Privacy Statement

Introduction

Please read the following Privacy Statement (the “Statement”) carefully to understand how and why our web servers use your personal data in order for you to access and browse our website https://www.henleypassportindex.com/ (the “Website”).

Henley & Partners

Henley & Partners Group is an international group of companies which provides citizenship and residence planning services to clients and advisory services to governments all over the world.

Henley & Partners Group is made up of different legal entities, details of which can be found here. This Privacy Statement (the “Statement”) is issued on behalf of Henley & Partners Group so when we mention “Henley & Partners”, “we”, “us”, “our” in this Statement, we are referring to the relevant entity in the Henley & Partners Group responsible for processing your data. We will let you know which entity will be the data controller for your data when you obtain any of our services.

Henley & Partners Group Holdings Ltd (Company Registration No. C 58006), of Malta, is the Data Controller and responsible for this Website.

Our full details are:

Henley & Partners Group Holdings Ltd

Level 4, Aragon House,

Dragonara Road,

St. Julian’s STJ 3140

Malta

Phone: + 356 2138 7400

General Information

We have structured our Website so that you can visit us on the Internet without identifying yourself or revealing any personal information.

Once you choose to provide us with personal information, we will protect such information and use it only in the ways as described below.

Purpose of this Statement

We are committed to respecting and protecting your privacy at all times. Henley & Partners will not sell, rent, transfer, or otherwise make available to others any information about any person visiting our Website except as expressly provided for in this Statement.

The purpose of this Statement is to:

set out the type of personal data Henley & Partners will collect from you and how we will use your personal information – in particular see section A “Personal Data we collect from you”;

set out the basis on which any personal data is processed by Henley & Partners – see sections B “How we use your information” and C “Legal basis for processing”;

make you aware of how Henley & Partners will handle your personal data;

clarify Henley & Partners’ obligations under the data protection regulations with regard to processing your personal data lawfully and responsibly; and

inform you of your data protection rights – see section K “Your rights as a data subject”.

We process your personal data in an appropriate and lawful manner, in accordance with applicable data protection regulations and the General Data Protection Regulation EU 2016/679 (the “GDPR”) which is in force as of 25 May 2018.

We will comply with local data protection laws in jurisdictions we operate in and to do so the personal information we hold about you must be:

used by us lawfully, fairly and in a transparent way;

collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;

relevant to the purposes we have told you about and limited only to those purposes;

accurate and kept up to date;

kept only as long as necessary for the purposes we have told you about; and

kept securely.

This Statement should be read in conjunction with our Cookie Policy and any other Privacy Notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.

This Statement was last updated in May 2018.

A. PERSONAL DATA WE COLLECT FROM YOU

By means of this Website, you may contact our representatives and obtain information relating to the residence and/or citizenship programs or the services offered by Henley & Partners Group and start the process of obtaining any of the services in which you may be interested. You may also contact us if you are looking for a career opportunity, or wish us to provide you with further information to support your press/media work. You may also contact us for general inquiries or if you are planning to be a supplier to us.

We will collect and process the following personal data about you:

1. Information You Give Us

These are personal details and include your first name, last name, nationality, country of residence, email address and phone number. They will also include information on which services you are interested in or details about your enquiry. The information you give us may also include data about any marketing preference.

Such information may be provided by you in the following circumstances: (i) by filling in an enquiry form on the Website; (ii) by corresponding with us by post, phone, email or otherwise when you apply for our services; (iii) by subscribing to our services or publications; (iv) by requesting marketing to be sent to you; (v) by giving us some feedback; or (vi) by starting negotiations for or entering into a contract to supply goods and/or services to us.

To the extent you engage our services or where you might apply for a job opportunity you may be required to provide further information. Where you are a business user, we may also require further information before we enter into a commercial relationship with you.

Such further information may include payment details such as banking information, VAT number and/or tax ID in order for us to process payments in relation to our services. We may also require you to provide us with information that might be needed to establish and serve as proof of your identification such as copies of your passport or national ID. Where you are a job applicant you will be required to provide a copy of your up-to-date CV.

Where we are collecting or processing further information we will provide you with separate Privacy Notices which further describe how and why we are using your personal data.

Where we are required to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the services as agreed or we may not be able to enter into a contract with you but we will notify you if this is the case at the time. We may have to terminate that contract with you as a result.

2. Information We Collect About You From Our Website

Whenever you visit our Website we will automatically collect the following:

Technical information: including the IP address used to connect your computer to the Internet, your login information, browser type and version, the full Uniform Resource Locators (URL), clickstream to, through and from our Website (including date and time) as well as other information regarding your experience on our Website such as page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page.

Location Information: We may receive information about your location. We may determine your location through your IP address and, when accessing the Website through a mobile device, by using the data that we collect from this device. This includes information about the wireless networks or cell towers near your mobile device at the time of access.

Our Website uses cookies to distinguish you from other users of our Website. This helps ensure that we provide you with a good experience when you browse our Website and also allows us to improve our Website. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy accessible at:

3. Information we receive from other sources

We may receive personal data about you from various third parties and publicly available sources as set out below:

Technical Data from Google Analytics Advertising Features, including Google AdWords, Facebook Pixel, Google Tag Manager, Amiando, Microsoft Dynamics, LinkedIn, Gmail and other ad hoc paid media partnerships.

Identity, Contact and Background Data from publicly available sources, compliance databases and/or compliance and due diligence service providers within and outside the EU so we can confirm you are a suitable client of or supplier to us.

B. HOW WE USE YOUR INFORMATION

1. Information you give to us

We shall use this information:

to facilitate the provision of services which you request and where we need to perform the contract we are about to enter into or have entered into with you;

where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;

where we need to comply with a legal or regulatory obligation;

to resolve any issues which you have reported and provide support related services; or

manage the supplier relationship you have with us.

2. Information we collect about you from our Website

We shall use this information:

to administer our Website and for internal operations, including troubleshooting and in order to keep our Website safe and secure;

to improve our Website to ensure that content is presented in the most effective manner for you; and

to ensure that content displayed on the Website is presented in a user-friendly manner.

3. Information we receive from other sources

We will combine information we receive from other sources with information you provide to us and information which we collect from you. We will use your information only for purposes as described in the paragraphs above.

C. LEGAL BASIS FOR PROCESSING

We shall only process your personal data insofar as this is necessary for us to be able to provide the services we offer and/or for the purposes indicated in this Statement.

We may also process your personal data on the basis of any legitimate interest or in order to comply with any legal obligations at law. This may include the exercise or defense of legal claims or in order to comply with an order of any court, tribunal or authority or disclosure to a government or regulatory entity.

Generally we do not rely on consent as a legal basis for processing your personal data. However where your consent is required we will provide you with a form requesting (explicit) consent to do so.

D. MARKETING

You will receive marketing communication if you have requested such marketing information from us by providing us with your details through this Website and have consented and opted-in to receiving such information. Where we have entered into a business relationship, i.e. a contract, with you we may inform you about our activities, offers or other information which we believe would be useful to you in accordance with our legitimate interest.

We will centralize the provision of marketing communications through Henley & Partners South Africa (Pty) Ltd, a Henley & Partners entity based in South Africa. The purpose of doing so is to ensure that you receive the marketing communications you have consented to and that no further marketing information is sent to you. Since, in certain circumstances this will constitute a transfer of personal data outside the European Economic Area (the “EEA”), please refer to Section E “Disclosure of your information” below which further outlines the manner in which we transfer personal data outside the EEA and the appropriate safeguards we adopt.

We will not share your personal data with any third party for marketing purposes without your explicit consent.

You have the right to withdraw consent or to object to receive marketing information at any time by contacting DPO@henleyglobal.com or clicking unsubscribe. If you choose not to consent or to object to any one of the purposes listed herein or withdraw your consent at any time, we will still be able to provide our services, however, we would not be able to provide you with the full range of services which we offer and it may affect the efficiency with which we provide the services you request.

