email_website
email_website

Effective Date: October-2016

1. Introduction About our privacy policy

As a global professional product and services business with AML-CFT regulatory and financial crime at its core, we are committed to safeguarding the privacy and security of the personal information in our care. This policy explains how we collect your personal information, what we do with it, and your rights. Our separate policy, found here (embed link to web page), sets out similar information about the cookies we use. 

Definitions:

EdificeMeans; Edifice Global Markets Limited
“we”,“us” or “our”Means; Edifice
“Website”This means; The website published by Edifice and accessible on the World Wide Web through the uniform resource locator should be noted: https://www.edificegm.com
“you” or “your”This means any individual who has viewed, uploaded, downloaded, utilized, or otherwise accessed the Website or Website Information.

Some of other terminology we use in this policy is set out in section 10.

Edifice products and services play a crucial role in ensuring compliance with anti-money laundering and combating the financing of terrorism regulations, as well as in managing international business risks associated with operational counterparty and third-party risk.

Edifice Global Markets Limited, a company registered in Hong Kong with Business Registration No 66817932, operates this website. Its registered office is Level 18, China Building, 29 Queen’s Road Central, Central, Hong Kong.

Our global reach means that we are subject to the differing data protection regimes of the jurisdictions in which we operate.  We strive to achieve uniformity of data protection practices across Edifice’s international presence while complying with all data protection laws.

This policy reflects the Personal Data (Privacy) Ordinance Hong Kong and Data Protection Legislation European Union “EU” General Data Protection Regulation “GDPR” standard of protection of personal information. It references the relevant Articles of the EU GDPR where appropriate.  In those jurisdictions where data protection regimes differ significantly from the EU GDPR, elements of this policy may not apply, for example, individuals’ rights to their personal information, and this policy does not establish rights or obligations which are additional to those prescribed in the applicable local data protection law.

We are the data controller “Data User” of the personal information that we process, i.e., the organisation that determines, alone or jointly with another party, how your personal information is processed and for what purposes. This means that we are legally responsible for ensuring our systems, processes, suppliers, and people comply with data protection laws in relation to the personal information that we handle.  

Edifice’s central IT systems are in the UK, EU, or USA and are controlled by Edifice.  Much of Edifices’ internal business operations are also centralised in Hong Kong, operating out of Edifice to support the business globally.  Edifice is the data controller of personal data processed for these centralised services.  However, it depends on the jurisdiction from which our legal or other services are provided or in which we otherwise process your personal information.  

Where we transfer your data to third parties, in certain circumstances, those third parties may also be data controllers.  More information about this is provided in the ‘Disclosure’ sections of the tables in section 5 of this policy. 

We want to offer you a means of contacting the right people in our organisation as swiftly and efficiently as possible. Therefore, we have dedicated email addresses managed by our team of privacy specialists, who support our global network on privacy matters. 

You may contact our privacy specialist with questions about this policy or our privacy practices at privacy@edificegm.com.

You have the right to your personal information in our care.  More information about these rights is set out in section 7 of this policy.  You may exercise your rights by emailing our Privacy specialist at privacy@edificegm.com.

Whilst our Privacy specialist operates through our centralised business operations in Hong Kong, for which Edifice Global Markets Limited is the data controller, the team works closely with information law and data protection specialists from the Edifice global network.  As such, our dedicated email address has a global reach, and your communications are directed to the appropriate data controller within Edifice, as applicable. 

Our global presence: means that your personal information may be transferred across the business worldwide due, for example, to our shared IT systems and data centers and cross-border working practices.

Personal data transfers: are facilitated across Edifice Global Markets Limited through an intra-group agreement, which applies contractual protections and other appropriate safeguards required under applicable data protection law to all such transfers of personal data within Edifice.  Such contractual protections include obligations on Edifice.

Entities based outside: of Hong Kong are encouraged to carefully consider and evaluate data requests made by local government agencies and to respond in a manner that aligns with relevant legal and ethical considerations.

  • We also use a number of suppliers and service providers in connection with the operation of our business who may have access to the personal information that we process. For example, IT suppliers when providing us with software support or cloud services or a company we use for a marketing campaign when processing your contact information on our behalf.
  • Your personal information is handled and protected under applicable data protection laws. Where we use cloud services, our data will generally be hosted within the UK or EU, which offer the highest level of data protection regulation of all the regions in which we operate.
  • Where any personal data is processed by suppliers outside the European Economic Area “EEA” in countries that the UK and/or the EU have not assessed as providing an adequate level of data protection, we ensure that personal data is adequately protected under applicable data protection law of Hong Kong, and in particular Article 46 of the UK GDPR and the EU GDPR in which the laws of Hong Kong has adopted, by ensuring information security and other appropriate safeguards are in place, and using approved model contract clauses to cover the transfer or by ensuring that the supplier has Binding Corporate Rules in place.

