GDPR Notice to the Non- Disclosure Agreement

This Notice applies to the disclosure of Data by the Disclosing Party and the processing of Data by the Receiving Party.

I. Definitions

For the purpose of this Notice, the capitalized terms below shall have the following

  • Controller” shall have the meaning given to it in the GDPR;
  • Data Protection Legislation” means any applicable law of the European Union or any of its Member States protecting Data, including, in particular, the GDPR;
  • GDPR” means Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the  rocessing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • "Notice” means this GDPR notice ;
  • Data” includes all information which constitute “personal data” under the Data Protection Legislation [i.e. any information related to an identified or identifiable natural person (a “Data subject”)];
  • Data processing” shall have the meaning given to it under the GDPR;
  • Disclosing Party’s Data” means any Data about individuals (including without limitation, the owners, founders, directors, officers, delegates, agents, employees and support personnel of the Disclosing Party or its affiliates) (the “Individuals”) whose Data is processed by the Disclosing Party and/ or its Representatives, in each case, in connection with the Potential Transaction.
  • Potential Transaction” means that he Disclosing Party and Receiving Party have entered into a Non-Disclosure Agreement in consideration of a possible investment whereas the Disclosing Party is willing to disclose certain Data for the purpose of enabling the Receiving Party to determine whether to acquire an interest in one or more target investments, and following the making of such investment(s), to monitor the investment(s) in the manner typical for an investor owing interests in the same form and structure of the target investment(s).

II. Processing of Data

Any processing of Data under this Notice constitutes a processing of Data under the Data Protection Legislation. Each Party shall comply as Controller with the applicable requirements of Data Protection Legislation in relation to its respective processing of Data.

III. Role of the Disclosing Party and purposes of processing

The Disclosing Party processes the Data as a Controller in the context of the Potential Transaction. In particular, it discloses the Data to the Receiving Party prior to or in GDPR Notice related to the signing of an NDA 2021 2 connection with the Potential Transaction together with such confidential information which it may from time to time provide to the Receiving Party in whatever form without limitation, orally, in writing, electronic, physical or visual, on tape or disk, or by any
other means or in any other form or media (by way of example, and without limitation).

IV. Role of the Receiving Party and purposes of processing

The Receiving Party shall process the Data communicated to it by the Disclosing Party under this Notice as a Controller, specifically for the evaluation and consideration of the Potential Transaction.

V. Data Security

Each Party shall take the appropriate technical and organizational security measures that are necessary to protect the Data from accidental or unauthorized destruction, accidental loss, as well as from alteration, access and any other unauthorized processing of the Data. The Disclosing and the Receiving Party shall each be responsible for any legally
required notifications to the competent supervisory authorit(y)(ies) or affected individuals as a result of a security breach involving Data processed by it as a Controller.

VI. Information of Individuals

The Disclosing Party shall ensure that the Individuals to whom the Disclosing Party’s Data relates are properly informed in accordance with the Data Protection Legislation that Disclosing Party’s Data relating to them may be disclosed to the Receiving Party in connection with the Potential Transaction.

For this purpose, the Receiving Party hereby delegates to the Disclosing Party, which agrees, the following obligations of the Receiving Party under the Data Protection Legislation:

  • ensure that all Individual’s Data collected and/or processed by the Disclosing Party are accurate, complete and up-to-date;
  • confirms that the Individuals are properly informed about their rights and obligations under GDPR. For that purpose, the Disclosing Party shall provide the information below to the Individuals:
  • contact details at the Receiving Party for GDPR related requests, i.e.;
  • the categories of the Data processed by the Receiving Party and the fact that these Data have been obtained from them;
  • the purposes of the processing set out above as well as the legal basis for the processing (i.e. the legitimate interest of the Receiving Party in order to carry out the Potential Transaction;
  • the (categories of) recipients of their Data, i.e. the Receiving Party, its affiliates, branches, and service providers; GDPR Notice related to the signing of an NDA 2021 3
  • the fact that the Receiving Party may transfer Disclosing Party’s Data to a third country which does not provide an adequate level of protection for personal data, but has put in place appropriate safeguards to protect their Data and that they can obtain a copy of such appropriate safeguards by contacting the Receiving Party;
  • the fact that the Receiving Party will retain Personal Data for as long as needed or permitted in light of the purpose (s) for which it was obtained. The criteria used to determine the retention period includes: 
    • (i) the length of time the Receiving Party has on-going relationship with the Disclosing Party;
    • (ii) whether there is a legal obligation to which the Receiving Party is subject to; and
    • (iii) whether retention is advisable in light of the Receiving Party legal position (such as in regard to applicable statutes of litigation or regulatory investigations).;
  • the fact that when individuals communicate with the Receiving Party, to the extent permitted or required by applicable law, telephone conversations and electronic communications, including emails, maybe recorded and/or monitored for evidentiary, compliance and governance purposes; 
  • the Individuals’ rights under Data Protection Legislation, including the
    right to: 
    • (a) request access to, rectification and erasure of their Data as well as restriction of or objection to their processing;
    • (b) data portability;
    • (c) obtain a copy of the agreement embodying the adequate safeguard referred to in the present section with indication of the means to obtain such copy; and
    • (d) make a complaint to the competent supervisory authority.
  • develop and implement appropriate procedures for timely handling complaints or requests by Individuals to exercise their subject access or other rights under the GDPR as listed above and for cooperating with the Receiving Party and/or its affiliates or branches in the event the Receiving Party and/or its affiliates or branches receive such requests directly from the Individuals.

For any GDPR request, please contact: