The Refinitiv Red Flag Group privacy statement

On 25 May 2018, the General Data Protection Regulation (“GDPR”) came into effect in the European Union, replacing the Data Protection Directive 95/46/EC. The GDPR significantly increases the rights of individuals in relation to the protection of their personal data. It also increases the responsibilities of organisations that control and process personal data, and substantially increases the penalties for non-compliance.

We have always appreciated the importance of data privacy to both our clients and to individual data subjects. Information security and data privacy have long been a key focus of ours, and many of the new obligations imposed on data processors under the GDPR reflect practices that we have followed for many years.

We welcome the GDPR, as it provides clarity and promotes consistency for the protection of personal data. It requires organisations that control and handle personal data to do so in a manner which is transparent and preserves the rights of the individual. We have recently amended this Privacy Statement to address the new requirements of the GDPR, including:

• Establishing the legal bases on which we process your personal data.
• Advising European data subjects about how they may lodge a complaint with the relevant supervisory authority.
• Clarifying that we do not knowingly process personal data of children under 16 years of age; and
• Generally giving more information about the type of personal data we collect, why we collect it, who we transfer it to, and outlining individuals’ rights in relation to the personal data in our possession.

We are also firmly committed to offering our clients the tools and solutions they need to ensure that their use of our services satisfies their obligations under the GDPR. One solution we have developed is a Data Protection Addendum, which specifically addresses all requirements of data processors set out under the GDPR. This Data Protection Addendum also incorporates the European Commission’s Model Contract Clauses, to provide a legitimate mechanism for the transfer of personal data outside the European Economic Area. To obtain a copy of this Data Protection Addendum, please ask your Business Development Director or contact our Data Protection Officer at privacy@redflaggroup.com.

This statement covers all types of personal data that RFG holds. This may be data that we hold in our capacity as a 'controller', which may include:

• Individuals and companies identified via a government issued list or media reports that may be of interest to RFG’s clients;
• Contact persons within our actual or potential client organisations; or
• Individuals that have listened to our webinars, attended our events or subscribed to our mailing lists.

This data may also be that which we hold in our capacity as a 'processor', which may include:

• Actual clients and their employees; or
• Partners of clients who are involved with our clients’ compliance programmes and their employees.

NOTE: A ‘controller’ is an organisation which determines the purposes for which personal data is to be processed. This is contrasted with ‘processors’, which process personal data on behalf of ‘controllers’, and only in accordance with the controller’s instructions.

As a global company, RFG collects personal data from many geographical regions and sources. Our policy is to comply with all legislation, using an overarching set of principles to guide us, which we set out in further detail below. 

1. Notice: Where it is our responsibility under applicable law, we notify individuals about the purposes for which we collect and use information about them. This includes information about how individuals can contact us with any inquiries or complaints, the types of third parties to which we disclose the information and the choices and means we offer for limiting its use and disclosure.

2. Choice: Where we hold personal data as a controller, and where required by applicable law, we give individuals the opportunity to choose whether certain technologies are used (i.e. cookies) and whether their personal data will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected. Where we hold personal data as a processor on behalf of a client, we ensure that the personal data is secure and processed in accordance with the instructions of our client.

3. Onward Transfer (Transfers to Third Parties): Other than onward transfer to clients (as discussed in this statement), and other than as described in this Policy, RFG does not share, sell, rent, or trade personal data with third parties in any way. We may share the personal data you provide to us with business partners for services such as a hosting or conducting due diligence investigations. These service providers only use the personal data on behalf of us. We may also disclose personal data as required or permitted by law, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law-enforcement request, or other legal process.

4. Access: Where we hold personal data as a controller and where required by applicable law, we provide the ability for individuals to correct, amend, access or delete personal data held about them where it is inaccurate. You may correct, amend or delete your information by contacting us at privacy@redflaggroup.com. We will respond to your request within a reasonable timeframe. We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information for as long as reasonably necessary for the purpose(s) for which the information was collected.

5. Security: We take reasonable organisational, technical, administrative and physical steps to protect against unauthorised access to and disclosure of personal data, which may include: 

• Security policies. Designing and supporting our products and services according to documented security policies and international standards. Annually assessing our policy compliance and making necessary improvements to our policies and practices.
• Employee training and responsibilities. Taking certain steps to reduce the risks of human error, theft, fraud, and misuse of our facilities. Training our personnel on our privacy and security policies. Requiring our employees to sign confidentiality agreements. Assigning to an individual the responsibility to manage our information security program.
• Access control. Limiting access to information to only those individuals who have an authorized purpose for accessing that information. Terminating those access privileges following job change or termination.
• Data encryption. Ensuring that all electronic transfers of information (including sensitive information such as your login information) are done through encrypted connections via SSL encryption and storing all data is stored on encrypted servers.
• Review of Vendors. Internal due diligence procedures to review the vendors we select and use.

