This privacy policy (hereinafter the "Privacy Policy") describes the Processing (as hereinafter defined) of Personal Data (as hereinafter defined) by NEXEX Ltd, Level G (Office 1/1047), Quantum House 75, Abate Rigord Street, Ta'Xbiex, Malta (the "Company") and by all other companies belonging to Poseidon Group SA (CHE-181.247.415), c/o M. & A. GLOOR Family Office GmbH, Chamerstrasse 14, 6300 Zug, (the "Poseidon Group") each of them in their capacity as data controller (the "Data Controller"), as well as any other information required by law, including information on the rights of Data Subjects (as hereinafter defined) and on their exercise.

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (the "Regulation") lays down a set of rules on the protection of natural persons with regard to the Processing of Personal Data and to the free movement of the latter, safeguarding the fundamental rights and freedoms of the Data Subjects.

Art. 4 para. 1 of the Regulation sets forth that "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").

Pursuant to art. 4 para. 2 of the Regulation, the term "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Furthermore, according to art. 12 et seq. of the Regulation, the Data Subject has to be appropriately informed concerning (i) the Processing activities performed by the Company and (ii) the rights of Data Subjects.

Data Controller

The Data Controller pursuant to arts. 4 and 24 of the Regulation is the Company. The Data Controller may be contacted in writing at the above address of the Company or by sending an e-mail to: [email protected].


The Company collects Personal Data in many ways and, in particular by (a) direct interaction: information on Personal Data may be received directly from the Data Subject when filling out the forms at the beginning of the business relationship or when the Data Subject contacts the Company by ordinary or electronic mail, by telephone or else and/or by (b) automated systems: technical data on operating systems, research parameters and browsing patterns concerning the Data Subject may be automatically collected if the latter visits the Company's website. Such Personal Data are collected through cookies and similar devices. The Company's cookie policy is available under the following link


Without the consent by the Data Subject

The Personal Data provided by the Data Subject to the Company will be treated solely for the purposes regarding the performance of a prospective or existing professional assignment entrusted to the Company. Within the scope of these purposes, the Processing of Personal Data is also performed to comply with specific legal requirements concerning the contractual relationship and the fulfilment of the assignment. Finally, Personal Data will be processed in the presence of a Company's legitimate interest to perform and manage the activity, with the intent to deliver enhanced services, after considering and balancing any potential impact on the Data Subject's rights.

With the consent by the Data Subject

Upon express consent provided by the Data Subject, the Company will process Personal Data (name, surname, e-mail address, telephone number etc.) to convey communications containing information concerning the Company and its activities, which may include, among others: (i) events and meetings; (ii) various marketing activities and (iii) analysis of the Data Subject's preferences and areas of interest, to enhance the services provided by the Company and meet their specific requirements/needs (the so called "profiling activity").

Furthermore, when the Company will transfer Personal Data to other companies belonging to Poseidon Group for compliance requirements, such as the "Know Your Customer – KYC" process, or for other purposes regarding the performance of a prospective or existing professional assignment, it will ask and require an express consent from the Data Subject.


If the communication of Personal Data by the Data Subject and the consequent Processing by the Data Controller are required to establish or continue and appropriately carry out a pending relationship, such communication is mandatory. Refusal by the Data Subject to provide the Personal Data requested by the Data Controller may lead to the impossibility to execute and direct any contractual relationship with the Data Subject.

The disclosure of Personal Data for marketing purposes and profiling activities is optional but, if the Data Subject declines, the Company will be prevented from sending communications containing information about itself or about marketing or other promotional activities.


In accordance with art. 5 of the Regulation, Personal Data concerned by Processing are:

In relation with the purposes listed above, Personal Data may be processed using paper and electronic means and, in particular, by ordinary mail or e-mail, telephone (e.g. automated calls, text messages), fax and any other IT instruments (e.g. websites, mobile apps) merely in connection with such purposes and, in any case, ensuring data security and confidentiality, in compliance with what is envisaged by the Regulation.


Personal Data are processed and stored in cloud and on servers both within and outside the European Union, belonging or otherwise available to the Data Controller and/or to third-party companies in charge of the Processing, duly appointed as Data Processors.

The Personal Data concerned by Processing will be stored in compliance with the provisions set forth in art. 5 para. 1 lett. e of the Regulation in a form allowing the identification of the Data Subjects concerned for no longer than the time required to achieve the purposes indicated above, for which the Personal Data were originally collected and processed.


The Processing of Personal Data provided by the Data Subject will be performed by the professionals involved in the performance of the services, as well as by their supporting staff, through persons expressly and specifically appointed by the Data Controller, operating at the latter's office in their capacity as Data Processors (art. 28 of the Regulation) or as persons acting under the authority of the controller or of the processor (art. 29 of the Regulation) or even as officials expressly appointed for the Processing of Personal Data in accordance with the terms envisaged by the Regulation.

Personal Data may also be directly processed by the Data Controller and disclosed to third parties whenever such Processing serves legal or contractual obligations. For these purposes, Personal Data may be disclosed to external companies or professionals that may be collaborating with the Company for the purposes indicated in this Privacy Policy. The Company will always request to any such third party to respect the security of Personal Data and to treat them in compliance with the law.

In order to enable the fulfilment of legal and contractual obligations Personal Data may be communicated to service providers with Data Processor functions providing IT and system administrator services, to post offices, to shipping agents and couriers when sending documents, as well as to banking institutions carrying out accounting aspects deriving from the execution of the assignment, as well as to the Public Administration pursuant to the laws in force, as well as to any third parties providing IT or filing services.

The Personal Data of the Data Subject will not be publicised by the Data Controller, which will never disclose them or make them otherwise available to undetermined parties.


Personal Data may be transferred to countries of the European Union or to other countries (e.g. Switzerland) within the Processing purposes described in this Privacy Policy. In case Personal Data are transferred outside the European Union, and in the absence of an adequacy decision by the European Commission, the Company will comply with the provisions envisaged by applicable rules and regulations on the transfer of Personal Data towards countries not belonging to the European Union.


In compliance with the provisions of the Regulation, the Data Subject may exercise the rights indicated therein and in particular:

Without prejudice for any other administrative or judicial remedy, the Data Subject who deems that the Processing concerning him- or herself is breaching the Regulation has the right to lodge a complaint with a supervisory authority, based in the Member State of his or her habitual residence, place of work or place of the alleged infringement, pursuant to art. 77 of the Regulation.

In order to exercise the above rights, the Data Subject may contact the Data Controller at the contact details referred to in Paragraph 1 of this Privacy Policy.

The exercise, at any time, of the right to withdraw his or her consent to the Processing of Personal Data is without prejudice for the lawfulness of the Processing performed by the Data Controller which is based upon the consent granted before the revocation.


If you have any other questions about our Privacy Policy, please contact us at:


Level G (Office 1/1047)

Quantum House 75

Abate Rigord Street

Ta X'Xbiex


[email protected]

NEXEX Ltd (10/08/2018)