RSM collects and processes personal data (i.e. information relating to an identified or identifiable natural person) relating to its customers in accordance with the applicable legislation, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 (the “GDPR”).
RSM only collects and/or processes the information required by applicable laws, respectively useful for the execution of its mission, as “Data Processor” or “Data Controller” in the meaning of the GDPR.
RSM’s clients are data controllers and determine the purposes and means of the personal data processing. As a subcontractor in charge of services to be provided to them (e.g. domiciliation, accounting and tax services for RSM Tax & Accounting Luxembourg, central administration services to funds clients for RSM Financial Services Luxembourg or AIFM services for RSM Fund Management Luxembourg, or salary calculation for RSM Cosal), RSM is a data processor and processes personal data on behalf of, on instructions from and under the authority of its clients.
When RSM acts as Data Processor, an agreement regulating the personal data processing is concluded with its customers.
In this regard, please find below a description of this specific legal data processing:
1. What are the Personal Data processed?
RSM may process the following categories of Personal Data:
- Contact information such as address, email address, phone number;
- Data relating to civil status such as last and first names, nationality, tax residence;
- Data relating to the professional situation of natural persons such as job title, professional background and skills; and
- Financial data such as financial participations in the share capital of companies.
2. Why are the Personal Data processed?
The Personal Data are processed by RSM to meet its regulatory obligations (including conducting due diligence and cooperating with competent authorities, but also preventing and detecting any financial fraud, corruption and financing of terrorism activities) and to be in a position to execute its engagement.
RSM informs its clients of those requirements before processing, unless laws, regulations or circulars prohibit such information on important grounds of public interest.
3. Who may access the Personal Data?
The Personal Data are processed by RSM employees in the framework of the objectives described above.
Furthermore, RSM may share the Personal Data with:
- all Luxembourg RSM companies (i.e. RSM Tax & Accounting Luxembourg, RSM Financial Services Luxembourg, RSM Fund Management Luxembourg, RSM Audit Luxembourg and RSM Cosal Luxembourg);
- relevant regulators and, more generally any competent authority, when RSM is required to do so; and
- third party service providers (e.g. for IT purposes and storage systems).
The Company hereby grants a generic written authorisation to RSM to use Data Processors for processing personal data:
- to the extent necessary for RSM to fulfil its contractual obligations under the Agreement and the Addendum; and
- as far as RSM remains responsible for any act or omission of its Data Processors.
As a consequence, RSM is allowed to engage Data Processors for carrying out specific processing activities.
4. How long are the Personal Data stored?
RSM retains the Personal Data in accordance with the legal retention periods applicable in Luxembourg or, where required for RSM to assert or defend against legal claims, until the end of the relevant retention period or until the claim in question has been settled.
- the AML/KYC obligations related documents will be kept for five (5) years from the end of the contractual relationship with the Company or any other longer period required by the law; and
- RSM may in addition retain the Personal Data for a legitimate interest for a specific purpose for a period of ten (10) years.
Moreover, the Personal Data will be deleted when:
- they are no longer reasonably required for the purpose they were initially collected for; and/or
- RSM is not legally required or otherwise permitted to continue storing them.
5. What are your rights?
Pursuant to the GDPR, you (i.e. each client or client’s staff or representatives, to the extent applicable to each relevant natural person) have the following rights with respect to the processing of the Personal Data:
- To access and, where applicable, to obtain copies of the Personal Data;
- To request the rectification or correction of the Personal Data if they are incomplete or incorrect;
- To require deletion of the Personal Data, unless there is a legitimate reason for RSM to justify storing them;
- To require that the processing of the Personal Data be limited, if applicable; and
- To object at any time to the processing of the Personal Data, if applicable.