Global Data Protection Policy
Introduction
In the Netherlands, data protection is governed under the supervision of authorities such as the Dutch Central Bank (De Nederlandsche Bank, “DNB”), the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, “AFM”) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP”). In other countries, data protection is subject to supervision of similar local authorities. As a result, we are bound to ensure that (i) there will be a high standard of technical and organisational security measures within our organisation and (ii) these technical and organisational security measures shall be applicable with regard to the Processing of the Personal Data of Clients and Employees.
The purpose for which Equanimity Stichting (hereinafter “Equanimity”) collects Personal Data revolves around its investment holdings’ business offerings, which is divided into the following sectors; Financial Technology, Commerce, Renewable Energy, Property Management and Development. Equanimity in itself does not offer any solutions directly to the public. Any reference to Equanimity in this policy is intended to refer to Saltroute B.V. and/or one of its sister companies. Saltroute operates a secure, networked orientated platform, which relies on the positive identification and authentication during interaction with Equanimity and it’s Clients. Equanimity provides personal financial management tools to its Clients and as such collects a variety of transactional data in order to present it to its Clients in a secure and confidential manner. Equanimity processes Personal Data of Clients and Employees as appropriate in connection with their business which includes, but is not limited to, the Processing of Personal Data in the context of the business relationship between Equanimity and its Clients on the one hand, and on the other, in the context of the relationship between Equanimity (as employer) and its Employees, and in relation to various supporting activities. Furthermore, Equanimity processes Personal Data for security purposes. Within the European Union the Processing of Personal Data is governed by the European Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “the GDPR”). GDPR is in effect from May 25th 2018 and ids repealing Directive 95/46/EC (the “Data Protection Directive”). This Global Data Protection Policy (the “Policy”) is based on the GDPR and applies to all Processing of Personal Data by Equanimity and includes exchanges of Personal Data within Equanimity and transfers to third parties. Equanimity is aware of the different levels of Personal Data protection provided in the countries where Equanimity and such Third-parties are located. Equanimity acknowledges that the lawful transfer of Personal Data within the European Union, the European Economic Area (“EEA”) and to those countries which have been qualified by the European Commission as ensuring an adequate level of protection does not pose a threat to the privacy rights of the Data Subjects as these countries have adopted similar data protection standards as those set in the Data Protection Directive. The implementation of this Policy within Equanimity aims at ensuring an adequate level of protection as stated in Preamble, paragraph 100 of the GDPR. This Policy establishes minimum standards for the Processing of Personal Data within Equanimity. Equanimity must therefore comply with this Policy, without prejudice to European and local legislation. This means that in addition to this Policy, local legislation relating to data protection will be observed. However, in case the level of protection ensured by local legislation is lower than the level of protection provided for in this Policy, this Policy shall prevail.
Definitions
In this Policy, unless the context clearly indicates a contrary intention, the words and phrases herein below defined shall have the meanings assigned to them (defined terms begin with capital letters), and cognate expressions shall bear corresponding meanings: “Client” includes the Data Subject with whom Equanimity (i) has entered into a legal relationship, (ii) may wish to enter into a legal relationship or (iii) used to have a legal relationship; or (iv) a Data Subject who contacted Equanimity; or (v) a Data Subject whose Personal Data is obliged to be processed by Equanimity in connection with contractual or legal obligations with a customer or a Third-party; “Data Subject” means any individual to whom the Personal Data relates; “Data Subject’s Consent” means any freely given specific and informed indication of his or her wishes by which the Data Subject signifies his or her agreement to Personal Data relating to him or her being processed;
“Data Controller” means the European Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by a specific European Community act, the controller or the specific criteria for its nomination may be designated by such Community act; “Data Register” means a register maintained by Equanimity that states all data collected, from whom, for which purpose and shared with whom;“Employee” includes any Data Subject potentially, currently or formerly employed by any Equanimity company. This includes temporary workers, contractors or trainees of any Equanimity company;
“Equanimity” means Fairvalue Besloten Vennootschap with registered trade name Equanimity, a company incorporated under the laws of the Netherlands with registration number 84590610, and its direct and indirect subsidiaries, affiliates and branches and any (other) entities in which Equanimity holds a controlling interest or exercises management control (“Equanimity company” shall have a corresponding meaning);
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“Personal Data Transfer” means any disclosure of Personal Data by Equanimity to another Equanimity company, or by Equanimity to a Third-party; “Personal Data Filing System” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;“Policy” means this Global Data Protection Policy;
“Process” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Processing and Processed” shall have a corresponding meaning); “Processor” means any individual or legal person, public authority, agency or any other body, being either Equanimity or a Third-party, which processes Personal Data on behalf of Equanimity;
“Recipient” means a natural or legal person, public authority, agency or any other body to whom data is disclosed, whether a Third-party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients; “Sensitive Personal Data” means Personal Data revealing an individual’s religion or philosophy of life, race, political persuasion, health and sexual life, or Personal Data concerning trade union membership, criminal behaviour, or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct; “Third Country” means any country other than the Netherlands; “Third-party” means any natural or legal person, public authority, agency or any other body other than the Data Subject, Equanimity, the Processor, the Data Controller and the persons who, under the direct authority of Equanimity or the Processor, are authorised to process Personal Data. 
Words importing the singular shall include the plural and vice versa, words importing the masculine gender shall include the other genders and vice versa and natural persons shall include juristic persons and vice versa.The head notes to the paragraphs of this Policy are inserted for purposes of reference only and shall not affect the interpretation of any provisions to which they relate. In the event that any definition (whether in this clause 2 or elsewhere in this Policy) contains substantive provisions, then such provisions shall be given effect to as if same were incorporated into the main body of this Policy. Where any term is defined within the context of any particular clause in this Policy, the term so defined, unless it is clear from the clause in question that the term so defined has limited application to the relevant clause, shall bear the meaning ascribed to it for all purposes in terms of this Policy, notwithstanding that that term has not been defined in this clause 2. Words and phrases defined in this Policy shall bear the same meanings in schedules or addenda to this Policy (if any), which do not themselves, contain their own definitions.
Overall policy statement
This Policy applies to the Processing of Personal Data by Equanimity and will be implemented through the procedures set out in Equanimity’s corporate policy. This means that this Policy is mandatory for all Employees of Equanimity. Equanimity shall, without prejudice to local legislation, comply with this Policy. This Policy is in force in addition to privacy policies or similar arrangements of Equanimity and local data protection legislation in force at the date hereof. If the terms of the Policy provide for a better level of data protection for Personal Data and Sensitive Personal Data, the terms of this Policy shall prevail. All existing policies, contracts, procedures and systems shall be made compliant with this Policy. The principles set out in this Policy will be further developed where required in order to facilitate the Policy’s implementation within Equanimity. Equanimity will decide whether the principles of this Policy need to be further developed and how this should occur. Any such further development will be compatible with the principles established in this Policy. Equanimity’s Employees will be provided with practical instructions on this Policy. Equanimity will submit a copy of this Policy to the European Commission’s Data Protection Supervisor and inform it of any amendments.
Limitation
Personal Data shall be Processed only for the specific purposes set out in 1.2 and 1.3 above and this clause 4, or for purposes which are compatible with these specific purposes. The Processing of Personal Data of Clients takes place in order to support efficient and effective management of Equanimity, especially in light of the following activities: assessing and accepting Clients, entering into and executing of agreements with Clients as well as carrying out payment transfers; performing analyses with respect to Personal Data for statistical, credit and scientific purposes; for commercial activities in order to establish a relationship with a Data Subject and/or continuing as well as extending a relationship with a Client; ensuring the security and integrity of the financial sector and the interests of Equanimity; complying with legal obligations. The Processing of Personal Data of Employees takes place in order to support efficient and effective management of Equanimity, especially in light of the following activities: supporting the activities of Equanimity aimed at a responsible, effective and efficient human resources management; ensuring the security and integrity of the financial sector and the interests of Equanimity; supporting the activities of Equanimity in relation to pension management; Complying with legal obligations. 

