Data Protection Policy for Clients

For the data protection and privacy policy of Chelton AB (Sweden), see further down.

 Scope and purpose

This Data Protection and Privacy Policy (’’Policy’’) applies to Chelton GmbH, Bahnhofstrasse 32, 6300 Zug (’’Company’’) and CheltonWealth.com when it processes personal data of clients and business partners (’’Clients).

This Policy sets out the obligations of the Company regarding data protection and the rights of the Clients in respect of their personal data under the Swiss Data Protection Act (’’DPA’’) and General Data Protection Regulation (’’GDPR’’), as amended from time to time (collective ’’Regulation’’).

The Regulation defines ’’personal data’’ as any information relating to an identified or identifiable natural person: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the procedures that are to be followed by the Company when dealing with personal data of Clients.

Company’s contact 

Since the company does not:

• process data on a large scale
• process data systematically
• process special categories of data (data on ethnic origins, sex, religion, etc.) or criminal data

it has not assigned a Data Protection Officer. However, in the event of questions relating to this Policy or the personal data processed, the Company can be contacted by email to service@chelton.ch

Legal basis for processing

The Company processes personal data in order to perform its obligations under the respective contract concluded with the Client, or for the purpose of other legitimate interest, or in order to comply with a legal duty imposed on the Company in connection with the applicable laws.

Information collected by the Company

The following personal data may be collected, held, and processed by the Company:

1. the Client’s name, ID or passport, telephone number(s), mailing address, email address and any other information (including KYC information) relating to the Client which the Client has provided to the Company;
2. name, ID or passport, telephone number(s), mailing address, email address and any other information (including KYC information) relating to employees, agents, officers, managers, owners, beneficial owners or other natural individuals relating to the entity the Client represents or works for or other third parties, which the Client has provided to the Company.

Ways of collecting personal data 

Generally, the Company may collect personal data in the following ways:

1. when the Client submits forms or applications to the Company;
2. when the Client submits requests to the Company;
3. when the Client uses the Company’s IT infrastructure;
4. when the Client asks to be included in an email or other mailing list;
5. when the Client responds to our initiatives; and
6. when the Client submits personal data to the Company for any other reason.

 The data protection principle

This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:

1. processes lawfully, fairly, and transparently in relation to the Client;
2. collected for specified, explicit, and legitimate purpose and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purpose for which they are processed, is erased or rectified without delay;
5. kept in a form which permits identification of the Client for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the Client;
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Privacy Impact Assessments

The Company shall carry out Privacy Impact Assessments when and as required under the Regulation.

Client’s rights

The Client has the following rights under the Regulation:

1. the right to be informed about the collection and use of the personal data by the Company;
2. the right of access to the personal data the Company holds about the Client;
3. the right to rectification if any personal data the Company holds about the Client is inaccurate or incomplete;
4. the right to be forgotten – i.e. the right to ask the Company to delete any personal data it holds about the Client;
5. the right to restrict (i.e. prevent) the processing of the personal data;
6. the right to data portability (obtaining a copy of the personal data to re-use with another service or organization);
7. the right to object to the Company using the personal data for particular purposes; and
8. rights regarding automated decision-making and profiling (where applicable).

Data protection measures

 The Company shall ensure that all its Employees, agents, freelancers, contractors, or other parties working on its behalf when processing data, will apply and implement the appropriate technical (e.g use of passwords; encryption of sensitive personal data; regular back-ups of secure networks, etc.) and organizational (e.g. access only on on a need to know basis; signing of NDAs by Employees where necessary, etc.) measures.

Transferring personal data to a country outside the EEA 

The Company does not transfer any personal data to countries outside of Switzerland.

Data breach notification

 All personal data breaches must be reported immediately to the Company by written notice or by email to service@chelton.ch  If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of the Client (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Company must ensure that the Swiss Federal Data Protection and Information Commissioner (’’FDPIC’’) and where applicable the competent Information Commissioner’s Office in the EU is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. With regard to data security breaches, the FDPIC must be informed immediately. In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of the Client, the Company must ensure that all affected Clients are informed of the breach directly and without undue delay.

Withdrawal of consent 

In the event consent was given, Clients have the right to withdraw such consent given at any time by sending a written notice or email to the Company to service@chelton.ch

Specific stipulations regarding the use of our website

At CheltonWealth.com, one of our main priorities is the privacy of our visitors. This paragraph contains types of information that are collected and recorded by CheltonWealth.com and how we use it.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us through email at service@chelton.ch

• We are a Data Controller of your information
• Log Files

CheltonWealth.com follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and a part of hosting services’ analytics. The information collected by log files include internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information.

