Data privacy notices

How we collect and use your personal information

Before we begin

As an HSBC Asset Management (UK) Limited client or investor, we may collect and use personal information about you or individuals connected with you eg; your directors, employees and/or agents.

This notice explains how we will use that information, who we might share it with, and what steps we’ll take to make sure it stays private and secure. This notice continues to apply even if your agreement with us ends.

This notice applies to any personal data we receive from you, create or obtain from other sources and explains how it will be used by us. If we’ve provided you with separate or further information about how we collect and use your personal information for a particular product or service, those terms will continue to apply to that service. If you interact with HSBC in a different context, eg as a banking customer or in a country outside the EU, separate terms will apply to that interaction.

It is important that you take the time to read and understand this notice so that you understand how we will use personal information relating to you, your directors, employees and/or agents and the applicable rights in relation to that personal information.

Wherever we’ve said ‘you’ or ‘your’, this means any individual who deals with us and if you are acting on behalf of a company, trust or pension fund for and on behalf of that company, trust or pension fund. (eg directors, employees, consultants, agents) or other people connected to your account. This notice only applies to information about individuals and not to information which is solely related to companies, trusts or pension funds.

Wherever we’ve said ‘we’ or ‘our’, this includes HSBC Asset Management (UK) Limited and other companies in the HSBC Group. For the purposes of data protection law, HSBC Asset Management (UK) Limited is the data controller in relation to your information.

What information we collect

The information we collect or have about you will come from different sources. It will include information relating to any of our investment products or services (including any you may have applied for or held previously) or information we generate to improve our service and to manage, administer and take decisions about your account. Some of it will come directly from you. Some of it may come from other HSBC companies. Some of it we may find from publicly available sources which we have lawfully accessed. Some of it will come from third parties or other organisations (eg fraud prevention agencies). Some information will be the result of combining different sets of information. We sometimes also record telephone conversations and monitor e-mail communications to resolve complaints, improve our service and in order to comply with our legal and regulatory requirements.

This information will include:

• Information that you provide to us. This includes:
  • information about you that you give us when entering into an investment management agreement with us, applying for shares or units in any fund, or by communicating with us, whether face-to-face, by phone, e-mail, or otherwise. The information you give us will include your (and/or if applicable, your financial adviser or employee’s) name, address, e-mail address and phone number, financial and tax status, tax residency or nationality if required by law; and
  • information concerning your identity (eg passport or identification information).
• Information we collect or generate about you. This includes:
  • client relationship information, payment and trade transactions information and other financial information;
  • geographic information;
  • information included in relevant customer documentation (eg record of advice) and other comparable information; and
  • marketing and sales information, such as details of the advice and services you receive.
• Information we obtain from other sources. This includes:
  • communications information (eg email information, third party information, chat information, instant messages, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes); and
  • combined information from external sources (eg information pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information and information from fraud avoidance systems).
    
    See Appendix 1

How we’ll use your information

We will collect information about you for various reasons as set out in this privacy notice, including to:

• manage and administer your accounts and holdings;
• provide you with information, products and services you may request from us;
• deliver our products and services;
• verify your identity as part of our client onboarding process;
• detect and prevent fraud and money laundering;
• identify politically exposed persons;
• carry out your instructions;
• improve our products and services;
• keep track of our conversations with you (by phone, in person, by email or any kind of communication);
• manage our relationship with you – including (if you agree or unless you tell use otherwise) telling you about our products, or carrying out market research, providing you with updated copies of our terms of business, this Privacy Notice and/or such other documentation;
• corresponding with solicitors, and third party intermediaries;
• assessing your investment requirements, and/or eligibility for certain investment products; and
• manage our internal operational requirements for risk management, system or product development and planning, insurance, audit and administrative purposes.

Processing for any of the above purposes is necessary to enable us to pursue our legitimate business interests (or the legitimate interests of one or more of our affiliates). It will also be necessary for other reasons, as outlined below.

We will only use your information where we have a lawful basis for using it. These lawful bases include where:

• we need to pursue our legitimate business interests, such as enforcing the terms and conditions of any agreement we have with you;
• we need to process the information to perform our obligations under our contract with you;
• we need to process the information to comply with a legal and regulatory obligations;
• we need to establish, exercise or defend our legal rights and / or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and
• we have your consent, including the use of cookies.

See Appendix 2

Even if you ask us not to use your information, we will continue to use your personal information in circumstances where (a) the law says we have to; (b) we need to for the purposes of performing a contract; (c) we have a public interest to do so; or (d) we have a legitimate business reason for doing so.

Tracking or recording what you say or do

We will record and keep track of conversations you have with us – including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of messaging in order to use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes. We use closed circuit television (CCTV) in and around our offices for security purposes and so we may collect photos or videos of you, or record your voice through CCTV.

Who we share your information with

We will share your personal information with our affiliates or with entities external to HSBC Asset Management (UK) Limited where:

• we need to in order to enforce or apply the terms of use and other agreements that you have with us;
• we need to for the purposes of providing you with investment products and services you have requested (eg pursuant to an investment management agreement);
• we have a public or legal duty to do so eg to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights;
• we have a legitimate reason for doing so eg to manage risk, verify your identity, or assess your suitability for products and services, but only where our legitimate purpose is not outweighed by your rights;
• we have asked you for your permission to share it, and you’ve agreed;
• we need to ensure the safety and security of our data; or
• we need to for internal research and statistical analysis purposes.

We will transfer and disclose your information to the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate protections:

• other HSBC group companies and any sub-contractors, agents or service providers who work for, or provide services to, us or other HSBC group companies (including their employees, sub-contractors, directors and officers), such service providers will include any professional service providers, such as accountants, auditors, lawyers;
• anyone who deals with us in relation to your investment and agreement with us (eg financial adviser), the people you make payments to, your beneficiaries, intermediary, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges, and any companies you hold securities in through us (eg stocks, bonds or options);
• other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents;
• any person, company or other entity that has an interest in or takes on the risk in relation to or in connection with the products or services that we provide to you;
• any prospective or new HSBC companies (eg if we restructure, or acquire or merge with other companies) – or any businesses that buy part or all of any HSBC company;
• to auditors, regulators  or dispute resolution bodies and to comply with their requests;
• other companies who do marketing or market research for us (but not without your permission);
• if there’s a dispute over a transaction, anyone else who’s involved;
• law enforcement, government, courts, or our regulators; or fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by clicking on this link https://www.cifas.org.uk/privacy-notice

Sharing Aggregated or Anonymised Information

We will share aggregated or anonymised information outside of HSBC with partners such as research groups, universities or advertisers. For example, we will share such information publicly to show trends about the general use of our services. However, you won’t be able to be individually identified from this information.

How long we’ll keep your information

How long we hold your personal information for will vary. The retention period will be determined by various criteria including:

• the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
• legal obligations – laws or regulation may set a minimum period for which we have to store your personal data.

Transferring your information overseas

Your information may be transferred to, and stored at, a destination outside the United Kingdom “UK” , including to locations which may not have the same level of protection for personal information. Where we transfer and process your personal information outside the UK, it is done in order to perform our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate business interests.

Where we transfer your information outside the UK, we will ensure that it is protected by us in a manner that is consistent with how your information will be protected by us in the UK. We will always do this in a way that is permissible under data protection law.

You can obtain more details of the protection given to your information when it is transferred outside the UK by contacting us in accordance with the “More details about your information” section below.

Your rights

You have a number of rights in relation to the information that we hold about you. These rights include:

• the right to obtain information regarding the processing of your information and access to the information which we hold about you;
• the right to withdraw your consent to our processing of your information at any time. Please note, however, that we may still be entitled to process your information if we have another legitimate reason for doing so;
• the right to receive some information electronically and/or request that we transmit the information to a third party where this is technically feasible. Please note that this right only applies to information which you have provided to us;
• the right to request that we rectify your information if it is inaccurate or incomplete;
• the right to request that we erase your information. Please note that there may be circumstances where you ask us to erase your information but we are legally entitled to retain it;
• the right to object to and the right to request that we restrict our processing of your information. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your information but we are legally entitled to continue processing your information and / or to refuse that request; and
• the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.

Please note, that none of the above rights are absolute; by that we mean that there may be exceptions which apply to the above rights and how they apply. You can exercise your rights by contacting us using the details set out in the “More details about your information” section below. You can find out more information about your rights by contacting the Information Commissioner’s Office, or by visiting their website at https://ico.org.uk/

What we expect from you

You are responsible for making sure the information you give us is accurate and up to date. And you must tell us if anything changes, as soon as possible. If we ask you for any information and you do not provide it to us, we may need to stop providing products and services to you.

If you give us any personal information that does not relate to you (eg information about your financial adviser and/or your employees), you must obtain the necessary consent to disclose such personal information, tell them what information you have given to us, and make sure they agree we can use it as set out in this notice. You must also tell them how they can see what information we have about them and correct any mistakes.

Some of the links on our websites lead to other HSBC or non-HSBC websites, with their own privacy and information protection policies, which may be different to this notice.

How we keep your information secure

We implement internal technical and organisational measures to keep your information safe and secure which may include encryption, anonymisation and physical security measures. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

More details about your information

If you have any questions about any of the information in this privacy notice, then please get in touch with your usual contact.

Version Published Date / Last Updated: 25 May 2018

Appendix 1 – Information we collect about you

• Contact details such as your name, date and place of birth, and nationality, postal address, telephone number, email address.
• Identification information such as passport ID, date of birth, picture, paper copy of identity.
• Client Relationship Data eg products and services held (including pricing information), channels and modes of interaction, interactions with HSBC (eg call history, digital communications, feedback etc.), client accounts, holding and location information.
• Payment Transactions Data: such as records from our payments processing systems that contain the information about executed transactions and includes order information (eg payment order), payment information and other information from the fulfilment of our contractual obligations (eg sales information in payments processing).
• Other Financial Data: including information regarding your financial situation (eg, tax status or the source of your assets).
• Risk Data / Ratings: Credit risk ratings and risk identification information (incl. vendor risk management), predicted transactional behaviour, client due diligence and periodic review results, financial crime risk management (FCRM)  rating (high/medium/low), external intelligence reports, screening alerts (eg Transaction Screening, Name Screening, AML), unusual activity information (to develop (SARs) / and UARs).
• Investigations Data (Information pertaining to results from investigations on internal HSBC business practices, processes and operations). Grey information eg allegations of wrongdoing, considered unproven, highly sensitive, may be structured or unstructured.
• Information about the products and services allocated to clients, as well as information about credit decisioning variables and assumptions, posted collateral, calculated exposures, and likelihood estimates that the client cannot meet the commitment it has entered into. Data pertaining to known or suspected risk associated with clients, acquired from external watchlists and internal risk intelligence systems (eg Risk / Case Management).
• Data and artefacts required to support compliance to regulations that require screening of clients, their transactions and detection of suspicious and unusual activity.  FCC Risk Data.
• Profile Data for KYC purposes such as Individual identity and reference information, information published on the internet or which has been received from external providers; publically available or internally collected identity and demographic reference information about individuals who may be HSBC customers, connected parties, prospects, stakeholders or not at all related with HSBC (eg, marketing lists) that contain personally identifiable information.
• Information Security Risk Data; External information used to manage the information security threat environment, including watchlists, lists of bad URLs and known bad IP addresses, threat and vulnerability alerts, and information breach intelligence reports and news. Known actors (cyber criminals), external email addresses, leaked information lists (eg external breaches which has employees involved), acquired credit card / account details.
• Other Financial Data: investment portfolio details, investment fund details.
• Other non HSBC financial information (excluding Market Trades and Payment Transactions).
• Market Trades: Information about exchanges in ownership of cash, securities or financial instruments between individuals or organizations through an exchange (i.e. organized market) or over the counter, which results in one or more transactions recorded in an account.  This may include Buy side or Sell side trades and positions.
• Communications Data: eg email information, third party information, chat information, instant messages, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes.
• Information pertaining to results from investigations on internal HSBC business practices, processes and operations. Content and meta-data related to exchanges of information between and among individuals, organizations, workers, prospects, customers, other stakeholders and HSBC.  Electronically recorded communications in the form of voice, email, or chat; corporate media communications, operational communications between two or more individuals or organizations regarding any HSBC activity that is directly or indirectly supporting customer servicing, third-party relationship and fulfilment.
• Complaints information; including disputes / litigation (legal case and matter information including legal strategy, document production, deposition and court transcripts, legal billing and time booking information).
• Cookie Information: IP Address, Browser behaviour etc.
• User Activity Reports (UAR) and Suspicious Activity reports (SARs).

Appendix 2 – How we use the information

We will use your information for the following purposes:

1. Deliver our products and services, or process your transaction in order to meet your investment objectives: We will use your information to provide you with our products and services and to process your transactions.  We will do this in line with our legitimate interests, legal obligations and in order to perform our contract with you. 
2. Compliance with Laws and Regulations: comply with the law, or any relevant rules or regulations.  This may include to help detect or prevent crime (including terrorism, money laundering and other financial crimes), filing of relevant reports to regulators, disclosing information to authorities, regulators or government agencies to fulfil our legal obligations.  This is carried out to comply with legal obligations, because it is in the public interest, and because it is in our legitimate interest to do. 
3. Preventing and Detecting Crime: We will use your information to take measures to prevent crime including fraud monitoring and mitigation and fraud risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification, in order to comply with our legal obligations, because this is in the public interest to carry out and assess risk in our legitimate interest. We may share your information with fraud agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. Additionally we may take steps along with other financial institutions to help prevent financial crime and manage risk where we have a legitimate business interest or public interest to do so, such as where it is important to prevent or detect crime. We may be required to use your information to do this, even if you have asked us to stop using your information.  That could include (among other things):
   • screening, intercepting and investigating any payments, instructions or communications you send or receive (including drawdown requests and application forms);
   • investigating who you’re paying or who’s paying you eg checks on payments in and out of your account;
   • passing information to fraud prevention agencies, if we think you’ve given us false or inaccurate information, or we suspect fraud; 
   • combining the information we have about you with information from other HSBC companies; and
   • checking whether the people or organisations you’re paying or receiving payments from are who they say they are, and aren’t subject to any sanctions.
4. Security and Business Continuity: we take measures to aid business continuity, information security and we undertake physical security activities in order to fulfil our legal obligation and for internal risk strategy purposes as required in our legitimate interest.
5. Risk Management:  We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer loss. This may include credit risk, traded risk, operational risk & insurance risk. We will do this to fulfil our legal obligation and also because we have a legitimate interest in using your information for these purposes. 
6. Product & Service Improvement: We will use your information to identify possible service and product improvements (including profitability) by analysing information.  The lawful basis for processing your information for this purpose is our legitimate interests.
7. Cookies: When using any web-based applications, we will ask for your consent to our use of cookies. The lawful basis for processing your information for this purpose is consent.  
8. Information as a product: Where we collect your information for another purpose, eg for client on boarding, we may share such information or analytics results with third parties including other HSBC entities where it is in our legitimate interest to do so.  The information may be presented as research whitepapers, the delivery of customer-specific information or insights back to same customer, credit checks, and anonymisation of information for the wider market. If we need to process your information for any other purpose, we will notify you with details of the new purpose (and obtain consent, if required) prior to that further processing.  
9. Protecting our legal rights:  We may need to use your information to protect our legal rights such as in the case of defending or the protection of legal rights and interests (eg collecting money owed; defending rights of intellectual property); court action; managing complaints or disputes; in the event of a restructuring of companies or other mergers or acquisition.   We would use this on the basis of legitimate business interests.

Data Protection Notice

When you completed the application form you provided personal information, which may constitute “personal data” within the meaning of the Data Protection Legislation.

Investors’ personal data will be used by the ICAV for the following purposes:

• to manage and administer an investor’s holding in the ICAV and any related accounts on an ongoing basis;
• to carry out statistical analysis and market research as the ICAV’s legitimate business interest; and
• to comply with legal and regulatory obligations applicable to the investor and the ICAV from time to time including applicable anti-money laundering and counter terrorist financing legislation. In particular, in order to comply with the Common Reporting Standard (as implemented in Ireland by Section 891E, Section 891F and Section 891G of the Taxes Consolidation Act 1997 and regulations made pursuant to those sections) and Foreign Account Tax Compliant Act, investors’ personal data (including financial information) may be shared with the Irish Revenue Commissioners. They in turn may exchange information (including personal data and financial information) with foreign tax authorities (including the US Internal Revenue Service and foreign tax authorities located outside the EEA). Please consult the Automatic Exchange of Information webpage on www.revenue.ie for further information in this regard.

Investors’ personal data may be disclosed by the ICAV to its delegates, professional advisors, service providers, regulatory bodies, auditors, technology providers and any duly authorised agents or related, associated or affiliated companies of the foregoing for the same purpose(s).

Investors’ personal data may be transferred to countries which may not have the same or equivalent data protection laws as Ireland. If such transfer occurs, the ICAV is required to ensure that such processing of investors’ personal data is in compliance with Data Protection Legislation and, in particular, that appropriate measures are in place such as entering into standard contractual clauses (as published by the European Commission). More information on the means of transfer of investors’ data and a copy of the relevant safeguards, can be found at https://www.assetmanagement.hsbc.com/privacy-policy.

Pursuant to the Data Protection Legislation, investors have a number of rights which may be exercised in respect of their personal data, ie:

• the right of access to personal data held by the ICAV;
• the right to amend and rectify any inaccuracies in personal data held by the ICAV;
• the right to erase personal data held by the ICAV;
• the right to data portability of personal data held by the ICAV;
• the right to request restriction of the processing of personal data held by the ICAV;
• the right to object to processing of personal data by the ICAV. In certain circumstances it may not be feasible for the ICAV to discharge these rights, for example, if the shareholder remains a shareholder in the ICAV or the manner in which the shareholder holds shares in a Fund; and
• the right to object to automated decision making, including profiling.

These rights will be exercisable subject to limitations as provided for in the Data Protection Legislation. Investors may make a request to the ICAV to exercise these rights by contacting ifsinvestorqueries@hsbc.com

Please note that personal data may be retained by the ICAV for the duration of an investor’s investment and afterwards in accordance with the ICAV’s legal and regulatory obligations.

The ICAV is a data controller within the meaning of the Data Protection Legislation and undertakes to hold any personal information provided by investors in confidence and in accordance with the Data Protection Legislation. Information on how to raise queries, requests or comments in respect of this notice or the way in which the ICAV uses investors’ personal data, can be found at http://www.global.assetmanagement.hsbc.com/privacy-notices. Note that investors have the right to lodge a complaint with the Office of the Data Protection Commissioner.

For the purpose of this notice Data Protection Legislation means: “the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Irish Data Protection Acts 1988 and 2018, the EU ePrivacy Directive 2002/58/EC (the “ePrivacy Directive”) and any other national data protection laws implementing, replacing or amending GDPR or ePrivacy Directive.”

How we collect and use your personal information

Before we begin

As an investor in our funds, we may collect and use personal information about you or individuals connected with you eg your directors, employees and/or agents.

This notice explains how we will use that information, who we might share it with, and what steps we’ll take to make sure it stays private and secure. This notice continues to apply even if your agreement with us ends.

This notice applies to any personal data we receive from you, create or obtain from other sources and explains how it will be used by us. If we’ve provided you with separate or further information about how we collect and use your personal information for a particular product or service, those terms will continue to apply to that service. If you interact with HSBC in a different context, eg as a banking customer or in a country outside the EU, separate terms will apply to that interaction.

It is important that you take the time to read and understand this notice so that you understand how we will use personal information relating to you, your directors, employees and/or agents and the applicable rights in relation to that personal information.

Wherever we’ve said ‘you’ or ‘your’, this means any individual who deals with us and if you are acting on behalf of a company, trust or pension fund for and on behalf of that company, trust or pension fund. (eg directors, employees, consultants, agents) or other people connected to your account. This notice only applies to information about individuals and not to information which is solely related to companies, trusts or pension funds.

Wherever we’ve said ‘we’ or ‘our’, this includes HSBC Asset Management (UK) Limited and other companies in the HSBC Group. For the purposes of data protection law, HSBC Asset Management (UK) Limited is the data controller in relation to your information.

What information we collect

The information we collect or have about you will come from different sources. It will include information relating to any of our investment products or services (including any you may have applied for or held previously) or information we generate to improve our service and to manage, administer and take decisions about your account. Some of it will come directly from you. Some of it may come from other HSBC companies. Some of it we may find from publicly available sources which we have lawfully accessed. Some of it may come from third parties or other organisations (eg fraud prevention agencies). Some information will be the result of combining different sets of information. We sometimes also record telephone conversations and monitor e-mail communications to resolve complaints, improve our service and in order to comply with our legal and regulatory requirements.