Criteria for legitimate processing of personal data
Personal Data may only be Processed if at least one of the following criteria applies: the Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract; the Processing is necessary for compliance with a legal obligation to which the Equanimity company is subject; the Processing is necessary in order to protect the vital interests of the Data Subject; the Data Subject has unambiguously given his specific and informed consent to the Processing; or the Processing is necessary for the purposes of the legitimate interests pursued by the Equanimity company or by the Third-party or Parties to whom Personal Data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the Data Subject. In case the consent of a Data Subject is required, Equanimity shall ensure that the Data Subject unambiguously provides his informed, specific and free consent to the Processing of Personal Data. To this end, Equanimity shall inform the Data Subjects of the purposes of the Processing for which consent is required, of the possible consequences of the Processing for the Data Subject as well as of such other information insofar as necessary to ensure a fair Processing of such Personal Data. Equanimity shall not seek the consent of Employees for Processing their Personal Data which is directly or indirectly connected to the employment of such Employee, unless there is clear records documenting the consent and such processing is necessary for the performance of the contract or for the purposes of the employer's legitimate interests of the relevant Equanimity company or to the extent it follows from applicable (domestic or foreign) law. Where specific and informed consent has been granted, the Data Subject may withdraw such consent at all times. In that case, Equanimity shall cease the Processing of the relevant Personal Data without undue delay upon receipt of such withdrawal. Where specific and informed consent has been provided by an Employee, no negative consequences will follow from withdrawing such consent, except where consent has been obtained mandatory by applicable (domestic or foreign) law. Equanimity shall determine the maximum period for which Personal Data shall be retained in a Personal Data Filing System, for which applicable local laws will be taken into account. The retention period shall not be longer than the time necessary to achieve the purposes for which the Personal Data have been collected or further processed. Once this period has lapsed, Equanimity shall ensure that the Personal Data is either: deleted anonymised, so they can still be used for statistical purposes; or transferred to an archive, where they can be used for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. Access to these Personal Data will only be granted to an authorised limited number of Employees. 

