2. Background and Purpose
3. First Eagle as a Data Controller
3.1 First Eagle will act as a Data Controller in respect of Personal Data provided to us by various individuals in connection with the management, operation and administration of First Eagle. Such individuals will generally be limited to the following:
(a) Shareholders / Unitholders in pooled vehicles and separate accounts for which First Eagle acts as investment manager;
(b) Directors, designated persons and other individuals performing “controlled functions” within First Eagle under regimes of applicable government regulators;
(c) Employees of service providers who provide services to First Eagle; and (d) Employees of First Eagle.
3.2 Personal Data is processed by First Eagle for the following purposes:1
6. Special Categories of Data
6.1 First Eagle will not ordinarily obtain or Process Special Categories of Data (“SCD”), however, if in the very limited circumstances where it does so (for example, in relation to any data relating to the health of a director of a First Eagle entity who is resident in the European Economic Area or Switzerland) it shall Process such Personal data in accordance with Data Protection Law.
7. Individual Data Subject Rights
7.1 Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):
(a) the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
(b) the right of access to Personal Data;
(c) the right to amend and rectify any inaccuracies in Personal Data;
(d) the right to erase Personal Data (right to be forgotten);
(e) the right of data portability;
(f) the right to restrict Processing;
(g) the right to object to Processing; and
(h) the right to object to automated decision making, including profiling;
7.2 These Data Subject Rights will be exercisable by data subjects subject to limitations as provided for Data Protection Law. In certain circumstances it may not be feasible for First Eagle to discharge these rights, for example because of the structure of First Eagle or the way the Shareholder / Unitholder holds Shares / Units in a Fund. Data subjects may make a request to First Eagle to exercise any of the Data Subject Rights by contacting the Legal and Compliance Department at firstname.lastname@example.org. Requests shall be dealt with in accordance with Data Protection Law.
8. Data Security and Data Breach
8.1 First Eagle undertakes to hold any Personal Data provided by Shareholders / Unitholders in confidence and in accordance with the Data Protection Law. Accordingly, we and our service providers have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.
8.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by First Eagle will be dealt with in accordance with Data Protection Law and First Eagle’s Personal Data Security Breach Procedure (for use in connection with EU residents only).
9. Disclosing Personal Data
9.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data) and for the purposes of fraud prevention or investigation. In relation to Shareholders / Unitholders, First Eagle may be required to disclose Personal Data relating to U.S. Reportable Persons to the U.S. Internal Revenue Service for purposes of FATCA compliance.
9.2 We may also disclose Personal Data to delegates, professional advisors, service providers (e.g., investment managers, distributors, administrators and depositaries) regulatory bodies, auditors, technology providers and any of the respective related, associated or affiliated companies of the foregoing for the same or related purpose(s).
10. Data Retention
10.1 We will keep Personal Data for:
(a) the duration of the investment by an investor in a product or account managed by First Eagle and afterwards in accordance with First Eagle’s legal and regulatory obligations and any applicable record retention policy of First Eagle;
(b) such period as may be deemed by us to be necessary in light of applicable statutory limitation periods; and
11. Data Transfers outside the EEA
11.1 From time to time, First Eagle may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as the United Kingdom. If such transfer occurs, First Eagle will ensure that such processing of Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission) or ensuring that the recipient is Privacy Shield certified, if appropriate.
12. Further Information/Complaints Procedure
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.
“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and any other laws which apply to First Eagle in relation to the Processing of Personal Data.
“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal Data” is any information relating to a living individual who is resident in the European Economic Area which allows the identification of that individual. Personal Data can include:
• a name, an identification number;
• details about an individual’s location; or
• any other information that is specific to that individual.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.