Privacy Notice – Personal Data Regarding Clients

Chelton AB

This privacy notice contains information to you as a client about Chelton AB’s processing of personal data.

The personal data controller for the processing of data that occurs within the operations is Chelton AB, reg.no. 559056-6641, Föreningsgatan 28, 211 65 Malmö (”Chelton”).

Chelton conducts "other financial activities" pursuant to 1 § 2 pt. of the Currency Exchange and Other Financial Activities Act (1996:1006) (Sw: lag (1996:1006) om valutaväxling och annan finansiell verksamhet) as a registered financial institution (Insitution number with Finansinspektionen: 70413). The business activities of Chelton is to provide to its clients a discretionary currency management service.

Peter Borggren is the contact person for questions about Chelton’s processing of personal data. Questions and remarks regarding Chelton’s processing of personal data can be directed to the contact person.

Peter Borggren
peter@cheltonwealth.se
+46 (0)70 744 43 62

Chelton processes personal data as further described below within

  1. marketing of its currency management services,
  2. conducting legally required client knowledge measures, and
  3. execution of its currency management services.

Further, Chelton also processes personal data related to employees, potential employees, service providers etc. which however is not covered in this document.

 

2.1 Marketing of the currency management services

General
Chelton markets its currency management services through direct marketing measures towards potential clients.

Purpose and legal grounds
Chelton’s processing personal data within the marketing activities is based on legitimate interest.

Chelton’s potential clients consist of both physical persons and legal entities. In the case of legal entities, the personal data is for example processed regarding the legal entity’s contact persons, authorized signatories, owners etc. The legal basis in such cases is legitimate interest that derives from the relation with the client (the legal entity).

Within its marketing activities Chelton might receive and handle lists of potential clients (the “Prospect lists”) for marketing of the currency management services to these potential clients. Processing of personal data within Prospect lists is based on legitimate interest. When a potential client from a Prospect list is contacted and that client express that it is not interested in the currency management services offered by Chelton, that client’s personal data shall be sorted out and deleted. Personal data regarding clients that in contacts with Chelton have expressed interest in the currency management services will be processed for further marketing purpose.

Categories of personal data
Chelton processes the following categories of personal data.

When the client is a legal entity:

  • contact information such as name, address, email address, and phone numbers of contact persons, authorized signatories, owners and others, and
  • financial information, mainly the client’s investments.

When the client is a private individual:

  • name, address, phone numbers and email address,
  • potential attorney, and
  • financial information, mainly the client’s investments.

The personal data is registered in Chelton’s CRM system, e-mail system and where applicable in form of meeting minutes.

Recipient of personal data
Those who may receive the personal data, besides Chelton’s employees, include where applicable external IT suppliers.

Storage of personal data
Chelton applies routines for sorting out and deleting personal data where the client has revoked its consent, there is no longer any need of the personal data, the personal data is obsolete, etc.

 

2.2 Conducting legally required client knowledge measures

General
As a registered financial institution Chelton is required to comply with the Act (2017:630) on Measures Against Money Laundering and Terrorism Financing (Sw: lagen (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism) (the “AML Act”). The AML Act states, inter alia, a requirement for Chelton to obtain client knowledge (KYC) before a business relationship is commenced and thereafter during the duration of the business relationship.

Purpose and legal grounds
The purpose of the processing of personal data in question is to comply with the AML Act regarding client knowledge. The basis for Chelton’s KYC measures, for which personal data is processed, is thus a legal requirement. Chelton’s client knowledge procedure includes verifying the identity of representatives of the legal person and, where applicable, the beneficial owner, as well as checking whether the beneficial owner (legal person) or client (natural person) constitutes a so-called PEP (Politically Exposed Person), and whether the representative, beneficial owner or client is inserted on a sanction list. Further on, Chelton checks the purpose and type of the business relationship as well as the origin of the assets that are managed by Chelton.

Categories of personal data
Chelton processes the following categories of personal data when conducting client knowledge measures.

When the client is a legal entity:

  • contact information such as name, address, email address, and phone numbers of contact persons,
  • authorized signatories,
  • owners and others,
  • ID-information (such as copies of passport or ID-documents),
  • PEP-position (including profession/title) of representatives and beneficial owners,
  • if a representative or beneficial owner is inserted on a sanction list, and
  • financial information, mainly the client’s investments.