We collect and process the personal information:

  • of our non-counterparty contacts, such as those who use our website and online services, attend our webinars, seminars and events, and subscribe to our newsletters, email services and other promotional services(see section 5.1, ‘Service Users, Non-Counterparty Contacts and Visitors’, for more information);
  • obtained or created concerning the AML-CFT regulatory and financial crime services we provide, including the personal information of:
  • our counterparties, our counterparty contacts, their people and third parties engaged by our counterparties (see 5.2, ‘Counterparty and Counterparty Contacts’);
  • counterparties and other third parties connected to the matters on which we are working for our counterparty (see 5.5, ‘Service Providers and Other Non-Counterparty Individuals / Third Parties’); and
  • professional advisers, experts and consultants involved in the work that we carry out for our counterparty or engaged by us to support our counterparty work (see 5.5);
  • of those who apply for a job or work placement with us (see 5.3, ‘Applicants’); of our people;
  • of Various and prospective Various (see 5.4, ‘Various and Prospective Various’); and
  • of contractors, suppliers and other third parties connected to the operation of our business (see 5.5).

We collect and process the personal information:

  • We will only process your personal information where we are permitted by law, meaning when we have one or more legal bases. The following subsections explain how we process your personal information depending on how it typically comes into our care and include further information about the legal basis or bases that we rely on in those circumstances.

  • In some cases, we use the legal basis called ‘legitimate interests’ to handle your personal information. This means that we process your data when it is necessary to pursue our legitimate business interests in a manner that is reasonably expected as part of running our business but which does not harm you and has minimal impact on your privacy. Before processing your personal information for our legitimate interests, we assess any potential impact on your privacy.

  • If we want to use your personal information for reasons other than those mentioned above, we will first check if these additional purposes are compatible with the original ones. Personal data will only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate, but not excessive for such a purpose. The means of data collection must be legal and fair. The data controller is required to keep a logbook to document all refusals.

  • When we gather personal data directly from individuals, we will inform you whether providing it is mandatory or optional, explain the purpose of using your data, and disclose the categories of individuals with whom your data may be shared.

  • You have the right to access your data for corrections and updates during our regular review of your data.

  • Data controller (Data User)
    Regarding our global website and online services, as well as our local and international initiatives, such as e-KYC/CDD services, webinars, seminars and events, newsletters, email services, or other promotional services, Edifice ordinarily acts as data controller.
  • Legal bases for processing
      • You have provided us with your consent to use your personal information, e.g. in the course of e-KYC services, subscribing to our newsletters, completing a questionnaire of ours, signing-up to an event or creating an online account via our website (Article 6(1)(a) EU GDPR).
      • It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
      • It is necessary for the performance of a contract with you, e.g. in connection with the provision of legal or other professional services to you involving our online  tools, products and systems (Article 1(6)(b) EU GDPR).

    We handle sensitive personal data when needed, with your consent.”(Article 9(2)(a) EU GDPR).

  • Types of personal data: Outline Customer due diligence “CDD” involves conducting background checks, and screening potential and existing customers to ensure they’re correctly risk-assessed and not involved in money laundering, sanctions, terrorism or money muling. Minimum CDD includes checking customers against prohibited lists (PEPs and sanctions), as well as capturing and verifying:
    Individuals Legal Person (Company)
    Data information minimal extract examples indication
    purposes:
    		Data information minimal extract examples indication
    purposes:
    • Full Name (As stated on the government-issued document)
    • Government issues document
    • Liveness check self-identification photo
    • Date of Birth
    • Nationality
    • Residential address
    • Contact information
    • Occupation type
    • Name of employer/nature of self-employment
    • Note: further information will be required
    • General Corporate Information
    • Professional contact information
    • Company structure
    • Certificate of Incorporation
    • Partnership Agreement
    • Related company(ies)
    • Ultimate Beneficiary Owner
    • Liveness check self-identification photo.
    • Note: further information will be required

    The above merely indicates the minimum risk assessment; further information regarding you may be necessary.

  • Collection: Directly from you, e.g. when you register for our online seminars or webinars, or to receive communications from us, or when you subscribe to our online services or provide information through Edifice electronic Know Your Customer “e-KYC” platforms made available to you in connection with services that we provide to you. We use third-party software to help us manage our documentation communications. When we send you such communications, we gather information through unique links that enable us to track who opens particular articles or emails so that we can assess their relevance and improve how we interact with you. In doing so, we do not use any technology (e.g., cookies) to store or access data on your device. Our website, for example, sends connection data to our web server when your browser connects to our website. Through web-based services like our tech-based counterparty solutions, we may collect analytical information via e-KYC platforms provided to you in connection with our services. We are obligated to consider other publicly available sources under applicable law.
  • Use
    • To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
    • To provide and improve our services and products, e.g., by monitoring and recording information relating to web-based services such as how and when systems are accessed and how data is uploaded, to analyse performance, subject always to our obligations under applicable law.
    • To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
    • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
    • Subject to our legal obligations, we aim to enhance your experience on our website, newsletters, and other services. This includes monitoring and recording information about your browsing behaviour to provide more efficient and relevant personalized content.
    • To facilitate our internal business operations, e.g. internal record keeping and accounting.
    • Subject always to our obligations under applicable law to monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.
    • For information and physical security and the prevention and detection of criminal and dishonest activity, including ensuring the security of our website and premises and protecting our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity, and scanning communications for appropriate content, attachments and viruses.
  • Disclosure
    • Your personal information may be transferred worldwide:
      • across Edifice Global Markets Limited activities;
      • to service providers who support the operation of our business;
      • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where and to the extent that we are compelled to do so by law, regulation or professional obligations; and
      • to other third parties in limited circumstances, e.g. where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event).

