DATA PROTECTION STATEMENT
Bluestone Real Estate Fund S.C.A., SICAV-SIF, represented by its general partner Bluestone Real Estate Management S.à r.l. (the “Fund”), acts as data controller (the “Data Controller”). The Fund is committed to maintain the privacy and the security of any Personal Data, as defined below, by controlling the collection, the storage, the processing by the Data Processors, as defined below, of such Personal Data of the clients, investors, prospective investors, or other third parties related to them (each a “Data Subject”, all together, the “Data Subjects”).
The purpose of this Data Protection Statement is to explain how the DPC, as defined below, use the Data Subjects’ Personal Data.
By continuing to engage in the provision of services with the Fund, the Data Subjects authorize the Data Controller and the Data Processors (all together the “DPC”) to use and transfer the Personal Data about themselves, their employees, directors, managers, officers or representatives in accordance with this Data Protection Statement, as amended from time to time (the “DPS”). The Data Controller commits to observe confidentiality concerning information it possesses within the conditions as indicated below.
The Data Subjects should be aware that by subscribing for shares of the Fund, they give their consent to processing of their Personal Data by the DPC and any other duly authorized person to which their Personal Data are disclosed, as indicated in this DPS.
Where these DPS uses terms defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended from time to time (the “GPDR”), those terms shall have the meaning as in the GDPR.
The DPS shall be read and interpreted in the light of the provisions of the GPDR. Such DPS shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GPDR or in a way that prejudices the fundamental rights or freedoms of the Data Subjects. The DPC shall apply respectively (i) Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries or (ii) Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28 (7) of GPDR and Article 29 (7) of Regulation (EU) 2018/1725, as applicable and as amended from time to time (the “Clauses”). In the event of a contradiction between the Clauses and the provision of this DPS, the Clauses shall prevail.
In accordance with the GDPR, the Personal Data means any information relating to the Data Subjects, such as a name, an identification number, location data, email address, bank account information, source of funds and wealth, personal net worth, driver’s license number, social security or national insurance number, an online identifier or to one or more factors specific to the physical, economic, cultural or social identity that the Data Subjects provide. The Data Processors may also, in appropriate cases and to the extent permitted by the GDPR, control, process and use certain data inter alia regarding anti-money laundering (AML) and “Know Your Customer” (KYC).
Where the processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (sensitive data), the Data Processors apply specific restrictions and/or additional safeguards.
In the course of business relationships between the Data Subjects and the Fund (the “Business Relationship”), the following Data Processors may collect, record, organize, store, consult and process, only on documented instruction from the Data Controller, unless required to do so by relevant applicable laws, Personal Data:
The Data Processors shall immediately inform the Data Controller if, in the Data Processors’ opinion, instructions given by the Data Controller infringe the GDPR or the applicable data protection laws provisions. The Data Processors are responsible for the processing of the Personal Data with any applicable law.
The DPC may, during the course of the Business Relationship, transfer the Personal Data, to the extent permitted by the GDPR, to:
The Personal Data of the Data Subjects may be transferred to any Data Processors identified in this section 3 in connection with the Business Relationship or authorized by the Data Controller, some of which may be outside the European Economic Area (EEA). In such case, please refer to the section 5 of this DPS.
The Data Processors may process, use or transfer the Personal Data of the Data Subjects for the following purposes connected to the Business Relationship which are inter alia:
The provision of the Personal Data of the Data Subjects is necessary for DPC to:
When users surf to this website, the Data Processor stores certain information from the user in statistics (Google Analytics). This information includes inter alia the browser type, IP address, the operating system the user uses and the domain name of the website that guided the user to such website. The Data Processor uses these statistics to analyze the surfing behavior of the visitors. Based on this, the Fund can optimize such website for its users. The statistics are completely anonymous. In addition, when users subscribe to the newsletter of the website, the relevant Data Processor stores the e-mail address of the user. Such storage is needed for the Fund to have the ability to send to the users the subscribed newsletter. The e-mail address is stored securely at Mailchimp. Mailchimp secures the data of the user and is part of a certified EU-US Privacy Shield Framework and respects its privacy.
Personal Data are processed for various purposes. However, the DPC ensure that they only collect and process the data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
If Data Subjects do not wish to provide their Personal Data, in whole or in part, for any of the purposes listed immediately above, the DPC may not be able to provide their financial services to the Data Subjects.
The Personal Data of the Data Subjects may be transferred to any Data Processors identified in section 3 in connection with the Business Relationship or authorized by the Data Controller, some of which may be outside the European Economic Area (EEA). The countries to which the Personal Data of the Data Subject are transferred may not offer an equivalent level of protection for Personal Data to the laws applicable in Luxembourg. However, such transfer will be carried out in accordance with the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries. For such transfer, the relevant DCP implements measures to ensure an adequate level of protection and security of the Personal Data. This includes protecting the Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Personal Data.
It is important for DPC to maintain accurate records of the Personal Data. The Data Subjects should inform as soon as possible the Data Controller of any changes to or errors in their Personal Data and the DPC will update their records accordingly. The DPC will only retain the Personal Data for as long as, in their reasonable opinion and in line with their data retention policy, is necessary to comply with applicable laws or for the purposes for which the DPC process the Personal Data (as set out in this statement). The Personal Data shall never be used for marketing purposes, unless the Data Subject has accepted otherwise.
The Data Controller will take steps to protect the Personal Data of the Data Subjects against loss or theft, as well as from unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held.
The Data Subjects have certain rights under data protection laws and GDPR. The Data Subjects have a right to:
(i) request access to and rectification, modification, correction or erasure of their Personal Data;
(ii) obtain restriction of processing or to object to processing of their Personal Data;
(iii) obtain a copy of their Personal Data being processed;
(iv) request the cessation of data processing, under certain circumstances;
(v) data portability; and
(vi) withdraw any consent given at any time.
The Data Subjects also have the right to lodge a complaint about the processing of their Personal Data with their local data protection regulator. Please note that these rights are not absolute: they do not always apply and exemptions may be engaged. The Data Controller may, in response to a request, ask the Data Subjects to verify and to provide information that helps the Data Controller to understand its request better. If the Data Controller does not comply with the request of the Data Subject, the Data Controller must explain why. If the Data Subjects require further information in relation to their rights under data protection laws and GDPR, the Data Controller invites the Data Subjects to visit the website of the relevant data protection regulators (a list is available under https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm) or contact the Data Controller via the contact details below.
If the Data Subjects have any questions or comments on this DPS, the Data Controller invites to contact it by email:
Email address: firstname.lastname@example.org
This DPS is dated July 2022. From time to time, the Data Controller may amend this DPS without notice and an amended DPS will be available by contacting M. Frederik Denys at email@example.com. This may be for a number of reasons, including changes in law, market practice or the DPC’s treatment of the Personal Data of the Data Subject.
This DPS is regulated by the GDPR, the Clauses and any other applicable Luxembourg laws. The data protection regulator of the Luxembourg is the National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD).