Privacy Policy

The ComplyMAP Group and each ComplyMAP Group Entity (as defined below) are committed to protecting individuals’ personal data in line with the requirements of applicable law. ComplyMAP Group’s commitment applies to all individuals whose personal data it may process.

“Personal Data” means any information relating to an identified or identifiable natural person. For the avoidance of doubt, information relating solely to a corporate entity, such as the corporate name of a client company, is not Personal Data unless it identifies a natural person.

“DPO” means the Data Protection Officer appointed by ComplyMAP Group, where required by applicable law, responsible for monitoring compliance with applicable data protection laws, advising on data protection obligations, cooperating with supervisory authorities, and acting as a contact point for data subjects and competent authorities on data protection matters.

Each ComplyMAP Entity, as controller, maintains records of processing activities under its responsibility in accordance with Article 30 of the GDPR, where applicable.

  1. Who is ComplyMAP Group

ComplyMAP Group is a UK-headquartered group operating across multiple jurisdictions, including the United Kingdom, the European Union and the United Arab Emirates, and also has operations in Mauritius and India.

For the purposes of this Privacy Policy, “ComplyMAP Group” means ComplyMAP Group and its relevant affiliated entities, business divisions and operating companies, including, as applicable, Complyport (EU) Ltd, Complyport Tech (EU) Ltd, Complyport Limited, Complyport Tech (UK) Ltd, Complyport Gentium UK Limited, Complyport Information Technology CO. LLC, Complyport (MAU) Ltd, Complyport (IND) Private Limited, Spinebiz FZCO and Quadprime Cyprus Limited (each a “ComplyMAP Entity” and together the “ComplyMAP Group Entities”).

From time to time, the composition of the ComplyMAP Group may change, including through reorganisation, merger, rebranding, acquisition, disposal or internal restructuring. Any reference in this Privacy Policy to a ComplyMAP Entity shall include its successors, permitted assigns and any entity forming part of the ComplyMAP Group at the relevant time.

References in this Privacy Policy to “we”, “us”, “our”, or the “ComplyMAP Group” shall be construed as references to the relevant ComplyMAP Entity acting as controller or processor, as the case may be, and/or to more than one ComplyMAP Entity where the context so requires.

The ComplyMAP Group, operating globally under the Complyport brand, provides integrated governance, risk, compliance and technology-enabled services. These include regulatory and financial services advisory, compliance and risk management consultancy, internal audit and assurance services, RegTech and transaction reporting solutions, operational resilience and cyber risk support, IT and digital transformation services, technology-enabled managed services (including client lifecycle and financial crime support), as well as broader business and regulatory consultancy services across multiple jurisdictions.

As the Controller, each ComplyMAP Entity determines the purpose and means of processing individuals’ personal data.

  2. Personal data that we may collect

Each ComplyMAP Entity processes different personal data for a variety of reasons. These may include:

Personal data for contact, service provision and other purposes:

These may include name and surname, position, residential address, identification details (e.g. passport or ID), postal or residential address, business address, mobile number, email address, proof of source of income, signature, employment status, company of employment, login details and other account data.

Information necessary to make and accept payments:
This may include bank account details and other relevant details.

Compliance details:
In offering its services to its clients, each ComplyMAP Entity may process personal data relating to individuals such as proof of residence documentation, source of income and tax identification numbers.

Publicly available information:
ComplyMAP Entities may also process personal data from public sources, including databases used for compliance checks.

Appointment to office:
ComplyMAP Entities may process personal data in relation to individuals that may be appointed to an official position, such as directors or officers in legal entities who are clients of ComplyMAP Entities.

Compliance with statutory obligation:
ComplyMAP Entities may process personal data where obliged to do so under the law (e.g. employment records, company records, tax reporting obligations, personnel recruitment laws, and contractual duties).

Information collected during registration for an event or conference organised by ComplyMAP Group:
ComplyMAP Entities may organise different kinds of events or conferences either for promoting and marketing their services to existing and potential clients, for networking purposes, or for identifying potential candidates for employment.

In this respect, ComplyMAP Entities may process personal data (e.g. name, surname, contact details and, if relevant, details regarding academic and/or professional qualifications, including but not limited to the name of university, subject of study and year of study) for the efficient organisation and management of an event or conference. This information may be used for future contact, only with your consent, in order to market the Entity’s services to you, to inform you of similar events, or regarding possible employment opportunities that are tailored to you, if appropriate. This information will be held by the ComplyMAP Entity until you choose to unsubscribe or withdraw your consent, in accordance with Article 7(3) of the General Data Protection Regulation (Regulation (EU) 2016/679).

Photographs, presentations, audio and video recordings of speakers and participants, and live web streaming of events or conferences may be taken. They may be reproduced in various media including ComplyMAP Group publications, ComplyMAP Group websites, social networks, TV channels and the press, in connection with the event or conference, as well as for promotional activities of ComplyMAP Group.

If you do not wish your image or voice to be recorded and published, for compelling and legitimate grounds relating to your particular situation, please follow the procedure described below at paragraph 11 for making a request.

Children’s data:
ComplyMAP services are not directed at children under the age of 16 (or the applicable age of digital consent in the relevant jurisdiction). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us using the details in Section 11.

Employee, worker, consultant and applicant data:

ComplyMAP Entities may process personal data relating to employees, workers, consultants, directors, officers, candidates and other individuals engaged by, or applying to work with, a ComplyMAP Entity. This may include identification and contact details, recruitment and application information, employment history, references, right-to-work or eligibility information, contract and role details, payroll, tax, social security and benefits information, bank account details, performance, training and development records, absence and leave records, disciplinary and grievance records, IT and system access information, health and safety information, and any other information reasonably required for the establishment, administration, management or termination of the employment or engagement relationship.

Such personal data may be processed for recruitment and selection, onboarding, workforce administration, payroll and benefits management, training and development, performance and talent management, compliance with employment, tax, social security, immigration, health and safety and other legal obligations, internal governance and reporting, IT and security administration, investigation of complaints or concerns, business continuity, and the management or termination of employment or engagement with the relevant ComplyMAP Entity.

Where special categories of personal data are processed, such as health-related information or information required for equality, absence, workplace accommodation, legal or regulatory purposes, this will be done only where permitted or required by applicable law and subject to appropriate safeguards.

Business contact details:
Where a ComplyMAP Entity provides services to a corporate client, it may process personal data relating to that client’s directors, officers, employees, representatives and beneficial owners in the context of the business relationship. Such personal data may include names, job titles, business email addresses, business telephone numbers and other professional contact details.

  3. Time of collection of personal data

Personal data may be collected by a ComplyMAP Entity where you, or an organisation with which you are related in any capacity (e.g. shareholder, employee, officer or representative), contact a ComplyMAP Entity in relation to any services that it may provide. Your personal data may also come into our possession if you express any interest in, and/or become, an employee of a ComplyMAP Entity. Your data may also be processed if you sign up to receive informative or marketing material, including Regulatory Alerts and Group News. Your personal data may also be processed if you sign up to participate in an event or conference organised by a ComplyMAP Entity. Your data may also be collected when an organisation engages a ComplyMAP Entity to provide services and you are involved in the organisation in any capacity that is relevant, for example as director, representative or employee of the relevant organisation.

ComplyMAP Entities may also collect personal data from other sources including client entities, government agencies and risk intelligence service providers (e.g. World-Check).

  4. Use of your personal data

ComplyMAP Entities will process personal data to:

  • Provide services or enter into discussions for the provision of services to you or a Client Entity;
  • Manage the day-to-day tasks relating to the business relationship with you or a Client Entity (e.g. communication, payments, invoicing and support);
  • Analyse, market and improve services, as well as develop new services that may be of interest to you or a Client Entity;
  • Ensure physical security and IT security;
  • Obtain and maintain insurance coverage;
  • Comply with legal obligations, including accounting and tax obligations;
  • Identify individuals acting for a Client Entity or engaged by a Client Entity in a task requiring communication with such individuals;
  • Defend or uphold legal rights;
  • Comply with any order of a competent court or other authority;
  • Manage services offered to a ComplyMAP Entity by any person or other entity, including legal services, tax services and public services;
  • Conduct research regarding the effectiveness of website services, marketing, advertising and sales efforts;
  • Keep you or a Client Entity informed in relation to services and products;
  • Carry out direct marketing for the purposes of the ComplyMAP Entity’s legitimate interests, in which case you may opt out of direct marketing as provided further below;
  • Conduct recruitment, employment, payroll and other related purposes of ComplyMAP Entities;
  • Organise an event or conference and provide relevant information to participants; and
  • Process data for purposes that are similar or connected to the above, or for any other purpose for which you or a Client Entity provide personal data to us.

