Data Management Policy - Maha Capital Partners

Issued: October 13, 2021
Updated: March 02, 2025

The following statement was established by Maha Capital Partners LLC (“MCP LLC”) and may be made available to any data subject whose data is likely to be collected, received, stored, recorded, used, consulted or otherwise processed by MCP LLC for the purposes reminded within article 5 (“Description and purposes of data processing”) of its Personal Data Management Policy. It shall be made available on the internet website of MCP LLC and to any other person or party upon request addressed to MCP LLC.

Data Privacy Statement

In accordance with disclosure requirements set out under QFC’s Data Protection Regulations and QFCA’s Data Protection Rules, the following privacy statement (the “Data Privacy Statement”) provides an overview of how Maha Capital Partners LLC (the “Company”) uses information which it receives, collects, processes and/or holds in relation to natural persons and which meets the definition of “personal data” as described below.

The Company undertakes business activities and transactions in accordance with the terms of its QFCRA authorization, which includes providing investment management services to its customers by way of collective investment schemes in one or several jurisdictions.

As a QFC-licensed entity established in (and operating from) the QFC in the State of Qatar but which is also involved in providing its management services to clients or customers on behalf of funds or partnerships established in foreign jurisdictions (or in the QFC, as the case may be), the Company will be collecting and processing “personal data” (as defined below).

For the purposes of this document, the terms “personal data” refer to any information relating to an identified natural person or an identifiable natural person, i.e. a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity. For example (and without limitation), any reference to a birth date, an address, an e-mail address or phone number, a QID number or passport number shall be deemed to constitute a means of identification as per the previous sentence.

For the purposes and under the terms of this Data Privacy Statement, the following terms or acronyms shall have the following meaning or definition:

“CRO” means the QFC’s Companies Registration Office;

“DPO” means the QFC’s Data Protection Office, as established under article 32 of the DPO;

“DPR” means the QFC’s Data Protection Regulations 2021, as may be supplemented, amended, revised, restated and/or renewed from time to time; and “DP Rules” means the QFCA’s Data Protection Rules 2021, as may be supplemented, amended, revised, restated and/or renewed from time to time;

“QFC” means the Qatar Financial Centre, as created by Law no. (7) of 2005 (as revised, amended, restated and/or replaced from time to time);

“QFCA” means the Qatar Financial Centre Authority (QFCA); and

“QFCRA” means the Qatar Financial Centre Regulatory Authority (QFCRA).

(A) Who is legally responsible for the processing of your personal data and who can you contact about this subject?

In data protection law terminology, such role lies with the “data controller”. For the purposes and under the terms of this Data Privacy Statement, the data controller is namely:

Maha Capital Partners LLC

Ambassadors Street

QFC Tower 1

P.O. Box 24879

West Bay – Doha, State of Qatar

Tel.: +974 44043840

The Company is required to process your personal data fairly, lawfully and transparently in accordance with the DPR and DP Rules.

Should you have any queries, questions and/or complaints about the way in which your personal data is processed or in which you believe it is being processed, you may raise these with your usual customer relationship correspondent or manager at Maha Capital Partners LLC. Contrary to the EU’s General Data Protection Regulation, the DPR does not require the Company to appoint a dedicated internal data protection officer; however, the Company undertakes to provide you in any event with a swift answer to any submitted requests in relation to our management or processing of your personal data in a similar and professional fashion and has established internal procedures to such effect.

If you are an employee, officer, manager and/or director of the Company, you may raise these with the individual(s) within the Company who is(are) in charge of exercising the human resources (“HR”) duties and responsibilities of the Company and of managing such HR-related issues.

(B) From whom (and in relation to whom) does the Company collect or receive “personal data”?

The Company collects and processes certain categories of personal data, as a Data Controller, in relation to:

natural persons who are representatives (whether legal or other) of (i) the Company’s clients or investors (whether potential or effective), as well as of (ii) their beneficial owners and controlling persons and representatives of members (or affiliates) of the client’s group or organization, and (iii) any natural persons who represent or act in the name of their advisers, partners, auditors, insurers, agents, contractors and/or service providers (and of their group members or affiliates) (the “Client Data”); this category of data subjects refers to the clients or investors in funds or partnerships in which the Company is exercising (or intends to exercise) certain management powers or duties;

natural persons who are representatives (whether legal or other) of (i) the Company’s acquisition or investment targets, as well as of (ii) their beneficial owners and controlling persons and representatives of members or affiliates of such target’s group or organization, and (iii) any natural persons who represent or act in the name of their advisers, partners, auditors, insurers, agents, contractors and/or service providers (and of their group members or affiliates) (the “Transaction Data”); this category of data subjects refers to the acquisition or investment targets contemplated or purchased by the Company (or any of its affiliates, such as holding companies controlled by the Company) on behalf of the funds or partnerships in which the Company is exercising (or intends to exercise) certain management powers or duties;

natural persons who are representatives (whether legal or other) of (i) the Company’s advisers, agents, auditors, insurers, consultants, contractors and/or service providers, as well as of (ii) their beneficial owners and controlling persons and representatives of members or affiliates of such party’s group or organization (the “Service Provider Data”); this category of data subjects also refers to advisers, agents, auditors, insurers, contractors and/or service providers of a fund or partnership whose management powers or duties are (or intended to be) exercised by the Company;

natural persons who are (or who represent and/or act in the name of) a complainant, correspondent or enquirer towards the Company, including through its website (the “Correspondent Data”); this category of data subjects also refers to a complainant, correspondent or enquirer towards a fund or partnership whose management powers or duties are (or intended to be) exercised by the Company, including through such fund’s or partnership’s website; and:

natural persons who are employees, directors, officers or managers of the Company and of its affiliates (including of the parent company and beneficial owner of the Company), as well as their family relatives and connected persons (the “Employee Data”).