      Some of these recipients may act as data controllers. In all cases, we will only share the minimum personal information required for the specific purpose. This sharing is subject to appropriate provisions and safeguards regarding the rights of data subjects, information security, disclosure, confidentiality, and data protection. For more information about personal data transfers, please refer to section 3 of this policy.

When we receive instructions related to AML-CTF compliance, operational counterparty risk matters, or when we are engaged for other professional services, we may need to process personal information of a counterparty’s customer and their contacts, counterparty contacts, litigants in person, advisors, experts, counsel, witnesses, and other individuals named in or connected with the services that we provide.

  • Data controller (Data User) : Regarding counterparty matter data, we act as the data controller rather than the data processor, under local laws and relevant data protection/supervisory authority guidance in the jurisdictions where we operate. When Edifice is instructed on a particular matter, it will typically be the data controller in this context. As a professional services company, we must adhere to professional codes of conduct and regulations for all Trust and Company Service Providers. We are not permitted to agree to act solely based on our counterparty’s instructions regarding the data we process. Regarding our global communications and business development initiatives, Edifice typically serves as the data controller (please see section 2.1 of this policy for more details). However, Edifice may also act as the data controller if it organises or delivers local communications and initiatives.
  • Legal bases for processing :
    • It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with our counterparty, e.g. in connection with the provision of AML-CTF compliance, operational counterparty risk or other professional services to our Counterparty (Article 1(6)(b) EU GDPR).
    • It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with you, e.g. in connection with the provision of legal or other professional services to you involving our online tools, products and systems (Article 1(6)(b) EU GDPR).

We handle sensitive personal data when needed, with your consent.” (Article 9(2)(a) EU GDPR).

  • Types of personal data: Outline Customer due diligence “CDD” involves conducting background checks, and screening potential and existing customers to ensure they’re correctly risk-assessed and not involved in money laundering, sanctions, terrorism or money muling. Minimum CDD includes checking customers against prohibited lists (PEPs and sanctions), as well as capturing and verifying:
  • Collection : Directly from you, e.g. when you register for our online seminars or webinars, or to receive communications from us, or when you subscribe to our online services or provide information through Edifice electronic Know Your Customer “e-KYC” platforms made available to you in connection with services that we provide to you.
    We use third-party software to help us manage our documentation communications. When we send you such communications, we gather information through unique links that enable us to track who opens particular articles or emails so that we can assess their relevance and improve how we interact with you. In doing so, we do not use any technology (e.g., cookies) to store or access data on your device.
    Our website, for example, sends connection data to our web server when your browser connects to our website.
    Through web-based services like our tech-based counterparty solutions, we may collect analytical information via e-KYC platforms provided to you in connection with our services.
    We are obligated to consider other publicly available sources under applicable law.
  • Use:
    • To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
    • To provide and improve our services and products, e.g., by monitoring and recording information relating to web-based services such as how and when systems are accessed and how data is uploaded, to analyze performance, subject always to our obligations under applicable law.
    • To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
    • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
    • Subject to our legal obligations, we aim to enhance your experience on our website, newsletters, and other services. This includes monitoring and recording information about your browsing behavior to provide more efficient and relevant personalized content.
    • To facilitate our internal business operations, e.g. internal record keeping and accounting.
    • Subject always to our obligations under applicable law to monitor and analyze our interactions with you to improve our relationship with you and help us to grow and develop our business.
    • For information and physical security and the prevention and detection of criminal and dishonest activity, including ensuring the security of our website and premises and protecting our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity, and scanning communications for appropriate content, attachments and viruses.
  • Disclosure:Your personal information may be transferred worldwide:
    • across Edifice Global Markets Limited activities;
    • to service providers who support the operation of our business;
    • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where and to the extent that we are compelled to do so by law, regulation or professional obligations; and
    • to other third parties in limited circumstances, e.g. where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event).
  • Some of these recipients may act as data controllers. In all cases, we will only share the minimum personal information required for the specific purpose. This sharing is subject to appropriate provisions and safeguards regarding the rights of data subjects, information security, disclosure, confidentiality, and data protection. For more information about personal data transfers, please refer to section 3 of this policy.

If you apply for a job, work placement or vacation scheme with us, including if you proceed to the e-KYC onboarding stage having been successful in your application (excluding Vario applicants; see 5.4).

We carry out pre-employment vetting checks in certain jurisdictions in which we operate. For details of our pre-employment vetting practices regarding criminal offences, please refer to section 13 of this Policy.