This information will include:

• Information that you provide to us. This includes:
  • information about you that you give us when entering into an agreement with us, applying for shares or units in any fund, or by communicating with us, whether face-to-face, by phone, e-mail, or otherwise. The information you give us will include your (and/or if applicable, your financial adviser or employee’s) name, address, e-mail address and phone number, financial and tax status, tax residency or nationality if required by law;
  • information concerning your identity (eg passport or identification information);
  • information about your employment status (employed, retired, or receiving benefits); and/or
  • other information about your sources of wealth/income will be collected where necessary to assess your investment requirements, and or eligibility for certain investment products.
• Information we collect or generate about you. This includes:
  • client relationship information, payment and trade transactions information and other financial information;
  • geographic information;
  • information included in relevant customer documentation (eg record of advice) and other comparable information; and
  • marketing and sales information, such as details of the advice and services you receive.
• Information we obtain from other sources. This includes:
  • communications information (eg email information, third party information, chat information, instant messages, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes); and
  • combined information from external sources (eg information pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information and information from fraud avoidance systems).
    
    See Appendix 1

How we’ll use your information

We will collect information about you for various reasons as set out in this privacy notice, including to:

• manage and administer your accounts and holdings;
• provide you with information, products and services you may request from us;
• deliver our products and services;
• verify your identity as part of our client onboarding process;
• detect and prevent fraud and money laundering;
• identify politically exposed persons;
• carry out your instructions;
• improve our products and services;
• keep track of our conversations with you (by phone, in person, by email or any kind of communication);
• manage our relationship with you – including (if you agree or unless you tell use otherwise) telling you about our products, or carrying out market research, providing you with updated copies of our terms of business, this Privacy Notice and/or other such documentation;
• corresponding with solicitors, and third party intermediaries;
• assessing your investment requirements, and/or eligibility for certain investment products;
• to process your subscriptions, switch, conversion or redemption instructions;
• to enable payments to be made and/or currency converted in relation to your investments;
• to notify you about changes to your investment (such as change in the name of an investment fund), or to assist you exercise your rights in relation to your investments (such as any voting rights which you may have); and/or to evidence your ownership of your investments; and/or
• to manage the investments appropriately including maintaining a register of investors, determining and then actioning the outcomes of investor votes; and
• manage our internal operational requirements for risk management, system or product development and planning, insurance, audit and administrative purposes.

Processing for any of the above purposes is necessary to enable us to pursue our legitimate business interests (or the legitimate interests of one or more of our affiliates). It will also be necessary for other reasons, as outlined below.

We will only use your information where we have a lawful basis for using it. These lawful bases include where:

• we need to pursue our legitimate business interests, such as enforcing the terms and conditions of any agreement we have with you;
• we need to process the information to perform our obligations under our contract with you;
• we need to process the information to comply with a legal and regulatory obligations;
• we need to establish, exercise or defend our legal rights and / or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and
• we have your consent, including the use of cookies.

See Appendix 2

Even if you ask us not to use your information, we will continue to use your personal information in circumstances where (a) the law says we have to; (b) we need to for the purposes of performing a contract; (c) we have a public interest to do so; or (d) we have a legitimate business reason for doing so.

Tracking or recording what you say or do

We will record and keep track of conversations you have with us – including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of messaging in order to use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes. We use closed circuit television (CCTV) in and around our offices for security purposes and so we may collect photos or videos of you, or record your voice through CCTV.

Who we share your information with

We will share your personal information with our affiliates or with entities external to HSBC Asset Management (UK) Limited where:

• we need to in order to enforce or apply the terms of use and other agreements that you have with us;
• we need to for the purposes of providing you with investment products and services you have requested (eg pursuant to an investment management agreement);
• we have a public or legal duty to do so eg to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights;
• we have a legitimate reason for doing so eg to manage risk, verify your identity, or assess your suitability for products and services, but only where our legitimate purpose is not outweighed by your rights;
• we have asked you for your permission to share it, and you’ve agreed;
• we need to ensure the safety and security of our data; or
• we need to for internal research and statistical analysis purposes.

We will transfer and disclose your information to the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate protections:

• other HSBC group companies and any sub-contractors, agents or service providers who work for, or provide services to, us or other HSBC group companies (including their employees, sub-contractors, directors and officers), such service providers will include any professional service providers, such as accountants, auditors, lawyers;
• anyone who deals with us in relation to your investment and agreement with us (eg financial adviser), the people you make payments to, your beneficiaries, intermediary, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges, and any companies you hold securities in through us (eg stocks, bonds or options);
• other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents;
• any person, company or other entity that has an interest in or takes on the risk in relation to or in connection with the products or services that we provide to you;
• any prospective or new HSBC companies (eg if we restructure, or acquire or merge with other companies) – or any businesses that buy part or all of any HSBC company;
• to auditors, regulators or dispute resolution bodies and to comply with their requests;
• other companies who do marketing or market research for us (but not without your permission);
• if there’s a dispute over a transaction, anyone else who’s involved;
• law enforcement, government, courts, or our regulators; or fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by clicking on this link https://www.cifas.org.uk/privacy-notice

Sharing Aggregated or Anonymised Information

We will share aggregated or anonymised information outside of HSBC with partners such as research groups, universities or advertisers. For example, we will share such information publicly to show trends about the general use of our services. However, you won’t be able to be individually identified from this information.

How long we’ll keep your information

How long we hold your personal information for will vary. The retention period will be determined by various criteria including:

• the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
• legal obligations – laws or regulation may set a minimum period for which we have to store your personal data.

Transferring your information overseas

Your information may be transferred to, and stored at, a destination outside the United Kingdom “UK” , including to locations which may not have the same level of protection for personal information. Where we transfer and process your personal information outside the UK , it is done in order to perform our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate business interests.

Where we transfer your information outside the UK , we will ensure that it is protected by us in a manner that is consistent with how your information will be protected by us in the UK . We will always do this in a way that is permissible under data protection law.

You can obtain more details of the protection given to your information when it is transferred outside the UK by contacting us in accordance with the “More details about your information” section below.

Your rights

You have a number of rights in relation to the information that we hold about you. These rights include:

• the right to obtain information regarding the processing of your information and access to the information which we hold about you;
• the right to withdraw your consent to our processing of your information at any time. Please note, however, that we may still be entitled to process your information if we have another legitimate reason for doing so;
• the right to receive some information electronically and/or request that we transmit the information to a third party where this is technically feasible. Please note that this right only applies to information which you have provided to us;
• the right to request that we rectify your information if it is inaccurate or incomplete;
• the right to request that we erase your information. Please note that there may be circumstances where you ask us to erase your information but we are legally entitled to retain it;
• the right to object to and the right to request that we restrict our processing of your information. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your information but we are legally entitled to continue processing your information and / or to refuse that request; and
• the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.

Please note, that none of the above rights are absolute; by that we mean that there may be exceptions which apply to the above rights and how they apply. You can exercise your rights by contacting us using the details set out in the “More details about your information” section below. You can find out more information about your rights by contacting the Information Commissioner’s Office, or by visiting their website at https://ico.org.uk/.

What we expect from you

You are responsible for making sure the information you give us is accurate and up to date. And you must tell us if anything changes, as soon as possible. If we ask you for any information and you do not provide it to us, we may need to stop providing products and services to you.

If you give us any personal information that does not relate to you (eg information about your financial adviser and/or your employees), you must obtain the necessary consent to disclose such personal information, tell them what information you have given to us, and make sure they agree we can use it as set out in this notice. You must also tell them how they can see what information we have about them and correct any mistakes.

Some of the links on our websites lead to other HSBC or non-HSBC websites, with their own privacy and information protection policies, which may be different to this notice.

How we keep your information secure

We implement internal technical and organisational measures to keep your information safe and secure which may include encryption, anonymisation and physical security measures. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

More details about your information

If you would like further information on any of the information above, please address questions, comments and requests to us at HSBCenquiries@ntrs.com or 0800 358 3011.

This Privacy Notice may be updated from time to time, please see the latest version here: https://www.global.assetmanagement.hsbc.com/privacy-policy

Version Published Date / Last Updated: 25 May 2018

Appendix 1 – Information we collect about you

• Contact details such as your name, date and place of birth, and nationality, postal address, telephone number, email address
• Identification information such as passport ID, date of birth, picture, paper copy of identity
• Client Relationship Data eg products and services held (including pricing information), channels and modes of interaction, interactions with HSBC (eg call history, digital communications, feedback etc.), client accounts, holding and location information
• Payment Transactions Data: such as records from our payments processing systems that contain the information about executed transactions and includes order information (eg payment order), payment information and other information from the fulfilment of our contractual obligations (eg sales information in payments processing)
• Other Financial Data: including information regarding your financial situation (eg, tax status or the source of your assets)
• Risk Data / Ratings: Credit risk ratings and risk identification information (incl. vendor risk management), predicted transactional behaviour, client due diligence and periodic review results, financial crime risk management (FCRM) rating (high/medium/low), external intelligence reports, screening alerts (eg Transaction Screening, Name Screening, AML), unusual activity information (to develop (SARs) / and UARs)
• Investigations Data (Information pertaining to results from investigations on internal HSBC business practices, processes and operations). Grey information eg allegations of wrongdoing, considered unproven, highly sensitive, may be structured or unstructured
• Information about the products and services allocated to clients, as well as information about credit decisioning variables and assumptions, posted collateral, calculated exposures, and likelihood estimates that the client cannot meet the commitment it has entered into. Data pertaining to known or suspected risk associated with clients, acquired from external watchlists and internal risk intelligence systems (eg Risk / Case Management)
• Data and artefacts required to support compliance to regulations that require screening of clients, their transactions and detection of suspicious and unusual activity. FCC Risk Data
• Profile Data for KYC purposes such as Individual identity and reference information, information published on the internet or which has been received from external providers; publically available or internally collected identity and demographic reference information about individuals who may be HSBC customers, connected parties, prospects, stakeholders or not at all related with HSBC (eg, marketing lists) that contain personally identifiable information
• Information Security Risk Data; External information used to manage the information security threat environment, including watchlists, lists of bad URLs and known bad IP addresses, threat and vulnerability alerts, and information breach intelligence reports and news. Known actors (cyber criminals), external email addresses, leaked information lists (eg external breaches which has employees involved), acquired credit card / account details
• Other Financial Data: investment portfolio details, investment fund details
• Other non HSBC financial information (excluding Market Trades and Payment Transactions)
• Market Trades: Information about exchanges in ownership of cash, securities or financial instruments between individuals or organizations through an exchange (ie organized market) or over the counter, which results in one or more transactions recorded in an account. This may include Buy side or Sell side trades and positions
• Communications Data: eg email information, third party information, chat information, instant messages, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes
• Information pertaining to results from investigations on internal HSBC business practices, processes and operations. Content and meta-data related to exchanges of information between and among individuals, organizations, workers, prospects, customers, other stakeholders and HSBC. Electronically recorded communications in the form of voice, email, or chat; corporate media communications, operational communications between two or more individuals or organizations regarding any HSBC activity that is directly or indirectly supporting customer servicing, third-party relationship and fulfilment
• Complaints information; including disputes / litigation (legal case and matter information including legal strategy, document production, deposition and court transcripts, legal billing and time booking information)
• Cookie Information: IP Address, Browser behaviour etc
• User Activity Reports (UAR) and Suspicious Activity reports (SARs)

