Abingworth Privacy Policy Statement

1. Introduction

The information contained in this privacy policy statement is intended to provide you with details of how we may collect and process your personal data from time to time and the circumstances giving rise to the request and receiving of data.

Abingworth LLP acts as a data controller and processor. Abingworth is referred to as “Abingworth”, “the firm”, “we”, “us” or “our” in this privacy policy statement.

2. Contact details

If you have any questions about our Privacy Policy please contact us by writing to the General Counsel, Abingworth LLP, 38 Jermyn Street, London SW1Y 6DN; or by emailing privacy@abingworth.com or telephoning 020 7534 1500.

3. Personal data we may collect about you

Where we collect data that identifies an individual this is classed as “personal data”. Personal data may include (but is not limited to) a name, date of birth, contact address and telephone number.

The types of personal data we may request are:

• Full name and title including any previous names
• Photographic proof of identity (typically passports or photo driving licences)
• Proof of address (utility bill)
• Contact information such as residential address, email address and telephone numbers
• Tax information (unique tax reference number and national insurance number)
• Information regarding your investment experience, wealth, source of funds and bank details
• Information regarding your knowledge of investment and types of transactions undertaken
• Employment history and salary details
• Information we learn from you such as requests, transactions, services provided or offered, any advice or recommendations made, a log of meetings, telephone recordings (where permitted and required for regulatory purposes) as well as email exchanges
• Internet browsing behaviour data, by use of cookies (please see the Cookies Policy).

The above list is not exhaustive and we may periodically require additional information in order to satisfy our legal and regulatory obligations. Where additional information is required we will provide you with a reasonable explanation of why it is required unless we are prevented from doing so by law.

4. Special category data

Special category data refers to any data that is sensitive and is subject to additional rules and requirements under the General Data Protection Regulations (GDPR). Special category data may include information regarding: criminal convictions and offences, race, ethnicity, religious or philosophical beliefs, political opinions, sexual orientation, trade union membership and information about your health, genetic and biometric data.

As a general rule we do not collect any Special Category Data about you. However, we are required to request information relating to criminal convictions as part of our recruitment process for staff and contractors undertaking regulated activities and as such we require consent from the individual for this. If we are required by law to request any special category data from you, aside from the reasons mentioned above we will provide you with a reasonable explanation as to the nature and purpose for this request and obtain your consent. We would not be able to proceed without your consent unless there was a lawful reason for doing so.

5. How we collect your personal data

Typically, where we are required to obtain your personal data we will request it from you. However, we may also from time to time receive your personal data through intermediaries where you have authorised the sharing of your personal data with us. Intermediaries may include accountants and solicitors who may be working on your behalf. Personal data may be provided to us via post, in person, email or via a specially created secure data room / platform. The data we collect may be facilitated by way of completing an application form or by responding to information requests from us. We may also receive information from publicly available resources.

6. Why we collect your personal data

We only collect your personal data where we believe we have a legitimate business interest with you or we have a lawful purpose to do so. These reasons may include but may not be limited to circumstances where you:

• are a limited partner in a fund managed by Abingworth
• are involved with a current prospective or exited portfolio company (e.g. as a management team member)
• request services from us
• consent to receiving communications from us
• have a contractual agreement with us
• request resources be sent to you
• give us feedback, or some other form of legitimate business interest with you.

7. How and why we use your personal data

Typically, we only use your data to be able to perform our duties under contracts we may have with you or where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may process your personal data for more than one lawful ground, depending on the specific purpose for which we are using your data. Generally, we do not rely on consent as a legal ground for processing your personal data, other than in relation to sending marketing communications to you via email or text message.

8. Marketing communications

You will receive marketing communications from us if you have:

• requested information from us or have a contractual agreement with us; or
• if you provided us with your details and have positively consented to us sending you marketing communications; and
• in each case, you have not opted out of receiving that marketing.

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

You have the right to withdraw consent to marketing at any time by emailing us at privacy@abingworth.com. When you opt out of receiving our marketing communications, this will not apply to communication we make with you in relation to a legitimate business interest or lawful purposes, such as the performance of a contract we may have with you.

9. Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal grounds for this. We may process your personal data without your knowledge or consent only where this is required and permitted by law.

10. Sharing and disclosure of your personal data

We may share your personal data with the parties set out below for legitimate business interests and lawful purposes, these may include but are not limited to:

• Other companies in our group
• Fund, IT and system administration service providers
• Professional advisers including lawyers, bankers, auditors, tax advisors and insurers who provide consultancy, banking, legal, insurance, tax and accounting services
• HM Revenue & Customs, regulators and other authorities based in the United Kingdom and other relevant jurisdictions who require reporting of processing activities in certain circumstances which may include but is not limited to the Financial Conduct Authority

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

11. International transfers

Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.

Please email privacy@abingworth.com if you like further information regarding international transfers or visit the ICO (Information Commissioner’s Office) website https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international

12. The security of your data

We have put in place adequate, proportionate and appropriate security measures as is required of an authorised firm to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with data breaches in accordance with the GDPR and we will notify you and any applicable regulator of a breach where we are legally required to do so.

13. Data retention periods

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we must keep basic information about our customers (including contact, identity, financial and transaction data) for six years for tax purposes and for at least five years after a client ceases to be a client under the UK money laundering regulations 2017. We must also keep all business records and communications for at least five years as an Investment Adviser registered with the US Securities and Exchange Commission.

In some circumstances we may pseudonymise your personal data for statistical purposes in which case we may use this information indefinitely without further notice to you.

14. GDPR personal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:

• Request access to your personal data (subject access request)
• Request correction of your personal data
• Request erasure of your personal data
• Object to processing of your personal data
• Request restriction of processing your personal data
• Request transfer of your personal data
• Right to withdraw consent

For further information visit or if you wish to exercise any of the rights set out above, please email us at privacy@abingworth.com.

You will not have to pay a fee to access your personal data, or to exercise any of your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. In order to respond to a subject access request, we will need to confirm your identity as a security measure to safeguard you from your personal data from being disclosed to non-authorised third parties. Please provide us with as much information as possible to enable us to comply with your request within an acceptable time-frame. We are required to respond to subject access requests where practically possible within 30 days and if this is not possible we will provide you with a reasonable explanation as to why this cannot be achieved.

15. Accurate data

We will make all reasonable efforts to ensure the data we hold on you is accurate and up to date and to correct any inaccuracies that we become aware of. Please help us to comply with our obligations by letting us know of any changes in relation to the data we hold about you as It is very important that the information we hold about you is accurate and up to date. Please email privacy@abingworth.com with any required updates or amendments.

16. Complaints and queries

If you are not happy with any aspect of how we collect and use your data, please contact privacy@abingworth.com and we will do our best to resolve your issue. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

May 2018