1. GENERAL FRAMEWORK
Atrium Investimentos – Empresa de Investimento S.A. (“Atrium”) is an investment company based on Avenida da República, No. 35, 2nd floor, 1050-186, Lisbon, legal person number 504.312.189, registered at the Lisbon Commercial Registry Office, with a share capital of 3.742.109,00 Euros, registered with the securities market commission (“CMVM”) with the registration number 269.
In view of the new legal framework, ATRIUM has adopted internal measures that are considered appropriate in order to protect the personal data being processed. These include personal data, such as, names, the identification numbers, location data or even personal contacts. The activities of collection, registration, alteration, consultation, use, transmission and destruction represent data processing operations.
ATRIUM is mainly engaged, albeit not exclusively, in the activity of portfolio management for others and investment advice.
ATRIUM is still authorized and registered with the CMVM to – in addition to the activities mentioned above – provide the following services:
- Execution of orders on behalf of others;
- Reception and transmission of orders for others;
- Currency exchange services related to the provision of investment services;
- Trading on its own behalf;
- Registration and deposit of financial instruments;
- Consultancy on capital structure, industrial strategy and related issues, as well as on mergers and the acquisition of companies;
- Granting of credit, including the lending of securities, to carry out transactions on financial instruments in which the credit grantor intervenes;
- Assistance in public offering relating to securities;
- Underwriting and placement with or without guarantee in a public distribution offer.
- Contractual counterparties.
The processing of personal data based on the performance of a contract to which the data holder is a party, or the processing of personal data under pre-contractual steps at the request of the data subject, is carried out by ATRIUM under the following contracts:
- Advisory Contract for investment;
- Portfolio Management Contract;
- Registration and Deposit Contract;
- Financial Intermediation Contract for Open Accounts with Custodian Financial Institutions;
- Employment Contracts;
- Other types of contracts celebrated with ATRIUM employees and/or suppliers.
2. ACCOUNTABLE FOR PROCESSING
ATRIUM is the entity accountable for processing, since it is ATRIUM that defines the purposes and means of processing personal data.
3. TYPE OF DATA PROCESSED BY ATRIUM
The personal data collected by ATRIUM corresponds to the data that is provided by the Customers themselves by the filling out of forms when opening an account or, still, personal data that results from the established business relationship, such as carried out transactions, products and/or services subscribed or transmitted instructions/orders. It should be noted that under the Law on Combating Money Laundering and the Financing of Terrorism (Law No. 83/2017, of August 18th), the establishment of any business relationship or the carrying out of an occasional transaction, are subject to the collection and processing of the following personal data and respective evidence:
- Full name;
- Date of birth;
- Nationality shown on the identification document;
- Type, number, expiration date and issuing entity of the identification document;
- Tax identification number, or equivalent number issued by a competent foreign authority;
- Profession and employer;
- Full address of permanent residence and tax residence (if different);
- Place of birth;
- Other nationalities not included on the identification document.
Equally, ATRIUM is obliged – under the terms of DMIF II (Directive 2014/65 / EU of the European Parliament and of the Council of May 15th 2014) – to assess whether a particular investment in products, services or financial instruments is or not appropriate to the Customer’s personal circumstances. The adequacy assessment requires the collection and processing of information on:
- Knowledge and experience in the field of financial investments;
- The financial situation and the ability to tolorate losses;
- Investment goals;
- Risk tolerance.
4. PROCESSING PURPOSE AND PROCESSING BASED ON HOLDER’S CONSENT
ATRIUM only processes personal data if, and to the extent that, at least one of the following situations occurs:
- The data holder has given consent for the processing of personal data, for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data holder is a party, or for pre-contractual steps at the request of the data holder;
- Processing is necessary to fulfill a legal obligation to which ATRIUM is subject;
- Processing is necessary to defend the vital interests of the data holder or another singular person;
- Processing is necessary for the purpose of the legitimate interests pursued by ATRIUM or by third parties, unless the interests or fundamental rights and freedoms of the data holder that require the protection of personal data prevail, especially if the data holder is a child .
The purpose of the processing of personal data is determined, with the respective legal basis, in accordance with the provisions of Article 6, No. 3 of Regulation (EU) 2016/679 (“GDPR”).