In the context of corporate clients, ComplyMAP Entities may also use the business contact details of directors, officers, employees and other representatives of such corporate clients for business-to-business marketing purposes, including to inform them about related professional services offered by other ComplyMAP Group Entities that may be relevant to their role or to the needs of their organisation.

  5. Legal ground for personal data processing

ComplyMAP Entities may process the personal data set out above on one or more of the following grounds:

  • You have provided your consent to a ComplyMAP Entity for the specific purpose of processing;
  • The processing is necessary for the performance of a contract to which you or a Client Entity are party, or in order to take steps at your or a Client Entity’s request prior to entering into a contract with a ComplyMAP Entity;
  • The processing is necessary for compliance with a legal obligation to which a ComplyMAP Entity, as controller, is subject;
  • The processing is necessary in order to protect the vital interests of you or of another natural person;
  • The processing is necessary for the purposes of the legitimate interests pursued by a ComplyMAP Entity as controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.

Examples where a ComplyMAP Entity may process personal data on the basis of legitimate interests include fraud detection and prevention, credit and KYC checks, inquiries in relation to politically exposed persons, product development, communications and marketing, insurance purposes, employment and recruitment purposes, IT purposes (e.g. data loss prevention, information security, system security, network security and cyber-security), employment data processing, general operations and due diligence (e.g. internal customer analysis, reporting and management information).

Where a ComplyMAP Entity processes business contact details of representatives of corporate clients for business-to-business marketing, including cross-marketing by other ComplyMAP Group Entities, the legal basis will generally be the legitimate interests of the relevant ComplyMAP Entity and/or the ComplyMAP Group, provided that such processing is proportionate, has minimal privacy impact, is relevant to the recipient’s professional role, and the recipient is given a clear opportunity to object or opt out.

  6. Provision of your personal data to third parties

ComplyMAP Entities may share your information with other ComplyMAP Entities within the ComplyMAP Group. In particular, ComplyMAP Entities may share:

  • information necessary for service delivery, administration, compliance, risk management, internal reporting and governance;
  • the names of corporate client entities, which are generally not personal data; and
  • the business contact details of directors, CEOs, officers, employees and representatives of corporate clients with other ComplyMAP Group Entities for business-to-business marketing of related professional services, where permitted by applicable law and subject to an appropriate lawful basis.

Personal data may also be disclosed internally, where appropriate, to the DPO, legal and compliance functions, internal audit, risk management personnel, and IT security teams, to the extent necessary for compliance, governance, security and risk management purposes.

ComplyMAP Entities may share information in the context of providing services to you or any Client Entity with other third parties including, for example, prospective employers, recruitment agencies, CySEC, other regulatory authorities, Approved Reporting Mechanisms or Trade Repositories (where trade reporting or similar services are offered), other specialist service providers, trainers at the ComplyMAP Entity’s courses, its own legal and/or other advisers, entities offering services in relation to AML and fraud prevention checks, financial institutions whose services may be required as part of the services that you require a ComplyMAP Entity to provide to you, and other service providers (e.g. online storage centres, cloud service providers and statistics monitoring providers).

ComplyMAP Entities may also share your information where obliged to do so by an applicable court order and/or where required to do so by applicable law.

  7. The safety of your personal data

ComplyMAP Entities take appropriate physical, organisational and technical measures to ensure the safety of your personal data. Your personal data may be stored electronically or in paper form.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable data protection law, unless certain exceptions apply.