Appendix 2 – How we use the information

We will use your information for the following purposes:

1. Deliver our products and services, or process your transaction in order to meet your investment objectives: We will use your information to provide you with our products and services and to process your transactions. We will do this in line with our legitimate interests, legal obligations and in order to perform our contract with you
2. To provide investment products and services: communicate with you about your investment, administer and process your investments including any subscription, switch, conversion and/or redemption instructions, enabling the payments from investments and any currency conversion which may be required, managing a register of investors, which actions are undertaken in order to comply with our contract with you. Additionally, we may use your personal information in order to organise general meetings and extraordinary general meetings of the funds you may be invested in, determining the outcome of investor votes; assessing eligibility for certain investments, all of which are undertaken in order that we can comply with legal obligations placed on us
3. Compliance with Laws and Regulations: comply with the law, or any relevant rules or regulations. This may include to help detect or prevent crime (including terrorism, money laundering and other financial crimes), filing of relevant reports to regulators, disclosing information to authorities, regulators or government agencies to fulfil our legal obligations. This is carried out to comply with legal obligations, because it is in the public interest, and because it is in our legitimate interest to do
4. Preventing and Detecting Crime: We will use your information to take measures to prevent crime including fraud monitoring and mitigation and fraud risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification, in order to comply with our legal obligations, because this is in the public interest to carry out and assess risk in our legitimate interest. We may share your information with fraud agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. Additionally we may take steps along with other financial institutions to help prevent financial crime and manage risk where we have a legitimate business interest or public interest to do so, such as where it is important to prevent or detect crime. We may be required to use your information to do this, even if you have asked us to stop using your information. That could include (among other things):
   • screening, intercepting and investigating any payments, instructions or communications you send or receive (including drawdown requests and application forms);
   • investigating who you’re paying or who’s paying you eg checks on payments in and out of your account;
   • passing information to fraud prevention agencies, if we think you’ve given us false or inaccurate information, or we suspect fraud;
   • combining the information we have about you with information from other HSBC companies; and
   • checking whether the people or organisations you’re paying or receiving payments from are who they say they are, and aren’t subject to any sanctions.
5. Security and Business Continuity: we take measures to aid business continuity, information security and we undertake physical security activities in order to fulfil our legal obligation and for internal risk strategy purposes as required in our legitimate interest
6. Risk Management: We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer loss. This may include credit risk, traded risk, operational risk and insurance risk. We will do this to fulfil our legal obligation and also because we have a legitimate interest in using your information for these purposes
7. Product and Service Improvement: We will use your information to identify possible service and product improvements (including profitability) by analysing information. The lawful basis for processing your information for this purpose is our legitimate interests
8. Cookies: When using any web-based applications, we will ask for your consent to our use of cookies. The lawful basis for processing your information for this purpose is consent
9. Information as a product: Where we collect your information for another purpose, eg for client on boarding, we may share such information or analytics results with third parties including other HSBC entities where it is in our legitimate interest to do so. The information may be presented as research whitepapers, the delivery of customer-specific information or insights back to same customer, credit checks, and anonymisation of information for the wider market. If we need to process your information for any other purpose, we will notify you with details of the new purpose (and obtain consent, if required) prior to that further processing
10. Protecting our legal rights: We may need to use your information to protect our legal rights such as in the case of defending or the protection of legal rights and interests (eg collecting money owed; defending rights of intellectual property); court action; managing complaints or disputes; in the event of a restructuring of companies or other mergers or acquisition. We would use this on the basis of legitimate business interests

Processing of Personal Data on behalf of HSBC UCITS Common Contractual Fund (the CCF)

Dear Unitholder

This notice sets out important information in relation to the processing of Personal Data by, or on behalf of, the CCF in accordance with the Data Protection Legislation.

1. Definitions

Unless otherwise defined herein, defined terms shall have the meaning ascribed to them in the Prospectus of the Company.

Data Protection Legislation means the Irish Data Protection Acts 1988 and 2003, EU Data Protection Directive 95/46/EC and the EU Privacy & Electronic Communications Directive 2002/58/EC, any relevant amendments and replacement legislation including the EU General Data Protection Regulation (EU) 2016/679, European Commission decisions, binding EU and national guidance and all national implementing legislation.

GDPR means Regulation (EU) 2016/679 known as the General Data Protection Regulation, which comes into force on 25 May 2018.

Personal Data means any data relating to a living individual who can be identified directly from that data or indirectly in conjunction with other information in accordance with the Data Protection Legislation.

2. Data Use

Personal Data may be provided to the CCF in connection with your investment in the Company. The Manager on behalf of the CCF may hold some or all of the following types of Personal Data in relation to you as a Unitholder and/or prospective investor (and your directors, officers, employees and/or beneficial owners): name, address/other contact details (telephone, email address), date/place of birth, gender, tax number, FATCA or CRS status, nationality, bank details, photographic ID, proofs of address (usually utility bills) as furnished by you as a Unitholder or prospective investor when completing the application form for subscription of shares in the CCF or to keep that information up to date. The Manager on behalf of the CCF or its delegate or service provider may also obtain further Personal Data on those individuals by way of PEP (Politically Exposed Person) checks, sanctions checks, negative news checks and screening checks. The Company is obliged to verify the Personal Data and carry out ongoing monitoring.

Where you have furnished Personal Data in respect of your officers, employees and beneficial owners to the Company, you must furnish the information in this notice on data protection to them.

In the course of business, the Manager on behalf of the CCF may collect, record, store, adapt, transfer and otherwise process Personal Data. The Manager on behalf of the CCF is a data controller within the meaning of Data Protection Legislation and will hold any Personal Data provided by or in respect of investors in accordance with Data Protection Legislation.

The Manager on behalf of the CCF and/or any of its delegates or service providers and its or their duly authorised agents (including the Administrator, Depositary, Investment Manager, Distributor, paying, correspondent or representative agents, Auditor and Tax Advisers) may process a Unitholder's and/or prospective investor's Personal Data for any one or more of the following purposes and on the following legal bases:

1. to operate the CCF and the Funds, including managing and administering a Unitholder's investment in the CCF or a Fund, including for transfer agency or analysis, and any related accounts on an on-going basis which enables the CCF to satisfy the contractual duties and obligations to the Unitholder or investor and any processing necessary for the preparation of the contract with the Unitholder or investor;
2. to comply with any applicable legal, tax or regulatory obligations or guidance applicable to Unitholders or investors or the CCF, for example, under the the Central Bank UCITS Regulations, the UCITS Regulations, anti-money laundering and counter¬terrorism and tax legislation, requirements or guidance, including FATCA and CRS (as defined below) and/or fraud prevention; crime detection, prevention and investigation;
3. for any other legitimate business interests' of the CCF or a third party to whom Personal Data is disclosed, where such interests are not overridden by the interests of the investor, including for statistical analysis, market research purposes and to perform financial and/or regulatory reporting.

Please note that you have a right to object to the processing of your Personal Data where that processing is carried out for our legitimate interests.

The Manager of the CCF and/or any of its appointees, delegates or service providers may disclose or transfer Personal Data, whether in Ireland or elsewhere (including entities situated in countries outside of the EEA), to other delegates, duly appointed agents and service providers in respect of the CCF (and any of their respective related, associated or affiliated companies or sub-delegates) and to third parties including advisers, regulatory bodies, taxation authorities, auditors, and technology providers or to its service providers or delegates for the purposes specified above.

The Manager on behalf of the CCF and/or any of its appointees, delegates and service providers will not transfer Personal Data to a country outside of the EEA, unless that country ensures an adequate level of data protection or appropriate safeguards are in place. The European Commission has prepared a list of countries that are deemed to provide an adequate level of data protection which, to date, includes Switzerland, Guernsey, Argentina, the Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay. Further countries, including the United Kingdom may be added to this list by the European Commission at any time. The US is also deemed to provide an adequate level of protection where the US recipient of the data is privacy shield-certified. If a third country such as the United Kingdom, is not considered to provide an adequate level of data protection by the European Commission, then the Company and/or any of its appointees, delegates and service providers will ensure it puts in place appropriate safeguards, such as the model clauses (which are standardised contractual clauses, approved by the European Commission) or binding corporate rules, or relies on one of the derogations provided for in Data Protection Legislation. In the event that data is transferred to any such countries outside of the EEA details will be made available via https://www.global.assetmanagement.hsbc.com/privacy-policy.

Please note that Personal Data will be retained by or on behalf of CCF for the duration of a Unitholder's investment and otherwise in accordance with applicable legal obligations. The Manger on behalf of the CCF will take all reasonable steps to destroy or erase the data from its systems when they are no longer required.

Unitholders and investors have a right of access to their Personal Data kept by or on behalf of the CCF, the right to amend and rectify any inaccuracies in their Personal Data held by or on behalf of the CCF, the right to data portability of their personal data held by or on behalf of the CCF and the right to object to the processing of their Personal Data where that processing is carried out for our legitimate interests, subject in each case to any restrictions imposed by Data Protection Legislation and any statutory obligations to retain information, including but not limited to, any anti-money laundering, counter-terrorism, or tax legislation. Where specific processing is based on an investor's consent, that investor has the right to withdraw it at any time. For further information in relation to your data protection rights refer to the website of the Office of the Data Protection Commissioner at www.dataprotection.ie.

Where processing is carried out on behalf of the CCF, the Manager on behalf of the CCF shall engage a data processor, within the meaning of Data Protection Legislation, which implements appropriate technical and organisational security measures in a manner that such processing meets the requirements of Data Protection Legislation and ensures the protection of the rights of investors. The Manager on behalf of the CCF will enter into a written contract with the data processor which will set out the data processor's specific mandatory obligations laid down in Data Protection Legislation.

As part of the CCF's business and ongoing monitoring, the Manager or its delegate on behalf of the CCF may from time to time carry out automated decision-making in relation to investors, including, for example, profiling of investors in the context of anti-money laundering reviews, and this may result in an investor being identified to the revenue authorities, law enforcement authorities and to other entities where required by law, and the Company terminating its relationship with the investor.

Unitholders and investors are required to provide their Personal Data for statutory and contractual purposes. Failure to provide the required Personal Data will result in the Manager on behalf of the CCF being unable to permit, process, or release the investor's investment in the Funds and this may result in the termination the relationship with the investor. Investors have a right to lodge a complaint with the Data Protection Authority if they are unhappy with how their Personal Data is being handled.

