GENERAL PRIVACY NOTICE - Terminal 9 Studios

GENERAL PRIVACY NOTICE

WHO WE ARE

Terminal 9 Studios is made up of different legal entities which trade as “Terminal 9 Studios” or “Terminal 9”, all of which are subsidiary undertakings of The Independents Holding Limited in the UK – CRN: 10186775 (together, “Terminal 9 Studios Group”).

This Privacy Notice is issued on behalf of Terminal 9 Studios Group, so when we mention “Terminal 9 Studios”, “Company”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in Terminal 9 Studios Group responsible for processing your data.

Terminal 9 Studios is part of the group of agencies comprising The Independents Group (together, “The Independents Group”).

Specifically, this Privacy Notice applies to Terminal 9 Studios SAS (incorporated in France, with company number 791 714 751).

Depending on your relationship with us and the relevant processing activity, one or more of these entities may act as controller of your personal data.

Where local law requires us to identify a specific local controller, representative, responsible person or privacy contact, further details are set out in the “Local Law Addendum” below or are available by contacting us.

Introduction

Terminal 9 Studios respects your privacy and is committed to protecting your personal data. This Privacy Notice will inform you as to how we look after your personal data when you visit our website or interact with us in the course of doing business, including as a client, supplier, business partner, prospective contact, event attendee or representative of any of the above, and tells you about your privacy rights and how the law protects you.

This Privacy Notice applies to:

Visitors to our website;
Clients, prospective clients, suppliers, prospective suppliers, business partners and their representatives;
Any person who communicates with us by phone, email, post, in person, through events, social media or other business interactions; and
Anyone whose information we process during our day-to-day operations, including for relationship management, marketing, compliance and business administration.

This Privacy Notice should be read together with any other notices or policies we may provide on specific occasions, including any local privacy notices, cookie notices, event notices or employee/candidate privacy notices.

Contact Details AND COMPLAINTS

If you have questions about this Privacy Notice or wish to exercise your privacy rights, please contact our Group Data Protection Officer and Group General Counsel at DPO@the-independents.com.

If you are in the EEA, UK or Switzerland, you have the right to contact your local data protection supervisory authority, but we would appreciate the chance to address your concerns first. For other jurisdictions, further details are set out in the “Local Law Addendum” below.

Changes to the Privacy Notice and Your Duty to Inform Us of Changes

We keep our Privacy Notice under regular review. Please keep us informed if your personal data changes during your relationship with us.

THIRD-PARTY LINKS

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party sites and are not responsible for their privacy notices. We encourage you to check the privacy policy and notices of every website you visit.

THE DATA WE COLLECT ABOUT YOU

We may collect, use, store, and transfer different kinds of personal data about you, including:

Identity and Contact Data: name, employer, job title, business address, email address, telephone number, social media/professional profile details and similar business contact information;
Business Communications: information provided in emails, phone calls, business meetings, events, social media messages or other professional interactions, including correspondence records and notes;
Profile Data: preferences, event attendance, interests, feedback, marketing preferences and relationship management notes;
Talent Profile Data: passport or identity information where required for travel, dietary and accessibility requirements, clothing/shoe/sample sizes, styling preferences, public social media handles, public profile information, public posts, public engagement metrics, influencer/talent campaign participation information and similar information relevant to PR, talent engagement, content production, influencer marketing or campaign management;
Technical Data: IP address, browser type, operating system, device identifiers, website usage statistics and similar information collected through cookies, analytics or other technologies. To the extent we collect cookies, please see our Cookies Policy available on our website for more information;
Due Diligence and Compliance Data: information needed for compliance purposes, including anti-bribery, sanctions, onboarding, KYC, supplier/client screening, security or regulatory checks, only as necessary;
Financial and Transaction Data: payment details, invoicing details, bank account details, purchase order information and transaction history, where relevant; and/or
Other Information: any personal data you or your organisation provide to us in the course of business.

We do not generally seek to collect special category data, sensitive personal information, criminal offence data or data relating to children through our websites or ordinary business interactions. However, in limited circumstances, we may process such information where it is necessary for a specific activity and permitted by applicable law, for example dietary or allergy information, accessibility requirements, health and safety information, passport or identity details for travel or accreditation, security/access information, information relating to minors involved in a production or event, or information which you have manifestly made public. Where required by applicable law, we will obtain consent, explicit consent or separate consent, and we will apply additional safeguards.

