Data Privacy Statement

Introduction

OSMIA CONSULTING (the « Company ») is an independent consultancy company boutique based in Luxembourg.

The purpose of this Statement (the “Privacy Statement”) is to provide you with a full explanation of how the Company processes the personal data of its clients, its potential future clients or individuals linked otherwise the Company such as representatives, shareholders, beneficiaries or beneficial owners, contact persons, the Company’s website users or even the representatives of a legal person (the “Data”).

Your data is processed in accordance with the applicable legal provisions and notably Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data (“GDPR”) and the related Luxembourg laws.

If you would like further information about data protection, this is available from the Luxembourg National Commission for Data Protection (abbreviated to CNPD) (https://cnpd.public.lu)

Who is responsible for processing your personal data?

OSMIA CONSULTING, located in 22, rue de l’Industrie, L-8399, Windhof, is responsible for processing your personal data.
You can find out more about us on www.osmia.consulting

At what moment is your personal data collected?

Although not exhaustive, examples of when some of your Data might be collected by the Company include the following:

  • if you become a client of the Company (this notion of client includes the counterparties to contracts concluded with the Company);

  • if you indicate your interest in our products and services by contacting us via the available channels or when you use them;

  • if you transmit to us a duly completed form;

  • if you use our on-line services;

  • if you respond to our invitations to events organized by the Company;

  • if you visit our offices and are filmed by our surveillance cameras;

  • if you publish your Data on social networks or websites with unrestricted access;

  • if databases are purchased or leased from professional data providers;

  • if your Data is published or transmitted by authorized third parties (Official Journal of the Grand Duchy of Luxembourg, agents or brokers) or in the press.

What are the purposes for which the Company has collected your data?

The Company processes your Data in the situations permitted by the law, in other words:

  • within the context of complying with regulatory and legal provisions to which the Company is subject;

  • within the context of precontractual measures before you become a client of the Company;

  • in order to proceed to the execution of the contract concluded by you and the Company;

  • for reasons relating to the legitimate interests of the Company;

  • for reasons relating to the specific legitimate interest of the Company to adopt direct marketing practices;

  • on the occasion of a specific request and based on clear and unequivocal information, if we obtain your consent to the sending of electronic communications.

Compliance with legal and regulatory provisions

In the exercise of its activity, the Company is obliged to respect certain legal and regulatory obligations which require your Data to be processed in a particular way. Processing of this nature might require the communication of your Data to the competent supervisory, judicial or administrative authorities, whether national, international, European or worldwide. Of course, we seek to ensure that your Data is only transmitted in circumstances where the Company is bound by these obligations.

Below is a non-exhaustive list of the legal and regulatory areas in which the Company is required to process your Data.

This list is subject to change:

  • Respecting

    • the rules in force on the embargos decided by the competent Luxembourg or international authorities, whether these decisions concern individuals, organizations or nationals of certain States. This might take place, for example, by the identification of the persons and assets concerned;

    • the rules on financial, tax, fraud or incident reporting to the prudential supervisory authorities;

    • the rules, injunctions and requests of the competent authorities relating to financial, operational, legal risk management, etc.

  • Contributing to

    • combating and preventing the financing of terrorism and money laundering by the identification of the clients, their representatives and beneficiaries;

  • Communicating

    • to the various supervisory, tax and legal authorities on the basis of official requests;

    • to the various competent authorities monitoring privacy protection on the basis of official requests or where imposed by the regulations;

    • to the various providers of financial, IT services or payment services, information;

  • Proceeding

    • to the recording of certain telephone conversations and certain electronic communications.

Precontractual measures before you become a client of the Company

Before a contract is concluded, regardless of the means of communication used and made available to you by the Company, the Company must analyze your request to see whether the envisaged contract can actually be concluded.

As part of this analysis, the Company will process your Data in order to progress your request and particularly to determine the conditions under which the contract could be concluded.

Contracts between the Company and its clients

In the execution of the contracts binding the Company and its client and also for terminated contracts, regardless of the communication channels used, the Company can, and must in certain cases, obtain and process the Data concerning its client for the following reasons:

  • observance of the administrative and accounting obligations of the Company;

  • assurance of providing the client with a quality service;

  • execution of contracts concluded between the Company and its client;

To carry out these different tasks and provide an optimal service, the Company must transmit or share the Data among its internal departments.

The Company might be required to process Data for additional purposes for the execution of contracts and, more generally, for the purposes of its relationship with its client.

Legitimate interests of the Company

While seeking to preserve a fair balance and duly account for your rights and freedoms, notably your right to protect your privacy, the Company processes your personal Data in the pursuit of its legitimate interests.

In this situation, the Company will always seek to limit to the maximum extent possible the impact of the processing envisaged in order to preserve this balance.

