Privacy Policy

Background

PYN Fund Management Ltd (later also ”PYN” or ”Company”) manages PYN Elite Fund (non-UCITS) and in its activity processes personal data of the fund unit holders or the persons intending to be such, as well as personal data of the personnel and potentially of persons belonging to other interest groups.

Taking care of data protection is an essential part of Company’s activity, risk management and responsible activity principles. The basic principles of processing personal data and the significance of data protection in the company are defined in Privacy Policy. This Privacy Policy is the highest document that guides data protection in the company and it is visible to the entire personnel working in the organisation, interest groups and data subjects.

Data protection means taking into account the requirements concerning the processing of personal data and realising the protection of data subjects’ privacy and due process. Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to other factors specific to that natural person.

The principles of Privacy Policy are based on national, general and branch-related decrees, guidelines and standards that guide and obligate information security, data protection, the principles of good data management and the quality of data. The requirements of the EU General Data Protection Regulation and other applicable legislation (2016/679 EU) are obeyed in the processing of personal data.

Factors guiding data protection activity

Acquiring and processing data

We acquire data from the persons themselves and from reliable sources. The systems and services of the Company have been planned with paying attention to data protection. The personal data are only processed for the specified purposes that are expressed in privacy notices. There is a data protection organisation that processes data protection in our Company, and that follows and improves data protection issues. There are detailed guidelines concerning acquiring and processing data formed in the Company.

We only collect and process the personal data that are necessary for our operation. We only store those data for so long that is necessary for the defined purpose, unless the legislation requires to store the data longer. After this, the data are duly destroyed or anonymized.

Data subject’s rights

Data protection means protecting a person’s private life and as a controller we openly inform about the processing of personal data before starting the processing operations. The basic principle of data subject’s rights is guaranteeing the protection of personal data from unauthorised use of data or use that harms the person. The data subject’s rights are legislated in the EU General Data Protection Regulation and national legislation.

According to the data subject’s right to obtain data, new information that shall be reported to the data subject according to the General Data Protection Regulation is the period for which the personal data are stored and the contact details of possible data protection officer if such will be nominated in PYN later, as well as the possibility to lodge a complaint with a supervisory authority. The data subject has the right to check his or her data, to ask for corrections or additions and in some cases to obtain the erasure of personal data by contacting PYN Fund Management Ltd. The data subject has also the right to transmit his or her data from the filing system to another. Using the right to data portability requires that processing is based on data subject’s consent or contract and the processing is performed automatically. When the data subject uses this right, he or she has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The data subject has the right to object to processing his or her personal data in direct marketing purposes and some other situations mentioned in General Data Protection Regulation, after which his or her personal data shall not be processed in said purposes anymore. The data subject also has the right to withdraw his or her consent when the controller has to remove data concerning the data subject from its system unless there is no other statutory basis for processing.

Controller’s rights and duties

We take care of the data subject’s legal rights. In addition, we ensure that personal data are not processed without appropriate legal basis. We look after that personal data are only processed when appropriate requirements exist and that this will also be notified when planning new means of processing. Processing of data is purpose limited that is we define the purposes for which personal data is processed in advance. As a controller, we take care of the quality, necessity and correctness of data as well as data subject’s other rights.

Processing of personal data is planned and instructed in its entirety. The responsibilities and procedures concerning processing of personal data are documented in our internal rules. Privacy notices are composed of filing systems and the data subjects are informed in a way the legislation requires. According to accountability, we create necessary documentations and impact assessments.

We control the processing of personal data and are able to verify from log files also afterwards which personal data have been changed, added or deleted as well as when the measure has been conducted. Procedure is planned in advance. We also realise the technical and organisational measures that are necessary with which it is possible to ensure and indicate that in processing the legislation is obeyed. These measures are checked and updated when necessary.

Processor

We only use such processors that realise sufficient protective measures in order to enforce the appropriate technical and organisational tasks so that the processing fulfills the requirements of General Data Protection Regulation. The responsibility of the processor shall be specified by a contract that binds the processor in relation to controller. In the contract, there are defined at least the subject-matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects as well as the duties and rights of the controller.

Technical and organisational solutions to processing of data

Data security is an essential part of data protection’s realisation and a significant factor for the Company in storing the confidentiality of processed data. The legislation concerning data protection requires that the processing of personal data shall be secured and the personal data shall be protected from unauthorised processing.

By risk evaluation, we choose the technical protectioning solutions to protect the data that is in our possession and we have, according to the risk evaluation, constructed an organisational system to supervise, guide and realise daily processing of data in our company. We ensure the data protection level compatible with data protection policy by fulfilling auditions and reviews. The data system solutions in use and the technical realisation of data protection are documented.

We collect log files of the starting, changing and ending events with sufficient accuracy, which is a part of activity compatible with our control system.

Personal data may only be processed by those persons who need data to complete their work tasks. They are bound by confidentiality obligation that will also continue when the contract of employment or the contractual relation terminates.

Data protection training and guides

Data protection issues are a part of each new employees’ introduction and there will regularly be training of those issues to the Company’s employees. The Company has created separate instruction for processing of personal data.

Action when data protection becomes endangered

PYN Fund Management Ltd sees that every action that is against the laws regarding processing of data, this Privacy Policy or the guiding that is based on it risks data protection.

If it is doubted or noticed that data protection has become endangered, this will be investigated immediately. In addition, the data subject whose data protection has become endangered will be notified without delay when necessary. We will also notify to the supervisory authority of personal data breach. The notification to the supervisory authority will be made without undue delay, not later than within 72 hours of noticing the breach.

Offences and sanction

Each of those using the PYN Fund Management Ltd’s data processing systems is obliged to obey the accepted user guidelines and data protection guidelines, PYN Fund Management Ltd’s Privacy Policy and other guidance.

The noticed offences against guidances that are associated to the mentioned, are reported to the organisation’s management. If the activity risking data protection meets the features that are described as punishable action in the law, the issue will be handed over to the authorities for investigation. If the action in question does not fulfill the above-mentioned features but it risks data protection, a notification, a warning or termination of employment can follow as a consequence.

Informing the personnel, data subjects and interest groups

PYN Fund Management Ltd’s personnel will be informed of this Privacy Policy and its changes. Privacy Policy will be updated when necessary. Privacy Policy will also be published in the company’s website www.pyn.fi.

Ratifying Privacy Policy

PYN Fund Management Ltd’s Board of Directors has ratified this policy and accepts all changes in it.&nb