Privacy Notice
Last Updated: January 2025
Effective Upon Publication
PREAMBLE
This Global Privacy Notice (“Privacy Notice”) is hereby issued by Deistler Family Office, together with its worldwide subsidiaries, affiliates, branches, investment vehicles, managed accounts, co-investment structures, advisory entities, and any successor organisations (collectively, “Deistler”, “we”, “us”, “our”), and shall govern, regulate and describe, in comprehensive and legally binding form, the manner in which Personal Data is collected, processed, stored, transferred, disclosed or otherwise handled by Deistler, hereunder and thereafter, in the course of its global activities.
This Privacy Notice is drafted for applicability in all jurisdictions in which Deistler operates or may operate, including without limitation the European Union and EEA, United Kingdom, Switzerland, United States, Canada, Singapore, Hong Kong, United Arab Emirates (including DIFC and ADGM), Japan, Australia, Brazil, and any other jurisdiction in which Deistler conducts regulated or unregulated financial services.
This Privacy Notice is intended to comply with, and shall be interpreted pursuant to, applicable global data-protection and financial-sector regulatory requirements, including without limitation:
Regulation (EU) 2016/679 (the “GDPR”)
UK Data Protection Act & UK GDPR
Swiss Federal Act on Data Protection 2023 (“FADP”)
DIFC Data Protection Law
CCPA/CPRA (California)
GLBA & SEC Regulation S-P
MAS Privacy Principles & Cyber Hygiene Requirements
BaFin requirements under the KWG, ZAG, and MaRisk
FINMA Circulars (incl. Outsourcing, Operational Risks, Cloud, Governance)
FCA Handbook, SYSC, COBS & PRIN obligations
Hong Kong PDPO
Singapore PDPA
Brazil LGPD
This Privacy Notice does not constitute legal advice and shall be reviewed by qualified counsel prior to implementation.
SECTION 1 — DEFINITIONS
For the purposes hereof, and save where the context requires otherwise, the following definitions shall apply:
1.1 “Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to identifiers, financial information, regulatory information, digital identifiers, behavioural data, investment suitability data, transactional data, or any information defined as personal, sensitive, special, or regulated under applicable law.
1.2 “Special Category Data” shall mean Personal Data subject to enhanced protection pursuant to GDPR Article 9 and equivalent local provisions, including without limitation biometric identifiers, health data, political opinions, religious beliefs, and ethnicity.
1.3 “Processing” shall mean any operation performed on Personal Data, whether automated or otherwise, including without limitation collection, recording, structuring, storage, adaptation, extraction, consultation, use, transmission, dissemination, erasure, or destruction.
1.4 “Controller” shall mean the entity determining the purposes and means of Processing Personal Data; Deistler shall act as Controller save where expressly stated otherwise.
1.5 “Processor” shall mean any third party that Processes Personal Data on behalf of Deistler.
1.6 “Joint Controller” shall mean any entity with which Deistler jointly determines the purposes and means of Processing.
1.7 “International Transfer” shall mean any cross-border disclosure or Processing of Personal Data to a jurisdiction outside the one in which the Data Subject resides.
1.8 “High-Risk Processing” shall include profiling, automated decision-making, AML/KYC processing, suitability assessments, cross-border transfers to non-adequate jurisdictions, or Processing of Special Category Data.
1.9 “Supervisory Authority” shall denote any competent regulatory or data protection authority with jurisdiction over Deistler’s activities.
1.10 “RoPA” shall mean Records of Processing Activities maintained pursuant to GDPR Article 30 and global equivalents.
1.11 “DPIA” shall mean a Data Protection Impact Assessment required for High-Risk Processing activities.
1.12 “TOMs” shall mean Technical and Organisational Measures implemented for the protection of Personal Data.
1.13 “Financial Crime Data” shall denote any data Processed pursuant to AML, KYC, CTF, sanctions screening, fraud detection, PEP screening, adverse media, beneficial ownership requirements, and regulatory due diligence obligations.
SECTION 2 — SCOPE OF APPLICATION
2.1 This Privacy Notice shall apply to all Processing of Personal Data conducted by or on behalf of Deistler in connection with:
(a) investment management, asset allocation, wealth management or advisory services;
(b) family office services, including structuring, governance and intergenerational planning;
(c) co-investment, syndication, private equity, real estate, venture capital and alternative investment activities;
(d) onboarding, KYC, AML, suitability assessments, and ongoing monitoring;
(e) regulatory compliance, reporting and supervisory interactions;
(f) risk management, operational resilience and prudential oversight;
(g) digital interactions through https://deistler.family or any related portals;
(h) employment, vendor, advisory or applicant relationships;
(i) security, monitoring, access control and safeguarding of premises;
(j) any activity reasonably incidental or necessary to the conduct of Deistler’s global business.
