Procedure on the General Data Protection Regulation (GDPR)
Bellatrix Asset Management S.A.
Date of review: November 2024
I. Scope of application
Under the General Data Protection Regulation (GDPR), organisations must keep full internal documentation of their personal data processing and ensure that such processing complies with the legal obligations the regulation introduces. Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), is the European Union's reference text on personal data protection. It strengthens and unifies data protection for individuals within the European Union. The regulation applies to any organisation, regardless of its size, location or activity.
The GDPR applies to any organisation, public or private, which processes personal data, whether or not on its own behalf, provided that:
• it is established in the European Union; or
• its activity directly targets European residents.
The principles set out throughout this procedure apply to all present and future entities of Bellatrix Asset Management S.A., hereinafter referred to as the “Company”.
II. Regulatory framework and key concepts
A. Regulatory framework
The Company's internal GDPR procedure is based on the following texts:
Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data, as amended.
Law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security.
Amended law of 30 May 2005 relating to specific provisions for the protection of individuals with regard to the processing of personal data in the electronic communications sector and amending articles 88-2 and 88-4 of the Code of Criminal Procedure.
Act of 18 July 2014, 1) approving the Council of Europe Convention on Cybercrime opened for signature in Budapest on 23 November 2001, 2) approving the Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems, done at Strasbourg on 28 January 2003, 3) amendment of the Criminal Code, 4) amendment of the Code of Criminal Procedure, 5) amendment of the amended Act of 30 May 2005 on the protection of privacy in the electronic communications sector.
Grand Ducal Regulation of 1 August 2018 determining the seat of the National Commission for Data Protection.
GDPR Policy 3 BELLATRIX ASSET MANAGEMENT SA
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, also known as the General Data Protection Regulation (hereinafter “GDPR”), is directly applicable in all Member States of the European Union. It repeals Directive 95/46/EC.
EU Directive 2016/680 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA.
Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector.
EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.
Charter of Fundamental Rights of the European Union of 7 December 2000.
EDPS guidelines.
Practical guides from the CNPD.
Rules of procedure of the CNPD, adopted pursuant to Articles 32(1) and 33 of the Act of 1 August 2018, which define the operating conditions, the organisation of services and the rules of procedure applicable before the CNPD.
Complaints to the National Data Protection Commission (CNPD) under Articles 77 and 80 of the GDPR and Articles 44 and 46 of the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal matters and in matters of national security are investigated by the CNPD departments in accordance with the procedures described in those rules of procedure.
B. Key concepts
1. Personal data
“Personal data” is “any information relating to an identified or identifiable natural person”. A person can be identified:
• Directly (e.g. surname, first name, postal address, email address, credit card number); or
• Indirectly (e.g. through an identifier (customer number), a (telephone) number, biometric data, several elements specific to their physical, physiological, genetic, psychological, economic, cultural or social identity, but also their voice or image).
A natural person can be identified:
• From a single piece of data (e.g. social security number, DNA);
• By cross-referencing a range of data (e.g. a woman living at a particular address, born on a particular day, subscribing to a particular magazine and active in a particular association).
2. Data subject
The data subject is defined as “any person who can be identified, directly or indirectly, by an identifier (e.g. a name, an identification number or location data) or by one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity”. In clear terms, the data subject is the final person whose personal data is collected and processed.
3. Processing
“Processing of personal data” means any operation or set of operations which is performed upon personal data or sets of data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Every processing operation must have an objective, i.e. a purpose, which must be lawful and legitimate with regard to the Company's activity.
4. Data Controller and Data Protection Officer
The “Data Controller” is “the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing operation; where the purposes and means of such processing are determined by Union law or by the law of a Member State, the controller may be designated or specific criteria for such designation may be laid down in Union law or in the law of a Member State”. In this context, the Company has been designated as the Data Controller.
The “Data Protection Officer” or “DPO” is a natural person designated by the Data Controller to monitor compliance with the GDPR and with the policies of the Data Controller, to cooperate with the supervisory authority and to act as its contact point on issues relating to processing. In the performance of his or her tasks, the DPO shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. Within the Company, Mrs. Camille Conrad has been designated as the Data Protection Officer.
5. Personal data breach
A personal data breach is defined as any security incident, whether malicious or not and whether intentional or not, which has the effect of compromising the integrity, confidentiality or availability of personal data (e.g. the loss of an unsecured USB key containing a copy of a company's customer database, or information about the company).