• Cookies and Web Beacons

Like any other website, CheltonWealth.com uses ‘cookies’. These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

Implementation of policy 

This Policy shall form part of the respective contract concluded between the Company and the Client.

PRIVACY NOTICE – PERSONAL DATA REGARDING CLIENTS

Valid as of the April 12, 2023

CHELTON AB

This privacy notice contains information to you as a client about Chelton AB’s processing of personal data.

1. (Personal data) controller

The personal data controller for the processing of data that occurs within the operations is Chelton AB, reg.no. 559056-6641, Föreningsgatan 28, 211 65 Malmö (”Chelton”).

Chelton conducts “other financial activities” pursuant to 1 § 2 pt. of the Currency Exchange and Other Financial Activities Act (1996:1006) (Sw: lag (1996:1006) om valutaväxling och annan finansiell verksamhet) as a registered financial institution (Insitution number with Finansinspektionen: 70413). The business activities of Chelton is to provide to its clients a discretionary currency management service.

Peter Borggren is the contact person for questions about Chelton’s processing of personal data. Questions and remarks regarding Chelton’s processing of personal data can be directed to the contact person.

Peter Borggren
info@cheltonwealth.se
+46 (0)70 744 43 62

2. Information regarding Chelton’s processing of personal data

Chelton processes personal data as further described below within

• marketing of its currency management services,
• conducting legally required client knowledge measures, and
• execution of its currency management services.

Further, Chelton also processes personal data related to employees, potential employees, service providers etc. which however is not covered in this document.

2.1 Marketing of the currency management services

General

Chelton markets its currency management services through direct marketing measures towards potential clients.

Purpose and legal grounds

Chelton’s processing personal data within the marketing activities is based on legitimate interest.

Chelton’s potential clients consist of both physical persons and legal entities. In the case of legal entities, the personal data is for example processed regarding the legal entity’s contact persons, authorized signatories, owners etc. The legal basis in such cases is legitimate interest that derives from the relation with the client (the legal entity).

Within its marketing activities Chelton might receive and handle lists of potential clients (the “Prospect lists”) for marketing of the currency management services to these potential clients. Processing of personal data within Prospect lists is based on legitimate interest. When a potential client from a Prospect list is contacted and that client express that it is not interested in the currency management services offered by Chelton, that client’s personal data shall be sorted out and deleted. Personal data regarding clients that in contacts with Chelton have expressed interest in the currency management services will be processed for further marketing purpose.

Categories of personal data

Chelton processes the following categories of personal data.

When the client is a legal entity:

• contact information such as name, address, email address, and phone numbers of contact persons, authorized signatories, owners and others, and
• financial information, mainly the client’s investments.

When the client is a private individual:

• name, address, phone numbers and email address,
• potential attorney, and
• financial information, mainly the client’s investments.

The personal data is registered in Chelton’s CRM system, e-mail system and where applicable in form of meeting minutes.

Recipient of personal data

Those who may receive the personal data, besides Chelton’s employees, include where applicable external IT suppliers.

Storage of personal data

Chelton applies routines for sorting out and deleting personal data where the client has revoked its consent, there is no longer any need of the personal data, the personal data is obsolete, etc.

2.2 Conducting legally required client knowledge measures

General

As a registered financial institution Chelton is required to comply with the Act (2017:630) on Measures Against Money Laundering and Terrorism Financing (Sw: lagen (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism) (the “AML Act”). The AML Act states, inter alia, a requirement for Chelton to obtain client knowledge (KYC) before a business relationship is commenced and thereafter during the duration of the business relationship.

Purpose and legal grounds

The purpose of the processing of personal data in question is to comply with the AML Act regarding client knowledge. The basis for Chelton’s KYC measures, for which personal data is processed, is thus a legal requirement. Chelton’s client knowledge procedure includes verifying the identity of representatives of the legal person and, where applicable, the beneficial owner, as well as checking whether the beneficial owner (legal person) or client (natural person) constitutes a so-called PEP (Politically Exposed Person), and whether the representative, beneficial owner or client is inserted on a sanction list. Further on, Chelton checks the purpose and type of the business relationship as well as the origin of the assets that are managed by Chelton.

Categories of personal data

Chelton processes the following categories of personal data when conducting client knowledge measures.

