GDPR Compliance

1. GDPR Commitment

MADAXA is fully committed to compliance with the European Union's General Data Protection Regulation (GDPR) and equivalent data protection laws in other jurisdictions. We recognize that protecting personal data is not just a legal obligation but a fundamental aspect of maintaining client trust.

2. Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds:

2.1 Contractual Necessity

Processing is necessary to perform our advisory agreement with you, including:

• Providing wealth management and advisory services
• Generating reports and recommendations
• Coordinating with custodians and other service providers
• Processing fees and maintaining financial records

2.2 Legal Obligation

Processing is required to comply with applicable laws and regulations:

• Anti-money laundering (AML) and know-your-client (KYC) requirements
• Tax reporting obligations (FATCA, CRS, etc.)
• Securities regulations and fiduciary duties
• Record retention requirements

2.3 Legitimate Interests

Processing serves our legitimate business interests while respecting your rights:

• Improving and developing our services
• Detecting and preventing fraud
• Maintaining system security and functionality
• Internal administration and analytics

2.4 Explicit Consent

In certain cases, we obtain your explicit consent for processing, such as:

• Marketing communications (which you can opt out of at any time)
• Processing of sensitive personal data beyond what's necessary for our services
• Sharing information with third parties not covered by our standard service agreements

3. Your GDPR Rights

As a data subject under GDPR, you have comprehensive rights regarding your personal data:

3.1 Right to Access

You can request:

• Confirmation of whether we process your personal data
• A copy of your personal data in our possession
• Information about how we use your data
• Details of third parties who have access to your data

3.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. We will update your information within 30 days and notify relevant third parties when necessary.

3.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

• It's no longer necessary for the purposes collected
• You withdraw consent (where consent was the basis for processing)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Note: This right may be limited by legal retention requirements (e.g., tax, AML laws).

3.4 Right to Restriction of Processing

You can request temporary suspension of data processing when:

• You contest the accuracy of personal data
• Processing is unlawful but you don't want data erased
• We no longer need the data but you need it for legal claims
• You've objected to processing pending verification of legitimate grounds

3.5 Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format to:

• Transfer to another service provider
• Keep for your own records

This right applies to data processed based on consent or contract performance.

3.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.

3.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing. MADAXA does not use fully automated decision-making for any critical advisory functions. All significant recommendations involve human review.

4. Exercising Your Rights

To exercise any of your GDPR rights:

1. Submit a Request: Email privacy@madaxa.org with your full name and specific request
2. Identity Verification: We may request additional information to verify your identity before fulfilling requests
3. Response Timeline: We will respond within one month, extending to two months for complex requests
4. Free of Charge: We do not charge fees for legitimate requests unless they are manifestly unfounded or excessive

5. International Data Transfers

As a global advisory firm, we may transfer your data outside the European Economic Area (EEA). We ensure adequate protection through:

5.1 Standard Contractual Clauses (SCCs)

We use European Commission-approved SCCs with all non-EEA service providers and affiliates, ensuring they provide equivalent data protection.

5.2 Adequacy Decisions

We transfer data to jurisdictions deemed by the European Commission to provide adequate data protection levels.

5.3 Binding Corporate Rules

Our internal policies establish uniform data protection standards across all MADAXA offices globally.

5.4 Explicit Consent

In certain circumstances, we may seek your explicit consent for specific international transfers.

6. Data Protection Measures

We implement comprehensive technical and organizational measures:

6.1 Technical Measures

• Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based permissions with multi-factor authentication
• Network Security: Firewalls, intrusion detection, and regular penetration testing
• Secure Infrastructure: EU-based data centers with ISO 27001 certification
• Data Minimization: Automated systems to delete or anonymize unnecessary data

6.2 Organizational Measures

• Data Protection Officer (DPO): Dedicated officer overseeing GDPR compliance
• Privacy by Design: Data protection integrated into all new systems and processes
• Staff Training: Mandatory GDPR training for all employees
• Vendor Management: Due diligence on all third-party processors
• Regular Audits: Internal and external assessments of data protection practices

7. Data Breach Procedures

In the event of a data breach:

7.1 Internal Response

• Immediate investigation and containment of the breach
• Assessment of breach severity and affected data
• Documentation of incident details and remediation steps

7.2 Regulatory Notification

If the breach poses a risk to your rights and freedoms, we will notify relevant supervisory authorities within 72 hours of becoming aware of the breach.

7.3 Individual Notification

If the breach poses a high risk to your rights and freedoms, we will notify you directly without undue delay, providing:

• Nature of the personal data breach
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact details for further information

8. Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for processing activities that may pose high risks to data subjects, including:

• New technology implementations
• Large-scale processing of sensitive data
• Systematic monitoring or profiling
• Processing that affects vulnerable individuals

9. Children's Data

Our services are directed at adults. We do not knowingly collect data from individuals under 16 without parental consent, except when processing is necessary for family wealth management purposes (e.g., succession planning involving minor beneficiaries).

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where an alleged infringement occurred.

For EU clients, you may contact:

Your national data protection authority
or
European Data Protection Board (EDPB)
Website: edpb.europa.eu

11. Updates to This Policy

We review and update our GDPR compliance measures regularly. Material changes will be communicated via:

• Email notification to affected clients
• Prominent website notices
• Updated documentation in our client portal

12. Contact Our Data Protection Officer

For GDPR-related questions, concerns, or to exercise your rights:

Data Protection Officer
Email: dpo@madaxa.org
Address: 5 Parvis Alan Turing, 75013 Paris, France