Privacy Notice

GLOBAL DATA PROTECTION NOTICE

EXTERNAL CORPORATE WEBSITE

1. About Us

2. About this Notice

3. Sources of Personal Data Collection

4. Categories of Personal Data we Collect

5. How We Use Your Personal Data Lawfully

6. How We Share Your Personal Data

7. Cross-Border Transfers of Personal Data

8. How we Protect and Secure Your Data

9. Retention and Disposal of Personal Data

10. Individual Privacy Rights

11. Contact Us

1. About Us

The ISTARI Group (“we”, “us”, “our”) takes a holistic approach to cyber risk management and aims to build cyber resilience and long-term success for its clients. For the purpose of this notice, the ISTARI Group includes ISTARI Global Limited and certain of its associates whose affairs ISTARI Global Limited oversees and helps to manage, namely its immediate parent company, ISTARI Pte. Limited, and certain of that company’s other wholly-owned subsidiaries being ISTARI Global (Singapore) Pte. Ltd., ISTARI Investments Holdings Pte. Ltd, ISTARI International (US) LLC and ISTARI International (UK) Limited (in all cases including any foreign branches and permanent establishments. For more information about us, please visit our home page.

2. About this Notice

This Data Protection Notice (“Notice”) describes how we collect, process, and protect your Personal Data when you interact with us. It does not form part of any contract between us, but we recommend you read it carefully. The categories of Personal Data we collect about you and how we process such data depends on the nature of our relationship with you and the means through which we interact, including when you visit our website. We take your data protection rights and our legal obligations seriously. All enquiries regarding this Notice including how you can exercise your data subject rights should be directed to the details provided in the Contact Us section below. 

This Notice sets out detailed information regarding how we hold and process Personal Data relating to members of the general public visiting our Website, external job candidates, contractors, nominees, attendees of and/or participants in events and programmes operated by the ISTARI Academy, and other third parties including but not limited to, actual and prospective clients, investee companies, goods and service providers, partners, shareholder nominees, and journalists.

Unless stated otherwise, definitions referred to in this Notice will have the meaning given to them under applicable privacy laws. This Notice is provided by your Data Controller which is responsible for deciding how your Personal Data is used, and for ensuring that your Personal Data is handled in accordance with applicable privacy laws. Your European Data Controller is ISTARI Global Limited, save for activities relating to the ISTARI Academy where ISTARI International (UK) Limited will be the Data Controller. Unless otherwise stated, your United States (“US”) Data Controller is ISTARI International (US) LLC, and your Singapore Data Controller is ISTARI Global (Singapore) Pte Ltd.

Any third-party websites which you may access via our Website are not covered by this Notice. ISTARI accepts no responsibility or liability for the use and protection of any Personal Data which you provide to such third-party websites. You should exercise caution and read the privacy notice of the relevant third party before providing any Personal Data.

3. Sources of Personal Data Collection

We may collect Personal Data about you from several sources, including directly from yourself, from third parties, and through automated means. 

The following provides more information regarding the aforementioned sources: 

• Direct Collection. Personal Data that you provide to us directly when you initiate contact with us.

• Third-Party Collection. Personal Data which third parties provide to us about you (e.g. business partners or specialist recruiters who may refer you to us).You should liaise directly with the third parties concerned should you wish that they refrain from disclosing data about you to us.

• Automated Collection. We also collect and may permit third parties to collect Personal Data about you automatically through the use of cookies and similar tracking technologies on our Website. You may update your automated collection preferences by accessing the cookie preference center on our Website. For more information please refer to our Cookies Notice.

4. Categories of Personal Data we collect

We collect different categories of Personal Data about you depending on the nature of our relationship with you and the purposes for which such information is necessary in the context of our relationship. These include personal identification, financial, recruitment, marketing, monitoring, compliance and contract information, government identifiers, online identifiers, and in isolated instances, sensitive information such as dietary preferences and food allergies. 

ISTARI only collects Personal Data that is strictly necessary for the purposes for which it was collected , including:

• Personal Identification and Contact Information: name, contact information (such as e-mail and postal address, telephone numbers), date of birth, job title, employing organisation;

• Government and Online Identifiers: social insurance / security / tax identification numbers, and internet protocol (IP) addresses;

• Financial Information: bank account name and number, sort code, credit reports, shareholding rights, and other financial data appropriate to support business transactions and/or credential verifications;

• Recruitment Information: professional resumé including biographical information (such as employment and education history), professional reference and recruitment feedback, notes, and related performance information, right to work documentation (such as passport, driving licence, and/or visa information) and other information about yourself that you provide in a CV or similar document;

• Marketing Information: marketing interaction data, communication preferences and records of consents provided and/or withdrawn in connection with the receipt of marketing communications;

• Monitoring Information: video surveillance, including closed-circuit television (CCTV) footage when entering ISTARI premises and technical information collected through the use of cookies, web beacons, and/or similar tracking technologies that we place and may permit third parties to place on our website(s), including online identifiers such as IP addresses and unique device identification, and online activity information, such as direct and social media interaction with our Website;

• Compliance Information: background verification results, including against international sanctions, exposed persons or export controls registers, criminal record databases, complaints or claims, investigations and other compliance monitoring, reporting and remediation information;

• Contract Information: contracts (to be) entered into between ISTARI with an individual, information regarding existing contracts between the individual and third parties that may impact the same in relation to ISTARI, such as existing non-competition restrictions to which you may be subject. 