When the client is a legal entity:

• contact information such as name, address, email address, and phone numbers of contact persons,
• authorized signatories,
• owners and others,
• ID-information (such as copies of passport or ID-documents),
• PEP-position (including profession/title) of representatives and beneficial owners,
• if a representative or beneficial owner is inserted on a sanction list, and
• financial information, mainly the client’s investments.

When the client is a private individual:

• name, address, social security number, phone numbers and email address,
• potential attorney,
• Chelton positions,
• ID-information (such as copies of passport or ID-documents),
• PEP-position (including profession/title) and
• if a client or representative is inserted on a sanction list,
• account information, and
• financial information, mainly the client’s investments.

The KYC process is carried out on a tool called Due PTL, which is provided by Due Compliance AB. The information is retrieved in the tool.

Chelton may also collect information from Bisnode or UC.

Recipient of personal data

Personal data is stored in Due PTL which is a tool provided by Due Compliance AB for this process. Personal data processed in connection to Chelton’s KYC measures is also stored in DropBox, which is Chelton’s cloud-based service for document storage. Furthermore, Chelton may share the information with other IT and system vendors that provide support for Chelton’s systems and cloud services. Chelton may also share information with the Financial Intelligence Unit within the Swedish Police if such disclosure is prescribed by law.

Storage of personal data

The personal data collected within the scope of KYC measures is stored during the ongoing business relationship and for five years from the termination thererof or such longer period of time that may be required by the AML Act.

2.3 Execution of the currency management services

General

The currency management service requires that the client has currency accounts at an account-/custody institute (the “Depositary”) where the assets that subject to the management service is deposited. Chelton and the client enters into an agreement regarding the currency management service and the client provides Chelton with a power of attorney to execute spot-fx transactions with the assets of the client at the Depositary within the agreed management mandate. Currency transactions are then conducted on a discretionary basis by Chelton by submitting spot-fix orders at the Depositary on behalf of the client. The currency management service is provided pursuant to the agreement with the client until the client terminates the agreement with Chelton.

Purpose and legal grounds

Chelton’s processing personal data within the execution of the currency management services is based on agreement with the client.

Categories of personal data

Chelton processes the following categories of personal data.

When the client is a legal entity:

• contact information such as name, address, email address, and phone numbers of contact persons, authorized signatories, owners and others, and
• financial information, mainly the client’s investments.

When the client is a private individual:

• name, address, social security number, phone numbers and email address,
• potential attorney,
• account information, and
• financial information, mainly the client’s investments.

The personal data is registered in Chelton’s CRM system, e-mail system and where applicable in form of meeting minutes.

Recipient of personal data

Those who may receive the personal data, besides Chelton’s employees, include where applicable external IT suppliers.

Storage of personal data

Chelton stores personal data for so long the currency management agreement with the client is valid and thereafter for a period of 10 years after the termination of the agreement (pursuant to the general prescription period for claims (Sw: allmänna preskriptionsfristen).

3. Use of cookies

Cookies are small text files containing letters and numbers sent from Chelton’s web server to be saved on the visitor’s web browser or device. On www.cheltonwealth.se, Chelton uses the following cookies:

• Third-party cookies (cookies established by a third party’s website). Chelton uses these primarily for analyses, for example Google Analytics.

The cookies used generally improve Chelton’s marketing activities. Chelton uses cookies for general analytical information regarding your usage of Chelton’s web page and to save certain functional settings such as language and other data. You can read more about cookies with regard Chelton on www.cheltonwealth.se.

As a visitor on Chelton’s website, you may consent to the usage and storage of cookies. You can at any time withdraw your consent to the use of cookies for the purposes stated above by adjusting your web browser’s settings to not consent to the use of cookies. If you select not to consent to the use of cookies, you can still access our web page, however, the use of certain functions and parts of our web page may be limited.

4. The rights of the data subject

The right to access (so-called extract from the register)

You are entitled to be informed about the processing that Chelton perform regarding you. This must include a description of the purpose and legal basis of the processing, which categories of personal data it concerns and who receives the personal data. Chelton have compiled this information as outlined above for your ease of reference. An extract from the register means that you are provided with an overview of the processing so that you may understand if, and for what purpose, your personal data is processed.

Right to rectification, erasure, or restriction

If you believe that Chelton have processed your personal data incorrectly, or that it may need to be rectified, you are entitled to request that Chelton correct the data, and, if you do not want Chelton to continue processing the personal data, you are entitled to request that Chelton erase the data. Chelton will rectify or delete the personal data if it is possible in respect of our purpose for the processing and the legal requirements that Chelton are under a duty to follow.