(C) What type of personal data might the Company hold about you and where do we source such data?

We only hold, process, collect, use and consult personal data in relation with you that is relevant in the context of the Company’s relationship with you, whether it is already commenced and ongoing or whether it is intended or contemplated in the future.

Some of this information is received from you directly. Some other of this data is collected from companies acting on your behalf. The Company may also search and obtain personal data from a range of other sources, namely (i) its contractors, service providers, agents or advisers, (ii) your former or current employer, (iii) other companies or financial institutions, or (iv) publicly available sources (i.e. media sources, registers of companies and assets, internet websites, professional media platforms) and providers of business-risk screening services, such as credit reference agencies, anti-fraud data bases, sanctions lists providers, risk providers and databases of news articles.

Client Data (in relation to investors/clients)

Names (first name, family name and any other usage name)

Gender

Date of birth

Place of birth

Birth certificate number

Civil status (married, single…)

Address, city and country of residence

Citizenship

Phone number and fax number

E-mail address

Picture of the person

Social security number, with place, agency and date of issuance and expiration date

Tax identification (or registration) number(s) and place of tax residency

Passport or identification document number, with place, authority and date of issuance and expiration date

Residency permit and/or visa card number, with place, authority and date of issuance and expiration date

Driver’s license number, with place, authority and date of issuance and expiration date

Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form

Designation or title of any professional functions attached to the natural person (whether past or present)

Identification number or other personal reference(s) which may be included in a electricity or other utility invoice evidencing use or consumption of such service

Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated

Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person

Evidence of source of wealth or funds which includes personal identification items

Financial information relating to a person’s profile such as employment, income, pension, investments, assets, liabilities, outgoings, creditworthiness, bank account details, investment objectives, knowledge of financial products and services, risk appetite level, capacity for loss

Transaction Data (in relation to investments)

Names (first name, family name and any other usage name)

Gender

Date of birth

Place of birth

Birth certificate number

Civil status (married, single…)

Address, city and country of residence

Citizenship

Phone number and fax number

E-mail address

Picture of the person

Tax identification (or registration) number(s) and place of tax residency

Passport or identification document number, with place, authority and date of issuance and expiration date

Residency permit and/or visa card number, with place, authority and date of issuance and expiration date

Driver’s license number, with place, authority and date of issuance and expiration date

Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form

Designation or title of any professional functions attached to the natural person (whether past or present)

Identification number or other personal reference(s) which may be included in a electricity or other utility invoice evidencing use or consumption of such service

Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated

Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person

Fingerprint data

Evidence of source of wealth or funds which includes personal identification items

Financial information relating to a person’s profile such as employment, income, pension, investments, assets, liabilities, outgoings, creditworthiness, bank account details, investment objectives, knowledge of financial products and services, risk appetite level, capacity for loss

Service Provider Data (in relation to service providers)

Names (first name, family name and any other usage name)

Gender

Date of birth

Place of birth

Birth certificate number

Civil status (married, single…)

Address, city and country of residence

Citizenship

Phone number and fax number

E-mail address

Picture of the person

Tax identification (or registration) number(s) and place of tax residency

Passport or identification document number, with place, authority and date of issuance and expiration date

Residency permit and/or visa card number, with place, authority and date of issuance and expiration date

Driver’s license number, with place, authority and date of issuance and expiration date

Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form

Designation or title of any professional functions attached to the natural person (whether past or present)

Identification number or other personal reference(s) which may be included in an electricity or other utility invoice evidencing use or consumption of such service

Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated

Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person

Evidence of source of wealth or funds which includes personal identification items

Financial information relating to a person’s profile such as employment, income, pension, investments, assets, liabilities, outgoings, creditworthiness, bank account details, investment objectives, knowledge of financial products and services, risk appetite level, capacity for loss

Correspondent Data (in relation to correspondents)

Names (first name, family name and any other usage name)

Gender

Date of birth

Place of birth

Birth certificate number

Civil status (married, single…)

Address, city and country of residence

Citizenship

Phone number and fax number

E-mail address

Picture of the person

Tax identification (or registration) number(s) and place of tax residency

Passport or identification document number, with place, authority and date of issuance and expiration date

Residency permit and/or visa card number, with place, authority and date of issuance and expiration date

Driver’s license number, with place, authority and date of issuance and expiration date

Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form

Designation or title of any professional functions attached to the natural person (whether past or present)

Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person

Online identification numbers and passwords, when connecting to or accessing the Company’s (or its affiliate’s) website(s).