5. Purposes we use your Personal Data for and Lawful Bases we rely on

We may use your Personal Data for different business purposes and in reliance upon different legal bases, depending on the nature of our relationship with you and in accordance with applicable privacy laws. We do not process your Personal Data for further purposes incompatible to those notified to you through this Notice. ISTARI will only process personal Data for the purposes set out below. In doing so, we rely upon the lawful bases for processing set out detailed in this section, subject to applicable privacy laws. 

We may use each category of Personal Data we collect in the following ways (in each case, only where the processing is necessary for the purpose):

• With your consent, for all such purposes for which you specifically provide consent. This includes, but is not limited to, providing related content about our products, services, events, and programs that you may have subscribed to receive. You may unsubscribe from receiving marketing communications from us either by clicking the link included in the relevant marketing communication or by contacting us to opt out. Where we process Sensitive Data about you, we additionally rely on your explicit consent obtained when you voluntarily provide any Sensitive Data to us through our Website.

• To perform our contractual obligations towards you (as an individual) and to undertake pre-contractual steps at your request, such as to respond to requests for quotation, proposal or registration and deliver contracted services, programs and events (including the ISTARI Academy Navigator Program), to provide associated customer services, to raise related invoices and process payments regarding the same, and to respond to vacancy applications we receive from you for recruitment purposes.

• To fulfil a legal obligation to which we are subject,

• To pursue our legitimate interests, where it is not overridden by your own legitimate interests and/or fundamental rights and freedoms, including:

• Managing our interactions and business relationship with you, including by responding to requests which you have submitted via our Website, by telephone, e-mail, or any other means and to deal with ongoing matters relating to such requests;

• Presenting content from our site in the way that we consider most effective;

• Keeping our Website and IT network safe and secure, prevent, and manage security incidents appropriately;

• Preventing or detecting fraud or crime through our Website;

• Protecting the safety, property and rights of all individuals who interact with us, including through ensuring the health and safety of all individuals who are present at our business premises;

• Bringing or defending legal claims concerning ISTARI entities.

• Investigating any complaints received from you or from others, about our Website or our services;

• Improving your browsing experience by remembering your preferences on our Website (where only Strictly Necessary cookies are being used)

• Obtaining legal advice, support, or representation in connection with legal claims, compliance, regulatory and investigative purposes, as necessary or as permitted by applicable laws and regulations; or

• Notifying you about changes to our services, where applicable.

• For such purposes that may be required or permitted by applicable privacy laws, including for compliance with legal obligations which we are subject to and any other secondary purposes that are compatible with the original purposes of processing Personal Data set out in this Notice. This includes the processing of Personal Data relating to criminal offences and/or convictions. Such criminal data are processed exclusively in relation to recruitment candidates and investee company management only. This processing is strictly necessary for the purposes of conducting background screening as part of our recruitment process and procuring legal advice and support in connection with investment transactions concerning ISTARI. In doing so, ISTARI relies on our legitimate interest in obtaining legal advice and ensuring the health, safety, and wellbeing of our workforce and partners, subject to appropriate safeguards for the rights and freedoms of all individuals concerned by such processing. Any collection of criminal data remains qualified to instances where ISTARI is permitted to collect such data in accordance with applicable privacy laws, including subject to individuals’ consent, as permitted by the U.K. Data Protection Act 2018, Schedule 1, Part 3, Paragraph 29.

Wherever there is a business requirement to process your Personal Data for purposes that are incompatible with those described above, we will notify you of the same and obtain your consent where required by applicable privacy laws prior to engaging in any such further processing.  We do not currently sell or intend to sell your Personal Data. Should this change at any point in future we will update this Notice, notify you of any changes, and provide you with the appropriate mechanism to exercise your right to opt-out from the sale of your Personal Data. For further information regarding your privacy rights please refer to Your Individual Privacy Rights set out below.

Please note that in certain circumstances such as when you have entered or are proposing to enter into a contract with us (e.g. to provide us/you with products and/or services), the provision of Personal Data is a requirement of the contract you entered/are proposing to enter into with us. The provision of Personal Data in these circumstances is necessary to enable us to perform pre-contractual steps at your request, to enter into the contract with you, and/or to perform our legal obligations under our contract with you.