6. Consent
Consent is “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies his or her agreement, either by a declaration or by a clear act of consent, to personal data relating to him or her being processed”.
Consent can take two forms:
• Explicit consent is established by means of an express form of expression: a written declaration from the data subject is required to approve the collection of his or her personal data.
• Legitimate interest is one of the six legal bases set out in the General Data Protection Regulation. Processing on the basis of legitimate interest does not require a specific purpose or the consent of users: the purpose of the processing is the legitimate interest of the Data Controller. This principle authorises the processing of personal data by the Company subject to compliance with certain conditions. The Data Controller must ensure that the interests it pursues do not create an imbalance to the detriment of the rights and interests of the persons whose data is processed. The legitimate interest must be necessary to achieve the objective pursued (e.g. performance of a contract). This balancing of the rights and interests involved must be carried out for each processing operation.
Data processing must meet the following three conditions:
• The processing must be manifestly authorised by law;
• The processing must be clear and precise;
• The processing must have a precise objective defined by the body.
III. Identification of personal data processing
The Company must meet a number of substantive requirements for any processing of personal data. These requirements are as follows:
• Personal data must be processed in accordance with the applicable regulations, in good faith and in a manner that is transparent to the customer.
• Data must be collected and processed for the purposes defined by the Company and not for any ulterior purpose. The purpose must be known to the customer before processing begins.
• The data collected by the Company must be appropriate for the purpose and must also be relevant and limited. The Company must only collect data that is necessary for the purpose of processing.
• The personal data processed must be accurate and, if necessary, kept up to date throughout the relationship.
• The data collected by the Company must be kept for the time required for the purpose of processing. After that, the data must be deleted or made anonymous. A retention period of 5 years has therefore been defined for each processing operation carried out by the Company.
• The Company must ensure the integrity and confidentiality of the personal data collected, using appropriate technical and organisational measures against any risk of data breach.
• The Company, and more specifically the Data Protection Officer, must be able to demonstrate that personal data is processed in compliance with the regulations in force.
A. Identification of the personal data to be collected
To identify personal data, the Company must:
• List the different ways in which personal data is processed;
• Categorise the personal data processed;
• Identify the objectives pursued (purposes) by the data processing operations;
• Define the parties (internal or external) who process this data. In particular, the Company must clearly identify subcontractors in order to update confidentiality clauses;
• Identify data flows by indicating the origin and destination of the data, in particular to identify any data transfers outside the European Union.
IV. GDPR action plan
Having identified the processing of personal data, the Data Protection Officer identifies the actions to be taken to comply with the obligations of the Regulation. This prioritisation can be carried out with regard to the risks posed by the processing operations to the freedoms of the data subjects.
A. Points to bear in mind for all processing operations
The Company must verify:
• That only data strictly necessary for the pursuit of the objectives is collected and processed (Article 5);
• The legal basis for the processing (e.g. consent of the individual, legitimate interest, contract, legal obligation) (Article 6);
• That the information provided to data subjects complies with the requirements of the regulation (Articles 12, 13 and 14);
• That processors are aware of their new obligations and responsibilities, and that they are informed of the existence of contractual clauses setting out the processor's obligations in terms of security, confidentiality and protection of the personal data processed (Article 28);
• The procedures for exercising the rights of data subjects (right of access, rectification, right to portability, withdrawal of consent, etc.) (Articles 15-23);
• That personal data is processed in such a way as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality) (Article 32);
• That data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed (storage limitation) (Article 5).
The Company does not carry out any processing of personal data that is likely to result in a high risk to the rights and freedoms of data subjects. Under Article 9 of the GDPR, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, is prohibited.
