (‘right to data portability’). These rights are enforceable by a data subject to the extent they are compatible with legal and contractual obligations with which the Group complies.

In accordance with legal and regulatory requirements, the Group will retain Personal Data of a client for a period of five (5) years (for Fidux Management Services GmbH this period is seven (7) years in order to comply with Austrian accounting rules) following the termination of the relationship between the Group and the client. This period may be extended by force of law, regulatory requirement or agreement between the parties.

Where a data subject on which the Group holds Personal Data wishes to make a complaint related to the processing activities of its Personal Data, it shall first address the complaint to the relevant office of the Group (please see Contact details on the website). If the complaint remains unresolved, the individual may lodge a complaint with the relevant data protection authority or supervisory authority located in the jurisdiction of their habitual residence, place of work, or where the alleged infringement happened.

Should any party wish to know more about our data protection policy, or should a data subject wish to know what Personal Data is held by the Group, please email dataprotection@hfft.com stating your full name and the company in the Group with which you have the business relationship.

February 2022