  • Data controller :
    Edifice is usually the data controller for applications made to Edifice via our website. If your online application is for a position in another Edifice entity, that entity may also be a data controller of the personal information you provide via our website. The Edifice entity to which the application is made may be the data controller for applications made by other means.
  • Legal bases for processing :
    • It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary in order for us to takes steps, at your request, to enter into a contract with you (Article 1(6)(b) EU GDPR).
    • To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
    • You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
  • We process particular categories of personal data as necessary:
    • With your consent (Article 9(2)(a) EU GDPR).
    • In relation to personal information which has been made public by you (Article 9(2)(e) EU GDPR).
    • to carry out the obligations and exercise specific rights of ours or yours in the field of employment and social security and social protection law (Article 9(2)(b) EU GDPR).
    • For reviewing and improving equality of opportunity and treatment (Article 9(2)(g) EU GDPR and Paragraph 8(2) of Schedule 1 of the Data Protection Act 2018, as applicable).
  • We process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:
    • With your consent.
    • To prevent or detect unlawful acts.
    • To comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
    • To protect the public against dishonesty.
    • To prevent fraud.

    Please refer to section 13 of this Policy for details of our pre-employment vetting practices for criminal offences and background checking with consent.

  • Disclosure Your personal information:
    • may be transferred worldwide:
      • across Edifice Global Markets Limited;
      • service providers who support the operation of our business e.g. third-party organisations who assist us with psychometric testing/other online assessments that might be required for specific roles;
      • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations;
      • to our advisors (e.g legal or financial) or auditors;
      • to other third parties in limited circumstances; and
    • will be stored in:
      • Edifices’ information systems; and
      • Third-party software applications and services have been procured to support the operation of our human resources functions.

    It is essential to acknowledge that specific recipients may act as data controllers. In all cases, any personal information shared or stored outside of Edifice Global Markets Limited will be limited to the minimum required for the relevant purpose. Additionally, it will be subject to the appropriate provisions and safeguards, ensuring the protection of data subjects’ rights, information security, disclosure, and confidentiality. For more information about personal data transfers, please see section 3 of this policy.

If you apply to become a Vario or are working with us as a Vario, In some areas where we conduct business, we perform pre-employment screening checks. For more information on our pre-employment screening procedures related to criminal offences, please consult section 13 of this Policy.

  • Data controller: 
    Edifice Global Markets Limited is usually the data controller for processing the personal information of Varios and applicants to the Vario business.
  • Legal bases for processing
    • It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with you or in order for us to takes steps, at your request, to enter into a contract with you (Article 6(1)(b) EU GDPR).
    • To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
    • You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
  • We process special category personal data, as necessary:
    • With your consent (Article 9(2)(a) EU GDPR).
    • In relation to personal information which has been made public by you (Article 9(2)(e) EU GDPR).
    • to carry out the obligations and exercise specific rights of ours or yours in the field of employment and social security and social protection law (Article 9(2)(g) EU GDPR).
  • We process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:
    • With your consent.
    • In relation to legal claims.
    • To prevent or detect unlawful acts.
    • To comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
    • To protect the public against dishonesty.
    • To prevent fraud.

    Please refer to section 13 of this Policy for details of our pre-employment vetting practices for criminal offences and background checking with consent.

  • Types of personal data
    Vario’sVario’s
    Data information minimal extract examples indication purposes:Data information minimal extract examples indication purposes:
    • Full Name (As stated on the government-issued document)
    • Government issues document
    • Liveness check self-identification photo
    • Date of Birth
    • Nationality
    • Residential address
    • Contact information
    • Occupation type
    • Name of employer/nature of self-employment
    • Qualifications, and education and employment history.
    • Next-of-kin information (where applicable, e.g. emergency contact information for Vario’s placed at Edifice.
    • Pre-employment vetting information including the results of financial and criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status.
    • Financial information including bank details and identifiers, e.g. National Insurance numbers.
    • Note: further information will be required
  • Collection
    • Directly from you, e.g. via your application to become a Vario, submission of your CV, completion of our e-KYC questionnaires, populating your information in our CRM System, Zoom interviews, in catch-ups, and at events and networking occasions.
    • From third parties, including recruitment agencies, counterparties of ours with whom you may be placed, providers of background checking services, providers of psychometric testing, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media platforms such as LinkedIn. For details of the pre-joining vetting practices in respect of criminal offences that we carry out in certain jurisdictions in which we operate, please refer to section 13 of this Policy.
  • Use
    • For recruitment purposes, including vetting and background checks where appropriate, and to assess suitability, eligibility and fitness to work. For details of the pre-joining vetting practices in respect of criminal offences that we carry out, please refer to section 13 of this Policy.
    • For administration and management purposes, including remuneration, managing all aspects of our relationship with you, and connecting and placing Varios with suitable counterparties.
    • For health and safety reasons (e.g. to inform access, adjustment and dietary requirements for interviews, placements and for our meetings and events), and for the application, audit and enforcement of our policies and other terms and conditions relating to you becoming or working as a Vario.
    • To ensure information security and prevent criminal and dishonest activity, we monitor activity patterns and scan communications for appropriate content, attachments, and viruses. This is done to protect our website and premises, as well as safeguard our information systems against data breaches and similar threats.
    • For any other purposes connected with you being or becoming a Vario.
  • Disclosure
    Your personal information:
      • may be transferred worldwide:
        • across Edifice Global Markets Limited;
        • to service providers who support the operation of our business;
        • with Edifices’ counterparties who are considering or have contracted for, a Vario assignment;
        • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar, where and to the extent we are compelled to do so by law, regulation or professional obligations; and
        • to other third parties in limited circumstances, e.g. where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event);
      • will be stored in:
        • Edifices’ information systems; and
        • third party software applications and services which have been procured to support the operation of the Vario team.