B. Organisation of the internal GDPR process
The Company has put in place the following measures:
• Application of “Privacy by design” right from the design stage of an application or processing operation (minimisation of data collection with regard to purpose, cookies, retention periods, information notices, obtaining consent, data security and confidentiality, ensuring the role and responsibility of those involved in implementing data processing);
• Ensuring the accuracy of the data collected;
• Raising awareness and organising feedback, in particular by drawing up a training and communication plan for the Company's employees;
• The handling of complaints and requests from data subjects concerning the exercise of their rights (rights of access, rectification, opposition, right to portability, withdrawal of consent) by defining the parties involved and the procedures (it must be possible to exercise rights electronically if the data has been collected by this means);
• The detection of a personal data breach incident should lead the organisation to focus its efforts on resolving it by adopting any appropriate measures to remedy the breach and limit its consequences for the people whose data is affected. However, these measures should not obscure the need for the organisation to assess at the same time whether or not it should notify the CNPD of the incident. The obligation to notify carries heavy penalties in the event of failure to do so. The GDPR sets a very tight deadline for notification: 72 hours at the latest after becoming aware of the incident. In order to be as proactive as possible, the Company has a register for monitoring data breaches (whether or not declared to the CNPD) and a data breach declaration form;
• Setting up a register of processing activities (name and contact details of the Data Protection Officer, purpose of processing, category of data subjects, data retention period, etc.).
1. Application of the ePrivacy Directive
In accordance with the ePrivacy Directive, Internet users must be informed and give their consent before certain tracking data is stored and read, while others are exempt from the requirement to obtain consent. The consent provided for in these provisions refers to the definition and conditions set out in Articles 4(11) and 7 of the GDPR. It must therefore be free, specific, informed and unambiguous, and the user must be able to withdraw it at any time with the same ease with which it was given. Consent must be demonstrated by positive action on the part of the individual, who has been informed of the consequences of his or her choice and has the means to accept, refuse or withdraw consent.
2. Handling complaints and requests from data subjects to exercise their rights
The Company has implemented a data erasure procedure which sets out all of the Company's obligations concerning the rights of data subjects. The Data Controller must facilitate the exercise of the rights of individuals as defined by Articles 15 to 23 of the General Data Protection Regulation. The Data Controller must provide a response as soon as possible, i.e. within one month of receiving the request. This period may be extended, but the data subject must be notified of the reasons for the extension.
3. Data breaches
In the event of a personal data breach, the Data Controller shall notify the breach in question to the competent supervisory authority as soon as possible and, if possible, no later than 72 hours after becoming aware of it, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, the reasons for the delay shall be given. In Luxembourg, this supervisory authority is the Commission Nationale pour la Protection des Données (CNPD). At the same time, the data subjects are also notified (Articles 33 and 34 of the GDPR). If a data breach is detected by one of the Company's subcontractors, the latter must notify the Data Controller. The Company has a data breach monitoring register and a model personal data breach declaration to be sent to the CNPD.
4. Register of activities
The Company has set up a register of processing operations to record the processing of personal data. The register is provided for in Article 30(1) of the GDPR and helps to document compliance. The inventory and analysis document must reflect the reality of personal data processing and make it possible to identify precisely:
• Stakeholders (representatives, subcontractors, joint controllers, etc.) involved in data processing;
• Categories of data processed;
• The purpose of the data, who has access to it and to whom it is disclosed;
• The length of time the data is kept (the length of time the data is useful from an operational point of view, and the length of time it is kept in archives);
• How the data is secured;
• That all documents are made available to the CNPD and kept up to date.
Each processing operation identified in the register of processing operations generates a processing operation form meeting the criteria required by the GDPR.
5. Register of subcontractors' activities
The Company has listed its subcontractors and has verified the protection of data in the event of processing by them. The Company must keep an up-to-date register of processing activities, which must include the following information:
• The name and contact details of the Data Protection Officer and, where applicable, the joint controller and the representative of the controller;
• The purposes of the processing;
• A description of the categories of data subjects and the categories of personal data;
• The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
• Where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the Regulation, documents attesting to the existence of appropriate safeguards;
• As far as possible, the deadlines set for the deletion of the various categories of data;
• As far as possible, a general description of the technical and organisational security measures referred to in Article 32(1).
