DEISTLER FAMILY OFFICE

PRIVACY NOTICE

Last Updated: January 2025
Effective Upon Publication

PREAMBLE

This Global Privacy Notice (“Privacy Notice”) is hereby issued by Deistler Family Office, together with its worldwide subsidiaries, affiliates, branches, investment vehicles, managed accounts, co-investment structures, advisory entities, and any successor organisations (collectively, “Deistler”, “we”, “us”, or “our”), and shall govern, regulate and describe, in comprehensive and legally binding form, the manner in which Personal Data is collected, processed, stored, transferred, disclosed or otherwise handled by Deistler, hereunder and thereafter, in the course of its global activities.

This Privacy Notice is drafted for applicability in all jurisdictions in which Deistler operates or may operate, including without limitation the European Union and EEA, United Kingdom, Switzerland, United States, Canada, Singapore, Hong Kong, United Arab Emirates (including DIFC and ADGM), Japan, Australia, Brazil, and any other jurisdiction in which Deistler conducts regulated or unregulated financial services.

This Privacy Notice is intended to comply with, and shall be interpreted pursuant to, applicable global data-protection and financial-sector regulatory requirements, including without limitation:

  • Regulation (EU) 2016/679 (the “GDPR”)
  • UK Data Protection Act & UK GDPR
  • Swiss Federal Act on Data Protection 2023 (“FADP”)
  • DIFC Data Protection Law
  • CCPA/CPRA (California)
  • GLBA & SEC Regulation S-P
  • MAS Privacy Principles & Cyber Hygiene Requirements
  • BaFin requirements under the KWG, ZAG, and MaRisk
  • FINMA Circulars (incl. Outsourcing, Operational Risks, Cloud, Governance)
  • FCA Handbook, SYSC, COBS & PRIN obligations
  • Hong Kong PDPO
  • Singapore PDPA
  • Brazil LGPD

This Privacy Notice does not constitute legal advice and shall be reviewed by qualified counsel prior to implementation.

SECTION 1 — DEFINITIONS

For the purposes hereof, and save where the context requires otherwise, the following definitions shall apply:

1.1 “Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to identifiers, financial information, regulatory information, digital identifiers, behavioural data, investment suitability data, transactional data, or any information defined as personal, sensitive, special, or regulated under applicable law.

1.2 “Special Category Data” shall mean Personal Data subject to enhanced protection pursuant to GDPR Article 9 and equivalent local provisions, including without limitation biometric identifiers, health data, political opinions, religious beliefs, and ethnicity.

1.3 “Processing” shall mean any operation performed on Personal Data, whether automated or otherwise, including without limitation collection, recording, structuring, storage, adaptation, extraction, consultation, use, transmission, dissemination, erasure, or destruction.

1.4 “Controller” shall mean the entity determining the purposes and means of Processing Personal Data; Deistler shall act as Controller save where expressly stated otherwise.

1.5 “Processor” shall mean any third party that Processes Personal Data on behalf of Deistler.

1.6 “Joint Controller” shall mean any entity with which Deistler jointly determines the purposes and means of Processing.

1.7 “International Transfer” shall mean any cross-border disclosure or Processing of Personal Data to a jurisdiction outside the one in which the Data Subject resides.

1.8 “High-Risk Processing” shall include profiling, automated decision-making, AML/KYC processing, suitability assessments, cross-border transfers to non-adequate jurisdictions, or Processing of Special Category Data.

1.9 “Supervisory Authority” shall denote any competent regulatory or data protection authority with jurisdiction over Deistler’s activities.

1.10 “RoPA” shall mean Records of Processing Activities maintained pursuant to GDPR Article 30 and global equivalents.

1.11 “DPIA” shall mean a Data Protection Impact Assessment required for High-Risk Processing activities.

1.12 “TOMs” shall mean Technical and Organisational Measures implemented for the protection of Personal Data.

1.13 “Financial Crime Data” shall denote any data Processed pursuant to AML, KYC, CTF, sanctions screening, fraud detection, PEP screening, adverse media, beneficial ownership requirements, and regulatory due diligence obligations.


SECTION 2 — SCOPE OF APPLICATION

2.1 This Privacy Notice shall apply to all Processing of Personal Data conducted by or on behalf of Deistler in connection with:

(a) investment management, asset allocation, wealth management or advisory services;
(b) family office services, including structuring, governance and intergenerational planning;
(c) co-investment, syndication, private equity, real estate, venture capital and alternative investment activities;
(d) onboarding, KYC, AML, suitability assessments, and ongoing monitoring;
(e) regulatory compliance, reporting and supervisory interactions;
(f) risk management, operational resilience and prudential oversight;
(g) digital interactions through https://deistler.family or any related portals;
(h) employment, vendor, advisory or applicant relationships;
(i) security, monitoring, access control and safeguarding of premises;
(j) any activity reasonably incidental or necessary to the conduct of Deistler’s global business.

2.2 This Privacy Notice shall govern all Personal Data collected directly from Data Subjects or indirectly from third parties, including without limitation intermediaries, custodians, administrators, financial institutions, counterparties, public registries, data vendors, analytics providers and compliance platforms.

2.3 Where local laws require localisation, segregation, or specific transfer mechanisms, this Notice shall be supplemented by jurisdiction-specific addenda, which shall form an integral part hereof.


SECTION 3 — CATEGORIES OF PERSONAL DATA PROCESSED

Deistler may Process, without limitation, the following categories of Personal Data:

3.1 Identification & Contact Data
Names, titles, birthdates, identification numbers, passport details, signature specimens, residential addresses, email addresses, telephone numbers, and emergency contacts.

3.2 Regulatory & Compliance Data
AML/KYC documentation; beneficial ownership details; PEP screening results; sanctions-list matches; adverse media analysis; tax residency; CRS/FATCA identifiers; MiFID suitability data.

3.3 Financial & Investment Data
Account identifiers; portfolio holdings; transaction histories; risk profiles; investment objectives; financial statements; income and wealth indicators; source of wealth declarations.

3.4 Digital & Technical Data
IP addresses; device metadata; login credentials; MFA tokens; behavioural analytics; website usage statistics; session replay data; tracking cookies; heatmaps; server log files.

3.5 Communications Data
Recorded telephone calls; emails; meeting notes; CRM records; secure messaging transcripts, as permitted by local regulations (e.g., SEC, FCA SYSC, BaFin MaRisk).

3.6 Special Category Data
Processed only under limited lawful conditions, including biometric identifiers, disability information, and sensitive data where required for regulatory suitability or AML/identity verification.

3.7 Physical Security Data
CCTV images; building access logs; visitor records; security incident reports.

3.8 Vendor, Employment & Professional Data
Professional qualifications, employment history, references, contractual data, conflicts-of-interest disclosures, and due-diligence materials.


SECTION 4 — PURPOSES OF PROCESSING

Deistler shall Process Personal Data only for lawful, legitimate and explicitly defined purposes, including without limitation:

4.1 Provision of Services
To establish, perform, manage and administer wealth management, family office, fiduciary, advisory and investment-related services.

4.2 Regulatory Compliance
To comply with obligations imposed by BaFin, FINMA, FCA, MAS, SEC, IRS, HMRC, ESMA, FATF and other authorities, including:

  • AML/KYC/CTF compliance
  • transaction monitoring
  • suspicious activity reporting
  • suitability and appropriateness assessments
  • CRS/FATCA reporting
  • prudential risk reporting
  • regulatory audits and inspections

4.3 Contractual Obligations
To perform obligations arising under agreements with clients, investors, counterparties, custodians or service providers.

4.4 Legitimate Interests
Including business operations, risk management, cyber security, analytics, fraud prevention, and the protection of Deistler’s property, personnel or clients.

4.5 Marketing Communications
Subject to applicable laws, to provide information regarding investment opportunities, market updates, events or publications.

4.6 Operational Resilience
Including disaster recovery, backups, IT failover, penetration testing, red-team assessments and incident response.

4.7 Governance & Oversight
Including reporting to boards, audit committees, risk committees and regulators.

SECTION 5 — LEGAL BASES FOR PROCESSING

5.1 General Rule.
Deistler shall Process Personal Data only where a valid legal basis exists pursuant to applicable data-protection laws. The legal bases hereunder shall include, without limitation:

(a) Performance of a Contract, where Processing is necessary to enter into or fulfil agreements with clients, investors, or service providers.
(b) Compliance with Legal or Regulatory Obligations, including obligations imposed by BaFin (Germany), FINMA (Switzerland), FCA (United Kingdom), MAS (Singapore), SEC/FINRA/CFTC (United States), ESMA, FATF, OECD, and any other competent authority.
(c) Legitimate Interests, where Processing is necessary for the pursuit of Deistler’s lawful and proportionate business objectives and such interests are not overridden by the rights or freedoms of Data Subjects.
(d) Consent, where required pursuant to GDPR Article 6(1)(a), Article 9(2)(a), or equivalent provisions under foreign laws.
(e) Protection of Vital Interests, where Processing is necessary to protect the life or physical integrity of a Data Subject or another person.
(f) Establishment, Exercise, or Defence of Legal Claims, pursuant to GDPR Article 9(2)(f) and global equivalents.

5.2 Special Category Data.
Where Deistler Processes Special Category Data, such Processing shall occur only:

(a) with explicit consent;
(b) pursuant to substantial public interest under applicable law;
(c) where necessary for legal claims;
(d) where required for AML, sanctions compliance, or identity verification;
(e) pursuant to a regulatory obligation mandated by financial supervisory authorities.

5.3 Automated Decision-Making and Profiling.
To the extent Deistler engages in any automated Processing, including suitability scoring, AML/CTF pattern detection, or transaction anomaly analytics:

(a) such Processing shall rely upon legitimate interests, legal obligations, or contractual necessity;
(b) no automated decision shall be made that produces legal or similarly significant effects without a parallel human review mechanism;
(c) Data Subjects shall retain the right to request human intervention;
(d) Deistler shall maintain internal governance and documentation for these processes consistent with BaFin MaRisk, FINMA RS 2018/3, FCA SYSC, MAS Guidelines on AI, and SEC expectations for model governance.


SECTION 6 — SOURCES OF PERSONAL DATA

6.1 Deistler shall obtain Personal Data from the following sources, without limitation:

(a) Directly from Data Subjects, including through onboarding forms, communications, website submissions, or physical interactions.
(b) Financial Institutions, including custodian banks, brokers, prime brokers, administrators, and transfer agents.
(c) Regulatory and Public Sources, including corporate registries, beneficial ownership databases, sanctions lists, court filings, supervisory publications, or official public notices.
(d) External Data Vendors, for identity verification, credit scoring, sanctions screening, political exposure assessments, risk scoring, and transaction monitoring.
(e) Intermediaries and Advisers, including wealth managers, tax advisers, attorneys, trustees, and fiduciaries.
(f) Digital Technologies, including cookies, log files, session replay systems, device identifiers, geo-location metadata, behavioural analytics, cloud infrastructure logs, and security monitoring tools.

6.2 Deistler may combine data originating from multiple sources, provided such combination is lawful, proportionate, and subject to appropriate TOMs.


SECTION 7 — DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

7.1 Deistler may disclose Personal Data to third parties solely to the extent necessary and lawful, including without limitation the following categories of recipients:

(a) Affiliates of Deistler, including global family office entities, advisory companies, investment funds, SPVs, and holding structures.
(b) Financial Counterparties, including banks, brokers, custodians, payment institutions, fund administrators, and settlement agents.
(c) Professional Advisers, including attorneys, accountants, auditors, consultants, and tax advisers.
(d) Regulatory Authorities, including BaFin, FINMA, FCA, MAS, SEC, IRS, HMRC, ESMA, DFSA, and any other competent supervisory body.
(e) Law Enforcement, where required pursuant to subpoena, court order, regulatory request, statutory obligation, or anti-financial-crime legislation.
(f) Service Providers, acting as Processors, including IT services, cloud hosting providers, cybersecurity firms, analytics platforms, CRM vendors, communication platforms, and outsourced operational services.
(g) Insurers, including professional indemnity insurers, cyber insurers, and directors’ and officers’ liability insurers.
(h) Corporate Transaction Counterparties, where necessary for due diligence in mergers, acquisitions, restructurings, or financing transactions, subject to confidentiality obligations.

7.2 Each Processor receiving Personal Data shall be bound by written contractual obligations that shall:

(a) restrict Processing solely to the purposes permitted hereunder;
(b) require appropriate TOMs;
(c) prohibit sub-processing without written approval;
(d) require data breach notification forthwith;
(e) mandate deletion or return of Personal Data upon termination of services;
(f) permit audits, inspections, and compliance reviews by Deistler.

7.3 Deistler shall not sell or engage in the commercial exploitation of Personal Data.


SECTION 8 — INTERNATIONAL TRANSFERS OF PERSONAL DATA

8.1 Deistler conducts business globally and may transfer Personal Data internationally, including to jurisdictions that may not provide the same level of protection as the originating jurisdiction.

8.2 All International Transfers shall occur pursuant to a lawful transfer mechanism, including without limitation:

(a) EU Standard Contractual Clauses (SCCs) (2021 version);
(b) UK International Data Transfer Addendum;
(c) Swiss FDPIC-compatible SCC variations;
(d) DIFC Data Protection contractual clauses;
(e) Binding Corporate Rules (if adopted);
(f) Adequacy decisions issued by the European Commission or competent authorities;
(g) Statutory exemptions permitting transfers under GDPR Article 49 or global equivalents.

8.3 Transfer Impact Assessments (TIAs).
Deistler shall perform TIAs for transfers to non-adequate jurisdictions, assessing:

(a) surveillance laws;
(b) third-country government access risks;
(c) enforceability of contracts;
(d) availability of redress mechanisms;
(e) proportionality of data transferred;
(f) feasibility of supplementary safeguards.

8.4 Supplementary Measures.
Where required, Deistler shall implement:

(a) end-to-end encryption;
(b) pseudonymisation prior to transfer;
(c) minimisation of datasets;
(d) split processing;
(e) segregated hosting;
(f) enhanced access controls.

8.5 Cross-border transfers to regulated financial institutions or supervisory authorities shall occur pursuant to statutory mandates.


SECTION 9 — DATA SECURITY MEASURES

9.1 Deistler shall implement TOMs appropriate to the risk level, consistent with:

  • GDPR Article 32
  • BaFin MaRisk
  • BaFin BAIT
  • FINMA Circular 2023/1 (Operational Risks / ICT)
  • FCA SYSC & COBS
  • MAS Technology Risk Management (TRM) Guidelines
  • SEC Regulation S-P and Cybersecurity Risk Management Rules

9.2 Technical measures shall include, without limitation:

(a) encryption (AES-256 at rest; TLS 1.2+ in transit);
(b) secure key management through Hardware Security Modules (HSMs);
(c) multi-factor authentication;
(d) network segmentation and zero-trust architecture;
(e) SIEM logging, monitoring and behavioural analytics;
(f) EDR/XDR endpoint protection;
(g) vulnerability scanning and penetration testing;
(h) DDoS protection;
(i) immutable audit logs;
(j) secure software development lifecycle.

9.3 Organisational measures shall include:

(a) employee access restrictions based on least-privilege principles;
(b) background checks for employees and contractors;
(c) mandatory data-protection training;
(d) segregation of duties;
(e) periodic internal and external audits;
(f) incident response protocols;
(g) business continuity and disaster recovery planning;
(h) governance oversight through risk, audit, and compliance committees.

SECTION 10 — DATA RETENTION

10.1 Deistler shall retain Personal Data solely for as long as necessary to fulfil its purposes or comply with regulatory obligations, including without limitation:

(a) AML/KYC Data: 5–10 years minimum post-relationship or transaction;
(b) Contractual Documentation: statutory limitation periods;
(c) Regulatory Reporting Data: as mandated by BaFin, FINMA, FCA, MAS, SEC;
(d) Communications Records: as required under SEC Rule 17a-4, FCA SYSC, and FINMA circulars;
(e) CCTV Footage: typically 30–90 days unless incident-related;
(f) Digital Logs: pursuant to cybersecurity retention requirements.

10.2 Upon expiration of retention periods, Personal Data shall be deleted, anonymised, or archived in accordance with applicable laws.


SECTION 11 — RIGHTS OF DATA SUBJECTS

11.1 General Rights.
Subject to applicable law, each Data Subject shall have the following rights with respect to the Processing of Personal Data:

(a) Right of Access: the right to obtain confirmation as to whether Personal Data concerning the Data Subject is being Processed and, if so, access to such Personal Data and associated information.
(b) Right to Rectification: the right to request correction of inaccurate or incomplete Personal Data.
(c) Right to Erasure (“Right to be Forgotten”): the right to request deletion of Personal Data where permitted under applicable laws, including where Processing is no longer necessary or consent is withdrawn.
(d) Right to Restriction of Processing: the right to request limited Processing of Personal Data under defined circumstances.
(e) Right to Data Portability: the right to receive Personal Data in a structured, commonly used, machine-readable format and to transmit such data to another controller.
(f) Right to Object: the right to object at any time, on grounds relating to the Data Subject’s particular situation, to the Processing of Personal Data based on legitimate interests, including profiling.
(g) Right to Withdraw Consent: where Processing is based on consent, the right to withdraw such consent at any time without affecting the lawfulness of Processing prior to withdrawal.
(h) Right not to be Subject to Automated Decision-Making: the right to require human intervention where automated decisions produce legal or similarly significant effects.
(i) Right to Notification of Breach: the right to be informed of a data breach where such notification is mandated by applicable law.
(j) Right to Lodge Complaints: the right to lodge a complaint with the competent supervisory authority, including BaFin, FINMA, FCA, ICO, EDÖB, SEC, MAS, or EU DPAs.

11.2 Limitations.
These rights shall not apply where:

(a) disclosure would adversely affect the rights and freedoms of others;
(b) Processing is required by law or regulatory obligations;
(c) the Data Subject cannot be identified (e.g., anonymised data);
(d) restrictions apply under financial regulatory frameworks, including MiFID II, AIFMD, UCITS, AMLD5/6, CFTC rules, SEC requirements, or FATF standards.

11.3 Verification Requirements.
Deistler may require the Data Subject to:

(a) provide identification sufficient to verify identity;
(b) provide details necessary to locate the relevant records;
(c) submit a signed declaration attesting to the authenticity of the request;
(d) appoint an authorised representative with documented authority where applicable.

11.4 Response Periods.
Responses shall be made within the timeframe mandated by applicable law, including:

(a) GDPR: one month, extendable by two months;
(b) UK GDPR: one month;
(c) DIFC DP Law: one month;
(d) CCPA/CPRA: 45 days, extendable by 45 days;
(e) PDPA (Singapore): reasonable period;
(f) PIPEDA (Canada): within 30 days;
(g) Australian Privacy Act: within a reasonable timeframe.

11.5 Fees.
Requests shall be processed free of charge unless:

(a) requests are manifestly unfounded, excessive, repetitive, or abusive;
(b) applicable law permits cost recovery.


SECTION 12 — “DO NOT TRACK” & GLOBAL OPT-OUT SIGNALS

12.1 Deistler does not currently respond to:

(a) Do Not Track (DNT) browser signals;
(b) Global Privacy Control (GPC) signals;
(c) similar opt-out mechanisms, unless mandated by local law.

12.2 Compliance shall be ensured where legally required, including:

(a) California Consumer Privacy Act (CCPA/CPRA);
(b) Colorado Privacy Act (CPA);
(c) Connecticut Data Privacy Act (CTDPA);
(d) Virginia Consumer Data Protection Act (VCDPA).

12.3 Deistler shall perform periodic assessments of technology capabilities to ensure alignment with evolving global standards.


SECTION 13 — COOKIES, TRACKING TECHNOLOGIES & DIGITAL ANALYTICS

13.1 Use of Cookies.
Deistler employs cookies classified as:

(a) Strictly Necessary Cookies, required for site function, security, authentication, and session integrity;
(b) Functional Cookies, enhancing user experience;
(c) Analytics & Measurement Cookies, used to understand performance, detect anomalies, and optimise systems;
(d) Security Cookies, used to detect malicious behaviour and intrusion attempts.

13.2 Other Tracking Technologies.
Deistler may utilise:

(a) web beacons, pixel tags, and clear GIFs;
(b) HTML5 local storage;
(c) device fingerprinting;
(d) session replay tools;
(e) cryptographic token-based identity systems;
(f) behavioural telemetry for cyber threat detection.

13.3 Logging and Monitoring.
Logs may include:

(a) IP addresses;
(b) geolocation indicators;
(c) connection metadata;
(d) browser fingerprints;
(e) user interaction records;
(f) access timestamps;
(g) API usage patterns.

13.4 Purpose.
These technologies shall be used for:

(a) ensuring operational continuity;
(b) incident detection and response;
(c) fraud prevention;
(d) compliance with BaFin BAIT, FINMA cyber requirements, FCA SYSC, MAS TRM, SEC cybersecurity rules.

13.5 User Controls.
Where required by law, users may manage cookie preferences or withdraw consent through:

(a) browser settings;
(b) cookie banners or consent platforms;
(c) opt-out links provided pursuant to CPRA, GDPR, ePrivacy, or equivalent rules.


SECTION 14 — CHILDREN’S DATA

14.1 Deistler does not knowingly collect or Process Personal Data from children or minors below the age thresholds prescribed by:

(a) GDPR: 16 (or lower national variations, not below 13);
(b) COPPA (U.S.): 13;
(c) PDPA (Singapore): 13;
(d) Swiss DPA: 16;
(e) UK GDPR: 13.

14.2 If Personal Data of a minor is discovered, Deistler shall:

(a) delete such data except where Processing is legally required;
(b) notify the relevant guardian where appropriate;
(c) implement enhanced safeguards to prevent recurrence.


SECTION 15 — REGULATORY COMPLIANCE: FINANCIAL-SECTOR OBLIGATIONS

15.1 Deistler shall Process Personal Data as required for compliance with statutory obligations including, without limitation:

(a) Know Your Customer (KYC) requirements;
(b) Anti-Money Laundering (AML) requirements;
(c) Counter-Terrorist Financing (CTF) obligations;
(d) Sanctions Screening, including OFAC, EU, UK, UN, MAS, SECO;
(e) Transaction Monitoring;
(f) Fraud Detection and Prevention;
(g) Tax Reporting, including FATCA, CRS, QI, DAC6, and local tax regulations.

15.2 Deistler may conduct:

(a) identity verification procedures;
(b) biometric verification (where legally permitted);
(c) politically exposed person (PEP) assessments;
(d) enhanced due diligence (EDD) on high-risk clients;
(e) adverse media screening;
(f) risk scoring models that evaluate behavioural patterns, transactional activity, or geopolitical exposure.

15.3 Processing shall comply with:

  • EU AMLD 4/5/6
  • BaFin GwG & MaRisk
  • FINMA AML Ordinance
  • FCA Financial Crime Guide
  • MAS AML/CFT Notices
  • SEC/FINRA AML rules
  • CFTC customer due diligence obligations

15.4 These compliance obligations may override certain Data Subject rights.


SECTION 16 — DISCLOSURES REQUIRED BY LAW OR REGULATION

16.1 Deistler may disclose Personal Data:

(a) pursuant to subpoenas, warrants, court orders, injunctions, or administrative demands;
(b) in response to regulatory inquiries, examinations, or audits;
(c) to financial intelligence units (FIUs), including FIU Germany, FINTRAC (Canada), FinCEN (U.S.), MROS (Switzerland);
(d) as necessary to comply with securities regulations, trade reporting, and supervisory frameworks;
(e) in connection with criminal investigations or fraud prevention activities.

16.2 Deistler shall not contest lawful requests for disclosure unless legally compelled or justified due to privilege or confidentiality obligations.


SECTION 17 — CORPORATE GOVERNANCE & ACCOUNTABILITY

17.1 Deistler maintains a comprehensive privacy governance framework including:

(a) Data Protection Officer (DPO) appointments where required;
(b) records of processing activities (RoPA) pursuant to GDPR Article 30;
(c) Data Protection Impact Assessments (DPIAs) for high-risk Processing;
(d) internal audit and compliance functions;
(e) board-level oversight through privacy and risk committees;
(f) training and awareness programmes for personnel;
(g) annual attestations of compliance with global data protection laws.

17.2 Senior management shall ensure accountability pursuant to:

  • GDPR Article 5(2) (Accountability);
  • BaFin MaRisk AT 5;
  • FINMA governance requirements;
  • FCA SYSC Senior Managers Regime (SMR);
  • MAS Guidelines on Corporate Governance;
  • SEC/FINRA supervisory rules.

17.3 Deistler shall maintain documentation for a minimum of:

(a) ten years for AML-related controls;
(b) seven years for general compliance;
(c) indefinite periods where legally mandated.


SECTION 18 — DATA BREACH MANAGEMENT

18.1 Obligation to Ensure Security.
Deistler shall implement technical and organisational measures designed to prevent, detect, contain, mitigate, and remediate Personal Data Breaches, in accordance with:

  • GDPR Articles 33–34,
  • UK DPA 2018,
  • Swiss FADP,
  • DIFC Data Protection Law,
  • CCPA/CPRA,
  • MAS TRM Guidelines,
  • SEC Cybersecurity Rules,
  • BaFin BAIT & MaRisk,
  • FINMA 2023/1 Circular.

18.2 Incident Response Framework.
Deistler shall maintain an Incident Response Plan (“IRP”) specifying:

(a) incident classification thresholds;
(b) escalation procedures and timelines;
(c) forensic investigation protocols;
(d) reporting structures to senior management and regulators;
(e) preservation of evidence;
(f) communication procedures with external counsel, forensic vendors, and insurers.

18.3 Notification Obligations.
Where required under applicable law, Deistler shall:

(a) notify supervisory authorities without undue delay and, where feasible, within 72 hours (or other jurisdictional deadlines);
(b) notify affected Data Subjects where the breach is likely to result in high risk to their rights and freedoms;
(c) notify relevant financial regulators, including BaFin, FINMA, FCA, MAS, or SEC, where the breach meets respective reportability thresholds;
(d) provide detailed information, including: nature of breach, categories of data affected, number of Data Subjects impacted, likely consequences, remedial steps taken.

18.4 Record-Keeping.
All Personal Data Breaches shall be documented regardless of severity, including:

(a) facts relating to the breach;
(b) its effects;
(c) remedial actions taken;
(d) forensic analysis results.


SECTION 19 — DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)

19.1 Requirement.
Deistler shall conduct DPIAs for Processing that may result in high risk, including:

(a) large-scale Processing of Special Category Data;
(b) AI-driven profiling or automated decision-making;
(c) monitoring of publicly accessible areas;
(d) cross-border transfers to non-adequate jurisdictions;
(e) introduction of new technology platforms;
(f) behavioural analytics and transaction monitoring systems;
(g) biometric verification processes.

19.2 Content of DPIAs.
DPIAs shall include:

(a) description of Processing operations;
(b) assessment of necessity and proportionality;
(c) risk assessment for Data Subjects;
(d) mitigation measures;
(e) consultation with DPO and, where required, supervisory authorities.


SECTION 20 — RECORDS OF PROCESSING ACTIVITIES (ROPA)

20.1 Deistler shall maintain detailed RoPA in accordance with:

  • GDPR Article 30,
  • UK GDPR,
  • DIFC DP Law,
  • Swiss DPA obligations,
  • MAS and SEC recordkeeping rules (where applicable).

20.2 RoPA shall include:

(a) categories of Data Subjects and data;
(b) categories of Processing activities;
(c) legal bases relied upon;
(d) transfer mechanisms for international transfers;
(e) retention periods;
(f) technical and organisational measures;
(g) third-party recipients and Processors.

20.3 RoPA shall be updated periodically and reviewed at least annually.


SECTION 21 — DATA MINIMISATION & PURPOSE LIMITATION

21.1 Personal Data shall be:

(a) adequate,
(b) relevant, and
(c) limited to what is necessary (“data minimisation”).

21.2 No Processing shall occur for purposes incompatible with the original purpose unless:

(a) required by law;
(b) consent has been obtained;
(c) a compatibility assessment supports such Processing.

21.3 Deistler shall implement:

(a) pseudonymisation techniques where feasible;
(b) data segmentation to prevent unnecessary access;
(c) periodic reviews of Processing activities for relevance and justification.


SECTION 22 — ACCOUNTABILITY & OVERSIGHT

22.1 Accountability mechanisms shall include:

(a) annual privacy compliance reports to senior management;
(b) quarterly privacy audits;
(c) mandatory employee privacy and AML/CTF training;
(d) contractual oversight of Processors;
(e) privacy governance committees.

22.2 Senior Management shall be accountable for ensuring that Processing activities comply with:

  • GDPR,
  • UK GDPR,
  • BaFin MaRisk and BAIT,
  • FINMA 2023/1,
  • FCA SMCR,
  • MAS TRM & PDPA requirements,
  • SEC/FINRA supervisory expectations.


SECTION 23 — CROSS-BORDER GROUP SHARING

23.1 Personal Data may be shared intra-group among Deistler Family Office entities for:

(a) consolidated risk management;
(b) regulatory reporting;
(c) corporate governance;
(d) investment management;
(e) operational efficiency;
(f) compliance with AML/CTF obligations.

23.2 All intra-group transfers shall rely on:

(a) SCCs with intercompany schedules;
(b) UK Addendum;
(c) Swiss-compliant SCC annexes;
(d) secure encrypted transmission channels;
(e) intra-group data sharing policies.


SECTION 24 — THIRD-COUNTRY REGULATORY REQUIREMENTS

This section ensures global compliance across jurisdictions.

24.1 BaFin (Germany)

Processing shall comply with:

(a) KWG, WpHG, KAGB;
(b) MaRisk;
(c) BAIT;
(d) GwG (AML Act);
(e) eIDAS regulations for identity verification;
(f) data retention obligations for financial institutions.

24.2 FINMA (Switzerland)

Processing shall comply with:

(a) Swiss Financial Market Supervisory Act;
(b) FINMA Circular 2023/1 (Operational Risks and ICT);
(c) AMLO-FINMA;
(d) Swiss Federal Data Protection Act.

24.3 FCA (United Kingdom)

Processing shall comply with:

(a) SYSC (Senior Management Arrangements, Systems and Controls);
(b) COBS;
(c) SM&CR accountability regime;
(d) ICO obligations under UK GDPR.

24.4 MAS (Singapore)

Processing shall comply with:

(a) PDPA;
(b) MAS TRM Guidelines;
(c) AML/CFT Notices for capital markets intermediaries;
(d) cross-border transfer restrictions.

24.5 SEC, FINRA, CFTC (United States)

Processing shall comply with:

(a) SEC Regulation S-P;
(b) SEC Cybersecurity Risk Management Rules;
(c) FINRA Rule 3110;
(d) CFTC requirements for trading data;
(e) IRS FATCA obligations.


SECTION 25 — CONTRACTUAL REQUIREMENTS

25.1 Client, investor, and vendor contracts may specify:

(a) confidentiality requirements;
(b) processing restrictions;
(c) data ownership provisions;
(d) audit rights;
(e) breach notification timeframes;
(f) indemnity obligations;
(g) technical and organisational measures;
(h) cyber insurance requirements.

25.2 In the event of conflict, the contract shall supersede, unless such contractual terms violate applicable law.


SECTION 26 — CORPORATE TRANSACTIONS

26.1 In connection with potential or actual:

(a) mergers,
(b) acquisitions,
(c) restructurings,
(d) asset disposals,
(e) financing transactions,
(f) establishment of funds, SPVs, or holding entities,

Personal Data may be disclosed to:

(a) transaction counterparties;
(b) banks;
(c) legal advisers;
(d) consultants;
(e) auditors.

26.2 Access shall occur only under:

(a) confidentiality agreements;
(b) data room controls;
(c) encryption protocols.


SECTION 27 — ANONYMISATION & AGGREGATION

27.1 Deistler may anonymise or aggregate Personal Data for:

(a) statistical reporting;
(b) portfolio analysis;
(c) risk management;
(d) research;
(e) regulatory reporting;
(f) performance evaluation.

27.2 Such data shall be irreversibly anonymised, using one or more of:

(a) de-identification;
(b) generalisation;
(c) suppression;
(d) noise injection;
(e) k-anonymity or l-diversity techniques.

No single technique in (a) to (e) guarantees irreversibility on its own. Before any release, the residual risk of re-identification (including through linkage with other datasets) shall be assessed and, where material, the data shall be further generalised or suppressed.

27.3 Anonymised data is not subject to this Privacy Notice. Pseudonymised data (Section 21.3), where a key or lookup table permitting re-identification is retained, remains Personal Data and is subject to this Privacy Notice.
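The distinction between the pseudonymisation of Section 21.3(a) and the anonymisation techniques of Section 27.2, as an added worked example that is not part of this Privacy Notice or of any Deistler system. The records, key, field names and thresholds are constructed for illustration; k=2 and l=2 are demo values, not a release standard. It shows why a keyed token is still Personal Data (the key holder can re-link it), and why generalisation alone is not enough: after banding age and postcode the sample still has a unique record (k=1) and a class whose every member shares the same sensitive value (l=1), which is exactly the re-identification and homogeneity risk the caveat above asks to be assessed.

```python
import hashlib
import hmac
from collections import defaultdict

# Quasi-identifiers are attributes that are not names but can single someone
# out when combined; the sensitive attribute is what an attacker wants to learn.
QUASI_IDENTIFIERS = ("age_band", "postcode_area")
SENSITIVE_ATTRIBUTE = "risk_band"

# Constructed sample records for illustration only; not real investor data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "age": 34, "postcode": "SW1A 1AA", "risk_band": "high"},
    {"name": "Bob Example",   "age": 37, "postcode": "SW1A 2BB", "risk_band": "low"},
    {"name": "Carol Example", "age": 31, "postcode": "SW1A 3CC", "risk_band": "medium"},
    {"name": "Dan Example",   "age": 52, "postcode": "EC2N 1AA", "risk_band": "high"},
    {"name": "Eve Example",   "age": 58, "postcode": "EC2N 2BB", "risk_band": "high"},
    {"name": "Frank Example", "age": 55, "postcode": "EC2N 3CC", "risk_band": "high"},
    {"name": "Grace Example", "age": 73, "postcode": "W1K 1AA",  "risk_band": "low"},
]


def pseudonymise(record, key):
    """Replace the direct identifier with a keyed HMAC-SHA256 token.

    Same name + same key -> same token, so whoever holds the key can still
    link records and re-identify via a lookup table. This is pseudonymisation
    (Section 21.3), not anonymisation: the output remains Personal Data, and
    the key must be stored separately from the dataset.
    """
    token = hmac.new(key, record["name"].encode("utf-8"), hashlib.sha256).hexdigest()
    out = {field: value for field, value in record.items() if field != "name"}
    out["subject_token"] = token[:16]
    return out


def generalise(record):
    """Suppress the direct identifier and coarsen the quasi-identifiers."""
    decade = (record["age"] // 10) * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_area": record["postcode"].split()[0],  # outward code only
        SENSITIVE_ATTRIBUTE: record[SENSITIVE_ATTRIBUTE],
    }


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """k = size of the smallest class; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len(rows) for rows in classes.values()), default=0)


def l_diversity(records, quasi_ids=QUASI_IDENTIFIERS, sensitive=SENSITIVE_ATTRIBUTE):
    """l = fewest distinct sensitive values in any class; l == 1 means a
    homogeneity attack works: knowing someone is in the class reveals the value."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len({r[sensitive] for r in rows}) for rows in classes.values()), default=0)


def anonymise_for_release(records, k=2, l=2):
    """Generalise, then suppress every class that misses the k or l threshold.

    Returns the releasable rows and a count of rows suppressed for each reason.
    The thresholds are demo values, not a release standard.
    """
    classes = equivalence_classes(generalise(r) for r in records)
    released, report = [], {"suppressed_k": 0, "suppressed_l": 0}
    for rows in classes.values():
        if len(rows) < k:
            report["suppressed_k"] += len(rows)
        elif len({r[SENSITIVE_ATTRIBUTE] for r in rows}) < l:
            report["suppressed_l"] += len(rows)
        else:
            released.extend(rows)
    return released, report


if __name__ == "__main__":
    key = b"constructed-demo-key-held-separately"
    print("pseudonymised:", pseudonymise(SAMPLE_RECORDS[0], key))
    generalised = [generalise(r) for r in SAMPLE_RECORDS]
    print("k after generalisation:", k_anonymity(generalised))  # 1: Grace is unique
    print("l after generalisation:", l_diversity(generalised))  # 1: EC2N class is all "high"
    rows, report = anonymise_for_release(SAMPLE_RECORDS)
    print("released rows:", len(rows), "report:", report)
```

On the sample, generalisation alone leaves k=1 and l=1; the release step suppresses the unique W1K record and the EC2N class whose members all carry the same risk band, and releases only the SW1A class, which is 3-anonymous and 3-diverse. Whole-class suppression is deliberate: dropping individual rows until a class reaches k leaks which rows were removed if the attacker can compare two releases.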


SECTION 28 — DIRECT MARKETING, INVESTOR COMMUNICATIONS & RESEARCH DISTRIBUTION

28.1 Marketing Restrictions.
Deistler shall not engage in unsolicited marketing where such activity is restricted, including under:

(a) EU ePrivacy Directive and national implementations;
(b) UK Privacy and Electronic Communications Regulations (PECR);
(c) U.S. CAN-SPAM Act;
(d) Singapore’s PDPA Do-Not-Call Registry;
(e) Swiss UCA;
(f) other regional regulations.

28.2 Permitted Communications.
Deistler may distribute:

(a) regulatory disclosures;
(b) fund reports;
(c) investor notices;
(d) risk updates;
(e) transaction-related communications;
(f) market commentary and research;
(g) performance analyses.

28.3 Lawful Bases for Marketing Communications.
Such communications shall be provided based on:

(a) contractual necessity (e.g., investor notices);
(b) legitimate interest (e.g., professional communications to regulated institutions);
(c) explicit consent where required.

28.4 Right to Opt-Out.
Data Subjects may at any time request cessation of:

(a) marketing communications;
(b) newsletters;
(c) market commentaries;
(d) event invitations.

28.5 Distributor & Intermediary Compliance.
Any intermediary distributing Deistler communications shall comply with:

(a) MiFID II inducements and marketing rules;
(b) AIFMD distribution requirements;
(c) UCITS marketing directives;
(d) SEC/FINRA advertising rules;
(e) FCA COBS marketing supervision;
(f) MAS Guidelines on Fair Dealing.


SECTION 29 — WEBSITE OPERATIONS & DIGITAL SERVICES

29.1 Digital Infrastructure.
The website https://deistler.family and related digital platforms shall be served only over encrypted (HTTPS/TLS) connections and governed by:

(a) data minimisation;
(b) encryption;
(c) access controls;
(d) intrusion detection systems.

29.2 Server Logs.
Server logs shall record:

(a) IP addresses;
(b) device identifiers;
(c) session timestamps;
(d) request paths;
(e) error reports;
(f) authentication events.

29.3 Cybersecurity Monitoring.
Digital systems may be protected, monitored and assessed using:

(a) behavioural heuristics;
(b) machine-learning threat detection;
(c) malware scanning;
(d) penetration testing;
(e) vulnerability assessments;
(f) DDoS mitigation systems.

29.4 Consent Management Platform (CMP).
Where mandated by law, a CMP shall:

(a) collect consent for cookies;
(b) store consent signals;
(c) provide revocation options;
(d) allow granular preferences;
(e) comply with TCF 2.2 (where applicable).

29.5 Third-Party Integrations.
Digital services may include:

(a) analytics systems;
(b) cloud infrastructure;
(c) secure messaging tools;
(d) AI-based risk engines;
(e) content delivery networks (CDNs).

Such providers shall act as Processors under binding contractual obligations.


SECTION 30 — USE OF ARTIFICIAL INTELLIGENCE & MACHINE LEARNING

30.1 AI Processing Activities.
Deistler may employ automated systems for:

(a) AML/CTF monitoring;
(b) transaction anomaly detection;
(c) fraud prevention;
(d) document classification;
(e) portfolio analytics;
(f) risk modelling;
(g) market pattern recognition.

30.2 Governance Requirements.
AI shall be governed by:

(a) human oversight mechanisms;
(b) fairness and bias controls;
(c) audit trails;
(d) model versioning;
(e) explainability protocols;
(f) adherence to MAS FEAT principles;
(g) SEC algorithmic trading supervision obligations;
(h) FCA AI governance expectations;
(i) EU AI Act compliance where applicable.

30.3 Automated Decisions.
No decision producing legal or similarly significant effects for a Data Subject shall be based solely on automated Processing unless such a decision is permitted by law, necessary for a contract with the Data Subject, or made with the Data Subject's explicit consent, and in every case subject to:

(a) meaningful human review, with the ability for the Data Subject to contest the decision;
(b) documented justification based on the applicable legal or contractual requirement;
(c) a prior risk assessment.

30.4 Data Used for AI.
Where feasible, models shall be trained on anonymised or synthetic data rather than identifiable Personal Data.


SECTION 31 — SOCIAL MEDIA MONITORING & EXTERNAL COMMUNICATIONS

31.1 Deistler may monitor public social media posts for:

(a) reputational risk;
(b) market abuse monitoring;
(c) regulatory compliance;
(d) fraud detection;
(e) threat intelligence.

31.2 Monitoring shall comply with:

  • MAR (Market Abuse Regulation),
  • FCA market conduct rules,
  • SEC Market Surveillance expectations.

31.3 Private messages shall not be accessed unless such access is legally permitted and either:

(a) the message has been expressly provided to Deistler by the Data Subject; or
(b) access is required for fraud detection or an AML investigation.


SECTION 32 — RECORDKEEPING REQUIREMENTS ACROSS REGULATORS

Regulators impose extensive retention and recordkeeping obligations.

32.1 SEC (U.S.) Requirements

Under:

  • SEC Rule 17a-4,
  • SEC Regulation S-P,
  • SEC Cybersecurity Risk Management Rules,
  • Investment Advisers Act requirements,

records shall be retained for:

(a) a minimum of 5 to 7 years, depending on the record type;
(b) permanently for certain categories (e.g., fund formation documents).

32.2 FCA (UK)

Under SYSC, COBS, and SMCR:

(a) records shall be retained for between 5 and 10 years, depending on the record type;
(b) recorded communications may additionally be subject to surveillance.

32.3 BaFin (Germany)

Under:

  • KWG,
  • WpHG,
  • KAGB,
  • MaRisk,
  • BAIT,

records shall be retained for:

(a) 5 to 10 years, depending on the record type;
(b) longer where connected to AML obligations.

32.4 FINMA (Switzerland)

Under:

  • FINMA Circulars,
  • AMLO-FINMA,
  • Swiss Code of Obligations,

records shall be retained for:

(a) at least 10 years.

32.5 MAS (Singapore)

Under:

  • MAS Notice SFA04-N02 (AML/CFT),
  • TRM Guidelines,
  • PDPA,

retention is:

(a) at least 5 years for AML/KYC;
(b) longer for regulatory purposes.


SECTION 33 — TAX REPORTING, INVESTOR IDENTIFICATION & SHARING

33.1 Personal Data may be shared with tax authorities pursuant to:

(a) FATCA;
(b) CRS;
(c) DAC6;
(d) bilateral tax treaties;
(e) local tax compliance obligations.

33.2 Disclosures may include:

(a) identifying information;
(b) account balances;
(c) transaction histories;
(d) beneficial ownership records;
(e) controlling persons;
(f) UBO registers.


SECTION 34 — SANCTIONS, EXPORT CONTROLS & GEOPOLITICAL COMPLIANCE

34.1 Processing may include checks against:

(a) OFAC SDN List;
(b) EU Sanctions Lists;
(c) UK HMT Sanctions List;
(d) UN Sanctions Lists;
(e) SECO Swiss sanctions lists;
(f) MAS Sanctions Lists.

34.2 Deistler may suspend or terminate relationships where sanctions exposure is identified.

34.3 Deistler may report findings to competent authorities.


SECTION 35 — SUPPLIERS, VENDORS & OUTSOURCING

35.1 All vendors shall enter into binding Data Processing Agreements.

35.2 Vendors may include:

(a) cloud hosting providers;
(b) privileged access management (PAM) platforms;
(c) cybersecurity incident responders;
(d) communications and CRM services;
(e) transaction monitoring providers;
(f) custodians and fund administrators.

35.3 Outsourcing shall comply with:

  • EBA Outsourcing Guidelines,
  • BaFin MaRisk AT 9,
  • FINMA Outsourcing Circular,
  • FCA SYSC outsourcing requirements,
  • MAS Outsourcing Guidelines.


SECTION 36 — PHYSICAL SECURITY

36.1 Physical premises shall employ:

(a) CCTV systems;
(b) biometric access controls;
(c) multi-layer facility authentication;
(d) visitor logs;
(e) restricted access zones;
(f) alarm systems;
(g) retention-limited security recordings.

36.2 CCTV footage may be used for:

(a) safety;
(b) crime prevention;
(c) regulatory investigations;
(d) internal security.


SECTION 37 — HR & EMPLOYEE DATA PROCESSING

37.1 Employee Personal Data may include:

(a) identification;
(b) background checks;
(c) payroll records;
(d) performance evaluations;
(e) conduct investigations;
(f) training certifications.

37.2 Processing shall comply with:

  • labour law;
  • AML/KYC requirements where employees handle client data;
  • regulatory fitness and propriety assessments (e.g., FCA SMCR, BaFin fit & proper tests).

37.3 Employee data may be retained beyond employment termination where required.


SECTION 38 — AML / CFT / KYC PROCESSING

38.1 Deistler shall Process Personal Data to fulfil Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), and Know-Your-Customer (KYC) obligations under:

(a) EU AMLD5 & AMLD6;
(b) German GwG;
(c) Swiss AMLO-FINMA;
(d) UK Money Laundering Regulations;
(e) MAS Notice SFA04-N02;
(f) U.S. Bank Secrecy Act;
(g) FinCEN and OFAC rules;
(h) FATF Recommendations.

38.2 Processing may include:

(a) identity verification;
(b) beneficial ownership checks;
(c) politically exposed person (PEP) screening;
(d) sanctions screening;
(e) adverse media checks;
(f) transaction monitoring;
(g) suspicious activity reporting.

38.3 Deistler may share relevant information with competent authorities where legally mandated.


SECTION 39 — MARKET ABUSE MONITORING

39.1 Deistler shall Process Personal Data to comply with:

(a) EU Market Abuse Regulation (MAR);
(b) UK MAR;
(c) FINMA Market Conduct Guidelines;
(d) SEC and FINRA market abuse regulations.

39.2 Processing activities may include:

(a) insider trading surveillance;
(b) trade reconstruction;
(c) communications monitoring;
(d) employee dealing controls.

39.3 Deistler may provide Personal Data to regulators during investigations.


SECTION 40 — AUTOMATED SURVEILLANCE & COMMUNICATIONS MONITORING

40.1 Monitoring may include:

(a) email surveillance;
(b) voice recording (where permitted);
(c) messaging system audits;
(d) Bloomberg or Reuters chat logs;
(e) trade surveillance patterns;
(f) conduct-risk reviews.

40.2 Such monitoring is required under:

  • MiFID II,
  • SEC Rule 17a-4,
  • FCA SYSC,
  • FINMA guidelines.

40.3 Employees, contractors, and authorised users shall be informed of monitoring where required by law.


SECTION 41 — CHILDREN’S DATA

41.1 Deistler does not knowingly collect Personal Data from minors, defined according to jurisdiction (e.g., under 13 in the U.S.; under 16 in the EU, or the lower age (not below 13) set by the relevant Member State, unless parental consent is obtained).

41.2 If such data is inadvertently collected, it shall be deleted unless retention is legally required.


SECTION 42 — INTERNATIONAL REGIONAL NOTICES

42.1 United States — Federal and State Laws

42.1.1 U.S. Federal Laws Applicable:

(a) Gramm-Leach-Bliley Act (GLBA);
(b) SEC Regulation S-P;
(c) CFTC rules;
(d) FINRA supervision obligations;
(e) Bank Secrecy Act;
(f) USA PATRIOT Act.

42.1.2 State-Level Privacy Laws (multi-state compliance)

Deistler complies with applicable sections of:

(a) California CCPA/CPRA;
(b) Colorado Privacy Act;
(c) Virginia CDPA;
(d) Utah Consumer Privacy Act;
(e) Connecticut Data Privacy Act;
(f) New York SHIELD Act;
(g) Illinois Biometric Information Privacy Act (BIPA);
(h) Texas Data Privacy and Security Act.

California Resident Rights Summary

Residents may request:

(a) access;
(b) deletion;
(c) correction;
(d) opt-out of sale/sharing;
(e) opt-out of automated decision-making;
(f) limit use of sensitive data.

42.2 Europe (EU / EEA)

Processing shall comply with:

(a) GDPR;
(b) MiFID II;
(c) AIFMD;
(d) UCITS directives;
(e) EBA/ESMA guidelines;
(f) local national implementations.

Supervisory authorities vary by Member State.

42.3 United Kingdom

Under:

(a) UK GDPR;
(b) Data Protection Act 2018;
(c) FCA guidelines;
(d) SMCR regime.

42.4 Switzerland

Subject to:

(a) Swiss Federal Data Protection Act (FADP);
(b) FINMA requirements for financial institutions.

42.5 Middle East (UAE, DIFC, ADGM, Qatar)

(a) DIFC Data Protection Law;
(b) ADGM Data Protection Regulations;
(c) UAE Federal Data Protection Law No. 45 of 2021.

42.6 Asia-Pacific

42.6.1 Singapore

(a) PDPA;
(b) MAS TRM Guidelines;
(c) AML/CFT obligations.

42.6.2 Hong Kong

(a) PDPO;
(b) SFC conduct rules.

42.6.3 Japan

(a) APPI.

42.6.4 Australia

(a) Privacy Act;
(b) APPs;
(c) AUSTRAC AML obligations.

42.6.5 China

(a) PIPL;
(b) Cybersecurity Law.

China cross-border transfers may require:

(a) government security assessments;
(b) standard contracts;
(c) certification.


SECTION 43 — DATA SUBJECT REQUEST PROCEDURES

43.1 Upon receiving a request, Deistler shall:

(a) verify identity;
(b) log the request in internal systems;
(c) assess applicable rights based on jurisdiction;
(d) respond within statutory timelines (e.g., one month under GDPR, extendable by two further months for complex or numerous requests, with the Data Subject informed of the extension);
(e) provide explanation where requests are refused;
(f) maintain audit trails.

43.2 Requests may be refused where:

(a) disclosure would compromise security or adversely affect the rights of others;
(b) requests are manifestly excessive;
(c) data must be retained for legal claims;
(d) retention is required by law.


SECTION 44 — GOVERNING LAW & JURISDICTION

44.1 This Privacy Notice shall be governed by and construed in accordance with:

(a) the laws of the jurisdiction in which the relevant Deistler entity is established;
(b) mandatory applicable privacy and financial regulations.

44.2 Any disputes shall be brought exclusively before competent courts unless applicable law mandates arbitration or regulatory resolution.


SECTION 45 — CHANGES TO THIS PRIVACY NOTICE

45.1 Deistler may amend this Privacy Notice:

(a) to reflect changes in law;
(b) to reflect technological developments;
(c) to align with regulatory expectations.

45.2 Material changes shall be communicated via:

(a) website updates;
(b) investor communications;
(c) regulatory filings where required.

45.3 Continued use of services constitutes acceptance of revised terms.


SECTION 46 — DEFINITIONS

The following terms shall have the meanings set out below:

“Adequacy Decision” means a formal determination by the competent authority (e.g., the European Commission under GDPR Article 45) that a jurisdiction ensures essentially equivalent data protection.

“Controller” means the entity determining purposes and means of Processing.

“Data Subject” means an identified or identifiable natural person.

“Personal Data” means any information relating to a Data Subject.

“Processor” means an entity processing Personal Data on behalf of a Controller.

“Special Category Data” includes sensitive data such as biometric, racial, health, political, or religious information.

“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

“SCCs” means Standard Contractual Clauses adopted by authorities for cross-border transfers.

“Third Country” means any country outside the jurisdiction whose data-protection law governs the Transfer (e.g., outside the EEA for GDPR purposes, outside the United Kingdom for UK GDPR purposes).

“Transfer” means any cross-border transmission of Personal Data.

APPENDIX B — COUNTRIES TO WHICH PERSONAL DATA MAY BE TRANSFERRED

Transfers may occur to:

  • EU Member States
  • United Kingdom
  • Switzerland
  • United States
  • Canada
  • Australia
  • Singapore
  • Hong Kong
  • Japan
  • UAE / DIFC
  • China
  • Brazil
  • India
  • South Africa
  • Norway
  • Iceland
  • Liechtenstein
  • Any other jurisdiction where Deistler engages service providers or conducts regulated activities

APPENDIX C — CATEGORIES OF DATA SUBJECTS

  1. Clients and Investors
  2. Prospective Clients
  3. Beneficial Owners
  4. Employees
  5. Contractors
  6. Directors and Officers
  7. Vendors and Consultants
  8. Website Users
  9. Event Attendees
  10. Business Contacts
  11. Professional Advisers

APPENDIX D — CATEGORIES OF PERSONAL DATA

  1. Identification Data
  2. Financial Data
  3. Investment Data
  4. Transaction Data
  5. AML/KYC Data
  6. Communications Data
  7. Website Data
  8. Employment Data
  9. Sanctions & Screening Data
  10. Compliance Data

APPENDIX E — TECHNICAL AND ORGANISATIONAL MEASURES

Measures include:

  • encryption at rest & in transit;
  • multi-factor authentication;
  • network segmentation;
  • privileged access controls;
  • SIEM monitoring;
  • endpoint threat detection;
  • data leakage prevention;
  • secure coding standards;
  • employee training;
  • disaster recovery plans;
  • business continuity planning.

APPENDIX F — LEGAL BASES FOR PROCESSING

Processing relies on:

  • consent;
  • contractual necessity;
  • legal obligation;
  • legitimate interest;
  • vital interest;
  • public interest (where applicable).