    Certain recipients may act as data controllers. In all cases, any personal information of yours that is shared or stored outside of Edifice will be limited to the minimum required for the relevant purpose and will be subject to appropriate provisions and safeguards regarding data subjects’ rights, information security, disclosure, confidentiality, and data protection. Once your information has been shared with a counterparty in relation to a Vario assignment in which you have expressed an interest, that counterparty may share your personal information with other third parties. The privacy policies of the counterparty will provide details on how it may further process your personal data.
    For more information about personal data transfers, please see section 3 of this policy.

If you are a supplier or service provider, or if you work for or represent a supplier or service provider, or if you are an individual named in or connected with matters on which we are advising a counterparty (including counterparty contacts and litigants in person, advisors, experts, counsel, witnesses, and other individuals named in or connected with the services that we provide to our counterparties).
  • Data controller Regarding services procured for Edifice Global Markets Limited, Edifice ordinarily acts as a data controller. For services procured locally, Edifice engaging you for those services may be the data controller. Regarding individuals named in or connected with matters on which we advise a counterparty, Edifice, who is instructed on the matter, will typically be the data controller.
  • Legal bases for processing
    • It is necessary to pursue our legitimate interests for the purposes set out in the ‘Use’ section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with you (Article 6(1)(b) EU GDPR).
    • To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
    • You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
  • We process special category personal data, as necessary:
    • To establish, exercise or defend legal claims (Article 9(2)(f) EU GDPR).
    • With your consent (Article 9(2)(a) EU GDPR).
    • In relation to personal data which has been made public by you (Article 9(2)(e) EU GDPR).
    • For reasons of public interest in connection with a statutory provision (Article 9(2)(g) EU GDPR).
  • We process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:
    • With your consent.
    • Which has been manifestly made public by the data subject.
    • In relation to legal claims.
    • To prevent or detect unlawful acts.
    • To comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
    • To protect the public against dishonesty.
    • To prevent fraud.
    • In relation to our obligations concerning suspicion of terrorist financing or money laundering.
  • We may process criminal offence data relating to individuals who are:
    • involved in corporate crime cases, matters concerning victims of crime or other matters for which criminal offence information informs our work for our counterparties; counterparties; and
    • connected to or involved in the structure of our corporate counterparties entities, our corporate counterparty entities and our suppliers and service providers, such as directors, beneficial owners and Politically Exposed Persons.
  • Types of personal data
    Service providers and other individuals Service providers and other individuals
    Data information minimal extract examples indication purposes: Data information minimal extract examples indication purposes:
    • General Corporate Information
    • Company structure
    • Certificate of Incorporation
    • Partnership Agreement
    • Related company(ies)
    • Ultimate Beneficiary Owner
    • Liveness check self-identification photo.
    • Professional information, e.g., your expertise and experience, feedback on your services (including opinions) from our people and/ or our clients and other information relevant and connected to how you may have performed any service referred to you by us
    • Financial information, e.g. bank details and identifiers, and fees information.
    • Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
    • Note: further information will be required
  • Collection
    • Directly from you.
    • From the organisation that you work for.
    • From our counterparty.
    • From third parties, such as other professional advisers and third parties connected to a matter, and through publicly available sources including court and public records and social media.
  • Use
    • To deliver our services to our counterparty.
    • For referral purposes: we maintain a database of services providers and personal information relating to other third parties such as experts for similar purposes.
    • To manage and administer our relationship with you e.g. communicating with you, and instruction and billing procedures.
    • To facilitate our internal business operations, e.g. internal record keeping, and procurement and accounting practices (in respect of suppliers and other service providers).
    • To establish, exercise or defend legal claims.
    • As required by law and to comply with our statutory and regulatory obligations, e.g. anti-money laundering, disclosure obligations and court orders.
    • For the prevention and detection of criminal activity.
    • To uphold the security of our information and physical assets and to prevent and detect criminal and dishonest activities, including safeguarding our website and premises, and defending our information systems against data breaches, viruses, and other threats, we employ the monitoring of activity patterns and scanning of communications for suitable content, attachments, and viruses.
    • You may provide a reference for us in connection with a bid or tender, where we have agreed that you are happy to do so.
    • For health and safety reasons, we kindly ask that you provide information regarding access, adjustments, and dietary requirements for our meetings and events. This information is crucial for the application, audit, and enforcement of our policies. Your cooperation in this matter is greatly appreciated.
    • To review and improve equality of opportunity and treatment.
  • Disclosure Your personal information:
    • may be transferred worldwide:
      • across Edifice ;
      • to service providers who support the operation of our business;
      • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations;
      • to other third parties in appropriate circumstances, e.g. to our clients during the course of our work with them and where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event); to an organisation that sublets space in our premises upon that organisation’s request in respect of building access information (subject always to our obligations under applicable law); and
    • will be stored in:
      • Edifices’ information systems; and
      • third party software applications and services have been procured to support the management of the information in our care.We want to ensure that any personal information shared or stored outside of Edifice is limited to the minimum required for the intended purpose.
    • We are committed to  upholding data subjects’ rights, information security, confidentiality, and data protection. For further details on personal data transfers, please refer to section 3 of this policy.

