Privacy Policy

Important Information
Penta Capital LLP (“Penta”) is committed to protecting and respecting the confidentiality, integrity and security of personal information about individuals whose data we hold.

This policy sets out the basis on which any personal data we collect from you (“you”, “your”) or that you provide to us, will be processed by us, and how Penta complies with its responsibilities under applicable data protection laws, including, when and to the extent in force, the General Data Protection Regulation (Regulation (EU) 2016/679). Please read this policy carefully.

Data controller
For the purpose of the Data Protection Laws, the data controller of your personal information is Penta Capital LLP of 150 St Vincent Street, Glasgow G2 5NE.

We have appointed a Data Privacy Manager who is responsible for overseeing compliance with Data Protection Laws and this privacy policy.

Personal data – business contacts, suppliers and professional advisers
If you have contacted Penta, for example from a previous meeting or communication, or have previously provided supplies or services to Penta, we may store limited amounts of personal information relating to you, such as your name, job title, employer, contact details and details of any previous service or advice. We will collect and store this personal information for the purposes of:

• recording details of previous interactions, service or advice,
• organising meetings with you;
• providing periodic business updates; and
• other communication of a professional nature.

In accordance with the Data Protection Laws, our legal basis for collecting and storing personal information about you is that such processing is necessary for our legitimate interests in running and promoting our business.

Personal data – actual / potential management teams
If you are involved in a transaction that Penta and/or the funds that it manages enters into, or a potential transaction that Penta is considering, we may keep certain limited amounts of your personal information. This might include information relating to your CV, details of your previous employment history, your financial status and dealings, your nationality (including copies of identity documents, such as a passport), references provided by third parties, and results of other due diligence we may have conducted. We collect and store this information for the purposes of:

• assessing actual / potential transactions;
• assessing your suitability for involvement in a transaction
• administering any transaction that we are involved with;
• complying with our regulatory and legal obligations, including to verify your identity and comply with money laundering and related regulation, and assessing and managing risk;
• safeguarding our own legal rights and interests;
• seeking and receiving advice from our professional advisors; and
• providing business updates.

In accordance with the Data Protection Laws, our legal basis for collecting and storing personal information about you is that such processing is necessary for our legitimate interests in running and promoting our business. For any matter or transaction that you are involved in, it may also be necessary for us to process your personal information for performing that transaction, completing related contracts and to comply with our relevant regulatory and legal duties.

Lawful basis for processing
Data Protection Laws only permit us to process your personal data to the extent that one of the lawful bases set out in the Data Protection Laws applies to that processing. In processing your personal data, we rely principally on the basis that processing is necessary for the purposes of our legitimate interests in running and promoting our business, and those are not overridden by your interests or your fundamental rights or freedoms.

In certain circumstances, we may rely on one of the following lawful bases for our processing namely:-

(i) processing is necessary for the performance of a contract entered into between us, or to be entered into between us; or
(ii) processing is required for compliance with a legal obligation of ours; or
(iii) your consent.

We may process your personal data relying on more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us using the contact details set out below (see Contact Us) if you need details about the specific lawful basis on which we are relying on to process your personal data.

Your right to opt out
You may at any time by contacting us using the contact details below (see ‘Contact Us’ below), object to our processing your personal data for direct marketing purposes. You will also be given the option to unsubscribe from marketing on each marketing communication you receive from us. If you do unsubscribe or opt out of marketing, we shall no longer use your personal data for that purpose.

Accuracy of personal data
We try to ensure that the information we hold about you is accurate and kept up-to-date by contacting you at regular intervals. However, if you believe that any information we are holding about you is inaccurate, out-of-date or incomplete, please contact us by using the contact details as set out below (see ‘Contact Us’ below). We will promptly correct or delete any information found to be incorrect.

Security
We have put in place what we consider to be appropriate security measures against unlawful or unauthorised processing of your personal data we hold, and against the accidental loss of, or damage to, your personal data.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Disclosure of your personal information
We may disclose your personal data to third parties who are providing services to us.

We may also disclose personal data we hold to third parties:

a) in circumstances where we are considering an investment or have concluded and investment, we may share your information with prospective finance providers, co-investors and investors in Penta funds
b) in the event that we sell any business or assets, we may disclose personal data we hold to the prospective buyer of such business or assets; and/or
c) if we are under a duty to disclose or share your personal data in order to comply with any legal obligation. This could include for example exchanging information with other companies and organisations for the purposes of anti-money laundering, fraud protection and credit risk reduction.

To the extent we transfer any of your personal data to any third party, we will only do so if that third party puts in place appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, the personal data.

Transferring personal data outside the EEA
We do not intend to transfer any personal data we hold about you to a country outside the European Economic Area (“EEA”). If we do transfer any of your personal data outside the EEA, we will ensure that at least one of the following safeguards is implemented:

• the personal data is transferred only to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission;
• we have put in place with the transferee specific contracts approved by the European Commission which give personal data the same protection it has in Europe; or
• where the transferee is based in the US, the transferee is registered with the Privacy Shield (which requires the transferee to provide similar protection to that required for personal data in Europe).

Retention of Data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Your right to access your personal information and your other rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data as follows:

• to request access to your personal data (commonly known as a “data subject access request”);
• to request correction of the personal data that we hold about you;
• to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
• to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.;
• to request restriction of processing your personal data.;
• to request transfer of your personal data to you or to a third party. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you; or
• to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us by using the contact details set out under ‘Contact Us’ below.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

If you wish to exercise any of those rights we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Links to other websites
Our website may, from time to time, contain links to and from the websites of our partner networks, portfolio companies and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Changes to this policy
We may make changes to this data protection policy at any time. Any changes we make will be posted on this page and, where appropriate, notified to you in writing. Please refer back to this page regularly to see any changes or updates to this policy.

Contact Us
If you have any queries about this policy or your personal data, or you wish to submit an access request or raise a complaint about the way your personal information has been handled, please do so in writing and address this to Paul Cassidy, at Penta Capital LLP of 150 St Vincent Street, Glasgow G2 5NE or by email to cassidy@pentacapital.com.

Complaints
If you are not satisfied with our response to any queries or complaints you raise with us or believe we are not processing your personal data not in accordance with the Data Protection Laws you can complain to the Information Commissioner’s Office (https://ico.org.uk/).

May 2018