This is the privacy notice for Themis International Services Ltd, incorporated in England, with company number 11733141, of Castle House, Castle Street, Guilford, GU1 3UW, UK.
We are a risk management firm specialising in financial crime. We provide the following services:
Insight: Threat-based research, analysis and training that educates and drives change;
Intelligence: Preventative steps to avoid damaging links to financial criminals through Enhanced Due Diligence and ESG Reports;
Innovation: Pioneering RegTech tools to manage financial crime risk, including our Anti Financial Crime Risk Rating and Benchmarking Tool and our Themis Financial Crime Search Engine.
This notice explains what personal data we collect in connection with the provision of our Services, why we need that data, and how we use it.
We do not share personal data with 3rd parties other than in specific sponsor cases outlined later in this document. This notice should make it clear exactly when and to whom data may be transferred.
Our website provides a small number of links to other websites, which are beyond our control. We encourage you to read the privacy statements on the other websites you visit.
We might need to change this privacy notice from time to time. We will publish our privacy notice on our website (available at www.themisservices.co.uk) and we’ll do our best to update you directly if we think the changes might materially affect you. Please do keep an eye on our notice before giving us any personal data.
Visitors to Our Websites
Our websites include www.themisservices.co.uk / www.crime.financial and www.themisrating.io.
If you visit our websites, we will use cookies: to help us make sure our website performs correctly; to analyse how visitors use our websites (to help us make our websites more effective); and to help us make marketing decisions about how we promote our services online.
Cookies are small data files that websites store on your electronic device so that the website can store data and will enable us to collect information, which is likely to include data from which you can be identified.
Our lawful basis for using cookies to collect and process usage data is that it is necessary to protect our legitimate interest in promoting our business.
Marketing
Themis collects details from event attendees, event recordings, newsletter subscribers and subscribers of our Products where they have agreed to and accepted our data privacy policy.
Separately, we also may identify people who are likely to find our events or products useful for their jobs by looking for source business contact details and information about an individual’s job role on publically available resources and business websites.
Our team will use those business contact details to send event invites and emails about relevant industry news.
We always include an unsubscribe link at the bottom of any such email which we send, so that you can let us know if you do not wish to receive any further marketing emails.
Our lawful basis for using personal data in this way is that it is necessary to protect our legitimate interest in promoting our business.
Events
If you sign up to an event:
We will collect basic details of all those wishing to attend a Themis digital event such as a webinar or roundtable, or if we host a physical event. This information includes, name, job title, organisation and industry.
For some sponsors of events, we provide these details, but only with prior approval when registering for the event. We consider the processing to be necessary to protect our legitimate interest in running an effective event. We will not share your details with the venue or other third parties for marketing purposes unless you provide your consent.
If you are speaking at one of our events:
We will use the details you provide us with to contact you in connection with the event and, if relevant, process any payment or facilitate any obligations or rights set out in agreement between you and us. Any such processing will be carried out on the basis that it is necessary to facilitate the contract between you and us. We will only use the retained information to comply with regulatory requirements or in the event of a dispute between you and us – which processing would be carried out on the basis that it is necessary to protect our legitimate interest of protecting our business.
We will publicise the bio that you provide, on the basis that such processing is necessary to achieve our legitimate aim of running a successful event and we will retain both the bio and details relating to the talk you give after the event for our internal records as well as for marketing purposes for future events.
Subscription Services
We will use personal data that we collect from clients (which may include details of our clients’ staff) who have subscribed to receive our Services, in the following ways:
(a) To fulfil the contract: which includes setting you up as a client, providing you with updates relating to our Products and processing your user ID, password and contact details and any payments to be made. Any such use will be on the basis that the processing is necessary to perform the contract between you and us.
When you terminate your subscription, we will keep full records about your subscription for two years in case you want to reactivate your account.
We will also retain details of transactions for a period of up to 6 years for our internal records. Any further use of the retained information will only be to comply with regulatory requirements or in the event of a dispute between the recipient and us – which processing would be carried out on the basis that it is necessary to protect our legitimate interest of protecting our business.
(b) We use automated tools to monitor website access using your account details, to identify and manage potential security issues and to keep your account safe. Any such usage data shall be processed to the extent necessary for our legitimate interest of ensuring our Products are secure. We will retain usage data for a period of up to 6 years for our internal records. Any further use of the retained information will only be to comply with regulatory requirements or in the event of a dispute between you and us – which processing would be carried out on the basis that it is necessary to protect our legitimate interest of protecting our business.
