1. Introduction
GRSS Limited is committed to safeguarding the privacy and security of the personal information in our care and respecting all applicable laws and requirements in the countries in which we operate. This privacy policy (“policy”) explains how we collect your personal information, what we do with it, how we protect it and your rights in respect of it.
All references in this policy to ‘we’, ‘our’, ‘us’ or ‘GRSS’ are to GRSS Limited, a limited liability company established under English law and all affiliates or subsidiaries.
2. Relevant legislation
We are required in the jurisdictions in which we operate to comply with relevant legislation regarding the use of personal information including the UK General Data Protection Regulation and the EU General Data Protection Regulation (together for the purposes of this policy “GDPR”) and related privacy laws when we are the controller or processor of such information. For the purposes of our obligations under the GDPR, “personal information” means information relating to an identified or identifiable person who is a resident of the United Kingdom or European Union.
3. The role of GRSS
In relation to the roles and responsibilities established under relevant data privacy and security laws, GRSS acts as the data controller of any personal information that we process. As a data controller we are legally responsible for ensuring our systems, processes, suppliers and employees comply with data protection laws in relation to the personal information that we handle. Our IT systems are located in the UK or EU.
Where we transfer your personal data to third parties, in certain circumstances those third parties may also be data controllers. In all cases, your personal information is handled and protected in accordance with data protection law.
Written terms of business, forming part of each of our contracts to deliver Services, may supplement this policy by providing further details on our confidentiality obligations to our clients during and beyond the course of our engagement.
3. Who do we process personal information for
We collect and process the personal information of:
- Our clients
- Counterparties and other third parties of our clients connected to the matters on which we are working for our clients
- Non-client contacts, such as those who use our website, attend our seminars or other events, subscribe to our newsletters, email services or other promotional services
- Professional advisers, experts and consultants involved in the work that we carry out for our clients or engaged by us to support client work
- Contractors, suppliers and other third parties connected to the operation of our services
4. Why do we process personal information
We will only collect and process information where it is necessary for the operation of our business. This will arise in the following situations:
- Where the processing is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract
- Where the processing is necessary for our legitimate business interests in conducting and managing our business. When considering our legitimate interests, we must take account of what is reasonable for the running of our business, but which is not detrimental to you and would have minimal impact on your privacy. Examples of legitimate interest include:
  - To provide the products or perform the services requested by clients and individuals pursuant to a letter of engagement, statement of work, or similar
  - To provide the products or perform the services requested by clients and individuals using our website
  - Where permitted by applicable law, to advise you through e-mail, phone call, or post about other products or services similar to the products or services we have provided to you and that we think will be of interest to you
  - For complying with obligations provided by laws, current regulations and legislation (e.g. tax regulations, anti-money laundering regulations)
  - For hosting of events such as seminars or webinars. We may use your data to manage your registration to a GRSS event, including sharing data with event co-hosts and tracking and facilitating event attendance.
5. The personal information we collect
We may collect personal information directly from you, including through your use of the website, when you contact us or request information from us by email, telephone, post or social media, when you apply for an employment opportunity with GRSS, when you request a proposal from us in respect of the services we provide, when you engage us for services, when an entity with which you are associated as an employee or officer provides us with such information, or as a result of your attendance at one of our events.
We may also collect personal information from publicly available sources including social media sites, and/or from third parties, such as companies operating public relations or business development databases. We may use this information in connection with our marketing activities.
The information we collect typically consists of your contact information, including your name, address, business affiliation, business title, email address, and telephone number.
We also may obtain personal information indirectly from or on behalf of our clients. With respect to personal information that we receive from or on behalf of our clients in order to provide services, our client remains the data controller and GRSS acts as a processor of such personal information.
6. Processing of personal data
Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and in compliance with current regulations. We permit only authorised GRSS employees and contractors, suppliers and other third parties connected to the operation of our services to have access to your information. Such individuals are appropriately designated and trained to process data only according to the instructions we provide them.
7. Data integrity
Users are responsible for the accuracy of any user information that they provide to GRSS. We will use reasonable efforts to maintain the accuracy and integrity of Information based on the input received from Users.
8. Who can we share personal information with
GRSS may share the information that we collect or that you provide to us with our affiliates. We also may share personal information with the following categories of third parties as necessary:
- Sub-contractors we have engaged in connection with providing services to our clients.
