We are committed to protecting and respecting your privacy. This Policy explains how we collect, use and process your personal data in compliance with our legal obligations, including, where applicable, the UK GDPR, the Jersey Data Protection Laws and the Australian Privacy Act (all as defined below). For the purposes of the UK GDPR and the Jersey Data Protection Laws, we are controllers of personal data. This Policy applies to the personal data of investors (or their representatives), directors and employees, service providers (or their representatives) and website users whose personal data we may process. For the purposes of the Australian Privacy Act, “processing” includes using and disclosing.
Depending on how you interact with us or where you are located, different laws may be applicable to our processing of your personal data, such as Regulation (EU) 2016/679 General Data Protection Regulation as it forms part of the laws of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”), the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018 (together, the “Jersey Data Protection Laws”), and the Privacy Act 1988 (Cth) (“Australian Privacy Act”).
2. What personal data do we collect?
In the course of our business, we may collect personal information about you that can help us directly or indirectly identify you (“personal data”). “Personal data”, for the purposes of this Policy, includes personal data as defined under the UK GDPR and the Jersey Data Protection Laws.
We may collect, use, store and transfer personal information from individuals that are employees, directors, officers or other representatives or agents of market counterparties, professional services and other service providers, trade associations, public bodies and other entities or undertakings.
Such personal data is typically limited in scope and may include the following:
- in relation to investors: name, postal address, email address, telephone number and other contact information, identity and nationality documentation, occupation and employer details, bank account details, tax identification numbers, social security or other unique identifier numbers, information about marketing and communication preferences, online identifiers (such as internet protocol (IP) addresses), usage data (such as interactions with our website or use of certain online tools), or other similar identifiers;
- in relation to employees, directors, officers or representatives: name, postal address, email address, telephone number and other contact information, biographical or professional information, identity and nationality documentation, bank account details, tax and social security identification numbers and next of kin information, and some special categories of personal data such as race or ethnicity, sexual orientation, health and sickness records;
- in relation to service providers: limited personal data of the individuals who are employees or other representatives of the service providers, such as names, email address, telephone number and other contact information; and
- in relation to website users, the categories may include name, email address, username, password, IP addresses.
3. How do we collect personal data?
We may collect personal data through a range of means. These may include (i) direct interactions, where a person provides personal data to us through correspondence or other direct methods of communication, including in the course of account applications, subscription agreements or other related documentation or transactions; (ii) through third-party service providers (for example, recruitment agents, investor’s brokerage or financial advisory firm, or consultants); or (iii) publicly available sources (where we receive personal data through a publicly available source such as a website or publicly-available registry) or sources designed to detect and prevent fraud or other violations of applicable laws and regulations.
4. Why do we process and how do we use your personal data?
We will only process personal data in circumstances where we have established a lawful basis to do so if and as required under applicable laws, including the UK GDPR and the Jersey Data Protection Laws. These circumstances include where the processing of the relevant data relates to a legitimate interest of Quinbrook, further described below. In such circumstances Quinbrook will have established that the processing is necessary for the relevant purpose, and where we are satisfied our interests are not overridden by the interests or fundamental rights or freedoms of the individuals concerned.
In accordance with the above, we have determined that the lawful bases for our processing of personal data are our legitimate interests to undertake activities necessary and ancillary to the carrying on of an investment management business, including where necessary for the purposes of carrying out activities relating to investments in the relevant fund, the administration of the relevant fund, the investment activities of the relevant fund, otherwise in furtherance of any contract entered into with respect to the activities of the relevant fund and entering into contractual arrangements in the context of our investment management business, to exercise and comply with our rights and obligations at law or under regulation where such obligations are not set out under the laws of the United Kingdom (“UK”) or Jersey, to establish, exercise or defend legal claims and in order to protect and enforce our (or another person’s) rights, property, or safety, or to assist others to do the same, and in order to provide information about our services and any investment products we offer. Our legitimate and overriding interests which may necessitate the use of personal data may also include protecting against fraud, including detecting fraud risks and managing risk exposure; verifying your identity and responding to your inquiries, and keeping records of our communications with you; and complying with industry standards and our policies, including administering and improving our website and internal operations such as testing, research, statistical and survey purposes.
In addition, we may also control or process personal data where the individuals have provided their consent, where necessary to comply with legal or regulatory obligations applicable to us, or in order to give effect to a contract, or to take necessary pre-contractual steps with a view to potentially entering into a contract (including in our capacity as an employer or a prospective employer), to the extent applicable.