Any questions about the operation of this data protection policy should be referred in the first instance to HSBC_TA_Queries@ntrs.com or +353 1 434 5163.

We thank you for your continued support of the CCF.

Data Protection Notice

When you completed the application form you provided personal information, which may constitute “personal data” within the meaning of the Data Protection Legislation.

Investors’ personal data will be used by the Company for the following purposes:

• to manage and administer an investor’s holding in the Company and any related accounts on an ongoing basis;
• to carry out statistical analysis and market research as the Company’s legitimate business interest; and
• to comply with legal and regulatory obligations applicable to the investor and the Company from time to time including applicable anti-money laundering and counter terrorist financing legislation. In particular, in order to comply with the Common Reporting Standard (as implemented in Ireland by Section 891E, Section 891F and Section 891G of the Taxes Consolidation Act 1997 and regulations made pursuant to those sections) and Foreign Account Tax Compliant Act, investors’ personal data (including financial information) may be shared with the Irish Revenue Commissioners. They in turn may exchange information (including personal data and financial information) with foreign tax authorities (including the US Internal Revenue Service and foreign tax authorities located outside the EEA). Please consult the Automatic Exchange of Information webpage on www.revenue.ie for further information in this regard.

Investors’ personal data may be disclosed by the Company to its delegates, professional advisors, service providers, regulatory bodies, auditors, technology providers and any duly authorised agents or related, associated or affiliated companies of the foregoing for the same purpose(s).

Investors’ personal data may be transferred to countries which may not have the same or equivalent data protection laws as Ireland. If such transfer occurs, the Company is required to ensure that such processing of investors’ personal data is in compliance with Data Protection Legislation and, in particular, that appropriate measures are in place such as entering into standard contractual clauses (as published by the European Commission). More information on the means of transfer of investors’ data and a copy of the relevant safeguards, can be found at https://www.assetmanagement.hsbc.com/privacy-policy.

Pursuant to the Data Protection Legislation, investors have a number of rights which may be exercised in respect of their personal data, ie:

• the right of access to personal data held by the Company;
• the right to amend and rectify any inaccuracies in personal data held by the Company;
• the right to erase personal data held by the Company;
• the right to data portability of personal data held by the Company;
• the right to request restriction of the processing of personal data held by the Company;
• the right to object to processing of personal data by the Company. In certain circumstances it may not be feasible for the Company to discharge these rights, for example, if the shareholder remains a shareholder in the Company or the manner in which the shareholder holds shares in a Fund; and
• the right to object to automated decision making, including profiling.

These rights will be exercisable subject to limitations as provided for in the Data Protection Legislation. Investors may make a request to the Company to exercise these rights by contacting ifsinvestorqueries@hsbc.com

Please note that personal data may be retained by the Company for the duration of an investor’s investment and afterwards in accordance with the Company’s legal and regulatory obligations.

The Company is a data controller within the meaning of the Data Protection Legislation and undertakes to hold any personal information provided by investors in confidence and in accordance with the Data Protection Legislation. Information on how to raise queries, requests or comments in respect of this notice or the way in which the Company uses investors’ personal data, can be found at http://www.global.assetmanagement.hsbc.com/privacy-notices. Note that investors have the right to lodge a complaint with the Office of the Data Protection Commissioner.

For the purpose of this notice Data Protection Legislation means: “the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Irish Data Protection Acts 1988 and 2018, the EU ePrivacy Directive 2002/58/EC (the “ePrivacy Directive”) and any other national data protection laws implementing, replacing or amending GDPR or ePrivacy Directive.”

Data Protection Notice

When you completed the application form you provided personal information, which may constitute “personal data” within the meaning of the Data Protection Legislation.

Investors’ personal data will be used by the Company for the following purposes:

• to manage and administer an investor’s holding in the Company and any related accounts on an ongoing basis;
• to carry out statistical analysis and market research as the Company’s legitimate business interest; and
• to comply with legal and regulatory obligations applicable to the investor and the Company from time to time including applicable anti-money laundering and counter terrorist financing legislation. In particular, in order to comply with the Common Reporting Standard (as implemented in Ireland by Section 891E, Section 891F and Section 891G of the Taxes Consolidation Act 1997 and regulations made pursuant to those sections) and Foreign Account Tax Compliant Act, investors’ personal data (including financial information) may be shared with the Irish Revenue Commissioners. They in turn may exchange information (including personal data and financial information) with foreign tax authorities (including the US Internal Revenue Service and foreign tax authorities located outside the EEA). Please consult the Automatic Exchange of Information webpage on www.revenue.ie for further information in this regard.

Investors’ personal data may be disclosed by the Company to its delegates, professional advisors, service providers, regulatory bodies, auditors, technology providers and any duly authorised agents or related, associated or affiliated companies of the foregoing for the same purpose(s).

Investors’ personal data may be transferred to countries which may not have the same or equivalent data protection laws as Ireland. If such transfer occurs, the Company is required to ensure that such processing of investors’ personal data is in compliance with Data Protection Legislation and, in particular, that appropriate measures are in place such as entering into standard contractual clauses (as published by the European Commission). More information on the means of transfer of investors’ data and a copy of the relevant safeguards, can be found at https://www.assetmanagement.hsbc.com/privacy-policy.

Pursuant to the Data Protection Legislation, investors have a number of rights which may be exercised in respect of their personal data, ie:

• the right of access to personal data held by the Company;
• the right to amend and rectify any inaccuracies in personal data held by the Company;
• the right to erase personal data held by the Company;
• the right to data portability of personal data held by the Company;
• the right to request restriction of the processing of personal data held by the Company;
• the right to object to processing of personal data by the Company. In certain circumstances it may not be feasible for the Company to discharge these rights, for example, if the shareholder remains a shareholder in the Company or the manner in which the shareholder holds shares in a Fund; and
• the right to object to automated decision making, including profiling.

These rights will be exercisable subject to limitations as provided for in the Data Protection Legislation. Investors may make a request to the Company to exercise these rights by contacting HSBC.Dealingteam@bnymellon.com.

Please note that personal data may be retained by the Company for the duration of an investor’s investment and afterwards in accordance with the Company’s legal and regulatory obligations.

The Company is a data controller within the meaning of the Data Protection Legislation and undertakes to hold any personal information provided by investors in confidence and in accordance with the Data Protection Legislation. Information on how to raise queries, requests or comments in respect of this notice or the way in which the Company uses investors’ personal data, can be found at http://www.global.assetmanagement.hsbc.com/privacy-notices. Note that investors have the right to lodge a complaint with the Office of the Data Protection Commissioner.

For the purpose of this notice Data Protection Legislation means: “the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Irish Data Protection Acts 1988 and 2018, the EU ePrivacy Directive 2002/58/EC (the “ePrivacy Directive”) and any other national data protection laws implementing, replacing or amending GDPR or ePrivacy Directive.”

How we collect and use your personal information

Before we begin

As an HSBC Alternative Investments Limited client, we may collect and use personal information about you or individuals connected with you e.g; your directors, employees and/or agents.

This notice explains how we will use that information, who we might share it with, and what steps we’ll take to make sure it stays private and secure. This notice continues to apply even if your agreement with us ends.

This notice applies to any personal data we receive from you, create or obtain from other sources and explains how it will be used by us. If we’ve provided you with separate or further information about how we collect and use your personal information for a particular product or service, those terms will continue to apply to that service. If you interact with HSBC in a different context, eg as a banking customer or in a country outside the EU, separate terms will apply to that interaction.

It is important that you take the time to read and understand this notice so that you understand how we will use personal information relating to you, your directors, employees and/or agents and the applicable rights in relation to that personal information.

Wherever we’ve said ‘you’ or ‘your’, this means any individual who deals with us and if you are acting on behalf of a company, trust or pension fund for and on behalf of that company, trust or pension fund. (eg directors, employees, consultants, agents) or other people connected to your account. This notice only applies to information about individuals and not to information which is solely related to companies, trusts or pension funds.

What information we collect

The information we collect or have about you will come from different sources. It will include information relating to any of our investment products or services (including any you may have applied for or held previously) or information we generate to improve our service and to manage, administer and take decisions about your account. Some of it will come directly from you. Some of it may come from other HSBC companies. Some of it we may find from publicly available sources which we have lawfully accessed. Some of it will come from third parties or other organisations (eg fraud prevention agencies). Some information will be the result of combining different sets of information. We sometimes also record telephone conversations and monitor e-mail communications to resolve complaints, improve our service and in order to comply with our legal and regulatory requirements.

This information will include:

• Information that you provide to us. This includes:
  • information about you that you give us when entering into an investment management agreement with us, applying for shares or units in any fund, or by communicating with us, whether face-to-face, by phone, e-mail, or otherwise. The information you give us will include your (and/or if applicable, your financial adviser or employee’s) name, address, e-mail address and phone number, financial and tax status, tax residency or nationality if required by law;
  • information concerning your identity (eg passport or identification information);
• Information we collect or generate about you. This includes:
  • client relationship information, payment and trade transactions information and other financial information;
  • geographic information;
  • information included in relevant customer documentation  (eg record of advice) and other comparable information;
  • marketing and sales information, such as details of the advice and services you receive;
• Information we obtain from other sources. This includes:
  • communications information (eg email information, third party information, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes); and
  • combined information from external sources (eg information pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information  and information from fraud avoidance systems).

See Appendix 1 for additional details.

How we’ll use your information

We will collect information about you for various reasons as set out in this privacy notice, including to:

• manage and administer your accounts and holdings;
• provide you with information, products and services you may request from us;
• deliver our products and services;
• verify your identity as part of our client onboarding process;
• detect and prevent fraud and money laundering;
• identify politically exposed persons;
• carry out your instructions;
• improve our products and services;
• keep track of our conversations with you (by phone, in person, by email or any kind of communication);
• manage our relationship with you – including (if you agree or unless you tell use otherwise) telling you about our products, or carrying out market research, providing you with updated copies of our terms of business, this Privacy Notice and/or such other documentation;
• corresponding with solicitors, and third party intermediaries;
• assessing your investment requirements, and/or eligibility for certain investment products; and
• manage our internal operational requirements for risk management, system or product development and planning, insurance, audit and administrative purposes.

Processing for any of the above purposes is necessary to enable us to pursue our legitimate business interests (or the legitimate interests of one or more of our affiliates). It will also be necessary for other reasons, as outlined below.

We will only use your information where we have a lawful basis for using it. These lawful bases include where:

• we need to pursue our legitimate business interests, such as enforcing the terms and conditions of any agreement we have with you;
• we need to process the information to perform our obligations under our contract with you;
• we need to process the information to comply with a legal and regulatory obligations;
• we need to establish, exercise or defend our legal rights and / or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and
• we have your consent, including the use of cookies.