Where local law requires specific consent for processing sensitive personal data, cross-border transfers, marketing or other activities, we will obtain such consent where required.

We do not typically require you to provide personal information to browse our website. In this respect, we only collect personal information that you choose to provide to us, for example if you subscribe for updates, newsletters or industry reports from Terminal 9 Studios or any other members of The Independents Group, attend an event, communicate with us, or otherwise interact with us for business reasons.

We also collect non-personally identifiable and aggregated analytics data for internal reporting and improvement.

Where we ask you to provide personal data, this is usually voluntary. However, if you do not provide information that we need for contractual, compliance, security or business administration purposes, we may not be able to deal with you or your organisation, provide or receive services, invite you to events, respond to your request or comply with our legal obligations.

HOW IS YOUR PERSONAL DATA COLLECTED?

We may collect data directly from you:

When you use our website;
When you contact us through social media, by phone, email or post;
When you or your employer provide your information to us as a business contact;
When we exchange business cards, correspond at meetings/events, or engage through professional networks;
When you attend our events or interact with our campaigns; and/or
From publicly available sources, such as professional directories, LinkedIn, press sources, public registers or your organisation’s website.

We may also receive personal data from other companies within Terminal 9 Studios Group or The Independents Group, clients, suppliers, business partners, professional advisers, event partners, compliance screening providers and other third parties where lawful.

HOW WE USE YOUR PERSONAL DATA

We only use your personal data when the law allows us to and for the following purposes:

To manage our business relationship or communicate with you as a client, supplier, business partner or prospective contact;
To fulfil requests, respond to inquiries and provide or receive products and services;
To administer contracts, projects and accounts, including procurement and supply chain management;
To organise, administer and manage events, invitations and attendance;
To carry out identity, eligibility, conflict, sanctions, anti-bribery, KYC or other compliance checks where appropriate;
To send relevant updates, business communications, service information or market our services, subject to applicable marketing laws;
For internal record keeping, analytics, reporting and to improve our operations, website and services;
To protect our business, systems, premises, personnel, clients and partners;
To manage corporate transactions, reorganisations or integrations; and
To comply with our legal and regulatory obligations.

We may use analytics, ranking, categorisation or profiling tools in limited contexts, for example to understand engagement with our communications, manage event attendance, identify relevant VIPs, influencers, creators, journalists or talents, or provide social media analytics through Lefty. We do not use your personal data to make decisions based solely on automated processing which produce legal effects or similarly significant effects on you, unless we notify you separately and do so in accordance with applicable law. Where applicable law gives you a right to object to profiling, request human review or request an explanation, you may exercise those rights by contacting us.

LEGAL BASES FOR PROCESSING

We usually process your personal data on one or more of the following legal bases under data protection law:

Performance of a contract;
Compliance with a legal obligation;
Our legitimate interests, including in managing our business relationships, developing business, conducting B2B marketing, protecting our business and running our operations;
With your consent, where we specifically request it, for example for certain marketing activities, cookies, cross-border transfers or processing of sensitive information where required by local law; and/or
Other lawful bases permitted under applicable local law.

In some jurisdictions, local data protection law does not use the same “lawful basis” structure as the GDPR. In those jurisdictions, we rely on the lawful grounds available under local law, including notification, consent, contractual necessity, legal obligation, legitimate business purposes or other permitted grounds, as applicable.

