Contact

Privacy Policy

INTRODUCTION

In compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter “GDPR”) regulating the duty of transparency of the data controller regarding the data obtained from the interested party, Ithaka Infrastructure Partners SGEIC, S.L. (hereinafter, “ITHAKA”) informs users of its website https://ithaka.com through this Privacy Policy about the processing and protection of personal data of users that may be collected through their browsing or contracting of services they perform on this portal.

The website’s use by the user implies its acceptance of this Privacy Policy.

ITHAKA adopts the necessary measures to guarantee the security, integrity and confidentiality of the data in accordance with the provisions of the GDPR, and in those cases not provided for by the GDPR, by Organic Law 3/2018 of December 5, on the Protection of Personal Data and guarantee of digital rights, Royal Decree 1720/2007, of December 21, which approves the Regulations for the development of the Organic Law on Data Protection, and Law 34/2002, of July 11, on Information Society Services and Electronic Commerce.

Through the registration forms on this website or by sending emails, personal data necessary for the management and maintenance of some of the services provided is collected and processed from each user, and such collection and processing is governed by this Privacy Policy.

WHO IS RESPONSIBLE FOR YOUR DATA

Data Controller: The controller of your personal data within the framework of your contractual and business relationships with us is Ithaka Infrastructure Partners SGEIC, S.L.

DATA PROTECTION OFFICER

ITHAKA has appointed a Data Protection Officer, who will assist you with any questions regarding the processing of your personal data and the exercise of your rights. You can contact the Data Protection Officer with any suggestions, questions, concerns, or complaints at the following email address: gdpr@ithaka.com.

DATA CATEGORIES

At ITHAKA, we will process various personal data to manage the contractual relationships you establish with us, to carry out the rest of the data processing arising from your status as a client, and, if you have given us your consent, to also process your data for the activities detailed in section 5.1.

Personal data that may be processed include:

Data you have provided to us when registering for your contracts or during your relationship with us through interviews or forms. This data includes:

  • Identification data: name, surname, date and place of birth, national identity document number or equivalent, information contained in the identity document, postal and electronic address, telephone number(s), nationality, country of residence and signature.
  • Transactional data: bank account number, information on deposits, refund, and transfers made to or from said account, as well as details associated with said transactions (date, location, concepts, amounts, recipients, and transaction categories).
  • Financial data: invoices, income, payroll, payment habits, credit score, debt capacity, contracted financial products, registration in solvency files and possible late payments, contracted products and services, relationship with the product (status of owner, authorized or representative), MiFID category.
  • Socioeconomic data: marital status, existence of offspring, age, sex, assets, tax and fiscal information, educational level, employment status and occupation, employer.

Data that you have not provided directly to us, obtained from publicly accessible sources, public records, or external sources. This data includes:

  • Solvency and wealth data obtained from Asnef and Badexcug files.
  • Data on risks held in the financial system obtained from the Bank of Spain’s Central Risk Information Database (CIRBE).
  • Data of individuals or entities that are included in laws, regulations, guidelines, resolutions, programs or restrictive measures regarding international economic and financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, the United Kingdom and/or the US Department of State of the Treasury’s Office of Foreign Assets Control (OFAC).
  • Land Registry or statistical data obtained from companies that provide socioeconomic and demographic statistical studies associated with geographic areas or postal codes, not with specific individuals.

WHAT PROCESSING WE CARRY OUT WITH YOUR DATA

We will process your data in a variety of ways and for different purposes and on different legal bases:

  • Consent-based treatments
  • Treatments necessary for the execution of contractual relations
  • Treatments necessary to comply with regulatory obligations
  • Treatments based on legitimate interest

Consent-based treatments

The legal basis for these treatments is your consent, as established in Article 6.1.a) of the General Data Protection Regulation (GDPR).
We may have requested your consent through various channels, for example, during the interview during which you registered as a client or through our electronic channels.

The treatments based on your consent are the following:

  • Manage invitations to events organized by the Management Company.


Treatments necessary for the execution of contractual relations

The legal basis for this data processing is that it is necessary to manage the contracts you request or to which you are a party, or to implement, at your request, pre-contractual measures, as established in Article 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, these are necessary processing processes for you to establish and maintain contractual relationships with us.

The treatments necessary for the execution of contractual relations are indicated below:

  • Manage, maintain, control, and develop the pre-contractual or contractual relationships, including investments and divestments in the Fund, as well as the collection and/or invoicing of services rendered.
  • Communicate to third-party entities or bodies, both national and foreign (for example, the depositary), the data necessary for the establishment, maintenance, performance, and execution of the contractual relationship with the Company and, where applicable, with such entities.
  • Management of questions and complaints addressed to the Company.
  • Communications with the Investor and/or their legal representatives regarding the progress of the investment.


The lack of provision of such personal data may result in the impossibility of initiating or continuing said contractual relationship.

Treatments necessary to comply with regulatory obligations

The legal basis for these data processing operations is that they are necessary to comply with a legal obligation that we are required to fulfill, as established in Article 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, they are necessary for you to establish and maintain contractual relationships with us. If you object to them, we would have to terminate those relationships, or we would not be able to establish them if we had not yet initiated them.