E. DISCLOSURE OF YOUR INFORMATION

We may disclose your personal data to any of our international offices/companies forming part of Henley & Partners Group who may act as joint data controllers or data processors to the company which will be the data controller for your data when you obtain our services and/or may provide administration, controls and reporting services. For a full list of the Henley & Partners Group companies who may receive this information, please click here. All Henley & Partners Group companies respect and protect the security of your personal data in accordance with the applicable law (including the GDPR) and apply the security measures and safeguards as described below.

We may need to share personal data with government agencies and authorities in the country where you seek to obtain residence or citizenship. We shall only provide the necessary information in order to perform services under our contract with you.

We may need to share your data with local agents or other service suppliers (in their capacity as data processors) where this is necessary for us to provide the services you request. These local agents and suppliers store and process your data on the basis of strict confidentiality and subject to the appropriate security measures and safeguards in place as described below.

We may also share your data with other third parties in their capacity as data controllers such as legal, tax, real estate, immigration or other advisors and consultants, (international) banks for payment details or third parties providing other or additional services or goods to you such as real estate agencies/owners/developers whom you might wish to engage with under separate terms and conditions between you and such third parties. These third parties will be processing your data in their own right as data controllers and their data protection policies and processes shall become applicable.

We may also disclose your data if we are under a duty to disclose or share your personal data to comply with any legal obligation, judgment or under an order from a court, tribunal or authority. We may also disclose your data to enforce our Terms of Use, or to protect our rights, property or safety, that of our partners or other users of our Website. This includes exchanging information with other companies and organizations for the purposes of Anti-Money Laundering/KYC checks, Anti-Bribery/Corruption Laws compliance and/or fraud protection.

F. TRANSFERS OF DATA TO THIRD COUNTRIES

Where we share your personal data with internal or external third parties, this may involve transferring your data outside the EEA. We will transfer your personal data in accordance with standard contractual clauses (European Commission: Model contracts for the transfer of personal data to third countries) to ensure your personal data is protected and transferred securely in compliance with applicable law, including the GDPR.

Henley & Partners Group Holdings Ltd acts as the EU Data Representative of all our offices located outside the EEA. You may address any issues, queries or concerns which you may have to Henley & Partners Group Holdings Ltd by sending an email with ‘Data Protection’ in the subject line to the following address: EUrepresentative@henleyglobal.com.

G. THIRD PARTY ACCESS TO YOUR PERSONAL DATA

We work closely with third parties in order to provide you the services you request on our Website. These third parties include cloud storage providers, analytics providers and search engine information providers. We will only work with third party providers that comply with applicable laws in the jurisdictions in which we operate and abide by the GDPR and, if applicable, agree to be bound by the standard contractual clauses to adequately protect and safeguard your personal data.

H. DATA SECURITY

We will ensure that appropriate security measures are taken against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to, personal data.

The transfer of information between our Website and your device is protected with TLS (Transport Layer Security) certificates. When the Website is accessed using compatible browsers, that technology protects personal information using both server authentication and data encryption to ensure that personal information is safe and secure while in transit. The mainstream browser versions compatible with that technology are Internet Explorer from version 11, Mozilla Firefox from version 27, Google Chrome from version 32 and Apple Safari from version 7.

All personal data is stored in a secure server environment that uses a firewall and other advanced technology to protect against interference or unauthorized access. Servers are located in Malta and in Switzerland. Usernames and passwords are issued to persons authorized to access the personal data, such as our employees, who are bound by confidentiality not to disclose any personal data.

No method of transmission of data is one hundred percent (100%) secure and absolute security cannot be guaranteed.

I. DATA STORAGE

We shall only store your data as long as is strictly necessary for the purposes for which it was collected i.e. to provide you our services or for the purposes of satisfying any legal, accounting or reporting requirements. In any case, retention of data shall not exceed 10 years from the date of termination or completion of the services. This period of retention enables us to use the data for defending potential legal claims, taking into account the applicable limitation periods under relevant laws, as well as, if applicable, to comply with Anti-Money Laundering/KYC laws and regulations, Anti-Bribery/Corruption Laws and regulations, accounting and tax laws, applicable to certain jurisdictions which we operate in.

J. DATA MINIMIZATION

Whenever and to the extent possible, we anonymize the data which we hold about you when it is no longer necessary to identify you from the data which we hold about you.

