1. Personal information we use
1.1 Information we collect
We collect the following personal information in relation to providing info4c Products:
- PEP data: PEP data is personal data that we collect about you as a current or past politically exposed person (“PEP”) or another important person (e.g. regional public official, regional PEP, head of state, cabinet member and ministerial staff, member of the parliament, highest member of the judiciary, national bank governor and member, political and religious leader, military official, senior executive of state-owned company, as well as ambassador, consul and diplomat) in our PEP products, such as PEP Desk®, PIL List® and Brazilian Local PEPs, such as first name, last name, other names, title, ID, relative ID, gender, date of birth, place of birth, country of origin, function, specific function, category of function, and country of activity. PEP data may also include personal data of third parties, such as family members of and closely associated persons to a PEP. We collect PEP data primarily from official government websites (presidency, government, legislative bodies, supreme courts of justice, military administration, etc.) and official gazettes in which laws, decrees, investitures and depositions are published.
- Sanction data: Sanction data is data that we collect about you or your entity being subject to financial sanctions according to major financial sanctions lists, such as full name, other names, ID, type of SDN or entity, address, name of the financial sanction list in which it appears, type of list, date of publication, authority and information on whether it is whitelisted or not. We collect sanction data from regulators and other official national and international organizations and institutions.
- Watchlist and blacklist data: Watchlist and blacklist data is data we collect about you or your entity in relation to warning notices from financial authorities and supervisors (e.g. Bafin, FMA, CBFEA, FINMA, CNMV, MAS, FCA), wanted lists from police departments, governments, national and international investigation authorities (e.g. Interpol, FBI, DEA, DIA), as well as lists from international tribunals, enforcement actions, disqualified directors and debarred companies from governmental and international agencies, such as first name, last name, other names, date of birth, country, category, title, ID, alternative script, description of the case, name of the list, date of information and authority. We collect watchlist and blacklist data from official, recognized and documented sources, including international organizations (e.g. World Bank, Interpol and international tribunals), national governments, internal ministries and police departments, national banks, licensing authorities and regulators, and financial authorities (e.g. FINMA, Bafin, FCA, FMA).
- SOE data: SOE data is data we collect about state-owned enterprises (“SOEs”). We collect SOE data mostly from official sources, such as governments and ministries, national lists of SOEs and state entities and official company websites.
- Other data: We also collect data about you in other situations or for other compliance information databases. For example, we process data that may relate to you in administrative or judicial proceedings or criminal convictions and offenses, where allowable by law.
1.2 Special Categories of personal data
We may collect and process special categories of personal data, which, for the sake of clarity, is Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, or data concerning health or sex life or sexual orientation. This data is collected and processed as provided by government or official publications as part of a watchlist or sanctions list entry. We process this type of data for reasons of substantial public interest based on applicable law.
2. How we use your personal information and the basis on which we use it
We use your personal data for the establishment of compliance information databases. We aim to provide online compliance information databases to assist our clients and contractual partners in complying with their regulatory or risk requirements, including for example money laundering, anti-bribery and corruption, prevention of terrorism financing and fraud, and making certain clarifications about their customers such as KYC or EDD. These regulatory or risk requirements may arise from EU or Swiss law, but also from foreign regulations to which they are subject, as well as from self-regulations and industry standards. For this purpose, we use in particular PEP data, sanction data, watchlist and blacklist data and SOE data that is available through publicly available information sources.
3. The basis on which we process your Personal Data
Insofar as we need a legal basis to process your data, we rely on the basis of our or a third-party’s legitimate interest in the particular processing, in particular in pursuing the purposes and objectives set out in Section 2. Examples of these legitimate interests also include compliance with legal regulations, insofar as this is not already recognized as a legal basis by applicable data protection law (for example in the case of the GDPR, the laws in the EEA and in the case of the DPA, Swiss law).
4. Your rights over your personal information
You have certain rights regarding your personal information, subject to local law. These may include the following rights to:
- access your personal information
- rectify the information we hold about you
- erase your personal information
- restrict our use of your personal information, including limiting disclosures made for valuable consideration
- object to our use of your personal information
- receive your personal information in a usable electronic format and transmit it to a third party (right to data portability)
- receive a disclosure regarding how we have collected and used your personal information
- lodge a complaint with your local data protection authority.
If you would like to discuss or exercise these rights, please contact us at the details below. We will request that you provide us with information for us to verify your identity and process your request. Once we verify your request, we will comply with it to the extent required by applicable law. Note that in some cases, we may be prohibited from disclosing certain information, such as Social Security numbers, or may be permitted to retain information, for example to complete the transaction for which it was provided.
