menu
menu

Privacy Statement

Data Privacy

1. Name and contact details of the controller

This data privacy statement shall apply to data processing activities by the following controller:

Marley Spoon Group SE (named 468 SPAC II SE through 13 July 2023)
9 Rue de Bitbourg,
L-1273 Luxemburg,
Email: ir@marleyspoon.com

2. Subject matter of data protection‍

The subject matter of data protection is personal data as defined herein. “Personal data” means any information relating to an identified or identifiable natural person (“data subject”). These include e.g. information such as name, postal address, e-mail address or telephone number.

Specific information on the personal data processed by us can be found below in detail in the data processing operations listed.

3. Collection and storage of personal data as well as the nature and purpose of their processing

– When using our email contact

If there are any questions, we offer the option of contacting us via the provided email address. In such a case, your personal data transmitted in the email will be stored.

The legal basis for data processing for the purpose of Data processing activities for the purpose of contacting is Article 6(1)(1)(f) GDPR. If the purpose of the contact is to conclude a contract, the additional legal basis for the processing is Article 6(1)(1)(b) GDPR.

4. Cookies

A cookie is a small file that is stored in the browser of the end device when the website is accessed. Cookies can be used, for example, to identify the respective terminal device or to ensure the complete and correct display of our website. Cookies can also help to provide the services included on the website, to personalise content and to customise and analyse advertisements.

Depending on their function and purpose, cookies can be divided into five categories: technically required cookies, performance cookies, functional cookies, analysis cookies and cookies for marketing purposes.

On this website, we use only technically required cookies that must be present in order for the website to provide its basic functions.

5. Rights of the data subject

You have the right:

  • To demand information in accordance with Article 15 GDPR regarding the processing of your personal data by us. In particular, you may request information on the purposes of the processing, the categories of personal data, the categories of recipient to whom your data have been or are disclosed, the envisaged storage period, the existence of the right to rectification, erasure, restriction of processing or objection, the right to lodge a complaint, the source of your data to the extent that these were not collected at our site, and the existence of automated decision-making, including profiling and any meaningful information on its details;
  • In accordance with Article 16 GDPR, obtain the rectification of any inaccurate personal data stored by us or completion of such data without undue delay;
  • In accordance with Article 17 GDPR, obtain the erasure of your personal data stored by us, to the extent that processing is not required for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
  • In accordance with Article 18 GDPR, obtain the restriction of processing of your personal data, to the extent that the accuracy of the data is contested by you, processing is unlawful, but you oppose erasure and we no longer need the personal data, but you still require them for the establishment, exercise or defence of legal claims or you have objected to processing pursuant to Article 21 GDPR;
  • In accordance with Article 20 GDPR, demand to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to demand transmission to another controller;
  • In accordance with Article 7(3) GDPR, to withdraw your consent once given to us towards us at any time. This has the consequence that we may no longer continue the data processing activities that were based on this consent in future and
  • In accordance with Article 77 GDPR, lodge a complaint with a supervisory authority. Usually, you may contact the supervisory authority at your habitual residence or place of work or our registered office for this.

6. Right to object

As far as your personal data are processed based on legitimate interests in accordance with Article 6(1)(1)(f) GDPR, you have the right to object to processing of your personal data in accordance with Article 21 GDPR, to the extent that there are grounds relating to your particular situation or the objection is targeted against direct marketing. In the latter case, you have a general right to object that will be implemented by us without any indication of a particular situation.

If you want to exercise your withdrawal right or right to object, simply send us an email to privacy@marleyspoon.de.

7. Data security

Within the website visit, we use the common TLS (Transport Layer Security) protocol in conjunction with the respective highest encryption cipher your browser supports. This is usually TLS 1.3. If your browser does not supportTLS 1.3, we will use TLS 1.2 instead. Whether an individual website of our internet offer is transmitted encrypted or not is evident by the closed display of the key or lock symbol in the lower status bar of your browser.

Apart from this, we use appropriate technical and organisational security measures in order to protect your data from accidental or wilful manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures will be improved continually according to the technological developments.

8. Topicality and changes of this data privacy statement

This data privacy statement is currently valid as of July 7, 2023.

Further development of our website and offers through it or changed statutory or authority specifications may require changes to this data privacy statement. You may call and print the respective current data privacy statement at any time on the website.

