Steele Compliance Solutions, Inc.
Effective Date: June 1, 2020
This Privacy Statement is applicable to Steele Compliance Solutions, Inc., its affiliates and subsidiaries, including Steele CIS LLC; Securimate LLC; Compliance Wave LLC; TransparINT LLC; Osprey Compliance Software LLC (“Steele,” “we,” “us,” or “our”). Steele provides a wide range of compliance-related services, including advisory, subscription-based software, professional due diligence, training and managed services, and conflict of interest and incident reporting (“Services”). In connection with providing those Services, Steele is committed to complying with privacy laws and regulations in all of the jurisdictions in which we operate. That commitment extends to compliance with the General Data Protection Regulation to protect the privacy of individual data subjects residing in the European Economic Area.
For the purposes of this Privacy Statement, “Personal Data” means any information relating to an identified or identifiable individual. “Process” and variants of it, such as “Processing,” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Data Controller” means a natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. “Data Processor” means a natural or legal person which processes Personal Data on behalf of a Data Controller. This Privacy Statement applies to the Processing of Personal Data collected in the context of your use of our Services and in connection with our Client, Business Partner, and Vendor relationships.
This Privacy Statement describes the types of Personal Data we Process, the purposes for which we Process that Personal Data, the other parties with whom we may share it, and the measures we take to protect the security of your Personal Data. It also tells you about your rights and choices with respect to your Personal Data, and how you can reach us to update your contact information or get answers to questions you may have about our privacy practices.
This Privacy Statement covers the following details:
- Personal Data We May Process
- How We May Use Your Personal Data
- How We May Share Your Personal Data
- Your Rights and Choices
- How We Protect Your Personal Data
- Cross-Border Data Transfers
- Updates to this Privacy Statement
- How to Contact Us
Personal Data We May Process
We obtain Personal Data relating to you from various sources described below:
- Personal Data Provided by You: You may provide us with your Personal Data during an event such as a conference or in connection with a subscription registration, a survey, a request for publications or information, a webinar, an employment submission (by online form or online résumé submission), a vendor qualification form, or via our website: steeleglobal.com. Where applicable, we indicate whether and why you must provide us with your Personal Data, as well as the consequences of failing to do so. If you do not provide Personal Data when requested, you may not be able to benefit from our Services if that information is necessary to provide you with the Service or if we are legally required to collect it.
- Information We Gather or Track While You Visit Our Website: Steele collects data that allows us to display customized content and features. Users of our website also should be aware that non-personal information and data may be automatically collected through the use of “cookies.” “Cookies” are small text files a website can use to recognize repeat users, facilitate the user’s ongoing access to and use of the site and allow a site to track usage behavior and compile aggregate data that will allow content improvements and targeted advertising. Also, your computer reaches us via a particular IP (Internet Protocol) address and indicates where you are connecting from and what service provider you are using. An IP Address is considered Personal Data.
- Personal Data Provided in the Context of Our Contractual Relationship: We may receive contact information (e.g., name, professional email address) of employees of Clients, Business Partners and Vendors in the context of our contractual relationship with such entities. Our Business Partners may also provide us with Personal Data from their clients. For example, some of our Business Partners resell our Services as part of their own services and they may provide us with Personal Data (e.g., name, address, company and title) from their clients. We also maintain the emails or other communications that our Clients, Business Partners and Vendors may send us, such as client support inquiries to our helpdesk or Client Success Managers, and their content.
- Personal Data Our Clients, Business Partners or Vendors Provide to Us: We receive Personal Data and other data from multinational corporations, including financial institutions, and other entities with anti-bribery and anti-corruption (ABAC), anti-money laundering (AML), and corporate social responsibility (CSR) regulatory compliance obligations (“Clients”) that have entered into agreements with Steele for compliance-related due diligence Services and/or software for third-party business partner management and monitoring. Some of the third-party business partners identified by our Clients for due diligence investigations are legal entities and some are individual principals or key managers of those legal entities. We Process such Personal Data on behalf of our Clients, who are considered the Data Controllers. As Data Controllers, our Clients are responsible for the Personal Data Processing that we, as Data Processor, carry out on their behalf and we rely upon them to inform you of such Processing and either obtain your consent or otherwise justify the lawfulness of the Processing. If we receive such Personal Data from our Business Partners or Vendors, they have the same responsibilities.
