Business Centre

Aragon House

PRIVACY POLICY STATEMENT

Aragon Co. Ltd is a limited liability company established under the laws of Malta having its registered address Level 9, Aragon House - Business Centre, Dragonara Road St Julians, STJ 3149, Malta and forms part of a group of companies (the “Group”) whose ultimate parent company is Mercury p.l.c. which is also a limited liability company established under the laws of Malta having its registered address Level 9, Aragon House - Business Centre, Dragonara Road St Julians, STJ 3149, Malta.

As the policies affecting personal data and the mechanisms necessary to ensure due compliance with all the requirements at law have been established on a group-wide basis the Privacy Policy Statement set out hereunder reflects the Group principles and measures applicable at this time.

PRIVACY POLICY STATEMENT

We are committed to respecting your privacy. If you wish to contact us about the Group’s privacy practices please feel free to do so by post on the abovementioned address or by email at info@aragon.com.mt. You may also wish to contact us by telephone on (+356)2579 3000.

Our Data Protection Officer is Mr Norbert Tabone who may be contacted by email at dpo@aragon.com.mt or by telephone on (+356) 2579 3000.

Please read this Privacy Policy Statement carefully to understand our practices with respect to your personal data.

References to “data controller”, “data subject”, “personal data”, “process”, “processed”, “processing” and “Data Protection Officer” in this Privacy Policy Statement have the meanings set out in, and will be interpreted in accordance with applicable laws.

References to “you” shall as the context of the relationship may require mean “you or your company” even when this is not specifically stated in those terms herein.

UPDATES

This Privacy Policy Statement may be updated in the Group’s sole discretion including as result of a change in applicable law or processing activities. Any such changes will be communicated by way of updating this document on the website (website details link) or in such further manner as the Group may determine prior to the commencement of the relevant processing activity.

WHAT AMOUNTS TO PERSONAL DATA?

The term “personal data” refers to all personally identifiable information about you, such as your name, surname and address, and includes all information which may arise that can be identified with you personally.

HOW DO WE COLLECT PERSONAL DATA?

In the course of carrying out its activities in the normal course of business each Company in the Group regularly collects personal data as part of its professional and commercial obligations in the execution of its activities. Personal data is typically collected, for example :

• As part of each Group company’s account setup procedures;
• When you or your company requests Group company services;
• When you or your company provides services to the Group;
• When you post a query, complain or observation through any of the Group’s websites and
• When you contact us voluntarily in other circumstances such as when seeking employment or traineeship with the Group or seeking to attend a Group organised or sponsored event or promotional activity.

Generally, you would have provided your personal data to the Group. However, in some instances, the Group may collect personal data about you from third party sources, such as online searches or from public registers.

Third parties may also provide your personal data to the Group.

WHAT PERSONAL DATA DO WE PROCESS?

The personal data that the Group typically collects are:

• The personal data that is collected for the establishment of your or your company’s relationship with a Group company including all personal data in such forms as may be devised for such purpose and any documents or information which you may be required to supply to the Group for such purposes;

• Your identity details such as your name, surname, employer, title, position, and status;

• Your contact information such as your email address, physical address and telephone numbers;

• Your bank account details and other financial information;

• Any information you provide when posting a query, complaint or observation through a Group website ;

• Information you provide to us for the purposes of attending meetings or events;

• Personal data provided to us by, on behalf of or in relation to Group counterparties, business partners, service providers and employees;

• Any personal data lawfully generated by Group companies in the normal course of their activities;

• CCTV footage, when you visit Group offices; and

• Any personal data which you may voluntarily provide to us.

Apart from the processing that derives from in the normal course of Group companies carrying out their respective activities personal data may be processed also as a result of obligations as may arise at law;

HOW DO WE USE YOUR PERSONAL DATA?

Irrespective of the manner that we have collected your personal data, we will only process such data for the purposes of managing our relationship or for purposes which are inherently related thereto, including the fulfilment of any legal or regulatory obligation as may apply or may be imposed on us in that regard.

Typically, your personal data will be processed for:

• Providing to you or receiving from you such services as may result pursuant to and for the management of our relationship ;

• Complying with all legal obligations, in particular legal obligations with respect to anti-money-laundering and combating the funding of terrorism;

• Conflict check purposes, particularly in Group companies operating in a regulated environment which formally mandate such checks;

• Managing our relationship with you or your company, including for billing and debt collection purposes;

• Securing access to our offices;

• The purpose of a legitimate interest pursued by us or by a relevant third party, provided such interest is not overridden by your interests, fundamental rights and freedoms; and

• Such purposes as you may have requested when providing us your personal data

We might also process your personal data on the basis of your explicit consent, in which case we will process your data for the purposes for which your explicit consent was requested. Processing your data on the basis of consent is not envisaged, except with respect to applicants for a job with the Group who wish their personal data to be retained by us for the purposes of being contacted with future potential job openings of interest and with respect to communications related to such matters as are catered for in any of the interfaces with Group counterparties particularly any website operated by a Group company or any other relevant communications media or other specific intra-party exchanges.