2.2 This Privacy Notice shall govern all Personal Data collected directly from Data Subjects or indirectly from third parties, including without limitation intermediaries, custodians, administrators, financial institutions, counterparties, public registries, data vendors, analytics providers and compliance platforms.
2.3 Where local laws require localisation, segregation, or specific transfer mechanisms, this Notice shall be supplemented by jurisdiction-specific addenda, which shall form an integral part hereof.
SECTION 3 — CATEGORIES OF PERSONAL DATA PROCESSED
Deistler may Process, without limitation, the following categories of Personal Data:
3.1 Identification & Contact Data
Names, titles, birthdates, identification numbers, passport details, signature specimens, residential addresses, email addresses, telephone numbers, and emergency contacts.
3.2 Regulatory & Compliance Data
AML/KYC documentation; beneficial ownership details; PEP screening results; sanctions-list matches; adverse media analysis; tax residency; CRS/FATCA identifiers; MiFID suitability data.
3.3 Financial & Investment Data
Account identifiers; portfolio holdings; transaction histories; risk profiles; investment objectives; financial statements; income and wealth indicators; source of wealth declarations.
3.4 Digital & Technical Data
IP addresses; device metadata; login credentials; MFA tokens; behavioural analytics; website usage statistics; session replay data; tracking cookies; heatmaps; server log files.
3.5 Communications Data
Recorded telephone calls; emails; meeting notes; CRM records; secure messaging transcripts, as permitted by local regulations (e.g., SEC, FCA SYSC, BaFin MaRisk).
3.6 Special Category Data
Processed only under limited lawful conditions, including biometric identifiers, disability information, and sensitive data where required for regulatory suitability or AML/identity verification.
3.7 Physical Security Data
CCTV images; building access logs; visitor records; security incident reports.
3.8 Vendor, Employment & Professional Data
Professional qualifications, employment history, references, contractual data, conflicts-of-interest disclosures, and due-diligence materials.
SECTION 4 — PURPOSES OF PROCESSING
Deistler shall Process Personal Data only for lawful, legitimate and explicitly defined purposes, including without limitation:
4.1 Provision of Services
To establish, perform, manage and administer wealth management, family office, fiduciary, advisory and investment-related services.
4.2 Regulatory Compliance
To comply with obligations imposed by BaFin, FINMA, FCA, MAS, SEC, IRS, HMRC, ESMA, FATF and other authorities, including:
AML/KYC/CTF compliance
transaction monitoring
suspicious activity reporting
suitability and appropriateness assessments
CRS/FATCA reporting
prudential risk reporting
regulatory audits and inspections
4.3 Contractual Obligations
To perform obligations arising under agreements with clients, investors, counterparties, custodians or service providers.
4.4 Legitimate Interests
Including business operations, risk management, cyber security, analytics, fraud prevention, and the protection of Deistler’s property, personnel or clients.
4.5 Marketing Communications
Subject to applicable laws, to provide information regarding investment opportunities, market updates, events or publications.
4.6 Operational Resilience
Including disaster recovery, backups, IT failover, penetration testing, red-team assessments and incident response.
4.7 Governance & Oversight
Including reporting to boards, audit committees, risk committees and regulators.
SECTION 5 — LEGAL BASES FOR PROCESSING
5.1 General Rule.
Deistler shall Process Personal Data only where a valid legal basis exists pursuant to applicable data-protection laws. The legal bases hereunder shall include, without limitation:
(a) Performance of a Contract, where Processing is necessary to enter into or fulfil agreements with clients, investors, or service providers.
(b) Compliance with Legal or Regulatory Obligations, including obligations imposed by BaFin (Germany), FINMA (Switzerland), FCA (United Kingdom), MAS (Singapore), SEC/FINRA/CFTC (United States), ESMA, FATF, OECD, and any other competent authority.
(c) Legitimate Interests, where Processing is necessary for the pursuit of Deistler’s lawful and proportionate business objectives and such interests are not overridden by the rights or freedoms of Data Subjects.
(d) Consent, where required pursuant to GDPR Article 6(1)(a), Article 9(2)(a), or equivalent provisions under foreign laws.
(e) Protection of Vital Interests, where Processing is necessary to protect the life or physical integrity of a Data Subject or another person.
(f) Establishment, Exercise, or Defence of Legal Claims, pursuant to GDPR Article 9(2)(f) and global equivalents.
5.2 Special Category Data.
Where Deistler Processes Special Category Data, such Processing shall occur only:
(a) with explicit consent;
(b) pursuant to substantial public interest under applicable law;
(c) where necessary for legal claims;
(d) where required for AML, sanctions compliance, or identity verification;
(e) pursuant to a regulatory obligation mandated by financial supervisory authorities.
