Liontrust Europe S.A. ("Liontrust”) is committed to maintaining your trust and confidence by handling your personal data with respect and enabling you to self-manage the communications you receive from Liontrust. In addition, it is important that you know what personal data Liontrust holds about you and how it is used.
In this respect, Liontrust, acting as controller (the “Controller”), has prepared this privacy notice (the “Privacy Notice”) in compliance with (i) the EU Regulation n°2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and (ii) any applicable national data protection laws (including but not limited to the Luxembourg law of 1st August 2018 on the organisation of the National Data Protection Commission and the general data protection framework, as may be amended or replaced) (collectively hereinafter the “Data Protection Laws”).
The Privacy Notice concerns you, if you are applying for a position at Liontrust or if you are already employed by Liontrust.
The below key terms used in this Privacy Notice have the following meaning:
- controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- personal data: any information relating to an identified or identifiable natural person;
- data subject: the identified or identifiable natural person to whom personal data relates;
- recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed.
Table of contents
- What are the categories of Data Subjects?
- What Personal Data does the Controller collect?
- From which sources will Personal Data be collected?
- For what purposes are Personal Data processed and upon which legal bases?
- With whom will Personal Data be shared?
- Where will Personal Data be transferred?
- How long will Personal Data be retained?
- Commitments
- The Data Subjects’ rights
- Changes to this Privacy Notice
- Contact information
1. What are the categories of Data Subjects?
The Controller collects personal data related to the following identified or identifiable natural person (the “Data Subject(s)”):
|
Applicants or employees: |
the applicant or employee himself/herself.
|
|
Applicant or employee related persons: |
any natural person related to the applicant or the employee, whose personal data is supplied by the applicant or the employee (such as emergency contacts or relatives, as the case may be) during the application process or their employment relationship with Liontrust. |
2. What Personal Data does the Controller collect?
The Controller collects the following categories of personal data (the “Personal Data”):
|
Identification data: |
name, age, gender, date and place of birth, nationality, passport/ID number, identity card with photo, images and photos, address, proof of address, signature, employee ID number, tax ID. |
|
Contact data: |
e-mail, address, proof of address, phone number, fax number. |
|
Professional data: |
marital status, immigration status, job title, salary, bonuses and other benefits, professional experience, education, qualification, hobbies and interests, career plans, performance history, information concerning performance and/or disciplinary and grievance matters. |
|
Applicant data: |
name, age, gender, date and place of birth, nationality, address, phone number, email address, professional experience, education, qualification, hobbies and interests, career plans, references and other information contained in the applicant curriculum vitae (CV) and/or cover letter. |
|
Bank account data: |
IBAN and BIC codes and other bank account information. |
|
Health related data: |
medical leave information, emergency and health or handicap data to the extent permitted by employment laws and regulations. |
|
Special categories of personal data: |
information about your race or ethnicity; religious or philosophical believes, trade union membership, sexual orientation and political opinions and criminal convictions and offences. |
|
Communication data: |
communications prior and during the employment relationship with the Controller via electronic or other means, telephone conversations recordings. |
The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Controller. In this event however, the Controller may be prevented from (i) assessing your profile in view of the conclusion of a potential employment contract or (ii) entering into and executing the employment contract, if the relevant Personal Data is necessary for such purposes.
In addition, the Data Subjects should refrain from supplying additional Personal Data which are not requested by the Controller or any other entity acting on its behalf. Unless provided otherwise by applicable law, the Controller shall not be liable for any damage caused by the processing of such Personal Data provided by the Data Subjects without being requested by the Controller.
3. From which sources will Personal Data be collected?
The Personal Data are collected from various sources, namely:
- directly from the Data Subject;
- from third parties representing the Controller;
- from the employee’s former employer;
- from the Controller’s service providers;
- from public registers/platforms;
- from public social media platforms;
- from public agencies/authorities.
4. For what purposes are Personal Data processed and upon which legal bases?
In order for a data processing activity to take place lawfully, the latter first needs to be legitimate and thus to be based on at least one of the grounds set out in article 6 of the GDPR, including among others:
- the Data Subject has given his/her consent to the processing of his or her Personal Data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Controller is subject;
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.
For the avoidance of doubt, where consent is given by the Data Subjects, such consent shall be construed distinctly from any consent given in the context of confidentiality and/or professional secrecy compliance obligations.
