TSG Data Privacy – Notice
The Search Group Ltd (TSG), a company incorporated in Hong Kong with a branch in Belgrade, is a research and risk management service provider with global reach, but with expertise in Central and Eastern Europe and East Asia.
In the course of business, we collect information about people and organisations. This Data Privacy Notice is issued on behalf of TSG and its branch office. Our main supervisory authorites for data privacy are:
- Office for the Privacy Commissioner for Personal Data Hong Kong
- Commissioner for Information of Public Importance and Protection of Personal Data (DPA) – Serbia
As a matter of policy TSG seeks to comply with all laws and regulations in any part of the world where it either collects, controls, or processes data. This includes taking all reasonable steps to ensure that the data we hold is complete, accurate, and up to date. We do not use data in any way that is incompatible with the purpose for which it was collected. It also includes making all efforts to ensure the data is secure and having timely reporting mechanisms in place for any breaches of data security.
This notice applies to all types of personal data collected, controlled or processed by TSG anywhere in the world.
Information collected by TSG
TSG only collects information in compliance with relevant laws.
TSG holds information in our capacity as a data controller (as defined by the General Data Protection Regulation – GDPR) on:
- Contact persons within our client organisations
- Contact persons within organisations with whom we have an association
- Business partners, including our contractors, human sources, advisors and content providers
- Individuals who have contacted us via our website
TSG holds information in its capacity as a data processor (as defined by the General Data Protection Regulation – GDPR) on:
- On third parties to fulfil a number of (mostly legally mandated) functions on behalf of our clients
As a data processor TSG processes data only in accordance with instructions given to us by data controllers (usually our clients). The terms of the processing will be contained in contracts and agreements between TSG and its clients.
As a data controller TSG may hold some or all of the following personal information:
- Personal identifiers – name, employment and position, nationality, identity document, address, photographic images, and social media labels
- Contact details: telephone numbers, employment address, billing address, email addresses and other social media contact details.
- Profile data: username, passwords or other information required for controlling access to TSG’s information technology
- Financial information: bank account details (for payments by TSG to the data subject), details of payments made, and of financial transactions between TSG and the data subject.
- Transactional data: details of work performed, or products and services sold or purchased by the data subject
In determining whether to enter into any business relationship, partnership, or association TSG will conduct due diligence on relevant parties. As a result, TSG may collect and control the following types of information:
- Personal identifiers – including names, dates of birth, places of birth, nationalities, addresses, etc.
- Business affiliations – directorships, ownership of businesses, shareholdings, trusteeships, etc.
- Business activities and previous employment
- Qualifications and educational background
- Skills and experience
- Financial data
- Information concerning reputation, reports in the media, etc.
- Legal processes related to the data subject, such as litigation, bankruptcy notices, criminal proceedings, etc.
- Political offices held
- Any other information in the public domain or otherwise that would help an assessment of the value or probity of the data subjects
How does TSG use information it controls or processes?
TSG will only use information in ways that are lawful. Where necessary this means where TSG has the consent of the data subject.
In respect of data TSG controls, TSG holds subject data for the following reasons:
- To allow TSG to fulfil its legal contractual obligations to the data subject
- To ensure the data subject fulfills its legal contractual obligations to TSG
- To facilitate consultation with relevant parties on services and products
- To assist TSG fulfil its own policies and legal obligations in respect of conflicts of interest, anti-bribery laws, etc.
- To allow resolution of legal disputes or corrections to, or updating of, data.
In respect of third-party data TSG processes under contract to, and on behalf of clients, the processing will only be for lawful reasons. However, it is our client’s obligation to seek the data subject’s consent to collect, control and process relevant data, and to inform the data subject of the purpose of collection/processing, where legally obliged to do so.
Reasons why our clients may seek TSG’s services to process information / data may include:
- To fulfill legal obligations to conduct due diligence
- To facilitate the management of the client’s risk
- To trace assets over which the client (or an interested party) has a lien, or a legitimate reason for pursuing those assets
- To assist with litigation
TSG creates reports which it delivers to clients. Reports will usually contain the following sets of information:
- Corporate filings
- Individual identifiers
- Media and social media reports or summaries
These reports often contain sensitive data on data subjects, including:
- Criminal records
- Bankruptcy records
- Media reports of misconduct or allegations which could be damaging to reputations
- Transcripts of interviews conducted
- Opinion and analysis on the data subjects
TSG may re-use publicly available personal data for the purposes of providing other clients with the same services but will never re-use non-publicly available information or data for any purpose other than that for which it was originally collected.