5.3 Automated Decision-Making and Profiling.
Deistler may utilise automated systems for AML screening, transaction monitoring, and risk profiling. Where such Processing produces legal effects or significantly affects a Data Subject, Deistler shall provide meaningful information about the logic involved and the right to human intervention, pursuant to GDPR Article 22 and equivalent laws.
SECTION 6 — DATA SHARING AND DISCLOSURE
6.1 Intra-Group Transfers.
Personal Data may be shared among Deistler entities globally for centralised administration, risk management, compliance, and service delivery, subject to intra-group data transfer agreements.
6.2 Third-Party Recipients.
Deistler may disclose Personal Data to:
(a) custodians, prime brokers, depositaries, administrators, transfer agents;
(b) auditors, legal counsel, tax advisors, consultants;
(c) IT service providers, cloud hosts, cybersecurity vendors;
(d) regulatory authorities, tax authorities, law enforcement agencies, courts, tribunals;
(e) counterparties, exchanges, clearing houses, trade repositories.
6.3 Confidentiality Obligations.
All third-party recipients shall be subject to strict confidentiality and data-protection obligations, either by contract or by law.
SECTION 7 — INTERNATIONAL DATA TRANSFERS
7.1 Cross-Border Flows.
Given Deistler’s global nature, Personal Data may be transferred to, stored in, or accessed from jurisdictions outside the EEA, UK, or Switzerland, including jurisdictions that may not provide an equivalent level of data protection.
7.2 Transfer Mechanisms.
Where Personal Data is transferred to a “third country” not deemed adequate by the European Commission (or relevant authority), Deistler shall implement appropriate safeguards, including:
(a) Standard Contractual Clauses (SCCs) approved by the European Commission / UK ICO / Swiss FDPIC;
(b) Binding Corporate Rules (BCRs);
(c) Reliance on specific derogations (e.g., performance of a contract, legal claims, consent);
(d) Transfer Impact Assessments (TIAs) to evaluate the risk of government access in the recipient jurisdiction.
SECTION 8 — DATA RETENTION AND DESTRUCTION
8.1 Retention Periods.
Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws (e.g., 5-10 years for AML/tax/regulatory records).
8.2 Destruction.
Upon expiry of the applicable retention period, Personal Data shall be securely deleted, anonymised, or destroyed in accordance with Deistler’s data destruction policies and NIST/ISO standards.
SECTION 9 — DATA SECURITY AND INTEGRITY
9.1 Security Measures.
Deistler implements robust technical and organisational measures (TOMs) to protect Personal Data against unauthorised access, loss, alteration, or destruction, including:
(a) encryption of data at rest and in transit;
(b) multi-factor authentication (MFA) and strict access controls;
(c) network segmentation, firewalls, and intrusion detection systems;
(d) regular penetration testing and vulnerability scanning;
(e) physical security controls at data centres and offices;
(f) staff training and awareness programmes.
9.2 Incident Response.
Deistler maintains a comprehensive Data Breach Response Plan to detect, investigate, contain, and report personal data breaches to Supervisory Authorities and Data Subjects within statutory timeframes (e.g., 72 hours under GDPR).
SECTION 10 — RIGHTS OF DATA SUBJECTS
10.1 Rights.
Subject to applicable law, Data Subjects may have the right to:
(a) Access: Request a copy of their Personal Data;
(b) Rectification: Correct inaccurate or incomplete data;
(c) Erasure (“Right to be Forgotten”): Request deletion of data, subject to regulatory retention obligations;
(d) Restriction: Limit the Processing of data;
(e) Portability: Receive data in a structured, machine-readable format;
(f) Objection: Object to Processing based on legitimate interests or for direct marketing;
(g) Withdraw Consent: Withdraw consent at any time (without affecting the lawfulness of prior Processing);
(h) Complaint: Lodge a complaint with a Supervisory Authority.
10.2 Exercise of Rights.
Requests to exercise these rights should be submitted to the Data Protection Officer (DPO) at the contact details below. Deistler may require identity verification before processing such requests.
SECTION 11 — COOKIES AND TRACKING TECHNOLOGIES
11.1 Usage.
Deistler uses cookies, pixels, and similar technologies to enhance website functionality, analyse usage, and improve security. Please refer to our Cookie Policy for detailed information.
SECTION 12 — UPDATES AND AMENDMENTS
12.1 Revisions.
Deistler reserves the right to amend this Privacy Notice at any time to reflect changes in law, regulation, or business practices. Updated versions will be published on the Website with a revised “Last Updated” date.
SECTION 13 — CONTACT AND DPO
13.1 Contact Details.
For all inquiries regarding this Privacy Notice or data protection matters, please contact:
Deistler Family Office
Data Protection Officer (DPO)
Email: [email protected]
13.2 Supervisory Authorities.
Data Subjects also have the right to contact their local data protection authority (e.g., Hesse Data Protection Commissioner in Germany, ICO in the UK, FDPIC in Switzerland).
