Privacy Notice
GSS Privacy Notice
Introduction
Dated 17 December 2024
The Privacy Notice explains how your Personal Data is Processed by GSS, where GSS is determined as a data Controller for the data Processing activities described in this notice. This applies to data collected through our website (for example, when you submit your data through our online forms, or collected during interactions you may have with us (for example, when you attend our events, forums, trainings, or when you call us or send us emails or mail. In this regard, GSS will Process all your Personal Data in compliance with EU & UK GDPR and the Data Protection Act 2018 (together known as “Data Protection Laws”).
In this Privacy Notice, unless stated otherwise, all defined terms shall have the meaning given to these terms in GDPR[1] and/or as set out in our Glossary of Terms.
This Privacy Notice does not apply to any Processing of Personal Data Processing by GSS when providing its services as a data Processor to GSS customers (“GSS Users”) for the provision of our services. Please refer to our separate Processor Data Protection Policy for further information of when GSS is engaged as a data Processor. Our Processor Data Protection Policy can be found here
GSS may update this Privacy Notice from time to time which will be indicated by changing the date at the top of the Notice. Please check it periodically on our website for changes. This Privacy Notice supersedes the Privacy Notice dated 04 January 2024.
GSS Purposes
We collect, Process and use Personal Data for different purposes (“GSS Purposes”), which include the following:
| Purpose/Activity | Types of data | Lawful Basis |
| Inform you about our products and services | Contact details | Legitimate Interest Consent |
| Improve our marketing and advertising activities, as well as to improve the contents and services offered on the website | Contact details | Legitimate Interest Consent |
| Certain Processing activities for the purposes of Sanction Screening across the GSS platform | Personal Data as provided by GSS Users, including financial transaction data Personal Data that appears in Public Sanctions Lists and/or other publicly available sources | Legitimate Interest Public Interest |
| Recruitment | Name Address Contact details | Legitimate Interest Necessity to enter contract of employment Legal obligation |
Marketing communications and Cookies
We rely on your consent for our marketing and events communications. You can withdraw your consent to our Processing of your Personal Data at any time. To withdraw your consent for email marketing, you can click the unsubscribe link at the bottom of any email you receive from us. To withdraw your consent for cookies, you can opt out of the Cookie Notice on our website.
Recruitment/Prospective & work experience candidates
We collect data about you in a variety of ways and this will usually start when we undertake a recruitment or work experience exercise where we will collect the data from you directly. This includes contact information such as your name, date of birth, and personal email address and information you would normally include in a CV or a recruitment cover letter, or notes made by our recruiting managers during a recruitment interview. We may also ask you to participate in assessment days, complete tests, case studies or assessments. Other details may be collected directly from you in the form of official documentation (such as your academic and professional credentials, driving license, passport or other right to work evidence).
In some cases, we will collect and share information about you from and with third parties, such as employment agencies, former employers when gathering references, third parties for the purposes of assessments, credit reference agencies, screening providers, who carry out a background screening checks on our behalf (where permitted by applicable law) and governmental, judicial, regulatory, and other bodies and authorities where required by applicable law.
During our recruitment process, we do not require any ‘sensitive’ data. We kindly ask you refrain from sharing any personal details which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning your sex life or sexual orientation. If sent through to us, it will be ignored and if possible deleted.
You may be asked and may share information about yourself (such as gender identity, ethnicity, disability and social mobility). We collect this data based on consent, which can be withdrawn at any moment. The goal is for us to analyse how we connect with traditionally underrepresented groups, and to improve our diversity and inclusion programme. Any such data provided during the recruitment process will be purely on a voluntary, anonymous and aggregate basis, and will not be attributable to any individual.
We keep your Personal Data for 18 months after the end of the recruitment process.
Lawful bases for Processing Personal Data
GSS may receive business contact details of employees and other individuals associated with GSS Users, Partners, and Vendors, such as first and last name, e-mail address, phone number, title and department, and other information relevant to the business relationship. GSS Users, Partners and our third-party vendors must ensure that they do so in accordance with all applicable data protection laws and regulations, including providing notice to the individual about GSS Purposes and, where required, obtaining appropriate consent.
Our and others’ legitimate interests
As summarised above, GSS Processes Personal Data on the basis that it is in our or others’ legitimate interest. We generally Process special category and criminal data for reasons of substantial public interest pursuant to Data Protection Laws.
