Control Risks Group Limited, registered in England under registration number 01810707 and with a registered address at Cottons Centre, Cottons Lane, London SE1 2QG ("Control Risks"), operates the website www.controlrisks.com (the "Site") and organises its maintenance and the placing of its content. In this policy, "Control Risks" refers to Control Risks and its parent company, Control Risks International Limited, and may refer to one or more of the members of that group, each of which is a separate legal entity. For a full list of such entities, please click here.
Control Risks understands that privacy is important and is committed to respecting your privacy and protecting your personal data. This policy sets out Control Risks’ approach to the collection, storage, usage and transfer or disclosure of information you provide to us and information we collect in the course of operating our business or in connection with this Site. It also includes a description of your data protection rights which, in some instances, will include a right to object to the processing we carry out.
Information we collect
Control Risks collects, receives, stores and processes the following information:
Information supplied for the above purposes may include names, addresses, telephone numbers, email addresses, dates of birth, educational details, banking and financial details and any other additional information that you may supply, or which may be otherwise processed.
Use of Data
Control Risks is the controller of any personal data where we determine the means and method of the processing, for example any personal data collected through the Site, or for any marketing or client relationship management purposes, or where the personal data is used for compliance with our own internal procedures or legal and regulatory requirements. Additionally, Control Risks may process personal data as a data processor upon the instructions of you or a third party.
Control Risks processes all personal data in accordance with applicable data protection law including the EU General Data Protection Regulation 2016/679, as incorporated into UK legislation ("GDPR").
Control Risks will use personal data for various purposes which include:
Where required to satisfy the purpose for which the personal data was initially collected, personal data may be shared with Control Risks' affiliates and associated companies as well as third party service providers who perform services or functions on our behalf, some of whom may be in jurisdictions which do not provide a level of data protection equivalent to that of GDPR. An up-to-date list of key sub-processors, including their jurisdictions, can be found here. The list of key sub-processors is subject to amendment and update. The updated list is published 30 days prior to becoming effective. For any questions regarding our sub-processors, please contact us using the details in the Contact section at the bottom of this page.
Control Risks ensures that all transfers from the UK or the EU to third parties located in non-equivalent jurisdictions are subject to adequate safeguards and the protections required under applicable law.
The Legal Basis for Processing Personal Data
Control Risks processes personal data on the following legal bases:
a) Necessary for entering into, or performing, a contract – in order to perform obligations that we undertake in providing service(s) to you, or in order to take steps at your request to enter into a contract with us, it will be necessary for us to process your personal data;
b) Necessary for compliance with a legal obligation – we are subject to certain legal requirements which may require us to process your personal data. We may also be obliged by law or for national security reasons to disclose your personal data to a regulatory body, government agency, court of competent jurisdiction or law enforcement agency in response to a lawful request submitted by court order, subpoena, warrant, or similar legal mechanism that carries equal weight;
c) Necessary for the purposes of legitimate interests - either we, or a third party, will need to process your personal data for the purposes of our (or a third party's) legitimate interests, provided we have established that those interests are not overridden by your rights and freedoms, including your right to have your personal data protected. Our legitimate interests include responding to requests and enquiries from you or a third party, maintaining client relationships, optimizing our website and customer experience, informing you about our services and ensuring that our operations are conducted in an appropriate and efficient manner;
d) Consent – in some circumstances, we may ask for your consent to process your personal data in a particular way. To the extent that we are processing your personal data based on your consent, you will have the right to withdraw your consent at any time. You can do this by contacting us using the details in the Contact section at the bottom of this page.
The security and protection of personal data is of the highest importance and concern to Control Risks. We have in place all generally accepted standards of technology and operational security in order to protect personal data processed by us from loss, misuse, alteration or destruction and to ensure compliance with the requirements of all applicable data protection and privacy legislation.
Notwithstanding the arrangements set out above, unfortunately the transmission of information via the internet is not completely secure. Once we have received information, we will use strict procedures and security features to try to prevent unauthorized access.
Data Subject’s rights
You have certain rights in relation to personal data we hold about you. Details of these rights and how to exercise them are set out below. We will require evidence of your identity before we are able to act on your request.
Right of Access
You have the right at any time to ask us for a copy of your personal data that we hold. Where we have good reason, and if the GDPR or other applicable data protection law permits, we can refuse your request for a copy of your personal data, or certain elements of the request (for example, if we would also be disclosing third party personal data). If we refuse your request or any element of it, we will provide you with our reasons for doing so.
Right of Correction or Completion
If personal data we hold about you is inaccurate, out of date or incomplete, you have a right to have the data rectified, updated or completed. Therefore, please advise us of any changes to your information. You can let us know by contacting us using the details in the Contact section at the bottom of this page.
Right of Erasure
In certain circumstances, you have the right to request that personal data we hold about you is erased e.g., if the information is no longer necessary for the purposes for which it was collected or processed or our processing of the information is based on your consent (which you wish to withdraw) and there are no other legal grounds on which we may process the information.
Right to object to or restrict processing
In certain circumstances, you have the right to object to our processing of your personal data by contacting us using the details in the Contact section at the bottom of this page.
Specifically, please note that you have the right to object:
(a) at any time to Control Risks' use of your personal data for direct marketing purposes; and
(b) to Control Risks' processing of your personal data where it is based on our legitimate interests, unless we have compelling legitimate grounds to process the information, or we need to do so in relation to legal claims.
