Legacy Data Notice

Notification to Data Subjects about
Their Data Collected as Part of Past Due Diligence Reviews

(relevant to EU residents only)

Who stores your personal data

TRACE International, Inc. and/or TRACE Inc. (“TRACE”) are what’s known as joint “Controllers” of the personal data that you may have provided to us or that we may have gathered about you.  Contact details for TRACE are set out below in the “What are your rights?” section.

Why we collected it and may still store it

A company (“Company”) with which you may be associated (e.g. employment, ownership, control, directorship, etc.) has previously undergone anti-bribery due diligence review by TRACE in order to be considered for commercial relationships with one or more of their business partners.

Information about you may have been collected as part of this review if Company identified you as a key individual associated with it in one of the following roles: a beneficial owner, officer, key employee, or someone who may have assisted Company in performance of tasks on behalf of its business partners or may have otherwise directed or influenced Company’s operations.

Company and TRACE had and still have a legitimate interest in collecting and processing your personal data to demonstrate Company’s reputation, experience and qualifications to provide services to Company’s business partners in an ethical and lawful manner. Without passing anti-bribery due diligence review by TRACE, Company could have lost significant business opportunities, which could in turn have had direct or indirect negative financial impact on you.

Such personal information was processed before the implementation of the EU General Data Protection Regulation in May 2018.  The data that we may still retain about you is not used for making any future due diligence decisions about Company or you; however, we need to retain it for three years for the limited purposes of addressing any questions about, or challenges to, our past due diligence review of Company or to ascertain any significant relevant changes over time if Company requests a new due diligence review.  In case of any new due diligence review of Company, which may involve your personal data, you will receive a separate personal data notification.

What legacy personal data we may still have

As part of anticorruption due diligence review of Company, we collected and processed the following categories of personal data in relation to you (which was based on your role at Company):

  • Basic contact information such as name, address, email address, and telephone number;[1]
  • Employment-related information such as work history (your CV), ownership in companies, current employment, division, department, title, and job duties;
  • Identifying information, including full legal name, citizenship and year of birth;
  • Background information regarding bankruptcy filings, presence on government denied parties lists, any negative reports, any history of criminal violations, charges, investigations, arrests or other misconduct, conflicts of interest, and compliance with various laws and international standards;
  • Information regarding relationships with government or military officials, or status as a current or former government or political party official; and
  • Information on family members who have current or former government, military or political party positions.

We may have collected such Personal Data from you and/or Company, and may have also collected information from financial and business references identified by Company, and from publicly available sources such as government denied parties lists, third-party databases of Politically Exposed Persons, legal decisions about bankruptcies, criminal convictions, and collections of media reports provided by third party service providers.

We did not collect any personal data we did not need and will not keep it longer than we need. In some instances (for example, for sole proprietorships, for contract execution purposes), we may have requested identification documents and other information to verify your identity.

What we do with it

All personal data is processed by TRACE’s staff in the United States of America. TRACE may have used service providers to process your data.  For example, this information is located on servers in the European Union that are hosted and maintained by third party service providers.

Any transfers of your personal data between countries are done strictly in compliance with applicable law.  Your data may have been transferred to the United States of America by TRACE in pursuit of any of the purposes described above.  As the United States of America has not been deemed by the EU Commission to have adequate data protection standards, such transfers are done pursuant to TRACE’s Privacy Shield registration, which is available to view at https://www.privacyshield.gov/list.

How long we keep it

We generally keep your personal data for three years from the date TRACE completes the due diligence review of Company after which time it will be destroyed.  More information on our retention schedule can be found on TRACE’s website at https://www.traceinternational.org/policy.

What are your rights?

At any time, you may:

  • request to see your personal data that we have;
  • request to correct or delete your personal data if you believe it is incorrect;
  • object to our processing of your personal data or to transfer of your data to TRACE or to Company’s business partners; or
  • bring a complaint on how we have handled your personal data.

In any such instance, please contact TRACE by email at privacyofficer@traceinternational.org or by regular mail at TRACE, 151 West Street, Annapolis, MD 21401, USA.  In addition, you can contact TRACE’s EU Representative at EURepresentative@traceinternational.org or TRACE’s Data Protection Officer at DPO@traceinternational.org.  If contacted, we may seek additional information from you to make sure that the personal data we may possess belongs to you.  Once verified, we will evaluate your request and provide you with a response.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you may file a complaint with the Data Protection Commissioner at info@dataprotection.ie or the supervisory authority located in your jurisdiction.



