Data protection policy

1. Purpose. Definitions

This Policy sets out the general principles that should govern all activities or initiatives carried out by Novicap and that may affect the right to privacy of “interested parties”.

The approval of this policy is the result of Novicap’s will to comply with privacy and personal data protection in three basic areas:

Privacy: Novicap guarantees respect for the right to privacy and the right to the protection of personal data of the interested parties.
Transparency: Novicap ensures that the Data Subjects have all the information about what personal data of theirs are processed, how and for what purpose they are used, as well as the basis that legitimizes their processing by complying with all the obligations of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the GDPR) as well as any other regulations on data protection in force or affecting the right to privacy that is approved in any of the States in which Novicap has a presence.
Computer security: Novicap has all the necessary security measures to prevent a breach of systems and / or unauthorized access by third parties to the data held.

This Policy shall be approved by the Board of Directors of Honey Badger Capital Ltd, which is the competent body to approve the corporate policies and the policies of the entities that are part of Novicap.

In accordance with the GDPR, and for the purposes of this Policy, the following definitions shall be taken into account:

Novicap: For the purposes of this Policy, Novicap means Highbury Fields Services S.L., Novicap Spain S.L., Novicap Ltd and Honey Badger Capital Ltd (hereinafter, for ease of reading “Novicap”).
Right to privacy and protection of personal data: This is the fundamental right of any Stakeholder to have their private and family sphere respected, including their communications, deciding when and in what way their personal information can be used, including information derived from the use of the Internet and the different technological advances. It also implies that such information must be adequately protected.
Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is any person whose identity can be established, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated procedures, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects relating to that natural person’s professional performance, financial situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization: the processing of personal data in such a way that it can no longer be attributed to a data subject without the use of additional information, provided that such additional information is separately identified and subject to technical and organizational measures designed to ensure that the personal data is not attributed to an identified or identifiable natural person.
Anonymization: process by which data that could directly or indirectly identify specific individuals are eliminated, thus maintaining only those types of data that cannot be associated, in any way, with the person who owns them.
File: any structured set of personal data, accessible according to specific criteria, whether centralized, decentralized or distributed functionally or geographically.
Controller: the natural or legal person, authority, service or other body which, alone or jointly with others, determines the purposes and means of processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its nomination may be laid down by Union or Member State law.
Data processor: natural or legal person, authority, service or other body processing personal data on behalf of the controller.
Recipient: natural or legal person, public authority, service or other body to whom personal data are communicated, whether or not a third party is concerned. – Consent of the data subject: any freely given, specific, informed and unambiguous expression of will by which the data subject agrees, either by a declaration or by a clear affirmative action, to the processing of personal data concerning him/her.
Legitimate interest: legal basis of a controller or third party to carry out data processing, provided that the interests or the rights and freedoms of the data subject are not overriding, taking into account the reasonable expectation of the data subject based on his or her relationship with the controller or third party.
Breach of security of personal data: any breach of security resulting in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data.
Cookies: file that is stored on a computer or mobile device when accessing certain web pages allowing to store and retrieve information about the browsing habits of a user or their equipment.

2. Scope

The Policy is applicable to Novicap companies that carry out processing operations that may affect the privacy rights of “Data Subjects”. The Novicap companies to which this Policy applies are attached as Annex 1.

This Policy is mandatory for members of the Board of Directors, employees, managers, agents, collaborators or persons who provide services to Novicap (hereinafter “Data Subjects”). Suppliers providing services to Novicap must respect the principles set forth in this Policy.

3. Main principles

The general principles that Novicap applies to the processing of Stakeholder information are as follows:

Principle of lawfulness, loyalty and transparency: The Obligated Parties, and Novicap in general, treats the personal data of the Interested Parties based on any of the legitimate bases that are provided for in the RGPD, the rest of personal data protection regulations and any other regulations that may affect the right to privacy, informing you promptly, adequately and sufficiently, what is the basis that justifies the processing of your personal data. To do this, Novicap has implemented appropriate organizational measures to ensure that before starting the treatment that may affect the right of privacy and the right to protection of personal data, a legal and technical analysis is performed to establish the legitimate basis for the treatment.
Principio de transparencia: Principle of transparency: Novicap complies with the principle of transparency, since it has incorporated in its contracts a clause of personal data protection in which the interested parties are informed of the way in which their personal data will be used. Specifically, they are informed of: (i) Identity and details of the person responsible; (ii) Contact details of the Privacy and Data Protection Delegate and how you can contact him/her; (iii) what personal data will be processed and what processing is carried out with your personal data, as well as the legitimate basis for such processing; (iv) which processing is necessary for the maintenance of the contractual relationship and which is voluntary, giving you the opinion at that time to authorize or not the voluntary ones, and informing you how you can revoke, and manage, the permissions you have given Novicap for the processing of your personal data at any time; (v) the storage period of your personal data; (vi) what your rights are and where you can exercise them; (vii) your right to submit a complaint to the supervisory authority; (viii) the recipients and categories of recipients of your data; (ix) if there were international transfers of personal data, to which country such transfer is made, and the guarantee that the transfer would be made with adequate safeguards and similar to those of the GDPR; (x) the origin of your personal data; (xii) where you can obtain additional information about the processing of your personal data.
Purpose limitation principle: Personal data processed by Novicap are only processed for the purposes for which they were expressly collected and are not processed for any other purpose. This principle implies that, in relation to the collection and further processing of personal data, the following principles must be taken into account: (i) the collection of personal data must be done for specific, explicit and legitimate purposes; (ii) Stakeholders must be clearly informed about such purposes at the time of data collection; (iii) Data may only be processed for the purposes for which they were first obtained; (iv) When data are to be processed for purposes other than the original ones, Stakeholders must be informed again and the lawfulness of the processing is guaranteed.
Principle of minimization of personal data: Novicap only collects, processes and stores personal data necessary for the achievement of the purposes of processing that have been defined and about which the data subjects have been informed. Before initiating any new processing or modifying an existing one, Novicap will analyze which data are necessary for the purpose for which the processing is carried out. In any case, the data subjects are guaranteed that only the data strictly necessary for the processing will be collected.
Principle of accuracy: The data processed by Novicap are accurate and up to date. Without prejudice to the data subjects’ rights of deletion and rectification, Novicap takes reasonable steps to rectify or delete data that may be inaccurate or unsuitable for the purposes for which it is processed.
Retention period: Personal data are kept for the time necessary to execute the purposes for which they were collected. After this period the data are blocked during the period of limitation of legal actions, in order that Novicap can exercise such actions or defend against them or in any administrative proceedings that may be initiated and can only be unlocked and treated again for this reason.
Principle of integrity and confidentiality: Personal data are processed in such a way as to ensure an adequate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the implementation of appropriate technical or organizational measures. Those involved in the processing of data shall be bound by a duty of secrecy even after the termination of their relationship with Novicap.
Principle of proactive responsibility: In relation to the processing of personal data, all decision-making processes, measures adopted and procedures carried out are documented in order to be able to demonstrate compliance with data protection and privacy laws and to inform all “obligated parties” of all their obligations.

4. Stakeholders’ Rights

Interested parties have the right to exercise at any time, under the terms provided by the regulations in force at any time, the rights of access, rectification or deletion of data, as well as to request the limitation or opposition of the processing or request the portability of their data.

Likewise, they have the right to consult, modify and delete their personal data, as well as to revoke the consent given at any time.

These rights can be exercised by sending an email to [email protected] requesting the exercise of these rights along with the ID card or identity document of the applicant. Once the request has been sent via email by the Interested Party, Novicap will confirm and notify the same and will be contacted to inform that the exercise of your right has been carried out, modifying and / or deleting your personal data.

In addition, we inform you that you can always turn to the Spanish Data Protection Agency (www.aepd.es) to request its guardianship or file a complaint regarding the processing of your personal data. The following are the general rights that the Stakeholders have that guarantee the security and integrity of the Stakeholders:

Rights of access, rectification, deletion, opposition, limitation of processing and portability: Novicap has implemented appropriate measures to ensure within the organization the proper exercise of the rights of access, rectification, deletion, opposition, limitation of processing and portability with respect to personal data of data subjects. To this end, through the data protection clause, the data subjects are informed where and how they can exercise their rights, as well as the right to file a complaint with the competent supervisory authority.
Right to privacy from the design: Novicap protects the right to privacy and by default from the design of projects and products. Any new initiative or treatment that is intended to be carried out must perform a legal and technical analysis to assess the feasibility of this new initiative or treatment, analyze all the risks that may be generated and if necessary, define all the measures to be applied to ensure the right to privacy of stakeholders.