- Personal Data We Identify During Due Diligence Investigations: We receive Personal Data from our Clients and their third-party business partners in connection with our Clients’ requests for compliance-related due diligence Services. You may be identified as an owner, governing board member, officer, or key manager by our Clients or in a third-party business partner’s response to a due diligence questionnaire issued by our Clients. Also, during our due diligence investigations for our Clients, you may be identified as an individual related to the third-party business partner when we check sanctions lists and watchlists or search business registration records, legal and financial databases and other public sources for ownership information or compliance issues relating to the third-party business partner. In these cases, we are also Processing such Personal Data on behalf of our Clients and we rely upon them to inform you of such Processing and the lawful basis of such Processing, e.g., their legitimate interest in such Processing in connection with their regulatory compliance programs.
- Personal Data We Identify From Sanctions Lists, Watchlists and Other Public Sources: We may receive Personal Data from sanctions lists, watchlists, and other public sources when our software searches such sources for compliance issues including, but not limited to, money laundering, bribery, modern slavery and child labor, and assembles them into searchable profiles of interest to our Clients. We have a legitimate interest in such Processing in providing such Services to our Clients in connection with their regulatory compliance programs.
- Personal Data Provided by You in the Context of Conflict of Interest and Incident Reporting: You may provide us with certain Personal Information, such as name, email address, and contact details, and, where specifically and voluntarily provided by you, certain categories of sensitive information.
How We May Use Your Personal Data
- Personal Data provided by you is used to evaluate potential employment with Steele, in connection with employee benefits, to keep you informed of new Services offered by Steele, to invite you to participate in events and surveys, and to inform you of thought leadership articles published by Steele. Steele does not sell or otherwise disclose your Personal Data to any other third parties.
- Information gathered from users of our website is used in analyzing trends, administering the site, tracking users’ movements around the site and to gather demographic information about our website-user base.
- Personal Data provided by you in connection with your company’s contractual relationship with Steele is used to provide Steele’s Services to your company, including the issuance of passwords to access our software, training, and adverse media Services.
- Personal Data provided by our Clients, Business Partners or Vendors is used to:
  - Provide our Clients with compliance-related due diligence investigation Services on designated third-party business partners and their principals.
  - Provide our Clients with periodic or continuous monitoring of their third-party business partners and their principals for adverse information relating to their ABAC, AML or CSR compliance programs.
  - Provide our Clients with beneficial ownership information on their third-party business partners.
  - Manage our relationships with our Business Partners and provide our Services to our Business Partners for resale.
  - Manage our relationships with our Vendors who may assist us in providing our Services to our Clients and Business Partners.
- Personal Data we identify during due diligence investigations is used to:
  - Provide our Clients with compliance-related due diligence investigation reports.
  - Provide our Clients with adverse information relating to their ABAC, AML or CSR compliance programs.
  - Provide beneficial ownership information on entities of interest to our Clients.
- Personal Data we identify From Sanctions Lists, Watchlists and Other Public Sources is used:
  - As a component of our compliance-related due diligence investigation reports performed at the request of our Clients.
  - To assist our Clients in periodic or continuous monitoring of their third-party business partners and individuals associated with such entities.
  - To assemble and make available to our Clients profiles of individuals having compliance-related adverse information.
- Personal Data Provided by You in the Context of Conflict of Interest and Incident Reporting:
  - Provide our Clients with a means to manage, evaluate, report, document, and track any potential conflicts of interest or incidents.
We may process your Personal Data for the above purposes when:
- We or a third party (e.g., Clients, Business Partners or Vendors) have a legitimate interest in Processing your Personal Data. For example, in line with the EU General Data Protection Regulation which recognizes fraud prevention as a legitimate interest, our Clients have a legitimate interest in the processing of your Personal Data for managing their financial risks, protecting against fraud, knowing who they are doing business with, and meeting compliance and regulatory obligations. Also, we have a legitimate interest in Processing your Personal Data to provide our Clients and Business Partners with the ability to determine beneficial ownership of their third-party business partners and to monitor their third-party business partners and those individuals who own or control them for adverse compliance-related information.
- You have consented to the Processing of your Personal Data.
- We need your Personal Data to provide you with Services requested by you or to respond to your inquiries.
- We have a legal obligation to Process your Personal Data.
How We May Share Your Personal Data
We do not sell or otherwise disclose Personal Data we collect about you, except as described in this Privacy Statement or as otherwise disclosed to you by us or our Clients, Business Partners or Vendors at the time the data is collected. We do not share marketing data gathered via our website with anyone.
- Affiliates and Business Partners (e.g., resellers): We may share the Personal Data we collect or receive with our affiliates and Business Partners to whom it is reasonably necessary or desirable for us to disclose your Personal Data to operate our business and to perform Services for our Clients or for our Business Partners or their clients.
