The following provides you with information about how we process your personal data and the claims and rights to which you are entitled under data protection legislation as set out in Article 13 of the General Data Protection Regulation (GDPR).

1. Who is responsible for data processing and who can I contact?

Lupus alpha Asset Management AG  
Speicherstraße 49-51
60327 Frankfurt am Main

If you have any data protection questions, please contact:   

We have appointed the following data protection officer:

Verimax GmbH, Warndtstr. 115, 66127 Saarbrücken

2. What sources and data do we use?

We process personal data (Article 4 No.2 GDPR) that we receive from you as part of our email correspondence or when initiating or concluding an agreement with you. Where required for a particular contractual relationship, we also process personal data that we collect by law or based on the legitimate interests of other authorities (e.g. occasional requests as to whether a client is a private investor or an institutional client). Relevant personal data primarily consists of your key data (first name, surname, address and other contact details).

3. Why do we process your data (purpose of processing) and on what legal basis do we do this?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

3.1 Fulfilment of contractual obligations
(Article 6 (1) Letter b GDPR)

Personal data is processed for contract initiation, conclusion and processing purposes and in order to meet related secondary obligations.

3.2 With your consent
(Article 6 (1) Letter a GDPR)

If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Any consent granted can be revoked at any time. This also applies to the revocation of declarations of consent issued to us before GDPR came into force; that is, before 25 May 2018.

Please note that this revocation is only valid for the future. Any processing carried out before the revocation is not affected.

3.3 Based on statutory provisions
(Article 6 (1) Letter c GDPR and Section 24 BDSG)

As a commercial enterprise, we are also subject to various statutory obligations, i.e. legal requirements. In particular, data is processed:

  • to fulfil statutory requirements (e.g. tax-related issues, etc.),
  • to fulfil statutory disclosure obligations.

4. Who gets access to my data?

The areas within the company (e.g. relevant departments) that receive your data are those who need it to fulfil our contractual and legal obligations. We also appoint various service providers to fulfil part of our contractual and legal obligations. You can view a list of the processors and other service providers employed by us with non-temporary business relationships by visiting In addition, we can transfer your personal data to other recipients outside the company where this is necessary in order to fulfil our contractual and legal obligations. For example, this may include:

  • financial institutions,
  • tax authorities, courts,
  • auditors, regulatory bodies, etc.

5. How long is my data retained?

Where required for the aforementioned (No. 3) purposes, we process and retain your personal data for the duration of the initiation and processing of the agreement.

We are also subject to various retention obligations and obligations to provide evidence arising from legislation including the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention periods set out in this legislation are up to ten years. Finally, the retention period is also determined in accordance with statutory limitation periods, which generally last for three (3) years in accordance with Sections 195 et seqq. of the German Civil Code (BGB) but can extend to up to 30 years in certain cases.

6. Is my data transmitted to a third country or international organisation?

No data is transmitted to third countries (countries outside the European Economic Area – EEA).

7. What data protection rights do I have?

Every data subject has the right to access their personal data in accordance with Article 15 GDPR, the right to rectification in accordance with Article 16 GDPR, the right to erasure in accordance with Article 17 GDPR, the right to restriction of processing in accordance with Article 18 GDPR, the right to data portability according to Article 20 GDPR and the right to object as set out in Article 21 GDPR. The restrictions set out in Sections 34 and 35 of the German Federal Data Protection Act (BDSG) apply to the right to access personal data and the right to erasure. You also have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR and Section 19 BDSG) such as the Hesse Commissioner for Data Protection and Freedom of Information, P.O. Box 3163, 65021 Wiesbaden.

8. Am I obliged to provide my data?

As part of our business relationship, you only have to provide the personal data required for establishing, implementing and terminating the business relationship and fulfilling its associated contractual obligations, or where we are legally obliged to collect it. Without this data, we will generally be unable to execute the relevant contract with you.