Privacy Notice for CDI Holders

In accordance with the provisions of the EU Regulation n°2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and any applicable national data protection laws (including but not limited to the Luxembourg law of 1st August 2018 organizing the National Commission for data protection and the general system on data protection, as amended from time to time) (collectively hereinafter the “Data Protection Laws”) Data Protection Laws, Marley Spoon Group SE as data controller (the “Data Controller” or “MSG”), collects stores and processes by electronic or other means the CDI Holder’s data (or if the CDI Holder is a legal person, any natural person related to it such as its contact person(s), employee(s), trustee(s), nominee(s), agent(s), representative(s) and/or beneficial owner(s)) (the “Data Subjects”) for the purposes outlined in section 2 of the Privacy Notice.

Preamble / Summary

  1. 1. What personal data does the Data Controller collect?
  2. 2. What is Personal Data used for?
  3. 3. With whom will Personal Data be shared?
  4. 4. How long will Personal Data be retained?
  5. 5. The Data Subject’s rights
  6. 6. Changes to this Privacy Notice

1. What personal data does the Data Controller collect?

The Data Controller collects the following categories of personal data:

  • Identification data: name, age, gender, date of birth, nationality, citizenship, identity number, passport number, identity card with photo, profession, address, proof of address.
  • Contact data: e-mail, address, phone number.
  • Bank account data: IBAN and BIC Codes and bank account information.
  • Tax related data: tax identifiers, tax status and tax certificates.
  • Shares related data: number of shares in MSG and CDIs as well as any information regarding the dealing in shares (subscription, conversion, redemption and transfer).
  • AML/KYC related data: income, source of wealth, source of funds, power of attorney, related parties, sensitive data (criminal convictions and offences, political opinions).
  • Communication data: communications via electronic or other means, telephone conversations recordings.


Collectively hereinafter the “Personal Data”.

CDI Holders who are legal persons undertake and guarantee to process Personal Data and to supply such Personal Data to the Data Controller in compliance with the Data Protection Laws, including, where appropriate, informing the relevant Data Subjects of the contents of the Privacy Notice in accordance with Articles 12, 13 and/or 14 of the GDPR.

2. What is the Personal Data used for?

The Personal Data are processed by the Data Controller for the following purposes and lawful grounds for processing:

(i) Compliance with applicable legal obligations

Categories of Personal Data Purposes
Identification data and shares related data Maintaining the register of shareholders.
Identification data and shares related data Mandatory registration with registers including among others the Luxembourg register of beneficial owners.
Identification data, contact data, tax related data, AML/KYC related data and sensitive data Carrying out anti-money laundering checks and related actions considered appropriate to meet any legal obligations relating to the prevention of fraud, money laundering, terrorist financing, bribery, corruption, tax evasion and the provision of financial and other services to persons who may be subject to economic or trade sanctions, on an on-going basis.

 

Sensitive data, specifically political opinions of Data Subjects having a public political exposure will be processed by the Data Controller on the basis of article 9, (2), e) (i.e. the personal data have manifestly been made public by the data subject) and/or g) the personal data is necessary for reasons of substantial public interest).

 
Identification data, tax related data, bank account data and AML/KYC related data Reporting tax related information to tax authorities under Luxembourg or foreign laws and regulations (including laws and regulations relating to FATCA or CRS).

 

(ii) Facilitate and execute the contract between the CDI Holder and MSG

Categories of Personal Data Purposes
Identification data, contact data, bank account data and tax related data Processing subscriptions, redemptions and conversions of shares and payments of dividends or interests to shareholders.
Identification data, contact data, bank account data, tax related data and shares related data Carrying out the Small Holdings Offer and Subsequent Tender Offer (if applicable).
Identification data, bank account data and shares related data Securities’ administration.

 

(iii)The legitimate interests of the Data Controller

Categories of Personal Data Purposes
Identification data, contact data, bank account data, tax related data, shares related data, AML/KYC related data and communication data A due diligence carried out by any third party that acquires, or is interested in acquiring or securitizing, all or part of the MSG’s assets or shares, or that succeeds to it in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, reorganization or otherwise.
Identification data and contact data Client relationship management, which may include contacting Data Subjects by email, SMS or telephone, either directly or via a third party, as well as conducting segmentation and analysis of the register of shareholders.
Identification data, bank account data, tax related data, shares related data, ALM/KYC related data and communication data Establishing, exercising, or defending legal claims.
Identification data, contact data, bank account data, tax related data, shares related data, AML/KYC related data and communication data Providing proof, in the event of a dispute, of a transaction or any commercial communication.
Identification data, contact data, bank account data, tax related data, shares related data, AML/KYC related data and communication data Complying with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority.
Identification data, contact data, bank account data, tax related data, shares related data, AML/KYC related data and communication data Risk management.
Identification data and contact data Commercial prospection.
Identification data and contact data Processing Personal Data of employees or other representatives of CDI Holders which are legal persons.
Identification data and shares related data Disclosing the list of existing CDI Holders and shareholders to prospective investors in compliance with their investment policies.

