Legacy Data Notice
Notification to Data Subjects about
Their Data Collected as Part of Past Due Diligence Reviews
(relevant to EU residents only)
Who stores your personal data
TRACE International, Inc. and/or TRACE Inc. (“TRACE”) are what’s known as joint “Controllers” of the personal data that you may have provided to us or that we may have gathered about you. Contact details for TRACE are set out below in the “What are your rights?” section.
Why we collected it and may still store it
A company (“Company”) with which you may be associated (e.g. employment, ownership, control, directorship, etc.) has previously undergone anti-bribery due diligence review by TRACE in order to be considered for commercial relationships with one or more of their business partners.
Information about you may have been collected as part of this review if Company identified you as a key individual associated with it in one of the following roles: a beneficial owner, officer, key employee, or someone who may have assisted Company in performance of tasks on behalf of its business partners or may have otherwise directed or influenced Company’s operations.
Company and TRACE had and still have a legitimate interest in collecting and processing your personal data to demonstrate Company’s reputation, experience and qualifications to provide services to Company’s business partners in an ethical and lawful manner. Without passing anti-bribery due diligence review by TRACE, Company could have lost significant business opportunities, which could in turn have had direct or indirect negative financial impact on you.
Such personal information was processed before the implementation of the EU General Data Protection Regulation in May 2018. The data that we may still retain about you is not used for making any future due diligence decisions about Company or you; however, we need to retain it for three years for the limited purposes of addressing any questions about, or challenges to, our past due diligence review of Company or to ascertain any significant relevant changes over time if Company requests a new due diligence review. In case of any new due diligence review of Company, which may involve your personal data, you will receive a separate personal data notification.
What legacy personal data we may still have
As part of anticorruption due diligence review of Company, we collected and processed the following categories of personal data in relation to you (which was based on your role at Company):
- Basic contact information such as name, address, email address, and telephone number;
- Employment-related information such as work history (your CV), ownership in companies, current employment, division, department, title, and job duties;
- Identifying information, including full legal name, citizenship and year of birth;
- Background information regarding bankruptcy filings, presence on government denied parties lists, any negative reports, any history of criminal violations, charges, investigations, arrests or other misconduct, conflicts of interest, and compliance with various laws and international standards;
- Information regarding relationships with government or military officials, or status as a current or former government or political party official; and
- Information on family members who have current or former government, military or political party positions.
We may have collected such Personal Data from you and/or Company, and may have also collected information from financial and business references identified by Company, and from publicly available sources such as government denied parties lists, third-party databases of Politically Exposed Persons, legal decisions about bankruptcies, criminal convictions, and collections of media reports provided by third party service providers.
We did not collect any personal data we did not need and will not keep it longer than we need. In some instances (for example, for sole proprietorships, for contract execution purposes), we may have requested identification documents and other information to verify your identity.
What we do with it
All personal data is processed by TRACE’s staff in the United States of America. TRACE may have used service providers to process your data. For example, this information is located on servers in the European Union that are hosted and maintained by third party service providers.
Any transfers of your personal data between countries are done strictly in compliance with applicable law. Your data may have been transferred to the United States of America by TRACE in pursuit of any of the purposes described above. As the United States of America has not been deemed by the EU Commission to have adequate data protection standards, such transfers are done pursuant to TRACE’s Privacy Shield registration, which is available to view at https://www.privacyshield.gov/list.
How long we keep it
We generally keep your personal data for three years from the date TRACE completes the due diligence review of Company after which time it will be destroyed. More information on our retention schedule can be found on TRACE’s website at https://www.traceinternational.org/policy.
What are your rights?
At any time, you may:
- request to see your personal data that we have;
- request to correct or delete your personal data if you believe it is incorrect;
- object to our processing of your personal data or to transfer of your data to TRACE or to Company’s business partners; or
- bring a complaint on how we have handled your personal data.
In any such instance, please contact TRACE by email at firstname.lastname@example.org or by regular mail at TRACE, 151 West Street, Annapolis, MD 21401, USA. In addition, you can contact TRACE’s EU Representative at EURepresentative@traceinternational.org or TRACE’s Data Protection Officer at DPO@traceinternational.org. If contacted, we may seek additional information from you to make sure that the personal data we may possess belongs to you. Once verified, we will evaluate your request and provide you with a response.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you may file a complaint with the Data Protection Commissioner at email@example.com or the supervisory authority located in your jurisdiction.
 Your address, email address and telephone number were collected only if you were the point of contact for Company.