S-RM is committed to protecting and respecting your privacy. We comply with the applicable data privacy and security requirements in the countries in which we operate.
What is Personal Data?
The UK General Data Protection Regulation (“GDPR“) defines Personal Data as any information from which a living individual is identified or identifiable.
Scope of Policy
This Policy sets out the basis on which we process the following personal data:
- Any Personal Data provided to us through our website (“Website Data”);
- Any Personal Data provided to us in connection with our contractual relationship with a client or prospective client (“Client Data”); and
- Any Personal Data that is provided to us or which we collect during the course of providing services to clients (“Client Services Data”).
Where we process Website Data and Client Data (as described below), S-RM is the data controller. Where we process Client Services Data, S-RM may act as a controller or a processor depending on our client instructions (as explained in more detail below).
Please read this Policy carefully to understand how we process your Personal Data.
What Personal Data do we collect and how do we use it?
We collect the following types of Personal Data as part of our business operations:
We collect the following Personal Data directly from clients and prospective clients to enable us, and our group companies, to provide you or our clients with the requested services:
- Your full name and your job title; and
- Your contact details, including your e-mail address and, where applicable, the name of your company.
We may also collect and process the following additional Personal Data about you:
- If you contact us, we may keep a record of that correspondence;
- Details of your interests and preferences;
- Where you use our proprietary portal (“Portal“), you may be required to set up an account following which we will also process your account information (username and password); and
- Details of your visits to our website including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access (see section on Website Data below).
Where we provide you with our services, the collection of your Personal Data is a requirement for the performance of a contract between you and us, namely to enable us to provide to you the services you have requested. Where we provide our services to clients, we process your Personal Data for our and our clients’ legitimate business interests in order to provide them with the requested services. You are not under an obligation to provide us with any of your Personal Data. However, this might result in us being unable to provide you with the requested services.
We may also use your Personal Data to market our services to you in which case our basis of processing is our legitimate interest in marketing our services to you. In some circumstances, such as where we are legally required, we may seek your consent to process your Personal Data in which case we will ensure that our request for such consent is clear and transparent.
We use Website Data in the following ways where it is necessary for our legitimate interests:
- To ensure that content from our website is presented in the most effective manner for you and for your computer;
- To analyse the data for the purposes of improving our website and services;
- To prevent fraud and/or for security; and
- To respond to a request submitted via our website.
Where applicable, we use Website Data to perform our obligations arising from any contracts entered into between you and us. We may also seek your consent for certain uses of your personal data, e.g. to register you for any requested subscriptions to newsletters and other communications.
We do not sell or disseminate Website Data to third parties or provide host mailing on behalf of third parties. We do enter Website Data into our contacts database, and we maintain it there, unless you ask us to remove it. You may ask us to remove your Personal Data from our database at any time by emailing us at firstname.lastname@example.org.
We will never sell your Personal Data and will only ever share it with organisations we work with where necessary and where we have taken steps to ensure its privacy and security.
For any enquiries to the website about possible employment with S-RM, we process personal data in line with our Employee Data Processing Notice (available on request).
Client Services Data
S-RM provides cyber security, corporate intelligence (including strategic intelligence, regulatory and compliance due diligence, disputes and investigations and litigation support services) and crisis response services to clients (including both corporates and individuals). As part of providing these services, our clients may require us to collect information on individuals. Personal Data may be provided to us by our client or by you or collected from public records such as corporate registries, court filings and media reports as well as from human sources. Depending on the nature of the client engagement and the nature of the processing and the extent of control and decision making we have in respect of the data, S-RM may act as a data controller or as a data processor on behalf of its client.
Where acting as a data controller, we take steps to establish a lawful basis of processing. Our lawful basis is typically that the processing is necessary for our legitimate interests of providing professional services to our clients to assist them in fulfilling their legal, regulatory or compliance obligations, to gain insights into businesses, industries and markets or to support other legitimate business interests of our client. We have carried out assessments of our legitimate interests and weighed these against the interests, fundamental rights and freedoms of the individuals whose personal data we process.
