Processor Data Protection Policy
GSS Processor Data Protection Policy
Dated 04 January 2024
This document sets out the roles and responsibilities of GSS and its customers in relation to the Processing of Personal Data that GSS Processes as part of the provision of GSS Screening Services to GSS Users. GSS Users are required to Process certain Personal Data about individuals (Data Subjects), to, amongst other things, meet their legal obligations in combatting fraud, money-laundering, bribery and corruption and the avoidance of sanctions.
How GSS Users Process Personal Data, and with whom they share that data, will be set out in their respective Privacy Notices. We would encourage Data Subjects to review the Privacy Notices of the institution with which they have a banking relationship. If Data Subjects wish to exercise any of their rights under Data Protection Laws[1] or any other applicable local data protection laws, including, but not limited to, the right to know what Personal Data is held about them, they will need to contact the FI concerned directly.
GSS Purposes
As set out in our Privacy Notice, GSS may Process Personal Data on individuals collected by GSS for the provision of the GSS services and products (GSS Purposes). Where GSS intends to Process Personal Data for its own purposes, GSS will be a data Controller (for that specific purpose). In such circumstances, GSS only Processes Personal Data on a valid lawful basis and as set out in our Privacy Notice. Personal Data Processed by GSS (either for GSS Screening Services and/or GSS Purposes) includes Personal Data it obtains directly from GSS Users, from third party commercial partners and via publicly available sources.
Examples of source(s) of Personal Data
| Source (Publicly Available) | Examples of Personal Data GSS may receive | Link to Website |
| --- | --- | --- |
| EU | Please visit official website | Consolidated list of persons, groups and entities subject to EU financial sanctions – Data Europa EU |
| US Fed Register | Federal Register : Notice of OFAC Sanctions Actions | |
| US OFAC | Please visit official website | Home \| Office of Foreign Assets Control (treasury.gov) |
| UN | Please visit official website | United Nations Security Council Consolidated List \| United Nations Security Council |
| UK/OFSI | Please visit official website | OFSI Consolidated List Search (hmtreasury.gov.uk) |
| Factiva t/a Dow Jones (third party commercial provider) | See Dow Jones Privacy Notice: Privacy Notice – Dow Jones | www.dowjones.com |
| Financial Institutions (GSS Users) | FI specific Privacy Notices available via their official websites | N-A |
Where GSS acts as a data Processor
Outside of GSS Purposes, GSS only Processes Personal Data as a data Processor, that is, on the instructions of data Controllers (typically Financial Institutions (“FIs”)), whom we refer to as GSS Users.
GSS will also receive Personal Data directly from GSS Users in relation to their customers (in the form of lists) and, specifically, sanctioned individuals, as well as message data (payment and transaction data, which may include Personal Data), for the purpose of assisting GSS Users with Screening Services so that they can meet their legal obligations under applicable laws, such as anti-money laundering laws.
GSS Users must ensure that prior to passing any Personal Data to GSS, they do so in accordance with all applicable data protection laws and regulations, including, but not limited to, where applicable, providing notice to the individual about GSS Screening Services and, where required, obtaining appropriate consent.
GSS Users’ Responsibilities
Compliance with applicable data protection laws
When providing Personal Data to GSS, GSS Users must comply with all applicable data protection laws and must collect such Personal Data for the relevant purposes in compliance with any local applicable data protection laws. In doing so and where relevant, GSS Users must ensure that they meet their own obligations regarding the Processing of Personal Data, in particular (but not limited to):
- accountability and transparency;
- data accuracy and lawfulness of the Processing;
- providing notice to individuals regarding the data Processing (including any profiling or automated decision-making);
- handling individuals’ requests to exercise their rights of access, rectification, restriction, erasure, data portability, objection, consent withdrawal, and their rights relating to automated individual decision-making; and
- record keeping obligations, performing data protection impact assessments including any assessment relating to international data transfers.
