Data Management Policy

Issued: October 13, 2021
Updated: October 13, 2021

The following statement was established by Maha Capital Partners LLC (“MCP LLC”) and may be made available to any data subject whose data is likely to be collected, received, stored, recorded, used, consulted or otherwise processed by MCP LLC for the purposes set out in article 5 (“Description and purposes of data processing”) of its personal data management policy (“Personal Data Management Policy”). It shall be made available on the internet website of MCP LLC and to any other person or party upon request addressed to MCP LLC.

Data Privacy Statement

In accordance with disclosure requirements set out under QFC’s Data Protection Regulations and QFCA’s Data Protection Rules, the following privacy statement (the “Data Privacy Statement”) provides an overview of how Maha Capital Partners LLC (the “Company”) uses information which it collects, receives, stores, records, uses, consults, holds and/or otherwise processes in relation to natural persons and which meets the definition of “personal data” as described below.

The Company undertakes business activities and transactions in accordance with the terms of its QFCRA authorization, which includes providing investment management services to its customers by way of collective investment schemes in one or several jurisdictions.

As a QFC-licensed entity established in (and operating from) the QFC in the State of Qatar but which is also involved in providing its management services to clients or customers on behalf of funds or partnerships established in foreign jurisdictions (or in the QFC, as the case may be), the Company will be collecting and processing “personal data” (as defined below).

For the purposes of this document, the term “personal data” refers to any information relating to an identified natural person or an Identifiable Natural Person, i.e., a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. For example (and without limitation), any reference to a birth date, an address, an e-mail address or phone number, a QID number or passport number shall be deemed to constitute a means of identification as per the previous sentence.

For the purposes and under the terms of this Data Privacy Statement, the following terms or acronyms shall have the following meaning or definition:

  • “CRO” means the Companies Registration Office, as created by Law no. (7) of 2005;
  • “CRS” means Common Reporting Standards, introduced by the Organization for Economic Co-operation and Development (OECD) to enhance cross-border tax compliance;
  • “DPR” means the QFC’s Data Protection Regulations 2005, as may be supplemented, amended, revised, restated and/or renewed from time to time; and “DP Rules” means the QFCA’s Data Protection Rules 2005, as may be supplemented, amended, revised, restated and/or renewed from time to time;
  • “FATCA” means Foreign Account Tax Compliance Act, a 2010 United States federal law setting out an information reporting and withholding regime;
  • “QFC” means the Qatar Financial Centre, as created by Law no. (7) of 2005;
  • “QFCA” means the Qatar Financial Centre Authority; and
  • “QFCRA” means the Qatar Financial Centre Regulatory Authority.

(A) Who is legally responsible for the processing of your personal data and who can you contact about this subject?

In data protection law terminology, this role lies with the “data controller”. For the purposes and under the terms of this Data Privacy Statement, the data controller is:

Maha Capital Partners LLC
Ambassadors Street
QFC Tower 1
PO Box 24879
West Bay – Doha, State of Qatar
Tel.: +974 4404 3840

The Company is required to process your personal data fairly, lawfully and securely in accordance with the DPR and DP Rules.

Should you have any queries, questions and/or complaints about the way in which your personal data is processed or in which you believe it is being processed, you may raise these with your usual customer relationship correspondent or manager at Maha Capital Partners LLC. Contrary to the EU’s General Data Protection Regulation, the DPR does not require the Company to appoint a dedicated data protection officer (“DPO”); however, the Company undertakes to provide you in any event with a swift answer to any submitted requests in relation to our management or processing of your personal data in a similar and professional fashion and has established internal procedures to such effect.

If you are an employee, officer, manager and/or director of the Company, you may raise these with the individual(s) within the Company who is(are) in charge of exercising the human resources (“HR”) duties and responsibilities of the Company and of managing such HR-related issues.

(B) From whom (and in relation to whom) does the Company collect or receive “personal data”?