​
Data quality, proportionality and relevance
Personal Data shall be:
collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for historical, statistical or scientific purposes shall not be considered incompatible provided that the controller provides appropriate safeguards, in particular to ensure that the data are not processed for any other purposes or used in support of measures or decisions regarding any particular individual; adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified; kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. Equanimity shall lay down that personal data which is to be stored for longer periods for historical, statistical or scientific use should be kept either in anonymous form only or, if that is not possible, only with the identity of the Data Subjects encrypted. In any event, the data shall not be used for any purpose other than for historical, statistical or scientific purposes. Without prejudice to the provisions of the foregoing provisions of clause 6.1, traffic data relating to Clients, which is processed and stored to establish calls and other connections over Equanimity’s communications service shall be erased or made anonymous upon termination of the call or other connection, unless specific and informed consent has been given by the Data Subject to store such data for its own use and/or Equanimity’s analysis. If necessary, traffic data as indicated in a list agreed by the European Data Protection Supervisor may be processed for the purpose of telecommunications budget and traffic management, including the verification of authorised use of the telecommunications systems. This data shall be erased or made anonymous as soon as possible and no later than six months after collection, unless it needs to be kept for a longer period to establish, exercise or defend a right in a legal claim pending before a court, or specific and informed consent has been given by the Data Subject to store such data for its own use and/or Equanimity’s analysis. Processing of traffic and billing data shall only be carried out by persons handling billing, traffic or budget management. Clients using Equanimity’s communication service shall have the right to receive non-itemised bills or other records of calls made.

​
Transparency
Equanimity must provide the Data Subject at the time of collection of the Personal Data with information as to: a) the purposes of the Processing; b) the identity of the Equanimity company; c) other information insofar as this is necessary to ensure fair Processing. If Equanimity has not collected Personal Data directly from the Data Subject, the above information must be provided before the Processing of the Personal Data but ultimately at the time of recording of the Personal Data or when the information is intended to be disclosed to Third Parties at the time of disclosure. Notwithstanding clause 16 of this Policy, Equanimity does not have to provide the information set forth above in so far the information was already known to the Data Subject or in so far the provision of such information proves impossible or would involve a disproportionate effort. This Policy will be published on Equanimity’s website and intranet. 

​
Security and confidentiality
Equanimity shall take appropriate technical and organisational security measures to protect Personal Data against unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing in accordance with adequate internal instructions adopted by Equanimity. Where local laws prescribe specific instructions and measures to be adopted for the purposes of this clause, local laws will prevail. Where Personal Data is Processed by automated means, measures shall be taken as appropriate in view of the risks in particular with the aim of: preventing any unauthorised person from gaining access to computer systems processing Personal Data; preventing any unauthorised reading, copying, alteration or removal of storage media; preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored Personal Data; preventing unauthorised persons from using data-processing systems by means of data transmission facilities; ensuring that authorised users of a data-processing system can access no Personal Data other than those to which their access right refers; recording which Personal Data has been communicated, at what times and to whom; ensuring that it will subsequently be possible to check which personal data has been processed, at what times and by whom; ensuring that Personal Data being processed on behalf of Equanimity by Third-parties can be processed only in the manner prescribed by the contracting institution or body; ensuring that, during communication of Personal Data and during transport of storage media, the data cannot be read, copied or erased without authorisation; designing the organisational structure within an institution or body in such a way that it will meet the special requirements of data protection. Equanimity shall take appropriate technical and organisational measures to safeguard the secure use of the telecommunications networks and terminal equipment, if necessary in conjunction with the providers of publicly available telecommunications services or the providers of public telecommunications networks. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented. In the event of any particular risk of a breach of the security of the network and terminal equipment, Equanimity shall inform its Clients of the existence of that risk and of any possible remedies and alternative means of communication. In the event of a breach of the security and data protection Equanimity shall inform the Dutch Data Protection Authority, AP and will take all necessary measures to mitigate the breach. In the event of a higher risk associated with data processing, in accordance e with the GDPR a privacy impact assessment (PIA) will be set up.
Personal data transfers between Equanimity companies
Equanimity aims at ensuring that an adequate and consistent level of protection is in place when Personal Data is transferred between Equanimity companies. Equanimity will transfer Personal Data to other Equanimity companies abiding by the rules established in this Policy. Personal Data shall only be transferred to and further processed by Processors that are Equanimity where it has been established that Personal Data will be processed in accordance with the instructions of a Equanimity company acting as a Data Controller. 