  • Comply with the laws, regulations, agreements, treaties, or other Spanish and foreign regulatory obligations applicable to the Company and/or to the relationship the Company maintains with the client as a result of their investment in the Fund, as well as with any type of internal policies and regulations to which the Company is subject (for example, reporting obligations, investor awareness studies, or those arising from anti-money laundering regulations, to the extent applicable).
  • Obtain and verify your personal identification data, as well as data regarding your economic activity, if it is necessary to carry out the appropriate checks directly or through the relevant authorities, in accordance with the provisions of the legislation in force at any given time on anti-money laundering, as well as for reasons of essential public interest, based on such legislation.
  • Communicate data and information to public authorities, official bodies, regulators, governmental agencies, or judicial or administrative authorities of other countries within and outside the European Union, when these or national regulations or international agreements or treaties signed by Spain so require, in order to comply with applicable legal, tax, or regulatory obligations, or pursuant to “ad hoc” information requests received from any of the above.
  • To manage the whistleblowing channel, in accordance with the provisions of Law 2/2023, of 20 February, regulating the protection of persons who report breaches of the law and the fight against corruption, in order to ensure compliance with internal and external regulations. Whenever the whistleblowing channel is used and the specific data protection policy has been accepted.

Processing based on ITHAKA’s legitimate interest

The legal basis for these processing operations is the pursuit of legitimate interests by ITHAKA or a third party, provided that these interests are not overridden by your interests or your fundamental rights and freedoms, as set out in Article 6.1.f) of the General Data Protection Regulation (GDPR).

Carrying out these processing operations will require us to weigh your rights against our legitimate interest, concluding that the latter prevails. Otherwise, we will not process the data.

The processing activities related to legitimate interest are as follows:

  • Prevent, detect, investigate, uncover, and, if necessary, report possible fraud to third parties, in order to identify those involved in fraudulent activities and to take the necessary measures.
  • Analyze, record, and develop the administrative management of data for control needs and/or purposes, and in particular, for the control, management, evaluation, and measurement of operational risks, as well as for statistical and security reasons, ensuring the continuity of IT operations, logistical infrastructure, and providing partner companies and third parties with the personal data strictly necessary to achieve these purposes.
  • Review and optimize internal procedures in order to assess needs in the context of negotiations and the relationship between the Company and the client.
  • Undertake legal actions and defend the Company’s interests in judicial and/or administrative proceedings in which it is involved and to prevent and investigate criminal actions. Likewise, within the framework of judicial and/or administrative proceedings in which (i) legal action is threatened or has been taken, or which involve criminal charges against the Company; or (ii) in relation to claims filed by the Company against a client (including, where appropriate, the enforcement of formalized guarantees); and/or (iii) in the event of public criticism by the client against the Company, through any media or social network, both within and outside Spain.
  • Offer other investment opportunities that the Company considers may be of interest to the client, through commercial and/or advertising actions or communications, including electronic or equivalent communications.
  • Carry out mergers, acquisitions, and corporate restructurings.


We also remind you that you have the right to object to processing based on legitimate interest, by sending an email to gdpr@ithaka.com.

WITH WHOM AND WHY YOUR DATA IS SHARED

In order to fulfill the purposes detailed in section 6.3, personal data may be shared with third parties.

These third parties act as data processors and manage the information exclusively to provide a service. In these cases, these entities may not use the information for their own purposes and are required to delete or return it once the service is completed.

In other cases, the receiving entities act as assignees, becoming responsible for the processing of the information. In most of these situations, these are public entities.

In the event that there are third parties directly and/or indirectly involved with the service provided by the Company, but whose relationship with the Client/Investor is direct, in such cases, the client/investor, or their representative, must take into account the privacy policies established by those third parties with whom they have a direct relationship.

Transfer of data in compliance with legal obligations

  • Communicate identifying data and information regarding active risks to the Bank of Spain’s Risk Information Center (CIRBE), including, where applicable, the status of self-employed person.
  • Consult the background information and records registered by this organization regarding associated risks and credits.
  • Communicate personal data to the financial ownership file managed by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses.
  • Economic activity may be verified through information provided by the General Treasury of Social Security or the Tax Agency, in order to comply with legal obligations regarding labor or taxes.
  • Data may be provided to competent judicial, tax, supervisory and government authorities.

Transfer of data to service providers and other third parties

These are service providers who could assist with activities such as:

  • The design, development and maintenance of tools and applications available on the Internet.
  • The provision of IT services, including cloud-based application or infrastructure services.
  • The organization of events or marketing activities and the management of communications.
  • The preparation of reports and statistics, as well as product materials and designs.
  • The placement of ads on apps, websites, and social media.
  • The provision of legal, auditing, or other specialized services by lawyers, notaries, administrators, auditors, or professional advisors.
  • Providing services for the identification, investigation, and prevention of fraud or other misconduct through specialized companies.
  • The provision of specific services, such as mailing, filing physical documents, or hiring external service providers.
  • The execution of securitization agreements, as administrators, investors or advisors.
  • Credit institutions for the purpose of collaborating in management functions and for the payment of services rendered.
  • Entities operating in the financial sector, in order to obtain loans and/or related guarantees.
  • Insurance companies, in order to cover the risks associated with the operations of the Fund and/or the Company.

