Privacy Notice

Summa respects your privacy and is committed to protecting your personal data. This Privacy Notice will inform you as to how Summa as a data controller collect and use your personal data. The information below also describes your rights and how you can enforce them.

About Summa

Summa is the common denomination for a group of an alternative investment manager, advisory companies, private equity funds and vehicles.

Information which is collected by Summa will be the responsibility of the entity who collects the information, namely Summa Equity AB, Summa Equity Advisory AS or Summa Equity Advisory GmbH, who will act as a data controller in relation to your personal data. If necessary, we will provide you with further information about the applicable data controller(s) and how your personal data is processed by such data controller(s).

This Privacy Notice is issued by Summa Equity AB for and on behalf of Summa.

What personal data does Summa process?

Personal data means any information about an individual from which that person can be identified. It does not include anonymous information, namely information which does not relate to an identified person.

Summa may collect, use, store and transfer different kinds of personal data about you, including:

  • Identity data, which can include name, gender, nationality, date of birth and copies of anti-money laundering identification (for example, passport, national ID card, driver’s license);
  • Contact data, which can include address, email address, telephone numbers and copies of proof of address documentation (for example, copies of utility bills or bank statements);
  • Financial data, which can include bank account details, source of wealth and tax information;
  • Transaction data, which can include details about payments, transaction history, investment activity, interest in the Funds, including ownership percentage.

Sensitive personal data is afforded special protection and may not be processed by Summa except under special circumstances. For example, Sensitive personal data may be processed in order for Summa to fulfil its obligations under employment law, to assess the working capacity of an employee, or where the data subject has given explicit consent for their Sensitive personal data to be used for one or more specific purposes.

Summa process personal data in a number of different situations in connection to its business operations, including:

  • Fundraising: Summa can process personal data when Summa is in the fundraising stage. Foremost, processed data regards the Investor’s key personnel in connection with AML onboarding.
  • Portfolio Company management: Summa can process personal data in its daily operations of managing portfolio companies. This can include Portfolio Company executives, key personnel and employees. In this regard, daily operations can include setting up management incentive programs and salary management, containing personal data on employees’ salaries etc.
  • Target company due diligence: Summa can process personal data when conducting due diligence on potential target companies. This includes, foremost, personal data regarding target company executives and key personnel and target company employees. Additionally, Summa can process personal data when targeting add-on acquisitions to preexisting portfolio companies.
  • Summa HR: Summa processes personal data concerning Relevant Persons and recruitment candidates.

Summa does not engage in direct marketing, profiling or automated decision-making.

How does Summa collect personal data?

Summa uses different methods to collect personal data, including:

Personal data that is provided directly to Summa

Summa may collect personal data from prospective investors, intermediaries and other business partners for the purposes of establishing a business relationship in respect of a Fund, entering into contractual relationships, and/or to otherwise satisfy our legal or regulatory obligations.

Personal data obtained from third parties

In addition, Summa may receive personal data in connection with legal requirements that are applicable to Summa, or from third parties in connection with the services Summa provide.

On what legal basis is your personal data processed?


Summa may only process personal data when a specific legal ground permits such processing. Summa only processes personal data if one of the following legal grounds applies:

When Sensitive personal data is processed for any reason, higher levels of data protection should be afforded and, in some cases, a data protection impact assessment must be conducted.
Summa must not process any criminal offence data except when permitted or required by applicable laws and regulations.
Even if there is a valid legal ground to process personal data, Summa must first conduct a data protection impact assessment if it is about to engage in data processing activities that are likely to result in a high risk to the rights of freedoms of individuals.

Legal basis for Summa’s processing

Typically Summa will use your personal data in the following circumstances, for the following purposes and pursuant to the following legal bases:

where it is necessary for the performance of a contract to which you are party, or to comply with a request you have made prior to entering into a contract, and for compliance with legal obligations:

  • to facilitate hiring processes, manage employment, and ensure compliance with legal obligations;
  • to manage fundraising processes and administer Investor’s commitments and/or interests and any related accounts, and ensure compliance with legal obligations;
  • in daily operations of managing portfolio companies.

where it is necessary for the performance of a contract to which you are party, or to comply with a request you have made prior to entering into a contract, and for Summa’s legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests:

  • to conduct due diligence on potential target companies;
  • to engage and manage external consultants and advisors.

If Summa requires your personal data due to a legal requirement or obligation, or in order to perform a contract with you, then failure to provide this information might mean that Summa cannot provide its services or products to you. In this case, Summa may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Data transfers

Summa may exchange or transfer personal data to a third party that will have the role of a processor. Processors include Summa’s third-party service providers as well as group companies. Whenever Summa exchanges or transfers personal data to such third party, this must be subject to a processor agreement containing certain requirements. The processor may only process personal data on behalf of Summa according to the instructions laid out in the processor agreement.

In addition, Summa may exchange or transfer personal data to a country outside the EU/EEA. Summa uses safeguards to ensure that personal data is treated appropriately where it is transferred to countries outside the EU/EEA. Such safeguards may include the use of standard contractual clauses approved by the European Commission.

For information on the safeguards applied to such transfers, please contact us.

Data security

Summa have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Summa has established internal guidelines for IT security, data protection and information security, as well as non-disclosure agreements with employees, the Board and third parties.


Summa will process and store your personal data for as long as our business relationship continues, or for the duration of provision of services to you by us.

Summa may also store that data for as long as necessary in order to comply with our legal, compliance, contractual or other regulatory obligations or in connection with the establishment, enforcement or defence of any legal claims.

Your rights

The right you have, as a data subject, are described below.

  • You have the right to request information about what personal data we process or have access to (right to access). In order to ensure we provide the data to the correct person you must identify yourself when requesting an extract from our registers.
  • Summa is obliged to have correct and updated personal data about you. If your personal data is incorrect, you can request rectification or supplementation thereof (right to rectification). You also have the right to request that we limit the processing of your personal data e.g., if you contest the accuracy or the legitimate interest of the processing of certain personal data (right to restriction).
  • Under certain conditions, you may request that data about you is erased when it is no longer necessary for the purpose for which it was collected (right to erasure). Summa removes information about you when it is no longer needed but may be required by other legislation to store data about you in order to comply with statutory requirements.
  • You have the right to object to the processing of personal data based on legitimate interest. You also have the right to object to direct marketing (right to object).
  • If you have given your consent or if we base the processing on performance of a contract with you, you have the right, under certain circumstances, to obtain the personal data that you have provided us. This will be provided to you in a structured, widely used, and machine-readable format and you have the right to transfer it to another controller or to have our help to transfer the data to another controller when technically possible (right to data portability).

You may exercise your rights by contacting us.


You have the right to make a complaint at any time to the competent data protection supervisory authority in the relevant jurisdiction.


The Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) is the competent authority in Sweden.


The Norwegian Data Protection Authority (No. Datatilsynet) is the competent authority in Norway.


Germany does not have one central supervisory authority for data protection law but authorities in each of the sixteen German federal states, contact details can be found here.

Contact details

Our contact details can be found here.