​
Personal data transfers between Equanimity and a Third-party.
Equanimity transfers Personal Data to Third-Parties. The details of the Third-Party and the purpose of the transfer is stated in Equanimity’s Data Register for each Third-Party that Personal Data is transferred to including the Personal Data that is transferred. A copy of the Data Register is available on request to any Client. To request a copy, please refer to the contact details listed below in paragraph 26.
Personal data transfers to parties outside the EEA
Equanimity establishes the following measures to ensure that Personal Data Transfers to, and further Processing by, Third-parties who may be established either in Third Countries, offering an adequate level of protection, or in Third Countries not offering an adequate level of protection, observe the principles established in the Data Protection Directive. Personal Data shall only be transferred to and further processed by a Third-party Processor who is not a Equanimity company in a Third Country where: arrangements have been made to require such Processor to Process Personal Data only in accordance with the instructions of Equanimity; sufficient guarantees are in place in respect of technical and organisational security and fulfilling the security obligations incumbent on Equanimity under the GDPR. a service level agreement has been concluded between Equanimity and such Processor whereby the terms and conditions are set out demanding a minimum standard that the Processor agrees to adhere to, including the provisions established in the European Commission’s model contractual clauses for Data Processors established in Third Countries contained in decision C(2004) 5721 for countries that do offer an adequate level of protection; and C(2010) 593 for countries that do not offer an adequate level of protection. The transfer to Third-parties (including a Processor who is not Equanimity or a public authority) in Third Countries not offering an adequate level of protection may only take place provided that the transfer is based at least on one of the following grounds and that the further limitations established in this clause are abided by: the transfer is necessary for the performance of a contract between the Data Subject and Equanimity or the implementation of pre-contractual measures taken in response to the Data Subject’s request; the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between Equanimity and a Third-party; the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims. Any transfer on this ground shall be authorised by Compliance in consultation with Legal. If Legal and Compliance allow the transfer, prior to such transfer additional appropriate measures to ensure that the privacy rights of Data Subjects are protected will be taken, if deemed necessary after consultation with the Dutch Data Protection Authority; the transfer is necessary in order to protect the vital interest of the Data Subject; the transfer is made from a public register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in local laws for consultation are met; the transfer is required by any foreign or domestic law to which Equanimity is subject. Any transfer on this ground shall be authorised by Equanimity’s Compliance division in consultation with Legal division and/or external corporate lawyers. If Legal and Compliance allow the transfer, prior to such transfer additional appropriate measures will be taken to ensure that the privacy rights of Data Subjects are protected, if deemed necessary after consultation with the Dutch Data Protection Authority; the transfer is required for upholding a legitimate business interest of Equanimity, except where the interests or fundamental rights and freedoms of the Data Subject, in particular the right to protection of individual privacy, prevail. This ground may be relied upon if appropriate safeguards are in place, such as the adoption of adequate arrangements or individual agreements or the signature of a contract based on the standard terms referred to in 11.1.3 above between Equanimity and the Third-party or having related companies who will process Personal Data on behalf of Equanimity in a country not ensuring an adequate level of protection. Equanimity may rely on the Data Subject’s specific and informed consent for the transfer, without prejudice of the provisions of clause 5.2 of this Policy. Where consent will be relied on according to this clause the following information shall be provided to the Data Subjects before such consent is provided: a) the purposes of the transfer, b) the identity of the party responsible for the transfer, c) the parties to whom data will be provided and the countries in which these are located, d) whether the Third Countries where Personal Data will be sent ensure an adequate level of protection e) the categories of Personal Data that will be transferred. 