Your personal information is retained by us in accordance with applicable law and regulation. Our data retention periods vary depending on the location, nature and context of the personal information that we have in our care, and are calculated taking into account the following factors:

  • potential claims or litigation;
  • guidance from official bodies such as relevant data protection supervisory authorities and professional regulatory bodies;
  • how long we need to keep the data to fulfil the original purpose for which it was collected;
  • the nature and sensitivity of personal data; and
  • legal obligations to which we are subject.

We strive to ensure that personal information is securely retained until the purpose for its processing has been fulfilled or until the contractual relationship with our counterparty, you or your company has ended and all mutual claims have been satisfied. Additionally, we will retain personal information in counterparty files for a period of 5 years after the completion of the matter, except in cases where specific circumstances compel us to retain the client files for a more extended period.

Section 7 of this Policy provides further details regarding your rights concerning your personal information in our possession, as well as the procedures for contacting us to exercise these rights or to seek clarification about our data retention policies.

Depending on where you are in the world and where Edifice processes your personal information, you may have rights in respect of that personal information. For example, the following rights are provided for under the Hong Kong, UK and EU data protection regimes:

  • to be informed about the collection and use of your personal information;
  • to ask whether we process your personal information and request a copy of it if so;
  • to object to decisions that we may make based solely on the automated processing of your personal information;
  • in certain circumstances, to object to the processing of your personal information where we do so for our legitimate interests;
  • to request that any inaccurate or incomplete personal information of yours in our care is rectified or competed;
  • in certain circumstances, to restrict our processing of your personal information;
  • in certain circumstances, to receive your personal information or have your personal information transmitted to another organisation in a structured, commonly used and machine-readable format;
  • in certain circumstances, to request that we delete your personal information; and
  • to object to our processing of your personal information for direct marketing purposes.

Not all of these rights are absolute, which means that they may only apply in certain situations and may be subject to legal exceptions and exemptions. To exercise your rights, please email us at privacy@edificegm.com. You may also write to us at Privacy Team, Edifice Global Markets Limited, Level 18, China Building, 29 Queen’s Road Central, Central, Hong Kong. Please also refer to section 12.1 of this policy for any further information regarding exercising your rights concerning your personal information.

Our Privacy Team oversees our compliance with data protection laws and this policy and provides guidance and advice to the firm and our people. Our Compliance Officer for Legal Practice (‘COLP’) oversees compliance with our professional responsibilities and the reporting of any failures to comply with legislative requirements, including data protection.

Please direct any complaint about how the firm has processed your personal information to privacy@edificegm.com. You may also write to us at Privacy Team, Edifice Global Markets Limited, Level 18, China Building, 29 Queen’s Road Central, Central, Hong Kong. We hope that we can resolve any query or concern you raise about our processing of your personal information.

The Hong Kong Personal Data (Privacy) Ordinance (the “PDPO”) and EU General Data Protection Regulation, and certain other applicable data protection laws give you the right to lodge a complaint with a data protection supervisory authority (‘DPA’), usually in the country or state where you work, typically live or where any alleged infringement of data protection laws has occurred. Details of EU Member State DPAs and EEA DPAs can be found here

Hong Kong

https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html

EU

https://commission.europa.eu/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en</a >

Section 12 of this policy details the DPAs relevant to other jurisdictions we operate, including the UK.

We sometimes provide links to other websites, but these websites are not under our control. We are not liable to you for any issues arising from their use of your information, the website content, or the services those websites offer.

We recommend you check each website’s privacy policy and terms and conditions to see how each third party will process your information.