In any case TSG does not use information on data subjects in any way that would identify the data subjects in the following circumstances:
- When marketing its products
- When developing products and services
- When sharing metrics with organisations having a legitimate interest in such metrics for the purposes of risk analysis or research.
TSG does not make automated decisions about data subjects of any sort. Where data is stored or processed electronically, or subject to some form of modelling to assist decision making, there will always be points in the process in which human intervention and direction is required.
If you have any questions regarding the level of automation, or how decisions are reached, you may contact TSG’s DPO (please see below).
TSG tracks and records the work it has completed for its clients in order to protect its own legitimate interests. Records are kept in compliance with the regulations and principles of GDPR.
Any party wishing to make a data request under GDPR may contact TSG’s DPO (please see below).
With whom can information be shared by TSG?
TSG only shares information on data subjects where it has a lawful reason to do so.
Situations in which, and parties with whom TSG may share data subject information (including identifying information) includes:
- TSG’s clients, where TSG has been commissioned under a lawful contract to perform research on behalf of the client
- TSG entities (i.e. the Hong Kong and Belgrade offices) where TSG has been commissioned under a lawful contract to perform research on behalf of the client, or for any other lawful purpose
- TSG sub-contractors, consultants or agents where TSG has been commissioned under a lawful contract to perform research on behalf of the client, or for any other lawful purpose
- Government authorities where a lawful request for such information has been made, or where TSG has a legal obligation to do so without such a request.
- The data subject where a request has been pursuant to GDPR
- Other parties where we have asked for permission from the data subject to share information and have received permission.
Transferring information overseas
Data subject identifying Information that is subject to the rulings of GDPR may be stored in locations outside the European Economic Area (EEA).
Where such information is transferred to or stored in a non-EEA location TSG ensures that maintains the same levels of protection as any data stored within the EEA, and that any movement of the information is lawful.
Such transfers or storage may be necessary for the following reasons:
- To fulfil TSG’s legitimate contracts with its clients
- To fulfil a legal or regulatory obligation, or where compelled by a legally authorized, competent and relevant authority
- Where there is a legitimate public interest
- Where the data subject requests
Where TSG is sharing identifying data TSG will only transfer data out of the EEA where the recipient is located in a country deemed by the European Commission to adequately safeguard information, or where the recipient has entered into a contract with TSG which contains clauses acceptable to the European Commission protecting personal data to the same degree of protection as provided by the EEA. In addition to this TSG will transfer data to recipients in the USA covered by the Privacy Shield Framework.
Information that has been anonymized and which is also subject to the rulings of GDPR, may also be stored or transferred outside the EEA. In such circumstances such information will be subject to exactly the same protections as data subject identifying data.
How long does TSG keep information?
Data subject rights
Under GDPR data subjects have a number of rights in respect of their personal data which has been collected, processed and stored.
These rights include:
- The right of access to information held about the data subject
- The right to know how that information has been, or is being processed
- In some circumstances the right to object to processing the subject’s information and to request cessation of the processing of such information / data.
- In some circumstances the right to receive information TSG has processed on the data subject in electronic format, and to ask TSG to forward the information to a third party
- The right to seek TSG’s rectification any data that is deemed to be inaccurate, or incomplete.
- In some cases, the right to request TSG to erase personal data / information (the right to be forgotten).
In order to exercise these rights relevant parties must call the TSG DPO (please see below).
How TSG keeps information secure
TSG uses a range of measures to keep its information and data secure. These include technical measures aimed at the platforms we use to store and process data, as well as human measures, to ensure that the conduct of those handling data is of the highest standards.
A few of the measures are outlined here:
- TSG only processes and stores information on platforms with the highest standards of encryption, and which are reputable.
- TSG only communicates using secure channels
- TSG requires any contractors, agents or partners with whom it shares information to have equivalent standards of data protection
- TSG vets its staff rigorously before employment
- Within TSG information is as far as possible available only on a need to know basis
- TSG contractors, agents or partners are also subject to intensive scrutiny before being entrusted with information. As well as vetting, TSG trains those processing TSG data, and requires the execution of legally binding NDAs.
- TSG staff are trained at appropriate intervals on data and information handling.
TSG lives by its reputation as a safe and secure company with which to do business. Confidentiality is, therefore, at the heart of everything TSG does.
Where to get more details about your information
If you would like more information on any matter referred to in this notice, or would like to exercise any of the rights set out in this notice, and in accordance with GDPR, you may contact us at firstname.lastname@example.org