Despite this, if you have objections to this processing, you may exercise your right of opposition based on the conditions and limits described in the section “What are your rights”.

Personal Data is therefore processed with a view to:

personalizing our services;

  • analyzing and managing risks and actuarial or statistical calculations;

  • Managing claims or disputes;

  • Archiving and evidential requirements

  • Carrying out the preventive and operational management of physical and information security;

  • Preventing offenses

  • coordinating clients and client groups to improve synergies and general efficiency within the Company;

  • using cookies which are necessary for browsing our websites and other platforms accessible to you. To find out more about cookies, their use and the modification of your parameters, please read our cookies policy available at the website: www.osmia.consulting.

  • improving operations within the Company, its quality of service and its processes, notably:

    • by ensuring the ongoing training of our representatives, which involves the recording of certain telephone conversations;

    • by centralizing the management of clients particularly in order to establish more detailed profiles;

    • by developing segmentation operations based on individual or group profiles, particularly in order to improve our relationship management. This situation might arise, for example, where we make a distinction between “individual” and “corporate” profiles

Legitimate interest of the Company in adopting direct marketing practices

The Company also processes your Data for segmentation purposes, so as to be able to offer you suitable and personalized products or services corresponding to your professional or private situation and accounting for the history of your relationship with the Company.

Processing like this might arise where the Company:

  • evaluates your socio-economic, demographic or family status, notably by identifying key moments at which specific products or services could be offered to you;

  • studies the efficacy of its advertising and marketing campaigns;

  • evaluates your key interests and purchasing behavior as a client;

  • improves the forms and communication channels available to you by automatically certain entering data obtained previously and then asking you to confirm the data;

  • prepares personalized product and service offers;

  • sends personalized advertising by post or by telephone.

As part of developing personalized products and services, the Company might also provision is database using specialist external companies.

Your consent to sending electronic communications

After asking you for your specific consent, the Company may process your personal Data, particularly your mobile telephone number and your e-mail address, in order to send you invitations to events, advertising or personalized offers as part of direct marketing campaigns or via newsletters.

If you no longer wish to receive electronic communications, the Company always provides you with the possibility of opposing this processing of your Data at no charge.

The Company shall be responsible for handling all requests from you regarding the processing of your personal data.

What type of data is processed by the Company

  • Your identification Data

  • Your contact details

  • Your marital / family status

  • Your overall financial situation

  • Your key interests

  • Audio visual data (camera, telephone)

  • Data from public sources

  • Data from cookies

In accordance with law, the Company does not, in principal, process data of certain categories, namely those concerning your racial or ethnic origin, your political opinions, your religion or philosophical beliefs, your union memberships, your health or your sexual preferences. Neither will we process data relating to criminal sentences and offences except when compelled to do so by law, notably under the regulations on combating money laundering and the financing of terrorism. None Genetic or biometric data is not processed or used by the Company within the scope of its product or service offers. If we were required to process Data of this nature, we would only do so in accordance with the conditions and requirements set down in law and informing you specifically beforehand of the purposes of the processing.

Who will the Company share your data with?

Supervisory authorities and public authorities

The Company is obliged, by virtue of the regulations in force, to communicate certain Data (information or documents concerning its clients, their beneficiaries and/or beneficial owners, their accounts) to supervisory authorities and public authorities such as:

  • public authorities, national and international regulators, supervisory authorities, tax authorities and other similar foreign, European or international authorities;

  • more generally, any judicial or administrative authority;

Sub-contracting and specialist third parties

The Company might decide to communicate your Data to third party entities if it decides to sub-contract certain services to specialist third parties or if based on a legitimate interest.

The communication of your Data in this situation is always within the limits strictly necessary to enable the services concerned to be provided by these sub-contractors. We also place great attention on the choice of these specialist third parties. Based on the above, the Company notably currently shares your data in the following circumstances:

  • management of disputes with the involvement of legal firms or enforcement officers;

  • creation and maintenance of the Company’s computer applications and tools;

  • marketing of its activities;

  • organization of events;

  • management of client communications;

  • regulatory reporting;

  • settlement of financial transactions.

Transfer of Data outside the European Economic Area (EEA)

Due to our activities, the Company might be required to communicate Data outside the EEA.

In this situation, the Company will only communicate Data to countries which do not guarantee adequate protection strictly in the cases set out in the General Data Protection Regulation (GDPR).

The Company will therefore adopt all appropriate measures to guarantee that your Data is duly protected in the destination country, notably by ensuring the protection of personal Data is guaranteed by appropriate contractual provisions or by any other means offering an adequate level of security.

How long is your Data conserved for?

The Company conserves your Data for the time necessary to accomplish the purposes for which your Data was collected, but also to fulfil its legal and tax obligations, for evidentiary purposes, or to respond to information requests from the competent authorities.

In this situation, we undertake not to conserve your Data beyond the time period necessary to accomplish the purposes for which it was collected.

Security of your Data

The Company adopts the necessary measures, particularly organizational and technical, to ensure the confidentiality, integrity and availability and resilience of the Data, systems and processing services under its control and their processing security in accordance with legal requirements.

Our staff will only access your Data if relevant to accomplishing their missions.

Our employees are bound by strict professional discretion and are obligated to respect the confidentiality of your Data.

Our premises and access to our servers and networks are strictly protected and we place particular care on the choice of our providers and commercial partners, to ensure that any Data transfer or processing by those parties is completely secure.

Technical protection measures are also implemented by the Company to offer an ever-increasing level of security for your Data.

These measures might notably consist of the encryption of your Data and the installation of firewalls or antivirus systems.

What are your rights?

Right to access and receive your Data

You can obtain your personal Data and ask us the following information: whether we are processing your Data or not; the purposes for which your Data is processed; the different Data categories processed; the recipients to which it is communicated and the way in which we obtained your Data. This right can be exercised notwithstanding Data already available via other channels and subject to respecting the rights of third parties.

If your Data is processed by an automated system, this right also enables you to ask the Company to provide you with the Data it holds about you in a structured format which is machine accessible and readable.

Right to have your Data corrected

You can always ask us to correct your Data if you find it is incomplete or incorrect.

With a view to keeping your Data completely up-to-date and provide you with a quality service, we would ask you to inform us of any change (such as a house move, renewal of your identity card, etc.).

Right to have your Data deleted

You can ask the Company to delete your Data or render it unusable based on the reasonable technical resources available to it.

However, the Company can refuse to carry out the deletion if it must continue to process your Data for imperative reasons, notably if the Data is necessary for the Company to fulfil its legal obligations, for evidentiary purposes to retain a history of transactions or to fulfil its contractual obligations.

Right to oppose the processing of your Data

You can oppose the processing of your Data by the Company. If this processing is based on the legitimate interest of the Company, the Company might, however, refuse this request for an imperative reason, notably in circumstances in which the processing of the Data is necessary in order to prevent fraud or money laundering, for example. We would also draw your attention to the fact that your opposition to the processing of your Data for reasons other than direct marketing might result in the Company terminating its contractual relationship with you or refusing to execute a transaction.

Right to withdraw your consent

You can withdraw the consent given to the Company to process your Data at any time. However, if you and the Company are still under contract, the Company might, after weighing up its own and your interests, continue to process some of your Data.

Right to the portability of your Data

Where we process your Data on the basis of your consent or the existence of a contract, you can ask us to transmit your Data directly to another data controller if this is technically feasible for the Company.

Right to restrict the processing of your Data

You can ask for the processing of your Data to be restricted in certain specific cases.

Right to oppose communications for advertising purposes (direct marketing)

You can oppose the processing of your Data for direct marketing purposes on request and at no charge.

If you exercise this right, the Company will stop sending your advertising communications to your e-mail address, your postal address or your telephone, based on your request. Your request will be processed as soon as possible.

How can you send us a request relating to Data Privacy?

General request

Any request relating to the exercise of your rights may be made and addressed in writing to the Company at any time and at no charge.

Simply send us a dated and signed request written clearly and precisely. We would ask you to attach a copy of your identity card so that we are sure that no one is exercising your rights in your name. We reserve the right to make direct contact with you to verify the authenticity of the request.

You can send your request via the different channels made available to you:

  • by post, with a copy of your identity document, to our data protection officer (“DPO” or “Data Privacy Officer”) at the following address:
    OSMIA CONSULTING
    c/o Data Privacy Officer
    Rue de l’Industrie 22,
    L-8399 Windhof

  • by sending an e-mail with a copy of your identity card to the address privacy@osmia.consulting

Request concerning direct marketing activities

You can send your request via the different channels made available to you by the Company:

  • by clicking on the “Unsubscribe” link in one of the e-mails or electronic newsletters sent by to the Company;

  • by post, with a copy of your identity document, to our data protection officer (“DPO” or “Data Privacy Officer”) at the following address:
    OSMIA CONSULTING
    c/o Data Privacy Officer
    Rue de l’Industrie 22,
    L-8399 Windhof

  • by sending an e-mail with a copy of your identity card to the address: privacy@osmia.consulting

Right to file a complaint

In the event of a dispute concerning the processing of your Data, you can contact the Company by post, at the address:

OSMIA CONSULTING
c/o Data Privacy Officer
Rue de l’Industrie 22,
L-8399 Windhof

You are entitled to file a complaint with the Luxembourg National Data Protection Commission:

Amendment of this privacy statement

We may amend this Privacy Statement from time to time to ensure that you are fully informed about all processing activities and our compliance with applicable data protection legislation.