When the client is a private individual:

  • name, address, social security number, phone numbers and email address,
  • potential attorney, 
  • Chelton positions,
  • ID-information (such as copies of passport or ID-documents),
  • PEP-position (including profession/title) and
  • if a client or representative is inserted on a sanction list,
  • account information, and
  • financial information, mainly the client’s investments.

The KYC process is carried out on a tool called Due PTL, which is provided by Due Compliance AB. The information is retrieved in the tool.

Chelton may also collect information from Bisnode or UC.

Recipient of personal data
Personal data is stored in Due PTL which is a tool provided by Due Compliance AB for this process. Personal data processed in connection to Chelton’s KYC measures is also stored in DropBox, which is Chelton’s cloud-based service for document storage. Furthermore, Chelton may share the information with other IT and system vendors that provide support for Chelton’s systems and cloud services. Chelton may also share information with the Financial Intelligence Unit within the Swedish Police if such disclosure is prescribed by law.

Storage of personal data
The personal data collected within the scope of KYC measures is stored during the ongoing business relationship and for five years from the termination thererof or such longer period of time that may be required by the AML Act.

 

2.3 Execution of the currency management services

General
The currency management service requires that the client has currency accounts at an account-/custody institute (the “Depositary”) where the assets that subject to the management service is deposited. Chelton and the client enters into an agreement regarding the currency management service and the client provides Chelton with a power of attorney to execute spot-fx transactions with the assets of the client at the Depositary within the agreed management mandate. Currency transactions are then conducted on a discretionary basis by Chelton by submitting spot-fix orders at the Depositary on behalf of the client. The currency management service is provided pursuant to the agreement with the client until the client terminates the agreement with Chelton.

Purpose and legal grounds
Chelton’s processing personal data within the execution of the currency management services is based on agreement with the client.

Categories of personal data
Chelton processes the following categories of personal data.

When the client is a legal entity:

  • contact information such as name, address, email address, and phone numbers of contact persons, authorized signatories, owners and others, and
  • financial information, mainly the client’s investments.

When the client is a private individual:

  • name, address, social security number, phone numbers and email address,
  • potential attorney, 
  • account information, and
  • financial information, mainly the client’s investments.

The personal data is registered in Chelton’s CRM system, e-mail system and where applicable in form of meeting minutes.

Recipient of personal data
Those who may receive the personal data, besides Chelton’s employees, include where applicable external IT suppliers.

Storage of personal data
Chelton stores personal data for so long the currency management agreement with the client is valid and thereafter for a period of 10 years after the termination of the agreement (pursuant to the general prescription period for claims (Sw: allmänna preskriptionsfristen).

Cookies are small text files containing letters and numbers sent from Chelton’s web server to be saved on the visitor’s web browser or device. On www.cheltonwealth.se, Chelton uses the following cookies:

  • Third party cookies (cookies established by a third party’s website). Chelton uses these primarily for analyses, for example Google Analytics.

The cookies used generally improve Chelton’s marketing activities. Chelton uses cookies for general analytical information regarding your usage of Chelton’s web page and to save certain functional settings such as language and other data. You can read more about cookies with regard Chelton on www.cheltonwealth.se.

As a visitor on Chelton’s website, you may consent to the usage and storage of cookies. You can at any time withdraw your consent to the use of cookies for the purposes stated above by adjusting your web browser’s settings to not consent to the use of cookies. If you select to not consent to the use of cookies, you can still access our web page, however, the use of certain functions and parts of our web page may be limited.

The right to access (so-called extract from the register)
You are entitled to be informed about the processing that Chelton perform regarding you. This must include a description of the purpose and legal basis of the processing, which categories of personal data it concerns and who receives the personal data. Chelton have compiled this information as outlined above for your ease of reference. An extract from the register means that you are provided with an overview of the processing so that you may understand if, and for what purpose, your personal data is processed.

Right to rectification, erasure or restriction
If you believe that Chelton have processed your personal data incorrectly, or that it may need to be rectified, you have the right to request that Chelton correct the data, and, if you do not want Chelton to continue processing the personal data, you have the right to request that Chelton erase the data. Chelton will rectify or delete the personal data if it is possible in respect of our purpose for the processing and the legal requirements that Chelton are under a duty to follow.

