Overview: Article 5 of the General Data Protection Regulation (“GDPR”) states that Personal Data must be processed lawfully, fairly and in a transparent manner. In line with the GDPR changes, we are updating our Privacy Notice so you can better understand why and how we collect, process and destroy your Data. Ridgewood Infrastructure, LLC (“RI” or “we”) is committed to protecting and respecting your privacy. This policy sets out the legal basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it.
What types of Personal Data do we collect? We may control, process and use your Personal Data, which may include names, postal addresses, email addresses, telephone numbers or any other Personal Data that you provide to us. We may also, in appropriate cases and to the extent permitted by law, control, process and use certain categories of Personal Data which are more sensitive in nature (e.g. when undertaking “Know Your Customer” (KYC) or anti-money laundering (AML) checks, we may collect information about any criminal conviction offence that you or the directors of any company might have committed).
Identity of the Company: RI and the private investment vehicles it sponsors and/or manages (the “Funds”) are joint controllers of your data. RI handles all enquiries in regard to the GDPR.
Lawful basis for Processing: Where we act as Data Controller, we rely on the following legal basis for Processing your Personal Data: (a) legitimate interests – if you or the company for which you work is an investor in one or more of our Funds (“Investor”), a business affiliate of RI and/or the Funds or our website visitor; (b) performance of contract – if you are a supplier or other vendor, contractor or business affiliate (collectively “Vendor”) or our website visitor; and (d) legal obligation – if we process Personal Data according to requirements of domestic legislation or other legal process.
Data Protection Officer: RI has no regulatory obligations under the GDPR to appoint a DPO; the Company has no DPO currently appointed. The GDPR sets out guidelines on when the appointment of a DPO shall be required as follows: (a) where the scope or purpose of collecting Data requires a regular systematic monitoring of the data subjects; (b) where RI processes Special Categories of Data on a large scale; and (c) where Processing is carried out by a public authority. RI has instead agreed to name a Responsible Officer who may be reached at firstname.lastname@example.org.
Purpose of Data collected: The personal information we collect is for the following legitimate interest: (a) provision of services to the Funds; (b) administration of the Funds’ investments; (c) promotion of ideas and events relating to services we provide; (d) accuracy of Fund records, (e) maintenance of records of communication and management of your relationship with us; (f) to respond to your inquiries; (g) to comply with any present or future law, rule, regulation, guidance, decision or directive (including those concerning anti-terrorism, fraud, AML and anticorruption); (h) to carry out, in appropriate cases, KYC checks and other procedures that we undertake prior to you becoming a Vendor or Investor; (i) prevention and detection of fraud and other illegal activity or misconduct; and (j) for informing you about compliance with legal and regulatory obligations and provide related guidance.
Legitimate Interests: We occasionally process your personal information under the Legitimate Interests’ legal basis. Where this is the case, we have carried out a LIA to ensure that we have weighed your interests and any risk posed to you against our own and that such interests are proportionate and appropriate such as for the purposes of HR, marketing and day-to-day operations.
With whom do we share our information: We will not share personal information about you with third parties without you knowing of this. We are required, by law, to sometimes pass on some of this Personal Data to: (a) law enforcement agencies; (b) financial regulators and other relevant regulatory authorities; (c) government bodies; (d) tax authorities; (e) courts tribunals and complaints/dispute resolution bodies; (f) other bodies as required by law or regulation; (g) related financial institutions such as trustees, custodians and sub-custodians; (h) insurers; (i) fraud protection agencies; and/or (j) similar suppliers or service providers.
To fulfill our contractual obligations to the Funds, Vendors and other business partners, RI may sometimes pass information to: (a) IT services, including Investor relationship management platforms; (b) intragroup to related affiliates also working on providing related services; (c) placement agents; (d) legal counsels; and (e) Fund administrators.
International transfer outside the European Economic Area (“EEA”): RI is a US based organization that may from time to time have to transfer personal information outside of the EEA for the reasons of, the performance of its contractual, regulatory and legal obligations, reasons of public interest, to establish, exercise or defend legal claims. In these cases, we will follow the GDPR guidelines in protecting the transfer of Data to countries outside the EEA to ensure that the level of Data protection afforded to individuals by the GDPR is not undermined.
RI will only transfer Personal Data outside the EEA if one of the following conditions applies: The European Commission has issued a decision that the country to which we transfer the Personal Data ensures an adequate level of protection for the data subjects. This refers to (individual’s resident rights and freedoms); appropriate safeguards are in place such as BCRs, standard contractual clauses approved by the EC, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Responsible Officer; the Data Subject has provided Explicit Consent (i.e. where permission has been given by the Data Subject in writing to the proposed transfer after being informed of any potential risks).
Retention: We will keep your Personal Data for no longer than reasonably necessary to comply with applicable laws, rules and regulations and fulfill our contractual obligations. We will retain your personal information in accordance with legal and regulatory requirements as set out in our data retention policies.
Your rights and your Personal Data: You have a right to request a copy of your Personal Data which the RI or related Data Controller holds about you; to request RI or any related Data Controller to correct any Personal Data if it is found to be inaccurate or out of date; to request your Personal Data is erased where it is no longer necessary for RI or related Data Controller to retain such Data and not to be subject to a decision based on automated processing; the Company does not currently practice such decision-making.
Further Processing: Where we may seek to further process your Data other than for the original purpose for which it was collected, RI shall only further process such Data where the new Processing is compatible with the original purpose.
Safeguarding measures: We take your privacy seriously and take every reasonable measure and precaution to protect and secure your Personal Data. Together with our vendors and site managers, we work hard to protect you and your information from unauthorized access, alteration, disclosure or destruction and have security measures in place, including, without limitation, encryptions.
- locks down the core files so they cannot be overwritten with a hacker’s infected code
- keeps WordPress up to date automatically
- ensures that all users use strong passwords
- blocks intruders with intelligent IP blocking by monitoring popular points of entry and keeping a database of malicious IP addresses
- provides no-cost and timely malware removal services in the event of a website hack
Special Categories of Data: Owing to the products and services that we provide the Funds, such as performance of AML, KYC and other background checks, we sometimes need to process Data which are deemed to be more sensitive in nature. However, we do not intend to process any Special Categories of Personal Data under Article 9 of the GDPR. Where we collect such information, we will only request and process the minimum necessary for the specified purpose and identify a compliant legal basis for doing so. If we have to rely on your consent for Processing Special Categories of Data, we will obtain your explicit consent through electronic means.
When we use third parties to collect personal information, we list those third parties and provide a link to their website. For more information, please refer to those organizations and their privacy policies.
Changes to our Privacy Notice: Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate, you will be notified by email.