Data and privacy

Northern Horizon Capital Data and Privacy Policy

This version is applicable as of 6th of December, 2022

1 Why should I read this Privacy Policy?

This Privacy Policy (the ‘Policy’) describes how Northern Horizon Capital group (hereafter referred to ‘Northern Horizon’, we’ or ‘us’) collects, uses, discloses, and stores your personal information and what statutory rights do you have under EU General Data Protection Regulation (‘GDPR’) and other applicable data protection laws. We may amend this Policy unilaterally from time to time. Any such amendments will be effective immediately upon publication.

2 Who is responsible for protecting my information?

Depending on the specific context described in Part 3 of this Policy, one or some entities listed below will control your data.

Northern Horizon Capital AIFM Oy
(further – NHC Finland)

Company number is: 2688311-2
Erottajankatu 15-17, 00130 Helsinki Finland
helsinki@nh-cap.com

Northern Horizon Capital AS
(further – NHC Estonia)

Company number is: 11025345
Tornimäe 2, 24th floor, 10145 Tallinn, Estonia
estonia@nh-cap.com

Northern Horizon Capital UAB
(further – NHC Lithuania)

Company number is: 300022971
Jogailos str. 4, 2nd floor, Business Centre 2000, LT-01116 Vilnius, Lithuania
vilnius@nh-cap.com

Northern Horizon Capital A/S
(further – NHC Denmark)

Company number is: 27599397
Christian IX’s Gade 2, 2nd floor, DK-1111 Copenhagen K, Denmark
copenhagen@nh-cap.com

Northern Horizon Capital AB
(further – NHC Sweden)

Company number is: 556882-6803
Regeringsgatan 52, 111 56 Stockholm, Sweden
stockholm@nh-cap.com

Northern Horizon Capital GmbH
(further – NHC Germany)

Company number is: HRB 110310 B
Jägerstraße 58-60, 10117 Berlin, Germany
berlin@nh-cap.com

Northern Horizon Aged Care IV GP S.a r.l.
(further – General Partner (ACIV))

R.C.S. Luxembourg: B 240.071
33, rue du Puits Romain L-8070 Bertrange
Grand Duchy of Luxembourg

Northern Horizon Nordic Aged Care GP S.a r.l.
(further – General Partner (NACF))

R.C.S. Luxembourg: B 204.825
33, rue du Puits Romain L-8070 Bertrange
Grand Duchy of Luxembourg

BPT Hansa LUX SICAV-SIF
(further – BPT Hansa)

R.C.S. Luxembourg B 122.072
2, Rue d’Alsace, L-1122 Luxembourg

 
3 Why do you collect and how do you use my information?

 3.1 To provide investment management services

Who is the controller of my data? NHC Estonia – regarding your investments into Baltic Horizon Fund;

NHC Finland, the General Partner (ACIV) or the General Partner (NACF), as the case might be – regarding your investments into Aged Care IV Fund, Nordic Aged Care Fund or other health care strategy funds;

BPT Hansa – regarding your investments into BPT Hansa.

When is this relevant for me? When you are considering investment or have invested into the investment vehicle(s) managed by us, or you are representative or ultimate beneficial owner (UBO) of a legal entity which is an investor.
What information do you collect about me? Name, surname (incl. representatives), address, your contact details (telephone number, email address), residency, personal identification code, banking details (bank account number, bank, SWIFT code), investment size, data related to professional, well-informed/qualified, or retail investor status (where relevant), transaction history, date of acquisition and redemption, number and records of transfer of shares/interests, investment preferences or restrictions and objectives, and other information on investments in investment vehicles managed by us.
What is your legal basis for collecting my information? We conclude and perform the contract with you (Art. 6 (1) (b) of GDPR)

We have a legal obligation (Art. 6 (1) (c) of GDPR).

Provision of data is a statutory and contractual requirement. If you fail to provide such data, we will not be able to provide investment management services, including arranging dividend distribution, convocation of general investor meetings, sending you notifications and perform other contractual obligations.

How long do you store information about me? As long as we provide a service to you plus 10 years after the end of a business relationship with you, unless otherwise required by law to deal with any legal matters (court action, regulatory investigation etc.)

