Privacy Policy for Website Users
SGR Compliance SA, Switzerland (“SGR”, “we”, “us”, “our”) produces and maintains several databases (specific collections of data) that are archives of publicly available information ordered according to different areas of interest. The contents of the databases are available only to public authorities and public or private firms under the legal obligation to carry out anti-money laundering, anti-terrorism financing (“AML” and “CFT”) and Know Your Customer (“KYC”) screenings. Please note that SGR does not conduct any personal investigative or fact-finding activity or give any indication, assessment or score to any record we hold. International and domestic laws globally are quite clear in imposing enhanced screening obligations on specific activities, such as banks, financial intermediaries, fiduciaries and specific categories of businesses, to prevent the misuse of financial or professional services.
This Privacy Policy for Website Users, together with any other documents referred to, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
Website Users
This document concerns data subjects (“Data Subject”, “you”, “your”) whose personal information is collected by us when you act as a user of our websites or provide us your information as explained below.
Our websites https://www.sgrcompliance.com/ and https://www.sgrdailycontrol.com/ are owned and operated by SGR (all together, “Website”).
If you are concerned about your inclusion in our databases please review the Privacy Policy for Data Subjects published on this website.
This Privacy Policy is based on the “Bundesgesetz über den Datenschutz” 1992 as amended (“DSG”) [Swiss Federal Act on data protection: https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en]. SGR is authorized to treat and process personal data pursuant to those laws and regulations and by the Swiss Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) [Swiss Federal data protection and information commissioner: https://www.edoeb.admin.ch/edoeb/en/home.html]. Although the GDPR is a regulation of the European Union, it is of relevance to us. Furthermore, this Privacy Policy is also based on the General Data Protection Regulation (Regulation EU 2016/679: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN) as amended (“GDPR”), in particular on its UK implementation of the GDPR UK “Data Protection Act” 2018 (“DPA”) as amended (https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted). Our Representative and Data Protection Officer (“DPO”) is Moore ClearComm Ltd, 6th Floor, 9 Appold Street, London, EC2A 2AP, UK, dpo@sgrcompliance.com. In this document we shall refer to the above-mentioned DSG, and GDPR as implemented by DPA definitions and rules.
Personal data
Under the DSG personal data is defined as “all information relating to an identified or identifiable individual”. Under the GDPR personal data is defined as “any information relating to an identified or identifiable natural person (Data Subject), by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The Data Controller
Under the DSG a data controller is the private person or federal body that decides on the purpose and content of a data file. SGR is the data controller as defined by DSG (“Data Controller”). Under the GDPR a data controller is the individual or legal person who controls and is responsible to keep and use personal data in paper or electronic files. SGR is the Data Controller as defined by the GDPR.
Lawful Processing
The lawful legal basis for the processing of your personal data is contemplated in the DSG and GDPR as implemented in the UK under the DPA. Please note that this privacy policy is only for website users.
At least one of these must apply whenever personal data is to be processed:
- Consent: you have given SGR your freely given, specific, informed or unambiguous consent for your personal data to be processed for a specific purpose or, pursuant to Article 30.3 of the DSG and Schedule 1 of the DPA, “this condition is met if the processing relates to personal data which is manifestly made public by the Data Subject”.
- Contract performance: the processing is necessary for the performance of a contract you have with SGR, which had asked you to take specific steps before entering a contract.
- Compliance with legal obligation: the processing is necessary for SGR to comply with the law in the jurisdictions where SGR operates (not including contractual obligations).
- Public interest: the processing is necessary to perform a task that is in the public interest or for its official functions, and the task or function has a clear basis in law, so pursuant to Schedule 1 of the DPA this means “preventing or detecting unlawful acts”, “necessary for the purposes of preventing fraud or a particular kind of fraud”, “regulatory requirements relating to unlawful acts and dishonesty” and “suspicion of terrorist financing or money laundering”. With reference to the production and maintenance of its Database, SGR falls into this scope and is authorized pursuant to Article 31 of the DSG, GDPR and DPA, laying the legal basis for the processing of personal data down by such Union Law and Member State law to which SGR is subject.
- Legitimate interests: the processing is necessary for SGR’s legitimate interests, or the legitimate interests of a third-party, including SGR Customers, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
Data Rights
Your Data Subject rights are listed below:
- right to be informed, as set out in Article 19 of the DSG and in Article 14 of the GDPR
- right of access, as set out in Article 25 of the DSG and Article 15 of the GDPR
- right to rectification, as set out in Article 32 of the DSG and Article 16 of the GDPR
- right to erasure or right to be forgotten, as set out in Article 32 of the DSG and Article 17 of the GDPR.
Restrictions on Data Subject’s rights are provided for by Articles 30.3, 31 and 32 of the DSG and by Articles 15 and 26 of the DPA, especially in connection with a public interest or “in connection with the safeguarding of national security and with defence”.
If you wish to exercise any of the above rights, please fill out the form at the following link: https://sgrdailycontrol.com/dcrights.cfm.
Personal data we collect with your consent
Information that you made public or that you provide us by completing forms in writing, email, through our websites or social media. This includes information provided at the time of registering with us, to use our website, to log in to our Database, to connect with us via our LinkedIn page, to participate in our events (webinar, fair, conference), to receive our newsletter, to support or subscribe to our services, to request materials or information or to request further services, when you respond to a survey and/or when you report a problem with any of our communication channels or services.
