Privacy Policy

STICHTING WIRECARD INVESTORS CLAIM

Most recent update: June 2023

This privacy policy contains important information as it sets out how we, Stichting Wirecard Investors Claim (“SWIC”), handle your personal data when you visit our website or use our services (“user”, “you”). Feel free to contact us in case you have any questions.

1 About us

1.1 SWIC (“we”, “us”, “our”) is a Dutch non-for-profit foundation that devotes itself to obtain adequate compensation on behalf of the injured parties that have incurred damages because of the accounting fraud at Wirecard AG and its subsidiaries. SWIC attaches great importance to the protection of your personal data.

1.2 This privacy policy explains to you how we collect, use, save, share, transfer or otherwise process your personal data when you visit our website, make use of our claim and redress services or when you contact us.

2 Scope

The scope of this privacy policy is limited to processing activities to which the General Data Protection Regulation (“GDPR”) and its national implementation acts apply.

3 Responsibility

3.1 We will only process personal data in accordance with the applicable privacy legislation and as described in this privacy policy.

3.2 The website includes links to website of third parties. We are not responsible for the content of these websites, services provided by these third parties, or their compliance with the applicable privacy legislation.

4 How do we obtain your personal data?

4.1 We obtain your personal data in various ways:

We obtain information actively provided by you. For example, if you contact us, if you sign up for our newsletter or if you provide information to us in the course of our claim and redress services.

We obtain some information automatically when you visit our website. For example, we automatically obtain information about you via cookies when you visit our website.

We also obtain information from third parties. For example, we may request information about your company from the Trade Register of the Chamber of Commerce.

4.2 It may be that providing certain personal data to us is a statutory or contractual requirement, a requirement necessary to enter into a contract, or that you are otherwise obliged to provide the data to us. If that is the case, we will inform you thereof separately, and will also explain the possible consequences if you fail to provide such personal data to us.

5 Security

5.1 It depends on the processing activity, which personal data we process about you, for which purposes and based on which legal ground. Please find an overview below.

Activity	Categories of personal data processed	Legal ground(s) for processing and purposes for processing
Visiting our website	IP address Currently, we only use technical cookies on our website. In case this changes in the future, we will inform you thereof accordingly.	We collect these personal data on the basis of our legitimate interests, namely improving our online services. This is the case with regard to technical cookies necessary for the functioning of the website and several analytic cookies that are not used to treat you differently from other users. We process your personal data for purposes of (i) improving our website, (ii) being able to provide you with consistent service across all your devices and (iii) enhancing our security and protecting your information.
Engaging us to offer you our claim and redress services, possibly by creating an account on our website	In case of natural persons: Your IP addressYour name, e-mail address and telephone numberYour address Your date of birthYour place of birthYour bank account numberYour swift/bic numberName of the bank account holderAny information that is listed in productions that are uploaded by you such as transaction receipts, securities account statements and CSV overviews. In case of legal persons: All information as listed above under ‘natural persons’ in so far as relevant (with regard to the Ultimate Beneficial Owner or other (natural) person legally allowed to join the claim on behalf of the company) Name of the companyRegistration number of the relevant chamber of commerce register and an excerptFirst and last name of the authorized representative being legally allowed to join the claim on behalf of the companyPosition of said authorized representativeProof of authorityExcerpt from the register of associationArticles of association	We collect these personal data as this is necessary for the performance of a contract with you. We process your personal data for the purposes of (i) your participation in the applicable claim procedure(s) regarding which SWIC aims to retrieve compensation, (ii) possibly contacting you to optimize your and our position in the claim procedure(s) and (iii) storing your personal data in your personal data account, which prevents you from having to share your data multiple times.
Communication with you	Your name, e-mail address and telephone numberThe content of your messages to usInformation with regard to the follow-up of your questions and requests by us	We collect these personal data on the basis of our legitimate interests, namely to be able to improve our services provided to you and to be able to provide you with relevant information. We process your personal data for the purpose of (i) following up on your questions or requests, and (ii) to inform you about matters that may be of importance to you.
Newsletter	Your name and e-mail addressPreferences for receiving information, such as frequency and categories of information	We collect these personal data on the basis of your consent. We process your personal data for the purposes of (i) providing information with regard to services or matters that may be of importance to you, such as the use of our website and your account and/or the progress of the legal procedure(s).
Other general purposes	Any information we possibly have of you that is necessary for the relevant purpose of processing.	We collect these personal data as this might be necessary for compliance with a legal obligation that is applicable to us as a data controller or for purposes of our legitimate interests, namely carrying out our regular business activities and protecting our interests in case of conflicts. We process your personal data for purposes of (i) following requests of public authorities, (ii) conducting criminal investigations, prosecutions, trials and the execution of judgments, (iii) collaborating with third parties, (iv) conducting statistical or academic researches, or (v) other circumstances as stipulated by relevant laws and regulations.
Sending your claim calculation.	IP address, e-mail address, entered transaction data. Currently, we only use technical cookies on our website. In case this changes in the future, we will inform you thereof accordingly.	We collect these personal data on the basis of our legitimate interests, namely, to be able to provide you with relevant information. We process your personal data for the purpose of (i) following up on your request to have the calculation sent to you by e-mail, and (ii) to inform you about matters that may be of importance to you.