3.2 To perform the contract with you (including e.g. lease contract, directorship/management contract etc.) 

Who is the controller of my data? NHC Estonia – if you are investor, tenant, service provider, external Supervisory Board member or other counterparty of Baltic Horizon Fund or its subsidiaries’;

NHC Finland, the General Partner (ACIV) or the General Partner (NACF), as the case might be – if you are an investor, external Board member, tenant, service provider or other counterparty of Aged Care IV Fund, Nordic Aged Care Fund or other health care strategy funds or their subsidiaries;

BPT Hansa – if you are investor, tenant, service provider, external Board member or other counterparty of BPT Hansa or its subsidiaries’.

When is this relevant for me? When you have concluded an agreement with us, including subscription agreement, directorship/management agreement or rental agreement for premises owned by the fund companies.
What information do you collect about me? Name, surname (incl. representatives), address, your contact details (telephone number, email address), personal identification code, passport copy, banking details (bank account number, bank, SWIFT code); also, in respect of tenants – utility usage information and turnover;

If you are one of our directors, members of the Board of Directors – fit & proper information requited by regulator, including criminal records extracts.

What is your legal basis for collecting my information? We conclude and perform the contract with you (Art. 6 (1) (b) of GDPR).

We have a legal obligation (Art. 6 (1) (c) of GDPR).

Provision of data is a statutory and contractual requirement. If you fail to provide such data, we may not be able to perform the contract with you.

How long do you store information about me? As long as we have contractual relationship plus 10 years thereafter, unless otherwise required by law to deal with any legal matters (court action, regulatory investigation etc.)

3.3 To implement measures of anti-money laundering (AML), counter-terrorist financing (CTF), and sanction screening 

Who is the controller of my data? NHC Estonia, NHC Finland, the General Partner (ACIV), the General Partner (NACF), or BPT Hansa depending on which fund you have business relationships with, invested or consider investing into.
When is this relevant for me? When establishing and continuing business relationship with us (i.e. when you are considering investment or have invested into the investment vehicle(s) managed by us, or you are representative or ultimate beneficial owner (UBO) of a legal entity which is an investor, or you are our business partner).
What information do you collect about me? Name and surname, ID information (number, date of issuance, period of validity), date/place of birth, personal number, identification document, citizenship or citizenships, address, city, postal code, country of residence, information on source of wealth, services provided, director information, representative information, sample of signature, ultimate beneficial owner information, other AML/CTF information as established by legal acts.

Information on participation in politics – whether you are a politically exposed person (PEP), whether the ultimate beneficial owner of the company, their immediate family member, or a close associate is a PEP, and information on PEP’s prominent public functions, as well sanction information.

What is your legal basis for collecting my information? We have a legal obligation (Art. 6 (1) (c) of GDPR) – Art. 3(9) and Art. 20 of the EU Directive 2015/849 and corresponding national transpositions.

 Reasons of substantial public interest (Art. 9 (2) (g) of GDPR).

Provision of data is a statutory and contractual requirement, as well as public interest. If you fail to provide such data, we will not be able to provide services.

How long do you store information about me? As long as we have a business relationship with you and 10 years after the end of it, unless otherwise required by law to deal with any legal matters (court action, regulatory investigation etc.)

3.4 To report managers’ transactions and maintain insiders list 

When is it relevant to me? When you are declared being the insider of Baltic Horizon Fund or any of its subsidiaries, also when you’re discharging managerial responsibilities or you are closely associated with the persons who discharge managerial responsibilities[1], and we have to fulfil notification or reporting obligations under Market Abuse Regulation, including publishing your transactions regarding Baltic Horizon Fund financial instruments (if relevant).
What information do you collect about me? Name, surname, birth surname, personal & professional full home address, personal & professional phone number (home and mobile), personal ID, date of birth, date and time at which you were included into, as well as excluded from the insiders list, managers’ and their close associates list, reason why you were included into this list, number of Baltic Horizon Fund’s financial instruments owned, nature of the transaction(s) (acquisition, disposal etc.), details of the transaction (date, place, price, and volume), trading venue and the other information required by law.
What is your legal basis for collecting my information? We have a legal obligation (GDPR, Article 6 (1)(c)) – Art. 19 of Market Abuse Regulation (MAR)).
How long do you use or keep information about me? For the duration of your status of insider and /or manager, or close associate of those, and for 10 years after termination of it, unless otherwise required by law to deal with any legal matters (court action, regulatory investigation etc.).

[1] Persons discharging managerial responsibilities in relation to Baltic Horizon Fund or close associates of those persons as those terms are defined in Article 3(1) (25-26) of Market Abuse Regulation (Regulation (EU) No 596/2014)

3.5 To develop and maintain a business relationship 

Who is the controller of my data? Any Northern Horizon entity
When is this relevant for me? When you have a business relationship with or contact us.

When you attend the events, conferences, meetings, or webinars organized by us.

What information do you collect about me? Name, surname, represented company, email address, telephone number, job title or job function, your inquiries, documents attached to inquiries, other communication with you, as well as attended Northern Horizon events, webinars or conferences.
What is your legal basis for collecting my information? We have a legitimate interest (to develop and maintain business relationship) (Art. 6 (1) (b) of GDPR).
How long do you store information about me? As long as we have a business relationship or communication with you and 10 years after the end of it.

3.6 To provide information about Northern Horizon Group 

Who is the controller of my data? Any Northern Horizon Group entity
When is this relevant for me? When we want to increase awareness of Northern Horizon Group.
What information do you collect about me? Name, surname, email address, phone number, selected emails as well as information related to which fund(s) the investor has invested in.
What is your legal basis for collecting my information? We have your consent (Art. 6 (1) (a) of GDPR).

We have a legitimate interest (to increase awareness of Northern Horizon Group) (Art. 6 (1) (f) of GDPR).

How long do you store information about me? As long as we have a business need, or after you give your consent unless you withdraw your consent earlier.

3.7 To distribute press releases 

Who is the controller of my data? Respective Northern Horizon Group entity
When is this relevant for me? When you have subscribed for press releases (Nasdaq announcements) with information concerning Baltic Horizon Fund on the Baltic Horizon website or on Nasdaq Baltic website.

When we share a press release with information concerning funds managed by Northern Horizon group.

What information do you collect about me? Name, surname, e-mail.
What is your legal basis for collecting my information? We have your consent (Art. 6 (1) (a) of GDPR).

We have a legitimate interest (to increase our publicity) (Art. 6 (1) (b) of GDPR).

How long do you store information about me? As long as we have your consent (for Baltic Horizon press releases) and 1 year thereafter, otherwise as long as we have a business need.

3.8 To manage our social media profiles (for Northern Horizon and for Baltic Horizon) 

Who is the controller of my data? NHC Denmark, NHC Estonia, NHC Lithuania
When is this relevant for me? When you interact with us in our social media profiles. We use various social media platforms, for example, for communication and marketing purposes or for recruitment. While we are responsible for the content we publish using social media platforms, Northern Horizon is not responsible for managing the social media platforms (such as creating user statistics or placing cookies).
What information do you collect about me? When using these social media platforms, you are obliged to adhere to the legal and privacy terms imposed by the social media platform providers. Such providers collect personal data about you, including statistical and analytical data regarding your use of the social media platforms, such as an overview of pages you have accessed, “likes,” recent visits, posts you publish or find interesting. If you require access to such data or want to invoke one of your other rights (such as the right to object to the processing of your data), you should contact the social media platform provider.

Some social media providers provide Northern Horizon with aggregate data relevant for our pages, such as the amount of “likes” triggered by our content or the amount of posts, visitors to our site, links that are clicked and the like.

Google Analytics

We use Google Analytics to provide reporting, visualizations and analysis of data. Your personal data will be processed by Google for the following purposes: (i) to capture web metrics within our site (e.g. pages viewed and links clicked); (ii) to analyze and understand overall site traffic information; (iii) to capture metrics about our online marketing campaigns.

What is your legal basis for collecting my information? Your consent (Art. 6 (1) (a) of GDPR).
How long do you store information about me? 5 (five) years from the moment you interacted with our social media profiles.

