Data Protection & Compliance Policy

Alba Capital | privacy@albacapital.com

Effective Date: January 1, 2026

Last Updated: January 1, 2026

This Data Protection and Compliance Policy sets out the obligations of Alba Capital regarding data protection and the rights of data subjects in connection with the processing of their personal data. This Policy is intended for internal use and as a public-facing statement of our commitment to data protection.

1. Purpose and Scope

This Policy applies to:

  • All personal data processed by Alba Capital
  • All employees, contractors, consultants, agents, and other individuals acting on behalf of Alba Capital
  • All systems, platforms, and processes used to collect, store, or process personal data

The Policy covers data processed by automated means and data held in structured manual filing systems.

2. Data Protection Principles (GDPR Art. 5)

In accordance with the GDPR, all personal data must be:

  • Processed lawfully, fairly, and in a transparent manner (Lawfulness, Fairness and Transparency)
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose Limitation)
  • Adequate, relevant, and limited to what is necessary in relation to the purposes (Data Minimisation)
  • Accurate and, where necessary, kept up to date (Accuracy)
  • Kept in a form that permits identification of data subjects for no longer than is necessary (Storage Limitation)
  • Processed in a manner that ensures appropriate security (Integrity and Confidentiality)

Accountability Principle (Art. 5(2)): Alba Capital is responsible for, and must be able to demonstrate compliance with, all of the above principles.

3. Lawful Basis for Processing

Before processing personal data, we identify and document the appropriate legal basis. Our processing activities rely on the following bases under Article 6 GDPR:

  • Consent — freely given, specific, informed, and unambiguous. We maintain records of consent and provide easy withdrawal mechanisms.
  • Contract — processing necessary for a contract with the data subject.
  • Legal Obligation — compliance with EU or Member State law.
  • Legitimate Interests — we conduct a Legitimate Interests Assessment (LIA) and ensure the data subject's interests do not override ours.

For special category data (Article 9 GDPR), we rely on explicit consent or other applicable conditions and document this separately.

4. Rights of Data Subjects

We maintain documented procedures to handle data subject requests within statutory timeframes:

  • Right of access (Art. 15): respond within 1 month; provide copy of data and supplementary information
  • Right to rectification (Art. 16): correct inaccurate data without undue delay
  • Right to erasure (Art. 17): fulfil requests unless a legal basis for retention applies
  • Right to restriction (Art. 18): restrict processing pending verification or objection
  • Right to data portability (Art. 20): provide data in machine-readable format where applicable
  • Right to object (Art. 21): cease processing unless compelling legitimate grounds exist
  • Rights in relation to automated decision-making (Art. 22): individuals are not subjected to solely automated decisions producing legal or similarly significant effects without human oversight

4.1 Responding to Requests

All requests must be acknowledged within 72 hours and fulfilled within 30 calendar days. Extensions up to 2 additional months are permissible for complex or numerous requests, with notice to the data subject. Requests are to be directed to: privacy@albacapital.com

5. Data Retention and Deletion

We maintain a Data Retention Schedule that specifies the retention period for each category of personal data and the criteria used to determine that period. At the end of the retention period, data is securely deleted or anonymised.

  • Retention periods are based on: legal obligations, contractual necessity, business need, and limitation periods for legal claims
  • Annual reviews of the Retention Schedule are conducted by the Data Protection Officer / Legal Team
  • Secure deletion procedures are applied to both digital and physical records

6. Data Security

6.1 Technical Measures

  • Encryption of personal data at rest and in transit (TLS 1.2+ / AES-256 or equivalent)
  • Access controls and least-privilege principles (role-based access control)
  • Regular vulnerability assessments and penetration testing
  • Multi-factor authentication for systems processing personal data
  • Automated logging and monitoring of access to personal data

6.2 Organisational Measures

  • Data protection training for all staff upon onboarding and annually thereafter
  • Confidentiality obligations for all staff and contractors
  • Information security policies and acceptable use policies
  • Physical security controls for premises and physical records
  • Third-party due diligence and Data Processing Agreements (DPAs)

7. Personal Data Breaches

In the event of a personal data breach, we follow the procedures below in compliance with GDPR Articles 33-34:

  • Identification: any suspected or confirmed breach must be reported immediately to the Data Protection Officer / designated contact
  • Assessment: severity and scope of the breach are assessed within 24 hours
  • Notification to supervisory authority (Art. 33): if the breach is likely to result in a risk to data subjects' rights and freedoms, we notify the relevant supervisory authority within 72 hours of becoming aware
  • Notification to data subjects (Art. 34): where the breach is likely to result in a high risk, we notify affected individuals without undue delay
  • Documentation: all breaches are documented in our breach register, including near-misses

8. Data Protection by Design and Default

In accordance with Article 25 GDPR, data protection considerations are embedded in new systems, processes, and products from the outset:

  • Privacy Impact Assessments (PIAs) / Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities
  • Privacy-enhancing technologies (PETs) are considered and implemented where appropriate
  • Data minimisation and pseudonymisation are applied wherever technically feasible
  • Default settings are always privacy-friendly

9. Third-Party Processors and International Transfers

9.1 Data Processing Agreements

We only engage third-party processors that provide sufficient guarantees of GDPR compliance. A Data Processing Agreement (DPA) is in place with each processor, containing the mandatory provisions of Article 28 GDPR, including:

  • Processing only on documented instructions
  • Confidentiality obligations
  • Security measures
  • Sub-processor restrictions
  • Data subject rights assistance
  • Deletion or return of data on termination

9.2 International Data Transfers

Transfers of personal data outside the EEA are only made where appropriate safeguards are in place, including:

  • Adequacy decision by the European Commission
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)

A Transfer Impact Assessment (TIA) is conducted where required prior to any transfer.

10. Data Protection Officer (DPO)

We have appointed a Data Protection Officer who is responsible for overseeing compliance with this Policy and applicable data protection law. The DPO can be contacted at:

Data Protection Officer, Alba Capital

Email: privacy@albacapital.com

11. Policy Review and Governance

This Policy is reviewed at least annually or following:

  • Material changes to processing activities
  • New regulatory guidance or enforcement decisions
  • A significant data breach or near-miss incident

Ownership of this Policy sits with the Data Protection Officer / Legal Counsel / Head of Compliance. Any questions about this Policy should be directed to privacy@albacapital.com.

12. Compliance Checklist

Use this checklist to verify ongoing compliance:

  • Records of Processing Activities (RoPA) maintained and up to date (Art. 30)
  • Privacy notices reviewed and published on the website
  • Consent records maintained with timestamps and withdrawal mechanisms in place
  • Data Retention Schedule reviewed within the last 12 months
  • DPAs signed with all third-party processors
  • Staff data protection training completed and recorded
  • DPIA conducted for high-risk processing activities
  • Breach register maintained and response procedures tested
  • Supervisory authority registration (if required) completed and current
  • DPO appointed and contactable (if required)

Document Control

Document Owner: Data Protection Officer | Version: 1.0 | Review Date: January 1, 2027