When we say ‘we’, ‘our’, ‘us’, ‘Edifice’ or ‘Edifice Global Markets Limited’ in this policy, we refer to all that make up the international Edifice Global Markets Limited, as the context requires. An explanation of some of the other terminology we use in this policy is below.
“checking organisations” means an organisation registered with a criminal records bureau to (a) submit basic checks through a web service or by other means; (b) to submit standard and enhanced checks, and is entitled by law to ask an individual to reveal their full criminal history; or (c) any other approved organisation engaged by the firm to carry out criminal checks on its behalf;
“counterparty” The term ‘counterparty’ refers to any individual or organization that receives services from a company and is specifically identified in the company’s practice management system, regardless of whether time is recorded or a fee is charged.
“contact” an individual who is a contact of a company, including any counterparties, any potential or former counterparty, any supplier, any consultant, or any another professional advisor and any other contact of the company;
“criminal record certificate” means a criminal records certificate issued by a criminal record bureau in response to a criminal record check;
“criminal record check” is a request submitted to a criminal records bureau to find out whether an individual has a criminal record;
“data” recorded information whether stored electronically, on a computer, or in certain paper-based filing systems;
“data controller”
“data user” 		An individual or organization, whether independently or in collaboration with others, that is responsible for determining how personal information is processed and for what specific purposes;
“EU GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;
“individual” or “you” the person whose personal information is being collected, held or processed;
“PDPO” Personal Data (Privacy) Ordinance Hong Kong
Asia’s longest standing comprehensive data protection laws. It has its origins in the August 1994 Law Reform Commission Report entitled “Reform of the Law Relating to the Protection of Personal Data”, which recommended that Hong Kong introduce a new privacy law based on the OECD Privacy Guidelines 1980 to ensure an adequate level of data protection to retain its status as an international trading centre and give effect to human rights treaty obligations.
“partner(s)” refers to a member of Edifice or an employee or consultant of Edifice with equivalent standing;
“our/Edifice people” Refers to partners, members, consultants, employees, temporary workers, agency and casual workers, contractors, collaborators, volunteers, and individuals on work placements who are delivering services to or working for Edifice.”
“personal information” or “personal data” information (including opinions) which relates to an individual and from which they can be identified either directly or indirectly through other data which the company has or is likely to have in its possession. These individuals are sometimes referred to as data subjects;
“policy” the global privacy policy as amended from time to time;
“process” or “processing” any activity that involves personal information. It includes obtaining, recording or holding the personal information, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal information to third parties as a result of those third parties having access to it;
“special category personal data” or “special category personal information” means information revealing someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic information, biometric information, information concerning health or concerning sex life or sexual orientation;
“UK GDPR” means the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); and
“Vario” A consultant engaged in providing legal and professional services as an independent contractor for Edifices’ business resources.
The data protection and marketing provisions of Edifice Standard Terms of Business for the provision of professional services to our counterparties include certain defined terms. These defined terms and the meanings attributed to them are set out below, with further variances specific to certain jurisdictions described in 12.1
Counterparty Personal Data “All personal data processed by Edifice, its agents, affiliates, or sub-contractors in relation to the Agreement and for which the Counterparty acts as the Controller shall be encompassed within the definition.”
Controller means (a) “controller”, “responsible party” or “data user”, or equivalent term as defined in the Data Protection Laws where applicable;
Data Subject means a living natural person who can be identified, directly or indirectly;
Data Protection Laws means (a) PDPO and the EU Data Protection Laws, the UK Data Protection Laws or any other applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding pronouncements, including findings, orders, decisions and judgements of a competent court or regulator with jurisdiction as updated and amended from time to time which relates to the protection of individuals with regards to the processing of personal data to which a party is subject; and (b) any code of practice or statutory guidance published by a competent Regulator from time to time;
EU Data Protection Law
PDPO Data Protection Law 		means (a) General Data Protection Regulation (EU) 2016/679 (“GDPR”) and PDPO December 1996 and October 2021 ; (b) Directive 2002/58/EC on privacy and electronic communications as incorporated into law by applicable implementing legislation; and (c) any other applicable member state laws in the European Economic Area from time to time;
“personal data” means (a) “personal data” or “personal information” or equivalent term as defined any information relating to a data subject as set out in the Data Protection Laws where applicable;
“process” and “processing” shall have the meaning set out in the Data Protection Laws, where applicable, or equivalent term used to define any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means;
Regulator means any supervisory authority or independent public authority which has competence to monitor, apply and/or enforce the Data Protection Laws, in order to protect the rights and freedoms of natural persons in relation to processing of personal data, including those organisations referred to in sections 8 and 12 of this Privacy Policy;
Restricted Country means a country, territory or jurisdiction which is not deemed to provide adequate protection of personal data in accordance with the Data Protection Laws (and in particular, where applicable, Article 45 (1) of GDPR);
Security Requirements means the requirements regarding the security of personal data, as set out in the Data Protection Laws (including, where applicable, the measures set out in Article 32(1) of GDPR (taking due account of the matters described in Article 32(2) of GDPR));
Transparency Requirements means the requirements of lawfulness, fairness and transparency set out in the Data Protection Laws, (and in particular, where applicable, Articles 13 and 14 of GDPR); and
UK Data Protection Law means the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 and the GDPR as the same are amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586).
Australia The Information Commissioner, under the Office of the Australian Information Commissioner (“OAIC”).
GPO Box 5218, Sydney NSW 2001
https://www.oaic.gov.au/
Azerbaijan Ministry of Digital Development and Transport.
The Ministry of Internal Affairs, the Ministry of Justice, the State Security Service, and the Special State Protection Service have the power to enforce applicable data protection/privacy laws within the scope of their competences.
https://mincom.gov.az/en
Cayman Islands. Office of the Ombudsman
Visit: 5th Floor, Anderson Square, 64 Shedden Road, George Town, Grand Cayman
Mail: PO Box 2252, Grand Cayman KY1-1107,
https://ombudsman.ky/get-in-touch
Ghana Data Protection Commission (‘Commission’)
Accra
Ghana
GPS: GA-414-1469
https://www.dataprotection.org.gh/
Germany Federal Commissioner for Data Protection and Freedom of Information (BfDI)
https://www.bfdi.bund.de/EN/Service/Kontakt/kontakt_node.html
Macau Personal Data Protection Bureau
Address:Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau
https://www.dspdp.gov.mo/en/
Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD)
12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong
http://www.pcpd.org.hk/
Indonesia The Minister of Communication and Informatics (“MOCI”)
largely have the authority over data privacy matters that are processed through electronic systems in accordance with the General Data Protection Regulations.
https://www.kominfo.go.id/
Luxembourg Commission Nationale pour la Protection des Données (CNPD)
https://cnpd.public.lu/en.html
People’s Republic of China (‘PRC’) The three main pillars of the personal information protection framework in the PRC are the relatively new Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), and the Data Security Law (DSL)
Pursuant to PIPL, the Cyberspace Administration of China (CAC) is primarily responsible for the overall planning and coordination of personal information protection and related supervisionhttp://www.cac.gov.cn/
However, sector-specific regulators, such as the People’s Bank of China or the China Banking and Insurance Regulatory Commission, may also monitor and enforce data protection issues of regulated institutions within their sector.
Singapore Personal Data Protection Commission
10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438
http://www.pdpc.gov.sg/
Thailand Personal Data Protection Act B.E. 2562 (PDPA)
a regulator under the PDPA, was formed on 11 January 2022.
https://pdpathailand.com/
United Kingdom The Information Commissioner (whose functions are discharged through the Information Commissioner’s Office (“ICO”))
http://www.ico.org.uk/
United States Federal Trade Commission (“FTC”)
FTC has jurisdiction over most commercial entities and has authority to issue and enforce federal privacy regulations (including telemarketing, email marketing, and children’s privacy) and to take enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
https://www.ftc.gov/about-ftc/contact