5.2 If and insofar your personal data is processed on the basis of legitimate interests, information can be obtained by you as to the so-called balancing test that was carried out to allow us to rely on this processing ground. This test shows why our legitimate interests outweigh your right to privacy in those specific cases. Please find our contact details below.

5.3 It may be that we intend to further process your personal data for a purpose other than those for which the personal data have been collected. In such case, we will provide you with information about the(se) other purpose(s) and all relevant further information prior to that further processing.

6 Sharing with third parties

6.1 For the provision of our services we share your personal data on a strictly need-to-know-basis with:

Activity	Recipients	Location
Visiting our website	Data processors engaged by us, such as IT service providers and hosting providers, such as: WPEngine, Cloudways, Catalyst Collective Redress Services Combell B.V.	Services are provided within the EU.
Engaging us to offer you our claim and redress services, possibly by creating an account on our website	Subcontractors or service providers such as (foreign) auditing companies, consulting and law firms, insurance companies and payment providers, such as; AKD N.V.Nieding+Barth Other parties involved in the claim; Data processors engaged by us, such as IT service providers, cloud services and hosting providers, such as: WPEngine, Catalyst Collective Redress Services, AWS SES.	Services are provided within the EU.
Communication with you	Data processors engaged by us, such as IT service providers, cloud services, and hosting providers, such as: Catalyst Collective Redress Services B.V.Google Cloud EMEA Limited	Services are provided within the EU.
Newsletter	Data processors engaged by us, such as IT service providers, cloud services, and hosting providers, such as: Catalyst Collective Redress Services B.V.	Services are provided within the EU.
Other general purposes	The recipients depend on the purposes of the processing activity. Where relevant, we will inform you of the applicable recipients in those cases.	The location in which the services are provided depends on the purposes of the processing activity.

6.2 We will only make information public under the following conditions and to the extent that security measures are generally accepted in the industry have been taken:

At your request, and only limited to the personal data that you have requested;
As required by relevant laws and regulations applicable to us;
If needed in case of a law suit or legal procedure.

7 Transfer to countries outside the EEA

7.1 SWIC does not involve parties that are located outside the European Economic Area (“EEA”) for the processing of your personal data. If this will be the case in the future, we will duly inform you of that matter and the procedure as explained below will apply.

7.2 Transfers of your personal data to a country outside the EEA may in the first place be legitimized on the basis of a so-called adequacy decision. This is a decision in which the European Commission states that e.g. a certain country offers a level of data protection similar to the GDPR. See this link for the current list of adequacy decisions. If and insofar as we transfer personal data with parties in countries outside the EEA to which no adequacy decision applies, we will agree with these parties to data protection provisions set by the European Commission, so called standard contractual clauses. A copy of the agreed standard contractual clauses can be requested by you.

8 Security

8.1 We take appropriate organizational and technical security measures to protect your personal data and to prevent misuse, loss or alteration thereof.

8.2 Examples of technical security measures taken by us are:

logical and physical security (e.g. safe, doorman, firewall, network segmentation);
technical control of the authorizations (as limited as possible) and keeping log files;
management of the technical vulnerabilities (patch management);
keeping software up-to-date (e.g. browsers, virus scanners and operating systems);
making back-ups to safeguard availability and accessibility of the personal data;
automatic erasure of outdated personal data;
encryption of personal data;
applying hashing or (other) pseudonymization methods to personal data; and
use secure storage facilities.

8.3 Examples of organizational security measures taken by us are:

assign responsibilities for information security;
promote privacy and security awareness;
establish procedures to test, assess and evaluate security measures periodically;
check logfiles regularly;
using a protocol for handling data breaches and other security incidents;
conclude confidentiality, data processing and data protection agreements;
assess whether the same objectives can be achieved with less personal data;
provide access to personal data to as few people within the organization as possible; and
define the decision-making and underlying considerations per processing.

