On the personal data processing activities carried out by STRIVE Climate Action SLU in relation to its clients.
STRIVE Climate Action SLU (“STRIVE”), in accordance with Article 13 and 14 of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”, “GDPR” or the “Regulation”), hereby provides information relating to the personal data processing carried out in the context of its relationship with its clients.
Identity and contact details of the data controller
Name of the controller: STRIVE Climate Action SLU
Seat of the controller: Calle Orense 34, 7th floor, 28020 Madrid, Spain
Email: privacy@strive.earth
Purpose, legal basis and retention period of the processing, in relation to each category of personal data processed
a) In the context of our client onboarding and client due diligence processes, regarding the Client’s representatives, executive officers, ultimate beneficial owners or authorised proxies as data subjects
| Purpose of data
processing |
Personal data
processed |
Legal basis | Retention period |
| Conducting KYC (“Know Your Client”) due diligence procedures, including verifying client’s representatives’ or beneficial owners’ data and monitoring sanctions lists. | – Name, position and representation right of the representative of the client.
– In case of medium or high risk clients, regarding the representative of the client: o The fact of appearing / not appearing on sanctions lists. o Professional CV. o Residential address. o ID document data and copy, if applicable. – In case of medium or high risk clients, regarding the beneficial owner of the client: o Name, residential address and ratio of beneficial ownership. o The fact of appearing / not appearing on sanctions lists. |
Our legitimate interest in conducting careful customer due diligence procedures, as well as the smooth processing of payments and the avoidance of possible sanctions.
In case of data regarding being listed on the UN Sanctions List, legal obligation STRIVE is subject to, under Article 42.1 of Spanish Act 10/2010 on the prevention of money laundering and the financing of terrorism. |
Five years after the end of the business relationship. |
b) In the context of our communication and business cooperation with our clients, regarding the representatives and contact persons acting on behalf of our Clients as data subjects
| Purpose of data
processing |
Personal data
processed |
Legal basis | Retention period |
| Maintaining business communication with clients. | Name, contact details (business email and phone number), data contained in the communication; Personal data that may appear in the content of customer-related notes, data necessary for possible legal claims enforcement. | Legitimate interest of STRIVE and its client in carrying out their business operations, maintaining business relations and in the fulfillment of concluded contracts, as well as the availability of evidence in the event of enforcement of legal claims related to the business relationship. | Six years. |
| Providing the service for the web-based onboarding application (onboarding.strive.earth) | Email address, access code, password, user profile data (name, company, position, telephone number, language); user data and data for any possible legal claim enforcement. | Legitimate interest of STRIVE and its client in the provision and use of the web-based onboarding service.
In the event of enforcing legal claims, our legitimate interest in the availability of the necessary evidence. |
Six years. |
| Providing “MyStrive” service through the webpage https://mystrive.earth, in case the client opts to use this service; making possible online payment. | Name, business email address, bank card details for online payment, previous webpage transactions related to the data subject. | Legitimate interest of STRIVE and its client in the provision and use of the MyStrive service and the possibility of closing transactions by online payment
In the event of enforcing legal claims, our legitimate interest in the availability of the necessary evidence. |
Six years |
| Provision of brokerage services, or fulfilment of contractual obligations arising from engagements aiming the creation of business cooperation between clients. | Contact details of representatives, executives of clients (including onboading information if applicable). | Legitimate interest of STRIVE and its client in providing the relevant service or fulfilling a contractual obligation. | The retention periods indicated at other data processing purposes apply. |
c) In the context of our internal administrative processes, regarding all data subjects mentioned above
| Purpose of data
processing |
Personal data
processed |
Legal basis | Retention period |
| Preparing back-up copies of documents kept in our IT systems, implementing measures of data loss prevention. | All data stored in our IT system. | legitimate interest of STRIVE in ensuring the uninterrupted operation of its IT processes and taking the necessary steps to ensure data security. | One year. |
| Complying with document retention obligations. | Data contained in documents relating to invoicing/accounting or taxes. | Compliance with the legal obligation to which STRIVE is subject, as set out in the Spanish Commercial Code, Article 30. | Six years. |
Sources of personal data
The sources of the personal data are normally you as the data subject or your company, in the course of our client business communication.
In the context of our customer due diligence processes, we may also rely on public registries and sanctions lists in order to obtain your data.
In the context of business communications, minutes or messages, the source of data is the sender of the communication or the person who took the minutes.