Employee Data (in relation to Employees)

Names (first name, family name and any other usage name)

Gender

Date of birth

Place of birth

Birth certificate number

Civil status (married, single…)

Address, city and country of residence

Citizenship

Phone number and fax number

E-mail address

Picture of the person

Tax identification (or registration) number(s) and place of tax residency

Passport or identification document number, with place, authority and date of issuance and expiration date

Residency permit and/or visa card number, with place, authority and date of issuance and expiration date

Entry and exit permit number or reference, with place, authority and date of issuance and expiration data, in relation to any immigration or circulation-related administrative or governmental formalities, steps or admissions;

Driver’s license number, with place, authority and date of issuance and expiration date

Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form

Designation or title of any professional functions attached to the natural person (whether past or present)

Identification number or other personal reference(s) which may be included in a electricity or other utility invoice evidencing use or consumption of such service

Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated

Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person

Fingerprint data (but always subject to the application of the terms of article 7 “Sensitive Personal Data” of the Company’s Personal Data Management Policy which set out restrictive purposes and conditions, as well as specific safeguards)

Prior criminal record extract data, including any identification number and description of absence of or content of convictions (but always subject to the application of the terms of article 7 “Sensitive Personal Data” of the Company’s Personal Data Management Policy which set out restrictive purposes and conditions, as well as specific safeguards)

Professional references and employment certificates (or equivalent), evaluation of his/her knowledge of financial products and services, risk-related knowledge and other professional know-how, skills, qualifications and competencies

Evidence of financial soundness which includes personal identification items such as creditworthiness

Financial information and data relating to a person’s profile such as (as a matter of example) bank account details

Medical and health data (but always subject to the application of the terms of article 7 “Sensitive Personal Data” of the Company’s Personal Data Management Policy which set out restrictive purposes and conditions, as well as specific safeguards)

(D) What will we use your personal data for, and does QFC Data Protection Regulations allow this?

The lawful basis for which personal data is processed are reminded below, being understood that each of these purposes are consistent with the specific grounds under QFC Data Protection Regulations which allow the Company to do this, namely:

for the performance of a contract to which a data subject is a party, or in order to take steps at the data subject’s request before entering into a contract,

for compliance with a legal or regulatory obligation or acting in the public interest,

where processing is necessary to protect your vital interests, or:

for the purposes of the “legitimate interests” pursued by the Company or by the third party or parties to whom the personal data is disclosed (except where such interests are overridden by the rights and legitimate interests of the data subject that require the data to be protected).

Another lawful basis is when the data subject concerned has given their consent to the processing of their personal data for one or more specific purposes.

The Company collects and processes Client Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

entering into an agreement (and performing any obligations and exercising any rights thereunder) with respect to investment(s) by such client or investor in a product, activity, transaction or service performed or provided by the Company in the area of fund management, and preparing the entry into such an agreement as well as maintaining it;

performing risk-based analysis covering the client’s profile, the transaction contemplated or entered into with such client/investor, including AML-CFT risk analysis, compliance with economic sanctions and other related evaluations, controls and verifications for fraud prevention, risk-management and risk-control related purposes;

performing the Company’s (or its fund’s or partnership’s) legal and/or regulatory duties, obligations and requirements, as set out under QFC law and under the applicable laws and regulations of the jurisdiction(s) in which the Company (and/or its managed fund or partnership) is established and operates, including (i) preparing and filing any tax reporting (whether under FATCA and CRS rules, or under any local tax obligations), and (ii) any reporting of suspicious transactions or activities with a financial intelligence unit (as the case may be), and (iii) enabling the Company to file reports, questionnaires and procedures which may be incurred by itself (including to QFCRA, QFCA, DPO and CRO) or by the fund or partnership under management (including to CIMA, CSSF or another competent regulator);

enabling the Company, and its managed funds or partnerships, to comply with their internal audit verifications and controls and with their external auditing obligations, policies and procedures, including when preparing its financial statements or those of the fund or partnership under management;

to obtain any insurance services, auditors’ services and other related arrangements which are necessary to ensure the Company’s (and the fund’s or partnership’s) obligations are properly implemented and carried out;

to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required; and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;

to participate in the administration of justice;

to establish and maintain the Company’s (and the fund’s or partnership’s) membership records;

information and data bank administration in relation to the provision of services by the Company;

advertising, marketing and public relations of the Company and of its managed funds or partnerships; and

provision to the client or investor of any financial services which the Company is authorized to provide under the terms of its authorization.

The Company collects and processes Transaction Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

entering into an agreement (and performing any obligations and exercising any rights thereunder) with respect to investment(s)/divestment(s) being prepared or executed by the Company (or any of its affiliates, such as a holding company over which it exercises control) on behalf of any fund or partnership which it manages or is intended to manage, and preparing the entry into such an agreement as well as maintaining it;

performing risk-based analysis covering the investment target’s profile and the features of the transaction contemplated or entered into with the buyer or seller of the investment target, including AML-CFT risk analysis, compliance with economic sanctions and other related evaluations, controls and verifications for fraud prevention, risk-management and risk-control related purposes;

informing the Company’s clients/investors and seeking their consent (when such case is applicable) in relation to the substance and terms of the investment(s)/divestment(s) by the Company (or any of its affiliates) on behalf of any fund or partnership which it manages or is intended to manage;

complying with the contractual obligations incurred by the Company under the terms of any fund-related or partnership-related arrangements or schemes to which the Company is party;

performing the Company’s (or its fund’s or partnership’s) legal and/or regulatory duties, obligations and requirements, as set out under QFC law and under the applicable laws and regulations of the jurisdiction(s) in which the Company (and/or its managed fund or partnership) is established and operates, including (i) preparing and filing any tax reporting (whether under FATCA and CRS rules, or under any local tax obligations), and (ii) any reporting of suspicious transactions or activities with a financial intelligence unit (as the case may be), and (iii) enabling the Company to file reports, questionnaires and procedures which may be incurred by itself (including to QFCRA, QFCA, DPO and CRO) or by the fund or partnership under management (including to CIMA, CSSF or another competent regulator);

enabling the Company, and its managed funds or partnerships, to comply with their internal audit verifications and controls and with their external auditing obligations, policies and procedures, including when preparing its financial statements or those of the fund or partnership under management;