It is in our legitimate interests to carry on a business to facilitate and assist GSS Users to undertake screening checks (“Screening Services”), in meeting their legal obligations to comply with applicable laws and regulations. The public also have a legitimate interest in ensuring that financial crime, fraud and serious misconduct or dishonesty are prevented and detected.
Further, GSS Processes Personal Data including special category data on the basis that the Processing is necessary for reasons of substantial public interest, based on applicable Data Protection Laws (including laws designed to combat money-laundering, bribery and corruption and avoidance of sanctions).
Sources of Personal Data
For the purposes of Screening Services, GSS obtains Personal Data from a range of sources, including, but not limited to:
- Publicly available sources, such as official governmental departments and bodies (e.g., OFAC, EU, UK, UN);
- Third party commercial providers such as Factiva, trading as Dow Jones; and
- GSS Users (e.g., financial institutions which will include those you have banking relationships with).
Categories of Personal Data
For the specific purpose of the provision of Screening Services, GSS may receive a range of Personal Data about you from a variety of sources. Personal Data may include, amongst other data, payment and/or transaction data and Personal Data relating to beneficiaries of any receipt of funds. GSS does not control the content of Personal Data that has been collected by those sources. Neither is GSS responsible for its accuracy. For further details on the source of Personal Data we collect and Process, please see our Processor Data Protection Policy which provides further information on the source of that data. As part of any contractual arrangements, you may have or had with GSS Users, you will have already been provided with a copy of their Privacy Notice at that time. Should you wish to receive this information again or require any other additional information on what is held about you by those institutions, you will need to direct your query to the relevant institution concerned.
For the specific purpose of Screening Services, GSS does not obtain Personal Data direct from you as individuals. If you wish to exercise any of your data rights under Data Protections Laws in respect of your Personal Data, you are required to make contact direct with the relevant organisation in question. Please see our Processor Data Protection Policy for further information.
Sharing Personal Data
We make available Personal Data we have obtained from the various sources as outlined above, to a variety of recipients, for the purpose of our Screening Services and as required by, or to comply with applicable law(s). Our third-party service providers are not permitted to share or use Personal Data we make available to them for any purpose other than to provide services to us.
GSS will not transfer, disclose, sell, distribute, or lease Personal Data about you to third parties other than as described in this Privacy Notice as reasonably necessary unless we have your permission or as required or permitted by law. If we transmit Personal Data to third parties who partner with us or provide services to us, we will use reasonable efforts to ensure that these third parties also comply with this GSS Website Privacy Notice and applicable privacy laws.
If Personal Data about you is included in any information we receive from our various sources for the provision of our services, it is made available to the following parties:
- GSS Users. We only make Personal Data which is used as part of our Screening Services available to GSS Users that have a legitimate need to access the information for the fulfilment of their legal obligations and/or their legitimate interests. We also require that they only use it for the purposes of carrying out Screening Services or to otherwise comply with applicable laws and regulations.
- Third Party Service Providers. To assist us in supplying and maintaining the provision of our Screening Services, we allow a limited number of third-party service providers to access information held by us (e.g. IT systems providers, hosting providers, providers of technical support). We have contracts in place with all our third-party service providers that align with Data Protection Laws. As part of our contractual arrangements with them, we require commitments from them that they only use the information for the purposes specified in our agreements or to otherwise, where they may be compelled to do so in accordance with applicable laws and regulations. We will use reasonable efforts to ensure that these third parties also comply with this Privacy Notice and applicable Data Protection Laws.
- Authorities, Courts and Tribunals. We may also disclose information about you to competent authorities (including any national and/or international regulatory or enforcement body or court or other form of tribunal) in connection with one or more of the purposes outlined above where we are required to do so or at their request.
Securing Personal Data
We take information security seriously and use a range of physical, electronic and operational measures to keep your Personal Data secure, accurate and relevant. We will take reasonable steps to restrict access to Personal Data so that only those staff members who require knowledge about your Personal Data to fulfil GSS Purposes. These measures and our information security policies are closely aligned with Data Protection Laws, are reviewed regularly, and updated as necessary to meet our business needs and changes in technology and regulatory requirements.
These policies and measures include:
- Robust controls designed to ensure that Personal Data about you, in fulfilling GSS Purposes is safeguarded and to ensure it is Processed in a manner compatible with Data Protection Laws;
- Education and awareness to relevant staff to ensure that they are aware of and comply with our policies, procedures and controls designed to keep Personal Data secure, accurate and relevant;
- Administrative and technical controls to restrict staff access to Personal Data;
- On-going monitoring of compliance with our policies, procedures and controls.
