Koinos Capital SGR S.p.A., in its capacity as Data Controller, informs you, pursuant to Article 13 of EU Regulation No. 2016/679 (“GDPR”), that the personal data provided through the website (the “Website”), regardless of the method or tool used, will be processed as described below.
This Data Protection Notice applies to the personal data that Koinos Capital SGR S.p.A. collects from you as a user of the Website (the “User”), as a potential client/client or as a contact person of a potential client/client in case you act on behalf of a legal entity (respectively the “Prospective Client” and the “Client”), or as a candidate for open positions at Koinos Capital SGR S.p.A., or in the event of a spontaneous application submitted by you (the “Candidate”) (jointly and indistinctly, the “Data Subjects”).
This Data Protection Notice is provided solely for the Website as a whole and does not apply to other websites, pages, or online services that may be accessed through any hyperlinks published on the Website but referring to resources external to the Data Controller’s domain, which may be consulted by the Data Subject
The Data Controller is Koinos Capital SGR S.p.A., with its registered office at Via Fatebenefratelli Saffi No. 9, 20121 Milan, Tax Code and VAT No. 09900230963, registered with the Milan-Monza Brianza-Lodi Companies Register, with a share capital of €400,000 fully paid in, and listed under No. 164 in the Register of Asset Management Companies – Section for AIF Managers (hereinafter, the “Data Controller”).
The Data Controller’s email address is: info@koinoscapital.it.
The Data Controller may appoint one or more Data Processors pursuant to Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental, or support activities, adopting all appropriate technical and organisational measures to protect the rights, freedoms, and legitimate interests legally recognized to the Data Subjects.
The processing will concern individual operations or a set of operations involving the following personal data provided by the Data Subject when using the services offered by the Data Controller through the Website, as described in the table below (the “Personal Data” or the “Data”).
Responding to the requests of Data Subjects, who may be recontacted via email or other communication channels provided by them.
Exercising the rights of the Data Controller, for example, to enforce a right in court.
Common data: name, email address, attached CV, and any additional data voluntarily provided in the application form
Any special categories of data under Article 9(1) GDPR, such as data concerning health, sexual orientation, religious beliefs, etc.
Assessing potential new collaborators;
Conducting interviews with candidates.
Obtaining anonymous statistical information on the use of the Website;
Verifying its proper functioning, also to improve the user experience.
The processing of Personal Data
is carried out through the operations indicated in Article 4(1)(2) GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, retrieval, comparison, use, interconnection, blocking, communication, erasure, and destruction of the Data;
is also performed with the aid of electronic or otherwise automated means;
is also carried out by means of email or other remote communication technologies.
The methods of processing Personal Data may involve the use of IT systems and automated tools capable of linking the Personal Data to data of other subjects, based on qualitative, quantitative, and temporal criteria, recurring or defined from time to time, as well as through the use of artificial intelligence systems.
The management and storage of the Data will primarily take place within the European Economic Area (EEA), on servers of third-party companies appointed and duly designated as Data Processors.
The Data Controller may also provide access to the Website and the services indicated therein from other countries, in which case the transfer of Data to such countries is strictly limited to what is necessary on a need-to-know basis.
Personal Data may be transferred to systems used by the Data Controller and/or by third-party companies appointed and duly designated as Data Processors, also outside the European Economic Area.
In the event that such transfer takes place to countries that do not provide the same level of
protection as required by the GDPR or applicable data protection legislation, or in any case an adequate level of protection of personal data, the Data Controller will ensure that each of the recipient entities undertakes specific contractual obligations in compliance with the applicable data protection laws (including the execution of the Standard Contractual Clauses approved by the European Commission) or, in the absence of an adequacy decision under Article 45(3) GDPR, or appropriate safeguards under Article 46 GDPR, including binding corporate rules, the Data Controller will request, pursuant to Article 49 GDPR, the possibility to transfer personal data to a third country after obtaining the specific consent of the Data Subject.
The Data Controller has adopted a variety of security measures to protect the Data against the risk of loss, misuse, or alteration, in accordance with the measures outlined in Article 32 GDPR.
