Privacy Policy
1. Scope
This Privacy Policy informs visitors of this Website in accordance with the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), the Regulation (EU) 2016/679 (General Data Protection, “GDPR“) and the Teleservices Act (Telemediengesetz, “TMG”) about type, scope and purpose of the collection and use of personal data by the Controller before and after the foundation of a business relationship with another person.
User of this Website must be at least 16 years old.
Only the original German version of this Privacy Policy is legally binding.
2. Controller
XAIA Investment GmbH
Sonnenstr. 19
80331 Munich
Germany
E-Mail: info@xaia.com
Phone: +49 89 589257-0
For further details concerning the Controller please refer to our imprint (https://www.xaia.com/en/i/impressum/).
3. Data Protection Officer
Our Data Protection Officer can be contacted as follows:
Data Protection Officer
Sonnenstr. 19
80331 Munich
Germany
E-Mail: datenschutz@xaia.com
Phone: +49 89 589257 0
4. Personal Data
Personal data is information whereby a person can be determined, i.e. also information with which the identity of a person can be traced directly or indirectly. This includes, for example, the name, e-mail address, telephone number, IP-address or under certain circumstances the user behaviour when using this website.
Personal data is only collected by us, used and disclosed when permitted by law, the processing is necessary for the performance of a contract or the implementation of pre-contractual measures carried out on request of the person concerned, the processing for compliance with a legal obligation required or the users agree to the use of the data.
Please also bear in mind that data transmission over the internet can be subject to security vulnerabilities. Complete protection against access by third parties cannot be guaranteed.
The following describes the sources from which we retrieve personal information that we collect and process.
5. Our Data Sources
5.1. Processing of Personal Data with Informational Use of our Website
5.1.1 IP-Address and other Data
At informative call of the website (viewing), without having to go for e.g. registering the newsletter or providing us with information in any other way, only personal data transmitted by your web browser to our server will be charged. When looking at the website, only the following, technically necessary data is collected to enable the display of our website and to ensure stability and security:
- IP-address
- Date and time of the request
- Time zone difference to GMT
- Content of the website
- Access status (HTTP status)
- Transmitted amount of data
- Referrer URL (website from which the user came to this website)
- Operating system
- Web browser
- Language and version of the browser
The aforementioned data is stored on our servers or our webhosting provider. This data is not stored together with other personal data of yours. Furthermore, this data is not evaluated for marketing purposes.
The collection and storage of the above-mentioned data is necessary to enable the presentation of our website on your device. Storage in server log files serves to ensure the functionality and optimization of our website as well as to ensure the security of our information technology systems. We may collect and use this information beyond the end of a usage process, as appropriate, after weighing your fundamental rights and our interests. In doing so, we will take into account the currently prevailing risk potential for our website.
For the above purposes, we have a legitimate interest in the processing of data, which is why we are entitled to collect, store and use this data (§ 15 (1) TMG, article 6 (1) (f) GDPR). If these legitimate purposes cease to exist, the data will be deleted. A contradiction possibility of the user does not exist for the duration of the utilization process.
The user may object to the use of the data beyond the usage process at any time. In this case, the Provider no longer processes the data unless it can demonstrate compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the user, or the processing is for the purpose of enforcing, pursuing or defending legal claims.
5.1.2. Cookies
When users visit our website, one or more cookies are stored on their computers. A cookie is a small file that contains a specific string and uniquely identifies your browser. With the help of cookies, we improve the comfort and quality of our service by storing user preferences. We use cookies exclusively for controlling the selective offers of the website. By law, we are only able to unlock certain parts of our website offerings for users, according to their nationality and their status as institutional or private users. Accordingly, the user has when calling the website information to make "I'm from" and "I am". This information becomes part of our cookies. The user is therefore asked when calling the website in addition, if he agrees to the use of these cookies. The cookies contain no personal data. Cookies do not harm users' computers and contain no viruses.
