on the processing of your personal data.
Dear Client, We wish to inform you that, pursuant to Article 4(5) of the Swiss Data Protection Act (DPA) and, where applicable, Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR), the personal data you provide or that we collect within the context of our activities will be processed in accordance with the principles set forth in the aforesaid regulations and with the stringent confidentiality requirements to which our business activities are subject. Please note that the EU Regulation is only applicable to the processing of personal data within the territorial scope as set out in Article 3 of the GDPR, that is to say:
a) the processing of data in the context of the activities of an establishment in the EU;
b) the offering of goods or services to natural persons in the EU;
c) the monitoring of the behaviour of natural persons within the EU.
Veco Group SA and its subsidiaries do not have a business establishment in the EU. The company may occasionally process personal data of data subjects as part of a general monitoring activity.
For the purposes of this notice:
a) 'data subject' means an identified or identifiable natural person to whom one or more items of personal data refer;
b) 'personal data' means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
c) 'data requiring particular protection' or 'particular data' means sensitive data such as data concerning a person's private life, social assistance measures, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric data or data concerning health;
d) 'data on criminal convictions and offences or concerning security measures' means personal data revealing criminal convictions or administrative sanctions for offences committed or information about charges pending or a person's status as defendant or as the subject of investigations in criminal proceedings;
e) 'processing' means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
f) 'data controller': the subsidiary of Veco Group SA, Via Lavizzari 4, 6900 Lugano.
2. Categories of personal data processed
In the context of our activities, we process the following categories of personal data:
a) ordinary personal data, with specific reference to: personal and contact details (specifically: name and surname, date of birth, nationality, place of origin, private and business addresses, photocopy of passport or identity card, private and business mobile and land-line telephone/fax numbers, e-mail addresses, video/teleconferencing service identifiers, job, employer, role, academic and professional qualifications, etc.), personal interests, tax data, billing data, accounting data;
b) particular categories of personal data (specifically: information about business activities, the origin of funds, family members, etc.), and information concerning any convictions and offences or related security measures. Such data will only be processed insofar as necessary in relation to the client's requests, and where required by law, in accordance with the applicable legislation governing the protection of personal data, and any binding instructions issued by the competent supervisory authority.
3. Purposes and legal basis for processing personal data and schedule
Your personal data will be processed for the following purposes:
3.1. Compliance with legal obligations
Some of your personal data (specifically: your name, surname, address, date and place of birth, tax code, a photocopy of your identity document) will be collected in order to comply with the law, regulations and sector-specific rules, or instructions issued by supervisory or regulatory authorities or bodies. Such data will be processed in order to:
a) identify the data subject and carry out the appropriate checks in the context of detecting and preventing money laundering, terrorist financing and fraud;
b) comply with all monitoring, reporting and/or recording requirements (specifically: AUI, CRS, FATCA, QI, etc.);
c) fulfil administrative-accounting and fiscal obligations.
Personal data processed for the above purposes may be retained for up to 10 years from the date of termination of the contractual relationship.
3.2. Purposes strictly related and instrumental to the management of contractual relationships
Some personal data - such as data collected prior to signing the contract - are necessary in order to manage business relations with you as a client or for the performance of contractual obligations and to meet your specific requests. There is no obligation to provide the personal data required for such purposes. You may therefore choose not to provide these data. However, that may undermine the management and/or continuation of the contractual relationship with you or the execution of the operations you have requested. Such data will be processed in order to:
a) establish and verify your identity and the suitability thereof in respect of our criteria;
b) establish a contractual relationship with you and ensure the correct execution of the related operations;
c) manage the billing of services provided to you and the related expenses;
d) provide customer support activities.
Personal data processed for the above purposes may be retained for 10 years from the date of termination of the contractual relationship (in line with the ordinary limitation period).
3.3. Data processed on the basis of the data subject's consent
Subject to your consent and until you object, the Company could process your personal data for the purposes of direct marketing and profiling, especially in relation to newsletters, meetings, promotional offers, market research, informative material, satisfaction surveys, commercial and advertising material or in connection with events and initiatives, especially conferences and meetings open to the public. The Company does not carry out such activities for relations to Interested parties, possibly subject to profiling following behaviour monitoring, whose data, if collected, are used only for general analysis of the origin of contacts and the type of services object of interest. Processing will be carried out by automated means, e-mail, operator telephone calls, text messages, chat rooms and paper-based mail, on the following personal data: name, surname, private address, telephone number, fax number, e-mail address, social media profile, cookies, technical identifiers (IP, unique mobile device identifiers, etc.). Data processed for the above purposes may be retained for the entire period of the mandate and for up to 3 years from the date of termination of the main contractual relationship or of the service requested (e.g., newsletter). Providing such data is optional albeit necessary for the above purpose. If you do not provide such data we will be unable to contact you for direct marketing initiatives based on your interests. This will, however, not have any negative consequences for the purposes set forth under points 3.1 – 3.3 above.
4. Recipients to whom your personal data may be disclosed
For the above purposes, your data may be disclosed to the following categories of subjects, in Switzerland or abroad, including outside the European Union, in their capacity as controllers in respect of such data (the list is not exhaustive):
a) company bodies;
b) companies that provide banking, financial and/or fiduciary services;
c) service companies for the collection, registration and processing of data from documents or media sent to you and concerning payments, bills, cheques and other securities;
e) lawyers and notary publics;
f) government, supervisory and tax authorities;
g) national and international system management companies for audits and controls in the framework of the prevention and detection of money laundering, terrorist financing and fraud;
For the above purposes, your data may be made available to the following categories of subjects, in Switzerland or abroad, including outside the European Union, in their capacity as processors:
a) service companies for the collection, registration and processing of data from documents or media sent to you and concerning payments, bills, cheques and other securities;
b) companies involved in sending, enveloping and sorting correspondence to clients;
c) subjects involved in filing documentation concerning relations with you as a client;
d) subjects who provide consultancy services on our behalf;
e) companies that provide operational services, especially IT and back-office/operations;
f) companies that provide security and facility management services at our premises.