3.9 To ensure the security of our website and improve it 

Who is the controller of my data? NHC Denmark

NHC Lithuania

When is this relevant for me? When you visit our website.
What information do you collect about me? Browser name and type, operating system used, referred URL, host name of the accessing computer, time of the server request, IP address.
What is your legal basis for collecting my information? We have a legitimate interest (to ensure website security and operation) (Art. 6 (1) (f) of GDPR).
How long do you store information about me? 10 years after your last visit to our website.

3.10 To carry out the selection of potential employees 

Who is the controller of my data? Any relevant Northern Horizon entity
When is this relevant for me? When we receive your application for a job position (including via form on Northern Horizon website), you give us your consent for storing your CV, or we contact you based on the information you publicly disclose online.
What information do you collect about me? Full name, email, phone number, CV, work experience, references, other information you provide us with.
What is your legal basis for collecting my information? We have your consent (Art. 6 (1) (f) of GDPR).

We have the intention to form a contract with you (Art. 6 (1) (b) of GFPR).

We have a legitimate interest (to carry out the recruitment process) (Art. 6 (1) (f) of GDPR).

In case you apply for a particular position, provision of data is a requirement necessary to enter into a contract.

How long do you store information about me? 3 years after the end of the relevant recruitment process.

5 years after you give us your consent or publicly disclose your information online.

3.11 To fulfil accounting requirements 

Who is the controller of my data? Any relevant Northern Horizon  entity
When is this relevant for me? When we have a transaction or relationship with you that is subject to accounting requirements (including your directorships or supervisory board member positions where you receive remuneration from us).
What information do you collect about me? Full name, email address, telephone number, bank account number, address, signature, invoices, reports, accounting documents, payments, paid amounts, other information we are statutorily required to collect.
What is your legal basis for collecting my information? We have a legal obligation (Art. 6 (1) (c) of GDPR).

Provision of data is a statutory requirement. If you fail to provide such data, we will not be able to have a relationship with you.

How long do you store information about me? 10 years following a transaction.

3.12 To defend our rights and interests, address the claims 

Who is the controller of my data? Any Northern Horizon entity
When is this relevant for me? In case we become a party to a legal process which you are subject to, or we are statutorily required to collect or provide information about you, or you raised a concern through our “Voice your concern” tool on our website.
What information do you collect about me? All of the aforementioned information, accounting and legal case files, legal documents, other information you provide us with, additional information that we are statutorily required to collect and/or provide.

Should the need be, information about criminal offenses and convictions.

What is your legal basis for collecting my information? We have a legal obligation (Art. 6 (1) (c) of GDPR).

We have a legitimate interest (to protect our rights and interests) (Art. 6 (1) (f) of GDPR)

We exercise, or defense of legal claims (Art. 9 (2) (f) of GDPR).

We have your consent (Art. 6 (1) (f) of GDPR) in case of :Voice your concern” tool..

Provision of data may be a statutory requirement.

How long do you store information about me? If you are our current client: 10 years following the end of the contractual relationship with us or, whichever is longer, for the duration of the legal process and 3 years after a final authority decision came into full force.

In other cases when you become a party to a legal process: for the duration of the legal process and 3 years after a final authority decision came into full force.

4 Where do you collect my data from?

We collect most of the data from you (to establish and implement the agreement with you, in particularly to identify you as a counterparty, to correspond with you, to carry out the settlement of accounts etc.). In addition, for certain purposes, we may receive data from other sources as explained below.

Data source Purpose of collecting data
Estonian central securities depository or Swedish central securities depository (in case of your investments into Baltic Horizon Fund) To provide investment management services (see Section 3.1. above).
AML / CTF service providers To implement measures of anti-money laundering (AML), counter-terrorist financing (CTF), and sanction screening (see Section 3.3. above)
International and local databases To implement measures of anti-money laundering (AML), counter-terrorist financing (CTF), and sanction screening (see Section 3.3. above)
From person(s) discharging managerial position with us, if you are close associate of them To publish managers’ transactions and maintain insiders, managers and their close associates lists (see Section 3.4. above)
Placement agents To provide information about Northern Horizon (see Section 3.6. above)
Social media service providers or marketing service providers To provide information about Northern Horizon (see Section 3.6. above)