Provision of your personal data is a statutory requirement in all those events where we refer to a legal obligation STRIVE is subject to. Provision of your data is not a requirement necessary to enter into a contract directly with you, but it may be necessary to enter into a contract with the company you represent or on behalf of which you act towards us. Consequently, you are generally not obliged to provide the personal data, but it might be necessary for your company or for STRIVE to obtain and process them. Possible consequences of failure to provide your data may be that STRIVE cannot enter into or maintain business relationship with or provide services to its clients.
Recipients of the personal data
In the context of the data processing activities referred to in this privacy notice, personal data shall be shared with the following addressees, in relation to the below detailed services STRIVE has engaged in order to be able to operate its systems and pursue its business activities. Most of such addressees, if they provide services to STRIVE, act as data processors providing the guarantees to implement appropriate technical and organisational measures in line with the rules of GDPR, in order to ensure protection of your data.
| Data category | Addressee | Activity or role which serves as
grounds for the data sharing |
| All data contained in e-mail correspondence, Skype for business or Teams application. | Microsoft Ireland Operations Limited. | Cloud based system for e-mail correspondence, Skype for business and Teams application. |
| All data relating to the business operation of STRIVE. | Vertis Environmental Finance Ltd (Hungary). | Supporting services (management, financial administration, back- office, legal, IT and Risk management services); Where applicable, agency services. |
| Data contained in Eikon messages (if we contact You through Eikon). | Refinitiv Ltd (UK). | “Eikon” Instant messaging service for business purposes. |
| Data contained in WhatsApp messages (only if You contact us through WhatsApp). | WhatsApp Ireland Ltd. (Ireland). | “WhatsApp” Instant messaging service for business purposes. |
| Data contained in WeChat messages (only if You contact us through WeChat). | Tencent International Service Europe BV. (The Netherlands). | “WeChat” Instant messaging service for business purposes. |
| All data accessible on the webpage https://mystrive.earth, in case of the use of MyStrive service. | RabIT Solutions Zrt. (Hungary). | Development and maintenance service provided to STRIVE in relation to the operation of the https://mystrive.earth webpage. |
| Bank/credit card data inserted for online payment on the webpage https://mystrive.earth, in case of the use of MyStrive service. | Stripe Payments Europe Limited (Ireland). | Provision of online payment services. |
| Business contact or onboarding data in case of brokerage services or other services aiming creating business cooperation between clients. | The other client affected by the service / business cooperation. | Brokerage services or other services aiming creating business cooperation between clients. |
| Data contained in accounting documentation. | Bissé Asesores SL (Calle Montalbán 3 2º right, Madrid, Spain). | Accounting services provided to STRIVE. |
| Data used for reporting or other administrative obligations, procedures or audits by authorities. | Supervisory or other authorities. | Compliance with legal obligations, supervisory audits or administrative procedures. |
| Data contained in documents necessary for enforcement of legal claims. | Legal advisors, courts. | Enforcement of legal claims. |
Please be kindly informed that in case of the web-based onboarding service we use our own system so no data processor or other third party is involved in the processing of your data.
Data transfer to third countries
Data transfer to third countries is carried out by STRIVE in the following events, in relation to the involvement of the following service providers. The chart below also provides you with information regarding the safeguards applied in relation to such data transfers.
| Service provider / other addressee | Third country to which data are transferred | Safeguards for ensuring proper protection for the
data |
When does it happen? |
| Refinitiv Ltd. | United Kingdom. | Adequacy decision of the EU Commission. | In case of communication through Eikon instant messaging service. |
If, for the purposes of our data processing relating to the provision of services for creating business cooperation between our clients, it is necessary to transfer personal data to third countries or international organisations, we will ensure that proper safeguards are implemented to protect your personal data, either because there is an adequacy decision regarding the receiving country, or by using standard data protection clauses adopted by the European Commission, or specific contractual clauses concluded with the receiving party.
Automated decision making, including profiling
Automated decision making, including profiling, does not occur in the context of the data processing referred to in this Privacy Notice.