to obtain any insurance services, auditors’ services and other related arrangements which are necessary to ensure the Company’s (and the fund’s or partnership’s) obligations are properly implemented and carried out;

to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;

to participate in the administration of justice;

to establish and maintain the Company’s (and the fund’s or partnership’s) membership records;

information and data bank administration in relation to the provision of services by the Company;

advertising, marketing and public relations of the Company and of its managed funds or partnerships; and

provision to the client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

The Company collects and processes Service Provider Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

exercising its fund management activities with respect to funds and partnerships under management (or whose management is contemplated) by the Company, in particular hiring, appointing and maintaining such service providers for the purposes of enabling the Company to enter into (or uphold) an agreement (i) with respect to investment(s) by any client or investor in a product, activity, transaction or service performed or provided by the Company in the area of fund management, or preparing the entry into such an agreement, and (ii) with respect to investment(s)/divestment(s) by the Company on behalf of any fund or partnership which it manages or is intended to manage, and preparing the entry into such an agreement as well as maintaining it;

performing risk-based analysis covering the Company’s clients and investors and any investment target’s profile and the features of the transaction contemplated or entered into with the buyer or seller of the investment target, including AML-CFT risk analysis, compliance with economic sanctions and other related evaluations, controls and verifications for fraud prevention, risk-management and risk-control related purposes;

verifying the competencies, reputation, quality and suitability of a service provider with respect to the appointed role or function which is being proposed or contemplated by the Company; performing extensive due diligence on the service provider’s organization, governance and control structure prior to (or upon) on-boarding of such service provider and in the ongoing course of business, whether in relation to services owed to the Company or to any funds or partnerships managed by the Company;

complying with the contractual obligations incurred by the Company under the terms of any fund-related or partnership-related arrangements or schemes to which the Company is party;

performing the Company’s (or its fund’s or partnership’s) legal and/or regulatory duties, obligations and requirements, as set out under QFC law and under the applicable laws and regulations of the jurisdiction(s) in which the Company (and/or its managed fund or partnership) is established and operates, including (i) preparing and filing any tax reporting (whether under FATCA and CRS rules, or under any local tax obligations), and (ii) any reporting of suspicious transactions or activities with a financial intelligence unit (as the case may be), and (iii) enabling the Company to file reports, questionnaires and procedures which may be incurred by itself (including to QFCRA, QFCA, DPO and CRO) or by the fund or partnership under management (including to CIMA, CSSF or another competent regulator);

enabling the Company, and its managed funds or partnerships, to comply with their internal audit verifications and controls and with their external auditing obligations, policies and procedures, including when preparing its financial statements or those of the fund or partnership under management;

to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;

to participate in the administration of justice;

to establish and maintain the Company’s (and the fund’s or partnership’s) service-provision records;

information and data bank administration in relation to the provision of services to the Company or to any of its related funds or partnerships; and

provision to the client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

The Company collects and processes Correspondent Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

to analyze and manage the request, enquiry or complaint being received and to proceed to an appropriate analysis of the request, enquiry or complaint and provide relevant answers in due course;

to perform any legal or regulatory obligation with respect to the request, enquiry or complaint received, including with respect to any personal data management request or to any judicial or extra-judicial claim or dispute;

to perform any reporting or information/correspondence obligation owed to any competent authority, body or agency when the request, enquiry or complaint requires such reporting or information/correspondence;

to ensure that the Company is compliant with its own and with the fund’s/partnership’s own obligations under the contractual arrangements to which it is a party;

to fulfill any internal audit, external audit, insurance or other similar requirement, when the control, diligence or verification relates to the request, enquiry or complaint received by the Company or by any fund or partnership managed by the Company;

to pursue any marketing or advertisement objectives, when the correspondent has initiated such a request (or has answered a solicitation from the Company);

to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;

to participate in the administration of justice;

to establish and maintain the Company’s (and the fund’s or partnership’s) service-provision records;

information and data bank administration in relation to the provision of services by the Company or by any of its related funds or partnerships; and

provision to a client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

The Company collects and processes Employee Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

to establish, maintain, amend, revise and terminate employment agreements or other similar undertakings or contractual documents with the relevant person (such as membership of a Board-related committee) with a view to formalizing and setting up a framework for such person’s employment, mandate or duties towards the Company (or towards any fund or partnership managed by the Company);

to perform any human resources-related duties and responsibilities during the course of such person’s employment (or equivalent role) with the Company, including at the step of dismissal, resignation or termination of such person’s employment or role;

to assess such person’s performance as employee, director, officer, manager or other role and to allocate any remuneration and to enter into remuneration-based arrangements with such persons, as the case may be;

to perform any legal and regulatory obligation of the Company in the areas of regulatory reporting, submission of individual “application forms” to the QFCA, CRO, DPO, QFCRA or other competent bodies or agencies permitted by law, in particular with respect to approval of any individual exercising a “controlled function” within the meaning of applicable law;

to proceed with any governmental and administrative steps and formalities in the area of such person’s admission and entry into the State of Qatar (or other relevant country for such person’s activities and functions), as well as to permit circulation and transportation of such person, and to comply with any immigration-related and/or corporate steps and formalities, and/or any visa, residency permit or circulation requirements, which may be useful or necessary in connection with any employee, manager, officer or director’s exercise of functions (including his/her hiring, appointment or nomination in any capacity whatsoever);