- Vendors: We may share Personal Data with our Vendors who perform services on our behalf and in relation to the purposes described in this Privacy Statement. For example, we may use Vendors to host our third-party management software, help us provide client support, help us analyze data as part of our Services, or help us complete due diligence investigations requiring specialized language skills, local knowledge, or access to local resources in foreign countries. We contractually require these Vendors to only process Personal Data in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements.
- Compliance with the Law: We may disclose your Personal Data to third parties if we determine that such disclosure is reasonably necessary to comply with the law, respond to valid legal process, establish, assert or defend our legal rights, or prevent fraud or abuse of Steele or our Clients. In particular, we may disclose your Personal Data in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.
- Business Transfers: If we are involved in a reorganization, merger, acquisition or sale of our assets, your Personal Data may be transferred as part of that transaction. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use Personal Data you have provided to us in a manner that is consistent with this Privacy Statement.
Your Rights and Choices
- Cookies: Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or allaboutcookies.org.
- Forms and Surveys: Our contact forms ask for contact and demographic information. This information is voluntarily provided by you and is used so that we may contact you about our products, Services and upcoming events. You may opt out of receiving any mailings at any time.
- Deactivating Your Name: Visitors to our website may unsubscribe from newsletters and all marketing related emails through our online registration forms by clicking here. If you have difficulty using these forms, you can email us at firstname.lastname@example.org. You can also opt-out of receiving other email from us by sending an email to email@example.com requesting no further contact.
- Links to Third-Party Websites: The links included within the Steele website (located at https://www.steeleglobal.com/) may let you leave our website to visit another website (“Linked Sites”). The Linked Sites are not under the control of Steele and we are not responsible for the contents of any Linked Sites, any link contained in a Linked Site, or any changes or updates to such sites. If you submit Personal Data to a Linked Site, your information is governed by their privacy statements.
- Personal Data Processed on behalf of Our Clients: It is the responsibility of our Clients to request your consent or to Process your Personal Data under another lawful basis such as their legitimate interest or to comply with a legal obligation. Questions about your rights and choices in connection with such Processing should be directed to Steele’s Client. If you are unsure of who to contact at our Client, you may contact us at DPO@steeleglobal.com.
- Personal Data Processed by Steele: In certain jurisdictions, you have the right to request access and receive information about the Personal Data we maintain about you, to update and correct inaccuracies in your Personal Data, to restrict or object to the processing of your Personal Data, to have the information blocked, anonymized or deleted, as appropriate, or to exercise your right to data portability to easily transfer information to another company. Those rights may be limited in some circumstances by local law requirements. In addition to these rights, you also have the right to lodge a complaint with a competent supervisory authority in your country of residence, place of work or where an incident took place, subject to applicable law.
- Personal Data Transfers: Your rights in connection with transfers of your Personal Data from the European Union or Switzerland are described below under Cross-Border Data Transfers.
How We Protect Your Personal Data
We maintain industry-standard administrative, technical and physical safeguards that are intended to appropriately protect your Personal Data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Data in our possession. Steele encrypts Personal Data during transmission and storage.
We also take measures to delete your Personal Data or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we Process it in the context of the Services or when you request the deletion of your Personal Data, unless we are required by law to keep the information for a longer period. Personal Data that is collected through our website will be retained in accordance with our data retention policy. Personal Data obtained from our Clients and Business Partners will be maintained for the length of the relevant agreements and the required time after their termination to meet any contractual audit or regulatory obligations or to otherwise comply with applicable law. Personal Data Processed on behalf of our Clients will be maintained for the duration of such Client agreement or until a Client, as Data Controller, directs that it be deleted.
Cross-Border Data Transfers
As a global company, Steele is engaged in cross-border transfers of Personal Data. Steele, as well as its affiliates and subsidiaries (including Steele CIS LLC; Securimate LLC; Compliance Wave LLC; TransparINT LLC; Osprey Compliance Software LLC) complies with the EU – U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of Personal Data transferred from the European Union and Switzerland to the United States. Steele has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit HTTPS://WWW.PRIVACYSHIELD.GOV/.
In compliance with the Privacy Shield Principles, Steele commits to resolve complaints about our collection and use of your Personal Data. Individuals in the European Union with inquiries or complaints regarding our Privacy Shield policy should first contact Steele at: DPO@steeleglobal.com.
Steele has further committed to refer unresolved Privacy Shield complaints to the International Centre for Dispute Resolution (ICDR/AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit: http://info.adr.org/privacy shield.html for more information or to file a complaint. The services of ICDR/AAA are provided at no cost to you. Steele has further committed to cooperate with EU data protection authorities (DPAs) and will comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.