​
Conflict of laws
Where the terms of this Policy offer a higher level of protection to the Data Subjects than the provisions of applicable local laws, the terms of this Policy shall apply. Where provisions of local law offer a higher level of protection to Data Subjects, the provisions of the relevant local law will apply. A Equanimity company or Employee shall promptly inform Equanimity when it has reasons to believe that the legislation applicable to it, or any future legislation that comes into force, may prevent it from fulfilling its obligations under this Policy or under the Data Protection Directive and that would have a substantial adverse effect on the guarantees provided for under the Policy or under the Data Protection Directive. In this case, Legal will consult with local counsel how to proceed on a case by case basis. Where considered necessary, Equanimity shall inform the Dutch Data Protection Authority or other competent authorities.
Right of access, rectification, erasure and blocking of personal data
Data Subjects shall have the right to access their Personal Data. In the event the Personal Data of the Data Subjects are incorrect or are not Processed in compliance with applicable law or this Policy, Data Subjects have the right to have their Personal Data corrected, erased or blocked as appropriate. Data Subjects shall address requests for access, rectification, erasure or blocking to the Equanimity company in the country of their residence or, if no Equanimity company is established in such country, to Equanimity. The Data Subject shall have the right to obtain from Equanimity the blocking of Personal Data where: their accuracy is contested by the Data Subject, for a period enabling Equanimity to verify the accuracy, including the completeness, of the Personal Data, or; Equanimity no longer needs them for the accomplishment of its tasks but they have to be maintained for purposes of proof, or; the processing is unlawful and the Data Subject opposes their erasure and demands their blocking instead. In Equanimity’s Personal Data Filing System blocking shall in principle be ensured by technical means. The fact that Personal Data is blocked shall be indicated in the system in such a way that it becomes clear that the Personal Data blocked pursuant to this clause shall, with the exception of their storage, only be processed for purposes of proof, or with the Data Subject's specific and informed consent, or for the protection of the rights of a Third-party. The Data Subject who requested and obtained the blocking of his or her data shall be informed by Equanimity before the Personal Data is unblocked. In the event that a Data Subjects submits a request for access to their Personal Data, the local Equanimity company shall provide the Data Subject with the following information (except if the data Subject already has the information) as soon as possible, but in any event no later than three months after receipt of the request: communication in an intelligible form of the data undergoing Processing; confirmation as to whether or not data relating to the Data Subject are being processed; the existence of the right of access to, and the right to rectify, the data concerning the Data Subject; whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply; the purposes of the Processing; the identity of the Data Controller; the Recipients and/or categories of Recipients; the categories of Personal Data Subject of the Processing; the categories of Recipients of the Personal Data; the available information about the origin of the Personal Data; any further information such as: the legal basis of the processing operation for which the data is intended; the time-limits for storing the data; the right to have recourse at any time to the European Data Protection Supervisor; the origin of the data, except where the controller cannot disclose this information for reasons of professional secrecy. Insofar as such further information is necessary, having regard to the specific circumstances in which the data is processed, to guarantee fair processing in respect of the Data Subject. Notwithstanding clause 17, requests for access, correction, erasure or blocking may be denied if (i) the Data Subject is abusing his rights under this Policy and the Directive on Data Protection, (ii) the request for access, correction, erasure or blocking are unspecified or unreasonable; or (iii) Equanimity is obliged not to do so according to applicable law. Prior to providing access to Data Subjects to which a Third-party may be expected to object, the Equanimity company having received the request for access shall give the Third-party an opportunity to express its views where the information mentioned in clause 13.3 of this Policy contains data concerning that Third-party unless this appears to be impossible or would involve a disproportionate effort. In case of transfer of Personal Data within Equanimity or a Third-Party, the exporting Equanimity company shall undertake to assist the Data Subjects in exercising its rights vis-à-vis the recipient Equanimity company, or Third-Party. Further to the request of a Data Subject, the exporting Equanimity company shall investigate such requests and shall undertake appropriate action to review and where necessary grant such requests. 