The Company collects and processes certain categories of personal data, as a Data Controller, in relation to:

  • natural persons who are representatives (whether legal or other) of (i) the Company’s clients or investors (whether potential or effective), as well as of (ii) their beneficial owners and controlling persons and representatives of members (or affiliates) of the client’s group or organization, and (iii) any natural persons who represent or act in the name of their advisers, partners, auditors, insurers, agents, contractors and/or service providers (and of their group members or affiliates) (the “Client Data”); this category of data subjects refers to the clients or investors in funds or partnerships in which the Company is exercising (or intends to exercise) certain management powers or duties;
  • natural persons who are representatives (whether legal or other) of (i) the Company’s acquisition or investment targets, as well as of (ii) their beneficial owners and controlling persons and representatives of members or affiliates of such target’s group or organization, and (iii) any natural persons who represent or act in the name of their advisers, partners, auditors, insurers, agents, contractors and/or service providers (and of their group members or affiliates) (the “Transaction Data”); this category of data subjects refers to the acquisition or investment targets contemplated or purchased by the Company (or any of its affiliates, such as holding companies controlled by the Company) on behalf of the funds or partnerships in which the Company is exercising (or intends to exercise) certain management powers or duties;
  • natural persons who are representatives (whether legal or other) of (i) the Company’s advisers, agents, auditors, insurers, consultants, contractors and/or service providers, as well as of (ii) their beneficial owners and controlling persons and representatives of members or affiliates of such party’s group or organization (the “Service Provider Data”); this category of data subjects also refers to advisers, agents, auditors, insurers, contractors and/or service providers of a fund or partnership whose management powers or duties are (or are intended to be) exercised by the Company;
  • natural persons who are (or who represent and/or act in the name of) a complainant, correspondent or enquirer towards the Company, including through its website (the “Correspondent Data”); this category of data subjects also refers to a complainant, correspondent or enquirer towards a fund or partnership whose management powers or duties are (or are intended to be) exercised by the Company, including through such fund’s or partnership’s website; and
  • natural persons who are employees, directors, officers or managers of the Company and of its affiliates (including of the parent company and beneficial owner of the Company), as well as their family relatives and connected persons (the “Employee Data”).

(C) What type of personal data might the Company hold about you and where do we source such data?

We only hold, process, collect, use and consult personal data in relation to you that is relevant in the context of the Company’s relationship with you, whether it has already commenced and is ongoing or whether it is contemplated in the future.

Some of this information is received from you directly. The Company may also search and obtain personal data from a range of other sources, namely (i) its contractors, service providers, agents or advisers, (ii) your former or current employer, (iii) other companies or financial institutions, or (iv) publicly available sources (i.e., media sources, registers of companies and assets, internet websites, professional media platforms) and providers of business-risk screening services, such as credit reference agencies, anti-fraud databases, sanctions lists and risk providers and databases of news articles.

Client Data (in relation to investors/clients)

  • Names (first name, family name and any other usage name)
  • Gender
  • Date of birth
  • Place of birth
  • Birth certificate number
  • Civil status (married, single, etc.)
  • Address, city and country of residence
  • Citizenship
  • Phone number and fax number
  • E-mail address
  • Picture of the person
  • Social security number, with place, agency and date of issuance and expiration date
  • Tax identification (or registration) number(s) and place of tax residency
  • Passport or identification document number, with place, authority and date of issuance and expiration date
  • Residency permit and/or visa card number, with place, authority and date of issuance and expiration date
  • Driver’s license number, with place, authority and date of issuance and expiration date
  • Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form
  • Designation or title of any professional functions attached to the natural person (whether past or present)
  • Identification number or other personal reference(s) which may be included in an electricity or other utility invoice evidencing use or consumption of such service
  • Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated
  • Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person
  • Evidence of source of wealth or funds which includes personal identification items
  • Criminal records
  • Financial information relating to a person’s profile such as employment, income, pension, investments, assets, liabilities, outgoings, creditworthiness, bank account details, investment objectives, knowledge of financial products and services, risk appetite level, capacity for loss

Transaction Data (in relation to investments)

  • Names (first name, family name and any other usage name)
  • Gender
  • Date of birth
  • Place of birth
  • Birth certificate number
  • Civil status (married, single, etc.)
  • Address, city and country of residence
  • Citizenship
  • Phone number and fax number
  • E-mail address
  • Picture of the person
  • Tax identification (or registration) number(s) and place of tax residency
  • Passport or identification document number, with place, authority and date of issuance and expiration date
  • Residency permit and/or visa card number, with place, authority and date of issuance and expiration date
  • Driver’s license number, with place, authority and date of issuance and expiration date
  • Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form
  • Designation or title of any professional functions attached to the natural person (whether past or present)
  • Identification number or other personal reference(s) which may be included in an electricity or other utility invoice evidencing use or consumption of such service
  • Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated
  • Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person
  • CVs
  • Fingerprint data
  • Evidence of source of wealth or funds which includes personal identification items
  • Criminal records
  • Financial information relating to a person’s profile such as employment, income, pension, investments, assets, liabilities, outgoings, creditworthiness, bank account details, investment objectives, knowledge of financial products and services, risk appetite level, capacity for loss

Service Provider Data (in relation to service providers)

  • Names (first name, family name and any other usage name)
  • Gender
  • Date of birth
  • Place of birth
  • Birth certificate number
  • Civil status (married, single, etc.)
  • Address, city and country of residence
  • Citizenship
  • Phone number and fax number
  • E-mail address
  • Picture of the person
  • Tax identification (or registration) number(s) and place of tax residency
  • Passport or identification document number, with place, authority and date of issuance and expiration date
  • Residency permit and/or visa card number, with place, authority and date of issuance and expiration date
  • Driver’s license number, with place, authority and date of issuance and expiration date
  • Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form
  • Designation or title of any professional functions attached to the natural person (whether past or present)
  • Identification number or other personal reference(s) which may be included in an electricity or other utility invoice evidencing use or consumption of such service
  • Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated
  • Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person
  • CVs
  • Evidence of source of wealth or funds which includes personal identification items
  • Criminal records
  • Financial information relating to a person’s profile such as employment, income, pension, investments, assets, liabilities, outgoings, creditworthiness, bank account details, investment objectives, knowledge of financial products and services, risk appetite level, capacity for loss

Correspondent Data (in relation to correspondents)

  • Names (first name, family name and any other usage name)
  • Gender
  • Date of birth
  • Place of birth
  • Birth certificate number
  • Civil status (married, single, etc.)
  • Address, city and country of residence
  • Citizenship
  • Phone number and fax number
  • E-mail address
  • Picture of the person
  • Tax identification (or registration) number(s) and place of tax residency
  • Passport or identification document number, with place, authority and date of issuance and expiration date
  • Residency permit and/or visa card number, with place, authority and date of issuance and expiration date
  • Driver’s license number, with place, authority and date of issuance and expiration date
  • Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form
  • Designation or title of any professional functions attached to the natural person (whether past or present)
  • Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person
  • Online identification numbers and passwords, when connecting to or accessing the Company’s (or its affiliate’s) website(s)

Employee Data (in relation to employees)

  • Names (first name, family name and any other usage name)
  • Gender
  • Date of birth
  • Place of birth
  • Birth certificate number
  • Civil status (married, single, etc.)
  • Address, city and country of residence
  • Citizenship
  • Phone number and fax number
  • E-mail address
  • Picture of the person
  • Tax identification (or registration) number(s) and place of tax residency
  • Passport or identification document number, with place, authority and date of issuance and expiration date
  • Residency permit and/or visa card number, with place, authority and date of issuance and expiration date
  • Entry and exit permit number or reference, with place, authority and date of issuance and expiration date, in relation to any immigration or circulation-related administrative or governmental formalities, steps or admissions
  • Driver’s license number, with place, authority and date of issuance and expiration date
  • Signature specimen or signature on executed pages (and handwritten initials), in paper or electronic form
  • Designation or title of any professional functions attached to the natural person (whether past or present)
  • Identification number or other personal reference(s) which may be included in an electricity or other utility invoice evidencing use or consumption of such service
  • Bank account numbers and references and amount(s), asset(s) or instrument(s) held or contemplated
  • Delegation of powers describing the specific powers or authority entrusted to a natural person, or employment agreement of such person
  • CVs
  • Fingerprint data
  • Prior criminal record extract data, including any identification number and description of absence of or content of convictions
  • Professional references and employment certificates (or equivalent), evaluation of their knowledge of financial products and services, risk-related knowledge and other professional know-how, skills, qualifications and competencies
  • Evidence of financial soundness which includes personal identification items such as creditworthiness
  • Financial information and data relating to a person’s profile such as (as a matter of example) bank account details
  • Medical and health data (but always subject to the application of the terms of article 7 “Sensitive Personal Data” of the Company’s Personal Data Management Policy which set out restrictive purposes and conditions, as well as specific safeguards)

(D) What will we use your personal data for, and do the QFC Data Protection Regulations allow this?

The authorized purposes for which personal data is processed are set out below, it being understood that each of these purposes is consistent with the specific grounds under the QFC Data Protection Regulations which allow the Company to do this, namely:

  • for the performance of a contract,
  • for compliance with a legal or regulatory obligation or acting in the public interest,
  • where processing is necessary to protect your vital interests, or
  • for the purposes of the “legitimate interests” pursued by the Company or by the third party or parties to whom the personal data is disclosed (except where such interests are overridden by compelling legitimate interests of the data subject in relation to such data subject’s particular situation).

The Company collects and processes Client Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

  • entering into an agreement (and performing any obligations and exercising any rights thereunder) with respect to investment(s) by such client or investor in a product, activity, transaction or service performed or provided by the Company in the area of fund management, and preparing the entry into such an agreement as well as maintaining it;
  • performing risk-based analysis covering the client’s profile, the transaction contemplated or entered into with such client/investor, including AML-CFT risk analysis, compliance with economic sanctions and other related evaluations, controls and verifications for fraud prevention, risk-management and risk-control related purposes;
  • performing the Company’s (or its fund’s or partnership’s) legal and/or regulatory duties, obligations and requirements, as set out under QFC law and under the applicable laws and regulations of the jurisdiction(s) in which the Company (and/or its managed fund or partnership) is established and operates, including (i) preparing and filing any tax reporting (whether under FATCA and CRS rules, or under any local tax obligations), and (ii) any reporting of suspicious transactions or activities with a financial intelligence unit (as the case may be), and (iii) enabling the Company to file reports, questionnaires and procedures which may be incurred by itself (including to QFCRA, QFCA and CRO) or by the fund or partnership under management (including to CIMA, CSSF or another competent regulator);
  • enabling the Company, and its managed funds or partnerships, to comply with their internal audit verifications and controls and with their external auditing obligations, policies and procedures, including when preparing its financial statements or those of the fund or partnership under management;
  • to obtain any insurance services, auditors’ services and other related arrangements which are necessary to ensure the Company’s (and the fund’s or partnership’s) obligations are properly implemented and carried out;
  • to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required; and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;
  • to participate in the administration of justice;
  • to establish and maintain the Company’s (and the fund’s or partnership’s) membership records;
  • information and data bank administration in relation to the provision of services by the Company;
  • advertising, marketing and public relations of the Company and of its managed funds or partnerships; and
  • provision to the client or investor of any financial services which the Company is authorized to provide under the terms of its authorization.

The Company collects and processes Transaction Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

  • entering into an agreement (and performing any obligations and exercising any rights thereunder) with respect to investment(s)/divestment(s) by the Company (or any of its affiliates, such as a holding company over which it exercises control) on behalf of any fund or partnership which it manages or is intended to manage, and preparing the entry into such an agreement as well as maintaining it;
  • performing risk-based analysis covering the investment target’s profile and the features of the transaction contemplated or entered into with the buyer or seller of the investment target, including AML-CFT risk analysis, compliance with economic sanctions and other related evaluations, controls and verifications for fraud prevention, risk-management and risk-control related purposes;
  • informing the Company’s clients/investors and seeking their consent (when such case is applicable) in relation to the substance and terms of the investment(s)/divestment(s) by the Company on behalf of any fund or partnership which it manages or is intended to manage;
  • complying with the contractual obligations incurred by the Company under the terms of any fund-related or partnership-related arrangements or schemes to which the Company is party;
  • performing the Company’s (or its fund’s or partnership’s) legal and/or regulatory duties, obligations and requirements, as set out under QFC law and under the applicable laws and regulations of the jurisdiction(s) in which the Company (and/or its managed fund or partnership) is established and operates, including (i) preparing and filing any tax reporting (whether under FATCA and CRS rules, or under any local tax obligations), and (ii) any reporting of suspicious transactions or activities with a financial intelligence unit (as the case may be), and (iii) enabling the Company to file reports, questionnaires and procedures which may be incurred by itself (including to QFCRA, QFCA and CRO) or by the fund or partnership under management (including to CIMA, CSSF or another competent regulator);
  • enabling the Company, and its managed funds or partnerships, to comply with their internal audit verifications and controls and with their external auditing obligations, policies and procedures, including when preparing its financial statements or those of the fund or partnership under management;
  • to obtain any insurance services, auditors’ services and other related arrangements which are necessary to ensure the Company’s (and the fund’s or partnership’s) obligations are properly implemented and carried out;
  • to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;
  • to participate in the administration of justice;
  • to establish and maintain the Company’s (and the fund’s or partnership’s) membership records;
  • information and data bank administration in relation to the provision of services by the Company;
  • advertising, marketing and public relations of the Company and of its managed funds or partnerships; and
  • provision to the client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

The Company collects and processes Service Provider Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

  • exercising its fund management activities with respect to funds and partnerships under management (or whose management is contemplated) by the Company, in particular hiring, appointing and maintaining such service providers for the purposes of enabling the Company to enter into (or uphold) an agreement (i) with respect to investment(s) by any client or investor in a product, activity, transaction or service performed or provided by the Company in the area of fund management, or preparing the entry into such an agreement, and (ii) with respect to investment(s)/divestment(s) by the Company on behalf of any fund or partnership which it manages or is intended to manage, and preparing the entry into such an agreement as well as maintaining it;
  • performing risk-based analysis covering the Company’s clients and investors and any investment target’s profile and the features of the transaction contemplated or entered into with the buyer or seller of the investment target, including AML-CFT risk analysis, compliance with economic sanctions and other related evaluations, controls and verifications for fraud prevention, risk-management and risk-control related purposes;
  • verifying the competencies, reputation, quality and suitability of a service provider with respect to the appointed role or function which is being proposed or contemplated by the Company; performing extensive due diligence on the service provider’s organization, governance and control structure prior to (or upon) on-boarding of such service provider and in the ongoing course of business, whether in relation to services owed to the Company or to any funds or partnerships managed by the Company;
  • complying with the contractual obligations incurred by the Company under the terms of any fund-related or partnership-related arrangements or schemes to which the Company is party;
  • performing the Company’s (or its fund’s or partnership’s) legal and/or regulatory duties, obligations and requirements, as set out under QFC law and under the applicable laws and regulations of the jurisdiction(s) in which the Company (and/or its managed fund or partnership) is established and operates, including (i) preparing and filing any tax reporting (whether under FATCA and CRS rules, or under any local tax obligations), and (ii) any reporting of suspicious transactions or activities with a financial intelligence unit (as the case may be), and (iii) enabling the Company to file reports, questionnaires and procedures which may be incurred by itself (including to QFCRA, QFCA and CRO) or by the fund or partnership under management (including to CIMA, CSSF or another competent regulator);
  • enabling the Company, and its managed funds or partnerships, to comply with their internal audit verifications and controls and with their external auditing obligations, policies and procedures, including when preparing its financial statements or those of the fund or partnership under management;
  • to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;
  • to participate in the administration of justice;
  • to establish and maintain the Company’s (and the fund’s or partnership’s) service provision records;
  • information and data bank administration in relation to the provision of services to the Company or to any of its related funds or partnerships; and
  • provision to the client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

The Company collects and processes Correspondent Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

  • to analyze and manage the request, enquiry or complaint being received and to proceed to an appropriate analysis of the request, enquiry or complaint and provide relevant answers in due course;
  • to perform any legal or regulatory obligation with respect to the request, enquiry or complaint received, including with respect to any personal data management request or to any judicial or extra-judicial claim or dispute;
  • to perform any reporting or information/correspondence obligation owed to any competent authority, body or agency when the request, enquiry or complaint requires such reporting or information/correspondence;
  • to ensure that the Company is compliant with its own and with the fund’s/partnership’s own obligations under the contractual arrangements to which it is a party;
  • to fulfill any internal audit, external audit, insurance or other similar requirement, when the control, diligence or verification relates to the request, enquiry or complaint received by the Company or by any fund or partnership managed by the Company;
  • to pursue any marketing or advertisement objectives, when the correspondent has initiated such a request (or has answered a solicitation from the Company);
  • to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;
  • to participate in the administration of justice;
  • to establish and maintain the Company’s (and the fund’s or partnership’s) service-provision records;
  • information and data bank administration in relation to the provision of services by the Company or by any of its related funds or partnerships; and
  • provision to a client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

The Company collects and processes Employee Data (as defined in paragraph (B) of this Data Privacy Statement) for one or several of the following purposes:

  • to establish, maintain, amend, revise and terminate employment agreements or other similar undertakings or contractual documents with the relevant person (such as membership of a Board-related committee) with a view to formalize and set up a framework for such person’s employment, mandate or duties towards the Company (or towards any fund or partnership managed by the Company);
  • to perform any human resources-related duties and responsibilities during the course of such person’s employment (or equivalent role) with the Company, including at the step of dismissal, resignation or termination of such person’s employment or role;
  • to assess such person’s performance as employee, director, officer, manager or other role and to allocate any remuneration and to enter into remuneration-based arrangements with such persons, as the case may be;
  • to perform any legal and regulatory obligation of the Company in the areas of regulatory reporting, submission of individual “application forms” to the QFCA, CRO, QFCRA or other competent bodies or agencies permitted by law, in particular with respect to approval of any individual exercising a “controlled function” within the meaning of applicable law;
  • to proceed with any governmental and administrative steps and formalities in the area of such person’s admission and entry into the State of Qatar (or other relevant country for such person’s activities and functions), as well as to permit circulation and transportation of such person, and to comply with any immigration-related and/or corporate steps and formalities, and/or any visa, residency permit or circulation requirements, which may be useful or necessary in connection with any employee, manager, officer or director’s exercise of functions (including their hiring, appointment or nomination in any capacity whatsoever);
  • to comply with any legal or regulatory obligation, including “screening” of any employee, manager, officer or director’s past or present presence on international sanctions’ lists, verification of their prior criminal records and analysis of their professional profile (i.e., CV and other related documents) for the purposes of determining suitability, fitness and competencies, and for fraud prevention purposes;
  • to prepare and implement salary paychecks, salary information and pay slips, and to settle such owed amounts by any banking means permitted;
  • to obtain, uphold and amend (where necessary) health insurance coverage for any employee, manager, officer or director;
  • to ensure that the Company is compliant with its own and with the fund’s/partnership’s own obligations under the contractual arrangements to which it is a party;
  • to fulfill any internal audit, external audit, insurance or other similar requirement;
  • to participate or engage in a lawsuit in the legitimate defense of the Company’s interests, when such case is required, and to establish, exercise or defend its legal rights or for the purposes of legal proceedings;
  • to participate in the administration of justice;
  • to establish and maintain the Company’s (and the fund’s or partnership’s) service-provision records;
  • information and data bank administration in relation to the provision of services by the Company or by any of its related funds or partnerships; and
  • provision to a client or investor of any financial services which the Company is authorized to provide to its clients or investors under the terms of its authorization.

If the Company wishes to process your personal data in a way not covered by the legally permitted justifications which are described above, the Company will need to obtain your consent first. Where you give your consent, you are entitled to withdraw it at any time. Withdrawing your consent does not render the Company’s prior handling/processing of your personal data unlawful and it might also have a direct impact on the Company’s ability to continue to provide any of the services, products, transactions and/or activities in the same way in the future, as further described in article 11 below.

(E) Does the Company collect and process any “sensitive” personal data?

As a general policy, the Company does not and will not collect nor receive any “sensitive personal data” regarding any data subject, i.e., concerning such data subject’s personal data revealing or relating to racial or ethnic origin (excluding, for the sake of clarity, citizenship or country of nationality), political opinions, religious or philosophical beliefs, trade-union membership, health and sexual orientation or activities.

As an exception to the above, the Company may however receive and process “health data” relating to its employees, managers, officers and directors (“Employees”) and their relatives, for the limited purposes of:

(i) arranging for the provision and maintenance of health insurance coverage to such Employee and their family,

(ii) enabling the Company to comply with its obligations and exercising its rights in the field of employment law, and:

(iii) identifying, monitoring and mitigating the risk of Covid-19-related (or of other diseases or virus-related) contamination(s) of one or several of its Employees, with the exclusive objective of ensuring that the collective health of its Employees is globally protected and that such risk is properly mitigated.

Such health data concerns the medical assessment and control of such person’s health status, the prescriptions of medical examinations (and results of such examinations) and the different biological and medical conditions of the Employees and of their relatives. Such personal data must be collected directly from the Employee – and treated and recorded – solely by the individual, department, division, unit or function of the Company in charge of managing or exercising the HR activities of the Company, and may not be shared with any other person. The health data shall be processed in accordance with the terms of the Company’s Personal Data Management Policy (in particular article 6) which is made available to all Employees of the Company.

Receipt, collection, processing and/or recording of any other “sensitive” personal data by the Company is prohibited.

(F) Who might we share your personal data with?

Where necessary to fulfil your instructions or requests to the Company and/or for any other purposes outlined in paragraph (D) of this Data Privacy Statement, we may share your personal data with a range of recipients which are the following:

  • any judicial, governmental, administrative, tax, accounting and/or regulatory authority, body or agency (including any supervisory or controlling authority, body or agency) or court;
  • service providers (including any custodian, depository or administrator), contractors, advisers, insurers, auditors and/or agents – and companies within their group and their sub-contractors – who need to obtain or access such information to provide their services or exercise their duties or responsibilities, including any credit reference agencies, IT-related processors or agents, background screening providers, payment and settlement service providers or banking institutions, professional advisers and potential purchasers of the Company’s business or assets (or those under management by the Company);
  • to third parties where necessary or required to enable the Company to perform its obligations, whether legal, regulatory or contractual (including to any affiliates of the Company or to funds or partnerships and their service providers and partners for which the Company is acting as manager or equivalent).

In case of disclosure to any other person or party (other than outlined above), the Company shall request to obtain your prior consent to such disclosure.

In any case where the Company is sharing your personal data with a third-party data controller, the use of that data by the third party shall be subject to that third party’s own privacy policies.

(G) Will we transfer your personal data to other jurisdictions (outside of the QFC)?

We will only disclose information about you as permitted under the contractual terms in place with you, client confidentiality obligations and the terms of the DPR. The Company is active globally and undertakes management activities of funds or partnerships located in foreign jurisdictions (and enters into investments and divestments in foreign jurisdictions) and may, consequently, transfer your personal data to foreign jurisdictions (outside of the QFC) when necessary.

However, such transfers shall always be made in compliance with the terms of the Company’s Personal Data Management Policy, which requires it to be made:

  • to a country which is on the list of pre-authorized jurisdictions (considered as having an “adequate level of protection” as defined under DPR) or which has been further assessed by the Company as having such “adequate level of protection” in accordance with rule 9.2(B) of DPR as supplemented by rule 3.1, paragraphs (2), (3) and (4) of the DP Rules; or
  • when it is to a country which is not in either of the above-mentioned cases, the transfer must be performed only for a limited list of reasons, which are described in article 10(1) of DPR and include “upholding the legitimate interests” of the Company, and a prior notice must be served to the QFCA as described in article 17(2)(B) of DPR as supplemented by rule 4.2.1 of the DP Rules.

In a more general manner, the Company seeks to limit such transfers to the extent strictly necessary for the conduct of its activities and the implementation of its obligations.

(H) What other steps has the Company taken to protect your personal data?

The Company has implemented operational security measures set out in its information security policy (the “Information Security Policy”) which also applies expressly to the protection of personal data.

Under the Information Security Policy, it is established in particular that:

  • access to any files which contain personal data is strictly reserved to those individuals within the Company who need-to-access such data for the purposes of performing their professional duties or responsibilities as authorized by the Company;
  • no extraction or copy of personal data may be performed from such files unless certain pre-requisite conditions have been met;
  • no transfer or sharing of such personal data may be performed unless the conditions set out under article 6.3 of the Company’s Personal Data Management Policy have been met and, when applicable, those set out in relation to transfer outside of the QFC (see paragraph (G) above); and
  • ‘back-up’ security measures have been implemented from an IT-security standpoint for the purposes of protecting the Company against any loss, destruction or alteration of personal data.

In addition, as required by article 14(3) of DPR, the Company must, where processing is carried out on its behalf (including by way of appointing an IT-related contractor or service provider which performs storage/cloud services or any back-up server system services), choose a data processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

As a consequence, the Company has ensured that the Information Security Policy also requires that (i) the selection of the IT-related contractors or service providers is performed on the basis of criteria which includes the above-described criteria, (ii) the relevant contractual arrangements relating to such appointment set out the appropriate protection measures, and (iii) due diligences are carried out on a regular basis with such contractor or service provider by the Company with a view to ensure that the contractually contemplated protection measures are effectively implemented by such party.

Last, the Company will review your personal data from time to time and will use reasonable efforts with a view to ensure that it remains up-to-date and accurate. However, the Company expects and requires that you, as data subject, notify the Company promptly in the event of any change(s) in your personal circumstances, profile or any other feature or element of personal data, so that the Company can keep such data up-to-date and accurate.

(I) How long will we keep your personal data for?

In general terms, we must retain your personal data as long as necessary for the purposes for which we obtained it. However, as a result of the various legal, regulatory, tax and audit-related obligations to which it is subject as well as litigation risks which it incurs, the Company has established as a general principle that recording of your personal data for a further period of 6 years after the end of the relationship, the last date of correspondence and/or the termination of the service or employment may be legitimately conducted by the Company.

(J) Will the Company use your personal data for “direct marketing purposes”?

We will not use your personal data for direct marketing purposes, i.e., to directly approach you or other clients with a proposal of services and/or to enter into a transaction or service, but your personal data may be used indirectly, within the Company, to prepare and perform strictly internal economic and risk-related analysis on the Company’s performance and income, its types of clients or investors, their areas of activity and the features of their profiles, with a view to enable the Company to anticipate its upcoming business plans and prospects.