Please also note the following:
a) we will not transfer your personal data to other countries outside Switzerland, except by virtue of a legal obligation or when necessary in the performance of the contract with you, as duly instructed by you;
b) activities in connection with the corporate IT system (specifically: servers, firewalls, e-mail, website, back-up) have been outsourced to a leading Swiss provider in the sector; data are stored in Switzerland and can only be accessed by authorised personnel;
c) your personal data will not be disclosed to unspecified subjects.
5. Data processing methods used
The data you provide may be processed by automated means, in writing or using electronic or telematic tools, including tape recordings and the use of other equivalent storage media, based on procedures and systems completely in line with the purposes referred to above and such as to guarantee security and confidentiality as required by the applicable regulations. The data in question may also be stored and retained in printed or electronic form, recorded on tape or other equivalent storage media, in the case of recorded telephone calls. Personal data may be stored on servers located in Switzerland in accordance with the laws in force and with full assurance of compliance with security and confidentiality requirements. You may obtain a copy of your personal data by sending a written request addressed to the controller, at the e-mail address email@example.com, or the postal address of our registered office.
6. Transfer of personal data to countries outside the European Union or to the European Economic Area
It is assumed that the data are transferred abroad exclusively by virtue of a legal obligation or if this is necessary to fulfil the contract with the Customer, respectively on his instruction. In particular, data may be transferred where necessary to the execution of a contract concluded between the data subject and the data controller, or the execution of pre-contractual measures taken at the request of the data subject; or where the transfer is necessary for the conclusion or execution of a contract between the data controller and another natural or legal person in favor of the data subject; or the transfer is necessary for important reasons of public interest; or the transfer is necessary to ascertain, exercise or defend a right in court; or the transfer is necessary to protect the vital interests of the person concerned or of other persons, if the person concerned finds himself in the physical or legal incapacity to give his consent; or the transfer is made from a register which, under Union or Member State law, aims to provide information to the public and can be consulted by both the general public and anyone able to demonstrate a legitimate interest, only on condition that the requirements for consultation provided for by Union or Member State law are met.
7. Sources from which personal data originate
In line with the provisions of Article 14 of the Swiss DPA and point (f) of Article 14(2) of the GDPR, we will not only process personal data provided directly by you but also other data obtained in other ways, for example from public and/or private databases. More specifically we use, for our clients, databases to gather the information we need in order to comply with legal requirements in the context of prevention and detection of money laundering, terrorist financing and fraud (e.g. the World-Check database). All information and personal data obtained through such databases will be processed and retained exclusively by our company.
8. Rights of the data subject
Pursuant to Article 8 of the Swiss DPA, data subjects have the right to verify the correctness of their personal data, and to request the modification, rectification and/or updating of such data. Upon written request, the data subject has the right to be informed as to whether and how any personal data concerning him or her are being processed. Data subjects are also entitled to withdraw their consent to the processing of their personal data. In some specific cases, where prescribed by law, access to data may be denied. Data subjects have the right to obtain advice on the protection of personal data from the Federal Data Protection and Information Commissioner ("Federal Commissioner"), and to report illegal data processing activities when:
a) the processing methods used could adversely affect the personal status of a considerable number of people (system error);
b) records of data collection activities must be kept (Article 11(a) of the Swiss DPA);
c) there is an obligation to notify in accordance with Article 6(3) of the Swiss DPA.
The Federal Commissioner can be contacted at the addresses shown on www.edoeb.admin.ch/edoeb/it/home/l-ifpdt/contatto.html. In case of subjecting the processing of personal data to the GDPR following profiling created on monitoring pursuant to art. 3 para. 2 lit. b GDPR, you may exercise your rights as envisaged under Articles 15, 16, 17, 18, 19, 20, 21, 22 of said GDPR.
The data subject has the right to obtain from the controller, within the limits established by the Regulation, free access to the personal data concerning him or her, erasure of such data, the rectification of inaccurate data, the completion of incomplete data, the restriction of processing to storage only, and the right to object to processing, the cancellation (right to be forgotten) and the portability of your data. Where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract and data processing is carried out by automated means, the data subject is entitled to receive such personal data in a free structured, commonly used, machine-readable format and, where technically feasible, to transmit the personal data to another controller. The data subject has the right to withdraw his or her consent at any time in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR without affecting the lawfulness of processing based on said consent before its withdrawal. The data subject has the right to lodge a complaint with the competent supervisory authority in the Member State of his or her habitual residence or place of work or place of the alleged infringement. In any case, whichever regulation is applicable, rights must be exercised in writing by notifying the controller at the e-mail address firstname.lastname@example.org, or the postal address of our registered office.
9. Controller / DPO / Persons authorised to process personal data
The controller is the subsidiary of Veco Group SA (registered office in Lugano, Via Lavizzari 4)
E-mail address: email@example.com
Telephone number: +41 91 911 71 11
Persons authorised to process personal data pursuant to Article 29 of the GDPR are the company's employees and co-workers, who will process said data according to the principles of confidentiality and security established by the applicable regulations.