to comply with any legal or regulatory obligation, including “screening” of any employee, manager, officer or director’s past or present presence on international sanctions’ lists, verification of their prior criminal records and analysis of their professional profile (i.e. CV and other related documents) for the purposes of determining suitability, fitness and competencies, and fraud prevention purposes;

to prepare and implement salary paychecks, salary information and pay slips, and to settle such owed amounts by any banking means permitted;

to obtain, uphold and amend (where necessary) health insurance coverage for any employee, manager, officer or director;

to ensure that the Company is compliant with its own and with the fund’s/partnership’s own obligations under the contractual arrangements to which it is a party;

to fulfill any internal audit, external audit, insurance or other similar requirement;

to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;

to participate in the administration of justice;

to establish and maintain the Company’s (and the fund’s or partnership’s) service-provision records;

information and data bank administration in relation to the provision of services by the Company or by any of its related funds or partnerships; and

provision to a client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

For the sake of clarity, such grounds for processing which have been described above expressly set out the “legitimate interests” of the Company, as well as those of other persons to whom the data are likely to be disclosed in accordance with paragraph (F) below, as well as the obligations applicable to the Company in relation thereto.

If the Company wishes to process your personal data in a way not covered by the legally permitted justifications which are described above, the Company will need to obtain your consent first (being understood however that no such consent is required when the justifications above are met) and, in such circumstances, you are entirely free to give your consent or not. However, if your consent has been required by the Company and that you choose not to provide it, there may be circumstances where the Company will not be able to provide services, products, transactions or enter into (or uphold) a business relationship or activity with you or with any of your related persons or entities. Where and once you give your consent, you are entitled to withdraw it at any time. Withdrawing your consent does not render the Company’s prior handling/processing of your personal data before consent withdrawal unlawful and it might also have a direct impact on the Company’s ability to continue to provide any of the services, products, transactions and/or activities in the same way in the future, as further described in paragraph (K) below.

(E) Does the Company collect and process any “sensitive” personal data?

As a general policy, the Company does not and will not collect nor receive any “sensitive personal data” regarding any data subject, as defined expressly under Article 39 of the DPR, i.e. concerning such data subject’s personal data revealing or relating to racial or ethnic origin (excluding, for the sake of clarity, citizenship or country of nationality), political affiliations or opinions, religious or philosophical beliefs, trade-union or organizational membership, criminal records, health and sex life, or genetic and biometric data used to identity an individual.

As an exception to the above, the Company may however receive and process “health data” relating to its employees, managers, officers and directors (“Employees”) and their relatives, for the limited purposes^[1] of:

arranging for the provision and maintenance of health insurance coverage to such Employee and his/her family (without any intervention, assessment, consultation nor use whatsoever by the Company of/over the content of such documents),

enabling the Company to comply with its obligations and exercising its rights in the field of employment law, and:

identifying, monitoring and mitigating the risk of Covid-19-related (or of other diseases or virus-related) contamination(s) of one or several of its Employees, with the exclusive objective of ensuring that the collective health of its Employees is globally protected and that such risk is properly mitigated.

Such health data concerns the medical assessment and control of such person’s health status, the prescriptions of medical examinations (and results of such examinations) and the different biological and medical conditions of the Employees and of their relatives.

As a second exception to the above, the Company may also receive and process criminal records extracts from its Employees, for the sole purposes^[2] of ensuring compliance by the Company with its integrity-related and fitness-related obligations and conducting verifications and controls in relation thereto.

As a third exception to the above, the Company processes fingerprint data from its Employees, for the sole purposes of operating the access rights to the Company’s premises and offices.

Such personal data must be collected directly from the Employee – and treated and recorded – solely by the individual, department, division, unit or function of the Company in charge of managing or exercising the human-resources (HR) activities of the Company, and may not be shared with any other person. No automated treatment may be conducted over such data. The health data shall be processed in accordance with the terms of the Company’s Personal Data Management Policy (in particular its article 6) which is made available to all Employees of the Company. Employees’ criminal records may be made available by HR to the Company’s MLRO and COF for performance of their respective duties, as well as any internal or external auditor and regulatory, supervisory or controlling authority, agency or body holding effective jurisdiction over the Company’s affairs, business and operations. Fingerprint data is by the Company solely collected for the purposes of operating the electronic access system which authorizes access to the Company’s premises and offices and shall never be shared nor disclosed to any third party whatsoever.

Receipt, collection, processing and/or recording of any other “sensitive” personal data by the Company is prohibited.

If any processing of other/additional “sensitive personal data” were to be ever contemplated in the future by the Company, a prior assessment would be conducted internally prior to any such processing being undertaken with a view to determining whether application for permit to the DPO is required or whether the processing would meet any of the eligibility criteria set out under article 12(1) of the DPR without requiring prior permit from the DPO, as per article 12(2) of the DPR (as supplemented by article 2 of the DP Rules). If any permit from the DPO is determined as being required by the Company, the permit request prepared by the Company must always match the mandatory set of minimum information contained in article 2 of the DP Rules.

(F) Who might we share your personal data with?

Where necessary to fulfil your instructions or requests to the Company and/or for any other purposes outlined in paragraph (D) of this Data Privacy Statement, we may share your personal data with a range of recipients which are the following:

any judicial, governmental, administrative, tax, accounting and/or regulatory authority, body or agency (including any supervisory or controlling authority, body or agency) or court,

service providers (including any custodian, depository or administrator), contractors, advisers, insurers, reinsurers, insurance brokers, auditors and/or agents – and companies within their group and their sub-contractors – who need to obtain or access such information to provide their services or exercise their duties or responsibilities, including any credit reference agencies, IT-related processors or agents, background screening providers, payment and settlement service providers or banking institutions, professional advisers and potential purchasers of the Company’s business or assets (or those under management by the Company), and

to third parties where necessary or required to enable the Company to perform its obligations, whether legal, regulatory or contractual (including to any affiliates of the Company or to funds or partnerships and their service providers and partners for which the Company is acting as manager or equivalent).

