Policy Relating to the Processing of Personal Data

Cascada Partners S.A. has considered the importance of your privacy and its protection. This policy explains how Cascada Partners S.A. and its affiliates, agents and representatives (“Cascada”) will process your personal information.

If you contact us or if you work with us, we will most likely end up having possession of and processing your personal data.

Who will process your personal data?

Your personal data will be processed by Cascada Partners S.A., a Romanian joint-stock company, having the trade registry number J40/19525/2022 and the sole registration code 46940021, with its head-office at 4-10 Muntii Tatra Street, 1st floor, office 3, sector 1, Bucharest, Romania (“Cascada”).

As per the GDPR, Cascada is the personal data controller. In such capacity, Cascada can be contacted in writing at 75-77 Buzesti Street, 10th floor, sector 1, Bucharest, Romania and electronically at the following e-mail address: [email protected].

What personal data do we collect and for what purpose?

a. General and marketing

When contacting us online, via telephone, in writing or otherwise you may voluntarily provide personal data about yourself to us including your name and contact details (e.g. your address, email address and telephone number). We will use such information to contact you and answer any questions addressed to us.

Provided we obtain your consent, we may use such data for marketing purposes, i.e. communicating to you news items, information about planned events and other information in which you may be interested.

b. Information about job applicants

If you apply for or enquire about a job with us we may also ask you to provide details of your previous job title, your employment history, a copy of your CV and references – and we may also seek references and carry out checks with third parties if appropriate for the role you have applied for. This processing is justified by our legitimate interests to carry out effective recruitment.

c. Information about management and employees at our portfolio companies

When we acquire a business, we will obtain some information about the employees and other staff who work in that business to carry out and improve our business in the pursuit of our legitimate interest.

d. Information about investors / potential investors / those who work for or are connected with investors

If you (or an institutional investor or investment vehicle with which you are associated) consider investing with us, you may also provide us with your financial information and various other necessary personal data. This processing will be justified by the performance of a contract concluded with you, or for the purpose of corresponding with you for business purposes, providing any support you may require or to process an investment application in accordance with our legitimate interests. In certain circumstance, we may also process your personal data for the purpose of complying with our KYC-AML obligations.

e. Information about individuals who are our suppliers or other business contacts (and individuals employed by our suppliers and business contacts)

If you provide services to us or have a business dealing with us (or are employed or engaged by an entity which provides services or has a business dealing with us), we may acquire your name, contact details, some employment information and we may acquire copies of ID documents or similar information, for the purpose of corresponding with you, carrying out and improving our business, analyzing the use of our website and services in the pursuit of our legitimate interests.

How long do we keep your personal data?

As a rule, we will keep your personal data for a period of 3 (three) years, but, depending on the actual purpose for which we process such data, we may be required to keep it for longer periods, in order for us to be able to exercise our legitimate interests (provided, however, that no mandatory legal time limits are exceeded). Data processed based on consent will be kept as long as the consent is valid.

What is the source of the personal data we process?

We may obtain your personal data when you provide it to us or in the ordinary course of our relationship with you. We may also obtain your personal data from our affiliates or from contractors, advisors and other providers of services to us or to our affiliates.

We may collect personal data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), to the extent that you choose to make your profile publicly visible).

We may receive your personal data from third parties who provide it to us (e.g., credit reference agencies; law enforcement authorities; etc.).

With whom do we share your personal data?

Your data may be made available to entities and bodies authorized to process such data on the basis of legal regulations. Your personal data may also be transferred to the entities with which Cascada is affiliated, to their contractors (and their representatives), as well as business partners and service providers of Cascada, in particular advisors, law offices, notarial and tax advisory offices, IT service providers, marketing service providers, services in the scope of archiving and destruction of documents, finance and accounting services and insurance services, whereas such entities process data on the basis of an agreement with Cascada and in accordance with its order.

We do not expect that your personal data will be transferred to third countries situated outside the European Economic Area. Should this be required, the transfer shall take place in accordance with the permitted transfer mechanisms regarding the protection of personal data, in particular on the basis of standard clauses of protection adopted by the European Commission.

Automated decision-making

Personal data shall not be processed in an automated manner to make decisions, including in order to perform profiling.

What rights do you have?

The GDPR grants you certain rights in relation to your personal data processed by us, namely:

i. the right to receive information on the processing of your personal data;

ii. the right to request access to personal data owned and processed by Cascada;

iii.  the right to rectify / complete these data if they are inaccurate / incomplete;

iv. the right to object to the processing of personal data;

v. the right to withdraw your consent in those cases where the processing of data by Cascada is based on this legal basis (however without affecting the legality of the processing executed based on such consent before its withdrawal);

vi. the right to request the deletion of personal data;

vii. the right to request the restriction of the processing of personal data;

viii. the right to portability of personal data.

Complaints

In addition to the rights mentioned in the section titled “What rights do you have?”, you also have the right to lodge a complaint with a supervisory authority. In Romania, the supervisory authority is The National Supervisory Authority for Personal Data Processing (AutoritateaNațională de Supraveghere a PrelucrăriiDatelor cu Caracter Personal), with the website: https://www.dataprotection.ro/.

Other information

This information notice may be updated from time to time, in case, inter alia, changes in legislation or in the manner we process your personal data will occur. Any such updated version will be published here.

If you contact us, you will be assumed to be aware of and agree with the content of this information notice at the date of the contact. If you continue to work with us after your initial contact, you will be assumed to also be aware of and agree with the content of any updated version.