Data Protection Policy
Fidux Trust Company Limited Gibraltar, Vienna, Madrid and UK, HFFT Alternative
Limited and all subsidiary companies, collectively known as ?the Group?. The
Group?s policy is to comply with the requirements under the General Data
Protection Regulation (GDPR) and all other relevant data protection legislation
which applies to the Group.
The Group wishes to provide its clients and other individuals (together ?the
data subjects?) with total confidence at all times that it operates to the
highest levels of confidentiality when managing documentation and information.
In providing its services (?the services?) the Group may collect, use, consult,
record, store, adapt, transfer or otherwise process Personal Data. The Group [or
?each company?] is considered as a ?data controller` and will at all times act
accordingly under the provisions of the data protection laws in force.
The term ?Personal Data? refers to the information a data subject provides to
the Group in the form of identity documents or copies thereof, proof of address,
source of wealth or income and source of funds to be used in the relationship,
contact details or other documents or information containing personal
information relating to a data subject. Such Personal Data will at all times be
kept securely whether in paper form or computerised. The Group operates
sophisticated anti-virus, anti-malware, anti-spam and advanced threat protection
technologies that strongly mitigate the risk of its IT systems being compromised
and all systems are regularly updated and actively monitored. Should the Group
need to exchange data between offices of the Group to provide any services such
exchange is exclusively through VPN encrypted connections.
Personal Data will only be processed by the Group to discharge its legal obligations
under any applicable law related to the performance of the services provided (e.g.
anti-money laundering and terrorist financing legislation), the carrying out of
activities necessary to perform the agreed services or in order to contact a data
subject. Personal Data is only requested by the Group in order to perform one or
more of these functions.
Any Personal Data provided by a data subject will only be transferred to a third
party to the extent the transfer is necessary to perform the services or to comply
with a legal obligation to which the Group is subject. Further, the Group may
transfer copies of Personal Data to third countries outside the EU which do not have
an adequacy decision by the European Commission if necessary for the performance of
the agreed services.
In relation to Personal Data which is held by the Group, in accordance with the data
protection laws a data subject has rights as follows: (a) to access a copy of the
Personal Data held by a data controller; and (b) to request the rectification of the
Personal Data in the event of error; (c) to have its Personal Data erased (?right to
be forgotten?) provided that the Group is not under an obligation, howsoever
arising, to keep the Personal Data; (d) to ask for the restriction of the processing
of Personal Data with the aim of limiting processing in the future; (e) to object at
any time to the processing activity; and (f) to have its Personal Data transmitted
directly from the Group to another data controller, where technically feasible
(?right to data portability?). These rights are enforceable by a data subject to the
extent they are compatible with legal and contractual obligations to which the Group
In accordance with legal and regulatory requirements, the Group will retain Personal
Data of a client for a period of five (5) years (for Fidux Management Services GmbH
this period is 7 years in order to comply with Austrian accounting rules) following
the termination of the relationship between the Group and the client. This period
may be extended by force of law, regulatory requirement or agreement between the
Where a data subject on which the Group holds Personal Data wishes to make a
complaint related to the processing activities of its Personal Data, it shall first
address the complaint to the relevant office of the Group (please see Contact
details on the website). If the complaint is unresolved, the individual may lodge a
complaint with the relevant data protection authority or supervisory authority
located in the Member State of their habitual residence, place of work, or where the
alleged infringement happened.
Should any party wish to know more about our data protection policy, or should data
subject wish to know what personal data is held by the Group please email on
email@example.com stating your full name and the Company in the Group with
whom you have the business relationship.