No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our Web site, you can contact us at privacy@redflaggroup.com.

6. Data integrity: We take reasonable steps to ensure that data we collect is reliable for its intended use, accurate, complete, and current. We do not process personal data in any way that is incompatible or inconsistent with the purpose for which such information was collected.

7. Enforcement: We have in place a readily available and affordable independent recourse mechanism so that any complaints and disputes can be investigated and resolved, and damages awarded where the applicable law or private sector initiatives so provide. The Red Flag Group has committed to voluntarily and periodically reviewing our privacy and security practices to verify that we are meeting our obligations.

We may collect, use, store and transfer the following kinds of personal data:

• Identity Data, including first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, nationality, educational records, job title, employment history, business activities, credit history, passport number, national identification number, vehicle registration number, driver’s licence number, information on compliance indiscretions, details regarding whether data subjects are on watch lists or sanctions lists or are politically exposed, criminal records.
• Contact Data including billing address, delivery address, email address and telephone numbers.
• Financial Data including bank account, payment card details and other financial information.
• Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
• Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
• Profile Data including your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
• Usage Data including information about how you use our website, products and services.
• Marketing and Communications Data including your preferences in receiving marketing from us and our third parties and your communication preferences.

We do not collect any ‘special categories’ of personal data, such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

For the purposes of communication and marketing, RFG collects information directly from you, through automated technologies or interactions, and from third parties.

You may give us your information directly, by purchasing our products and services, creating an account on our website, registering for conferences or webinars, subscribing to our services and notifications, requesting marketing information, or providing us with feedback.

We also gather certain information automatically from our website and store it in log files. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. In order to send you push-notifications (for reasons described in more detail below), we will need to collect certain information about your device such as operating system and user identification information.

We may also collect information about you from time to time through our analytics partners, advertising networks, search information providers, channel partners and organisers of events that we partner with.

The personal data we collect may be used to:

• Register you as a customer or as an attendee to a webinar or other event.
• Accept, process and deliver an order for our products or services.
• Issue invoices and collect fees.
• Send you newsletters as part of a regular service.
• Respond to your questions and concerns when you use our ‘contact us’ form.
• Improve the contents of our website and marketing efforts.
• Conduct research and analysis.
• Display content based upon your interests; and
• Allow you to subscribe to our announcements, events, or magazines (including sending you push notifications).

Where we process your personal data to register you as a customer, accept your orders and deliver goods and services to you, we do so on the basis that it is necessary to perform our obligations under contract with you. It may also be necessary to comply with certain legal obligations.

Where we process your personal data for the purpose of collection of fees, we do so on the basis that it is necessary to perform our obligations under contract with you. Such processing is also necessary for our legitimate interests, in ensuring that we can recover money that is owed to us.

Where we process your personal data to send you newsletters, respond to your questions, improve the contents of our website and marketing efforts, conduct research and analysis and display content based on your interests, we do so on the basis that it is necessary for our legitimate business interests. These interests include the interests of ensuring our clients receive premium service, growing our business to best satisfy changing market needs, and ensuring continual improvements to our suite of product and services.

Where we process your personal data to allow you to subscribe to our announcements, events or magazines, we do so on the basis that you have provided an explicit and specific consent for us to do so.  

You may choose to stop receiving our newsletter or marketing emails by following the unsubscribe instructions included in these emails or you can contact us at marketing@redflaggroup.com. If you no longer wish to receive push-notifications, you may turn them off at the device level.

You may receive information about the data collected on you personally by contacting privacy@redflaggroup.com. If the data is incorrect you have the right to ask that it is updated.

On our website we use cookies which, for example, make it easier for you to navigate our site and store your password and email address, so you do not have to enter it more than once. We will explicitly request your consent to use cookies on our site. Cookies are also used to collect general usage and volume statistical. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited.