You have the right to access your Personal Data by contacting Steele at the link set forth above. Steele may disclose your Personal Data in response to lawful requests by public authorities having jurisdiction over Steele, including to meet national security or law enforcement requirements. In connection with compliance-related due diligence investigations requested by Steele’s clients, Steele may also disclose your Personal Data to third-party investigators under contract with Steele as its agent in local jurisdictions throughout the world. In the event Steele transfers your Personal Data to third parties acting as agents on its behalf, Steele shall remain liable if such third-party agent processes your Personal Data in a manner inconsistent with the Privacy Shield Principles. Steele is subject to the investigatory and enforcement powers of the Federal Trade Commission in connection with the processing of your Personal Data under the Privacy Shield Framework and under certain conditions you may have the right to invoke binding arbitration to resolve any claim or dispute relating to the Processing of your Personal Data.
California Consumer Privacy Act (“CCPA”)
This section supplements the information contained in this Privacy Statement and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this section.
Personal Information We Collect
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:
| Categories of Personal Information | Categories of Sources from Which PI is Collected | Business Purpose for Collecting PI | Categories of and Purpose for Third Parties to Whom the PI was Disclosed |
| --- | --- | --- | --- |
| Identifiers (such as name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.) | Government databases, publicly-available news and information databases, consumer, client | Legal and regulatory compliance, for purposes of financial crime compliance, anti-bribery and anti-corruption, corporate social responsibility and ethical compliance | Service providers: to assist us in the performance of Services; Clients: to assist in legal and regulatory compliance obligations |
| Personal Information listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as a name, signature, Social Security number, address, telephone number, passport number, driver’s license or state identification card number, etc.) | Government databases, publicly-available news and information databases, consumer, client | Legal and regulatory compliance, for purposes of financial crime compliance, anti-bribery and anti-corruption, ethical compliance | Service providers: to assist us in the performance of Services; Clients: to assist in legal and regulatory compliance obligations |
| Protected classification characteristics under California or federal law (such as age, marital status, gender.) | Government databases, publicly-available news and information databases, consumer, client | Legal and regulatory compliance, for purposes of financial crime compliance, anti-bribery and anti-corruption, ethical compliance | Service providers: to assist us in the performance of Services; Clients: to assist in legal and regulatory compliance obligations |
| Professional or employment-related information (such as current or past job history or performance evaluations.) | Publicly-available news and information databases, consumer, client | Job-search related activity | Service providers: to assist us in the performance of Services |
Use of Personal Information
We may use or disclose the personal information we collect for one or more of the following business purposes:
- As listed above in “How We May Use Your Personal Data” and “How We May Share Your Personal Data”
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing Personal Information
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
We may disclose your personal information for a business purpose to the following categories of third parties:
- Our affiliates.
- Service providers.
- Third parties to whom you authorize us to disclose your personal information in connection with products or services we provide to you.
- As listed above in “How We May Share Your Personal Data”
In the preceding twelve (12) months, we have not sold personal information to third parties. We do not sell personal information of minors under sixteen (16) years of age.
Your Rights and Choices
California residents may have certain rights under the CCPA, subject to certain limitations or exceptions under applicable law:
Right to Know
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The categories of personal information that the business sold, if any, in the preceding twelve (12) months, and for each category identified, the categories of third parties to which it sold that particular category of personal information.
- The categories of personal information that the business disclosed for a business purpose in the preceding twelve (12) months, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information.
Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to provide our services to you or for recordkeeping purposes, as outlined in the CCPA.
We will not discriminate against you for exercising any of your CCPA rights, including denying you goods or services; charging different prices for services; or providing you with a different level or quality of services.
Exercising Your Rights
To exercise the rights described above, please submit a verifiable consumer request to us by either:
- Calling us at 415.692.5000
- Sending a request through our website: https://steeleglobal.com/contact/
- Emailing us at firstname.lastname@example.org
- Mailing us a request to Steele Compliance Solutions, Inc., One Sansome Street, Suite 3500, San Francisco, CA 94104
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Note, we may take steps to verify your identity before granting access to your personal information or complying with your request, such as asking for further identifying information.
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days total), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Updates to This Privacy Statement
We may modify this Privacy Statement from time to time, and will post the most current version on our website and indicate at the bottom of the policy when it was most recently updated.
How to Contact Us
Privacy Statement: If you have any questions or comments regarding Steele’s Privacy Statement or believe that any Personal Data we have about you is incorrect, or is, has been, or might be used inappropriately, please contact our Data Protection Officer via email at DPO@steeleglobal.com or write to us at:
Steele Compliance Solutions, Inc.
One Sansome Street, Suite 3500
San Francisco, CA 94104
Attn: Data Protection Officer
Last updated June 2020