You may also have the right to restrict our use of your personal data, such as in circumstances where you have challenged the accuracy of the information and during the period where we are verifying its accuracy.
Right of Data Portability
In certain instances, you have a right to receive any personal data that we hold about you in a structured, commonly used and machine-readable format.
You can ask us to transmit that information to you or directly to a third-party organization.
The above right exists only in respect of personal data that:
• you have provided to us previously; and
• is processed by us using automated means.
While we are happy for such requests to be made, we are not able to guarantee technical compatibility with a third party organization’s systems. Also, we may be unable to comply with requests that relate to personal data of others without their consent.
You can exercise any of the above rights by contacting us using any of the methods in the Contact section at the bottom of this page.
Most of the above rights are subject to limitations and exceptions. We will provide reasons if we are unable to comply with any request for the exercise of your rights.
Control Risks does not intend that children should visit the Site or otherwise be subject to personal data processing by Control Risks. Control Risks understands that children merit special protection and will never knowingly process their personal data.
Disclosure of Personal Data to Third Parties
Control Risks will not share your personal data with third parties unless required by law, required to enable the fulfilment of the purpose for which the personal data was originally supplied or as otherwise set out in this policy. Control Risks may transfer all or part of its business in the circumstances of a merger or sale of part or all of its business. In such circumstances personal data may be transferred but this will be only in circumstances where the acquiring company has agreed to the same standards and terms of privacy as are set out in this policy. Control Risks remains liable to you in respect of its obligations concerning your personal data in cases of onward transfers to third parties.
EU-U.S. Privacy Shield + Swiss-U.S. Privacy Shield
Control Risks relies on the European Commission’s Standard Contractual Clauses to transfer personal data from the EU to the US and recognises that the EU-U.S. Privacy Shield Framework is no longer a valid data protection mechanism for such transfers.
Control Risks Group LLC, a subsidiary of Control Risks Group Holdings Limited, is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Under certain conditions, it is possible for any individual who wishes to do so to invoke binding arbitration in respect of the treatment of their personal data by Control Risks Group LLC. Control Risks Group LLC also commits to cooperate with the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from Switzerland in the context of the employment relationship.
In compliance with the Privacy Shield Principles, Control Risks Group LLC commits to resolve complaints about our collection or use of your personal data. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Control Risks Group LLC at: [email protected].
Control Risks Group LLC has further committed to cooperate with the panel established by the EU data protection supervisory authorities with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.
If you are unhappy about our use of your personal data, you can contact us using the details in the Contact section at the bottom of this page. You are also entitled to lodge a complaint with the UK Information Commissioner's Office using any of the below contact methods:
Telephone: 0303 123 11113
Post: Information Commissioner's Office
If you live or work outside the UK or you have a complaint concerning our activities outside the UK, you may prefer to lodge a complaint with a different supervisory authority. A list of relevant authorities in the EEA and the European Free Trade Area can be accessed here.
If your query or complaint relates to Control Risks (Middle East) Ltd. (registered in the Dubai International Financial Centre with registration number 0093) or Control Risks (Middle East) Ltd is a controller of your personal data for other reasons, you have the right to lodge a complaint with the Dubai International Financial Centre Commissioner of Data Protection.
Data Processed During Provision of Services
In accordance with GDPR or other applicable data protection laws, where we are a controller of the personal data in relation to due diligence services, we do not provide fair processing notices to such individuals as to do so would seriously impair the achievement of the objectives of that processing. We treat all such data in accordance with our obligations under GDPR or other applicable data protection laws. We make this statement in compliance with our obligation under article 14(5)(b) GDPR to publicize the nature of the information that would otherwise be contained in any such fair processing notice.
Personal data obtained and processed in the course of providing client services will typically include a summary of the individual’s profile or reputation in the market.
The data will be collected for the purpose of providing our services to our clients. The lawful basis under GDPR, or analogous data protection laws, for such data processing will vary depending on the nature of the data and the project, but will include:
a) necessary for the purpose of our or our client’s legitimate interests. These interests may include ensuring that the client does not take actions that could result in legal liability, reputational impact or other adverse effects;
b) necessary for the prevention or detection of an unlawful act;
c) necessary for the establishment, exercise or defence of a legal claim;
d) where it is in the vital interest of the data subject or a third party;
e) the data has been manifestly made public by the data subject.
We are a controller of personal data which is collected through source enquiries with suitable individuals. We are a processor of personal data which is collected through open-source research, which includes public record (such as press articles, corporate filings, court records, and the records of central and local government departments and statutory bodies), news aggregators, specialist databases, social media and deep-web research.
Third parties with whom we may share such data include other members of the Control Risks Group, our client who commissioned the work and its advisers who have, themselves, a lawful basis for processing the data, and our subcontractors who are involved in gathering the information.
Personal data is stored according to our global data retention and data protection policies. Our policies establish that personal data is stored no longer than is necessary for the purposes for which it was processed.
We may nevertheless retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
If you have any enquiries or if you would like to contact us about our processing of your personal data, including to exercise your rights as outlined above, please contact us by using one of the methods listed below.
When you contact us, we will ask you to verify your identity.
Contact name: Global General Counsel (Data Protection Officer)
Email: [email protected]
Telephone: 020 7970 2200
Post: Cottons Centre, Cottons Lane, London SE1 2QG