PURPOSES FOR WHICH WE MAY USE YOUR PERSONAL DATA

Purpose / Activity	Type of Data	Lawful Basis
Managing our business relationships with you or your organisation (eg, communications, project administration, procurement, business opportunities, meetings, correspondence)	Identity, Contact, Business Communications, Profile	Performance of contract; Legitimate interests
Fulfilling a contract, providing or receiving goods/services	Identity, Contact	Performance of contract; Legitimate interests
Responding to inquiries, support requests, or complaints	Identity, Contact, Business Communications	Performance of contract; Legitimate interests
Managing accounts, invoicing, payments	Identity, Contact, Financial	Performance of contract; Legal obligation
Managing PR, VIP, talent, influencer, creator, accreditation, travel, accommodation, campaign and content production activities	Identity, Contact, Event, VIP, Talent and Public Profile Data, Business Communications, Profile, limited sensitive information where necessary	Legitimate interests; performance of contract; legal obligation; consent / explicit consent / separate consent where required
Compliance (eg, anti-bribery, sanctions checks, KYC/CDD, regulatory recordkeeping)	Identity, Due Diligence	Legal obligation; Legitimate interests
Marketing and business development communications to existing or potential clients/suppliers	Identity, Contact, Profile, Marketing Preferences	Legitimate interests (B2B marketing); Consent (if required)
Event invitations, attendance and relationship management	Identity, Contact, Profile, Business Communications, Marketing Preferences	Legitimate interests; Performance of contract; Consent where required
Website analytics, security, system development	Technical	Legitimate interests; Consent where required
Group administration, reporting, integration and business planning	Identity, Contact, Business Communications, Profile, Financial and Transaction	Legitimate interests; Legal obligation

MARKETING

We may use your Identity and Contact Data, Business Communications and Profile Data to send you information or offers about our services, events, insights or other relevant business updates.

You may receive marketing communications if you have requested information, are an existing or former client/supplier, have attended or expressed interest in an event, or have otherwise engaged with us for business, unless you opt out.

Where required by local law, we will only send marketing communications with your consent. This may include certain electronic marketing, direct marketing, use of cookies or marketing to individuals in certain jurisdictions.

You can withdraw your consent or object to marketing at any time by using any unsubscribe links in marketing emails or by contacting us at DPO@the-independents.com.

We do not sell your personal data for monetary consideration. Where applicable US privacy laws treat certain analytics, advertising or cookie activities as a “sale”, “sharing” or “targeted advertising”, you may opt out through our cookie consent tool or by contacting us.

DISCLOSURES OF YOUR PERSONAL DATA

We may share your personal data with:

Other companies in Terminal 9 Studios Group and/or The Independents Group for the purposes described above;
External third parties, such as IT providers, CRM providers, marketing platforms, cloud hosting providers, event partners, travel providers, business support services, compliance screening providers, professional advisers, insurers, auditors, regulatory authorities or those who provide services to us;
Clients, suppliers, business partners and event partners where necessary for the relevant business purpose;
Third parties as part of a business transfer, merger, acquisition, reorganisation, investment, integration or asset sale; and/or
Any other person where permitted or required by law.

We require third parties to respect the security of your personal data and to process it lawfully, fairly and, where they act as our processors or service providers, in accordance with our instructions.

Where local law requires us to provide more detailed information about third-party recipients, processors, service providers, overseas recipients or outsourced processing arrangements, we will do so in the “Local Law Addendum”, in a separate local notice, through our website or on request, as required by applicable law.

INTERNATIONAL TRANSFERS

We may transfer your personal data outside of your country of residence, including to the UK, EEA, United States, Hong Kong, Singapore, Japan, Korea, PRC, Switzerland, UAE and other countries in which Terminal 9 Studios Group, The Independents Group or our service providers operate.

Where we transfer personal data internationally, we take steps designed to ensure appropriate protection for your personal data in accordance with applicable law. These may include:

Transfers to countries with adequacy decisions or equivalent recognition;
Using approved contracts and transfer mechanisms, including EU Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, Swiss transfer safeguards, PRC Standard Contract where applicable, Korean overseas transfer notices or consents where required, Japan APPI transfer mechanisms, or other applicable transfer agreements;
Conducting transfer impact assessments where required;
Implementing technical, organisational and contractual safeguards;
Obtaining consent where required by local law;
Completing local filings, assessments or regulatory procedures where required; and/or
Relying on other safeguards or derogations permitted by law.

You may contact us for more details about how we safeguard international transfers.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed, altered or disclosed in an unauthorised way. We also limit access to your personal data to those employees, agents, contractors and authorised third parties who have a business need to know.

We maintain appropriate administrative, technical and organisational measures having regard to the nature of the personal data, the risks of processing and applicable legal requirements.

DATA RETENTION

We retain your personal data only for as long as reasonably necessary for the purposes for which it was collected, including to manage our relationship with you or your organisation, provide or receive services, maintain business records, comply with legal, regulatory, tax, accounting and reporting obligations, resolve disputes and protect our legal rights.

