CLS Group Privacy Notice

1. Introduction

CLS Group Holdings A.G, its subsidiaries and its affiliates (collectively referred to as “CLS Group”, “we”, “us” and “our”) respect your privacy and is committed to protecting your personal data. This notice (Privacy Notice) applies to personal information held by members of the CLS Group as data controllers or joint data controllers, as described below. This Privacy Notice explains how we collect, use and share personal information in the course of our business activities.

This Privacy Notice is directed at any individual whose personal data is processed by CLS Group, including but not limited to clients or their representatives (including their employees or agents), vendors, suppliers or other parties with whom CLS Group have a contractual relationship (including individuals employed by, or agents of, such vendors, suppliers or other parties), users of CLS Group’s website or other applications and CLS employees or applicants for employment.

2. Changes to the Privacy Notice and your duty to inform us of changes

This version was last updated on 18 January 2024. CLS Group’s Privacy Notice can be found on www.cls-group.com. We may change or update portions of this Privacy Notice to reflect changes in our practices and or applicable law and regulation. Please check this Privacy Notice from time to time so you are aware of any changes or updates to the Privacy Notice, which may be indicated by a change in the effective date noted in this section. Where required under applicable data protection and privacy laws, we will notify you of any change or update portions of this Privacy Notice by individual message or by disclosing the changes to the data processing on a publicly available medium.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

3. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can, either directly or indirectly, be identified. It does not include data where individuals can no longer be identified (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:

Identity and Contact Data includes your contact information and information about you, including in some cases your signature, identification documents and other identifiers.
Communications Data includes information we capture through your communications with us e.g. telephone conversations, emails, letters and instant messaging.
Contractual Data includes information about the nature of the products or services we provide to each other.
Imagery Data includes CCTV footage and photographs.
Financial Data includes financial information about you, transactional information and credit information, account authentication details.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access through CLS Group websites and applications.
Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website or other applications, products or services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Location Data includes data we receive about where you are.
Public Data includes information you have made publically available, including via social media sites such as (but not limited to) LinkedIn.
Recruitment and Employment Data includes your resumé or CV, data required for background checks, information required to carry out employment relationship such as, but not limited to, passport number, bank account details, tax identifiers and conflicts of interest.
Special Categories of Data and Data Related to Criminal Convictions includes categories of personal data relating to health, religious beliefs, ethnicity, biometrics, political opinions, criminal convictions and offences or other categories. We may request special category data from employees, applicants for employment or individuals wishing to provide services to us. The law and other regulations afford additional protections to special categories of personal data and CLS Group will only collect and use this information where the law allows us to do so.

4. How is your personal data collected?

We will collect your personal data from one or more of the below sources:

Directly from you throughout our relationship.
From third parties that are authorised to share your information with us, such as clients, service providers or intermediaries.
From publically available sources of information.
From other CLS Group entities

We also collect personal data when we monitor or record our communications with you or through use of certain technology.

5. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Where we need to perform the contract we have entered into.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation.
Where you have provided your consent. Note that you have the right to withdraw your consent at any time.

6. Purposes for which we will use your personal data

We have set out below, in a table format, a description of the main ways we plan to use your personal data, and which of the legal bases we may rely on to do so.

Purpose/Activity	Lawful Basis
Delivering products and services To manage our relationship with you or your business and deliver our products and services. To exercise our rights set out in agreements or contracts. To communicate with you about our products and services. To measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk. For business continuity management.	Contractual Obligation Legal Duty Legitimate Interests Consent
Registering you as a vendor and receiving your services To measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk. To communicate with you about the service.	Legitimate Interests
Recruitment, employment and receipt of certain services To confirm your references, educational background or other information and to consider your suitability for any current or future recruitment requirements. To carry out the employment relationship, to fulfil our duties as an employer and to make use of our rights as employer. For internal training. For business continuity management. To facilitate communications with clients, vendors and other third parties in relation to our business.	Legitimate Interests Contractual Obligation Legal Duty Consent Vital Interests For special category personal data Article 9(2)(b) – rights of Controller in the field of Employment Article 9(2)(c) – to protect the vital interests of the data subject or of another natural person
Protecting our legal rights To protect our legal rights, e.g. in the case of defending or the protection of legal rights and interests (e.g. collecting money owed, enforcing or protecting our security or defending rights of intellectual property), court action, managing complaints or disputes, in the event of a restructuring of companies or other mergers or acquisition.	Legitimate Interest Contractual Obligation For special category personal data: Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims
Website, web portals, applications and systems To allow us to provide you with access to our website, web portals and systems. To allow you to directly or indirectly communicate with us through our website, web portals, applications and systems. See CLS Group’s Cookie Notice for further information.	Legitimate Interests Contractual Obligation
To meet our legal or regulatory obligations To prevent and detect crime or non-compliance with laws or regulatory requirements including, e.g. insider trading, fraud, terrorist financing and money laundering, including monitoring, mitigation and risk management, carrying out client due diligence, name screening, transaction screening and client risk identification. For reporting to, and audits by, national and international regulatory or enforcement bodies and complying with court orders associated with us.	Legitimate Interests Legal Duty Public Interest
Monitoring activity To access, review, disclose, intercept, monitor and/or record verbal and electronic messaging and communications including for the purposes of: detecting non-compliance with laws, regulatory obligations or CLS Group’s internal policies monitoring quality of service establishing facts preventing fraud, money laundering or other crimes ensuring effectiveness of systems assisting investigations managing cybersecurity risks To review CCTV footage or other information for the purposes of managing physical security or monitoring who and when enters or leaves CLS premises.	Legitimate Interests Legal Duty Public Interest For special category personal data: Article 9(2)(g) – reasons of substantial public interest.
Marketing To make suggestions and recommendations to you about goods or services that may be of interest to your company.	Consent Legitimate Interest

Purpose/Activity

Lawful Basis

Delivering products and services

To manage our relationship with you or your business and deliver our products and services.
To exercise our rights set out in agreements or contracts.
To communicate with you about our products and services.
To measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk.
For business continuity management.