In the case at hand, the purposes for which the Personal Data are collected and the legal bases upon which the Controller relies are further specified in Appendix A. Where the Controller’s purposes change over time or where the latter wants to use Personal Data for new purposes, the Controller will inform the employee of such new processing in accordance with the Data Protection Laws
Nevertheless, where the Controller has collected the Personal Data based on consent or following a legal obligation, no further processing is allowed beyond what is covered by the original consent or the provisions of the law.
The Controller will not process the Data Subject’s Personal Data for commercial prospecting purposes.
The Controller may also, in exceptional cases and in order to safeguard its legitimate interests, access the professional e-mail box/files and, where applicable, the instant messaging system made available to the Data Subject for his/her work, where, for instance, the Data Subject is on an extended leave. Any such review will always be carried out in strict compliance with the applicable data protection and privacy legislation and the Controller’s internal IT policy.
5. With whom will Personal Data be shared?
The Controller may disclose Personal Data to other persons or entities (the “Recipients”) which, in the context of the above-mentioned purposes, refer to:
- all relevant units of the Employer to perform the Employer’s contractual and statutory obligations;
- the Controller’s affiliates;
- the Controller’s service providers and auxiliary persons that observe all relevant secrecy obligations: IT service providers, logistics service providers, pre-employment background check providers, human recourses administration providers, printing services and telecommunications service providers, legal advisors, accounting firms, benefit administrators, payroll administrators, tax preparation firms;
- Any third party that acquires, or is interested in acquiring or securitizing, all or part of the Controller’s assets or shares, or that succeeds to it in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, financing, reorganization or otherwise
- Any other third party supporting the activities of the Controller;
- Public authorities: governmental, judicial, prosecution or regulatory agencies and/or authorities;
- Official national and international registers.
In particular, in compliance with the Foreign Tax Compliance Act (FATCA) and Common Reporting Standard (CRS), Personal Data may be disclosed to the Luxembourg tax authorities, which in turn may, acting as controller, disclose the same to foreign tax authorities.
The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Controller and/or assisting the Recipients in fulfilling their own legal obligations.
The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as processors (when processing the Personal Data on behalf and upon instructions of the Controller and/or the Recipients), or as distinct controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).
6. Where will Personal Data be transferred?
The Recipients and Sub-Recipients may be located either inside or outside the European Economic Area (the “EEA”).
In any case, where the Recipients are located in a country outside the EEA which benefits from an adequacy decision of the European Commission, the Personal Data will be transferred to the Recipients upon such adequacy decision.
Where the Recipients are located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data, the Controller will enter, prior to such transfer, into legally binding transfer agreements with the relevant Recipients in the form of the European Commission approved standard contractual clauses or any other appropriate safeguards pursuant to the GDPR, as well as, if necessary, supplementary measures.
In this respect, the Data Subjects have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Controller at the address referred to in the Section 11 (“Contact Information”).
The countries to which Personal Data may be transferred are further specified in Appendix B.
7. How long will Personal Data be retained?
The Controller will retain the Personal Data for the duration of the contract between the Controller and the employee and thereafter for a period of ten (10) years, unless longer or shorter statutory limitation periods apply. Once the Controller no longer requires the Personal Data for the purposes for which it was collected, it will securely destroy the Personal Data in accordance with applicable laws and regulations. The principal retention periods applied by the Controller are further specified in Appendix C.
In some circumstances the Personal Data may be anonymised so that it can no longer be associated with the Data Subjects, in which case documents having been anonymised can be kept for an unlimited period of time.
8. The Data Subjects’ rights
In accordance with the conditions and limitations laid down by the Data Protection Laws, the Data Subjects acknowledge their right to:
|
Access their Personal Data: |
To obtain from the Controller confirmation as to whether or not Personal Data concerning them are being processed, and, where that is the case, access to the Personal Data. |
|
Rectify their Personal Data: |
To obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning them. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. |
|
Object to the processing of their Personal Data: |
To object, on grounds relating to his or her particular situation, at any time to processing of Personal Data concerning them which is based on the performance of a task carried out in the public interest or the legitimate interests pursued by the Controller or by a third party. The Controller shall no longer process the Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
|
|
Restrict the use of their Personal Data: |
To obtain from the Controller restriction of processing, in some circumstances. Where processing has been restricted under the above paragraph, such Personal Data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. |
|
Have their Personal Data erased: |
To obtain from the Controller the erasure of Personal Data concerning them without undue delay and the Controller shall have the obligation to erase Personal Data without undue delay, except in certain limited scenarios set out in the GDPR. |
|
Withdraw their consent: |
To withdraw their consent easily and at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. |
|
Ask for Personal Data portability: |
To receive the Personal Data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the Personal Data have been provided, where (i) the processing is based on consent or on a contract and (ii) the processing is carried out by automated means. |
The Data Subjects may exercise their above rights by writing to the Controller at the address referred to in Section 11 (“Contact Information”).