We are entitled to use these cookies (§ 15 Abs. 3 TMG). We cannot activate our website for you if the above-mentioned information is not provided on entering the website or if the information does not permit activation (for example, if no consent is given for the use of the cookies). A use of our website offer without cookies is therefore not possible. Our cookies are valid for 90 days so that you do not have to repeatedly make the same entries when you visit our website repeatedly. You can delete cookies from your computer's hard drive at any time using the privacy features of your browser. In this case, the usability of the offer would be limited.
5.2. Processing of Personal Data in Case of Contacting on the Occasion of a Website Visit
When contacting us via the website or on the occasion of the visit to our website (for example, when ordering a newsletter or by e-mail), we will store your details for processing the request as well as for follow-up questions.
5.2.1. Publications
With our publications, we inform you on request and only after approval by e-mail about specialist topics, about us and our offers.
In order to ensure a consensual publication of a publication, we use the so-called double-opt-in procedure. In the course of this, the potential recipient can be included in a distribution list with the recipients of the publications. Afterwards, the user receives a confirmation e-mail to confirm the application legally. Only when the acknowledgment is made, the address is actively included in the distribution list.
By registering for one or more publications, we additionally and separately store your personal data for purely informative use (see above)
- E-mail-Address
- Forename
- Surname
- Date of registration
- Language setting
- List of desired publications
Further data is not collected. These data are used only for the distribution of the publications and for the legally required proof of the consent you have given. Personal data will not be passed on to third parties.
You can revoke your consent to the storage of this data and its use for sending the newsletter at any time. The cancellation can be made by e-mail to info@xaia.com or letter to our contact details above. In case of a cancellation, your data will be deleted by us.
5.2.2. Contact Form and e-Mail Contacting
If you use the contact form or the given e-mail addresses on our website to contact us, we will use the personal data provided in your e-mail (usually name and surname, address, telephone number and e-mail address) for a reply and to process your requests. We understand your requests as consent to use the data for these purposes. Upon fulfilment of the stated purposes, we will delete the data or internally block it for further use, unless the processing of the data is considered for other permissible reasons (for example, you consent to the further use of the data). You also have the right to revoke your consent at any time without affecting the lawfulness of the processing based on the consent to revocation.
5.3. Other Contacting outside of Business Relationships / Data Usage in Connection with a Business Relationship
In the same way as contacting you by e-mail (see paragraph 5.2.2. above), we also use the data we receive from other communications with you, e.g. as a consequence of:
- Personal encounters,
- Chat contacts (e.g. via Bloomberg),
- email traffic,
- Events,
- Telephone inquiries
For example, if you give us e.g. in the context of events your business card of yours, we understand this as your consent that we may contact you to establish a business relationship.
We also collect and process personally identifiable information from publicly available sources (such as the press, the media, the Internet) or data that we have legitimately received from third parties.
In addition, we use the personal information we receive from or in connection with the conduct of a business relationship from our business partners or from third parties.
Types of personal data that we receive from business partners, usually through the employees of the business partners, may include amongst other:
- Name / contact details
- Corporate contact details
- Details of the function of the person in the company
- Passport data
- Curriculum vitae
- Qualification data
The use of such data may be on a different legal basis:
5.3.1. Consent of Persons (Article 6 (1) (a) GDPR)
With regard to certain uses, we must have obtained the consent of the persons concerned so that we may act. For example, we solicit consent to the use of contact information for the distribution of product information, marketing materials, and other useful information about us, our services, or other market or product-related information. These consents are given by the persons concerned only on a voluntary basis and can be revoked at any time. The revocation of consent does not affect the legality of the data processed on the basis of the consent until the revocation.
By contrast, we do not require your consent to the use of personally identifiable information we need to perform our contractual obligations. The use of this data is based on Art. 6 (1) (b) GDPR (see para. 5.3.2 below).
5.3.2. For the Fulfilment of Contractual Obligations (Article 6 (1) (b) GDPR)
We are a financial services institution with permission for, among other things, financial portfolio management, investment advisory and investment brokerage. In providing these services and in fulfilling our contractual obligations, we use the personal data of our business partners. Also for our actions in a pre-contractual stage the use of the personal data of our business partners is necessary.