Retaining Personal Data
We calculate retention periods for your Personal Data in accordance with the following criteria:
- the length of time your Personal Data remains relevant to Screening Services;
- the length of time it is reasonable to keep records to demonstrate that we have fulfilled our duties and obligations;
- any limitation periods within which claims might be made;
- any retention periods prescribed by law, including Data Protection Laws or recommended by regulators, professional bodies or associations or inter-governmental bodies (for example, the Financial Action Task Force); and
- the existence of any relevant legal or regulatory proceedings.
Cross Border Transfers
We may transfer Personal Data we collect about you to countries other than the country in which the information was originally collected. All transfers to other countries will be done in compliance with Data Protection Laws which govern the Processing, retention and transfer of Personal Data transferred to other countries outside of the UK and EU/EEA. When we transfer Personal Data to other countries, we will put in place appropriate safeguards and protections (such as standard contractual clauses), and where necessary, supplemental measures, that align to Data Protection Laws. We may transfer Personal Data to countries that have been formally deemed adequate under Data Protection Laws, without putting in place additional safeguards and protections.
Rights
Where GSS has received Personal Data from another source
As set out in this Privacy Notice, GSS obtains Personal Data from a variety of sources. If you wish to find out more of the Personal Data held about you by a specific organisation or official government body, how and why the Process your Personal Data or if you wish to exercise your statutory rights, please see our Processor Data Protection Policy which provides further details on who those organisations may be and, where possible, how to contact them.
GSS as a data Controller for GSS Purposes
Subject to certain exceptions and exemptions, and where applicable, you may have the following rights under Data Protection Laws, in respect of your Personal Data:
| Right to Access | You may have rights under Data Protection Laws to have access to your information and to ask us to rectify, erase and restrict use of your Personal Data. You may also have rights to object to your information being used and to withdraw consent to the use of your information. Further information on how to exercise your rights is set out below. |
| Right of subject access | The right to make a written request for details of your Personal Data and a copy of Personal Data we hold about you. |
| Right to rectification | The right to have inaccurate information about you corrected or removed. |
| Right to erasure (‘right to be forgotten’) | The right to have certain Personal Data about you erased. |
| Right to restrict Processing | The right to request that your Personal Data is only used for restricted purposes. |
| Right to object | The right to object to Processing of your Personal Data in cases where our Processing is based on the performance of a task carried out in the public interest or we have let you know the Processing is necessary for our or a third party’s legitimate interest. |
| Right to withdraw consent | The right to withdraw your consent, where the lawful basis for Processing your Personal Data was based on consent. |
We do not make a charge where you wish to exercise any of your rights, but we will ask for information to verify your identity. This is to safeguard your own privacy. Any identification evidence that you provide will only be used to verify your identity for the purpose of your requests.
There are limits to the rights that you have in relation to your Personal Data and in certain circumstances we may not be required or able to meet your request, or we may meet your request in part only. Where this occurs, we will provide you with an explanation of the legitimate basis on which we are unable or not required to meet your request.
Contacting us
If you would like to know more about how we Process your Personal Data, your rights as a data subject, reasons we are using your Personal Data, or if you are unhappy with the Processing of your Personal Data, please contact us in writing at the Data Privacy Office, GSS UK Services Limited, 1-3 Fredericks Place, London, EC2R 8AE United Kingdom. or by sending an email to privacy@gss-rose.com.
ICO details (UK)
If you remain dissatisfied with the way we are handling your Personal Data or with the way we have dealt with your concerns, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can contact the ICO at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Helpline number: 0303 123 1113 You can also visit the UK ICO website.
Irish DPC details (EU)
You may direct your questions or complaints to the Data Protection Commission in Ireland, which is our lead supervisory authority at, Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, DO2 RD28, Ireland.
Helpline number: +353 578 684 800 You can also visit the Irish DPC website.
Changes to this Privacy Notice
GSS may update this Privacy Notice from time to time which will be indicated by changing the date at the top of the Notice.
Glossary of Terms
| Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State or UK law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law |
| FI | Financial Institution(s) |
| GDPR | Both UK and EU GDPR |
| GSS User | Financial Institutions |
| GSS Purposes | GSS processing activities as set out in the GSS Privacy Notice |
| GSS Screening Services | Facilitation and assistance provided to GSS Users to undertake screening checks |
| Personal Data | means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| Processing | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Processor | means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller |
[1] References to GDPR include both EU and UK GDPR