The Data Subjects also acknowledge the existence of their right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: 15, Boulevard du Jazz, L-4370 Belvaux, Grand Duchy of Luxembourg; or with any competent data protection supervisory authority of their EU Member State of residence.
9. Commitments
Employees supplying Personal Data relating to any other natural persons other than themselves (such as emergency contacts or relatives, as the case may be) undertake and guarantee to process Personal Data and to supply such Personal Data to the Controller in compliance with the Data Protection Laws, including, where appropriate, informing the relevant Data Subjects of the content of this Privacy Notice and any updated version thereof in accordance with articles 12, 13 and/or 14 of the GDPR.
In addition, the employees undertake to ensure the accuracy of the Personal Data provided and promptly inform the Controller where such Personal Data is not up to date.
10. Changes to this Privacy Notice
The Controller reserves the right to update this Privacy Notice at any time.
An up-to-date version will be made available to the employee on the Controller’s Policy Portal which is available on the Intranet. In case of substantial updates to the present Privacy Notice, employees will be notified via e-mail and/or through the Controller’s Policy Portal or other means of communication.
11. Contact Information
The Data Subjects may exercise their above rights by writing to the Controller at the following address:
Or:
Compliance
Liontrust Europe S.A.
18 Val Sainte Croix
L-1370
Grand Duchy of Luxembourg
Appendix A
Purposes and legal bases
The Personal Data are processed by the Controller for the following purposes and legal bases:
(i) Compliance with applicable legal obligations
|
Categories of Personal Data |
Purposes |
|
Identification data, contact data, professional data, health related data, sensitive data. |
Enabling the Controller to comply with its legal obligations and employment-related requirements, including income tax, social security, health and safety, data protection, regulatory and immigration obligations, the amended Criminal Records Act of 29 March 2013, to carry out any other duties relating to employment and social security legislation (e.g. in relation to sick pay) or to comply with reporting or disclosure obligations under applicable laws and regulations (e.g. in relation to health and safety at work duties);
Health related data of Data Subjects will be processed by the Controller on the basis of article 9 (2) (a) (b), (c), (f) or (h) of the GDPR.
Special categories of personal data, specifically political opinions of Data Subjects having a public political exposure will be processed by the Controller on the basis of article 9, (2), e) and/or g) of the GDPR (i.e. respectively the personal data have manifestly been made public by the data subject and/or the personal data is necessary for reasons of substantial public interest). |
(ii) Necessity to execute the contract between the employee and the Controller or in order to take steps at the request of the data subjects prior to entering into the contract
|
Categories of Personal Data |
Purposes |
|
Applicant data, special categories of personal data (if applicable), health related data, and communication data |
The consideration of the applicant’s candidacy for employment, to communicate with the applicant, including with respect to offer letters and in relation to the future employment contracts. |
|
Identification data, contact data, professional data, bank account data, health related data, sensitive data and communication data |
The performance of the agreement, manage human resources, performance appraisal, promotions, training, payroll administration, insurance and social security. |
(iii) The legitimate interests of the Controller or of relevant third parties
|
Categories of Personal Data |
Purposes |
|
Applicant data and special categories of personal data (if applicable) |
Performing background checks on applicants in the recruitment process, including requesting criminal record extracts in accordance with applicable law. |
|
Identification data, contact data, professional data, health related data, performance data and communication data |
Responding to the Data Subject’s requests and enquiries and otherwise communicate with the Data Subject or the Data Subject’s emergency contact or third parties. |
|
Identification data, contact data, professional data and communication data, |
Allowing the Controller to exercise and defend their rights before any relevant court, government, supervisory or regulatory authority. |
|
Identification data, contact data, professional data, sensitive data, communication data |
Investigating and resolving the Data Subject’s disciplinary issues or grievances. |
|
Identification data, contact data, bank account data, professional data and communication data |
Conducting the Controller’s business, manage client relationships and secure the Controller’s IT networks and systems, operations, assets, premises and clients. |