​
Sensitive Personal Data
Equanimity shall not Process Sensitive Personal Data, except where:
the Data Subject has given specific and informed consent, or;
the Processing is required or authorised by domestic law, or;
the Processing is necessary for the establishment, exercise or defence of legal claims, or; the Processing is necessary to protect the vital interests of the Data Subject, or; the Processing is necessary to comply with an obligation of international public law, or; the Processing is necessary with a view to an important public interest, where appropriate measures have been put in place to protect individual privacy and this is provided for by foreign or domestic law or the relevant Data Protection Authority has granted an exemption. the Personal Data has been made manifestly public by the Data Subject. 
 Notwithstanding clause 13.1 of the Policy and the provisions or restrictions of local laws on the Processing of health related data, Equanimity may process health related Personal Data of Employees only for (a) the proper implementation of law provisions, pensions, pension regulations or collective agreements which create rights dependent on the state of health of the Employee, or (b) the reintegration of or support for Employees or persons entitled to benefit in connection with sickness or work incapacity. Employee health related data will be treated as confidential. Notwithstanding clause 13.1 of the Policy and the provisions or restrictions of local laws on the Processing of health related data, Equanimity may process health related Personal Data of Clients, subject to the provisions of clauses 13.3 up to and including 13.9 of this Policy. Equanimity may process Personal Data relating to a person’s state of health insofar as this is necessary for: the assessment of a Client, the approval of a Client, the execution of an agreement with a Client and the settlement of payment transactions. Personal Data regarding a person’s state of health that are processed in order to make an assessment of a Client, in connection with the acceptance of a Client, the execution of an agreement with a Client with regard to a specific product or the settlement of a claim for damages of a Client shall not be used without the Client’s specific and informed consent for the assessment of a Client, the acceptance of a Client, the execution of an agreement with a Client for another product or the settlement of another claim for damages. If, in connection with the acceptance and/or the handling of claims a Client is requested to undergo a medical examination or an additional examination, Equanimity shall point out in the medical examiner’s documents and forms the importance of the identification in order to prevent mistaken identity. The Client shall then be informed that he has the right to make it known in writing that he wishes to be informed of the results and conclusion of the examination. Unless it concerns an insurance policy concluded under civil law, the Client has the right to demand that he shall be the first to be informed of this information in order that he may decide that the results and conclusions are not be communicated to others. The collection of Personal Data regarding a person’s state of health by a medical advisor of Equanimity from other parties than the Client shall only take place after the Client has given his permission and issued an authorisation for this. This authorisation may not be of a general nature, but must concern the Processing in connection with a concrete issue. The Client must be informed about the nature of the to be requested information as well as about the purpose thereof. This must be apparent from the authorisation. The information regarding a person’s state of health shall only be processed by persons who are bound to secrecy by virtue of their office, profession or legal regulations or by virtue of an agreement, except insofar as they are obliged to disclose this information by law or their task requires that this information should be disclosed to others who are authorised to process this information. Health related data will be handled confidentially. Access will only be granted to authorised persons within the organisation. Notwithstanding the provisions of clause 13.1 and any relevant specific provisions of national law prohibiting or imposing extra requirements to the Processing of criminal behaviour related personal data, criminal Personal data may be processed according to in accordance with clauses 13.11 up to and including clause 13.14. Equanimity may process Personal Data relating to criminal offences insofar as this is necessary for: 
(a) the assessment of a Client, the acceptance of a Client, the execution of an agreement with a Client and the settlement of payment transactions; 
(b) safeguarding the security and integrity of the financial sector, including also detecting, preventing, investigating and combating (attempted) (criminal or objectionable) conducts directed at the sector which Equanimity is part of, at the group to which Equanimity belongs, at Equanimity itself, at its Clients and Employees, as well as the use of and the participation in warning systems; or (c) to comply with legal obligations. In view of a sound acceptance Policy, Equanimity may enquire about facts relating to a possible criminal record of persons to be insured and others whose interest are also insured in the applied for insurance policy (including directors and shareholders of legal entities), insofar as these facts relate to a period of eight years prior to the date of the insurance application. In this regard, the disclosed criminal record may only be used for the assessment of the insurance application and legally obtained data relating to a criminal record may be used in connection with invoking non-compliance with the disclosure obligations. The prohibition on Processing other Sensitive Categories of Personal Data does not apply insofar as this is necessary in addition to the Processing of Personal Data relating to a criminal offence for purposes for which this Personal Data is being processed. Personal data that: relate to criminal offences that were perpetrated, or that, based on facts and circumstances of the case, are expected to be perpetrated, against one of the Equanimity companies; or serve to detect possible criminal conduct towards Equanimity, can be disclosed by Equanimity, provided that the information is only disclosed to officers who require this information in connection with the performance of their duties as well as to the police and judicial authorities. 

​
Direct marketing
By “direct marketing” it is meant the transmission of unsolicited information by Equanimity or a Third-party to a Data Subject for commercial or charitable purposes.
Processing of Personal Data through automated means (opt-in) 
Where Personal Data is Processed for direct marketing purposes through the use of automated means, electronic mail, or mobile services, Equanimity shall obtain the consent of Data Subjects, except where these have provided their Personal Data to Equanimity in the context of the sale of a Equanimity product or service. This is subject to the condition that: (i) when the Personal Data was obtained from the Data Subject, the possibility was explicitly offered to lodge an objection free of charge against the use of this Personal Data; and (ii) if the Data Subject has not made any use of this, at the time of each communication, the Data Subject shall explicitly be offered the possibility to lodge an objection free of charge against the further use of the Personal Data. Processing of Personal Data through non automated means (opt-out) 
Where Personal Data is Processed for direct marketing purposes through the use other means than specified in clause 14.1 of this Policy, such as non- automated means such as, telephone non automatic calling and letters sent by post, the relevant Equanimity company shall (i) provide the Data Subjects at least with the possibility to opt-out from such use and (ii) not direct unsolicited commercial communications at Data Subjects enlisted with the so called “opt out” registries if required by law. Right to object 
In the case a Data Subject objects to the use of his Personal Data for direct marketing purposes, his Personal Data shall be blocked for such use as soon as possible after the objection has been received by the relevant Equanimity company. 