Contractual Obligation
Legal Duty
Legitimate Interests
Consent

Registering you as a vendor and receiving your services

To measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk.
To communicate with you about the service.

Legitimate Interests

Recruitment, employment and receipt of certain services

To confirm your references, educational background or other information and to consider your suitability for any current or future recruitment requirements.
To carry out the employment relationship, to fulfil our duties as an employer and to make use of our rights as employer.
For internal training.
For business continuity management.
To facilitate communications with clients, vendors and other third parties in relation to our business.

Legitimate Interests
Contractual Obligation
Legal Duty
Consent
Vital Interests

For special category personal data

Article 9(2)(b) – rights of Controller in the field of Employment

Article 9(2)(c) – to protect the vital interests of the data subject or of another natural person

Protecting our legal rights

To protect our legal rights, e.g. in the case of defending or the protection of legal rights and interests (e.g. collecting money owed, enforcing or protecting our security or defending rights of intellectual property), court action, managing complaints or disputes, in the event of a restructuring of companies or other mergers or acquisition.

Legitimate Interest
Contractual Obligation
For special category personal data:
Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims

Website, web portals, applications and systems

To allow us to provide you with access to our website, web portals and systems.
To allow you to directly or indirectly communicate with us through our website, web portals, applications and systems.

See CLS Group’s Cookie Notice for further information.

Legitimate Interests
Contractual Obligation

To meet our legal or regulatory obligations

To prevent and detect crime or non-compliance with laws or regulatory requirements including, e.g. insider trading, fraud, terrorist financing and money laundering, including monitoring, mitigation and risk management, carrying out client due diligence, name screening, transaction screening and client risk identification.
For reporting to, and audits by, national and international regulatory or enforcement bodies and complying with court orders associated with us.

Legitimate Interests
Legal Duty
Public Interest

Monitoring activity

To access, review, disclose, intercept, monitor and/or record verbal and electronic messaging and communications including for the purposes of:
- detecting non-compliance with laws, regulatory obligations or CLS Group’s internal policies
- monitoring quality of service
- establishing facts
- preventing fraud, money laundering or other crimes
- ensuring effectiveness of systems
- assisting investigations
- managing cybersecurity risks
- To review CCTV footage or other information for the purposes of managing physical security or monitoring who and when enters or leaves CLS premises.

Legitimate Interests
Legal Duty
Public Interest

For special category personal data:
Article 9(2)(g) – reasons of substantial public interest.

Marketing

To make suggestions and recommendations to you about goods or services that may be of interest to your company.

Consent
Legitimate Interest

7. Direct Marketing

We may use your personal information to let you know about products and services we believe may be relevant for you. We may contact you by email, post or telephone or through other appropriate communication channels. We strive to ensure that direct marketing is reasonable and proportionate and that we believe is of relevance or interest to you.

You can ask us to stop sending you direct marketing messages at any time by contacting CLS Group’s Data Protection Officer at any time.

8. Disclosure of your personal data

We share your information in the manner and for the purposes described below:

Within CLS Group, where such disclosure is necessary to provide you with our services or to manage our business.
With third parties and vendors who help manage our business and deliver services. These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us, including IT service providers.
With agencies and organizations working to prevent fraud in financial services.
To our clients, to facilitate ongoing communications and receipt or provision of services.
To comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies.
We may share in aggregate, statistical form, non-personal information regarding the visitors to our website or applications, traffic patterns, and website usage with our business partners, affiliates or advertisers.
Where required in connection with potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under an agreement. Your personal information, technical information about your device or browser and/or other anonymous information we obtain from you via the websites may be disclosed to any potential or actual third party purchasers of such assets and/or may be among those assets transferred.
To any third party to whom you authorise us to disclose your personal data.

9. International transfers

We share your personal data within the CLS Group. This will involve transferring your data outside the United Kingdom (UK).

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented (unless a derogation applies):

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we may use specific contracts approved by the Information Commissioners Office.

10. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

11. Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

12. Your legal rights

You have the right to:

access information we hold about you and to obtain information about how we process it (often referred to as a “Subject Access Request”);
in certain circumstances, where we are relying on Consent, you have the right to withdraw your consent to our processing of your information at any time.
in some circumstances, the right to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party;
the right to request that we rectify your information if it’s inaccurate or incomplete;
in some circumstances, the right to request that we erase your information. We may continue to retain your information if we’re entitled or required to retain it;
the right to object to, and to request that we restrict, our processing of your information in some circumstances. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing your information and/or to refuse that request; and
you have the right to lodge a complaint with your local data protection supervisory authority if you have concerns about how we are processing your personal information. We would ask that you attempt to resolve any concerns with CLS Group before lodging a complaint with your local supervisory authority.

13. Contact details

If you have any questions, concerns or complaints or if you wish to exercise any of your rights, please contact CLS Group’s Data Protection Officer:

Data Protection Officer, CLS Group, Exchange Tower,1 Harbour Exchange Square, London. E14 9GE

Data Protection Officer