K. YOUR RIGHTS AS A DATA SUBJECT

You are entitled to exercise the following rights under the GDPR:

a. Right to Access Information

You have the right to request information as to whether or not your personal data is being processed by Henley & Partners as well as information as to how and why it is processed. You may send an email to DPO@henleyglobal.com requesting information as to the personal data which is undergoing processing. You shall receive one (1) electronic copy free of charge via email. We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive in which case we may also refuse to comply with your request in these circumstances.

b. Right to object

You may contact us at any time at DPO@henleyglobal.com to ask us not to process your personal data for marketing purposes e.g. receiving information from us about upcoming events, newsletters and publications and your data will no longer be processed for such purposes.

c. Right to correction

You have the right to obtain correction of any inaccurate personal data about you that we have processed, update any data which is out-of-date and the right to have incomplete personal data completed, including by means of a supplementary statement.

d. Right to erasure

You have the right to obtain the erasure of personal data we have concerning you when your personal data is no longer required where:

you withdraw your consent to us processing your personal data;

your personal data no longer needs to be processed; or

your personal data has been unlawfully processed.

e. Right to Restriction of Processing

You have the right to restrict our processing activities where:

you contest the accuracy of this personal data, for a period enabling Henley & Partners to verify the accuracy of the same personal data;

our processing is deemed unlawful, and you oppose the erasure of your personal data and request restriction of its use instead;

we no longer need your personal data for the purposes stated in this Statement, but you require it for the establishment, exercising or defending of legal claims; or

you have objected to our processing pending the verification whether the legitimate grounds of our processing activities overrode those pertaining to you.

f. Right to Data Portability

As from 25 May 2018, you shall have the right to receive your personal data in a structured and machine-readable format and transmit this data to another Data Controller (as defined in the GDPR).

L. RIGHT TO WITHDRAW CONSENT

Where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, e.g. marketing, you have the right to withdraw your consent for that specific processing at any time or you may withdraw your consent to this Statement. To withdraw your consent, please contact DPO@henleyglobal.com. This will not affect the lawfulness of processing which we carried out on the basis of such consent before its withdrawal. Once we have received notification that you have withdrawn your consent, we will no longer process your information for that purpose unless we have another legitimate basis for doing so in law. Withdrawal of consent to this Statement will result in us having to terminate our services immediately.

M. QUALITY OF WEBSITE AND OVERALL EXPERIENCE

So as to improve the quality and overall user experience of the Website as well as facilitate event bookings and client event registrations, we are using Google Analytics Advertising Features, as well as Xing Events, a subsidiary brand of New Work SE, and Microsoft Dynamics CRM.

If you would like to opt-out of Google Analytics for display advertising, you may do so by using the Ads Preference Manager.

In addition, there is also a Google Analytics Opt-Out browser add-on that you can download at https://tools.google.com/dlpage/gaoptout.

You may withdraw your consent given for any of the purposes listed above at any time. This does not affect the lawfulness of the processing of your personal data for these purposes prior to your withdrawal. You may send us an email at DPO@henleyglobal.com indicating your withdrawal of consent and specifying which processing activities such withdrawal relates to.

N. COMPLAINTS

We welcome any comments, complaints and queries in relation to data protection. As indicated above you may contact our Data Protection Officer at DPO@henleyglobal.com and we shall try our best to deal with any issue or concern you may have.

If we fail to address your concerns you have the right to lodge a complaint with the Information and Data Protection Commissioner (“IDPC”) at www.dataprotection.gov.mt as the relevant national supervisory authority on all data protection matters.

O. CHANGES TO THIS PRIVACY STATEMENT

Any changes we make to this Statement in the future will be posted on this page, and where appropriate, notified to you via email.

If you have any questions regarding this Statement, or if you would like to send us your comments, please contact us today or alternatively write to us using the details below:

Henley & Partners Group Holdings Ltd

Level 4, Aragon House,

Dragonara Road,

St. Julian’s STJ 3140

Malta

Phone: + 356 2138 7400

Please check back frequently to see any updates or changes to this Statement.