Without prejudice to the Data Subject’s right to provide Personal Data to the Data Controller, the provision of Personal Data may be:
mandatory for the provision of services accessible through the Website and for purposes related to the fulfilment of obligations under applicable laws and/or regulations, as well as provisions issued by competent authorities/supervisory or control bodies;
optional with regard to data voluntarily provided by the Data Subject and for the purpose of sending newsletters.
Any refusal by the Data Subject to provide Personal Data to the Data Controller may result in the Data Controller being unable to provide the requested services and to make access to the Website available.
Furthermore, please note that the withdrawal of one or more permissions and/or consents not granted by the User may have consequences on the proper functioning of, and/or the possibility to access and/or correctly use, the Website and/or for the Data Controller to provide the services.
The retention period of Personal Data is indicated in the table under section 2 above.
At the end of the retention period, the Personal Data will be deleted. Therefore, upon the expiry of such period, the User will no longer be able to exercise the rights of access, erasure, rectification, and the right to data portability.
Personal Data will be stored in electronic archives, including portable devices, with appropriate measures in place to ensure their security and to restrict access exclusively to personnel authorized by the Data Controller, and solely within the scope of the purposes outlined above.
For the purposes outlined above, Personal Data may be made accessible or disclosed to:
employees and collaborators of the Data Controller, in their capacity as authorized persons for processing, within the scope of their respective duties and in accordance with the instructions received. Such individuals are subject to appropriate confidentiality and secrecy obligations;
third parties performing outsourcing activities on behalf of the Data Controller, whose activities are related, instrumental, or supportive to those of the Data Controller (e.g., management software providers);
all public and/or private entities, whether natural or legal persons (such as, by way of example, administrative and tax consultancy firms, Judicial Offices, Chambers of Commerce), whenever the disclosure is necessary or functional to the proper fulfilment of contractual obligations undertaken, as well as obligations arising from the law;
all entities (including Public Authorities) that have the right to access the Personal Data by virtue of legal or administrative provisions.
In any case, the Personal Data collected will not be subject to dissemination.
The Data Subject may exercise the rights provided for under Chapter III of the GDPR, within the limits and conditions set forth therein:
access to Data (Art. 15): the Data Subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed and, if so, to access such Personal Data in a commonly used electronic format and to receive certain information about the processing (e.g., purposes, categories of data processed, recipients, non-EU transfers, profiling activities, etc.);
rectification of Data (Art. 16): the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning them without undue delay and/or the completion of incomplete Personal Data, also by providing a supplementary statement;
erasure of Data or "Right to be Forgotten" (Art. 17): the Data Subject has the right to obtain from the Data Controller the erasure of Personal Data concerning them without undue delay, and the Data Controller is obliged to erase such data without undue delay;
restriction of Processing (Art. 18): the Data Subject has the right to obtain from the Data Controller the restriction of processing;
data Portability (Art. 20): the Data Subject has the right to receive, in a structured, commonly used, and machine-readable format, the Personal Data concerning them provided to a Data Controller and has the right to transmit such data to another controller without hindrance from the Data Controller to which they have provided the data;
objection to Processing (Art. 21): the Data Subject has the right to object at any time, on grounds relating to their particular situation, to the processing of Personal Data concerning them pursuant to Article 6(1)(e) or (f) GDPR, including profiling based on those provisions;
withdrawal of Consent (Art. 7(3)): the Data Subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Data Subjects who believe that the processing of their Personal Data is carried out in violation of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority ("Garante Privacy";) by email at garante@gpdp.it or urp@gpdp.it, by fax at +39 06 696773785, or by post to the Garante per la protezione dei dati personali, Piazza Venezia No. 11, 00187 Rome, Italy, or alternatively to bring an action before the competent judicial authority.
The Data Subject may exercise their rights at any time by sending an email to: info@koinoscapital.it.
The Data Controller undertakes to provide the Data Subject with information on the action taken regarding a request to exercise rights without undue delay and, in any case, no later than thirty (30) days from receipt of the request, extendable up to three (3) months only in cases of particular complexity.
Data Subjects who believe that the processing of their Personal Data is carried out in violation of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority
An up-to-date list of data processors and persons authorized to process data is kept at the Data Controller's registered office.
This Data Protection Notice may be amended and/or updated at any time. Therefore, it is recommended to check it regularly and refer to the most recent version.
Last Update: August 2025.