In particular, the Company has established, with respect to the “categories of recipients to whom the personal data have been or will be disclosed” as defined under article 3(E) of the DP Rules, that:

Client Data may be provided to (i) the Company’s (or any of its managed funds’) auditors, insurers, re-insurers or insurance brokers, (ii) the Company’s (or any of its managed funds’) competent supervisory, tax, governmental, corporate or regulatory authorities, agencies or bodies, (iii) counterparties in relation to prospective investment transactions or purchases relating to any managed funds (or funds intended to be managed), (iv) any providers, vendors or consultants who are appointed or contemplated to be appointed for any workstreams relevant to the purposes mentioned in item (iii) of this paragraph;

Transaction Data may be provided to (i) the Company’s (or any of its managed funds’) auditors and insurers, re-insurers or insurance brokers, (ii) the Company’s (or any of its managed funds’) competent supervisory, tax, governmental, corporate or regulatory authorities, agencies or bodies, (iii) any prospective or existing investors in a managed fund whose affairs are managed by the Company, (iv) any providers, vendors or consultants who are appointed or contemplated to be appointed for any workstreams relevant to the purposes mentioned in item (iii) of this paragraph;

Correspondent Data may be provided to (i) the Company’s (or any of its managed funds’) auditors, (ii) the Company’s (or any of its managed funds’) competent supervisory, tax, governmental, corporate or regulatory authorities, agencies or bodies, (iii) any prospective or existing investors in a managed fund whose affairs are managed by the Company, (iv) any providers, vendors or consultants who are appointed or contemplated to be appointed for any workstreams relevant to the purposes mentioned in item (iii) of this paragraph;

Employee Data may be provided to (i) the Company’s (or any of its managed funds’) auditors and insurers, re-insurers or insurance brokers, (ii) the Company’s (or any of its managed funds’) competent supervisory, tax, governmental, corporate or regulatory authorities, agencies or bodies, (iii) any prospective or existing investors in a managed fund whose affairs are managed by the Company, (iv) any providers, vendors or consultants who are appointed or contemplated to be appointed for any workstreams relevant to the purposes mentioned in item (iii) of this paragraph;

In case of disclosure to any other person or party (other than outlined above), the Company shall request to obtain your prior consent to such disclosure.

In any case where the Company is sharing your personal data with a third-party data controller, the use of that data by the third party shall be subject to that third party’s own privacy policies.

(G) Will we transfer your personal data to other jurisdictions (outside of the QFC)?

We will only disclose information about you as permitted under the contractual terms in place with you or, by default, with our client confidentiality obligations and the terms of the DPR. The Company is active globally and undertakes management activities of funds or partnerships located in foreign jurisdictions (and enters into investments and divestments in foreign jurisdictions) and may, consequently, transfer your personal data to foreign jurisdictions (outside of the QFC) when necessary.

However, such transfers shall always be made in compliance with the terms of the Company’s Personal Data Management Policy, which requires such transfer(s) to be made to:

a country which is on the list of pre-authorized jurisdictions (because considered as having an “adequate level of protection” as defined under DPR) and which has been assessed by the DPO as having such “adequate level of protection” in accordance with article 23 of the DPR;

when it is to a country which is not on such list of pre-authorized jurisdictions, the transfer must be performed only for a limited list of reasons, which are described in article 24(1) of DPR and include inter alia (i) the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken at the data subject’s request, (ii) when the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Company (as data controller) and a third party, or (iii) when the transfer is necessary to comply with a legal obligation; or

a country outside of the QFC, when a permit has been obtained from the DPO to such effect.

A request may be made to the Company (at the contact details mentioned under paragraph (A) of this Data Privacy Statement) to obtain a copy of “appropriate safeguards” which the Company has put in place with a recipient located in a country that does not meet the first two categories mentioned above.

In a more general manner, the Company seeks to limit such transfers to the extent strictly necessary for the conduct of its activities and the implementation of its obligations.

(H) What other steps has the Company taken to protect your personal data?

The Company has implemented operational security measures set out in its information security policy (the “Information Security Policy”) which also applies expressly to protection of personal data.

Under the Information Security Policy, it is established in particular that:

access to any files which contain personal data is strictly reserved to those individuals within the Company who need-to-access such data for the purposes of performing their professional duties or responsibilities as authorized by the Company;

no extraction or copy of personal data may be performed from such files unless certain pre-requisite conditions have been met;

no transfer or sharing of such personal data may be performed unless the conditions set out under article 6.3 of the Company’s Personal Data Management Policy have been met and, when applicable, those set out in relation to transfer outside of the QFC (see paragraph (G) above);

data integrity protection measures from an IT-security standpoint have been adopted and implemented by the Company to protect its data, including any personal data processed; and

‘back-up’ security measures have been implemented from an IT-security standpoint for the purposes of protecting the Company against any loss, destruction or alteration of personal data.