5.3.3. Due to Legal Obligations (Article 6 (1) (c) GDPR) or in the Public Interest (Article 6 (1) (e) GDPR)
Due to our status as a regulated institution supervised by the Federal Financial Supervisory Authority (BaFin) and the Central Bank of the Federal Republic of Germany (Deutsche Bundesbank), we are subject to numerous legal requirements, such as the German Banking Act (KWG), the German Securities Trading Act (WpHG), the Money Laundering Act (GwG) and other relevant laws to use the personal information of our business partners and other data subjects. We need the data, e.g. for the following purposes: combating market abuse and insider trading, operational risk management, money laundering and fraud prevention, law enforcement, complaints management.
5.3.4. Change of Processing Purpose (Article 13 (3) GDPR)
If we process your data for a purpose other than the one for which the personal data was collected, we will provide you with the information for this new processing purpose.
5.3.5. Based on Legitimate Interests (Article 6 (1) (f) GDPR)
We process the personal data of data subjects even if we have a legitimate interest and the data usage is required. In doing so, we always weigh our interests against the interests, fundamental rights and fundamental freedoms of the persons concerned. Eligible interests may exist in the following circumstances:
- Education and prevention of crime
- Maintaining IT security
- Law Enforcement
- Involvement of consulting and other service companies
5.3.6. Duration of Data Usage
We retain data that we may use in the course of carrying out a business relationship until the termination of this business relationship. Data that we are entitled to use on the basis of a legitimate interest will be deleted by us as soon as the legitimate interest ceases. Data for which you have given us consent will be deleted if you revoke your consent. After all, data held by us due to legal obligations is generally deleted by us at expiry of the retention periods. The periods for storage in the German Commercial Code (HGB), the German Tax Code (AO), the German Banking Act (KWG), the Money Laundering Act (GwG) and the Securities Trading Act (WpHG) are up to ten years. It may happen that personal data are kept for more than ten years for the time in which claims can be asserted against our company (statutory limitation periods of 3 or up to 30 years). Personal data related to possible or existing pension claims are kept by us for 30 years.
6. Recipient of Personal Data
In the absence of a legal obligation or an official order for the transmission of our information to third parties or a consent from you to forward the data to a third party, we forward the personal data as specified in section 5 only to our employees for further processing as well as to our cooperation partners in the context of the execution of a contract.
Our cooperation partners can be the following service providers:
- Custodians
- Capital Management Companies
- Investment Intermediaries
- ICT Services
- Consulting and other service companies and
- Other external service providers
A legal obligation to transmit personal data can arise e.g. from the following third parties:
- Competent Supervisory Authorities
- Law Enforcement Authorities
- Data Protection Authorities
- Tax Authorities
7. Transfer of Data to a Third Country or to an International Organization
In principle, we do not transfer data to third parties from a country outside the EU or to international organizations. We only make exceptions to this if you have given us your consent or if we are subject to a legal obligation to forward the data.
A transfer of data to offices in countries outside the European Union (so-called third countries) or to international organizations only happen, as far as
- it is necessary to fulfil our prudential obligations. This is the case, for example, with the obligation to document and store the correspondence (chats, messages, etc.) made via the chat function of Bloomberg LLC, New York, USA, when you contact us via Bloomberg Chat based on the BaFin Circular 5/2017 (GW) - "Appropriate business-related security systems within the meaning of § 25h (1) sentence 1 KWG" of 24.05.2017. The European Commission has decided that the US offers an appropriate level of data protection ("US Privacy Shield").
- it is necessary for the provision of our services in accordance with Article 49 (1b) GDPR (for example, a payment order).
- it is required by law enforcement treaties in accordance with Article 48 GDPR (e.g. tax reporting obligations).
- you have given us your consent to the transfer pursuant to Article 49 (1) (a) GDPR.
8. Rights of the Person concerned
- Right to delete the Stored Data
The deletion of your data takes place acc. the under para. 5.1.1, 5.2.1, 5.2.2 and 5.3.3 described rules. In general, we will erase the data if you so desire or have an appropriate claim, e.g. in case of loss of purpose, revocation of consent and in case of unlawful storage.