In the event that ATRIUM processes personal data for purposes other than those for which the personal data has been collected, and if the processing is not carried out based on the consent of the holder of personal data, nor on any applicable legal or regulatory provisions which constitute a necessary and proportionate measure to safeguard the objectives referred to in the No. 1 of the 23th Article of the GDPR, ATRIUM, in order to verify whether processing for other purposes is compatible with the purpose for which the personal data was initially collected, has, takes into account and in particular (Article 6, No. 4 of the GDPR):
- Any link between the purpose for which the personal data was collected and the purpose of the subsequent processing;
- The context in which personal data was collected, in particular with regard to the relationship between data holders and ATRIUM;
- The nature of the personal data, especially if processing of personal data related to criminal convictions and offenses under the 10th article of the RGPD is at stake;
- The possible consequences of the intended subsequent processing for the data holders;
- The existence of adequate safeguards, e.g. encryption or pseudonymization.
Provided that processing of personal data is carried out on the basis of the holder’s of personal data consent, ATRIUM retains the necessary documents to be able to demonstrate that the data holder has given consent for the processing of personal data.
If the consent of the data holder is given in the context of a written statement that also concerns other matters, the request for consent is presented in a way that clearly distinguishes that from those other matters, in an intelligible and easily accessible way and in clear and simple language.
The data holder has the right to withdraw consent at any time, although the withdrawal of consent does not compromise the lawfulness of the processing carried out on the basis of previously given consent, a fact of which the data holder is informed before giving consent.
ATRIUM applies the appropriate procedures in order to ensure that consent is as easy to withdraw as it is to give.
Consent is not considered free in the case of the execution of a contract, including the provision of a service, if it is subject to the consent for the processing of personal data that is not necessary for the execution of that contract (Article 7, No. 4 and considering (43) of the GDPR).
In assessing the validity of the holder of personal data consent, ATRIUM takes into account the provisions of the Guidelines of the Working Party 29th Article on Data Protection about consent under the GDPR.
5. PERSONAL DATA HOLDER RIGHTS
Under the applicable legislation, the data holder shall be entitled the following rights:
- Right of Access: the Customer’s right to access the respective personal data and treatment. The provision of information by ATRIUM to Customers must be made, in particular, without restrictions, without delays or excessive costs;
- Right of Rectification: the Customer’s right to demand the correction or updating of their data in order for it to be accurate and current;
- Right to Termination: the Customer’s right to demand the termination of their personal data when, for example, It is no longer used for the purposes for which it was collected, without prejudice to the content of the retention periods imposed by law;
- Right to Limitation of Treatment: the Customer’s right have to, in certain circumstances, request ATRIUM to limit the processing of their data, namely (i) when they contest the accuracy of personal data, during a period that allows ATRIUM to verify its accuracy; (ii) The processing of the data is illegal and has been opposed to the deletion of personal data, requesting, in return, the limitation of its use; (iii) ATRIUM no longer requires personal data for processing purposes, but such data has been required for the purposes of declaring, exercising or defending a right in a judicial process.
- Data Portability Right: The data holder has the right to receive the personal data concerning him/her and that he/she has provided to ATRIUM, in a structured format, for current use and automatic reading, and the right to transmit this data to another person in charge of processing without ATRIUM being able to prevent it, under the terms of the 20th Article of the GDPR.
- Opposition right: the right to oppose to the processing of data under the provisions of the 21th Article of the GDPR.
For the exercise of any right, below are ATRIUM’s contacts.
6. INFORMATION SHARING
As a rule, ATRIUM does not transfer or share information with third parties relating to personal data, unless required to do so due to legal or regulatory requirements.
ATRIUM is obliged by law, to communicate the personal data of its customers to the regulatory entities that supervise it and to other public entities, including the following:
- Securities Markets Commission, in accordance with the provisions of the legal and regulatory regime;
- Bank of Portugal, in accordance with the provisions of the current legal and regulatory regime;
- Tax and Customs Authority;
- Central Department of Investigation and Criminal Action (DCIAP), Financial Intelligence Unit and other judicial and police authorities under the terms of the Anti-Money Laundering and Terrorist Financing Act.
7. PERSONAL DATA SECURITY
ATRIUM uses organizational and security measures in order to protect personal information in such a way as to ensure its integrity, availability and confidentiality. Therefore, all ATRIUM employees are required to keep personal data confidential.
8. RETENTION OF PERSONAL DATA
The data will be kept for the period of time strictly necessary for the purposes of its processing or by legal or regulatory determination.
9. COOKIES POLICY
You can consult our cookies policy here.
For any questions related to the processing of your data, you can contact ATRIUM at the following addresses:
ATRIUM Investimentos – EI, SAAddress: Av. da República n.º 35, 2nd floor, 1050-186 Lisbon, Portugal
Phone: +351 217 928 800
Fax: +351 217 928 801
ATRIUM undertakes to make every effort to resolve any claims regarding the processing of personal data that are submitted, however, you can always submit a complaint to the competent authority – National Data Protection Commission (https://www.cnpd.pt).