  8. Personal data that you or a Client Entity provide to us in relation to other individuals

Where you or a Client Entity provide to a ComplyMAP Entity personal data of other individuals (e.g. officers, secretaries, employees, other individuals that the Client Entity interacts with, or persons related to you), you or the Client Entity, as the case may be, represent that you or the Client Entity are duly entitled to do so.

You or a Client Entity also represent that the individual in question is aware of the relevant ComplyMAP Entity’s data protection practices as stated in this Policy, where relevant to that individual, how such ComplyMAP Entity may be contacted, as well as any information that you or a Client Entity are obliged to provide to such individual under applicable laws in relation to the relevant ComplyMAP Entity.

Where a Client Entity provides personal data relating to its directors, officers, employees or representatives to a ComplyMAP Entity, the Client Entity is responsible for ensuring that such individuals have been informed that their business contact details may be processed by the relevant ComplyMAP Entity and, where permitted by applicable law, shared within the ComplyMAP Group for the purposes described in this Policy, including business-to-business marketing of related professional services.

  9. How long we store your personal data for

ComplyMAP Entities store personal data for no longer than is reasonably necessary for the purposes for which it is processed. Where a ComplyMAP Entity stores personal data based on your consent, it will delete such personal data when you withdraw your consent, provided that it is not obliged under law to retain such data. In the case of recruitment activities, ComplyMAP Entities will delete your personal data if you are not employed unless you expressly consent to the storage of your personal data for potential future roles and/or other purposes. Consent will be updated on an annual basis. If you accept an offer of employment by a ComplyMAP Entity, any relevant personal data collected during your pre-employment period will become part of personnel records and will be retained during your employment and for as long as required by applicable laws after the end of employment. ComplyMAP Entities may, in any case, keep personal data for as long as necessary for the defence or bringing of legal claims as provided by applicable limitation laws in the relevant jurisdiction.

  10. Transfers of personal data to third countries

ComplyMAP Entities may transfer personal data internationally (outside the UK and to third countries outside the EU/EEA) where required for any of the purposes stated above, including for storage purposes. In such a case international data transfers are carried out in compliance with the data protection laws of the jurisdiction in which the relevant ComplyMAP Entity is established:

ComplyMAP Entities in the United Kingdom will ensure that transfers of personal data to countries outside the UK comply with the UK General Data Protection Regulation, using adequacy regulations, the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, or other appropriate safeguards under UK GDPR.

ComplyMAP Entities in the European Union will ensure that transfers of personal data to third countries outside the EU/EEA comply with the General Data Protection Regulation (Regulation (EU) 2016/679), based on a Commission adequacy decision, appropriate safeguards (e.g. standard contractual clauses), or other grounds provided by the GDPR.

ComplyMAP Entities in the United Arab Emirates will ensure that transfers of personal data internationally comply with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and will implement appropriate contractual or other safeguards as required under UAE law.

For ComplyMAP Entities established outside the UK and EU/EEA, international transfers of personal data will be carried out in accordance with the data protection laws applicable to that entity. Appropriate safeguards will be implemented where required by the applicable legal framework governing such transfers.

You may contact the relevant ComplyMAP Entity or the DPO in order to be informed of the appropriate or suitable safeguards, as the case may be.

  11. Your rights as a data subject

  • Right of access – you have the right to request from a ComplyMAP Entity acting as your controller a copy of the personal data held about you.
  • Right of rectification – you have the right to request from a ComplyMAP Entity acting as your controller the correction of personal data that is inaccurate or incomplete.
  • Right to erasure – you have the right to request from a ComplyMAP Entity the erasure of your personal data from its records, where the applicable legal conditions are met and no exception applies.
  • Right to restriction of processing – you have the right to request from a ComplyMAP Entity acting as your controller, where certain conditions apply, restriction of the processing of your personal data.
  • Right to portability – you have the right to request from a ComplyMAP Entity acting as your controller, where certain conditions apply, to have the data it holds about you transferred to another organisation.
  • Right to object – you have the right to object, on grounds relating to your particular situation, to certain types of processing such as direct marketing.
  • Right to withdraw consent – where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right regarding automated decision-making and profiling – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for entering into or performance of a contract, authorised by law, or based on your explicit consent.
  • Right to lodge a complaint – you have the right to lodge a complaint with the competent supervisory authority (see Section 13 below).
  • Right to judicial remedy – in the event that a ComplyMAP Entity refuses your request in relation to any of the above rights, it will provide you with reasons, subject to applicable law.