We collect the following classes of information:
- name(s), surname(s), address(es), email(s), phone number(s), and other relevant personal details (e.g. age group, subscriptions, company, work) and preferences (e.g. activities, events, news);
- information about our relationship with you, correspondence, meeting notes, attendance at events;
- occupation, skills and professional activity, network(s) and interests where relevant to our needs;
- financial information (e.g. bank details) where they may be relevant in relation to contracts with SGR;
- details of your access to our Databases or other materials.
If you contact us, we may keep a record of that correspondence.
We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
To help us improve our services, if you send us personal information which identifies you via email, we may keep your email, your email address and “screen” name.
During the normal operation of this website, our systems automatically collect certain personal data as part of the inherent function of internet communication protocols. These data are processed to ensure the proper functioning of the web services provided.
We do not use cookies for user profiling. We only use session-based technical cookies, which are non-persistent and limited to what is necessary for secure and efficient website navigation.
How we collect personal data
There are several ways in which we collect your personal data directly from you:
- that you provide to us;
- that you made public; and
- that we automatically collect because of sharing with other parties such as educational platforms.
Personal data that you give to us may be through one of several ways. These may include:
- directly via our Website;
- emailing your CV to our HR team or via our emails;
- providing information via on-line forms, surveys, our websites, our LinkedIn or Twitter page or contacting us;
- collecting your data through a contractual or commercial relationship with you e.g. for membership subscriptions, attending an event, being supplier or client, partner;
- via a form which could be online as part of our website or a form provided to us as a hard copy or electronically or when registering to our events or newsletter; and
- contacting us with enquiries or comments by telephone, email or hard copy correspondence.
Personal data may be also given to us through another organisation with which you have registered, and we may be required to process that data in order to fulfil services that you expect of us. This could include one of the following:
- via another authorized body with whom joint education or professional development takes place;
- via professional bodies with whom there is a sharing of registration for events or activities;
- the company you are employed with, for performance of contractual obligations between SGR and your company.
How we use personal data
We will process any of your personal data, in accordance with our obligations under the DSG and the DPA, for the following reasons:
- to provide you with the services you have requested;
- to comply with the DSG and the DPA;
- for administrative purposes;
- to assess enquiries; and
- to provide you with information about us and our services. If, at any time, you do not wish to receive further information about us and our services, contact us at privacy@sgrcompliance.com.
Sharing your personal data
We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data to comply with any legal obligation, or in order to enforce or apply any agreements and contracts, or to protect the rights, property, or safety of the organisation, or other individuals. This includes exchanging information with other companies and organisations for the purposes of safeguarding or other statutory regulations we have to comply with as well as those organisations with whom you and we have reciprocal agreements for providing services for education or professional development.
Websites
Our websites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Protecting your personal data
The data that we collect from you will be processed and transferred also outside the European Economic Area (EEA), in Switzerland or other countries categorised by Switzerland or the European Commission as having adequate data protection legal and regulatory regimes. If we send personal data to a country that does not have appropriate data protection legislation, nor is deemed as an adequate country under the adequacy rating of Switzerland or the European Commission, we will ensure an appropriate level of protection by employing contracts accordingly, or we will act on the basis of the following statutory requirements, consent, performance of the contract, execution or enforcement of legal claims, in accordance with the requirements imposed by DSG and DPA. We may also use the binding corporate rules, standard contractual clauses or ad hoc contractual clauses that stipulate that the data will be processed in accordance with the DSG and the DPA. At any time, you have the right to request information about the contractual guarantees mentioned. However, we reserve the right to censor copies, or to supply them only in part to protect the privacy of any third parties mentioned or to protect our confidentiality duty.
Security of your information
To help protect the privacy of data and personally identifiable information you transmit through use of our website, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.
We do not monitor any queries done via our websites.
For how long we store the data
We store your personal data in accordance with our internal data retention policy. This policy is reviewed and updated internally to ensure we do not store your data for longer than is necessary. We also review how and where we store any data to ensure that we meet our obligation to store data securely. We process and store your personal data to the extent that it is required to fulfil our contractual and legal obligations or for the purposes pursued by the processing, which means, for example, for the entire duration of the business relationship (from the initiation and performance of a contract to its conclusion) and beyond that in accordance with legal obligations for storage and documentation. It is therefore possible that personal data is stored for the period of time when claims can be made against SGR and to the extent that we are legally obliged or authorised to do so, or legitimate business interests necessitate this.
Changes to privacy policy
SGR reserves the right to vary this Privacy Policy from time to time. Such variations become effective on posting on our websites. Your subsequent use of our websites or submission of personal information to SGR will be deemed to signify your acceptance of the Privacy Policy and its variations.
Complaints
If you think we are not handling your personal data in accordance with this Privacy Policy and with the relevant data protection framework outlined in this Privacy Policy, please contact us at privacy@sgrcompliance.com.
Pursuant to the DSG, you may also contact the
Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (“EDÖB”)
[Swiss Federal data protection and information commissioner: https://www.edoeb.admin.ch/edoeb/en/home.html]
Feldeggweg 1, CH-3003 Berne.
Or, pursuant to the DPA, the UK Information Commissioner’s Office (“ICO”)
Wycliffe House, Wilmslow, Cheshire, UK.
(Updated May 2023)