The purpose of this privacy policy notice is to provide you with information on our use of your personal data in accordance with the EU data protection regime introduced by the General Data Protection Regulation (Regulation 2016/679, the "Data Protection Legislation").
We care about your privacy and have the ambition to maintain a high level of data protection. In the abbreviated version of Nyhavn Capital's Privacy Policy below, we describe how your personal data is collected and used. Here you will also see what rights you have if your personal data has been registered. 
What is personal data and processing of personal data?
Personal Data is defined as any information relating to an identified or identifiable natural person (‘Data Subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, economic, cultural or social identity of that natural person.  
Processing is defined as any operation or set of operations which is performed on personal data or  sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is responsible for the collected personal data?
Nyhavn Capital AB, org.nr 559264-9783, Kungsgatan 64, 111 22 Stockholm, Sweden, is the data controller for the Company's processing of personal data.
What personal data is processed?
In order for the Company to perform its offered services, it processes the following categories of personal data;
-    Name, 
-    Business contact details, and
-    Data obtained from global sanctions and Politically Exposed Persons (‘PEP’) lists.
Personal data is collected on the following categories of individuals for the purposes of establishing a business relationship and Know Your Customer and anti-money laundering procedures;
-    Employees representing institutional clients or service providers, and
-    Directors, officers and owners of corporate or institutional clients.
Where is personal data collected from?
In addition to the information provided by the Data Subject before, during or after the establishment of a business relationship, personal data may also be collected from other parties, such as:
-    Address information from public registers,
-    Information required to obtain customer due diligence under anti-money laundering rules,
-    Other information from public sources, such as social media, enquiry services or rating agencies, or
-    The Company's own assessments and recommendations related to the performance of investment services.
Sharing personal data with other parties
We are restrictive in sharing personal data with other parties, but sometimes it is necessary for the business to be carried out efficiently and correctly.
In cases where it is necessary to be able to offer the investment services, personal data is shared with companies that are so-called data processors of the Company. They process the information on our behalf and according to our instructions. The Company has personal data processors who perform:
-    Anti-money laundering control (obtaining customer due diligence at the start of a business relationship),
-    Marketing (print and distribution, social media, media agencies), or
-    IT services (companies that handle the necessary operation, technical support and maintenance of our IT solutions).
All data processors are checked to ensure that they can provide sufficient guarantees regarding the security and confidentiality of personal data.
Where is personal data processed?
The Company's own IT systems are located within the EU/EEA. However, in the case of system support and maintenance, it may be necessary to transfer the information to a country outside the EU/EEA. Regardless of the country in which the personal data is processed, all reasonable legal, technical and organisational measures are taken to ensure that the level of protection is the same as within the EU/EEA.
How long is the personal data stored?
The personal data is not stored for longer than is necessary for the respective purpose. This could be for up to ten years in accordance with the legal requirements for specific types of personal data.
What rights do you have as a data subject?
Right of access 
You have the right to access your data in the form of a register extract. 
Right to rectification
If the personal data we have registered about you is incorrect or incomplete, you have the opportunity to request correction or supplementation.
Right to erasure
It is possible to request the deletion of your personal data if:
-    The data are no longer necessary in relation to the purposes for which they were collected or processed,
-    There are objections to a balancing of interests, based on an assessment of the Company's legitimate interest and the Data Subject's reasons for objection,
-    Personal data has been used for direct marketing purposes that you do not want,
-    The personal data is processed in an unlawful manner.
The Company may reject your request for erasure if there are legal obligations that prevent deletion. These obligations come from accounting and tax legislation, banking and anti-money laundering legislation. It may also happen that the processing is necessary, for example, a dispute or a court process. If it is not possible to comply with a request for erasure, the personal data will be blocked from any use other than for the purpose that prevents the requested deletion.
Right to restriction
You have the right to request that the processing of your personal data be restricted. This applies primarily if the personal data is stated to be incorrect and in such cases refers to the time needed to verify whether it is correct.
Right to object to certain types of processing
It is always possible to avoid direct marketing and to object to all processing of personal data that is based on a balance of interests.
Right to data portability
If the right to process personal data is based either on consent or on the performance of a contract, it is possible to request that the data that you have provided to us be transferred to another data controller (so-called data portability). 
Handling of social security numbers
Personal identity numbers are only processed when it is justified with regard to the purpose and necessary for secure identification or if there is some other clear and justified reason.
How is personal data protected?
IT systems are used to protect confidentiality, integrity and access to personal data. Special security measures have been taken to protect your personal data against unlawful or unauthorised processing (such as unlawful access, loss, destruction or damage). Only persons who need to process the personal data in order for the purpose of the personal data to be fulfilled have access to it.
The Swedish Authority for Privacy Protection is the supervisory authority
The Swedish Authority for Privacy Protection (formerly the Swedish Data Protection Authority) is responsible for monitoring the application of the legislation, and anyone who believes that a company is handling personal data incorrectly can file a complaint with the authority. Read more on www.imy.se
Contact regarding personal data
Contact the Company's person responsible for personal data via the e-mail address compliance[@]nyhavn-capital.com

​

Updated 2024-01-15