I. Introduction

Under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter the “GDPR” the Data Controller provides the data subjects with the following information.

I./1. Contact details of the Data Controller

Data Controller

Name:

TGM ART LIMITED

Registered seat:

Coliemore House, Coliemore Road, Dalkey, Co. Dublin, Ireland

Email:

jfrarts@gmail.com

I./2. Laws providing the base for data processing

I./2.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the GDPR)

I./3. Definitions

I./3.1. Terms used in this Notice have the meaning given in Article 4 of the GDPR.

I./3.2. Under the GDPR ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

I./3.3. the ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry, in accordance with Union or a member state law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

II. Table of Contents

  1. Introduction. 1

I./1. Contact details of the Data Controller.

I./2. Laws providing the base for data processing.

I./3. Definitions.

  1. Table of Contents.

III. The scope of the processed data, the purpose, legal basis and duration of the data processing.

III./1. Processing in relation to the purchase of a TGM NFT..

III./2. Processing in relation to using our services.

III./3. Cookies, browsing activity, re-marketing.

III./4. Enforcement of claims.

III./5. Fulfilling the customer due diligence and record-keeping obligations under the AML Act

III./6. Other data processing.

  1. Data security measures – how do we protect your personal data?.

IV./1. Method of processing.

IV./2. Information security and organisational measures.

  1. Your rights.

V./1. Exercising your rights.

V./2. Right of Access.

V./3. Right to rectification.

V./4. Right to erasure.

V./5. Right to restriction of processing.

V./6. Right to object

V./7. Right to data portability.

V./8. Right to revoke your consent

V./9. Remedies at law..

III. The scope of the processed data, the purpose, legal basis and duration of the data processing

In this section, you can find out what personal data we process, for what purposes we process it and what we use it for. This section also sets out the legal grounds for each processing operation and the duration of the processing.

You can find information on each processing operation under a separate heading for each processing purpose.

III./1. Processing in relation to the purchase of a TGM NFT

When you purchase a TGM NFT through the services of the Data Controller you must disclose your wallet identification number through the services. This identification number is stored by the smart contract managing the sale of the TGM NFT on the Ethereum blockchain.

III./1.1. The purpose of the processing is: to facilitate the sale of the TGM NFT and in course of this to manage the financial side of the transaction.

III./1.2. Legal basis for processing: processing is necessary to perform the contract between you and the Data Controller or to take steps prior to entering into the contract (Article 6(1)(b) GDPR).

III./1.3. Scope of processed data: the wallet identification number.

III./1.4. Source of data: your declaration.

III./1.5. Duration of processing (envisaged duration): 1 year.

III./1.6. Consequences of not providing the data: failure of the TGM NFT sale and purchase transaction. Without the wallet ID the transaction cannot be completed, thus you cannot purchase the TGM NFT.

III./1.7. Recipients: we do not forward the personal data to third-parties, but please note that any information stored on the Ethereum blockchain is publicly available.

III./1.8. Data processors: the Data Controller may disclose your data to data processors contracted by the Data Controller in the course of processing. Such data processors are as follows. In the case of controllers outside the EEA, the safeguards of data transfer are also indicated.

Name

Registered seat

Scope of activities

Safeguards

IVANSON CONSULTING LIMITED

Central Office Building, Block A, Level 2, Halmann Vella, Mosta Road, Lija LJA 9016, Malta

software management

Data processor within the EEA

III./2. Processing in relation to using our services

When using our services we may process your data for communication, handling of complaints, etc.

III./2.1. The purpose of the processing is: communication with you; receiving and handling any complaints.

III./2.2. Legal basis for processing: processing is necessary to perform the contract between you and the Data Controller or to take steps prior to entering into the contract (Article 6(1)(b) GDPR).

III./2.3. Scope of processed data: name, contact information (address, e-mail address, phone number), details of communication, any personal information shared with us in the communication.

III./2.4. Source of data: your declaration, systems used for communication (e.g., e-mail system information).

III./2.5. Duration of processing (envisaged duration): at the latest the end of the fifth year after the completion of the legal relationship between us; or the last communication.

III./2.6. Consequences of not providing the data: the communication or the review and handling of the complaint will not be possible.

III./2.7. Data processors: the Data Controller may disclose your data to data processors contracted by the Data Controller in the course of processing. Such data processors are as follows. In the case of controllers outside the EEA, the safeguards of data transfer are also indicated.

Name

Registered seat

Scope of activities

Safeguards

IVANSON CONSULTING LIMITED

Central Office Building, Block A, Level 2, Halmann Vella, Mosta Road, Lija LJA 9016, Malta

software management

Data processor within the EEA

III./3. Cookies, browsing activity, re-marketing

We collect technical data when you are using and interact with our website. Such technical data includes your internet protocol (ip) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. This data is collected automatically through our website.

III./3.1. Cookies

Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit any website. Cookies allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience and the website owner with statistics about how you use the website so that it can be improved.

Some cookies may last for a defined period, such as one day or until you close your browser, others last indefinitely. Your web browser should allow you to delete any you choose; it also should allow you to prevent or limit their use.

Our website uses cookies. They are placed by software that operates on our servers, and by software operated by third parties whose services we use. When you first visit our website, we ask you whether you wish us to use cookies. If you choose not to accept them, we shall not use them for your visit except to record that you have not consented to their use for any other purpose.

There are cookies that are essential to use any website, including ours. You cannot opt-out form using these cookies, because otherwise the website could not be displayed on your computer. Therefore, your consent is not needed for the use of essential (or technical) cookies and the below information does not refer to these essential cookies.

Apart from the technical cookies we use analytics cookies, preference cookies and marketing cookies. Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously. Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in. Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

Re-marketing involves placing a cookie on your computer when you browse our website in order to be able to serve to you an advert for our products or services when you visit some other website.

III./3.2. The purpose of the processing is: providing better service and user experience, improvement and troubleshooting of our services and the website, marketing, re-marketing and market research.

III./3.3. Legal basis for processing: your consent to the processing (Article 6(1)(a) GDPR).

III./3.4. Scope of processed data: IP address, time of visit, time of certain activities on the site; traffic, logs, and other communication data; information regarding, the resources that you access; and information about your computer and internet connection, (e.g. including geolocation data, operating system and browser type), for system administration.

III./3.5. Source of data: your internet browser.

III./3.6. Duration of processing (envisaged duration): end of website visit in case of session cookies; we keep your statistical information about our website users’ equipment, browsing actions and patterns no longer than necessary and certainly no longer than 4 months after the information is collected.

III./3.7. You can revoke your consent to the processing any time, which does not affect the legality of the processing prior to revoking your consent. If you decide not to consent to the data processing, then you may not be able to use our website’s full functionality.

III./3.8. Data processors: the Data Controller may disclose your data to data processors contracted by the Data Controller in the course of processing. Such data processors are as follows. In the case of controllers outside the EEA, the safeguards of data transfer are also indicated.

Name

Registered seat

Scope of activities

Safeguards

IVANSON CONSULTING LIMITED

Central Office Building, Block A, Level 2, Halmann Vella, Mosta Road, Lija LJA 9016, Malta

software management

Data processor within the EEA

III./3.9. we may use a third party to provide us with re-marketing services from time to time. If so, then if you have consented to our use of cookies, you may see advertisements for our products and services on other websites.

III./4. Enforcement of claims

If a dispute arises between the Data Controller and you, the Data Controller may initiate legal proceedings to enforce its claims, to recover its claims, and may take legal action before courts or authorities.

III./4.1. The purpose of the processing is to enable the enforcement and recovery of claims.

III./4.2. Legal basis for processing: processing is necessary to perform the contract between you and the Data Controller or to take steps prior to entering into the contract (Article 6(1)(b) GDPR)

III./4.3. Scope of processed data: personal identification data, data of financial settlements.

III./4.4. Source of data: your declaration, personal documents, financial records of the Data Controller.

III./4.5. Duration of processing (envisaged duration): 1 year from the final and binding completion of the enforcement proceedings.

III./5. Fulfilling the customer due diligence and record-keeping obligations under the AML Act

As detailed in the Terms, if you wish to exercise your option regarding the Shares and wish to be registered as a TGM Shareholder you must go through the client identification procedure required by the applicable anti-money laundering and anti-terrorist financing regulations, mainly the Irish Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (“AML Act”).

In this context, the Data Controller shall perform the following tasks required by the AML Act identification of the customer, risk classification of the customer, verification of identity, identification and continuous monitoring of the purpose and nature of the business relationship and the transaction.

III./5.1. Legal basis for processing: fulfilment of the Data Controller’s legal obligations (Article 6(1)(c) GDPR); the laws that require the processing: The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.

III./5.2. Scope of processed data:

  • first and family name
  • first and family name at birth
  • citizenship
  • place and date of birth,
  • mother’s birth name (maiden name)
  • address of the place of habitual residence,
  • type and number of identification document.

III./5.3. Source of data source: personal documents, public registers

III./5.4. Duration (envisaged term) of data processing: eight years from the termination of the business relationship or from the execution of the engagement. At the request of the supervisory authority, the financial information unit, the investigation authority, the public prosecutor’s office and the court the Data Controller shall keep the data or documents for the period specified in the request, but not for longer than ten years from the termination of the business relationship or the execution of the engagement.

III./5.5. The Data Controller shall employ data processors in the course of the processing of data in order to retain the documents relating to the processing of the data:

Name

Registered seat

Scope of activities

Safeguards

IVANSON CONSULTING LIMITED

Central Office Building, Block A, Level 2, Halmann Vella, Mosta Road, Lija LJA 9016, Malta

software management

Data processor within the EEA

III./6. Other data processing

III./6.1. We may aggregate anonymous data such as statistical or demographic data for any purpose. Anonymous data is data that does not identify you as an individual. Aggregated data may be derived from your personal data but is not considered personal information in law because it does not reveal your identity.

For example, we may aggregate profile data to assess interest in a product or service. However, if we combine or connect aggregated data with your personal information so that it can identify you in any way, we treat the combined data as personal information and it will be used in accordance with this privacy notice.

III./6.2. Third parties may advertise on our website. In doing so, those parties, their agents or other companies working for them may use technology that automatically collects information about you when their advertisement is displayed on our website. They may also use other technology such as cookies to personalise the content of, and to measure the performance of their adverts. We do not have control over these technologies or the data that these parties obtain. Accordingly, this privacy notice does not cover the information practices of these third parties.

IV. Data security measures – how do we protect your personal data?

IV./1. Method of processing

IV./1.1. The Data Controller stores the personal data provided by the data subject on paper at the registered office or registered place of business of the Data Controller.

IV./1.2. The data stored electronically shall be stored by the Data Controller on servers and cloud storage facilities rented from a hosting provider, as well as on the Ethereum blockchain.

IV./2. Information security and organisational measures

IV./2.1. The Data Controller shall ensure that appropriate information security measures are in place to protect the personal data of the data subject against, inter alia, unauthorised access or unauthorised alteration. For example, the Data Controller keeps its IT systems up to date, ensures adequate virus protection, uses password protection in each system, and, where available, two-factor authentication. The Data Controller keeps paper-based documents in a lockable room/closet, ensuring that only authorised persons have access to the documents.

IV./2.2. The Data Controller shall take appropriate organisational measures to ensure that personal data cannot be made available to an indefinite number of persons. For example, it shall ensure that appropriate rights are assigned to ensure that only those who need to have access to the data and, to the extent necessary for the purposes for which they are intended, have access to the data.

IV./2.3. The Data Controller shall carefully select the data processors it engages and shall ensure the security of the data by means of an appropriate data processing contract.

V. Your rights

V./1. Exercising your rights

V./1.1. You can make a request for remedy either orally (in person) or in writing (personally, by proxy, or by post), or by electronic means, protected at least by an advanced electronic signature, using the Data Controller’s above contact details.

V./1.2. We will respond to your request as soon as possible, but no later than one month after its receipt, in writing or electronically if you have submitted your request electronically. The reply will inform you of the action taken or not taken and of the remedies available to you.

