GDPR Privacy Policy

This GDPR Privacy Policy supplements our general Privacy Policy and provides specific information about how Berdain LLP ("Berdain LLP," "we," "us," or "our") processes the personal data of individuals located in the European Economic Area (EEA) and the United Kingdom (UK), in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation (UK GDPR), collectively referred to as "GDPR."

Berdain LLP is a Data Controller for the personal data we process. Our registered address is 5 Saint John's Lane, London, EC1M 4BH, United Kingdom. Our domain is https://berdain-llp.com and our email is info@berdain-llp.com.

1. Principles of Data Processing

We adhere to the following principles when processing personal data:

• Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
• Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data Minimisation: Personal data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy: Personal data is accurate and, where necessary, kept up to date.
• Storage Limitation: Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
• Accountability: We are responsible for, and able to demonstrate compliance with, the above principles.

2. Legal Basis for Processing Personal Data

We rely on the following legal bases for processing your personal data under GDPR:

• Performance of a Contract (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (e.g., providing company formation services, setting up bank accounts).
• Compliance with a Legal Obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which we are subject (e.g., KYC, AML/CTF regulations, tax reporting, FATCA, sanctions screening).
• Legitimate Interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (e.g., improving our services, preventing fraud, maintaining security of our systems, internal administration, marketing activities where legitimate interest applies). We conduct a legitimate interest assessment to ensure your rights are protected.
• Consent (Art. 6(1)(a) GDPR): We may rely on your explicit consent for certain processing activities, particularly for sending marketing communications or for processing special categories of personal data where no other legal basis applies. Where consent is the legal basis, you have the right to withdraw your consent at any time.

3. Categories of Personal Data Processed

In addition to the categories listed in our general Privacy Policy, we specifically highlight the following under GDPR:

• Special Categories of Personal Data: In rare instances, and only when strictly necessary for compliance with legal obligations (e.g., AML/CTF regulations that require screening against politically exposed persons lists which may reveal political opinions, or sanctions lists that may imply trade union membership or health data), or with your explicit consent, we may process special categories of personal data (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, or data concerning a natural person's sex life or sexual orientation).
• Data Relating to Criminal Convictions and Offences: As part of our due diligence and AML/CTF obligations, we may process data relating to criminal convictions and offences, but only to the extent permitted by law and with appropriate safeguards.

4. Your Data Protection Rights under GDPR

Under GDPR, you have the following rights regarding your personal data:

• Right to Information (Articles 13 & 14): You have the right to be informed about the collection and use of your personal data, including the purposes of processing, the legal basis, and recipients of the data. This Privacy Policy serves to fulfill this right.
• Right of Access (Article 15): You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information about the processing.
• Right to Rectification (Article 16): You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
• Right to Erasure ("Right to be Forgotten") (Article 17): You have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This right is not absolute and applies in specific circumstances (e.g., data no longer necessary for the purpose, withdrawal of consent, unlawful processing).
• Right to Restriction of Processing (Article 18): You have the right to request the restriction of processing of your personal data in certain situations (e.g., if you contest the accuracy of the data, or the processing is unlawful but you oppose erasure).
• Right to Data Portability (Article 20): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and is carried out by automated means.
• Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent (Article 7(3)): Where we rely on your consent for processing your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint with a Supervisory Authority (Article 77): You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.

To exercise any of these rights, please contact us at info@berdain-llp.com. We will respond to your request within one month, which may be extended by two further months where necessary, taking into account the complexity and number of the requests.

5. International Data Transfers

As a global offshore services provider, Berdain LLP may transfer your personal data outside the EEA and UK to jurisdictions where our services are provided or where our trusted third-party service providers are located. These countries may not have the same data protection laws as the EEA or UK.

When such transfers occur, we ensure that appropriate safeguards are in place to protect your personal data, in accordance with GDPR requirements. These safeguards include:

• Adequacy Decisions: Transferring personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission or the UK government.
• Standard Contractual Clauses (SCCs): Implementing Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office (ICO) for transfers to countries without an adequacy decision. These clauses provide contractual obligations for data protection between the data exporter and data importer.
• Binding Corporate Rules (BCRs): For transfers within our corporate group, if applicable, we may rely on Binding Corporate Rules approved by supervisory authorities.
• Explicit Consent: In specific situations, we may transfer data based on your explicit consent, after having informed you of the possible risks of such transfers for you due to the absence of an adequacy decision and appropriate safeguards.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this GDPR Privacy Policy.

6. Data Protection Officer (DPO)

Berdain LLP is not legally required to appoint a Data Protection Officer. For any questions or concerns regarding your data protection rights or this policy, please contact us directly using the details below.

7. Changes to This GDPR Privacy Policy

We may update this GDPR Privacy Policy from time to time to reflect changes in legal requirements or our data processing practices. We will notify you of any material changes by posting the updated policy on our website with a new "Last Updated" date. We encourage you to review this policy periodically.

8. Contact Us

If you have any questions or concerns about this GDPR Privacy Policy or our data protection practices, please contact us at: