Navaxx S.A. Privacy Policy

Last updated: September 2024

Thank you very much for your interest in our company. Navaxx S.A. attaches great importance to the protection of your personal data and data security. With this Privacy Policy, we are informing you about the processing of your personal data by us and the rights to which you are entitled in accordance with the EU General Data Protection Regulation (GDPR) applicable from 25 May 2018. The processing of personal data is always carried out in accordance with the GDPR and in compliance with the country-specific data protection regulations applicable to Navaxx S.A.
The Navaxx S.A. website can be used without providing any personal data. However, if the use of special services of our company via our website or the establishment of a direct contractual relationship or an indirect contractual relationship with us via third parties (e.g. through investment funds including their management companies) is desired as part of order data processing, the processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, the processing will only take place with your consent. Nevertheless, Internet-based data transmissions can generally have security loopholes, so absolute protection cannot be guaranteed.

1. Definitions

The data protection declaration of Navaxx S.A. is based on the terms used in the GDPR. We use the following terms, among others, in this Privacy Policy:

a) Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Processing

Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

c) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of restricting its future processing.

d) Data Controller

The Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

e) Data Processor

The Data Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

f) Third party

A third party is a natural or legal person, public authority, agency or body other than the data subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process personal data.

g) Recipient

A recipient is a natural or legal person, public authority, agency or another body to which the personal data is disclosed, whether a third party or not. However, authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law are not considered recipients.

h) Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Who is responsible for data processing and who can I contact?

The Data Controller within the meaning of the GDPR is:
Navaxx S.A.
17 rue de Flaxweiler
L-6776 Grevenmacher
Tel.: +352-27173-700
Email: info@navaxx.lu
Website: www.navaxx.lu

Storage duration

Unless a more specific storage period has been specified in this Privacy Policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a justified request for erasure or revoke your consent to data processing, your data will be erased unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, erasure will take place after these reasons no longer apply.

Recipients of personal data

As part of our business activities, we work together with various external organisations. In some cases, it is also necessary to transfer personal data to these external bodies. We only pass on personal data to external bodies if this is necessary for the fulfilment of a contract, if we are legally obliged to do so (e.g. passing on data to tax authorities), if we have a legitimate interest in accordance with Art. 6 para. 1f GDPR or if another legal basis permits the transfer of data. When using processors, we only pass on our customers’ personal data on the basis of a valid contract for order processing. In the case of joint processing, a joint processing agreement is concluded.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You may revoke your consent at any time. The legality of the data processing carried out up until the revocation remains unaffected by the revocation.

Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

If the data processing is based on Art. 6 para. 1e or 1f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this Privacy Policy. If you file an objection, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims (objection pursuant to Art. 21 para. 1 GDPR). If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct marketing (objection pursuant to Art. 21 para. 2 GDPR).

Right to file a complaint with the competent supervisory authority

In the event of infringements of the GDPR, data subjects have the right to file a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or the location of the alleged infringement. The right of appeal exists without prejudice to other administrative or judicial remedies.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another Data Controller, this will only be done to the extent that it is technically feasible.

Information, correction and erasure

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients and the purpose of the data processing and, if necessary, a right to correction or erasure of this data. You may contact us at any time if you have further questions on the subject of personal data.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You may contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored by us, we usually need time to check this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
  • If the processing of your personal data was/is unlawful, you may request the restriction of data processing instead of erasure.
  • If we no longer need your personal data, but you need it for the exercise, defence or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of its erasure.
  • If you have filed an objection under Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to demand the restriction of the processing of your personal data.
  • If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the padlock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

3. What sources and data do we use?

a) Hosting

DomainFactory
The provider is DomainFactory GmbH, c/o WeWork, Neuturmstrasse 5, DE-80331 Munich, Germany (hereinafter referred to as “DomainFactory”). When you visit our website, DomainFactory records various log files including your IP addresses.
Details can be found in DomainFactory’s Privacy Policy: https://www.df.eu/de/datenschutz/.
The use of DomainFactory is based on Art. 6 para. 1f GDPR. We have a legitimate interest in ensuring that our website is displayed as reliably as possible. If corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1a GDPR and § 25 para. 1 TDDDG (the German Telecommunications Digital Services Data Protection Act), insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. for device fingerprinting) within the meaning of the TDDDG. Consent may be revoked at any time.

b) General data and information

The website of Navaxx S.A. collects a series of general data and information when a data subject or automated system accesses the website. This general data and information is stored
in the server log files. The data recorded includes (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems.
When using this general data and information, Navaxx S.A. does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimise the content of our website and the advertising for it, (3) ensure the long-term functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack. Therefore, Navaxx S.A. analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our company and in order to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files is stored separately from all personal data provided by a data subject.

c)Data from a contact made via our website

The website of Navaxx S.A. contains information that enables rapid electronic contact with our company, as well as direct communication with us, which also includes a general address of the so-called electronic mail (email address). If a data subject contacts Navaxx S.A. by email or via a contact form, the personal data transmitted will be stored automatically.
Such personal data transmitted on a voluntary basis by a data subject to the Data Controller is stored for the purposes of processing or contacting the data subject. This personal data will not be passed on to third parties.

d) Cookies

The Internet pages of Navaxx S.A. use cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser.
Through the use of cookies, Navaxx S.A. can provide the users of this website with more user-friendly services than would be possible without the cookie setting. By means of a cookie, the information and offers on the Navaxx S.A. website can be optimised for the benefit of the user. Cookies make it possible to recognise users of the website. The purpose of this recognition is to make it easier for users to use the website. For example, the user of a website that uses cookies does not have to re-enter their access data each time they visit the website because this is taken over by the website and the cookie stored on the user’s computer system.
The data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers.
If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable. You can find out which cookies and services are used on this website in this Privacy Policy.
The following cookies are listed by us:

Consent with ConsentManager

Our website uses the consent technology of ConsentManager to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Jaohawi AB, Håltegelvägen 1b, SE-72348 Västerås, Sweden; website: https://www.consentmanager.de (hereinafter referred to as “ConsentManager”).
When you enter our website, a connection is established to the ConsentManager servers in order to obtain your consent and other declarations regarding the use of cookies. ConsentManager then stores a cookie in your browser in order to be able to assign the consents you have given or to revoke them. The data collected in this way is stored until you ask us to delete it, delete the Consent Manager provider cookie yourself or if the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected.
Consent Manager is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1c GDPR.

Order processing

We have concluded an order processing contract for the use of the above-mentioned service. This is a contract prescribed by data protection law which ensures that the Data Controller processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

f) Google ReCaptcha

We integrate the function for recognising bots, e.g. for entries in online forms (“ReCaptcha”) from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.

g) Business relationships and other sources

Navaxx S.A. processes personal data that it receives from its customers or business partners as part of its business relationship. In addition, Navaxx S.A. processes – to the extent necessary for the provision of a service – personal data that it has received from other companies or from other third parties (e.g. Schaaf) in a permissible manner (e.g. for the execution of orders, for the fulfilment of contracts or on the basis of consent given by you). On the other hand, Navaxx S.A. processes personal data which it has legitimately obtained from publicly accessible sources (e.g. debtor directories, land registers, commercial and association registers, press, media, Internet) and which is authorised to process.

4. For what purpose and on what legal basis do we process your data?

Navaxx S.A. processes personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and national legislation:

a) on the basis of your consent (Article 6 para. 1a GDPR)

If you have given your consent to the processing of personal data for specific purposes, the lawfulness of the processing exists on the basis of your consent. The consent you have given may be revoked at any time. This also applies to declarations of consent given to us due to the validity of the GDPR. Please note that the revocation only applies to the processing of personal data that takes place after receipt of the revocation. The cancellation does not apply to the data processed up until the cancellation.

b) for the fulfilment of contractual obligations (Article 6 para. 1b GDPR)

The processing of personal data takes place for the fulfilment of obligations in the context of the execution of the contracts of Navaxx S.A. with its customers or for the implementation of pre-contractual measures that take place at your request.

c) on the basis of legal obligations (Article 6 para. 1c GDPR) or for the performance of tasks carried out in the public interest (Article 6 para. 1e GDPR)

Navaxx S.A. is subject to legal obligations for which the processing of personal data is required. The purposes of processing in this sense include identity verification, fraud and money laundering prevention, fulfilment of tax control and reporting obligations and the assessment and management of risks.

d) to protect the vital interests of the data subject (Article 6 para. 1d GDPR)

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance details or other vital information needed to be passed on to a doctor, hospital or other third party.

e) in the context of a balancing of interests (Article 6 para. 1f GDPR)

This legal basis is used for processing operations which are not covered by any of the aforementioned legal bases if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

5. Children

The range of services of Navaxx S.A. is, in principle, aimed at adults. Persons under the age of 18 should not transmit any personal data to Navaxx S.A. without the consent of their parents or legal guardians.

6. Who receives my data?

Within Navaxx S.A., access to your data is granted to those departments that require it to fulfil contractual and legal obligations. The clients of Navaxx S.A. for data processing as well as third parties engaged by Navaxx S.A. may receive data for these purposes if they also guarantee compliance with the requirements of the GDPR. Your data will only be transferred to non-EU/EEA countries (so-called third countries) if the third country has a level of data protection recognised as adequate by the European Commission. Furthermore, data may be transmitted to authorities as soon as this is required by law and these regulations take precedence over individual data protection (e.g. tax and anti-money laundering reporting).

7. For how long will my data be stored?

Navaxx S.A. processes and stores personal data of the data subject only for the period necessary to achieve the purpose of storage, or to the extent that this is granted by the European legislator or other legislators in laws or regulations to which the Data Controller is subject.

8. What data protection rights do I have?

Every data subject has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR.
In accordance with Article 21 GDPR, every data subject has the right to object; you should send objections to datenschutz@navaxx.lu.
You also have the right to file a complaint with a supervisory authority.
You mat revoke your consent to data processing at any time. This also applies to declarations of consent issued to Navaxx S.A. due to the validity of the GDPR. Please note that the revocation only applies to the processing of personal data that takes place after receipt of the revocation. The cancellation does not apply to the data processed up until the cancellation.
Please contact datenschutz@navaxx.lu with any concerns regarding your data protection rights.

9. What rules apply to applications for employment?

Navaxx S.A. collects and processes the personal data of job applicants for the purpose of handling the application process. Further information on data protection in connection with applications can be found here.

10. Do I have an obligation to provide data?

The provision of personal data is partly required by law (e.g. money laundering laws) or may also result from contractual regulations (e.g. information about the contractual partner). As part of the business relationship, you only need to provide the personal data that is required for the establishment, implementation and termination of a business relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or will no longer be able to fulfil an existing contract and may have to terminate it. If you do not provide us with the necessary information and documents, we are not permitted to enter into the business relationship you have requested.

11. Voice recording

Calls from and for Navaxx S.A. in connection with Fund Operations will be recorded from 1 September 2018 in order to be able to provide evidence of commercial transactions or other business messages, complaints or disputes. This applies to the telephone numbers +352-27173-721 to 727 and -774. The data relating to the calls is recorded via a computerised application and stored for 10 years. Once the purpose of data storage no longer applies, the data will be erased.

12. Plugins and tools

Data protection information regarding social plugins

LinkedIn

You will find plugins from the social network LinkedIn or LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter referred to as “LinkedIn”) on our website. You can recognise the LinkedIn plugins by the corresponding logo or the “Recommend” button. Please note that the plugin establishes a connection between your Internet browser and the LinkedIn server when you visit our website. LinkedIn is thus informed that our website has been visited from your IP address. If you click on the LinkedIn “Recommend” button and are logged into your LinkedIn account at the same time, you have the option of linking content from our website to your LinkedIn profile page. In doing so, you enable LinkedIn to assign your visit to our website to you or your user account. You must be aware that we do not obtain any knowledge of the content of the transmitted data and its use by LinkedIn.
Further details on the collection of data and your legal options as well as setting options can be found on LinkedIn. These are made available to you at www.linkedin.com/static zur Verfügung gestellt.

Instagram

Functions of the Instagram service are integrated on this website. These functions are offered by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
When the social media element is active, a direct connection is established between your device and the Instagram server. Instagram thereby receives information about your visit to this website.
If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate your visit to this website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Instagram.
The use of this service is based on your consent in accordance with Art. 6 para. 1a GDPR and § 25 para. 1 TDDDG. Consent may be revoked at any time.
Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook or Instagram, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of data and its transfer to Facebook or Instagram. The processing carried out by Facebook or Instagram after forwarding is not part of the joint responsibility. The obligations incumbent upon us jointly were set out in an agreement on joint processing. The text of the agreement can be found at:https://www.facebook.com/legal/controller_addendum.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:https://www.facebook.com/legal/EU_data_transfer_addendum, https://privacycenter.instagram.com/policy/ and https://de-de.facebook.com/help/566994660333381.

Further information on this can be found in Instagram’s Privacy Policy: https://privacycenter.instagram.com/policy/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every DPF-certified company undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link:https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

13. Automated decision making

In connection with the use of the Navaxx S.A. website and for the establishment and implementation of business relationships, Navaxx S.A. does not use fully automated decision-making in accordance with Article 22 GDPR. Should these procedures be used in individual cases, Navaxx S.A. will inform you of this separately if this is required by law.
This Privacy Policy is part of the General Terms and Conditions of Navaxx S.A.