NOTICE REGARDING THE DATA PROTECTION 2018

1 ) INTRODUCTION

The most practical overview to the news introduced by the EU General Data Protection Regulation 2016/679 (the “GDPR”), entering into force the 25^th May 2018, can be summarised in the following six principles expressed by Article 5 of the GDPR.

According to Article 5, the data protection shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2) WHAT IS THE LEGAL BASIS AND WHY DO WE PROCESS YOUR DATA?

With the entry into force of the GDPR, all companies are obliged to comply with it.

In line with the data protection policy currently in force at our firm, we are required to process your personal data in accordance with the provisions of the GDPR (Article 6) to the extent that:

Based in Luxembourg, Mikro Kapital Management SA is subject to several legal local and European obligations including, in respect of the securities admitted to trading on the Euro MTF market and listed on the Official List of the Luxembourg Stock Exchange, to comply with the relevant requirements.

One of the purposes of the data processing operation regards the issue and payment of invoices, the provision of investor-related services, the administration of shareholdings, the handling of subscriptions, redemption and conversion orders, the maintenance of the register of shareholders, the management of distributions, the management and monitoring of portfolios, the sending of notices, information and communications as well as the accounting of both our firm and our employees, the establishment of pay slips and the payment of source deductions and social contributions.

We process your data in order to provide you, inter alia, with such services as investment management, sales and distribution support, accounting, fund administration, risk services, investment compliance, and corporate governance.

Our firm may use your personal data as part of a marketing campaign or market research. The processing of your data for this purpose is legal as long as you will have given us your consent to this end. However, you may withdraw your consent at any time in accordance with the instructions at section 8 below.

3) HOW DO WE COLLECT YOUR PERSONAL DATA AND FOR HOW LONG?

There are several ways to collect your personal information.

For instance, you could directly send them to us either in electronic or hardcopy.

Otherwise your personal data may be collected when the business relation with you starts, when you request an offer, when you receive a business proposal, when we realise a project for you or when you send your application (spontaneously or in reply to an announcement) for a role in our firm.

We may also receive your data from external sources, such as public databases, websites, social networks and third parties.

Personal data shall be kept in an appropriate form, allowing your identification for no longer than is necessary for the business purposes of our firm.

4)WHAT PERSONAL DATA ARE PROCESSED?

Personal data processed by our firm are mainly related to your identity, but our intervention is limited to the processing of data obtained in the context of our commercial relations or work, namely for example:

• Name and surname;
• Role;
• Details (e.g. email address, telephone number, postal address);
• Bank account;
• Proof of origin of funds;
• Tax numbers/TIN;
• Investment data.

In the frame of a possible recruiting, we are equally led to collect the following personal information:

• Diplomas;
• Social security number;
• Tax card;

5) WHO RECEIVES YOUR DATA?

All the departments requiring your data to meet the firm’s contractual and legal obligations will have access to your personal data and therefore all employees at our firm have received specific training to understand the importance of the confidentiality of your data and have signed a confidentiality clause.

Our firm will also be required to process your personal information for administrative or contractual scope in the frame of the contractual relationship established with you.

In this context, we may therefore be required to transmit certain information to third-party providers (e.g. with regard to the recovery of claims, the keeping of accounts or the preparation of employee pay slips), where legal provisions require that you have given your consent.

For the sake of clarity, we undertake to verify that concerned third-party providers comply with our same level of confidentiality and process your personal data in accordance with the provisions of the GDPR.

It is important to specify that your personal data may be transferred to any jurisdiction, inside and outside the European Union (the “EU”), and to third party organisations.

However, the transfer of personal data outside the EU may be made to countries able to ensure an adequate level of protection (based on the European Commission’s decision) or to countries not matching such protection level. In the latter case, the transfer of personal data will be protected by appropriate or suitable safeguards, in accordance with the data protection policy of the firm and data protection laws and it will not be made unless you will have explicitly provided a consent to do so.

6) WHO IS RESPONSIBLE FOR DATA PROCESSING AND HOW CAN BE CONTACTED?

You may contact the responsible for the data protection through our firm at the following coordinates:

Mikro Kapital Management SA
10, Rue C. M. Spoo,
L – 2546 Luxembourg
Telephone: (+352) 2697 6304
Fax: (+352) 2697 6305

Email: funds@mikrokapital.com

7) YOUR RIGHTS IN CONFIDENTIALITY OF DATA?

You may withdraw your consent to the processing of your personal data at any time by contacting our responsible for the data protection at the aforementioned address.

You are also entitled to:

• access the data processed by us under Article 15 of the GDPR;
• to rectify personal data under Article 16 of the GDPR;
• to erase your data under Article 17 of the GDPR, when the data we hold are no longer necessary for the purposes for which they were collected.

Thus, you can simply withdraw your consent if you object to the processing of your data, if the processing is unlawful or if the legal obligation imposing the retention of your data by our firm has expired. In addition, you are entitled to limit the processing of your data, ensured by Article 18 of the GDPR.

You also have a right of objection pursuant to Article 21 of the GDPR and a right of portability of your data under Article 20 of the GDPR.

We ask you to be clear about the purpose of your request.

In particular, please expressly state whether you wish your personal data to be completely deleted from our database or whether you wish to restrict the access to your data (in cases where you have the right to delete your data).

For any complaint concerning the processing of your personal data by us, you also have the right to lodge a complaint with the relevant authority responsible for the protection of personal data under Article 77 of the GDPR.

In Luxembourg, the authority in charge of protecting personal data is the Commission Nationale de Protection des Données, based in 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette, Tel: (+352) 26 10 60 -1 (www.cnpd.lu ).

8) HOW TO RETRACT YOUR CONSENT

You now are aware that you can withdraw your consent at any time by contacting our responsible for data controlling at the contact details mentioned above.
This rule also applies to any consent statement given before the entry into force of the GDPR, i.e. before 25^th May 2018.
The withdrawal of consent does not affect the legality of the processing of the data that occurred prior to this withdrawal.

We remain at your disposal for any further information you may need.

Sincerely,

Your team Mikro Kapital Management S.A.