See Appendix 2 for additional details.

Even if you ask us not to use your information, we will continue to use your personal information in circumstances where (a) the law says we have to; (b) we need to for the purposes of performing a contract; (c) we have a public interest to do so; or (d) we have a legitimate business reason for doing so.

Tracking or recording what you say or do

We will record and keep track of conversations you have with us – including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of messaging in order to use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes. We use closed circuit television (CCTV) in and around our offices for security purposes and therefore collect photos or videos, or record the voices of people who attend our offices through CCTV.

Who we share your information with

We will share your personal information with our affiliates or with entities external to HSBC Alternative Investments Limited where:

• we need to in order to enforce or apply the terms of use and other agreements that you have with us;
• we need to for the purposes of providing you with investment products and services you have requested (eg pursuant to an investment management agreement);
• we have a public or legal duty to do so eg to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights;
• we have a legitimate reason for doing so eg to manage risk, verify your identity, or assess your suitability for products and services, but only where our legitimate purpose is not outweighed by your rights;
• we have asked you for your permission to share it, and you’ve agreed;
• we need to ensure the safety and security of our data; or
• we need to for internal research and statistical analysis purposes.

We will transfer and disclose your information to the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate protections:

• other HSBC group companies and any sub-contractors, agents or service providers who work for, or provide services to, us or other HSBC group companies (including their employees, sub-contractors, directors and officers), such service providers will include any professional service providers, such as accountants, auditors and lawyers;
• anyone who deals with us in relation to your investment and agreement with us (eg financial adviser), the people you make payments to, your beneficiaries, intermediary, correspondent and agent banks, clearing houses, clearing or settlement systems, market counter parties, upstream withholding agents, swap or trade repositories, stock exchanges, and any companies you hold securities in through us (eg stocks, bonds or options);
• other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents;
• any person, company or other entity that has an interest in or takes on the risk in relation to or in connection with the products or services that we provide to you;
• any prospective or new HSBC companies (eg if we restructure, or acquire or merge with other companies) – or any businesses that buy part or all of any HSBC company;
• to auditors, regulators  or dispute resolution bodies and to comply with their requests;
• other companies who do marketing or market research for us (but not without your permission);
• if there’s a dispute over a transaction, anyone else who’s involved;
• law enforcement, government, courts, or our regulators; or
• fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by clicking on this link https://www.cifas.org.uk/privacy-notice

Sharing Aggregated or Anonymised Information

We will share aggregated or anonymised information outside of HSBC with partners such as research groups, universities or advertisers. For example, we will share such information publicly to show trends about the general use of our services. However, you won’t be able to be individually identified from this information.

How long we’ll keep your information

How long we hold your personal information for will vary. The retention period will be determined by various criteria including:

• the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
• legal obligations – laws or regulation may set a minimum period for which we have to store your personal data.

Transferring your information overseas

Your information may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”), including to locations which may not have the same level of protection for personal information. Where we transfer and process your personal information outside the EEA, it is done in order to perform our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate business interests.

Where we transfer your information outside the EEA, we will ensure that it is protected by us in a manner that is consistent with how your information will be protected by us in the EEA. We will always do this in a way that is permissible under data protection law.

You can obtain more details of the protection given to your information when it is transferred outside the EEA by contacting us in accordance with the “More details about your information” section below.

Your rights

You have a number of rights in relation to the information that we hold about you. These rights include:

• the right to obtain information regarding the processing of your information and access to the information which we hold about you;
• the right to withdraw your consent to our processing of your information at any time. Please note, however, that we may still be entitled to process your information if we have another legitimate reason for doing so;
• the right to receive some information electronically and/or request that we transmit the information to a third party where this is technically feasible. Please note that this right only applies to information which you have provided to us;
• the right to request that we rectify your information if it is inaccurate or incomplete;
• the right to request that we erase your information. Please note that there may be circumstances where you ask us to erase your information but we are legally entitled to retain it;
• the right to object to and the right to request that we restrict our processing of your information. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your information but we are legally entitled to continue processing your information and / or to refuse that request; and
• the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.

Please note, that none of the above rights are absolute; by that we mean that there may be exceptions which apply to the above rights and how they apply. You can exercise your rights by contacting us using the details set out in the “More details about your information” section below. You can find out more information about your rights by contacting the Information Commissioner’s Office, or by visiting their website at https://ico.org.uk/

What we expect from you

You are responsible for making sure the information you give us is accurate and up to date. And you must tell us if anything changes, as soon as possible. If we ask you for any information and you do not provide it to us, we may need to stop providing products and services to you.

If you give us any personal information that does not relate to you (eg information about your financial adviser and/or your employees), you must obtain the necessary consent to disclose such personal information, tell them what information you have given to us, and make sure they agree we can use it as set out in this notice. You must also tell them how they can see what information we have about them and correct any mistakes.

Some of the links on our websites lead to other HSBC or non-HSBC websites, with their own privacy and information protection policies, which may be different to this notice.

How we keep your information secure

We implement internal technical and organisational measures to keep your information safe and secure which may include encryption, anonymisation and physical security measures. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

More details about your information

If you would like further information on any of the information above, please address questions, comments and requests to the HSBC Alternative Investments Limited Product team at hailproductdevelopment@hsbc.com.

This Privacy Notice may be updated from time to time, please see the latest version here https://www.global.assetmanagement.hsbc.com/privacy-policy

Last updated: May 2018

Appendix 1 – Information we collect about you

• Contact details such as your name, date and place of birth, and nationality, postal address, telephone number, email address;
• Identification information such as passport ID, date of birth, picture, paper copy of identity;
• Client Relationship Data eg products and services held (including pricing information), channels and modes of interaction, interactions with HSBC (eg call history, digital communications,  feedback etc.), client accounts, holding and location information;
• Payment Transactions Data: such as records from our payments processing systems that contain the information about executed transactions and includes order information (eg payment order), payment information and other information from the fulfilment of our contractual obligations (eg sales information in payments processing);
• Other Financial Data: including information regarding your financial situation (eg, tax status or the source of your assets);
• Risk Data / Ratings: Credit risk ratings and risk identification information (incl. vendor risk management), predicted transactional behaviour, client due diligence and periodic review results, financial crime risk management (FCRM)  rating (high/medium/low), external intelligence reports, screening alerts eg Transaction Screening, Name Screening, AML), unusual activity information (to develop (SARs) / and UARs;
• Investigations Data (Information pertaining to results from investigations on internal HSBC business practices, processes and operations). Grey information (eg allegations of wrongdoing, considered unproven, highly sensitive, may be structured or unstructured.)
• Information about the products and services allocated to clients, as well as information about credit decisioning variables and assumptions, posted collateral, calculated exposures, and likelihood estimates that the client cannot meet the commitment it has entered into. Data pertaining to known or suspected risk associated with clients, acquired from external watchlists and internal risk intelligence systems (eg Risk / Case Management).
• Data and artefacts required to support compliance to regulations that require screening of clients, their transactions and detection of suspicious and unusual activity.  FCC Risk Data.
• Profile Data for KYC purposes such as Individual identity and reference information, information published on the internet or which has been received from external providers; publically available or internally collected identity and demographic reference information about individuals who may be HSBC customers, connected parties, prospects, stakeholders or not at all related with HSBC (eg, marketing lists) that contain personally identifiable information.
• Information Security Risk Data; External information used to manage the information security threat environment, including watchlists, lists of bad URLs and known bad IP addresses, threat and vulnerability alerts, and information breach intelligence reports and news. Known actors (cyber criminals), external email addresses, leaked information lists (eg external breaches which has employees involved), acquired credit card / account details;
• Other Financial Data: investment portfolio details, investment fund details
• Other non HSBC financial information (excluding Market Trades and Payment Transactions);
• Market Trades: Information about exchanges in ownership of cash, securities or financial instruments between individuals or organizations through an exchange (ie organized market) or over the counter, which results in one or more transactions recorded in an account.  This may include Buy side or Sell side trades and positions.
• Communications Data: eg email information, third party information, chat information, instant messages, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes.
• Information pertaining to results from investigations on internal HSBC business practices, processes and operations. Content and meta-data related to exchanges of information between and among individuals, organizations, workers, prospects, customers, other stakeholders and HSBC.  Electronically recorded communications in the form of voice, email, or chat; corporate media communications, operational communications between two or more individuals or organizations regarding any HSBC activity that is directly or indirectly supporting customer servicing, third-party relationship and fulfillment.
• Complaints information; including disputes / litigation (legal case and matter information including legal strategy, document production, deposition and court transcripts, legal billing and time booking information).
• Cookie Information: IP Address, Browser behaviour etc.
• User Activity Reports (UAR) and Suspicious Activity reports (SARs).

Appendix 2 – How we use the information

We will use your information for the following purposes:

1. Deliver our products and services, or process your transaction in order to meet your investment objectives: We will use your information to provide you with our products and services and to process your transactions.  We will do this in line with our legitimate interests, legal obligations and in order to perform our contract with you. 
2. Compliance with Laws and Regulations: comply with the law, or any relevant rules or regulations.  This may include to help detect or prevent crime (including terrorism, money laundering and other financial crimes), filing of relevant reports to regulators, disclosing information to authorities, regulators or government agencies to fulfill our legal obligations.  This is carried out to comply with legal obligations, because it is in the public interest, and because it is in our legitimate interest to do. 
3. Preventing and Detecting Crime: We will use your information to take measures to prevent crime including fraud monitoring and mitigation and fraud risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification, in order to comply with our legal obligations, because this is in the public interest to carry out and assess risk in our legitimate interest. We may share your information with fraud agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. Additionally we may take steps along with other financial institutions to help prevent financial crime and manage risk where we have a legitimate business interest or public interest to do so, such as where it is important to prevent or detect crime. We may be required to use your information to do this, even if you have asked us to stop using your information.  That could include (among other things):
   • screening, intercepting and investigating any payments, instructions or communications you send or receive (including drawdown requests and application forms);
   • investigating who you’re paying or who’s paying you eg checks on payments in and out of your account;
   • passing information to fraud prevention agencies, if we think you’ve given us false or inaccurate information, or we suspect fraud; 
   • combining the information we have about you with information from other HSBC companies;
   • checking whether the people or organisations you’re paying or receiving payments from are who they say they are, and aren’t subject to any sanctions.
4. Security and Business Continuity: we take measures to aid business continuity, information security and we undertake physical security activities in order to fulfil our legal obligation and for internal risk strategy purposes as required in our legitimate interest.
5. Risk Management:  We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer loss. This may include credit risk, traded risk, operational risk & insurance risk. We will do this to fulfill our legal obligation and also because we have a legitimate interest in using your information for these purposes. 
6. Product & Service Improvement: We will use your information to identify possible service and product improvements (including profitability) by analysing information.  The lawful basis for processing your information for this purpose is our legitimate interests.
7. Cookies: When using any web-based applications, we will ask for your consent to our use of cookies. The lawful basis for processing your information for this purpose is consent.  
8. Information as a product: Where we collect your information for another purpose, eg for client on boarding, we may share such information or analytics results with third parties including other HSBC entities where it is in our legitimate interest to do so.  The information may be presented as research whitepapers, the delivery of customer-specific information or insights back to same customer, credit checks, and anonymisation of information for the wider market. If we need to process your information for any other purpose, we will notify you with details of the new purpose (and obtain consent, if required) prior to that further processing.  
9. Protecting our legal rights:  We may need to use your information to protect our legal rights such as in the case of defending or the protection of legal rights and interests (eg collecting money owed; defending rights of intellectual property); court action; managing complaints or disputes; in the event of a restructuring of companies or other mergers or acquisition.   We would use this on the basis of legitimate business interests.

