Privacy Policy & Data Protection

This privacy policy applies to all personal data processing activities conducted by DKK Investments BV in connection with our import-export services, brokerage operations, investment consulting, and all related business activities.

Key Definitions (Article 4 GDPR):

• "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• "Data Subject" means any identified or identifiable natural person whose personal data is processed by us.
• "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

We collect and process the following categories of personal data, depending on the nature of our business relationship:

Category	Examples	Purpose
Identity Data	First name, last name, title, date of birth, nationality, ID/passport numbers	Client identification, KYC compliance, contract execution
Contact Data	Email address, postal address, phone number, business address	Communication, contract execution, service delivery
Financial Data	Bank account details, IBAN, BIC, transaction history, credit information, investment portfolio details	Payment processing, investment services, financial consulting
Business Data	Company name, VAT number, Chamber of Commerce registration, business type, trade references	Business relationship management, due diligence
Technical Data	IP address, browser type, device information, cookies, access logs	Website functionality, security, analytics
Special Categories	Data revealing racial/ethnic origin, political opinions (if applicable for sanctions screening)	Legal compliance (sanctions/PEP screening only)

We process your personal data only when there is a valid legal basis under the GDPR:

3.1 Performance of a Contract (Art. 6(1)(b) GDPR)
Processing necessary for the performance of our import-export, brokerage, or investment consulting contracts with you.

3.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR)
Processing required to comply with EU and Dutch laws, including:

• Anti-Money Laundering (AML) Directive (EU) 2015/849
• Know Your Customer (KYC) regulations
• Tax reporting obligations (DAC6, CRS)
• Sanctions and embargo regulations
• Corporate reporting requirements

3.3 Legitimate Interests (Art. 6(1)(f) GDPR)
Processing necessary for our legitimate business interests, including:

• Fraud prevention and security
• Network and information security
• Business analytics and service improvement
• Debt collection and credit risk assessment

We carefully balance our interests against your privacy rights and ensure processing is proportionate.

3.4 Consent (Art. 6(1)(a) GDPR)
Where we rely on your consent (e.g., for marketing communications), you have the right to withdraw consent at any time.

3.5 Vital Interests (Art. 6(1)(d) GDPR)
Processing may be necessary to protect your vital interests or those of another natural person in emergency situations.

We process your personal data for the following specific purposes:

4.1 Service Provision

• Managing import-export transactions and logistics
• Executing brokerage services and trade facilitation
• Providing investment consulting and portfolio management
• Processing payments and financial transactions

4.2 Legal Compliance

• Customer due diligence and identity verification (KYC/AML)
• Transaction monitoring for suspicious activities
• Reporting to supervisory authorities (FIU, tax authorities)
• Sanctions screening against EU, UN, and OFAC lists
• Record-keeping obligations under commercial and tax law

4.3 Business Operations

• Internal accounting and financial management
• Risk assessment and credit scoring
• Quality assurance and service improvement
• Training and compliance monitoring

4.4 Communication

• Responding to inquiries and providing customer support
• Sending contract-related notifications
• Marketing communications (with consent only)
• Surveys and feedback requests

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

Data Category	Retention Period	Legal Basis
Contract and business correspondence	10 years after contract termination	Dutch Civil Code (Burgerlijk Wetboek)
Financial and accounting records	7 years (tax records)	Dutch General Tax Act (Algemene Wet inzake Rijksbelastingen)
AML/KYC documentation	5 years after business relationship ends	EU Anti-Money Laundering Directive
Marketing consent records	Until consent is withdrawn + 3 years	GDPR accountability requirements
Website logs and technical data	90 days (security logs), 2 years (analytics)	Legitimate interest, legal obligations
Job applications (if not hired)	6 months after rejection	AGG (German General Equal Treatment Act)

Your personal data may be disclosed to the following categories of recipients:

6.1 Service Providers (Data Processors)

We engage carefully selected service providers who process data on our behalf under Article 28 GDPR:

• IT and hosting services: Data center operators, cloud service providers (Microsoft Azure, AWS)
• Financial services: Banks, payment processors, credit card companies
• Logistics partners: Shipping companies, customs brokers, freight forwarders
• Professional services: Legal advisors, tax consultants, auditors
• Marketing services: Email service providers, CRM systems

All processors are bound by data processing agreements ensuring GDPR compliance and data security.

