Table of content
- Overview
- What is Personal Data & Processing?
- Who is the Data Controller of Your Personal Data?
- The Purposes: the Group’s Use of Personal Data
- Personal Data the Group Collects From You?
- The Legal Basis: On What Grounds does the Group Process your Personal Data?
- The Source of the Personal Data: Where Does your Personal Data Come From?
- The Group’s Sharing of Personal: Who May Have Access to Your Personal Data?
- Location of Personal Data: Where Do Your Personal Data May Be Transferred?
- Data Security: How Does the Group Protect Your Personal Data?
- The Retention Period: How Long Will the Group Retain Your Personal Data?
- Your Rights Over Your Personal Data?
- Contact / Privacy Questions
Overview
What is the purpose of this Privacy Policy?
The SIENNA Group is committed to privacy and the protection of personal data of the persons whose data are collected and processed by Sienna Investment Managers, namely the website’s visitors, applicants, service providers, subcontractors, clients or prospects, shareholders, co-investors, managers of companies in which Sienna Investment Managers or a group company is considering acquiring a stake, except for its employees and consultants.
For the purpose of this Policy, the “Group” means Sienna Investment Managers SA and/or any of its subsidiaries or affiliates processing personal data as a Data Controller (as defined in Section 3 below) regardless of their location.
In the course of its activities, the Group processes personal data relating to natural persons as described in the first paragraph (hereafter referred to as “you”, “your”, “yours” as the case may be).
To ensure fair and transparent processing of personal data, the Group wants to ensure that you have a clear understanding of how the Group collects, uses, and shares personal data.
Given the worldwide scope of this Policy, it will apply to the extent that it does not contradict applicable local regulations. If the local regulations of the country where you are established require so, this Policy may be supplemented by local mandatory provisions.
The Group may also provide you with additional information notice or policy regarding data protection on specific matters.
What you will find in this document
This Policy describes the Group’s practices in order to achieve a high standard of data protection, regardless of the location of the Group’s entity with which you deal.
This Policy is intended to explain to you, in a concise and transparent manner:
- The purposes – or for what reasons or objectives – the Group processes your personal data;
- Which categories of personal data the Group may be led to process;
- The legal bases, i.e., on what grounds, and what are the justifications that allow the Group to process your personal data;
- From which source the personal data originate or have been collected;
- The recipients who may receive or have access to the personal data, i.e., who are the authorized persons or entities to whom the Group may disclose your personal data to;
- The location of your personal data, i.e., where the Group and its authorized parties may process your personal data;
- The security, i.e., what security measures does the Group implement to protect your personal data;
- The retention period, i.e., for how long are your data retained by the Group and/or what is the Group’s approach to defining the term of retention of your personal data;
- What are your rights over your personal data and how you can exercise them;
- How to contact the Group if you have any questions or concerns about this Policy or your personal data.
Validity and evolution of this Policy
This Policy is communicated to you individually by any appropriate means and is available at any time on our website.
This Privacy Policy may be amended from time to time to take into account any changes in law or regulation, technical, economic or other significant changes.
What is Personal Data & Processing?
Personal data is any information relating to an identified or identifiable individual, no matter where the individual is located. This means that data that directly identifies you – such as your name, surname, photo – is personal data, and also data that does not directly identify you, but that can be used to identify you – such as any identifier, login information – is personal data.
Here are some examples of personal data:
- Identity information (name, email, address, phone number, etc.);
- Personal life data (marital status, children, etc.);
- Professional life data (qualifications, skills, position, resume, etc.);
- Connection data (ID, password, etc.);
- Picture;
- Sound recording;
- Social media post;
- Location data (badge management, etc.);
- Messages (emails, texts, etc.);
- Bank details (GNI, invoices, etc.).
Processing means any action that is performed on personal data, such as: collection, organization, making available, adaptation, erasure or destruction, media handling, consultation, disclosure, storage, restriction of use or access, remote access, recording, structuring, alignment, combination, matching, retrieval, by any means and on any format (whether in paper or electronic form).
Who is the Data Controller of Your Personal Data?
A “data controller” is an entity that determines the purposes and means of the processing of your personal data and is responsible for compliance with applicable data protection regulations.
For the implementation of this Policy, the data controller is the entity that processes your personal data for its own purposes, i.e., Sienna Investment Managers S.A. or any of its subsidiary or affiliate, as the case may be. For clarity, where several subsidiaries or affiliates of Sienna Investment Managers S.A. process your personal data, they shall be considered as separate data controllers.