Data Protection Notice

When you completed the application form you provided personal information, which may constitute “personal data” within the meaning of the Data Protection Legislation.

Investors’ personal data will be used by the Company for the following purposes:

• to manage and administer an investor’s holding in the Company and any related accounts on an ongoing basis;
• to carry out statistical analysis and market research as the Company’s legitimate business interest; and
• to comply with legal and regulatory obligations applicable to the investor and the Company from time to time including applicable anti-money laundering and counter terrorist financing legislation. In particular, in order to comply with the Common Reporting Standard (as implemented in Ireland by Section 891E, Section 891F and Section 891G of the Taxes Consolidation Act 1997 and regulations made pursuant to those sections) and Foreign Account Tax Compliant Act, investors’ personal data (including financial information) may be shared with the Irish Revenue Commissioners. They in turn may exchange information (including personal data and financial information) with foreign tax authorities (including the US Internal Revenue Service and foreign tax authorities located outside the EEA). Please consult the Automatic Exchange of Information webpage on www.revenue.ie for further information in this regard.

Investors’ personal data may be disclosed by the Company to its delegates, professional advisors, service providers, regulatory bodies, auditors, technology providers and any duly authorised agents or related, associated or affiliated companies of the foregoing for the same purpose(s).

Investors’ personal data may be transferred to countries which may not have the same or equivalent data protection laws as Ireland. If such transfer occurs, the Company is required to ensure that such processing of investors’ personal data is in compliance with Data Protection Legislation and, in particular, that appropriate measures are in place such as entering into standard contractual clauses (as published by the European Commission). More information on the means of transfer of investors’ data and a copy of the relevant safeguards, can be found at https://www.assetmanagement.hsbc.com/privacy-policy.

Pursuant to the Data Protection Legislation, investors have a number of rights which may be exercised in respect of their personal data, ie:

• the right of access to personal data held by the Company;
• the right to amend and rectify any inaccuracies in personal data held by the Company;
• the right to erase personal data held by the Company;
• the right to data portability of personal data held by the Company;
• the right to request restriction of the processing of personal data held by the Company;
• the right to object to processing of personal data by the Company. In certain circumstances it may not be feasible for the Company to discharge these rights, for example, if the shareholder remains a shareholder in the Company or the manner in which the shareholder holds shares in a Fund; and
• the right to object to automated decision making, including profiling.

These rights will be exercisable subject to limitations as provided for in the Data Protection Legislation. Investors may make a request to the Company to exercise these rights by contacting ifsinvestorqueries@hsbc.com.

Please note that personal data may be retained by the Company for the duration of an investor’s investment and afterwards in accordance with the Company’s legal and regulatory obligations.

The Company is a data controller within the meaning of the Data Protection Legislation and undertakes to hold any personal information provided by investors in confidence and in accordance with the Data Protection Legislation. Information on how to raise queries, requests or comments in respect of this notice or the way in which the Company uses investors’ personal data, can be found at http://www.global.assetmanagement.hsbc.com/privacy-notices. Note that investors have the right to lodge a complaint with the Office of the Data Protection Commissioner.

For the purpose of this notice Data Protection Legislation means: “the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Irish Data Protection Acts 1988 and 2018, the EU ePrivacy Directive 2002/58/EC (the “ePrivacy Directive”) and any other national data protection laws implementing, replacing or amending GDPR or ePrivacy Directive.”

How we collect and use your personal information

As an investor in a fund or product of which HSBC Management (Guernsey) Limited is a ‘data controller’ (as defined under the General Data Protection Regulation ((EU) 2016/679) (GDPR) and The Data Protection (Guernsey) Law, 2017 (the Data Protection Law)) we are responsible for deciding how we hold and use personal information about you. We may collect and use personal information about you or individuals connected with you eg; your directors, employees and/or agents.

This notice explains how we will use that information, who we might share it with, and what steps we’ll take to make sure it stays private and secure. This notice continues to apply even if your agreement with us ends.

This notice applies to any personal data we receive from you, create or obtain from other sources and explains how it will be used by us. If we’ve provided you with separate or further information about how we collect and use your personal information for a particular product or service, those terms will continue to apply to that service. If you interact with HSBC in a different context, eg as a banking customer or in a country outside the EU, separate terms will apply to that interaction.

It is important that you take the time to read and understand this notice so that you understand how we will use personal information relating to you, your directors, employees and/or agents and the applicable rights in relation to that personal information.

Before we begin

Wherever we’ve said ‘you’ or ‘your’, this means any individual who deals with us and if you are acting on behalf of a company, trust or pension fund for and on behalf of that company, trust or pension fund. (eg directors, employees, consultants, agents) or other people connected to your account. This notice only applies to information about individuals and not to information which is solely related to companies, trusts or pension funds.

Wherever we’ve said ‘we’ or ‘our’, this includes HSBC Management (Guernsey) Limited and other companies in the HSBC Group. For the purposes of data protection law, HSBC Management (Guernsey) Limited is the data controller in relation to your information.

What information we collect

The information we collect or have about you might come from different sources. It may include information relating to any of our investment products or services (including any you may have applied for by completion of an application form, subscription agreement (or equivalent), or held previously) or information we generate to improve our service and to manage, administer and take decisions about your account. Some of it will come directly from you, for example, client due diligence documentation or other correspondence by you with us by phone, email or otherwise. Some of it might come from other HSBC companies. Some of it we might find from publicly available sources which we have lawfully accessed. Some of it might come from third parties or other organisations (eg fraud prevention agencies). Some information may be the result of combining different sets of information. We sometimes also record telephone conversations and monitor e-mail communications to resolve complaints, improve our service and in order to comply with our legal and regulatory requirements.

This information may include:

• Information that you provide to us. This includes:
  • information about you that you give us when completing an application form, subscription agreement (or equivalent) with us, applying for shares or units in any fund, or by communicating with us, whether face-to-face, by phone, e-mail, or otherwise. The information you give us may include your (and/or if applicable, your financial adviser or employee’s) name, address, e-mail address and phone number, financial and tax status;
  • information concerning your identity (eg passport or identification information);
• Information we collect or generate about you. This includes:
  • client relationship information, payment and trade transactions information and other financial information;
  • geographic information;
  • information included in relevant customer documentation (eg record of advice) and other comparable information;
  • marketing and sales information, such as details of the advice and services you receive;
• Information we obtain from other sources. This includes:
  • communications information (eg email information);
  • entities in which you or someone connected to you has an interest;
  • your legal and/or financial advisors;
  • other financial institutions who hold and process your personal data to satisfy their own regulatory requirements; and
  • combined information from external sources (eg information pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information and information from fraud avoidance systems).

See Appendix 1 for additional details.

How we’ll use your information

We will collect information about you for various reasons as set out in this privacy notice, including to:

• manage and administer your accounts and holdings;
• provide you with information, products and services you may request from us;
• verify your identity as part of our client onboarding process;
• detect and prevent fraud and money laundering;
• identify politically exposed persons;
• carry out your instructions;
• improve our products and services;
• keep track of our conversations with you (by phone, in person, by email or any kind of communication);
• manage our relationship with you – including (if you agree or unless you tell use otherwise) telling you about our products, or carrying out market research;
• corresponding with solicitors, and third party intermediaries;
• manage our internal operational requirements for risk management, system or product development and planning, insurance, audit and administrative purposes; and
• liaising with or reporting to any regulatory authority (including tax authorities) with whom a fund either is required to cooperate, report to or with whom it decides or deems appropriate to cooperate in relation to an investment, and which has jurisdiction over the Fund or its investments notwithstanding that such processing may be undertaken by a party who is located in a territory which is outside of the European Economic Area (which for the purposes of this Notice includes the Bailiwick of Guernsey, the "EEA") and which does not offer an adequate level of protection for the rights and freedoms of data subjects which is equivalent to those data protection standards afforded within the EEA.

Processing for any of the above purposes is necessary to enable us to pursue our legitimate business interests (or the legitimate interests of one or more of our affiliates) provided that your fundamental rights do not override these interests. It may also be necessary for other reasons, as outlined below. We will only use your information where we have a lawful basis for using it. These lawful bases include where:

• we need to pursue our legitimate business interests, such as enforcing the terms and conditions of any agreement we have with you;
• we need to process the information to perform our obligations under our contract with you;
• we need to process the information to comply with a legal and regulatory obligations;
• we need to establish, exercise or defend our legal rights and / or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and
• we have your consent, including the use of cookies.

See Appendix 2 for additional details.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

Even if you ask us not to use your information, we may continue to use your personal information in circumstances where (a) the law says we have to; (b) we need to for the purposes of performing a contract; (c) we have a public interest to do so; or (d) we have a legitimate business reason for doing so.

Tracking or recording what you say or do

We may record and keep track of conversations you have with us – including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other kinds of messaging in order to use these recordings to check your instructions to us, assess, analyse and improve our service, train our people, manage risk or to prevent and detect fraud and other crimes.

Who we might share your information with

We may share your personal information with our affiliates or with entities external to HSBC Management (Guernsey) Limited where:

• we need to in order to enforce or apply the terms of use and other agreements that you have with us;
• • we need to for the purposes of providing you with investment products and services you have requested (eg pursuant to an investment management agreement);
• we have a public or legal duty to do so eg to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights;
• we have a legitimate reason for doing so eg to manage risk, verify your identity, or assess your suitability for products and services;
• we have asked you for your permission to share it, and you’ve agreed;
• we need to ensure the safety and security of our data; or
• we need to for internal research and statistical analysis purposes.