We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate.
We will contact you if we need additional information from you in order to honor your requests.
If you are a California resident, we will not deny you goods or services, charge a different price or rate, or provide a different level or quality of goods or services on account of your decision to exercise any of the above rights which may apply to you.
5. Information sharing
- Group companies: info4c is part of Diligent Corporation. info4c may share personal information with Diligent Group companies. A list of Diligent Group companies can be found here: https://www.diligent.com/landing-pages/diligent-data-controllers.
- Service providers: We work with service providers in Switzerland and abroad. These service providers generally process your personal data on our behalf as so-called "processors". Our processors are obliged to process personal data in accordance with our instructions and to take appropriate measures to ensure data security. Some service providers are also responsible jointly with us or independently (e.g. collection agencies).
- Contractual partners and clients: We may disclose your data to our contractual partners and clients, and their users, that have a legitimate interest and need to access the information contained within info4c Products. We require that they only use it for the purposes of conducting internal searches for compliance purposes only to comply with any applicable law.
- Authority: We may disclose personal data to agencies, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests or those of third parties.
- Other persons: We may also disclose your data to other persons in connection with the purposes set out in Section 3, for example service recipients or persons involved in administrative or legal proceedings.
6. Information Security and Storage
We implement technical and organizational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the ongoing integrity and confidentiality of personal information. In the limited cases where we process credit card transactions, we use PCI compliant third-party payment processors to process these transactions in a secure manner. We evaluate these measures on a regular basis to ensure the security of the processing.
You share responsibility for protection of your personal information by keeping your username and password confidential and by changing passwords regularly.
Where we collect personal information from you, we will keep your personal information for as long as we have a relationship with you. Where we collect personal information from third party sources and do not have a relationship with you, we will keep your personal information for a period of time that is consistent with the reason for which we collected it (see the section on How we use your personal information and the basis on which we use it above). This retention period shall take into account the amount, nature and sensitivity of the relevant personal information. When these retention periods have ended, we will retain your personal information for a period of time that enables us to:
- Maintain business records for analysis and/or audit purposes
- Comply with record retention requirements under the law
- Defend or bring any existing or potential legal claims
- Deal with any complaints regarding the services
- Enforce our commercial agreements.
We will delete your personal information when it is no longer required for these reasons. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.
7. International Data Transfer
Your personal information may be transferred to, stored and processed in various countries, including those that are not regarded as ensuring an adequate level of protection for personal information under European Union law or by the European Commission. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your personal information is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.
8. EU-U.S. and Swiss-U.S. Privacy Shield
Diligent Corporation (“Diligent”) participates in and has certified its compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Diligent is committed to subjecting all personal data received from European Union (EU) Member States, the United Kingdom (UK) and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework and to view our certification, visit the US Department of Commerce’s Privacy Shield List: https://www.privacyshield.gov/list.
Diligent is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Diligent complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, the UK and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred under the Privacy Shield Frameworks, Diligent is subject to the regulatory enforcement powers of the US Federal Trade Commission. In certain situations, Diligent may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Diligent commits to cooperate with the panel established by the EU data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by the panel and/or Commissioner with regard to data transferred from the EU and/or Switzerland, as applicable.
Under certain conditions, described in more detail on the Privacy Shield website https://www.privacyshield.gov/... , you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
9. Links to Other Sites
Our sites and services may include links to other websites whose privacy practices may differ from our practices. If you submit personally identifiable information to any of those sites, your information is governed by their privacy policies. We are not responsible for the privacy practices or the content of any sites to which our sites provide links. We encourage you to carefully read the privacy statement of any website you visit.
10. Contact Us
You may contact us for data protection concerns and to exercise your rights as follows:
We have appointed the following additional positions:
Diligent Corporation and, with respect to individual service specific inquiries or relationships, the relevant Diligent Group companies, are the controllers responsible for the personal information we collect and process as controllers.
Our European Union representative is Diligent Governance Ireland Limited, whose registered office is located at 6th Floor, South Bank House, Barrow Street, Dublin 4, Ireland.
Our United Kingdom representative is Diligent Boardbooks Limited, whose registered office is located at 1 Northumberland Avenue Trafalgar Square, London, WC2N 5BW, United Kingdom.
Our Data Protection Officer can be contacted at: firstname.lastname@example.org.
11. Changes to the Policy
Last updated: 01 June 2022