Data Privacy Notice Sangha Capital Fund III

In accordance with the provisions of the Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (“GDPR”) and any law, circular or regulation in the context of
GDPR, as amended from time to time, personal data may be processed by Sangha Capital
Fund III (the “Fund”), Sangha CVP (the “General Partner”) and their service providers,
when relevant.
‍
In accordance with articles 13 and 14 of GDPR, some information, as detailed in the present
notice, must be provided by the data controller to the Data Subjects.
‍
Data Subjects should be understood as identified or identifiable natural persons whose
personal data is processed by the Fund such as (i) the investors of the Fund, their ultimate
beneficial owners, directors, agents, authorised representatives, their designated contact
persons (the “Investors”), (ii) the ultimate beneficial owners, directors, agents, authorised
representatives, and designated contact persons of the portfolio investments of the Fund, (iii)
the ultimate beneficial owners, directors, agents, authorised representatives, and designated
contact persons of the General Partner and Fund’s service providers, (iv) natural persons
reaching out through Sangha website such as prospective portfolio investments (all together
to be referred to as the “Data Subjects”).
‍
Personal data should be understood as any information (as more detailed in section 2.2.
below) relating to an identified or identifiable Data Subject (the “Personal Data”).

2.1 Who is the data controller and who to contact?

The Fund is the data controller, determining the purpose and means of processing.
‍
The data controller collects, stores and processes by electronic or other means the Personal
Data supplied by the Data Subjects, for the purpose of fulfilling the services related to an
investment in the Fund by the Investors, the Fund making an investment in a portfolio
company, for the Fund and its service providers to comply with their legal obligations, and
when Data Subjects reach out to the Fund for instance prospective portfolio investments
reaching out through Sangha’s website.
‍
Data Subjects who wish to contact the data controller should contact:

Sangha Capital Fund III
58, Rue Charles Martel,
L - 2134 Luxembourg,
Grand Duchy of Luxembourg
Attn: Data Protection team
Or by Email to: berta@sanghacapital.co
‍
You have the right to lodge a complaint at any time to the competent supervisory authority
on data protection matters, such as in particular the supervisory authority in the place of your
residence or your place of work. In the case of Luxembourg, this is the Commission
Nationale pour la Protection des Données (“CNPD”). We would, however, appreciate the
opportunity to deal with your concerns before you approach the supervisory authority, so
please contact us in the first instance.

2.2 What kind of Personal Data is processed?

Personal Data includes, but it is not limited to: the name, address, passport or identification
card details, bank account details, granted amount and financial situation of each Data
Subject.
‍
In particular the Personal Data of the Data Subjects processed includes, but it is not limited
to, the following categories:
‍
• Identification data (e.g. name, date of birth, place of birth, gender, marital status, e-mail,
postal address, telephone number, country of residence, passport, identity card, tax
identification number and bank account details).
• Contact details.
• Source of wealth.
• Any other information provided by the Data Subjects in the context of services provided to/by
them.

2.3 How do we receive your Personal Data and who are the recipients?

Certain Personal Data shall be collected, recorded, stored, adapted, transferred or otherwise
processed. The Personal Data processed is received through the business relationship with
the Data Subject. The Fund receives the Personal Data either directly from the Data Subject
or through their service providers.
‍
The following parties may have access to the Personal Data:
‍
• The Fund
• The General Partner
• Stonehage Fleming Luxembourg S.A.
• Canopia de Arán Holding, S.L.
• PricewaterhouseCoopers Luxembourg
• Other processor(s) that Sangha Capital Fund III may have; and
• Any affiliates or delegates of the foregoing, the employees of those entities, the
appointed legal and professional advisers of those entities may also have access to
the Personal Data, in connection with the operations of the Fund.
‍
The data controller may sub-contract to another entity, the data processor (such as the
service providers), the processing of Personal Data. The data processors may also engage
sub-processors.
‍
When the data controller uses data processors (such as the service providers), the data
controller shall ensure that such data processors provide sufficient guarantees to implement
appropriate technical and organisational measures and that such processing on behalf of the
data controller complies the requirements of GDPR and ensure the protection of the rights of
the Data Subjects.
‍
Where Personal Data is not collected directly from the Data Subjects, the person providing
the Personal Data shall ensure that Data Subjects are informed about the processing of their
Personal Data, their rights, how to exercise them and the information provided

3.1 For the purposes of a contractual obligation

We process your Personal Data in relation to your investment in the Fund. The information
required is necessary for you to make an investment in the Fund.

In this regard Personal Data may be processed for the following purposes:
‍
• Maintaining the register of partners of the Fund
• Processing subscriptions and redemptions of partnership interests and payments of
distributions to limited partners of the Fund
‍
We process your Personal Data in relation to the services you provide to the Fund.
‍
We process your Personal Data in relation to the Fund making a portfolio investment.