6. How We Share Your Personal Data

We may disclose your Personal Data to ISTARI subsidiaries and affiliates, third-party suppliers, service providers and business partners, law enforcement and other government agencies, companies with whom we are involved with in a corporate transaction, or any other third parties. 

We may share your Personal Data with the categories of recipients described below:

• ISTARI subsidiaries and affiliates. We may share your Personal Data within our group of companies, which includes parents, corporate affiliates, subsidiaries, business units and other companies that share common ownership for the purposes, and using the legal bases, set out in this Notice.

• Third-Party goods and service providers, partners, and other companies. We may share your Personal Data with third parties in order to facilitate our interactions with you or request or support our relationship with you, including website hosting, backend services, analytics, crash reporting, and marketing service providers.

• Law enforcement and other government agencies. We may share your Personal Data with law enforcement and/or other government agencies to comply with law or legal requirements, to enforce or apply our Terms and Conditions and other agreements, and to protect our rights, property, and the safety of our employees, clients, and third parties.

• Companies involved in a corporate transaction with us. If we sell some or all of our assets, merge, or are acquired by another entity or otherwise restructure our business, including through a sale or in connection with a bankruptcy, we will share your Personal Data with that entity.

• Any other third parties for which you provide your consent for us sharing your Personal Data with.

7. Cross-Border Transfers of Personal Data

We may need to transfer your Personal Data from the originating country to another jurisdiction for processing. Where Personal Data is transferred outside the territory where it was collected, we will implement appropriate legal mechanisms to ensure that your Personal Data remains adequately protected upon reaching its destination, as required by applicable privacy laws. 

Our global operations expand across several jurisdictions including in particular the UK, US, Germany, Norway, Switzerland, and Singapore. In some instances, it may be necessary for us to transfer your Personal Data to an ISTARI entity or to a third party outside the country where it was collected. Third party recipients include organisations with whom we engage to deliver our products and services to you. In doing so, we rely on a number of legal mechanisms to ensure that your data remains protected to a standard equivalent to that afforded to it in the country of origin. Depending on the direction of transfer of Personal Data, this includes European Commission Adequacy Decisions and Standard Contractual Clauses, United Kingdom Adequacy Regulations and Standard Contractual Clauses, and other legally enforceable safeguards in accordance with applicable privacy laws. A copy of the relevant mechanism can be made available upon request by Contacting Us.

8. How we Protect and Secure Your Data

ISTARI has implemented appropriate technological and operational security measures, policies and procedures designed to protect your Personal Data against accidental or unlawful loss, disclosure, misuse, alteration, or use. We limit access to your Personal Data only to those ISTARI employees, other staff and third parties on a business need to know basis. They will only process your Personal Data upon our instructions, and they are subject to a duty of confidentiality. We have implemented procedures to respond appropriately to any suspected personal data breach or security incident and will notify you and relevant data protection regulators where we are legally required to do so.

9. Retention and Disposal of Personal Data

We will generally only retain your Personal Data for as long as is necessary, for the purposes for which such data was collected for and, in line with  legal, regulatory, and legitimate business requirements. This will usually be for the duration of your relationship with us plus the length of any applicable statutory limitation or obligation , as required or permitted by applicable privacy laws. Upon reaching the end of the relevant retention period, ISTARI will take steps to dispose of your Personal Data in a secure and permanent manner, in accordance with applicable privacy laws.

10. Individual Privacy Rights

Individuals whose Personal Data we process are afforded a number of rights in relation to such data, depending on the jurisdiction where they are located. To exercise your data protection rights please Contact Us. We will respond to requests in accordance with applicable privacy laws. 

The specific data protection rights applicable to you are detailed in the table below, depending on the jurisdiction where you reside or are otherwise are located. Please note that these data protection rights are not absolute and there may be circumstances where we may legitimately deny or limit a request as permitted by applicable privacy laws. You should also note that the specific scope of the rights and their associated exemptions may further vary from one jurisdiction to another.  You will not normally have to pay a fee to access your Personal Data (or to exercise any of the other rights stated above), although we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of the other rights stated below). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in order to clarify your request. We will only collect strictly necessary information to ensure that we only honour requests received from the true Data Subject or their authorised representative, in accordance with the data minimisation principle (see Our Data Protection Values). We strive to respond to all legitimate requests within the relevant deadlines pursuant to applicable privacy laws. Occasionally it may take us longer to respond if your request is particularly complex or you have made a number of different requests. In this case, we will notify you of estimated response timelines.

11. Contact Us

If you have questions, concerns, and/or complaints regarding this Notice or you wish to exercise your data protection rights above, please contact the ISTARI Data Protection Manager by post at ISTARI Global Limited, 8 Cavendish Square, London W1G 0PD, United Kingdom, EC4A 4AB, or by e-mail to legalnotices@istari-global.com. You also have the right to lodge a complaint with the data protection authority in the territory where you are located, should your matter remain unsettled or otherwise unsatisfied.

 Last updated May 2022.