In addition, as required by article 28 of DPR, the Company must, where processing is carried out on its behalf (including by way of appointing an IT-related contractor or service provider which performs storage/cloud services or any back-up server system services), choose a data processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

As a consequence, the Company has ensured that the Information Security Policy also requires that (i) the selection of the IT-related contractors or service providers is performed on the basis of criteria which includes the above-described criteria, (ii) the relevant contractual arrangements relating to such appointment set out the appropriate protection measures, and (iii) due diligences are carried out on a regular basis with such contractor or service provider by the Company with a view to ensuring that the contractually contemplated protection measures are effectively implemented by such party.

Last, the Company will review your personal data from time to time and will use reasonable efforts with a view to ensuring that it remains up-to-date and accurate. However, the Company expects and requires that you, as data subject, notify the Company promptly in the event of any change(s) in your personal circumstances, profile or any other feature or element of personal data, so that the Company can keep such data up-to-date and accurate.

(I) How long will we keep your personal data for?

In general terms, we must retain your personal data as long as necessary for the purposes for which we obtained it and not for any longer periods. As a result of the various legal, regulatory, tax and audit-related obligations to which it is subject as well as litigation risks which it incurs, the Company has established as a general principle that recording of your personal data for a further period of 6 years after the end of the relationship (including the expiry of any post-expiration liability periods), the last date of correspondence and/or the termination of the service or employment may be legitimately conducted by the Company.

(J) Will the Company use your personal data for “direct marketing purposes”?

We will not use your personal data for direct marketing purposes i.e. to directly approach you or other clients with a proposal of services and/or to enter into a transaction or service, but your personal data may be used indirectly, within the Company, to prepare and perform strictly internal economic and risk-related analysis on the Company’s performance and income, its types of clients or investors, their areas of activity and the features of their profiles, with a view to enabling the Company to anticipate its upcoming business plans and prospects.

(K) Are you under any obligation to provide the Company with your personal data?

You are not required by law to provide personal data to the Company. However, provision of personal data is required by the Company to carry out its activities, services and transactions and to comply with its legal, regulatory and contractual obligations. Consequently, not providing certain data (or failure to provide them in a timely fashion or to respond to such request from the Company) may (i) prevent the Company from performing its obligations and/or exercising its rights under a contract or transaction and/or providing its services to any client or investor, and/or (ii) reduce and impair the ability of the Company to effectively and properly perform its duties or responsibilities and execute its obligations under arrangements to which it is a party with a third party (including any employee or service provider).

As an example, the Company is under the obligation to verify the identity of its clients and this inevitably requires it to collect personal data to such effect from current and prospective clients. In the absence of such information, entry into relationship (i.e. client on-boarding) and/or continuation of the relationship cannot be performed by the Company.

(L) What are your rights as a “data subject”?

Right of information and access

Articles 16 of DPR provides that a data subject has the right to require and obtain from the Company upon request, at reasonable intervals and without excessive delay or expense:

confirmation as to whether personal data relating to him/her is being processed and, if so, a copy of the Data Privacy Statement; which, for sake of clarity, complies with article 4 of the DP Rules, as it includes in particular information as to the purposes of the processing, the lawful basis of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data has been or will be disclosed, the period for which the Company intends to retain the personal data or criteria used to determine such period, a statement reminding each data subject of their respective rights, a statement reminding the data subject’s rights to lodge a complaint with the DPO if they consider that the processing of personal data relating to them infringes the DPR and, last, the absence of any automated decision-making used by the Company);

communication to him/her in an intelligible form of the personal data about such data subject(s) undergoing processing and of any available information as to their source; and

if personal data of the data subject(s) are transferred to another jurisdiction, information about the appropriate safeguards that apply to such transfer.

Right to rectify

Article 17 of the DPR provides that a data subject has the right to have the Company rectify inaccurate personal data about the data subject “without undue delay”. Such data subject also has the right to have the Company complete the personal data being processed that it deems incomplete (taking into account the purposes of the processing), including by incorporating a supplementary statement made by the data subject.

Where rectification is not feasible for technical reasons, the Company is not obligated to rectify the personal data if it can demonstrate that (i) the personal data was obtained from the data subject directly, and (ii) the Data Privacy Statement provided to the data subject at the time where personal data was first collected from it included explicit, clear and prominent information as to the manner of processing of the data and expressly stated that rectification of personal data at the request of the data subject would not be feasible.

Right to erase

Article 18 of the DPR provides that a data subject has the right to have the Company erase personal data about the data subject which the Company holds “without undue delay”, if:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

the data subject withdraws consent to the processing and there is no other legal grounds for the processing (as mentioned by article 10 of the DPR);

the data subject objects to processing;

the personal data have been unlawfully processed; or

the personal data must be erased to comply with a legal obligation to which the Company is subject.

The obligation to erase does not apply to the extent that processing is necessary to comply with a legal obligation of the Company, in the exercise of official authority vested in the Company, for reasons of public interest or to establish, pursue or defend a legal claim.

Where erasure is not feasible for technical reasons, the Company is not obligated to erase the personal data if it can demonstrate that (i) the personal data was obtained from the data subject directly, and (ii) the Data Privacy Statement provided to the data subject at the time where personal data was first collected from it included explicit, clear and prominent information as to the manner of processing of the data and expressly stated that erasure of personal data at the request of the data subject would not be feasible.

Right to object

Article 19 of the DPR provides that a data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which was/is made on the grounds of (i) being necessary to perform a task carried out in the public interest, or (ii) being necessary for the purposes of the legitimate interests of the Company (as data controller) or another person to whom the data are disclosed.

Objection to processing conducted upon other “lawful grounds” (such as performance of contractual obligations, etc…) does not require to be complied with by the Company.