Subsequently, this initiative or treatment must be reviewed and approved by the Data Protection Officer.

Once approved the new initiative or treatment Novicap ensures that all organizational and security measures are taken as necessary to ensure that once implemented continues to respect the privacy rights of data subjects, proceeding to periodic reviews necessary to ensure that they have implemented all measures both legal and technical defined.

General protection rights to the interested parties: all Novicap contracts include a data protection clause in which the interested parties are informed of the general processing carried out by Novicap. Specifically, you are informed of the processing that is necessary for the proper execution of the contractual relationship and those treatments that are voluntary.
The right to a general prohibition on the processing of specially protected categories of personal data, subject to exceptions: The following are considered special categories: (i) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) Genetic data; (iii) Biometric data aimed at uniquely identifying a natural person; (iv) Data concerning health; (v) Data concerning the sex life or sexual orientations of a natural person.

Novicap will only process special categories of personal data when it is necessary for the exercise of its activity and for the provision of services requested by the Stakeholders and will do so only in those cases in which the RGPD or the applicable sectoral legislation authorizes it, applying in the treatment all the organizational measures and security that are appropriate and informing the data subject of such treatment.

Prohibition of processing of personal data relating to criminal convictions and offenses: Controllers and/or processors subject to this Policy may only process personal data relating to criminal convictions or offenses, as well as related precautionary and security procedures or measures, for the purposes of prevention, investigation, detection or enforcement of criminal sanctions and provided that it is covered by a rule of Union Law, national legislation or other rules of legal rank.

5. Transmission of personal data

Novicap will only communicate the data of the Interested Parties to other responsible parties in the following cases:

Communication of data for compliance with a legal obligation. The data of the Interested Parties are only communicated to the Administrations, Authorities and Public Bodies, Novicap companies when required by the applicable regulations.
Communication of data to Novicap its subsidiaries and investees, so that these companies can contact the Stakeholders and inform them of their products and for monitoring, control and risk analysis of the products and services contracted or when the person responsible has a legitimate interest in communicating the data to Novicap companies (administrative purposes, fraud prevention). This communication will be based on the legitimate basis in accordance with the regulations in force and taking into account the purposes of the processing.
Communication of data for the execution of the contractual relationship. Novicap, for the proper provision of its services to Stakeholders requires the hiring of various suppliers who, for the provision of the service, may need access to personal data of Stakeholders. Novicap guarantees that a responsible selection of suppliers is carried out and that they accept the principles of this policy.

6. Suppliers

Novicap has an internal supplier evaluation procedure, which ensures that suppliers are only hired when they offer sufficient guarantees to implement appropriate technical and organizational measures to respect the privacy rights of data subjects.

All suppliers providing services to Novicap have signed a contract regulating the obligations and security measures to be applied in each data processing performed.

Novicap may contract services that are provided outside the European Economic Area and therefore involves an International Data Transfer, only when strictly necessary and always with suppliers that ensure that such transfer will be made in accordance with the provisions of current regulations and countries that have adequate guarantees of protection. In this case, Novicap will inform of the existence of this transfer to all interested parties.

7. Training

Novicap develops and implements a training plan on data protection and privacy aimed at all the Parties bound by this Policy that aims to consolidate a culture of compliance in privacy matters within the organization. The content and scope of the training of each obliged subject will depend on the degree of involvement that it has in the development of personal data processing operations, being able to define different groups of employees for this purpose ensuring that everyone has an adequate level of knowledge about their obligations and responsibilities.

8. Implementation of the Policy in Novicap companies

The competent bodies of the Novicap companies subject to this Policy shall adopt the necessary resolutions for its effective and binding implementation.

The competent bodies of the companies subject to this Policy shall adopt the necessary resolutions to develop and approve the necessary procedures and plans on privacy matters.

In the event of contradiction between the provisions of this Policy and the provisions of the regulations affecting the right to privacy or data protection law applicable at any time, the latter shall prevail.