We may from time to time control or process personal data in respect of the relevant fund’s marketing, and advertising the relevant fund and/or other investment vehicles and/or related services. In certain circumstances, we may send communications about our services, events and other marketing communications to you. If you do not wish your personal data to be processed for marketing purposes you may have the right to opt out of such processing, as described further below (Section 8 “Your Rights”).
In addition to the uses described above, in some circumstances, we may use personal data provided to us to establish, exercise or defend legal claims, including responding to a judicial process, law enforcement or governmental agency.
We will only use personal data for the purposes that it has been collected for, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose of the control or processing. Any person requiring information with respect to any additional purpose for which personal data may be controlled or processed may obtain such information by contacting us at the address set out below. If we need to control or process personal data for an unrelated purpose, we will use our reasonable endeavours to notify affected persons and to explain the basis on which we are permitted to undertake the same.
Should you have concerns regarding our use of your data described above, please contact us. In certain circumstances you may be entitled to object. We have set out further information about your rights in this Policy.
5. Who do we share with and disclose to your personal data?
In order to run our business and provide services to you, we may share personal data within the group.
We may also share personal data with certain third parties for the purposes set out above. The relevant third parties with whom such personal data may be shared include entities appointed to provide services to us and our affiliates, or those entities’ group companies (including administrators, banks, auditors, law firms, consultants and placement agents; regulatory, legal and tax authorities, including governmental organisations and self-regulatory organisations; and third parties in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganisation, dissolution, or liquidation). Further details of the third parties with whom personal data may be shared are available on request, by contacting us at the address set out below. Wherever possible, we will only disclose personal data to a third party in circumstances where that third party has agreed to respect the security and confidentiality of personal data and treat it in accordance with applicable law. We will seek to ensure that third parties to whom any personal data may be disclosed will not use personal data for their own purposes and only process personal data for specified purposes and otherwise in accordance with our instructions and/or with applicable laws, including the UK GDPR and the Jersey Data Protection Laws.
We may also disclose personal data about you to a third party at your request or direction or with your consent.
6. International transfers of personal data
Our activities are such that it may be necessary for personal data to be transferred and/or processed outside the jurisdiction in which we collected the personal data (“Local Jurisdiction”). The countries in which such recipients are likely to be located include UK, Jersey, Australia and United States of America.
In circumstances where we transfer personal data outside the Local Jurisdiction, we will seek to ensure a similar degree of protection is afforded to it by ensuring that personal data is generally transferred only to persons in countries outside the Local Jurisdiction in one of the following circumstances:
- to persons and undertakings in countries that have been deemed to provide an adequate level of protection for personal data by the relevant regulatory or other governmental body in the Local Jurisdiction;
- to persons and undertakings to whom the transfer of such personal data is made pursuant to a contract that is compliant with the standard data protection clauses for the transfer of personal data to third countries from time to time approved by the relevant regulatory or other governmental body in the Local Jurisdiction;
- to persons and undertakings outside of the Local Jurisdiction pursuant to other appropriate safeguards for the transfer of personal data, or otherwise in accordance with applicable laws of the Local Jurisdiction; and
- only on one of the conditions allowed under the applicable laws of the Local Jurisdiction (including, where applicable, the UK GDPR and the Jersey Data Protection Laws) in the absence of an adequacy decision or appropriate safeguards.
Further information on specific mechanisms utilised by Quinbrook transferring personal data outside the Local Jurisdiction and the countries to which such transfer may be made (which may include, but are not limited to Australia and the United States) may be obtained upon request, by contacting us at the address set out below.
7. Security and retention of personal data
We maintain physical, electronic, and procedural safeguarding arrangements to protect your personal data. Access to personal data is restricted on a need-to-know basis and to those employees and representatives who have been advised as to the proper handling of such data. We take reasonable steps and use security measures appropriate to the nature of the information in compliance with applicable laws to protect your personal data against unauthorised access and exfiltration, acquisition, theft, misuse, unauthorised modification, interference or disclosure. Given the nature of information security, there is no guarantee that such safeguards will always be successful.
We seek to maintain accurate, up to date data, and correct inaccurate information on a timely basis. Please also see below information about your right to rectification.
We will retain personal data for as long as necessary to fulfil the purposes for which it has been collected. This will include any period of retention required to satisfy any applicable legal, regulatory, taxation, accounting, regulatory or reporting requirements. In addition, some data may be retained with a view to potential litigation or complaints (subject to applicable limitation periods).