The Purposes: the Group’s Use of Personal Data
The Group uses your personal data for the needs of its day-to-day operation of business and the management of your work relationship with the Group, which includes – as the case may be – supplier management, clients or prospects management, service providers management, recruitment management, contract management, for administrative reasons, and to the extent necessary to comply with applicable laws.
The Group uses your personal data only when it has a valid legal basis to do so (see Section 6 below for more information on legal bases).
More specifically, the Group is committed to ensuring that such processing only takes place for specified, explicit and legitimate purposes which include:
- Managing providers : processing of the contractual relationship (first name, last name, postal address and e-mail address of the point of contact and the intervener, financial data associated with the contractual relationship, invoices, ), referrals, communications with the contact point and intervener until the end of the relationship-building process;
- Managing recruitment: handling of applications (resumes, application letters), referrals, communications with candidates, follow-up of applications until the hiring process is completed;
- Carrying out external and internal communication for our events: identifying individual points of contact for communication or events; including information about you in advertising or communication campaigns (subject to your prior approval); etc. ;
- Complying with legal or regulatory obligations that apply to the Group (such as AIFM regulation, etc.); fighting against fraud and/or corruption; conducting internal investigations, audit or other mandatory internal procedures;
- Managing internal business operations: managing professional relationships and exchanges or communications with business partners (suppliers, customers, prospects etc.); evaluating business deals and investigating their relevance; conducting due diligence assessments; managing corporate transactions such as mergers and legal restructuring operations such as acquisitions, joint ventures, assignments, spin-offs or divestitures;
- Managing corporate governance and compliance obligations: managing specific lists of individuals related to corporate governance (delegations of authority or and/or power) and legal obligations or commitments (insiders lists, conflicts of interest);
- Managing professional premises and the provision of on-site services: management of access control systems (including badges);
- Ensuring the physical security of people, of the Group’s property and assets (access control, CCTV, physical security and facilities management, etc.); carrying out building entry/exit control; managing individuals’ presence at and premises occupation rates for security and facilities management;
- Responding to requests from administrative or judicial authorities, in accordance with applicable laws; complying with subpoenas, required registration, or legal process;
- Protecting our rights and interests; protecting the health, safety, and security of people working within the Group’s premises; carrying out internal audits; managing our assets; implementing business controls and systems; managing business administration (finance and accounting, fraud monitoring and prevention); maintaining the security of our services and operations; protecting our rights, safety or property, allowing us to pursue available remedies or limit the damages that we may incur as necessary; protecting ourselves against possible fraudulent actions;
- Responding to you when you fill out a contact form or when you browse our website: you provide us with your first name and last name, postal address, the company you work for or represent, your e-mail address and telephone number, and details about the request you are sending us. Some data may be collected automatically, including technical information, anonymous data collected by the hosting server for statistical purposes, IP address, browser type, time zone…
What Personal Data Does the Group Collect From You?
The Group only collects and processes personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, as described above.
When you engage in a work or business relationship with the Group, apply for a job offered by the Group or provide products or services to the Group, the Group may collect a variety of personal data, including:
- Identity information: information that allows the identification of natural persons (e.g., first name and last name, date and place of birth, nationality, gender, distinctions, passport, ID card, visa or resident title details, photos or images);
- Professional life data: information concerning past and current employment such as:
- Training and education: CV (e.g., education level, field and institution; competency assessments, skills and competences, professional licenses and certifications; training courses);
- Past employment: professional experience, employment history and recommendation letters, references and verifications;
- Service provided at the Group: start and end date of service, description of service, business contact information (business address, e-mail address, business phone number, business fax number, etc.);
- Provider identification number, job title, position/grade, etc.
- Connection data: this category of data relates to the information concerning your use of the technological resources and tools provided by the Group for the purposes of your service and may include, for instance, IP addresses, network identification data (identification numbers, login, passwords), connection logs, hardware and software used, activity conducted, data usage, websites consulted, etc.;
- Location data: this category of data relates to information regarding the geographical location of individuals and may include, for instance: information relating to badges (use of badges to enter and/or exit premises);
- Financial and economic information: this category of data relates to information which may be collected in connection with the financial status or banking information of individuals acting on behalf of the service providers, which may include, billing data, bank account data, etc.;
- Data relating to criminal convictions and offenses (when such data are collected the Group being under the obligation or allowed, locally, to collect it in accordance with applicable legislation);
- Biometric data: this category of personal data relates to biometric information regarding individuals such as, for instance, fingerprints, facial recognition, etc. (when such data are collected by the Group being under the obligation or allowed, locally, to collect it in accordance with applicable legislation).
