Client Personnel Privacy Notice
Gara Strategic Advisory LLP and affiliates ("Gara Strategic", "we", "our" or "us") respect the privacy of the individuals whose personal data we collect ("you" or "your").
This privacy notice (the "Privacy Notice") provides information, for the purposes of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as it forms part of domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the UK Data Protection Act 2018 ("DPA") and other applicable national data protection laws, concerning how Gara Strategic processes and protects your personal data that we may receive as part of your registering and interactions with Gara Strategic.
The terms "controller", "processor", "data subject", "personal data", "process", "processes", and "processing" used in this Privacy Notice have the meanings given to them in the UK GDPR.
This notice applies to the current, prospective and former beneficial owners, officers, and employees in positions of senior management, as well as their family members ("you", "your" or "data subject") of the companies with whom Gara Strategic is in, or is proposing to enter into, a contractual relationship to assist with strategic advisory services ("Client").
Controllership
Gara Strategic is an independent 'controller' in respect of its processing of your personal data. We are responsible for ensuring that we hold and use your personal data in compliance with the UK GDPR and the DPA and other applicable national data protection laws.
Who do we collect personal data from?
We may collect personal data from the following persons / sources:
- Clients, including but not limited to sources such as their websites and other documentation (both external public information, and internal documents provided by the Clients to us);
- Regulators and government bodies: regulators and government bodies, as well as officers, directors, employees, advisors, intermediaries and other representatives of the same; and [Could be relevant depending on the nature of the business?]
- Publicly accessible sources, such as [sanctions lists and assume N/A given no AML DD requirements] LinkedIn [and other business related public databases – anything else we want to specifically call out?].
The personal data that we collect about you
- Identifiers: for example, name, postal address, email address;
- Professional or work-related information: your professional role, occupational history, business relationship with Gara Strategic (including notes of our interactions with you and correspondence) [and background and interests], [and any other personal data which may be incidentally processed if you contact us].
[I’ve omitted equivalent paragraphs on PEPs, AML, Terrorist financing and Sanction on the basis we’re not collecting any of that as part of an AML DD process]
The purposes for processing your personal data
We process your personnel data solely as we consider this necessary for the purpose of providing our strategic advisory services to our Clients. Recording our interactions is necessary to ensure we are able to provide an appropriate level of service to our Clients and for risk management purposes, including to enable us to manage any legal claims against Gara Strategic and for the protection of Gara Strategic’s business reputation and assets.
We do not share your personal data with any other organisations other than with our technology suppliers or as required by law – for example, by court order, or to prevent fraud or other crime.
What is the legal basis of the processing?
When we process your personal data, we may rely on:
Article 6(1)(b) UK GDPR to the extent processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into such a contract. ]. [Will we ever have a contract where the data subject (i.e. the individual) is a party?]
Article 6(1)(c) UK GDPR to the extent processing is necessary for compliance with a legal obligation to which Gara Strategic is subject.
Article 6(1)(f) UK GDPR to the extent such processing is necessary for the purposes of the legitimate interests we pursue to the extent we have concluded that our processing is not overridden by yours interests or fundamental rights or freedoms that require the protection of personal data.
Article 4(11) and Article 7 UK GDPR where we have obtained your consent to the relevant processing activity (NB – we will not generally rely on this processing ground where we are able to rely on another processing ground instead).
Who will your personal data be shared with? Who are the recipients of your personal data?
We may share your personal data with legal or other professional advisors and with regulators, prosecutors and law enforcement authorities which regulate us and persons to whom we are required by law or lawful order, instruction or direction to disclose your personal data. We may also share your personal data with our affiliates.Any such transfers will be in compliance with our obligations as a controller under the UK GDPR, the DPA and other applicable national data protection laws. Some of these persons may process your personal data in accordance with our instructions and others will themselves be responsible for their use of your personal data. [Note there are rules as to the contractual arrangements we must have in place if we engage a third party to process personal data on our behalf]
[The disclosures described in this Privacy Notice may involve transferring your personal data to countries outside the UK and EEA which may not have similarly strict data privacy laws. When this occurs, we will ensure that any such transfers are carried out in compliance with applicable law, including, where necessary, being governed by data transfer agreements designed to ensure that your personal data is protected, on terms approved for this purpose by the UK or EU. ]. [I assume this won’t be relevant, provided Capsule does not host our data outside the UK – data transfers is a bit of a minefield]
We will never sell your personal data and in all cases, Gara Strategic will ensure that your personal data is only disclosed for the purposes set out above and in compliance with applicable data protection laws.
Retention and deletion of your personal data
We intend to keep your personal data accurate and up to date and, as a general principle, we do not retain your personal data for longer than we need it. We will delete or anonymise any information that we hold about you when it is no longer required for the purposes set out above, or where longer, such period as is required or permitted by law or regulatory obligations which apply to us. [Specific information about our record retention policies is available on request. Please contact us (see below).] [To assess whether we need this]
Automated decision-making techniques (including profiling)
We do not envisage your personal data will undergo any automated decision making.
Your rights in relation to your personal data.
The UK GDPR and other applicable laws provide you (as the data subject) a number of absolute or qualified legal rights in relation to the processing of your personal data. These rights include:
- the right to know what personal data we process and a right of access to such personal data;
- the right to request any incomplete or inaccurate personal data to be corrected;
- the right to object to our processing of your personal data; the right to require us to delete your personal data in some limited circumstances;
- the right to object to our processing of some or all of your personal data on grounds relating to your particular situation which are based on legitimate interests, at any time (and require such personal data to be deleted). If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or where it is necessary for the establishment, exercise or defence of legal claims; and
- a "data portability" right to require us to transfer your personal data to you or to a new service provider in a structured, commonly used and machine-readable format.
We review and verify data protection rights requests. We apply non-discriminatory principles when we action requests relating to your data, in accordance with applicable data protection laws and principles. We exercise particular care when receiving a request to exercise these rights on your behalf by a third party. We will ensure that the third party is correctly authorised by you to receive the requested information on your behalf.
If you wish to exercise any of the rights referred to above, please contact us using the details set out under "Contacting Us" below. You can also lodge a complaint about our processing of your personal information with the office of the UK Information Commissioner (http://www.ico.gov.uk/).
When exercising any of these rights, we may request specific information from you to prove your identity to our satisfaction so that we can safeguard your personal data from unauthorised access by someone impersonating you. [Please note that due to the pseudonymised nature of the personal data we receive about you, it may not be possible for us to identify your personal data in the dataset in order to comply with your request.] [To assess if we need this]
Contacting Us
If you would like further information on the collection, use, disclosure, transfer or processing of your personal data, or to exercise of any of the rights listed above, please address questions, comments and requests to [our Data Protection Officer] [TBC whether we need a DPO and, if so, who will perform this role] at [privacy@garastrategic.com]. [We’ll need to create this email address, unless we just use an info@ address]
Changes to this policy
Any changes we make to this Privacy Notice in the future will be posted to our website at [include link to website].
This Privacy Notice was last updated on [___________] 2024.