Your rights in relation to our data processing activity
As a data subject, you can exercise
- the right to access;
- the right to rectification;
- the right to erasure (right to be forgotten);
- the right to restrict the processing
- the right to object to the processing of your personal data, subject to the conditions as set out by the
a) Right to access
You as data subject shall have the right at any time to request information whether your personal data are processed, and if so, in what manner such data are processed by the data controller, including the purposes of the processing, recipients to whom the personal data have been or will be disclosed, the source of information from where the data controller obtained such data, the retention period of such data, any right that they may have concerning the processing, and where personal data are transferred to a third country or any international organisation, you as data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. When exercising the right of access, the data subject shall also be entitled to request copies of such data. In the event the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in an electronic form. If the right of access exercised by the data subject would affect adversely the rights and freedoms, in particular the business secrets or intellectual properties of others, the data controller shall have the right to refuse the request of the data subject to the extent necessary and proportionate. For any further copies of the above information requested by the data subject, the data controller may charge a reasonable fee that is proportionate to the related administrative costs.
b) Right to rectification
The data controller shall rectify or supplement the personal data of the data subject based on any related request from the data subject. Where there is any doubt concerning any rectified data, the data controller may call upon the data subject to adequately verify, preferably by an official document, the rectified data for the data controller. If the data controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the data controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the data controller. At the request of the data subject, the data controller shall inform the data subject of the identity of these recipients.
c) Right to erasure (“right to be forgotten”)
Where You as data subject request the erasure of any or all of your personal data, the data controller shall have the obligation to erase those without undue delay, if:
- the data controller does not need the affected personal data in relation for the purposes for which they were collected or otherwise processed;
- processing was based on your consent, however, you have withdrawn your consent, and there is no other legal ground for the processing;
- processing was based on the legitimate interest of the data controller or a third party, however, You have objected to the processing, and there are no overriding legitimate grounds for the processing, except for objection to data processing for direct marketing purposes;
- the personal data have been unlawfully processed by the data controller, or
- the personal data have to be erased for compliance with a legal
If the data controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the data controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the data controller. At the request of the data subject, the data controller shall inform the data subject of the identity of these recipients. The data controller shall not always be required to erase the personal data, in particular where e.g. the data processing is necessary for the establishment, exercise or defence of legal claims.
d) Right to restriction of processing
You as data subject may request restriction of processing in relation to your personal data where one of the following applies:
- the accuracy of the personal data is contested by the data subject, in this case restriction of processing shall be applied for a period enabling the data controller to verify the accuracy of the personal data;
- the processing is unlawful, but the data subject opposes the erasure of the data, and requests the restriction of their use instead;
- the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise and defence of legal claims; or
- the data subject has objected to the processing, in this case restriction of processing shall be applied until it is verified whether the legitimate grounds of the data controller override those of the data subject.
Restriction of processing means that such personal data shall not be processed by the data controller or shall, with the exception of storage, only be processed with the data subject’s consent, or in the absence of such consent the data controller may also process these data for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state of it. The data subject shall be informed by the data controller before the restriction of processing is lifted. If the data controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the data controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the data controller. At the request of the data subject, the data controller shall inform the data subject of the identity of these recipients.
e) Right to object
Where processing of data concerning You as data subject is based on the legitimate interest of the data controller or a third party, You as data subject shall have the right to object to processing of data. The data controller shall not be obliged to accept such objection, unless the data controller demonstrates
- compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User, or
- that the data processing is related to the submission, enforcement or protection of the data controller’s legal claims.
f) The right to data portability
Right to data portability generally means that the data subject shall have the right to receive the personal data concerning him/her, which he/she provided to the data controller based on consent or on a contract, and are processed by the data controller by automated means (e.g. in a computer system), in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller, or the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Since the data processing activities referred to in this privacy notice are not based on your consent or on the performance of a contract concluded directly with you, according to the rules of the GDPR you shall not be entitled to exercise your right to data portability. Please consult any of our other privacy notices issued in relation to other data processing activities we pursue in other context not mentioned herein, in order to gain full information on your rights relating to these other data processing activities.
In addition to the above, as a data subject, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of the EU of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. For a list of the data protection supervisory authorities, see https://edpb.europa.eu/about-edpb/about-edpb/members_en. You may also enforce your rights in court pursuant to the provisions of the GDPR or other legislation applicable to you.
How we handle your requests or questions in relation to our data processing activities
We shall provide information on the action taken on your questions or requests submitted to us relating to the processing of your personal data or to the exercise of your rights as data subject, without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests we receive. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay. If You make the request by electronic means, we shall also provide you our answer by electronic means where possible, unless otherwise requested by You. Should it be the case that we do not take action on your request, we shall inform You on that without delay and at the latest within one month of receipt of the request, explaining you the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.