Data Privacy Framework Notice
Last Revised: April 5, 2024
Arete Advisors, LLC and its subsidiaries, Arete IR UK Limited and Arete Incident Response LLC (“Arete,” “our,” “us,” “we”), have self-certified their compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF (“UK Extension”) (collectively, the “DPF”).
This Data Privacy Framework Notice (“DPF Notice”) describes our compliance with the specific requirements of the DPF. Please see our Privacy Policy for details about the information we collect through www.areteir.com. For the purposes of this DPF Notice, all references to “personal information” in our Privacy Policy and its supplements are deemed to be equivalent to “personal data,” as that term is used in this DPF Notice.
Certifications
We comply with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (“DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this DPF Notice and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program please visit www.dataprivacyframework.gov.
Scope
This DPF Notice applies to our processing of personal data transferred to the United States from the European Union / European Economic Area (“EU/EEA”) and the United Kingdom in reliance upon the DPF. If there is any conflict between this notice and the DPF Principles, the DPF Principles govern.
We process personal data as a controller (who determines the purpose and means of processing) or processor (who acts upon the written instructions of the controller).
Notice of Privacy Practices: Controller
Our privacy practices when we act as a data controller are set forth in our Privacy Policy, including:
the types of personal data collected
the purposes for which we collect personal data
the type of third parties to whom we disclose personal data
our practices relating to the collection and use of personal data
the right of individuals to access their personal data, and
the choices and means we offer for limiting use and disclosure of personal data.
Notice of Privacy Practices: Processor
When we act as a data processor, our customers determine the types of personal data collected, and the practices relating to the collection and use of personal data collected.
Our rights and obligations as a processor are defined by a written data processing addendum (“DPA”) executed between us and our customer. In general, we process personal data according to applicable law and the instructions provided by our customer acting as the data controller. Our customers are responsible for ensuring they:
have a lawful basis for collecting the personal data provided to us
have provided appropriate notices and disclosures to data subjects as required under applicable law
have the right to allow transfer of personal data to the United States
have otherwise complied with all applicable laws relating to the collection and processing of personal data
provide responses to requests from individuals to access their personal data, and
provide appropriate choices and means to individuals to limit the use and disclosure of their personal data.
When acting as a processor, we disclose personal data:
to our affiliates and subprocessors for the purpose of operating our business and/or providing our services
to third parties at our customer’s request
when required to make disclosures pursuant to law or in response to lawful requests from governmental authorities, including in response to national security, government interests, or law enforcement requests.
Onward Transfers of Personal Data
When transferring personal data to a processor (or subprocessor) pursuant to the DPF (an “Onward Transfer”), we:
require the processor to enter into a written DPA
require the processor to process the personal data for only limited and specific purposes defined in the agreement
take reasonable and appropriate steps to ensure that the personal data is processed in a manner consistent with the DPF Principles
require the processor to notify us if the processor determines that it can no longer meet its obligations under the DPF Principles
take reasonable and appropriate steps to stop and remediate unauthorized processing, and
provide a summary or representative copy of the relevant privacy protections in our agreements with our processors to the Department of Commerce upon request.
We remain liable under the DPF Principles if our processor or any other party to whom our processor transfers personal data processes personal data in a manner not consistent with the DPF Principles, unless we demonstrate that we are not responsible for the unauthorized processing.
Other Disclosures
We also disclose personal data:
(a) for the purpose of operating our business and providing our services as described in our Privacy Policy, applicable Statement of Work or DPA with our customer, and related privacy policies;
(b) to third parties at our customer’s request;
(c) if required to make disclosures pursuant to law; or
(d) in response to lawful requests from governmental authorities, including in response to national security, government interest, or law enforcement requests.
Data Subject Choice
We do not disclose personal data to third parties (other than processors working on our behalf) or use personal data for a purpose different from the purposes for which it was originally collected or subsequently authorized.
Human Resources Personal Data
We transfer human resources data pursuant to the DPF. A copy of our employee privacy policy governing the processing of employee personal data is available to employees on Arete’s internal network or by emailing privacy@areteir.com.
Data Security
Our Privacy Policy contains a description of the measures we employ to protect the confidentiality and security of personal data we process.
Recourse, Enforcement, and Liability
Arete has established internal mechanisms to verify its ongoing adherence to the DPF Principles and the other requirements described in this notice and our Privacy Policy. We are subject to the investigatory and enforcement powers of the U.S. federal government, including the Federal Trade Commission (“FTC”).
Arete commits to resolve DPF Principles-related complaints about our collection and use of personal information. Individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF should first contact us at privacy@areteir.com or at the address below:
Arete Advisors, LLC
Attn: Legal Department
4800 T-Rex Ave # 350
Boca Raton, FL 33431
We respond to complaints within 45 days.
If we cannot resolve a complaint through our internal processes, we commit to cooperate and comply with the advice of the panel applicable to the complainant established by the EU Data Protection Authorities (“EU DPAs”) and the UK Information Commissioner’s Office (“ICO”) with respect to all personal data, including HR-related data.
If we are unable to resolve a complaint through the independent dispute resolution panel applicable to you, you may be able to invoke binding arbitration for some residual claims not otherwise resolved by other recourse mechanisms. This binding arbitration mechanism is administered by the International Centre for Dispute Resolution of the American Arbitration Association (“ICDR-AAA”). For more information about binding arbitration, please visit the Data Privacy Framework’s Annex regarding Arbitration.
Changes to this Statement
We may revise this DPF Notice by posting a revised statement at the same location as this notice or on another location on our website. If we change this notice, it will apply to personal data collected prior to adoption of the new statement only to the extent the new statement does not reduce the rights of affected data subjects. As long as we continue to participate in the DPF program, we will not change our statement in a way that is inconsistent with our obligations under the DPF program or the DPF Principles.