6. IT Security
Data protection is implemented within the Company’s IT systems. The Company has put in place the following rules:
• Define authorisation profiles in the systems, separating tasks and areas of responsibility, so as to limit user access to only the data strictly necessary for the performance of their tasks;
• Suspend and/or delete users’ access permissions as soon as they are no longer authorised to use an IT resource, and in any case at the end of their contract;
• Provide an automatic session locking mechanism if the workstation is not used for a given period of time, and make employees aware that they should log off the server each time they leave their desk;
• Encrypt incoming and outgoing emails in transit using TLS, so that the Company is protected against “man-in-the-middle” attacks;
• Use the two software firewalls provided by our IT servicer and restrict the opening of communication ports to those strictly necessary for the proper operation of the applications installed on the workstation;
• Use the regularly updated antivirus software provided by our IT servicer;
• Make users aware of the specific risks associated with the use of mobile IT tools (e.g. theft of equipment, hence the need to lock access to email, store no documents on mobile devices and use the token to connect to the server) and the procedures in place to limit them (see Homeworking procedure);
• Require a VPN for remote access and, if possible, strong user authentication (smart card, one-time password (OTP) generator, etc.);
• Make frequent back-ups of data in electronic form and store back-ups off-site, if possible in fireproof, watertight safes, in a secure location – this is handled by our IT servicer. The Company keeps a paper copy in its registered office;
• Protect backed-up data with the same level of security as that stored on the operating servers (for example, by encrypting back-ups, providing for storage in a secure location, contractually governing the outsourcing of back-ups, etc.);
• With regard to recovery and business continuity – review the Company’s IT recovery and business continuity plan to adapt to the one provided by our IT servicer, including a list of those involved. A DRP simulation is done once a year by our IT servicer and the results are shared with the Company;
• Ensure that users, service providers and subcontractors know who to alert in the event of an incident.
C. Data protection impact assessment
If the Company has identified personal data processing operations that are likely to generate high risks for the rights and freedoms of data subjects, it must carry out a Data Protection Impact Assessment (“DPIA”) for each of these operations.
The DPIA makes it possible to:
• Develop personal data processing or a product that respects privacy;
• Assess the impact on the privacy of the individuals concerned;
• Demonstrate compliance with the fundamental principles of the regulations.
The challenge is to assess the risks to data protection from the point of view of the data subjects. In accordance with Article 35(4) of the GDPR, the CNPD has drawn up a list of types of processing operation for which it considers that a data protection impact assessment is mandatory in all cases:
• Processing of profiles of natural persons for the purposes of human resources management;
• Processing for the purpose of constantly monitoring the activity of the employees concerned;
• Processing for the purpose of managing social and health alerts and warnings;
• Processing for the purpose of managing professional alerts and warnings;
• Processing of health data required to set up a data warehouse or register;
• Processing involving the profiling of individuals which may lead to their exclusion from a contract or to its suspension or termination;
• Mutual processing of contractual breaches likely to lead to a decision to exclude or suspend the benefit of a contract;
• Profiling processing using data from external sources;
• Large-scale location data processing.
If the analysis of risks to the rights and freedoms of data subjects in the DPIA results in one (or more) residual risks that have not been addressed, the Company must consult the CNPD, which will give an opinion on the planned processing operation and its risk management (prior consultation). The processing operation may not be implemented until the CNPD has issued its opinion and, where applicable, its recommendations have been implemented.
V. Working with the authorities
The Data Controller and the Data Protection Officer shall cooperate with the supervisory authority, at the latter’s request, in the performance of its duties.
VI. Customer, prospect and employee data management
A. Information
The Company provides information on each collection of sensitive data. The Company must inform the data subjects in both of the following cases:
• Direct collection of personal data: when data is collected directly from individuals or via devices or technologies for observing the activity of individuals (e.g. video surveillance);
• Indirect collection of personal data: when data is not collected directly from individuals (e.g. data retrieved from partners, publicly available sources or other individuals).
The Company defines the purpose for which data is collected (customer), the framework authorising data processing and who has access to this information.
B. Conditions for the data subject's consent
Insofar as the processing of personal data is based on consent, the Data Controller must be able to demonstrate the data subject's consent. The data subject has the right to withdraw consent at any time. Such withdrawal shall in no way compromise the lawfulness of the processing which is based on that consent (Article 7).
VII. Contact
The Company also provides a simple and rapid means of contacting it to exercise customers’ rights of access, rectification, opposition and deletion by contacting the Company directly by telephone or email:
Email: info@bellatrix.lu
Telephone: +352 26 25 66 20
If electronic contact details are used, the Company must obtain the customer’s consent, which it will keep as proof.
Appropriate security measures have been put in place by the Company and its subcontractors.
These security measures must take account of the state of the art and be adapted to the risks for data subjects and to the volume and sensitivity of the data processed. In addition, the Company deletes information in the event of prolonged customer inactivity (5 years from the end of the commercial relationship).