6.2 Public Authorities

We may be required to disclose data to:

• Financial Intelligence Units (FIU) for AML reporting
• Tax authorities (Dutch Belastingdienst, foreign tax authorities under CRS/DAC6)
• Customs and border control authorities
• Supervisory authorities (Dutch Data Protection Authority - Autoriteit Persoonsgegevens)
• Law enforcement agencies (upon valid legal request)

6.3 Business Partners

In the course of trade transactions, limited data may be shared with:

• Counterparties in trade transactions (necessary for contract performance)
• Insurance companies and credit insurers
• Credit reference agencies (with consent or legitimate interest)

6.4 International Transfers

As an international trading company, data transfers outside the European Economic Area (EEA) may occur. Such transfers are protected by:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for countries recognized by the EU as providing adequate protection
• Binding Corporate Rules (BCRs) for intra-group transfers
• Derogations under Article 49 GDPR for occasional transfers

You may request a copy of the safeguards in place for international transfers by contacting our privacy officer.

Our website uses cookies and similar technologies in accordance with the ePrivacy Directive and GDPR. Detailed information is available in our Cookie Policy.

8.1 Types of Cookies We Use

Category	Purpose	Duration	Legal Basis
Essential	Website functionality, security, user authentication	Session - 1 year	Legitimate interest (Art. 6(1)(f))
Preferences	Language selection, display settings	1 year	Consent (Art. 6(1)(a))
Analytics	Google Analytics, visitor statistics, performance monitoring	2 years	Consent (Art. 6(1)(a))
Marketing	LinkedIn Insights, conversion tracking, retargeting	90 days - 1 year	Consent (Art. 6(1)(a))

8.2 Cookie Management

You can manage cookie preferences through:

• Our cookie consent banner (presented on first visit)
• Browser settings to block or delete cookies
• Google Analytics opt-out browser add-on
• Your online choices at www.youronlinechoices.eu

8.3 Third-Party Services

We use services from: Google Analytics (IP anonymization enabled), LinkedIn Insights, Microsoft Clarity. These providers act as data processors under GDPR Article 28.

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR):

9.1 Technical Safeguards

• Encryption: TLS 1.3 for data in transit; AES-256 encryption for data at rest
• Access Control: Multi-factor authentication (MFA), role-based access control (RBAC), principle of least privilege
• Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection
• Endpoint Security: Anti-malware, endpoint detection and response (EDR), mobile device management (MDM)
• Data Loss Prevention: DLP systems preventing unauthorized data exfiltration

9.2 Organizational Measures

• Binding confidentiality agreements for all staff
• Regular data protection training and awareness programs
• Data Protection Impact Assessments (DPIA) for high-risk processing
• Incident response plan and breach notification procedures
• Regular security audits and penetration testing
• Business continuity and disaster recovery plans

9.3 Data Breach Notification

In case of a personal data breach likely to result in high risk to your rights and freedoms, we will notify:

• The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours where feasible
• You as the affected data subject without undue delay when high risk is determined

Generally, we do not process special categories of personal data as defined in Article 9 GDPR (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, sex life/orientation).

However, for legal compliance purposes (sanctions and PEP screening under AML regulations), we may process:

• Political exposure indicators (PEP status)
• Nationality/citizenship data for sanctions screening

Legal Basis: Article 9(2)(g) GDPR - processing is necessary for reasons of substantial public interest, specifically for preventing or detecting unlawful acts (money laundering, terrorist financing, sanctions evasion).

Safeguards: Such processing is strictly limited to legal compliance, subject to enhanced security measures, and subject to DPIA where required.

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will delete such data immediately upon verification.

If you believe we may have collected data from a minor, please contact our privacy officer immediately.

We may update this privacy policy from time to time to reflect changes in legal requirements, our business practices, or technological developments.

Version History:

• Version 2.1 (March 2026): Updated retention periods, added BCR information, clarified international transfers
• Version 2.0 (January 2026): Major revision for GDPR compliance audit
• Version 1.0 (June 2025): Initial comprehensive privacy policy

Material changes will be notified to you by email (if we have your contact details) or through a prominent notice on our website. Continued use of our services after changes constitutes acceptance of the revised policy.