To distribute press releases (see Section 3.7. above)

To manage our social media profiles (see Section 3.8. above)

To carry out the selection of potential employees (see Section 3.10. above)

HR service providers To carry out the selection of potential employees (see Section 3.10. above)
Law enforcement authorities, courts To defend our rights and interests in legal proceedings (see Section 3.12. above).
Parties that are subject or related to legal processes To defend our rights and interests in legal proceedings (see Section 3.12. above).
5 Who do you share my data with?

We share your data with data recipients, both within and outside the European Economic Area (EEA), in cases where necessary for the above-described purposes and allowed in accordance with applicable laws.

No Category of the information recipient Location of the recipient In case data are transferred outside the EEA, what is the legal basis for such transfer?
1.1. Other Northern Horizon group companies Denmark (EU), Lithuania (EU), Finland (EU), Estonia (EU), Sweden (EU), Germany (EU) N/A
1.2. AML / CTF and identification service providers, depositaries, central fund administration, central securities depositaries Luxembourg (EU), Estonia, Sweden (EU) N/A
1.3. Insurance service providers Lithuania (EU) N/A
1.4. Accounting and other financial service providers Lithuania (EU), Finland (EU), Estonia (EU), Denmark, Sweden, Germany, Luxembourg N/A
1.5. Software service and maintenance service providers EU N/A
1.6. Communication service providers Lithuania (EU), Estonia (EU), Finland (EU), Sweden (EU), Denmark (EU), Germany (EU) N/A
1.7. Parcel delivery service providers EU N/A
1.8. Social media service providers US EU Standard Contractual Clauses
1.9. Marketing and PR service providers Lithuania (EU), Estonia (EU), Latvia (EU), Finland (EU), Sweden (EU), Denmark (EU), Germany (EU), N/A
1.10. Compliance and legal service providers EU N/A
1.11. Third party acquirers Worldwide EU Standard Contractual Clauses
1.12. Placement agents, financial, tax and legal advisors EU, UK N/A
1.13. State institutions and regulatory authorities EU, UK N/A

6 What statutory rights do I have regarding my data?

Subject to conditions, limitations, and exceptions established by statutory data protection provisions, you have the rights listed below:

My right When is this right applicable to me?
Right of access when you seek to obtain confirmation as to whether we collect or otherwise process personal data concerning you, and, where that is the case, access to the personal data and the information about the data processing.
Right to rectification when you seek to obtain from us the rectification of inaccurate personal data concerning you.
Right to erasure (‘right to be forgotten”) – when personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

– when you withdraw consent on which the processing is based and there is no other legal ground for the processing;

– when you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes;

– where the personal data have been unlawfully processed;

– where the personal data have to be erased for compliance with a legal obligation;

– where the personal data have been collected in relation to the offer of information society services directly to a child and subject to a consent.

Right to restriction of processing – where the accuracy of the personal data is contested by you;

– where the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

– where we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;

– where you have objected to processing.

Right to data portability where you seek to receive the data you have provided in a structured, commonly used and machine-readable form or to transmit those data to another controller, the processing is based on consent or on a contract and is carried out by automated means.
Right to object where the collection and use is based on a task carried out in the public interest or in the exercise of official authority vested or legitimate interest, including profiling, as explained in Section 3 of this Privacy Policy, or where you object to the collection of your personal data for direct marketing purposes.
Right to withdraw consent where the processing is based on consent, as explained in Section 3 of this Privacy Policy, and you seek to withdraw it at any time.
Right to lodge a complaint where you want to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the GDPR.
7 Do you engage in automated individual decision-making, including profiling?

No, we do not make decisions based solely on automated processing, including profiling, which would produce legal effects concerning you.

8 Does your website use cookies or similar tracking technologies?
9 How can I contact your data protection officers?

If you have any questions, comments, or complaints regarding how we collect, use, and store your personal information, our data protection officers are ready to help you. If you need their help, you may contact them at any time via dataprotection@nh-cap.com.