Some of the categories of personal data listed above may be qualified as “sensitive” or “special” categories of personal data due to their particularly sensitive nature in relation to fundamental rights and freedoms. Such data must therefore benefit from a specific protection. The processing of such data may also be limited, restricted or prohibited in certain jurisdictions. The Group will process such data only as required or authorized by applicable laws and will ensure that your rights and freedoms are protected in all circumstances.
The Legal Basis: On What Grounds Does the Group Process your Personal Data?
In order for the processing to be lawful, personal data should be processed on a legitimate basis. Any processing of personal data carried out by the Group relies on an adequate legal basis, as detailed below.
In practice, one legal basis can be used for one or several data processing purposes (as detailed in Section 4 above).
For candidates: The processing of personal data related to the recruitment management relies on the performance of the steps necessary prior to entering into a contract with the candidates.
For providers: The processing of personal data related to the contractual relationship management relies on the performance of the agreement.
Regardless of the status of the individuals concerned: Some processing purposes may rely on a legal obligation to which the Group is subject:
- Protecting your safety and health;
- Formalities required by the fighting against fraud and/or corruption; conducting internal investigations, audit or other mandatory internal procedures;
- Managing corporate governance and compliance obligations;
- Responding to requests from administrative or judicial authorities.
Some processing purposes may also rely on the legitimate interests pursued by the Group, provided that such interests are not overridden by your fundamental rights and freedoms which require protection of personal data:
- Managing your onboarding and off-boarding;
- Protecting your safety and health;
- Carrying out external and internal communication for our events;
- Organizing social and cultural actions;
- Evaluating and conducting business transactions and operations;
- Managing professional premises and the provision of on-site services;
- Ensuring the physical security of people, of the Group’s property and assets;
- Protecting the Group’s rights and interests (as detailed in Section 4).
The Source of the Personal Data: Where Does your Personal Data Come From?
The Group usually directly collects personal data from you, such as when you voluntarily provide personal data in the course of your duties or in the context of your activity vis a vis Group, or when the Group requests you to provide personal data for the purposes set out above. This is also the case when you use the tools, software, applications and websites that the Group makes available to you.
The Group collects some specific personal data automatically, for instance when following your interactions with our websites, platforms, applications and services through certain technologies, such as cookies or other tracking devices.
The Group may also collect personal data in accordance with applicable law from publicly available sources, including personal data that are published by you in all supports (scientific or other publications, conferences, webinars, public profile in social networks, etc.).
The Group may legally obtain personal data from third parties, for example, from individuals and organizations who hold information related to your CV, reference or application to work with us, such as current, past employers, educators and examining bodies and employment and recruitment agencies ; from public authorities (e.g., tax administration, etc.). In such case, we generally receive such personal data from third-parties that are authorized to do so in the framework of their own privacy policies or in accordance with the law and/or the contract we have entered into with them.
The Group’s Sharing of Personal: Who May Have Access to Your Personal Data?
The Group will only grant access to your personal data to authorized recipients only. These authorized and identified recipients will only be granted access to the personal data that is necessary to perform the purpose for which such access is granted.
The Group does not share personal data with third parties for their own marketing purposes.
Depending on the type of personal data and purpose of processing, access may be granted to the following authorized third parties:
- Sienna Investment Managers S.A. and its subsidiaries and affiliates ;
- the Group personnel specifically concerned for the performance of their mission including: the managers and higher-level managers, and executives, personnel in the HR, IT, Audit, Finance, Legal and Compliance teams;
- selected service providers acting upon our instructions for data hosting, data analysis, payment processing, order fulfillment, travel and event organization, provision of information technology services and equipment, customer service, email delivery, auditing (including Workday, Dealcloud and Microsoft Azure);
- judicial or administrative authorities, as required by applicable laws including laws outside your country of residence; tax, audit, health or other authorities, when we believe in good faith that the law or other regulation requires us to share this personal data (for example, because of a request by a tax authority or in connection with any anticipated litigation);
- potential acquirers and other stakeholders in the event of a merger, legal restructuring operation such as, acquisition, joint venture, assignment, spin-off or divestitures;
- our professional advisers, such as our accountants, auditors, lawyers, bankers, insurers and other advisers, as well as governments, governmental agencies, regulatory bodies and law enforcement authorities in countries where we do business;
- banking establishments, and any third parties who hold information related to your financial records such as financial organizations, credit reference agencies and debt collection and tracing agencies.
Location of Personal Data: Where Does Your Personal Data May Be Transferred?