(K) Are you under any obligation to provide the Company with your personal data?

You are not required by law to provide personal data to the Company. However, provision of personal data is required by the Company to carry out its activities, services and transactions and to comply with its legal, regulatory and contractual obligations. Consequently, not providing certain data (or failure to provide them in a timely fashion or to respond to such request from the Company) may (i) prevent the Company from performing its obligations and/or exercising its rights under a contract or transaction and/or providing its services to any client or investor, and/or (ii) reduce and impair the ability of the Company to effectively and properly perform its duties or responsibilities and execute its obligations under arrangements to which it is a party with a third party (including any employee or service provider).

As an example, the Company is under the obligation to verify the identity of its clients and this inevitably requires it to collect personal data to such effect from current and prospective clients. In the absence of such information, client on-boarding and/or continuation of the relationship cannot be performed by the Company.

(L) What are your rights as a “data subject”?

Any data subject has the right to require and obtain from the Company upon request, at reasonable intervals and without excessive delay or expense:

  • confirmation as to whether personal data relating to them is being processed and, if so, information at least as to the purposes of the processing, the categories of personal data concerned and the recipients or categories of recipients to whom the personal data is disclosed;
  • communication to them in an intelligible form of the personal data undergoing processing and of any available information as to the source; and
  • as appropriate, the rectification, erasure or blocking of personal data the processing of which does not comply with the provisions of the DPR.

Any data subject also has the right to:

  • object at any time on reasonable grounds relating to their particular situation to the processing of personal data relating to them; and
  • be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.

A data subject can consequently request either of the following:

  • a copy of their personal data held by the Company;
  • request and obtain rectifications on their personal data held by the Company; this is to correct any incomplete or inaccurate data;
  • erasure of their personal data (deletion, when there is no valid reason for the Company to continue to process it), i.e., the “right to be forgotten”;
  • blocking of processing of personal data; this enables a data subject to ask the Company to suspend the processing of their personal data, such as during the period of time it might take the Company to respond to a claim by the data subject that the data is inaccurate or incomplete or that the Company’s legitimate interests are outweighed by the data subject’s; and/or:
  • object to the processing of such data subject’s personal data; this enables the data subject to object to processing of the personal data and to be informed where the personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.

For these purposes, the data subject must contact the Company’s usual contact as described and via the details set out within paragraph (A) of this Data Privacy Statement.

Where there is a justified objection, the Company must remove that data subject’s personal data from any processing performed by the Company.

Last, a data subject may also submit a complaint in relation to their personal data to the QFC’s personal data protection regulator, i.e., the “QFCA” – address: Ambassadors Street, QFC Tower 1, PO Box 23245, West Bay – Doha, State of Qatar, Tel.: +974 4496 7777. Any claim lodged with QFCA must include the mandatory information required by rule 5.1 of the DP Rules.

(M) To whom should this Data Privacy Statement be made available?

This Data Privacy Statement is made publicly available on the Company’s website, at the following weblink: mahacapital.com/data-management-policy/ and should be disclosed to any data subject whose personal data is collected or processed by the Company.

If you are yourself a data subject, the processing of personal data by the Company is directly relevant to you.

If you are not directly the data subject but are providing or making available personal data to the Company on behalf of any natural persons for any reasons whatsoever (for example – and without limitation – in relation to your investment in a fund or partnership managed by the Company, or in relation to a service which you provide or will provide to the Company, etc.), such as on behalf of an employee, director, trustee, representative, shareholder, investor, client, beneficial owner or agent, this Data Privacy Statement will be relevant to those individuals and you must transmit this Data Privacy Statement to such individuals or otherwise advise them of its content.

(N) Changes to this Data Privacy Statement

The Company may update, revise, restate, supplement and/or replace this Data Privacy Statement from time to time in order to clarify it, add certain operational information and/or remain consistent with the content of applicable laws and regulations or incorporate certain changes in the Company’s organization or practical rules.

Any amended or replaced version of this Data Privacy Statement shall be made available to all data subjects on the Company’s internet website.

The Company may also notify you in other ways about the processing of your personal data, such as a specific product or investment documentation and/or online notifications.


1 It is important to note that such purposes are consistent with the terms of article 8(1), paragraphs (B), (C), (F) and (I) of DPR.