Upon receipt of such request from the data subject, the Company must not continue to process such personal data unless it can demonstrate that (i) there are compelling legitimate grounds for the processing that override the interests, rights and legitimate interests of the data subject, or (ii) if the processing is necessary to establish, pursue or defend a legal claim.

While the Company does not process any personal data for direct marketing purposes, it is noted that article 19(3) of the DPR offers the possibility to any data subject to object to processing on such grounds.

Right to require restriction of processing

Article 20 of the DPR provides that any data subject has the right to require the Company to restrict processing if:

the data subject contests the accuracy of the personal data (in which case the restriction shall only apply for as long as it takes the Company to verify the accuracy of the personal data);

the processing is unlawful and the data subject opposes the erasure of the personal data and requires the restriction of their use instead;

the Company no longer needs the personal data for the purposes of the processing, but the personal data are required by the data subject for the establishment, exercise or defense of a legal claim; or

the data subject has objected to processing in accordance with the objection right mentioned above, pending the verification as to whether the legitimate grounds of the Company override those of the data subject.

When the processing has been restricted in accordance with the above – and with the exception of storage – the relevant personal data can only be processed (i) with the data subject’s prior consent, (ii) for the establishment, exercise or defense of a legal claim, (iii) for the protection of the rights of another natural or legal person, or (iv) for reasons of public interest.

Right to Data Portability

Article 21 of the DPR provides that, without any prejudice to its right to obtain erasure (as described in the “right to erase” above), any data subject has the right to receive personal data about them, which they have provided to the Company (or another data controller), in a structured, commonly used and machine-readable format, if (i) the processing is based on lawful grounds of their consent or on a contract performance ground, and that (ii) the processing is carried out “by automated means” (which would likely broadly cover any IT-system storage system).

In exercising his/her right to data portability, the data subject has the right to request from the Company that the personal data be transmitted directly from the Company to another data controller “if technically feasible”.

However, this portability right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company and the exercise of this portability right “must not adversely affect the rights and legitimate interests of others”.

Refusal of Automated Individual Decision-Making

Article 22 of the DPR provides that any data subject has the right not to be subjected to a decision that is based solely on automated processing, including profiling, if the decision would have a legal effect on them or would otherwise significantly affect them.

Such right to refuse does not apply if the relevant decision is necessary to enter into or perform a contract between the data subject and the Company (or another data controller) or if the data subject has given their explicit written consent to the decision being based solely on automated processing; provided that, in those cases, the Company must have implemented “suitable measures to safeguard the data subject’s rights and legitimate interests”, such as the data subject being able to obtain a human intervention by the Company’s staff, the data subject expressing their point of view and its rights to contest the relevant decision.

In addition, such right to refuse does not apply if the decision is made pursuant to laws or regulations applicable to the Company (as data controller).

As general principle, the Company does not conduct nor implement any individual decision-making, with respect to any data subject, which is “based solely on automated processing” and has indicated such information expressly in paragraph (M) below of its Data Privacy Statement.

For exercising any of its rights above, the data subject must contact the Company’s usual contact as described and via the details set out within paragraph (A) of this Data Privacy Statement. The Company shall perform its reasonable efforts with a view to providing a response to the data subject without undue delay and, at latest, within thirty (30) days of receipt of such request.

Last, in accordance with article 34 of the DPR, any data subject may lodge a complaint in relation to his/her personal data to the QFC’s personal data protection regulator, i.e. the Data Protection Office or “DPO” if it considers that the processing of personal data relating to such data subject has infringed the provisions of the DPR – address of DPO: Ambassadors Street, Qatar Financial Centre (QFC) Tower 1, West Bay, PO Box 23245, Doha, Qatar, telephone: +974 4496 7777. Any claim lodged with DPO must include the mandatory information required by article 10 (paragraphs (A) to (E)) of the DP Rules.

(M) Does the Company conduct “automated decision-making” (as per article 22 of the DPR) based solely on your personal data?

The Company does not conduct “automated decision-making” using solely personal data which it has processed.

(N) To whom should this Data Privacy Statement be made available?

This Data Privacy Statement is made publicly available on the Company’s website, at the following weblink: https://mahacapital.com/data-management-policy/ and should be disclosed to any data subject whose personal data is collected or processed by the Company.

If you are yourself a data subject, the processing of personal data by the Company is directly relevant to you.

If you are not directly the data subject but are providing or making available personal data to the Company on behalf of any natural persons for any reasons whatsoever (for example – and without limitation – in relation to your investment in a fund or partnership managed by the Company, or in relation to a service which you provide or will provide to the Company…), such as on behalf of an employee, director, trustee, representative, shareholder, investor, client, beneficial owner or agent, this Data Privacy Statement will be relevant to those individuals and you must transmit this Data Privacy Statement to such individuals or otherwise advise them of its content.

(O) Changes to this Data Privacy Statement

The Company may update, revise, restate, supplement and/or replace this Data Privacy Statement from time to time in order to clarify it, add certain operational information and/or remain consistent with the content of applicable laws and regulations or incorporate certain changes in the Company’s organization, systems or practical rules.

Any amended or replaced version shall be made available to all data subjects on the Company’s internet website, at the following weblink: https://mahacapital.com/data-management-policy/

The Company may also notify you in other ways about the processing of your personal data, such as a specific product or investment documentation and/or online notifications.

¹ It is important to note that such purposes are consistent with the terms of article 8(1), paragraphs (B), (C), (F) and (I) of DPR.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.