The Group is a multinational organization with affiliates, partners and subcontractors located in many countries around the world. For that reason, the Group may need to transfer (via communication, access, visualization, storage…) your personal data in other jurisdictions than the one to which you belong, including in countries where personal data regulations may not provide the same level of protection.
Where required by applicable laws, the Group will implement appropriate safeguard (such as the European Commission’s Standard Contractual Clauses adopted on June 4, 2021, where the GDPR applies) to ensure that all cross-border transfers comply with applicable rules.
Data Security: How Does the Group Protect Your Personal Data?
The protection of personal data largely depends on the security measures implemented.
The Group has implemented and maintains a variety of technical and organizational measures to ensure the integrity and confidentiality of your personal data from unauthorized access, use and disclosure, in accordance with the IT Security Policy as available on our website.
These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk and severity for the rights and freedoms of individuals.
In particular, measures have been adopted to:
- ensure the physical security of the premises and equipment;
- control access to the information system;
- ensure the security of workstations and communications;
- trace access and manage and solve security incidents;
- raise user awareness about the security and privacy issues.
The Retention Period: How Long Will the Group Retain Your Personal Data?
In accordance with applicable laws, the Group undertakes to keep your personal data only for as long as necessary to achieve the purpose for which they were collected, to respond to your requests, or to meet the Group’s legal obligations.
In order to determine this duration, the Group takes into account the following elements in particular:
- The duration of your contract/relationship with the Group or the contract in force between the Group and your organization;
- The time required to process your request or claim;
- Your interest in staying in touch with the Group;
- The need to keep a certain history of your interactions or your organization’s interactions with the Group, for the management of our business relationship, or administrative purposes;
- The Group’s legal or regulatory obligations (for example, according to tax and accounting obligations).
Once the data retention period has expired, the Group will implement procedures to delete or anonymize the personal data.
Your personal data as a candidate will be kept for the period necessary for the recruitment process. Subject to your prior consent, your personal data will be retained by the Group for the purpose of considering other positions that may be suitable for you for the maximum period provided for by the applicable legislation as of the date of the Group’s decision to refuse.
What Are Your Rights Over Your Personal Data?
The Group is committed to providing you with a number of rights regarding your personal data, in accordance with our internal rules.
The conditions for exercising these rights may differ according to the applicable laws and regulations.
These rights may be limited as provided by applicable laws and regulations, the Group’s legal obligations, the rights of third parties or the protection of the Group’s legitimate interests. Where relevant, you will be informed of the reasons why the Group could not fulfill all or part of your request.
The Group informs you that you are entitled:
- to have access upon simple request to your personal data – in which case you may receive a copy of such data, unless such data is made directly available to you, for instance within your personal account, on the Group’s intranet or other portals to which you have access;
- to obtain a rectification of your personal data should your personal data be inaccurate, incomplete or obsolete;
- to obtain the deletion (“right to be forgotten”) of your personal data where (i) they are no longer necessary in relation to the purposes for which they were collected; (ii) you withdraw your consent on which the processing is based (where relevant); (iii) you exercised your right to object to the processing and there are no overriding legitimate grounds for the processing; (iv) the personal data have been unlawfully processed; (v) the personal data have to be erased for compliance with a legal obligation;
- to withdraw your consent to the data processing without affecting the lawfulness of processing, where your personal data have been collected and processed on the basis of your consent;
- to object to the processing of your personal data, where your personal data have been collected and processed on the basis of legitimate interests of the Group, in which case you will need to justify your request by explaining to us your particular situation;
- to restriction of the data processing only (i) where the accuracy of the personal data is contested by you; (ii) where the processing is unlawful and you opposes the erasure of the personal data; (iii) where the Group no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims; (iv) you have objected to processing pursuant to prior paragraph pending the verification whether the legitimate grounds of the Group override yours;
- to receive your personal data or get them transmitted to a third-party of your choice in a standardized format, where technically feasible and only where the processing is based on your consent or a contract.
If you wish to exercise any of these rights, you can contact us as described in Section 13 “Contact / Privacy Questions” below and we will take necessary steps to respond as soon as possible.
You may also file a complaint before a competent data protection authority regarding the processing of your personal data. While we would suggest that you contact the Group beforehand, you may directly contact the competent data protection authority of your jurisdiction.
Contact / Privacy Questions
The Group welcomes any questions or concerns you may have regarding this Policy or its implementation.
To this end, the Group has appointed a Data Protection Officer who will be your designated contact point and may be reached:
- by email at the following address: dpo@sienna-im.com
- by mail at the following address:
Sienna Investment Managers
Monsieur le délégué à la protection des données
21, boulevard Haussmann
75009 Paris, France