- Right of Data Portability
If you wish, we will provide you with the data you provided to us in CSV format as a structured, common and machine-readable format or, in this CSV format, send it to a third party (as controller) if technically possible.
- Right of Correction and Completion of the Stored Data
Of course we correct or complete your personal data immediately if we recognize that these are incorrect or incomplete or if you give us a corresponding notice.
- Right of Objection
At your disagreement we have to discontinue the data usage. This does not apply if we can demonstrate that we have prior legitimate grounds for processing that outweigh your interests, or the data is processed to assert, exercise or defend a claim.
- Right to Information
You have a right of information to us. The right to information includes information about the processing purposes, the categories of personal data, the categories of recipients to whom the data of the person concerned have been disclosed, the planned retention period, the right of rectification, cancellation, limitation of processing, opposition or data portability the existence of a right of appeal, the source of your data if it was not collected from us, and the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details.
- Right of Appeal
You have the right to complain to a regulator. As a rule, the person concerned may turn to the supervisory authority at his usual place of residence or work or at the domicile of the provider.
- Right to Restriction of Processing
In certain circumstances, you may request that we restrict the processing of your personal information. This means that in the future we will only store your data and will not be able to carry out any further processing activities until (i) one of the conditions listed below has been resolved, (ii) you give your consent or (iii) further processing is necessary to enforce legal claims to make, exercise or defend, protect the rights of others, or if it is necessary for the legitimate public interest of the EU or a member state. You may request that we restrict the processing of your personal information in the following circumstances:
- If you deny the accuracy of your personal information. In this case, we will restrict the processing of your personal data until the accuracy of the data has been verified.
- If you object to the processing of your personal information by us due to legitimate interest. In this case, you may request that the data be restricted while we review the increased worthiness of protection of our interests in the processing of your personal information.
- If we are unlawful in processing your data, you prefer to restrict our processing rather than having the data deleted.
- If the data is no longer needed for the purposes of processing, however, you will need that information to assert, exercise or defend your rights.
9. Obligations to provide the Data
With regard to the data according to para. 5.1 (IP address and other data as well as cookies) we are entitled to process this data due to legal authorization (§ 15 Abs. 1, Abs. 3 TMG).
- In relation to the IP addresses and the other data, you have no right during the usage process to object to the processing. You may object to the processing of the IP addresses and other data after the end of the usage process, unless there are legitimate reasons for continuing the processing.
- You can object to the cookies at any time, in particular by objecting to our terms of use when accessing the website.
With regard to para. 5.2 (newsletter and email contact) and para. 5.3 you must provide the specific personal data required to enter into a business relationship and fulfil its contractual obligations, or that we are required to collect by law. Without this data, we will generally have to refuse to conclude the contract or to execute an order or to be unable to complete an existing contract and possibly terminate it. In particular, we are required by the money laundering regulations to identify you or the persons acting for you and beneficial owners prior to the establishment of a business relationship, for example by means of your identity card, and to record and record your name, place of birth, date of birth, nationality as well as your address and identity card data. In order for us to be able to fulfil this legal obligation, you must provide us with the necessary information and documents pursuant to Section 11 (6) of the Money Laundering Act (GwG) and immediately notify us of any changes resulting from the business relationship. If you do not provide us with the necessary information and documents, we may not take up or continue the business relationship you have requested.
10. No Automated Decision Making
We do not use fully automated decision-making including profiling according to article 22 GDPR. By the mere use of the website, no decisions have to be made by us against the users anyway. Also related to the others in section 5 data uses, there are no automatic processes that influence the decisions that are made to those affected. Should such fully automated decision-making be used by us in the future, you will be informed about this separately, if this is required by law.
11. Changes to this Privacy Policy
This Privacy Policy may change from time to time. Any changes to this privacy policy will be published by the Provider on this website. In addition, older versions of this Privacy Policy will be kept in an archive for your traceability.
The data protection measures are always subject to technical innovations. For this reason, we ask you kindly to inform yourself about our data protection measures at regular intervals by viewing our privacy policy published on this website.