​
Automated decision making
Equanimity employs various automated business rules for risk and price based decisions. Data Subjects are entitled to query a decision and request the logic implemented to derive the decision, which is based solely on automated Processing of Personal Data, unless: the decision is taken in the course of the entering into or performance of a contract which contract was requested by the Data Subject and the decision was positive for the Data Subject; other measures are taken to safeguard the Data Subject’s legitimate interests, such as arrangements allowing the Data Subject to express his point of view or; the decision is authorised by law.
Compelling business interests
The requirements of clauses 4, 7 and 12, may be set aside if in the specific circumstances of the case at hand (especially in case of regulatory compliance) a pressing need exists which outweighs the fundamental rights and freedoms of the Data Subject in order to: protect the legitimate business interests of Equanimity, including: the security of an Employee; the protection of its trade secrets and reputation; the uninterrupted continuity of its business operations; the protection of confidentiality in for instance an (intended) sale or merger or acquisition of (its) business operations; involvement of trusted advisors or consultants for legal, tax, insurance or business consultancy purposes; prevent, detect, prosecute (including to cooperate with public authorities) breaches of (criminal) law or breaches of the terms of employment or other company rules or codes; protect and defend the rights and freedoms of Equanimity, its staff or other persons (including the Data Subject) hereinafter “Compelling (Business) Interests”); or protect the rights and freedoms of the Data Subjects or of a Third-party. The provisions of clause 13 may in specific cases be set aside if in the specific circumstances of the case at hand a pressing need thereto exists which outweighs the interests of the Data Subject for Compelling (Business) Interests described in clauses 16.1 only. 

​
Supervision and compliance
Each Equanimity company shall designate a Data Protection Officer in accordance with Section 4 of the GDPR. Equanimity is aware of the provisions, requirements and limitations of term and restrictions of dismissal stated in Section 4 of the the GDPR and shall appoint a qualified Data Protection Officer, whom shall be registered with the European Data Protection Supervisor. The Data Protection Officer shall be selected on the basis of his or her personal and professional qualities and, in particular, his or her expert knowledge of data protection. The selection of the Data Protection Officer shall not be liable to result in a conflict of interests between his or her duty as Data Protection Officer and any other official duties, in particular in relation to the application of the provisions of the Data Protection Directive. Equanimity shall give prior notice, containing the information stipulated by Article 38 of the GDPR to the Data Protection Officer of any Processing operation or set of such operations intended to serve a single purpose or several related purposes. The Data Protection Officer shall maintain a register containing the information referred to in 18.5 above of all Data Processors, which will be available for inspection by the European Commission Data Protection Supervisor. Equanimity will regularly (at least on an annual basis) audit its systems used to Process Personal Data to ensure compliance with this Policy. Equanimity shall ensure that internal audits will take place on a regular basis within Equanimity. Equanimity shall ensure that those Employees that are responsible for ensuring compliance with data protection principles shall comply with this Policy and educate and inform them about the consequences of non-compliance. Equanimity shall develop and provide special training for Equanimity employees to promote privacy awareness and familiarity with the rules established in the Policy. A global complaint procedure for the effective protection of the rights established in this Policy will be set up upon implementation of the Policy. This global complaint procedure will be available to Employees and Clients of Equanimity. 

​
Third-party beneficiary
The Data Subjects can enforce all obligations of Equanimity contained in this Policy which directly relate to the lawful or fair Processing of their Personal Data as Third-party beneficiaries. Any Equanimity company shall make available, upon request, a copy of this Policy to Data Subjects who are Third-party beneficiaries under this clause.