GSS Responsibilities as data Processor
As part of GSS Users’ use of the GSS Screening Services, GSS receives Personal Data about individuals. GSS:
- only Processes such Personal Data on the written instructions of the GSS Users and in accordance with agreements between GSS and GSS Users. GSS will inform GSS Users if it cannot comply with their instructions, to the extent required under applicable data protection law(s); and
- does not retrieve, use, or disclose message data (which may contain Personal Data) except as agreed between itself and GSS Users and/or for GSS Purposes. Specifically, GSS does not Process Personal Data contained in message data for purposes falling outside GSS User instructions.
Confidentiality, integrity, and security
Our information security framework is governed by an information security policy, supported by technical and organisational security measures which are formally documented.
GSS will secure Personal Data with appropriate technical, physical, and organisational security measures to protect such data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and against other anticipated threats or hazards and other unlawful forms of Processing.
GSS corporate security policy and standards are based on the principles of the ISO 27001 series of standards. GSS undertakes regular reviews of its security measures.
Personal Data breach notification
If and as required under applicable Data Protection Law(s), GSS will notify GSS Users of security incidents that lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, without undue delay after becoming aware of the Personal Data breach.
Limited retention periods and deletion procedures
Personal Data is deleted by GSS from its systems according to GSS’ data retention and deletion procedures and/or as agreed with GSS Users, and in any event when this information is no longer necessary for the purposes for which it is Processed.
Assisting GSS Users
Facilitating the exercise of individuals’ rights
In accordance with Data Protection Laws, individuals have certain rights regarding their Personal Data, such as the right to:
- request access to and receive information about the Personal Data GSS maintains about them, update and correct inaccuracies in the Personal Data, and, where relevant, restrict or object to the Processing of the Personal Data or have the information anonymised or deleted; and
- lodge a complaint with the Information Commissioner’s Office (ICO) or any other data protection supervisory authority, including in the individual’s country of residence, place of work or where an incident took place.
GSS Users are responsible for handling requests from individuals to exercise their rights. If an individual sends a request to GSS to exercise these rights in respect of their Personal Data, GSS will advise that individual to direct their request to the GSS User that originally collected the individual’s data (for instance the individual’s bank). GSS will provide the GSS User with the necessary assistance in handling such requests.
GSS will use commercially reasonable efforts to assist GSS Users to facilitate their compliance with relevant obligations under Data Protection Law(s) and regulations, including their obligations to notify Personal Data breaches to the individuals concerned and to handle requests from individuals to exercise their rights.
Data Protection Officer
Any questions about GSS responsibilities regarding the Processing and protection of Personal Data should be directed to GSS, for the attention of the Data Protection Officer, 40 Holborn Viaduct, London, EC1N 2PB, or by e-mail to privacy@gss-rose.com. The GSS DPO is authorised to carry out such internal supervision as may be deemed necessary in connection with GSS responsibilities under this GSS Processor Data Protection Policy.
Confidentiality
GSS ensures that its employees (and sub-Processors) are bound by confidentiality obligations with regard to the Processing of list and message data and are properly instructed and required to comply with GSS obligations under this policy and any other supporting GSS policy in existence from time to time.
Subcontracting
GSS will not subcontract the Processing of Personal Data to third parties or in other locations without prior notification to GSS Users, or except as agreed between GSS and GSS Users. Where applicable, GSS will enter into contractual arrangements and ensure appropriate safeguards and protections are in place with its sub-Processors in accordance with the requirements set out in Data Protection Laws.
Data Transfers
GSS may, as data Processor, transfer Personal Data outside the UK and/or EU/EEA. When we transfer Personal Data to other countries, we will put in place appropriate safeguards and protections (such as standard contractual clauses) and, where necessary, supplemental measures that align with Data Protection Laws. We may transfer Personal Data to countries that have been formally deemed adequate under Data Protection Laws without putting in place additional safeguards and protections.
[1] Data Protection Laws means the EU GDPR and the UK GDPR.