CATEGORIES OF INTERESTED PARTIES

This applies to clients/investors—existing or potential—their representatives and lawyers, ultimate beneficial owners, contact persons, and/or third parties whose personal data are provided by the signatory.

In the event that the signatory is required to provide personal data of third parties, such as contact persons or ultimate beneficial owners, the signatory undertakes to comply with all obligations required by data protection regulations to communicate their personal data to the Company and to inform them of the possibility of exercising their rights against the Company.

DATA RETENTION PERIOD

Conservation for the maintenance of Contractual Relations
We will process your data for as long as the contractual relationships we have established remain in force.

Preservation of authorizations for consent-based processing
We will process data based on your consent until you revoke it.

Conservation for compliance with legal obligations and formulation, exercise and defense of claims
Once you revoke your consent to use your data, or once the contractual or business relationship you have established with us has ended, we will retain your data only to comply with legal obligations and to allow for the formulation, exercise, or defense of claims during the statute of limitations for actions arising from the contractual relationship.

We will process this data using the necessary technical and organizational measures to ensure that it is used only for these purposes.

The maximum period for retaining personal data after the termination of the contractual relationship is ten (10) years. This period may be reduced or extended as appropriate, subject to legislative changes that may affect the Company’s activities.

Data destruction
We will destroy your data once the retention periods imposed by the regulations governing ITHAKA’s activity and the statute of limitations for administrative or judicial actions arising from the relationship established between you and us have elapsed.

DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA

The Management Company may transfer your personal data to data recipients located in third countries (outside the territory of the European Economic Area) provided that the European Commission has determined that the country where the recipient is located provides an adequate level of protection for personal data, for example, the United Kingdom, or where appropriate safeguards required by applicable law are in place, for example, through the execution of standard contractual clauses approved by the European Commission to ensure an adequate level of protection, with exceptions for specific situations where appropriate.

Therefore, in the event that a transfer of personal data to third parties located outside the European Economic Area (EEA) takes place, the necessary security measures to protect such information are guaranteed.

  • The requirements established in the applicable regulations and current local legislation.
  • The European Union (EU) standard contractual clauses are used to ensure that data transfers outside the EEA comply with the General Data Protection Regulation (GDPR).
  • The European Commission’s adequacy decisions, which determine whether a country outside the EEA ensures an adequate level of protection of personal data.


The data subject may obtain more information about international data transfers, as well as a copy of the contractual agreements used (for example, standard contractual clauses approved by the European Commission), by contacting gdpr@ithaka.com.

PROFILES AND AUTOMATED DECISIONS

The Company may need to develop profiles in order to comply with its legal and regulatory obligations, for example, for anti-money laundering and fraud prevention purposes, as well as to assess your investor profile.

Under no circumstances will such profiles be created by automated means. However, if, during the Contractual Relationships you maintain with us, we adopt decisions that could produce legal effects on you or could significantly affect you based solely and exclusively on automated processing, we will inform you about this, as well as the logic by virtue of which we have adopted it, in the contractual documentation for the product or service you have requested from us.

At that time, we will also take steps to safeguard your rights and interests by providing you with the right to obtain human intervention, express your point of view, and challenge the decision.

RIGHTS OF INTERESTED PARTIES

The user may exercise at any time, under the terms established in current legislation, the following rights:

  • Access: obtain information about whether or not your personal data is being processed and, if so, to know what data it is, the purposes, the third parties, the retention period, and other relevant information.
  • Rectification: correct your personal data when it is inaccurate, and complete it when it is incomplete.
  • Deletion: obtain the deletion of your personal data when it is no longer necessary, consent has been withdrawn, processing is unlawful, or other legal grounds apply.
  • Objection: refuse processing based on legitimate interest, for reasons related to your particular situation.
  • Refusal to be subject to automated individual decision-making: refuse decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect you.
  • Limitation of processing: have data not processed temporarily or processed on a limited basis in specific cases.
  • Portability: receive your personal data in a structured, commonly used and machine-readable format and transmit it to another controller.


The user may exercise these rights by contacting ITHAKA by sending an email to gdpr@ithaka.com.

To effectively exercise these rights, the user must prove their identity by providing their full name, a photocopy of their ID or equivalent identification document, a detailed request, a notification address, and the date and signature of the applicant.

Likewise, the user may file a complaint with the Spanish Data Protection Agency (the competent Control Authority in this matter), especially when they have not obtained satisfaction in the exercise of their rights, by writing to the same, C/Jorge Juan, nº 6, 28001 – Madrid, or through the website: https://www.agpd.es

REVISION

We will review this Privacy Policy whenever necessary to keep you informed, for example, when new rules or criteria are published or new processing is carried out.

We will notify you through our usual communication channels whenever there are substantial or important changes to this privacy policy.