RFG and our partners, affiliates, or analytics or service providers also use technologies to analyse trends, administer the site, track users’ movements around the site and gather demographic information about our user base as a whole. These technologies may include, but are not limited to, cookies, beacons, tags, and scripts.  We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

We partner with a third party to either display advertising on our Web site or to manage our advertising on other sites. Our third party-partner may use technologies such as cookies to gather information about your activities on this site and other sites in order to provide you advertising based upon your browsing activities and interests.  If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by using a third-party tool such as the Digital Advertising Alliance’s self-regulatory opt-out (http://optout.aboutads.info/) or the Network Advertising Initiative’s self-regulatory opt-out (http://optout.networkadvertising.org/).

Where our site includes links to other websites the privacy practices may differ from our own. If you submit personal data to any of those sites, your information is governed by their privacy statements. We encourage you to carefully read the privacy statement of any website you visit.

Our site may also include Social Media Features, such as the Facebook and Twitter buttons and Widgets, such as the Share this button or interactive mini-programs that run on our site. These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Site. Your interactions with these Features are governed by the privacy policy of the company providing it.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.

To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

We also use the information collected to maintain and upgrade our system. Our technical staff may require periodic access to services data to monitor system performance, test systems, and develop and implement upgrades to systems. This services data generally does not include your personal data. Any temporary copies of services data created as a necessary part of this process are only maintained for time periods relevant to those purposes.

If you either work for a client of RFG who has purchased one or more of our proprietary software-as-a-service products:

• The Compliance Desktop® technology platform.
• The Supplier Integrity® Supplier Management Platform.

(which are each jointly and separately called the “Hosted Services”) or you work as a partner of such a client, information about you may be held in the platforms underpinning the Hosted Services. In each case, the client who has purchased access is the controller of your data and RFG is the processor. We process this personal data on the basis that it is necessary to perform our obligations under contract with our client.

It is the responsibility of the client company to request your consent to the information being stored and to inform you of their intentions to use the data and your rights.

Depending on your relationship with the client, the information collected may include:

• Your name,
• Your password,
• Your role and title,
• Descriptions of your relationship with the client, such as conflicts of interest or gifts,
• Information about policies you have read or training you have taken (including the results of the training);
• The answers you have given any questions the client has asked you in a questionnaire,
• The results of due diligence reports which have been collated by RFG or other providers, and
• Details regarding an alleged incident regarding serious misconduct, and the investigations involving such incident.

As processor of your data, RFG does not use the information except in the case where we have been asked by our client to provide support or advice or to maintain and upgrade a system. For support or maintenance, our technical staff may require periodic access to services data to monitor system performance, test systems, and develop and implement upgrades to systems. We may also access information in an aggregate form for statistical analysis and capacity management. RFG may transfer personal data to companies that help us provide our service. Transfers to subsequent third parties are covered by the provisions in this Privacy Statement regarding notice and choice and the service agreements with our clients.

Requests for access, changes or deletion to the information collected about you should be made to the client who has purchased the Hosted Services. If you are unsure of who to contact at the client, you may contact us at privacy@redflaggroup.com. If the client requests RFG to remove the data, we will respond to their request as soon as reasonably practicable, but no later than 30 days.

RFG will retain information we process on behalf of our clients for as long as needed to provide the Hosted Services to our Client. RFG will retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

As part of our business to help clients select ethical and trustworthy partners, we are often requested by clients to investigate and compile reports about people and companies which our clients may want to do work with. We also conduct research on current or prospective employees of clients.

It is the responsibility of the client company to request your consent for your personal data to be collected, analysed, and stored to inform you of their intentions with regards to such personal data and about your rights. In certain situations, your consent will not be sought prior to an investigation for example where the processing is necessary for the legitimate interests of the company such as there are reasons of confidentiality or ethics.

Depending on the circumstances, our integrity Due Diligence reports may contain some or all of the following types of information about subject individuals and companies:

• Names.
• Addresses of subjects, including at time photographs.
• Corporate registry information detailing ownership and directorship of companies.
• Media reports including translations and summaries.
• Social media reviews including translations and summaries.
• Transcripts of interviews discussing the reputation of subject companies and individuals.

In addition some reports may contain information of a sensitive nature such as:

• Criminal and bankruptcy records where this information is available from a government agency.
• Media reports of criminal or other court proceedings.
• Educational background.
• Identifying numbers such as passport, driving license or other ID which is used to confirm the identity of subjects.

Our reports may also contain our opinion and analysis the reputation of the subject company.

The information we collect and organise in our reports is used to help clients when making decisions about the reputation and ethical standards of a partner who they currently or potentially may do business with (or a future or current employee). The information by itself does not form part of an automated review, but is typically used in conjunction with other business related criteria to form a decision.