3.2 For compliance with laws and regulations

The Fund, the General Partner, the service providers and any of their affiliates are subject to
various legal obligations pursuant to statutory (e.g. laws of the financial sector, anti-money
laundering and combating the financing of terrorism laws, tax laws) and regulatory
requirements.
‍
This covers our processing of your Personal Data for compliance with applicable laws such
as the applicable legislation on Know-Your-Customer (“KYC”) and anti-money laundering
and combating the financing of terrorism (“AML/CFT”), compliance with requests from or
requirements of local or foreign regulatory enforcement authorities, tax identification and
reporting (where appropriate) notably under Council Directive 2011/16/EU on administrative
cooperation in the field of taxation (as amended by Council Directive 2014/107/EU), the
OECD’s standard for automatic exchange of financial account information commonly
referred to as the Common Reporting Standard, for Foreign Account Tax and Compliance
Act purposes, for the automatic exchange of information and any other exchange of
information regime to which we may be subject to from time to time.
‍
Your Personal Data may be shared with Luxembourg tax authorities (or service providers for
the purpose of reporting) and may be forwarded by the latter to foreign tax authorities (failure to provide correct information to us or to respond may result in incorrect or double reporting).

3.3 Upon your request

We process your Personal Data in relation to your interest to contact the Fund, following
your request through our website.

3.4 Automated decision making

Data Subjects should note that Personal Data shall not be used for direct marketing,
profiling, or automated decision making.

Your Personal Data will be kept in a form which permits its identification for the duration of
the service for which it was collected (i.e. for the duration of your investment in the Fund or
portfolio investment made by the Fund, or the duration of your mandate) and for the length of
time required by applicable law.
‍
Luxembourg laws relating to KYC and AML/CFT requires that documents be retained for a
period of five (5) or ten (10) years (depending on the specific processing) after the
relationship has come to an end and in light of any statute of limitation.

Each Data Subject has:
‍
a) A right to access his/her Personal Data processed by or on behalf of the data controller. Data
Subjects should send their requests as set out in section 2.1.
‍
b) A right to have his/her Personal Data rectified if they are incorrect or incomplete.
‍
c) A right to request the erasure (right to be forgotten) of his/her Personal Data in
accordance with the provisions of article 17 of the GDPR including in the following
situations: (i) where the Personal Data is no longer necessary in relation to the
Investor’s subscription in the Fund, the portfolio investments of the Fund, the request
through the website or the service being provided, and (ii) the Data Subject objects to
the processing of his/her Personal Data and there are no overriding legitimate
grounds for the processing, and (iii) where the data has been unlawfully processed.
‍
d) A right to request a restriction of the processing in accordance with the provisions of
Article 18 of the GDPR.
‍
e) A right to lodge a complaint with the CNPD or the relevant authority of the Member
State in which the Data Subject resides or works in accordance with the provisions of
Article 77 of the GDPR.
‍
f) A right to receive the Personal Data concerning him or her or to request that it be
transmitted to another data controller, when feasible, in accordance with the
provisions of article 20 of GDPR.
‍
To make any of the above requests you need to put the request in writing addressing it as
set out in section 2.1 of this notice.

Personal Data of the Data Subjects may be processed by the service providers or their sub-
processors, including where such authorised entities are located outside Luxembourg or the
European Economic Area, in jurisdictions where confidentiality and Personal Data protection
laws might not exist or be of a lower standard than in the European Union. In this case, any
transfer of Personal Data to a third country shall take place only if appropriate or suitable
safeguards for the Data Subjects have been put in place the service provider transferring
Personal Data shall enter into a data transfer agreement in the form of the EU Commission-
approved standard data protection clauses (as amended from time to time) or shall take any
other measures satisfying the requirements of the data protection laws and GDPR for such
disclosure, contractually ensuring that the Personal Data is protected in a manner which is
equivalent to the protection offered pursuant to Luxembourg data protection laws. Data
Subject may obtain a copy of the list of countries where his/her Personal Data may be
processed at the registered office of the Fund.
‍
The Fund and its processors may transfer personal data to a third country or any
international organisation where such transfer is required by the European Union or Member
State law to which the Fund or its processors are subject.

It is imperative that the Personal Data we hold about you is accurate and current at all times.
Otherwise, this will impair our ability to provide you with the requested services (amongst
other potential and salient issues). Please keep us informed if your Personal Data changes
during the course of our engagement and professional relationship with you.
‍
Data Subjects should be aware that the information provided here above may be subject to
changes. Changes to this privacy notice will be posted on our website, we encourage you to
actively follow it.

By accessing the Fund’s website, you can set your browser to refuse all or some browser
cookies, or to alert you when websites set or access cookies. If you disable or refuse
cookies, please note that some parts of the website may become inaccessible or not
function properly. This data privacy notice should be read in conjunction with the cookie
policy available on the website.

The Fund may request the Data Subject to provide additional or updated identification
documents from time to time pursuant to on-going client due diligence requirements under
relevant laws, regulations and circulars, and Data Subjects shall comply with such requests.
Data Subjects should note that the data processed may be obtained from, the service
providers, or from public registers, when available.