If your personal data is processed for direct marketing purposes, including business-to-business marketing by a ComplyMAP Group Entity, you have the right to object at any time to such processing, and your personal data will no longer be processed for those marketing purposes once your objection is received and implemented in accordance with applicable law.

You can make a request or exercise these rights by completing the Data Subject Access Request Form and sending it by e-mail to the following e-mail address: dpo@complyport.com

We may request you to provide information for the purpose of verifying your identity and residency in order to comply with our security obligations and to prevent unauthorised disclosure of data.

We will answer your request, or request additional information from you, within 1 (one) month. Occasionally, it may take longer than 1 (one) month if your request is particularly complex or you have made a number of requests. In this case, we will notify you within 1 (one) month of receipt of your request about the extension and keep you updated.

Each ComplyMAP Entity may charge a reasonable fee where a request is manifestly unfounded, excessive or repetitive, or where we receive a request to provide further copies of the same data. In this case, we will send you a fee request which you will have to accept prior to us processing your request. Alternatively, we may refuse to comply with your request in these circumstances.

  12. Failure to provide personal information

If a ComplyMAP Entity requests that you provide personal data and you fail to do so, such ComplyMAP Entity may not be in a position to provide a service and/or enter into an agreement with you, in which case it will inform you accordingly.

  13. Your right to make a complaint

The DPO and/or the relevant ComplyMAP Entity will endeavour to respond promptly to your requests and complaints. In the event that you are unsatisfied with the way your personal data has been handled, or with any privacy query or request that you have raised, you may submit a complaint in writing to: dpo@complyport.com

We will try to respond to all requests within 1 (one) month. Occasionally, it may take longer than 1 (one) month if your request is particularly complex or you have made a number of requests. In this case, we will notify you within 1 (one) month of receipt of your request and keep you updated.

If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the competent supervisory authority in the jurisdiction of the relevant ComplyMAP Entity or where otherwise available under applicable law. For ease of reference, the principal supervisory authorities relevant to ComplyMAP Group Entities include:

Cyprus

For entities established in Cyprus, details of the Office of the Commissioner for Personal Data Protection are available at this link

Address: Kypranoros 15, Nicosia 1061, Cyprus
Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus
Telephone: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy

United Kingdom

Information Commissioner’s Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Email: icocasework@ico.org.uk
Website: https://ico.org.uk

United Arab Emirates (UAE):

UAE Mainland (Federal):
UAE Data Office (Data Protection under Federal Decree-Law No. 45 of 2021)
Website: https://u.ae/en/about-the-uae/digital-uae/data/data-protection

Dubai International Financial Centre (DIFC):
Commissioner of Data Protection – Dubai International Financial Centre (DIFC)
Address: Level 14, The Gate, P.O. Box 74777, Dubai, United Arab Emirates
Email: commissioner@dp.difc.ae
Telephone: +971 4 362 2222
Website: https://www.difc.ae/business/registrar/data-protection

India

Data Protection Board of India
Head office: National Capital Region (New Delhi), India

Website: https://dpdpaedu.org

Mauritius:

Data Protection Office
Address: Level 5, SICOM Tower, Wall Street, Ebene Cyber City, Republic of Mauritius
Email: dpo@govmu.org
Telephone: +230 460 0251
Website: https://dataprotection.govmu.org

  14. Cookies

ComplyMAP Entities use cookies in order to deliver a better user experience on their websites. For further information regarding cookies, please see the ComplyMAP Group Cookie Policy.

  15. Changes to this Privacy Policy

This Privacy Policy is subject to change to reflect changes in data protection practices or the legal framework. In the event that this Policy is amended, the revised document will be posted on the ComplyMAP Group website and such change will apply from the date it is posted unless otherwise stated in the revised Privacy Policy.