V./2. Right of Access

V./2.1. Under Article 15 of the GDPR the data subject may request access to his or her personal data as follows:

V./2.2. You have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the right of the data subject to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data is not collected from the data subject, any available information as to their source;

(h) the fact of automated decision-making, including profiling, and in such cases, at least comprehensible information about the applied logic and the significance of such data processing and the anticipated consequences it may lead to for the data subject.

V./2.3. The Data Controller shall provide you, upon your request with a copy of the personal data undergoing processing. The Data Controller may charge a reasonable fee based on administrative costs for further copies.

V./2.4. Where you submitted your request in electronic form, the response will be provided to you by widely used electronic means unless otherwise requested by you. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

V./3. Right to rectification

V./3.1. Under Article 16 of the GDPR you are entitled to request that the Data Controller should rectify your personal data.

V./3.2. At your request the Data Controller is obliged to rectify inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

V./4. Right to erasure

V./4.1. Under Article 17 of the GDPR the data subject may request erasure of his or her personal data as follows:

V./4.2. You have the right to obtain from the Data Controller the erasure of personal data concerning you and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

(b) the individual withdraws consent on which the processing is based, and no other legal ground subsists for the processing;

(c) the data subject objects to the processing necessary in the public interest or in the exercise of official authority vested in the Data Controller, for the legitimate interests pursued by the Data Controller (a third party), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;

(d) the personal data has been unlawfully processed;

(e) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;

(f) the personal data has been collected in relation to the offer of information society services.

V./4.3. Your above rights of erasure may only be restricted if any of the exceptions described in the GDPR arises, i.e., if any of the following grounds applies, the further retention of personal data can be regarded as lawful:

  1. for exercising the right of freedom of expression and information; or
  2. for compliance with a legal obligation; or
  3. for the performance of a task carried out in the public interest; or
  4. in the exercise of official authority vested in the Data Controller; or
  5. for reasons of public interest in if area of public health; or
  6. for archiving purposes in the public interest; or
  7. for scientific or historical research purposes or statistical purposes; or
  8. for the establishment, exercise or defence of legal claims.
V./5. Right to restriction of processing

V./5.1. Under Article 18 of the GDPR the data subject may request restriction of processing of his or her personal data as follows:

V./5.2. You have the right to obtain a restriction of processing from the Data Controller where one of the following applies:

(a) you contest the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data;

(b) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead;

(c) the Data Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or

(d) you object to the processing necessary in the public interest or in the exercise of official authority vested in the Data Controller, for the legitimate interests pursued by the Data Controller (a third party), pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.

V./5.3. Where processing has been restricted under the above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

V./5.4. If you have requested restriction of processing, then you will be informed by the Data Controller before the restriction of processing is lifted.

V./6. Right to object

V./6.1. Under Article 21 of the GDPR you are entitled to object to the processing of your personal data by the Data Controller as follows:

V./6.2. You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data in the public interest or for the purposes of legitimate interests of the Data Controller (or a third party). The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

V./7. Right to data portability

V./7.1. Under Article 20 of the GDPR you are entitled to portability of your personal data as follows:

V./7.2. You have the right to receive the personal data concerning you, which you provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where:

  1. the processing is based on consent or on a contract
  2. and the processing is carried out by automated means.

V./7.3. In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

V./7.4. The right to data portability shall not adversely affect the rights and freedoms of others.

V./8. Right to revoke your consent

V./8.1. Under Article 7(3) of the GDPR the data subject shall have the right to withdraw his or her consent to the processing of his or her personal data at any time as follows:

V./8.2. You shall have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw your consent in writing, by electronic mail or, in the case of a declaration, at least by means of an electronic declaration with enhanced security, using the contact details of the Data Controller indicated above.

V./9. Remedies at law

V./9.1. If you feel that we have not processed your data in accordance with the applicable law or this Notice, please let us know so that we can investigate your complaint and take the necessary action. Please make your request for remedy either orally (in person) or in writing (in person, by proxy, or by post), or by electronic means, protected at least by an advanced electronic signature, using the contact details above.

V./9.2. You may bring a civil action against the Data Controller for unlawful processing of your personal data and claim damages from the Data Controller.

V./9.3. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.