9 Retention periods

9.1 We have the following retention terms in place:

Activity	Retention term
Visiting our website	7 days after the relevant visit.
Engaging us to offer you our claim and redress services, possibly by creating an account on our website	2 years after the foundation’s objectives have been achieved and any realized compensation has been fully distributed.
Communication with you	2 years after your query has been answered and/or solved.
Newsletter	Until you have withdrawn your consent. Upon withdrawal, your data will be deleted immediately.
Other general purposes	The retention terms depend on the purposes of the processing activity. Where relevant, we will inform you of the applicable retention terms in those cases.
Sending your claim calculation.	1 year after the claim calculation has been sent.

10 Your rights (incl. the right to object)

10.1 In relation to our processing of your personal data, you have the below privacy rights. For more information on your privacy rights, please be referred to this webpage of the European Commission.

Right to withdraw consent: In so far as our processing of your personal data is based on your consent (see above), you have the right to withdraw consent at any time.
Right of access: You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves). We will then also provide you with further specifics of our processing of your personal data.
Right to rectification: You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
Right to erasure: You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where: (i) the personal data are no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased on the basis of a legal requirement, or (vi) where the personal data have been collected in relation to the offer of information society services. We do not have to honour your request to the extent that the processing is necessary: (i) for exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation which requires processing, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes, or (v) for the establishment, exercise or defence of legal claims.
Right to object: You have the right to object to processing of your personal data where we are relying on legitimate interests as processing ground (see above). Insofar as the processing of your personal data takes place for direct marketing purposes, we will always honour your request. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are related to the institution, exercise or substantiation of a legal claim.
Right to restriction: You have the right to request restriction of processing of your personal data in case: (i) the accuracy of the personal data is contested by you, during the period we verify your request, (ii) the processing is unlawful and restriction is requested by you instead of erasure, (iii) we no longer need the personal data but they are required by you for the establishment, exercise or defence of legal claims, or (iv) in case you have objected to processing, during the period we verify your request. If we have restricted the processing of your personal data, this means that we will only store them and no longer process them in any other way, unless: (i) with your consent, (ii) for the establishment, exercise or defence of legal claims, (iii) for the protection of the rights of another natural or legal person, (iv) or for reasons of important public interest
Right to data portability: You have the right to request to transfer of your personal data to you or to a third party of your choice (right to data portability). We will provide to you, or such third, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies if it concerns processing that is carried out by us by automated means, and only if the our processing ground for such processing is your consent or the performance of a contract to which you are a party (see above).
Automated decision-making: You have the right not to be subject to a decision based solely on automated processing, which significantly impacts you (“which produces legal effects concerning you or similarly significantly affects you”). In this respect, please be informed that when processing your personal data, we do not make use of automated decision-making.
Right to complaint: In addition to the above mentioned rights, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or of an alleged infringement of the GDPR at all times. Please be referred to this webpage for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us beforehand.

10.2 The exercise of the abovementioned rights is free of charge and can be carried out by phone or by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request.

10.3 We may request specific information from you to help us confirm your identity before we comply with a request from you concerning one of your rights.

10.4 We will provide you with information about the follow-up to the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. The applicable privacy legislation may allow or require us to refuse your request. If we cannot comply with your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

11 Contact details

11.1 For any questions, comments or requests, you may contact us via [email protected].

12 Miscellaneous

12.1 SWIC is entitled at all times to delete your personal data without notice. In such a case, we owe no compensation to you as a result of the termination of the account. If provisions from this privacy policy are in conflict with the law, they will be replaced by provisions of the same purport that reflects the original intention of the provision, all this to the extent legally permissible. In that case, the remaining provisions remain applicable unchanged.

12.2 SWIC reserves the right to change this privacy policy on a regular basis. Where required, we will inform you of updates made to this privacy policy. The current version is always available on our website. This privacy policy was last amended and revised in June 2022.

13 Definitions

13.1 In this privacy policy, the following definitions apply:

Applicable privacy legislation	All applicable privacy legislation, including the General Data Protection Regulation (“GDPR”) and the relevant national implementation acts.
Privacy policy	This present privacy policy.
Stichting Wirecard Investors Claim	Stichting Wirecard Investors Claim Röntgenstraat 18 3261 LK Oud-Beijerland The Netherlands Chamber of Commerce number: 80902085
Website	www.wirecardinvestorsclaim.com

13.2 Other terms that are defined in the applicable privacy legislation, such as personal data, (joint) controller, processor, data subject and processing will have the meaning as described in the applicable privacy legislation.

*****