In general, business contact and relationship management data is retained for the duration of our relationship with you or your organisation and for a reasonable period afterwards. Contract, project, invoicing, tax and accounting records are typically retained for up to 6–7 years after the relevant relationship, contract or transaction, unless a longer period is required by law or otherwise appropriate. Marketing contact data is retained until you unsubscribe, opt out or object, after which we may retain limited suppression details to ensure we respect your preferences. Where applicable, website analytics and cookie data are retained for the periods described in our Cookies Policy or cookie consent tool.

When determining the appropriate retention period, we consider the nature and sensitivity of the personal data, the purposes for which it is processed, applicable legal limitation periods, regulatory requirements and our legitimate business needs. Details of our retention periods are set out in our Data Retention Policy, which is available on request.

When personal data is no longer required, we will delete it, anonymise it or securely archive it in accordance with our policies and applicable law.

YOUR LEGAL RIGHTS

Under certain circumstances, you may have rights under data protection law in relation to your personal data, including to:

Request access to your personal data;
Request correction of your personal data;
Request erasure of your personal data;
Object to processing;
Request restriction of processing;
Request the transfer or portability of your data;
Withdraw consent at any time, where processing is based on consent;
Opt out of direct marketing;
Opt out of certain sales, sharing, targeted advertising or profiling, where applicable;
Request information about third-party recipients, overseas transfers or safeguards, where applicable;
Appeal a decision we make about your privacy rights request, where applicable; and
Lodge a complaint with a data protection or privacy authority.

To exercise any of these rights, please contact us at DPO@the-independents.com.

You will not usually have to pay a fee to access your personal data or to exercise your rights. However, we may charge a reasonable fee or refuse to comply where a request is unfounded, repetitive, excessive or otherwise permitted to be refused under applicable law.

LOCAL LAW ADDENDUM

This Local Law Addendum supplements the main Privacy Notice and applies where local data protection or privacy laws give individuals additional rights or require additional disclosures. For certain jurisdictions, local law may require additional or more specific disclosures than those set out in this Local Law Addendum. Where a jurisdiction is relevant, we may make available a local privacy schedule on our website. Any such local privacy schedule forms part of this Privacy Notice and applies to the extent the relevant local law applies to our processing of your personal data. If there is any inconsistency between this Privacy Notice, this Local Law Addendum and a local privacy schedule, the local privacy schedule will apply to the extent required by applicable law. Please see our website for further details.

EU and UK

Where EU or UK data protection law applies, we process your personal data in accordance with the GDPR, UK GDPR and applicable local implementing laws.

You have the GDPR rights described above, including rights of access, correction, erasure, objection, restriction, portability and withdrawal of consent.

You may lodge a complaint with your local supervisory authority.

Switzerland

Where Swiss data protection law applies, we process personal data in accordance with the Swiss Federal Act on Data Protection.

References in this Privacy Notice to personal data include personal data as defined under Swiss law. International transfers are protected through adequacy decisions, contractual safeguards or other mechanisms recognised under Swiss law.

You may have rights to access, correction, deletion, objection and information about the processing of your personal data. You may also contact the Swiss Federal Data Protection and Information Commissioner.

Hong Kong

Where Hong Kong law applies, this Privacy Notice is intended to operate as a Personal Information Collection Statement under the Hong Kong Personal Data (Privacy) Ordinance.

We collect personal data for the purposes described above. Providing personal data is generally voluntary, but if you do not provide information we reasonably require, we may not be able to deal with you or your organisation.

We may transfer personal data to the categories of recipients described in “Disclosures of Your Personal Data”.

If we use your personal data for direct marketing, we will comply with applicable Hong Kong direct marketing requirements. You may opt out of direct marketing at any time.

You may request access to and correction of your personal data by contacting us as set out above.

Singapore

Where Singapore law applies, we process personal data in accordance with the Singapore Personal Data Protection Act.

We collect, use and disclose personal data for the purposes described in this Privacy Notice, and we may rely on consent, deemed consent, contractual necessity, legitimate interests, business improvement or other exceptions permitted by Singapore law.