In determining the appropriate retention period for any personal data, we will consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of the data, the purpose for which the relevant data is being processed, the extent to which the purposes for which the relevant data is being processed can be achieved by other means and any applicable legal requirements. Without prejudice to the generality of the forgoing, we have determined that we will retain records for at least five years, in accordance with the rules, requirements and guidance of the FCA.
Details of retention periods applicable to personal data subject to the UK GDPR and the Jersey Data Protection Laws are available upon request, by contacting us at the address set out below. In some circumstances, a person may request that we delete any personal data retained by us. Further, in some circumstances, we may anonymise personal data for research or statistical purposes, in which case such information may be retained and utilised indefinitely without further notice.
8. Your rights
Under the UK GDPR, the Jersey Data Protection Laws and the Australian Privacy Act, persons whose data is processed by Quinbrook will have certain rights. You can exercise these rights by contacting us using the information below. You may be asked to provide some proof of identification so that we can verify that it is you making the request.
Specifically, if you are in the UK or Jersey, you have the following rights:
- Access. You have the right to know we collect certain personal data about you and to ask us for copies of your personal data. Please use the contact details provided at the end of this Policy.
- Rectification. You have the right to request that we correct your personal data you think is inaccurate or incomplete.
- Objection to processing. You have the right to object to processing in some circumstances, including where we are using your personal data for our legitimate interests and for direct marketing purposes, including by opting-out of marketing communications by contacting us at the address set out below.
- Erasure. You have the right to request that we erase the personal data we have collected about you in certain circumstances. The right to erasure is not absolute, and only applies if we no longer need your personal data to carry out the purpose that we collected it for; you have withdrawn your consent to our use of your personal data; you have objected to our use of your personal data and your interests outweigh our interests in using it; you believe we have processed your personal data unlawfully; or we have a legal obligation to erase your data. We will consider any request to erase personal data for any of the above reasons and endeavour to comply with the request to the extent permitted by law, but we may not always be able to comply with your request. If we are unable to comply with your request, we will contact you in writing.
- Restrict processing. You have the right to ask us to restrict the processing of your personal data in certain circumstances, including if you have concerns regarding the accuracy of your personal data, where you have made an objection to our use of your personal data; or if you believe we processed your personal data unlawfully, but you do not want us to delete it.
- Data portability. You have the right to receive a copy of the personal data that we collect about you in a way that is accessible and in a machine-readable format where the processing is based on your consent, the performance of a contract with you, or carried out by automated means. You have the right to request that such personal data be transmitted directly from us to another data controller, where technically feasible.
- Withdrawal of consent. You can withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
In certain circumstances, Quinbrook may charge reasonable fees if any such request is clearly unfounded, repetitive or excessive, and otherwise in accordance with applicable law.
If you wish to make a complaint regarding our handling of your personal data, you can contact us at the details set out below.
We request that complaints about breaches of privacy be made in writing, so we can be sure about the details of the complaint. Our Head of Compliance and Financial Control deals with privacy complaints. We will attempt to confirm as appropriate and necessary with you your understanding of the conduct relevant to the complaint and what you expect as an outcome. We will inform you whether we will conduct an investigation, the name, title, and contact details of the investigating officer and the estimated completion date for the investigation process.
After we have completed our enquiries, we will contact you, usually in writing, to advise the outcome and invite a response to our conclusions about the complaint. If we receive a response from you, we will assess it and advise if we have changed our view.
You may also make a complaint to the relevant supervisory authority for data protection issues. In the UK this is the Information Commissioner’s Office (“ICO”). Contact details for the ICO may be found at www.ico.org.uk. In Australia this is the Office of the Australian Information Commissioner (OAIC). Details of how to lodge a complaint with the OAIC may be found at www.oaic.gov.au.
9. Links to other websites
Our website may contain links to third party websites. Any access to and use of such third party websites is not governed by this Policy, but, instead, is governed by the privacy policies of those third party websites. We are not responsible for the information practices of such third party websites.
10. Changes to this Policy
Our policies and procedures with respect to the control or processing of personal data may be amended from time to time. Similarly, the purposes for which we may control or process personal data may change from time to time. If any changes would require a material amendment to the information set out herein, details of such changes will be made available by posting a new version of this Policy on the website. We encourage you to check the website regularly for information about revisions to this Policy. If you object to the change to our Policy, then you must contact us by any of the methods set out below regarding your objection or you must not continue to use our services.
11. How to contact us
If you wish to request any information or have any questions regarding this Policy or its implementation, you may email us at [email protected] You may also write to us at:
Quinbrook Infrastructure Partners Limited
3rd Floor, 24 Savile Row, London, W1S 2ES
Attention: Data Protection Compliance