- Our professional advisers, including our lawyers and auditors.
- Our insurers and insurance brokers.
- Third parties to whom we outsource certain services to assist with operating our business, such as IT managed service providers, software providers, information storage providers and other related service providers. We also require such vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially.
- Third parties to whom our clients have directed us to share information in connection with our services, such as our clients’ lawyers and auditors.
- Third-party service providers that assist us with client data analytics.
- Third-party postal or courier providers that assist us with delivering marketing and other documents to you.
9. Where we transfer personal information
GRSS is located in the United Kingdom and Malta. Your personal information could be stored in either or both jurisdictions. GRSS does not transfer personal information outside the United Kingdom and European Union, except where we have been explicitly authorised by a client to transfer such information to a recipient outside these areas.
10. Personal data rights
Under GDPR you are entitled to see any EU personal data held about you and you may ask us to make any necessary changes to ensure that it is accurate and kept up to date.
Under GDPR your rights with respect to EU personal data are:
- Right to access – You have the right to request copies of your EU personal data that GRSS holds about you in our databases. We will provide you with all the details that we hold about you, both online and offline, upon request.
- Right to erasure – Under certain conditions, you have the right to request that we erase your EU personal data.
- Right to restrict processing or object – You also may restrict or object to the processing of your EU personal data, in some circumstances.
- Right to rectify – You may ask us to correct or remove information you think is inaccurate or out of date.
- Right to data portability – You have the right to have your EU personal data transmitted to another controller, where technically feasible and if it does not adversely affect the rights and freedoms of others.
- Rights related to automated decision making and profiling – GRSS does not make decisions about you using automated decision making or profiling of your EU personal data.
- Right to complain – You may have the right to lodge a complaint to an applicable supervisory authority or other regulator if you are not satisfied with our responses to your requests or how we manage your EU personal data.
11. Period of retention
GRSS retains personal information in compliance with our obligations under applicable law. We may destroy personal information without notice or liability.
Your personal information is retained by us in accordance with applicable law and regulation. Our data retention periods may vary depending on the location, nature and context of the personal information that we have in our care, and will take into account the following factors:
- potential claims or litigation
- guidance from official bodies such as relevant data protection supervisory authorities and regulatory bodies
- how long we need to keep the data to fulfil the original purpose for which it was collected
- the nature and sensitivity of personal data and
- legal obligations to which we are subject
12. Confidentiality and information security
An organisation creating, maintaining, using or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse and unauthorised access, disclosure, alteration, and destruction.
GRSS is committed to keeping your personal information secure. We have taken reasonably designed steps to protect personal information from unauthorised access, use or disclosure. We also require our vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially.
Our web site has commonly used security measures to protect against the loss, theft, misuse, and alteration of personal information and remains under the control of GRSS. You should be aware, however, that we have no control over the security of other websites that you might visit or use, even when a link to those websites is available on or through our web site.
In the event of a breach of the confidentiality or security of your personal information, GRSS will notify you if reasonably necessary under applicable law so that you can take appropriate protective steps. We may notify you under such circumstances using the email address or addresses that we have on record for you.
13. Amendments to privacy policy
GRSS may occasionally update this policy, as noted by the “updated date” at the beginning of this policy. If GRSS updates this policy in a manner that allows it to collect, use, or disclose your personal information in a materially less restrictive manner than under a prior version of the policy, GRSS will provide you with prior notice of the pending update and seek your consent by posting notice on our website or by contacting you using the email address or addresses that GRSS has on record for you.
GRSS encourages you to periodically review this policy to stay informed about its collection, use, and disclosure of your Information. Your continued use of any web site constitutes your agreement to this policy and any updates.
14. Complaints and Dispute Resolution
If you have any questions, complaints, or disputes regarding how we handle or protect your personal Information, please bring them to our immediate attention (see “How to Contact GRSS” below).
The Data Protection Act 2018 and certain other applicable data protection laws give you the right to lodge a complaint with a data protection supervisory authority (‘DPA’), usually in the country or state where you work, normally live or where any alleged infringement of data protection laws has occurred. Details of European DPAs can be found here: EU DPA contacts.
15. How to Contact GRSS
If you have any questions about the policy, please email [email protected].