You may withdraw consent, request access to personal data and request correction of personal data by contacting us.

We will protect personal data transferred outside Singapore in accordance with the PDPA. Where applicable, we will also comply with Singapore Do Not Call and marketing rules.

Our data protection contact is: DPO@the-independents.com.

Japan

Where Japanese data protection law applies, we process personal information in accordance with the Act on the Protection of Personal Information of Japan.

We process personal information for the purposes described in this Privacy Notice and will not use personal information beyond those purposes except where permitted by applicable law.

Where required by Japanese law, we will provide additional information about the relevant member of The Independents Group which is responsible for handling personal information, the purposes of use, third-party provision, overseas transfers, joint use within The Independents Group, security control measures, retention, and procedures for exercising privacy rights.

Where personal information is jointly used within The Independents Group, the categories of jointly used personal information, purposes of joint use, scope of joint users and responsible entity will be described in this Privacy Notice, in a local privacy schedule or otherwise made available as required by Japanese law.

Where required, we will obtain consent or provide information required under Japanese law before transferring personal data to third parties outside Japan.

You may request disclosure, correction, addition, deletion, suspension of use, erasure, suspension of third-party provision or other rights recognised under Japanese law by contacting us at DPO@the-independents.com.

Where Japan is a relevant territory, a Japan Privacy Schedule will be made available on our website and will supplement this Privacy Notice.

Korea

Where Korean data protection law applies, we process personal information in accordance with the Personal Information Protection Act of Korea and applicable related laws and regulations.

We process personal information for the purposes described in this Privacy Notice and retain it only for as long as necessary for those purposes, unless a longer retention period is required or permitted by applicable law.

Where required by Korean law, we will provide additional information about the relevant member of The Independents Group which is responsible for processing personal information, the categories of personal information processed, purposes of processing, retention periods, third-party provision, outsourced processing, overseas transfers, destruction procedures, security measures, privacy contact details and procedures for exercising privacy rights.

Where required by Korean law, we will obtain consent or provide specific notices for certain processing activities, including the processing of sensitive information or unique identification information, third-party provision of personal information, outsourced processing and overseas transfers.

Your personal information may be transferred outside Korea to The Independents Group and service providers in other jurisdictions for the purposes described in this Privacy Notice. Where required, we will provide additional information about overseas transfers, including the recipient, country of transfer, transfer date and method, purpose of transfer, categories of personal information transferred and retention period.

Subject to applicable Korean law, you may have rights to access your personal information, request correction or deletion, request suspension of processing, withdraw consent and exercise other rights recognised under Korean law.

You may exercise your rights by contacting us at DPO@the-independents.com.

Where Korea is a relevant territory, a Korea Privacy Schedule will be made available on our website and will supplement this Privacy Notice.

People’s Republic of China

Where PRC data protection law applies, we process personal information in accordance with the Personal Information Protection Law of the People’s Republic of China, together with applicable PRC data protection, cybersecurity and data security laws.

We process personal information for the purposes described in this Privacy Notice and will process personal information only in accordance with the lawful grounds available under applicable PRC law.

Where required by PRC law, we will provide additional information about the relevant member of The Independents Group which is responsible for processing personal information, the purposes and methods of processing, categories of personal information processed, retention periods, sharing with third parties, entrusted processing, public disclosure, cross-border transfers, sensitive personal information and procedures for exercising privacy rights.

Where required by PRC law, we will obtain separate consent for certain processing activities, including processing sensitive personal information, sharing personal information with other personal information processors, public disclosure and transferring personal information outside PRC.

Your personal information may be transferred outside PRC to The Independents Group and service providers in other jurisdictions for the purposes described in this Privacy Notice. Where required, we will implement applicable PRC cross-border transfer mechanisms, which may include personal information protection impact assessments, PRC standard contracts, regulatory filings, security assessments, certification, separate consent or other measures required by law.

Subject to applicable PRC law, you may have rights to know and decide about the processing of your personal information, restrict or refuse processing, access and copy your personal information, correct or supplement inaccurate or incomplete personal information, request deletion, withdraw consent, request an explanation of our processing rules and exercise other rights recognised under PRC law.

You may exercise your rights by contacting us at DPO@the-independents.com.