 

The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Data Controller. In this event however the Data Controller may reject their request for subscription for shares in MSG if the relevant Personal Data is necessary to such subscription of such shares.

3. With whom will Personal Data be shared?

The Personal Data may also be processed by the Data Controller’s data recipients (the “Recipients”) which, in the context of the above mentioned purposes, refer to the Auditor, the Legal Advisor(s), service providers approaching existing CDI Holders or shareholders on behalf of the Data Controller,  other prospective or existing CDI Holders or shareholders, any pledgee on Data Controller’s assets, any third party that acquires, or is interested in acquiring or securitizing, all or part of MSG’s assets or shares, or that succeeds to it in carrying on all or a part of its businesses, or services provided to it, whether by merger, acquisition, financing, reorganization or otherwise as well as any other third party supporting the activities of the Data Controller.

The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Data Controller and/or assisting the Recipients in fulfilling their own legal obligations.

The Recipients and Sub-Recipients may be located either inside or outside the European Economic Area (the “EEA”). Where the Recipients and Sub-Recipients are located in a country outside the EEA which benefit from an adequacy decision of the European Commission, the Personal Data are transferred to the Recipients and Sub-Recipients upon such adequacy decision. Where the Recipients and Sub-Recipients are located outside the EEA in a country which does not ensure an adequate level of protection for Personal Data or does not benefit from an adequacy decision of the European Commission, the Data Controller has entered into legally binding transfer agreements with the relevant Recipients in the form of the European Commission approved model clauses or any other appropriate safeguards pursuant to the GDPR, as well as, if necessary, supplementary measures. In this respect, the Data Subjects have a right to request copies of the relevant document for enabling the Personal Data transfer(s) towards such countries by writing to the Data Controller at the following address: privacy@marleyspoon.de.

The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as data processors (when processing the Personal Data on behalf and upon instructions of the Data Controller and/or the Recipients), or as distinct data controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).

The Personal Data may also be transferred to third-parties such as governmental, judicial, prosecution or regulatory agencies and/or authorities as well as official national registers, including tax authorities, in accordance with applicable laws and regulations. In particular, Personal Data may be disclosed to the Luxembourg tax authorities, which in turn may acting as data controller, disclose the same to foreign tax authorities.

Following recent case law from the CJEU (“Schrems II”), the CJEU reaffirmed the validity of the Standard Contractual Clauses (the SCCs”), but they are not sufficient per se. A data exporter located in the EEA must assess the effectiveness of the chosen transfer tool and verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under the SCCs and, where it doesn’t, that companies must identify and implement “supplementary measures”.

Where such supplementary measures would still not be sufficient to provide an adequate level of protection, the transfers to such countries should not take place. In that respect, guidelines which should be taken into consideration prior to any transfer to a third country have been issued by the European Data Protection Board (available here).

In sum, it should be reassessed if transfers of personal data to third countries are strictly necessary and ideally such transfers should be avoided.

Please let us know should you wish any additional guidance and/or assistance from our side in that respect.

4. How long will Personal Data be retained?

The Data Controller will retain the Personal Data for the duration of the and thereafter for a period of ten (10) years, unless longer or shorter statutory limitation periods apply. In some circumstances the Personal Data may be anonymised so that it can no longer be associated with the Data Subjects, in which case it is no longer personal data and can be kept for an unlimited period of time.

5. The Data Subject’s rights

In accordance with the conditions and limitations laid down by the Data Protection Laws, the Data Subjects acknowledge their right to:

  • access their Personal Data;
  • correct their Personal Data where it is inaccurate or incomplete;
  • object to the processing of their Personal Data (including for commercial purposes);
  • restrict the use of their Personal Data;
  • have their Personal Data erased;
  • ask for Personal Data portability.

The Data Subjects may exercise their above rights by writing to the Data Controller at the following address:
Marley Spoon Group SE
9 Rue de Bitbourg,
L-1273 Luxemburg
privacy@marleyspoon.de

The Data Subjects also acknowledge the existence of their right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: 15, Boulevard du Jazz, L-4370 Belvaux, Grand Duchy of Luxembourg; or with any competent data protection supervisory authority of their EU Member State of residence.

6. Changes to this Privacy Notice

The Data Controller reserves the right to update this Privacy Notice at any time and will make an updated copy of such Privacy Notice available directly to the Data Subject, or in any case to all shareholders that have provided the Data Controller with Personal Data. Data Subjects will be notified when any substantial updates are made to the present Privacy Notice.