Compliancy procedures
If the Data Subject is of the opinion that Equanimity is not complying with the Policy or the privacy rights of the Data Subject are infringed according to applicable data protection legislation, the Data Subject may lodge a complaint. The Data Subject’s complaint must be lodged according to the complaint procedure for Clients or Employees, as applicable, adopted in every country where Equanimity is present. The country specific complaint procedure for Clients and Employees must comply with respectively with Equanimity’s corporate policy and applicable local law. A complaint shall be lodged by the Data Subject in accordance with the complaint procedure from the country where; the Data Subject has its habitual place of residence, or the Equanimity company which allegedly infringed the Policy or the Data Subject’s privacy rights is located, or the Equanimity company employing the Data Subject, who qualifies as Employee, is located. In the event that a Equanimity company wrongfully receives a complaint as referred to in this clause, such Equanimity company shall assist the Data Subject in lodging the complaint to Equanimity company which is charged with dispatching the complaint. Should the Data Subject be unsatisfied about the handling of the complaint, the Data Subject may address such concern to Equanimity by emailing complaints@Equanimity.co or calling +31 20 809 7511.
Right to be forgotten
In accordance with the mentioned conditions in article 17 of the GDPR the data subject will have the right to be forgotten. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.
In reference to the right to be forgotten by Data Subjects, the by Dutch law required retention period for personal data such as financial and customer identity data will be taken into regard. Equanimity shall comply with the minimum period for which Personal and Financial Data shall be retained in a Personal and Financial Data Filing System, for which applicable local laws will be taken into account. The retention period shall not be longer than the minimum period mentioned by local law or necessary to achieve the purposes for which the Personal and Financial Data have been collected or further processed. For Equanimity, in accordance with Dutch law, the following minimum retention periods apply: For Personal Data about the identity of a client, natural or legal person, for the prevention of money laundering and terrorism, the minimum retention period is 5 years upon registration of the data. For Financial Data such as Accounting, administration and finance documents (e.g. annual accounts, profit and loss accounts, debtors and creditors administration, inventory records, salary administration), the minimum retention period is 7 years upon creation of the document. Equanimity notes that it is crucial for a financial institution to retain this information for the length of the minimum retention period and/or as long as necessary to be able to prove the integrity of its balance sheet, of the processed transactions and for the prevention of money laundering, fraud detection, etc. In case the customer has revoked his consent and has requested for data erasure, processing of personal (financial) data for marketing purposes is no longer allowed, however due to the mentioned obligations the data itself cannot be erased instantly.
Liability
A Data Subject who has suffered direct damages as a result of any violation of the provisions of this Policy that directly relate to the lawful or fair Processing of his Personal Data, and only to the extent that the Data Subject can show that; it has suffered damage and the occurrence of such damage originates in the violation of the Policy, is entitled to receive compensation for the damage suffered. Equanimity and the relevant Equanimity company shall be jointly and severally liable for any direct damage suffered by the Data Subject resulting from any violation of this Policy by Equanimity or any Equanimity company. Equanimity or the relevant Equanimity company may be exempted from this liability only if they prove that neither of them is responsible for the violation of those provisions. If a Equanimity company is held liable before the competent courts, or mediation or arbitration institutions to which Equanimity are subject, by a Data Subject for a violation of this Policy by Equanimity, this Equanimity company will, to the extent to which it is liable, indemnify Equanimity for any costs, charge, damages, expense or loss it has incurred. 

​
Enforcement of rights and mechanisms
The Data Subject has the right to address the courts or other competent authorities, including the Data Protection Authority in the Netherlands.
The provisions of this clause 21 apply without prejudice to the substantive rights and remedies or the dispute settlement procedures which are available to a Data Subject in accordance with other provisions of national or international law. All Equanimity companies are obliged to cooperate with the competent Data Protection Authority and any other lawful investigation or inquiry by a competent authority. The Equanimity company shall in a reasonable time and to the extent reasonably possible assist other Equanimity companies if this assistance is required in order to handle any request or complaint or claim of a Data Subject.
Notwithstanding the rights of the Data Subject as set forth in the above paragraphs of this Policy, the Dutch Data Protection Authority and the Dutch courts shall at all times be competent to supervise compliance with this Policy. Both the Dutch Data Protection Authority and the Dutch courts shall rule in accordance with Dutch law.
Data originating from countries outside EEA
​

Where a Equanimity company is established in a country outside the EEA Processes domestic Personal Data not originating in EEA countries, such Equanimity company may decide whether it will apply the level of protection set out in this Policy. Such Processing of Personal Data will as a minimum ensure that it complies with applicable local laws. 

Amendments to this global data protection policy
The date of publication of this global data protection policy is 20 October 2025. Equanimity is not entitled to make any amendments to this Policy, or the purpose for which it collects Personal Data, as set out in 1.2, 1.3 and 4 hereof, without obtaining the consent of the Data Subjects. Any relevant amendments to this Policy shall be published and Data Subjects will be properly informed of the change.
The amendments shall only come into effect relative to each Client, after the amended Policy has been published in accordance with the relevant parts of Equanimity’s corporate policy and the Data Subject’s Consent has been obtained. Equanimity will inform the Data Protection Supervisor of any amendment to this Policy.

Inquiries
Inquiries relating to this Policy should be directed to:
The Data Protection Officer
Saltroute B.V.
Keizersgracht 62, 1015 CS, Amsterdam, the Netherlands
E-mail: info@equanimity.co
Telephone: +31 20 809 7511