|
Identification data, contact data, bank account data, professional data and communication data |
The provision of evidence in the event of a dispute, transaction or business communication and in connection with any proposed purchase, merger or acquisition of all or part of the Controller's business. |
|
Identification data, contact data, professional data, bank account data, health related data, sensitive data and communication data |
Compliance with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority. |
|
Identification data and contact data |
Protection of the Controller’s property, assets and investments (including camera recording). |
|
Identification data, contact data, professional data and communication data |
Control, monitoring and ensuring compliance with the Controller’s policies and procedures. |
|
Identification data, contact data, professional data and communication data |
The prevention, investigation, monitoring and resolution of any misuse of the system or computer resources, or security incidents that may occur in relation to the network and/or computer systems. |
|
Identification data, contact data, professional data and health related data |
The effective administration of business and labour relations at the level of the group to which the Controller belongs. |
Appendix B
Recipients and countries of establishment
The Controller transfers Personal Data to the below categories of recipients and their countries of establishment:
|
Categories of recipients |
Name and country of establishment |
|
The Controller’s affiliates |
Liontrust Asset Management Plc, Liontrust Investment Partners LLP and Liontrust Fund Partners LLP of 2 Savoy Court, London, United Kingdom, WC2R 0EZ |
|
The Controller’s service providers |
The Controller’s service providers are based in the EEA, the UK, the US, India and Australia. |
|
Legal advisor(s) |
Arendt & Medernach S.A., Luxembourg |
Appendix C
Retention Periods
The Controller undertakes to ensure that necessary records and documents are adequately protected and maintained and that records that are no longer needed or are of no value are deleted or destroyed in compliance with the provisions of the GDPR.
In this respect, unless longer or shorter statutory limitation periods apply, the principal retention periods implemented by the Controller are specified below:
|
General |
|
|
Type of records |
Retention periods |
|
Contracts |
10 years from the end of the contractual relationship to which the documents relate. |
|
Business correspondence (letters, emails, faxes, etc.) |
10 years from the end of the accounting year in which the document was sent or received. |
|
Employee earning records |
10 years from the end of the accounting year in which the document was sent or received. |
|
Employee expense records |
10 years from the end of the accounting year in which the document was sent or received. |
|
Human resources |
|
|
Type of records |
Retention periods |
|
Applicant records (not hired) |
Data will be deleted after the decision not to hire the applicant. However, data will be kept during a period of 6 months if the employer considers that an offer could be made during this period of 6 months, unless otherwise agreed by the applicant (consent). |
|
Criminal records (for applicants not hired) |
Data will be deleted after the decision not to hire the applicant. |
|
Criminal records (for employees) |
1 month as of the conclusion of the employment contract for newly hired employee and 2 months for employee changing function. |
|
Compensation records |
10 years from the end of the accounting year to which the documents relate. |
|
Complementary pension scheme |
As long as the last employee benefits from such complementary pension scheme. |
|
Employment contracts |
10 years from the end of the employment relationship |
|
Annual leave register |
5 years as from the date of the closing of the liquidation of the company. |
|
Pay slips and records related to payroll administration and records supporting the wages and taxes paid, withheld and reported. |
10 years from the end of the accounting year to which the documents relate. |
|
Employees’ files including medical certificates sent by the employee in case of sickness |
If the documents cannot be relevant for the evaluation or payment of the employee’s remuneration (including bonuses):
If the documents can be relevant for the evaluation or payment of the employee’s remuneration (including bonuses):
In any case, such documents should not be kept for more than 10 years after the end of the employment relationship. |
|
Registers for hours worked (including overtime / hours worked on Sunday / hours worked at night) |
5 years as from the date of the closing of the liquidation of the company. |
|
Register for hours worked on public holidays |
5 years as from the date of the closing of the liquidation of the company. |
|
List of industrial accidents having caused a disablement of an employee for more than 3 days |
5 years as from the date of the closing of the liquidation of the company.
|