Job Applicants
If you contact us about a job, we will use the information you provide us with to assess your suitability for the role and progress your application. Data we will require includes contact details, your curriculum vitae, your previous experience, education and answers to questions relevant to the role you have applied for. Our HR team and the hiring manager for the role will have access to this data.
We will only share your data with contracted third parties if it is necessary for the recruitment process, and will notify you at the time. We will never sell your data or use it for marketing purposes. If we need to securely process the data in another country, we will let you know before the transfer happens.
If your application is not successful, unless you ask us to retain your data for other opportunities in the future, we will store your details for six months to help with any questions, before securely deleting or anonymising the data.
If your application is successful, we will need to complete employment checks for legal reasons, to verify your right to work in the country and to verify your previous employment references.
We will only process such data to the extent required to achieve our legitimate interest of maintaining a workforce for our business
A copy of our retention policy in respect of all of the personal data we hold can be accessed here.
Security of personal data is very important to us. Our business operates with a Cyber Security Essentials certification and we are working towards the ISO 27001 International Security Standard. We use a wide range of organisational, technical, physical and operational controls, which are assessed for effectiveness on a regular basis.
We will only disclose any personal data that we hold to our employees, affiliated companies and third parties who are contracted to help us provide our Services (some of whom may be based outside the EEA). Any such third parties will be acting as processors on our behalf and will be contractually bound only to use the data in accordance with our instructions and to implement adequate security measures. The data will only be transferred in these circumstances if appropriate safeguards are implemented between us and the processor.
We may share personal data with third parties (which will also be acting as controllers in respect of that personal data) in the following circumstances:
If we are under a legal duty to do so or if it is required to enforce or apply our contracts or to protect the operation of our website, or the rights, property or safety of us or others.
If we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use personal data in accordance with the provisions set out in this privacy notice.
Individuals have certain rights under the applicable data protection legislation in respect of the personal data which we hold relating to them. This includes:
(a) Right to be informed: the right to be informed about what personal data we collect and store about you and how it’s used.
(b) Right of access: the right to request a copy of the personal data held.
(c) Right of rectification: the right to require us to correct any personal data held about you which is inaccurate or incomplete.
(d) Right to be forgotten: in certain circumstances, the right to have the personal data held about you erased from our records.
(e) Right to restriction of processing: the right to request us to restrict the processing carried out in respect of personal data relating to you. You might want to do this, for instance, if you think the data held by us is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.
(f) Right of portability: in certain circumstances, the right to have the personal data held by us about you transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
(g) Right to object: the right to object where processing is carried out, including for direct marketing purposes.
(h) Right to object to automated processing: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects (or other similar significant effects) on you.
If you wish to exercise any of your rights set out in section 6 above or contact us about any another matter, please contact our Data Governance Group on +44 (0)20 8064 1724
Send an email to [email protected].
When we receive a request, we will try to verify your identity and the request, before responding to you within 28 days.
Given the nature of the Services we provide, in certain situations, we may be able to rely on certain exemptions under the General Data Protection Regulation and the Data Protection Act 2018. These exemptions may enable us to resist the disclosure of information, erasure requests and rectification requests in certain circumstances, and exempt us from some notification obligations.
We will confirm to you in writing to acknowledge receipt of any request we receive relating to your rights as a Data Subject, and we will let you know if we have complied with your request. If having, carried out an assessment, we believe we have an overriding reason for resisting your request, we will let you know why we have reached that conclusion.
We will retain details of your request for two years, for quality assurance purposes, and may retain request relating to marketing preferences or restricted use for a longer period to ensure that we can comply with your request and to help if you have any further questions about the matter. Any such processing will be limited to the extent strictly necessary to achieve our legitimate interest of providing a robust and secure data management procedure.
Please let us know if you are not happy about how we are handling your data. We will do our best to resolve the matter, but if you have further concerns it is your right to make a complaint to our Data Governance Group on +44 (0)20 8064 1724 or the UK Information Commissioner’s Office at https://www.ico.org.uk.
Responsibility for the implementation of this policy lies with the company CTO and Themis Senior Management Team. They are responsible for making the company aware of the policy, and for its review.
This policy will be reviewed every year and at points of significant change to the business such as the leasing of office premises or the addition of a new team location.
Signed by Matthew Deacon, CTO
Date 21st July 2021