If you believe that the personal data Chelton store about you is inaccurate, that Chelton’s processing is illegal or that Chelton do not need the data for a specific purpose, you have the right to request that Chelton restrict its processing of your personal data. You can also request that Chelton shall restrict the process of your personal data while Chelton investigate whether your request to exercise any other rights can be granted.

However, it should be noted that the right to rectification or erasure may be limited in some cases, as Chelton is a registered financial institution and hence required by law to store certain information.

The right to object in certain circumstances
You have the right to object at any time to the processing of your personal data if the legal basis for the processing consists of the performance of a task in the public interest, or a balancing of interests. If you object, Chelton will examine whether its interest to process your data outweighs your interest in not having your personal data processed.

You also have the right to object at any time to the processing of your personal data on the grounds of direct marketing.

The right to data portability
You have the right to retain the personal data that have been provided to Chelton and have the right to transfer this data to another personal data controller subject to:

  1. it is being technically feasible; and
  2. the legal basis for the processing consists of consent, or that the processing was necessary for the fulfilment of an agreement.

The right to withdraw consent
If the processing of personal data is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The right to lodge a complaint regarding the processing of personal data
You always have the right to contact the Swedish Authority for Privacy Protection in order to lodge a complaint linked to Chelton’s processing of personal data. Below you will find the contact information for the Swedish Authority for Privacy Protection.

Telephone number: 08-657 61 00
Email address: imy@imy.se

If you, as a data subject, wish to exercise your rights or have a response to other questions, you can find Chelton’s contact information set out in Section 1. You have the right to contact Chelton as an alternative to contacting the Swedish Authority for Privacy Protection.

Chelton uses IT systems to protect the secrecy, privacy, and access to personal data. Chelton has performed certain security measures to protect your personal data against unlawful or unauthorized processing (such as unlawful access, loss, destruction, or damage). Access is provided to only authorised persons that are required to process your personal data in order for Chelton to be able to fulfil the purposes set out above.

Chelton always aim to only process personal data within the EU/EEA. Where appropriate, Chelton may share personal data with a third party in a country outside the EU/EEA, a so-called third country. In the event of a transfer to a third country, Chelton will ensure that such transfer is made in accordance with applicable data protection legislation, either by basing the transfer on an adequacy decision by the European Commission or by using the European Commission's standard contractual clauses in combination with organizational and technical safeguards.

Personal data may be transferred to the following recipients outside the EU/EEA:

Depositary
Chelton’s currency management service requires that the client has currency accounts at Axi Financial Services Limited (“Axi") Axi is domiciled in the UK that is not a member of the EU/EEA. Forms and other documents for account opening may hence be transferred outside of the EU/EEA, which is however only done after instruction of the client and subject to the client’s consent.

For more information about Axi’s processing of personal data, please refer to: 
https://www.axi.com/uk/legal-documentation/privacy-policy

System providers
In the operation of Chelton’s business, we use Microsoft Office 365 as system provider. In connection with Microsoft receiving personal data about you, your personal data may be transferred to, for example, the United States. For more information about how Microsoft processes personal data see: 
https://privacy.microsoft.com/en-us/privacystatement

To read more about the transfer of personal data to third countries and to access the standard contractual clauses, see: 
https://learn.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses 

Social media
When you visit Chelton’s social media platforms (Facebook, Instagram and LinkedIn), your personal data is also collected and processed by the companies providing such platforms (Meta and LinkedIn). When these companies receives personal data, data may also be transferred to the United States.

Facebook and Instagram
When using the services in question, your personal data will be processed by Meta Platforms Ireland Limited. For more information on the processing, transfer of personal data to third countries and to read the standard contractual clauses, see: 
https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer
https://www.facebook.com/help/566994660333381?ref=dp&helpref=faq_content

LinkedIn
By using the service, your personal data is processed by LinkedIn Ireland Unlimited Company. For more information on the processing, transfer of personal data to third countries and to read the standard contractual clauses, see:
https://www.linkedin.com/legal/privacy-policy
https://www.linkedin.com/help/linkedin/answer/a1343190

Chelton reserves the right to change and update this privacy notice. Chelton will provide information in an appropriate manner should the privacy notice be materially changed, or in the event that personal data is to be processed in another manner than what is stated in the privacy notice.

Valid as of the May 01, 2023