We may transfer and disclose your information to:

• other HSBC group companies and any sub-contractors, agents or service providers who work for, or provide services to, us or other HSBC group companies (including their employees, sub-contractors, directors and officers);
• anyone who deals with us in relation to your investment and agreement with us (eg financial adviser), the people you make payments to, your beneficiaries, intermediary, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges, and any companies you hold securities in through us (eg stocks, bonds or options);
• other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents;
• any person, company or other entity that has an interest in or takes on the risk in relation to or in connection with the products or services that we provide to you;
• any prospective or new HSBC companies (eg if we restructure, or acquire or merge with other companies) – or any businesses that buy part or all of any HSBC company;
• to auditors, regulators or dispute resolution bodies and to comply with their requests;
• other companies who do marketing or market research for us (but not without your permission);
• if there’s a dispute over a transaction, anyone else who’s involved;
• law enforcement, government, courts, or our regulators; or
• fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by clicking on this link https://www.cifas.org.uk/privacy-notice

Sharing Aggregated or Anonymised Information

We may share aggregated or anonymised information outside of HSBC with partners such as research groups, universities or advertisers. For example, we may share such information publicly to show trends about the general use of our services. However, you won’t be able to be individually identified from this information.

How long we’ll keep your information

How long we hold your personal information for will vary. The retention period will be determined by various criteria including:

• the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
• legal obligations – laws or regulation may set a minimum period for which we have to store your personal data.

Transferring your information overseas

Your information may be transferred to, and stored at, a destination outside the European Economic Area (for the purposes of this Privacy Notice, the European Economic Area includes the Bailiwicks of Guernsey and Jersey) (“EEA”), including to locations which may not have the same level of protection for personal information. We may need to transfer your information in this way to perform our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate business interests.

Where we transfer your information outside the EEA, including to India, we will ensure that it is protected by us in a manner that is consistent with how your information will be protected by us in the EEA. We will always do this in a way that is permissible under data protection law.

You can obtain more details of the protection given to your information when it is transferred outside the EEA by contacting us in accordance with the “More details about your information” section below.

Your rights

You have a number of rights in relation to the information that we hold about you. These rights include:

• the right to obtain information regarding the processing of your information and access to the information which we hold about you;
• in certain circumstances, the right to withdraw your consent to our processing of your information at any time. Please note, however, that we may still be entitled to process your information if we have another legitimate reason for doing so;
• in some circumstances, the right to receive some information electronically and/or request that we transmit the information to a third party where this is technically feasible. Please note that this right only applies to information which you have provided to us;
• the right to request that we rectify your information if it is inaccurate or incomplete;
• the right to request that we erase your information in certain circumstances. Please note that there may be circumstances where you ask us to erase your information but we are legally entitled to retain it;
• the right to object to and the right to request that we restrict our processing of your information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your information but we are legally entitled to continue processing your information and / or to refuse that request; and
• the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.

You can exercise your rights by contacting us using the details set out in the “More details about your information” section below. You can find out more information about your rights by contacting the Data Protection Authority, or by visiting their website at https://odpa.gg/

What we expect from you

You are responsible for making sure the information you give us is accurate and up to date. And you must tell us if anything changes, as soon as possible. If we ask you for any information and you do not provide it to us, we may need to stop providing products and services to you.

If you give us any personal information that does not relate to you (eg information about your financial adviser and/or your employees), you must obtain the necessary consent to disclose such personal information, tell them what information you have given to us, and make sure they agree we can use it as set out in this notice. You must also tell them how they can see what information we have about them and correct any mistakes.

Some of the links on our websites lead to other HSBC or non-HSBC websites, with their own privacy and information protection policies, which may be different to this notice.

How we keep your information secure

We implement internal technical and organisational measures to keep your information safe and secure which may include encryption, anonymisation and physical security measures. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

More details about your information

If you would like further information on any of the information above, please address questions, comments and requests to HSBC Securities Services (Ireland) DAC at dubafsinvestor@hsbc.com.

This Privacy Notice may be updated from time to time, please see the latest version here https://www.global.assetmanagement.hsbc.com/privacy-policy

Last updated: May 2018

Appendix 1 – Information we collect about you

• Contact details such as your name, date and place of birth, and nationality, postal address, telephone number, email address;
• Identification information such as passport ID, date of birth, picture, paper copy of identity;
• Client Relationship Data eg products and services held (including pricing information), channels and modes of interaction, interactions with HSBC (eg call history, digital communications, feedback etc.), client accounts, holding and location information,
• Payment Transactions Data: such as records from our payments processing systems that contain the information about executed transactions and includes order information (eg payment order), payment information and other information from the fulfillment of our contractual obligations (eg sales information in payments processing);
• Other Financial Data: including information regarding your financial situation (eg, tax status or the source of your assets);
• Risk Data / Ratings: Credit risk ratings and risk identification information (incl. vendor risk management), predicted transactional behaviour, client due diligence and periodic review results, financial crime risk management (FCRM) rating (high/medium/low), external intelligence reports, screening alerts (eg Transaction Screening, Name Screening, AML), unusual activity information (to develop (SARs) / and UARs).
• Investigations Data (Information pertaining to results from investigations on internal HSBC business practices, processes and operations). Grey information (eg allegations of wrongdoing, considered unproven, highly sensitive, may be structured or unstructured.)
• Information about the products and services allocated to clients, as well as information about credit decisioning variables and assumptions, posted collateral, calculated exposures, and likelihood estimates that the client cannot meet the commitment it has entered into. Data pertaining to known or suspected risk associated with clients, acquired from external watchlists and internal risk intelligence systems (eg Risk / Case Management).
• Data and artefacts required to support compliance to regulations that require screening of clients, their transactions and detection of suspicious and unusual activity. FCC Risk Data.
• Profile Data for KYC purposes such as Individual identity and reference information, information published on the internet or which has been received from external providers; publically available or internally collected identity and demographic reference information about individuals who may be HSBC customers, connected parties, prospects, stakeholders or not at all related with HSBC (eg, marketing lists) that contain personally identifiable information.
• Social Data: Data pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from external information aggregators. The information is typically user generated / and or provided by and includes information from sources such as Linked In, Facebook, Google Plus, Twitter, etc. as well as information from social media analytics tools such as Radian 6
• Information Security Risk Data; External information used to manage the information security threat environment, including watchlists, lists of bad URLs and known bad IP addresses, threat and vulnerability alerts, and information breach intelligence reports and news. Known actors (cyber criminals), external email addresses, leaked information lists (eg external breaches which has employees involved), acquired credit card / account details;
• Other Financial Data: investment portfolio details, investment fund details Other non HSBC financial information (excluding Market Trades and Payment Transactions);
• Market Trades: Information about exchanges in ownership of cash, securities or financial instruments between individuals or organizations through an exchange (ie organized market) or over the counter, which results in one or more transactions recorded in an account. This may include Buy side or Sell side trades and positions.
• Communications Data: eg email information, third party information, chat information, instant messages, corporate and media broadcasts, disputes / litigation, correspondence between solicitors and stakeholders and transcripts or minutes.
• Information pertaining to results from investigations on internal HSBC business practices, processes and operations. Content and meta-data related to exchanges of information between and among individuals, organizations, workers, prospects, customers, other stakeholders and HSBC. Electronically recorded communications in the form of voice, email, or chat; corporate media communications, operational communications between two or more individuals or organizations regarding any HSBC activity that is directly or indirectly supporting customer servicing, third-party relationship and fulfillment.
• Complaints information; including disputes / litigation (legal case and matter information including legal strategy, document production, deposition and court transcripts, legal billing and time booking information).
• Cookie Information: IP Address, Browser behaviour etc.
• User Activity Reports (UAR) and Suspicious Activity reports (SARs).

Appendix 2 – How we use the information

We will use your information for the following purposes:

1. Deliver our products and services, or process your transaction in order to meet your investment objectives: We will use your information to provide you with our products and services and to process your transactions. We will do this in line with our legitimate interests, legal obligations and in order to perform our contract with you.
2. Compliance with Laws and Regulations: comply with the law, or any relevant rules or regulations. This may include to help detect or prevent crime (including terrorism, money laundering and other financial crimes), filing of relevant reports to regulators, disclosing information to authorities, regulators or government agencies to fulfill our legal obligations. This is carried out to comply with legal obligations, because it is in the public interest, and because it is in our legitimate interest to do.
3. Preventing and Detecting Crime: We will use your information to take measures to prevent crime including fraud monitoring and mitigation and fraud risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification, in order to comply with our legal obligations, because this is in the public interest to carry out and assess risk in our legitimate interest. We may share your information with fraud agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. Additionally we may take steps along with other financial institutions to help prevent financial crime and manage risk where we have a legitimate business interest or public interest to do so, such as where it is important to prevent or detect crime. We may be required to use your information to do this, even if you have asked us to stop using your information. That could include (among other things):
   • screening, intercepting and investigating any payments, instructions or communications you send or receive (including drawdown requests and application forms);
   • investigating who you’re paying or who’s paying you eg checks on payments in and out of your account;
   • passing information to fraud prevention agencies, if we think you’ve given us false or inaccurate information, or we suspect fraud;
   • combining the information we have about you with information from other HSBC companies;
   • checking whether the people or organisations you’re paying or receiving payments from are who they say they are, and aren’t subject to any sanctions.
4. Security and Business Continuity: we take measures to aid business continuity, information security and we undertake physical security activities in order to fulfill our legal obligation and for internal risk strategy purposes as required in our legitimate interest.
5. Risk Management: We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer loss. This includes credit risk, traded risk, operational risk & insurance risk. We will do this to fulfill our legal obligation and also because we have a legitimate interest in using your information for these purposes.
6. Product & Service Improvement: We will use your information to identify possible service and product improvements (including profitability) by analysing information. The lawful basis for processing your information for this purpose is our legitimate interests.
7. Cookies: When using any web-based applications, we will ask for your consent to our use of cookies. The lawful basis for processing your information for this purpose is consent.
8. Information as a product: Where we collect your information for another purpose, eg for client on boarding, we may share such information or analytics results with third parties including other HSBC entities where it is in our legitimate interest to do so. The information may be presented as research whitepapers, the delivery of customer-specific information or insights back to same customer, credit checks, and anonymisation of information for the wider market. If we need to process your information for any other purpose, we will notify you with details of the new purpose (and obtain consent, if required) prior to that further processing.
9. Protecting our legal rights: We may need to use your information to protect our legal rights such as in the case of defending or the protection of legal rights and interests (eg collecting money owed; defending rights of intellectual property); court action; managing complaints or disputes; in the event of a restructuring of companies or other mergers or acquisition. We would use this on the basis of legitimate business interests.