LEGAL BASES OF PROCESSING PERSONAL DATA

We process your personal data on the basis of the following legal bases:

• Entering into and performing a contract which term shall include the commercial obligations that derive from our relationship even where no formal contract is executed – in particular to provide our services to you and in general to manage our relationship with you or your company as well as when receiving a service from you or your company. Providing such personal data is necessary for our performance of such contract. The consequence for not doing such processing could well be that we would be unable to provide you with our services and / or enter into such relationship as may be otherwise intended;

• Our legitimate interests – in particular legitimate interests which may arise directly or indirectly in relation to such matters as derive from our relationship by way of such exchanges as may result pursuant thereto, CCTV footage at our offices, and in keeping you updated as may be appropriate to our relationship. When we process your personal data on the basis of our legitimate interests, we ensure that the legitimate interests pursued by us do not override your interests, rights and freedoms;

• Your explicit consent – in which case, our processing shall be limited to the purposes specifically indicated when your consent was requested as hereinbefore contemplated.

• and such updates or further communications where we do not have a legitimate interest to send you such communications but which appear to be opportune on the basis of our relationship ; and

• Compliance with legal obligations as may generally apply or are imposed on us – in particular obligations with regard to anti-money-laundering and combating the funding of terrorism legislation, and to prevent, detect, respond or report other potential illegal activities;

• On the basis of our legitimate interests or compliance with legal obligations, as applicable, We may also process your personal data for the purposes of establishing, exercising or defending legal proceedings.

Keeping in view the activities undertaken by Group companies, we would in general require to process personal data only for the purposes of ensuring that our communications to you have the most opportune relevance to our relationship with you particularly when this is aimed at facilitating its ongoing development for mutual benefit or, otherwise, if we are involved in the establishment, exercise or defence of legal claims.

RECIPIENTS

We may share your personal data with third party recipients who are:

• selected individuals within the Group, on a need-to-know basis;

• any service providers that may have access to your personal data in rendering us their support services, including IT and accounting service providers; and

• third parties to whom disclosure may be required as a result of our relationship with you;

• third parties involved in the organisation of such events or promotions as may be contemplated by Group companies;

• any business partners to whom you may have requested that we transfer your personal data; and

• third parties to whom disclosure may be required as a result of legal obligations as may generally apply or may be specifically imposed on us.

Unless specifically instructed and consented by you, we do not share your personal data with any entity located outside of the EU or EEA.

AUTOMATED DECISION-MAKING AND PROFILING

Your personal data will not be used for any decision solely taken on the basis of automated decision making processes, including profiling, without human intervention.

In the interest of transparency, note that certain Group companies may use systems which could profile you for the purpose of ensuring that communications with you are relevant to our ongoing relationship. Otherwise, such systems are used exclusively to help us comply with legal obligations deriving anti-money-laundering and combating the funding of terrorism legislation. As stated, no automated-decision will result from our use of such systems.

DATA RETENTION

We retain your personal data exclusively for the period which is lawfully permissible to retain your personal data. Thereafter, your personal data shall be immediately and irrevocably destroyed.

As a result of legal obligations, we typically retain your personal data for up to ten (10) years from when our relationship ceases, unless we have a statutory obligation to retain your data for a further period or a business need or require your personal data to exercise or defend legal claims.

Invoices, credit notes and similar transactional documents or information will be kept by us for up to nine (9) years from completion of the relevant transaction on the basis of legal obligations to retain such information.

We may have a legitimate interest to hold your data for longer periods such as when your data is required for exercising or defending legal claims.

Any personal data which we may hold on the basis of your consent as hereinbefore provided shall be retained exclusively until when you withdraw your consent.

YOUR RIGHTS

For as long as we retain your personal data, you have certain rights in relation to your personal data including:

Right of access - you have the right to ascertain the personal data we hold about you and to receive a copy of such personal data;

Right to complain - you have the right to lodge a complaint regarding the processing of your personal data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (contact details provided below);

Right to Erasure - in certain circumstances you may request that we delete the personal data that we hold about you;

Right to Object - you have a right to object and request that we cease the processing of your personal data where we rely on our, or a third party’s legitimate interest for processing your personal data;

Right to Portability - you may request that we provide you with certain personal data which you have provided to us in a structured, commonly used and machine-readable format. where technically feasible, you may also request that we transmit such personal data to a third party controller indicated by you;

Right to Rectification - you have the right to update or correct any inaccurate personal data which we hold about you;

Right to Restriction - you have the right to request that we stop using your personal data in certain circumstances, including if you believe that we are unlawfully processing your personal data or the personal data that we hold about you is inaccurate;

Right to withdraw your consent - where our processing is based on your consent, you have the right to withdraw your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent; and

Right to be informed of the source - where the personal data we hold about you was not provided to us directly by you, you may also have the right to be informed of the source from which your personal data originates.

Note that we may contact you with updates, newsletters and notices of promotional or other events on the basis of our legitimate interests such as, but not limited to, those of seeking to promote our ongoing relationship for mutual benefit. In this respect, you have a right to opt-out and to object to receiving any further such communications from us.

Note that if we contact you on such matters on the basis of your consent, you have a right to withdraw your consent and no longer be contacted for such purposes at any time.

Please note that in terms of the applicable laws, your rights in relation to your personal data are not absolute.

You may exercise the rights indicated in this section by contacting us or our Data Protection Officer at the details indicated above.

KEEPING YOUR DATA SECURE

We shall keep your personal data secure and shall commit to take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, including against accidental loss, destruction, storage or access. Your personal data may be stored in paper files or electronically on our technology systems or on technology systems of our IT service providers.

COMPLAINTS

If you have any complaints regarding our processing of your personal data, please note that you may contact us or our Data Protection Officer at the details indicated above. You also have a right to lodge a complaint with the Office of the Information and data Protection Commissioner in Malta (www.idpc.gov.mt).