Where PRC is a relevant territory, a China Privacy Schedule will be made available on our website and will supplement this Privacy Notice.

Middle East

Where Middle East data protection laws apply, including in the UAE, KSA and Qatar, we process personal data in accordance with applicable local requirements. This may include requirements relating to lawful basis or consent, sensitive personal data, individual rights, international transfers, breach notification, record-keeping, regulator notifications or registrations, and privacy governance.

You may have rights under applicable local law, including rights to access, correct or delete your personal data, object to or restrict processing, withdraw consent and complain to a relevant data protection authority. Relevant authorities may include the Saudi Data & AI Authority, the UAE Data Office, the DIFC Commissioner of Data Protection, the ADGM Office of Data Protection, the Qatar Ministry of Communications and Information Technology, or another applicable local authority.

To exercise your rights, please contact DPO@the-independents.com.

United States

Where United States privacy, data security or breach notification laws apply, we process personal information in accordance with applicable federal and state requirements.

We collect, use, disclose and retain personal information for the purposes described in this Privacy Notice, including business relationship management, service delivery, event management, marketing and business development, website analytics, compliance, security, group administration and legal or regulatory purposes.

Where applicable US state privacy laws require additional disclosures, we will provide information about the categories of personal information collected, sources of personal information, purposes of collection and use, categories of recipients to whom personal information is disclosed, retention periods, sensitive personal information, consumer rights and whether personal information is sold, shared or used for targeted advertising.

We do not sell personal information for monetary consideration. However, certain cookie, analytics, advertising or similar technologies may be considered a “sale”, “sharing” or “targeted advertising” under California, Delaware or other US state privacy laws. Where applicable, you may opt out through our cookie consent tool, any “Do Not Sell or Share My Personal Information” link available on our website, or by contacting us.

Subject to applicable law, US residents may have rights to know/access personal information, request correction, request deletion, obtain a portable copy of personal information, opt out of sale, sharing, targeted advertising or certain profiling, limit certain uses or disclosures of sensitive personal information, appeal a decision about a privacy request, and not be discriminated against for exercising privacy rights.

For Delaware residents, where the Delaware Personal Data Privacy Act applies, you may have additional rights, including rights to access, correct, delete and obtain a copy of personal data, and to opt out of targeted advertising, sale of personal data and certain profiling. You may also have the right to appeal our response to your request.

For New York residents, applicable New York laws may require reasonable data security safeguards and breach notifications. If sector-specific laws apply to our processing, we will comply with those requirements as applicable.

For California residents, where the California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies, additional California-specific disclosures are set out in our California Privacy Schedule, which will be made available on our website where required and will supplement this Privacy Notice.

You may exercise your rights by contacting us at DPO@the-independents.com. Where applicable, you may also use any privacy request mechanism, cookie tool or opt-out link made available on our website.

GLOSSARY:

LAWFUL BASIS AND PERSONAL DATA TYPES

Consent means a freely given, specific, informed and unambiguous indication of your wishes, where required by applicable law. In some jurisdictions, separate or explicit consent may be required for certain processing activities.

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

Personal Data means information relating to an identified or identifiable individual and includes equivalent concepts under applicable local law.

Sensitive Personal Data / Sensitive Personal Information means information given special protection under applicable law, which may include health data, biometric data, precise location data, financial account data, government identifiers, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation or other information treated as sensitive under local law.

INTERNAL THIRD PARTIES

Other companies in Terminal 9 Studios Group and The Independents Group (acting as joint controllers or processors) and who are based within and outside the EEA and provide IT and system administration services, undertake leadership reporting and/or have access to group-wide databases.

EXTERNAL THIRD PARTIES

Service providers (acting as processors) based within and outside the EEA who provide various IT and system administration services.

Professional advisers, who may act as processors, independent controllers or joint controllers depending on the circumstances, including lawyers, bankers, auditors and insurers, based within and outside the EEA who provide consultancy, banking, legal, insurance and accounting services.

Tax authorities, regulators, courts, law enforcement bodies and other public authorities, where required or permitted by law.

YOUR LEGAL RIGHTS

You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

If you want us to establish the data’s accuracy.
Where our use of the data is unlawful but you do not want us to erase it.
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Updated: 16 January 2026