We process this personal data on the basis that it is necessary to perform our obligations under contract with our client. We also process this personal data on the basis that it is necessary for the legitimate public interest of allowing individuals and organisations to accurately evaluate the risks of doing business with certain third parties. This processing is also necessary to comply with laws, such as the Foreign Corrupt Practices Act 1977.

We may re-use publicly available personal data for the purposes of providing other clients with compliance and corporate governance services and products. However, for the avoidance of doubt, we will never use non-publicly available data that has been provided by a client for any purpose other than the purpose that it was given to us.

Our IntegraWatch® service collects data about individuals and companies which may be of interest to our clients. We source this information from government produced lists (such as Sanctions lists) and open source media research.

The data may contain some or all of the following types of information about subject individuals and companies – Names, Registration ID numbers, and Media reports of regulatory, bankruptcy, criminal or other court proceedings and company ownership details. This information is stored in a database and provided to clients to screen potential partners.

We collect this information on the basis that it is necessary for the legitimate public interest of allowing individuals and organisations to accurately evaluate of the risks of doing business with certain third parties. This processing is also necessary to comply with laws, such as the Foreign Corrupt Practices Act 1977

We will share your personal data with third parties only in the ways that are described in this privacy policy.

In the interests of us further enhancing our services, RFG may share personal data collected for sales and marketing purposes with industry organisations (such as those organisations dedicated to thought leadership in compliance and ethics). In those cases, RFG may provide these organisations with your personal data to alert you to seminars or events which may be of interest to you. RFG will not disclose any personal data to industry organisations unless those organisations exhibit privacy and data protection standards on par with those of RFG. We will only provide your personal data to third parties for sales and marketing purposes if you have given us your explicit and specific consent to do so. If you wish to withdraw your consent, please email us at privacy@redflaggroup.com. 

In the ordinary course of our business, we work closely with our affiliate companies and with a trusted network of third-party business partners. These affiliates and business partners provide a variety of services, including:

• Information collection and analysis.
• Hosting services.
• Support, maintenance and other IT services.
• Analytics and measurement services.
• Internet and social media services.
• Recruitment services.
• Business advisory and management consulting services and
• Marketing and advertising services.

Our affiliates are all governed by the terms set out in this Privacy Statement. We will only share your personal data with business partners that can provide the same degree of security and protection that we do. Our business partners will only process your personal data in accordance with our instructions, for the purposes and the legal bases identified in this Privacy Statement.

Circumstances may arise where for strategic or other business reasons RFG decides to sell, buy, merge or otherwise reorganize businesses in some countries. Such a transaction may involve the disclosure of personal data to prospective or actual purchasers or receiving it from sellers. It is RFG’s practice to seek appropriate protection for personal data in these types of transactions. You will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

We may disclose personal data if required to do so by law or in the good-faith belief that such action is necessary to comply with legal requirements or with legal process served on us, to protect and defend our rights or property, or in urgent circumstances to protect the personal safety of any individual, including requests from national security agencies or law enforcement.

As a global company, RFG may need to transfer your personal data out of the country in which it was originally collected. For personal data collected in the European Economic Area (“EEA”), this may mean transfers outside the EEA.

We will only transfer personal data out of the EEA under the following circumstances:

• Where the recipient is located in a country that has been deemed to adequately safeguard the personal data by the European Commission; or
• Where the recipient has entered into a contract with us, which contains clauses approved by the European Commission to offer the personal data the same degree of protection it has in the EEA; or
• For recipients located in the United States, where the recipient is registered under the Privacy Shield framework.

For more information about this section, please contact us at privacy@redflaggroup.com.

The GDPR establishes certain rights of individuals in relation to their personal data. These rights (as limited under law) include:

• The right to request access to the personal data that we hold about you.
• The right to have us correct and update your personal data where it is inaccurate or incomplete.
• The right to have us delete your personal data.
• The right to object to our processing of your personal data.
• The right to ask us to restrict the processing of your personal data.
• The right to ask that we transfer your personal data.
• The right to withdraw consent to our processing of your personal data.

To find out more, and to exercise your rights under the GDPR, please contact us at privacy@redflaggroup.com.

Should you have comments or questions about this statement, you may contact our Data Protection Officer by email at: privacy@redflaggroup.com.

You may also contact our Data Protection Officer via postal mail at the following address:

Attention: Data Protection Officer

The Red Flag Group (HK) Limited
21/ F Cityplaza Three 
14 Taikoo Wan Road
Taikoo, Hong Kong

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.