Client Services Data may include:
- Company and business professional contact information, including name, job title, address, phone number, fax number, e-mail address, passport, driving licence and other forms of identification, domain names, and trade associations;
- Detailed company profiles and statistics, which include details of company officers and employees and, for publicly listed companies only, the remuneration of certain officers;
- Background information regarding company management such as beneficial ownership/persons of significant control, the educational and career histories of company principals;
- Information relating to actual or suspected criminal offences data relating to company officers and employees from media reports or other information in the public domain; and
- Special Categories of Personal Data, such as information relating to health, beliefs and political affiliations from media reports or other information in the public domain.
Where We Store Your Personal Data
Storage and Retention
S-RM typically retains Personal Data only for as long as necessary for the purpose for which it is collected. In the case of Client Data and Website Data, this is usually for the duration of the client relationship. For Client Services Data, we typically retain Personal Data for the duration of the relevant client engagement pursuant to which the data was collected. However, in all cases, we retain certain records for longer periods in order to comply with legal or regulatory obligations or to defend ourselves against legal claims.
Transfers out of the UK and EEA
S-RM typically stores Personal Data on servers hosted in the UK. We may transfer your Personal Data to our group companies and third-party suppliers and service providers both in and outside the UK and the European Economic Area (“EEA”) including to the US. We will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with the relevant data protection requirements and that the transfers of Personal Data are subject to appropriate safeguards including, where applicable, reliance on an adequacy decision by the UK or European Commission, or, in the case of absence thereof, the use of relevant contractual safeguards such as Standard Contractual Clauses approved by the European Commission or the Information Commissioner’s Office.
How We Protect Your Data
S-RM has in place industry standard technical and organizational security measures in order to keep your Personal Data safe and to prevent against unauthorised access, use or disclosure.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Our staff receive data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling Personal Data.
Disclosures of Personal Data
We may disclose your Personal Data to any of our group companies (which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006) to assist us in provision of the services requested by you. We may also disclose your Personal Data to our suppliers and service providers from time to time to enable us to provide our services. Any such disclosures will be in accordance with GDPR using relevant safeguards. We also disclose Client Services Data to our clients and their related entities/related parties on a confidential basis.
We may also disclose your Personal Data to third parties:
- In the event that we sell or buy a business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets;
- If S-RM or substantially all of its assets are acquired by a third party, in which case Personal Data held by it will be one of the transferred assets;
You have the right to ask us not to process your Personal Data for marketing purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at email@example.com.
Data Subject Rights
In addition to the right set out above, GDPR provides individuals the following rights:
- The right to request access to the Personal Data we hold about you;
- The right to request correction or deletion of your Personal Data;
- The right to withdraw your consent for a specific use of your Personal Data provided to us;
- The right to request restriction of processing by us of your Personal Data;
- The right to object to processing of your Personal Data by us;
- The right to obtain copies of the data that we hold about you in a machine-readable format and to transfer such data to another company on your request.
Such requests should be made to the data controller which, in most cases, will be S-RM’s client. If we receive a request directly from a data subject where we act as processor of Personal Data on behalf of a client, we will contact the controller client for instructions on how to deal with the request. In certain cases, we may, with the consent of the client and without prejudice to our position as data processor, elect to deal with the request on behalf of the controller client to ensure that the request is dealt with expeditiously.
If you consider that our processing of your Personal Data breaches any of your rights under GDPR or you are otherwise dissatisfied with the way your Personal Data is handled by us, you have the right to complain to the Information Commissioner’s Office, https://ico.org.uk/.
Data Protection Officer
Our Data Protection Officer is:
4th Floor, Beaufort House,
15 St. Botolph Street,
Links to Third Party Websites
Our website may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that S-RM does not accept any liability for any Personal Data you provide to those websites or your use thereof. Please check these policies before you submit any Personal Data to these websites.
Any questions you have in relation to this policy and how we use your data should be sent to firstname.lastname@example.org.
CHANGES TO THIS NOTICE
We reserve the right to make changes to this Policy. Any updated Policy will be posted on our Website.
Last updated: September 2022