If you believe that the personal data Chelton store about you is inaccurate, that Chelton’s processing is illegal or that Chelton do not need the data for a specific purpose, you have the right to request that Chelton restrict its processing of your personal data. You can also request that Chelton shall restrict the process of your personal data while Chelton investigate whether your request to exercise any other rights can be granted.

However, it should be noted that the right to rectification or erasure may be limited in some cases, as Chelton is a registered financial institution and hence required by law to store certain information.

The right to object in certain circumstances

You are entitled to object at any time to the processing of your personal data if the legal basis for the processing consists of the performance of a task in the public interest, or a balancing of interests. If you object, Chelton will examine whether its interest in processing your data outweighs your interest in not having your personal data processed.

You also have the right to object at any time to the processing of your personal data on the grounds of direct marketing.

The right to data portability

You are entitled to retain the personal data that has been provided to Chelton and have the right to transfer this data to another personal data controller subject to:

1. it is being technically feasible; and
2. the legal basis for the processing consists of consent, or that the processing was necessary for the fulfilment of an agreement.

The right to withdraw consent

If the processing of personal data is based on consent, you are entitled to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The right to lodge a complaint regarding the processing of personal data

You always have the right to contact the Swedish Authority for Privacy Protection to lodge a complaint linked to Chelton’s processing of personal data. Below you will find the contact information for the Swedish Authority for Privacy Protection.

Telephone number: 08-657 61 00
Email address: imy@imy.se

If you, as a data subject, wish to exercise your rights or have a response to other questions, you can find Chelton’s contact information set out in Section 1. You are entitled to contact Chelton as an alternative to contacting the Swedish Authority for Privacy Protection.

5. How Chelton protects your personal data

Chelton uses IT systems to protect the secrecy, privacy, and access to personal data. Chelton has performed certain security measures to protect your personal data against unlawful or unauthorized processing (such as unlawful access, loss, destruction, or damage). Access is provided to only authorized individuals that are required to process your personal data in order for Chelton to be able to fulfil the purposes set out above.

6. Transfer of data to third parties

Chelton always aim to only process personal data within the EU/EEA. Where appropriate, Chelton may share personal data with a third party in a country outside the EU/EEA, a so-called third country. In the event of a transfer to a third country, Chelton will ensure that such transfer is made in accordance with applicable data protection legislation, either by basing the transfer on an adequacy decision by the European Commission or by using the European Commission’s standard contractual clauses with organizational and technical safeguards.

Personal data may be transferred to the following recipients outside the EU/EEA:

Depositary

Chelton’s currency management service requires that the client has currency accounts at Axi Financial Services (UK) Limited (“Axi“) Axi is domiciled in the UK that is not a member of the EU/EEA. Forms and other documents for account opening may hence be transferred outside the EU/EEA, which is however only done after instruction of the client and subject to the client’s consent.

For more information about Axi’s processing of personal data, please refer to: https://www.axi.com/de/legal-documentation/privacy-policy

System providers

In the operation of Chelton’s business, we use Microsoft Office 365 as system provider. In connection with Microsoft receiving personal data about you, your personal data may be transferred to, for example, the United States. For more information about how Microsoft processes personal data see:

https://privacy.microsoft.com/en-us/privacystatement

To read more about the transfer of personal data to third countries and to access the standard contractual clauses, see:

https://learn.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses

Social media

social media platforms (Facebook, Instagram and LinkedIn), your personal data is also collected and processed by the companies providing such platforms (Meta and LinkedIn). When these companies receive personal data, data may also be transferred to the United States.

Facebook and Instagram

When using the services in question, your personal data will be processed by Meta Platforms Ireland Limited. For more information on the processing, transfer of personal data to third countries and to read the standard contractual clauses, see:

• https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer
• https://www.facebook.com/help/566994660333381?ref=dp&helpref=faq_content

LinkedIn

By using the service, your personal data is processed by LinkedIn Ireland Unlimited Company. For more information on the processing, transfer of personal data to third countries and to read the standard contractual clauses, see:

• https://www.linkedin.com/legal/privacy-policy
• https://www.linkedin.com/help/linkedin/answer/a1343190

8. Changes to this privacy notice

Chelton reserves the right to change and update this privacy notice. Chelton will provide information appropriately should the privacy notice be materially changed, or in the event that personal data is to be processed in another manner than what is stated in the privacy notice.