[1]               Your address, email address and telephone number were collected only if you were the point of contact for Company.





Notification to Data Subjects about
Their Data Collected as Part of Past TRAC Applications
(relevant to EU residents only)
 
Who needs your personal data
 
TRACE International, Inc. and/or TRACE Inc. (“TRACE”) are what’s known as joint “Controllers” of the personal data that you may have provided to us or that we may have gathered about you. Contact details for TRACE are set out below in the “What are your rights?” section.
 
Why we collected it and may still need it
 
A company (“Company”) with whom you may be associated (e.g. employment, ownership, control, etc.) has previously obtained a TRACE Registered Access Code (“TRAC”) from TRACE in order to demonstrate its commitment to commercial transparency and to be considered for commercial relationships with one or more business partners.
 
Information about you may have been collected as part of the TRAC review if Company identified you as a key individual associated with it in one of the following roles: a beneficial owner, officer, or point of contact.
 
Company and TRACE had and still have a legitimate interest in collecting and processing your personal data to allow Company’s business partners to obtain baseline due diligence about Company’s bona fides and to demonstrate Company’s ability to provide services to its business partners in an ethical and lawful manner. Without obtaining the TRAC, Company could have lost significant business opportunities, which could in turn have had direct or indirect negative financial impact on you.
 
Such personal information was processed before the implementation of the EU General Data Protection Regulation in May 2018. The data that we may still retain about you is not used for making any future due diligence decisions about Company or you; however, we need to retain it for three years for the limited purposes of addressing any questions about, or challenges to, our past TRAC review of Company or to ascertain any significant relevant changes over time if Company requests a renewal of its TRAC. In case of any new TRAC review of Company, which may involve your personal data, you will receive a separate personal data notification.
 
What legacy personal data we may still have
 
As part of TRAC review of Company, we collected and processed the following categories of personal data in relation to you (which may vary based on your role in the Company):
 
  • Full name;
  • Email address (only if you are the point of contact or authorized representative for Company);
  • Citizenship;
  • Ownership percentage in Company (if any);
  • Information whether you are a government official; and
  • Information regarding presence on government black lists and denied parties lists.
 
We may have collected such Personal Data from you and/or Company, and may have also collected information from publicly available sources such as third-party databases of government denied parties lists.
 
We did not collect any personal data we did not need and will not keep it longer than we need. In some instances (for example, for sole proprietorships, for contract execution purposes), we may have requested identification documents and other information to verify your identity. However, once the identity was verified, we deleted this information and it is not stored in our databases.
 
What we do with it
 
All personal data is processed by TRACE’s staff in the United States of America. TRACE may use service providers to process your data. For example, this information is located on servers in the United States or the European Union that are hosted and maintained by third party service providers.
 
Any transfers of your personal data between countries are done strictly in compliance with applicable law. Your data may have been transferred to the United States of America by TRACE in pursuit of any of the purposes described above. As the United States of America has not been deemed by the EU Commission to have adequate data protection standards, such transfers are done pursuant to TRACE’s Privacy Shield registration, which is available to view at https://www.privacyshield.gov/list.
 
How long we keep it
 
We generally keep your personal data for three years from the date TRACE issues the TRAC number to the Company after which time the data is deleted. More information on our retention schedule can be found on TRACE’s website at https://www.traceinternational.org/policy.
 
What are your rights?
 
At any time, you may:
 
  • request to see your personal data that we have;
  • request to correct or delete your personal data if you believe it is incorrect;
  • object to our processing of your personal data or to transfer of your data to TRACE or to Company’s business partners; or
  • bring a complaint on how we have handled your personal data.
 
In any such instance, please contact TRACE by email at privacyofficer@traceinternational.org or by regular mail at TRACE, 151 West Street, Annapolis, MD 21401, USA. In addition, you can contact TRACE’s EU Representative at EURepresentative@traceinternational.org or TRACE’s Data Protection Officer at DPO@traceinternational.org. If contacted, we may seek additional information from you to make sure that the personal data we may possess belongs to you. Once verified, we will evaluate your request and provide you with a response.
 
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you may file a complaint with the Data Protection Commissioner at info@dataprotection.ie or the supervisory authority located in your jurisdiction.
 
This website uses cookies to ensure you get the best experience on our website. MORE INFO