Criminal offence information may be requested of prospective Edifice people and prospective Various as part of our recruitment processes before a consultant’s offer of or offer of employment is made unconditional. This practice is limited to our Hong Kong operations. This Privacy Policy is regularly reviewed and updated, and should our practice of requesting criminal offence information of prospective Edifice people and prospective Various for specific roles expand outside Hong Kong, we will tell you here. Our vetting practices are carried out constantly under applicable law.

If we are not permitted to or are not justified in seeking information about criminal offences for a role, we will not ask candidates for criminal offence information. We will not seek criminal offence information from any source other than the individual concerned, a criminal record bureau or a checking organization.

Criminal offence information will only ever be used by Edifice for the purposes for which it was initially collected. Criminal record certificate information will be handled, kept, and disposed of under the firm’s Pre-employment Checks Policy: candidates may email to privacy@edificegm.com to request a copy.

Recruitment of ex-offenders’ policy statement

We are committed to the fair treatment of our people, prospective Edifice people and users of our services, regardless of their offending background.

The firm promotes equality of opportunity for all with the right mix of talent, skills, and potential.

Having a criminal record does not necessarily bar an individual from working with us, and we welcome applications from a wide range of candidates, including those with criminal records.

Edifice selects all interview candidates based on their skills,
qualifications and experience.

Circumstances in which candidates may be asked to provide criminal offence information

A criminal record check or a request for criminal offence information from an individual is only requested after a thorough risk assessment has indicated that doing so is both proportionate and relevant to the position concerned.

The type of criminal records information and level of criminal record check that Edifice is entitled to request will depend on the nature of the role for which the individual’s suitability is being assessed. When recruiting for a role, we consider whether:

  • it is appropriate to limit the criminal offence information sought to offences that have a direct bearing on suitability for the job in question and
  • a criminal records bureau should verify the information provided.

If candidates are asked to provide criminal offence information

Where we request criminal offence information from an individual but do not request a criminal record check, we will ask the individual to provide only criminal offence information concerning convictions and cautions that Edifice would be legally entitled to see in a criminal record check for the relevant role.

If it is deemed necessary to verify criminal record information through a criminal record check, we will adhere to any applicable criminal record bureau code of practice and furnish the individual in question with a copy of Edifices’ Pre-employment Checks Policy. Edifice will not base its decisions solely on previously issued criminal record certificates.

Criminal offence information verified through a criminal record check

Once criminal offence information has been verified through a criminal record check, we will:

  • if inconsistencies emerge between the information provided by the individual and the information in the criminal record certificate, give the individual the opportunity to explain; and
  • record that a criminal record check was completed and whether it yielded a satisfactory or unsatisfactory result.

Where an unprotected conviction or caution is disclosed

If we have concerns about the information disclosed by a criminal record bureau or if the information is not as expected, we will discuss our concerns with the candidate and carry out a risk assessment.

Our risk assessment will consider the circumstances and background of any offences and whether they are relevant to the position in question, balancing the rights and interests of the individual, Edifice people, counterparties, suppliers, and the public.

We treat all applicants fairly but reserve the right to withdraw any offers if an individual does not disclose relevant information or if a criminal bureau check reveals information that we reasonably believe would make an individual unsuitable for a role.

Disputing the content of a criminal record certificate

Individuals may raise a dispute with a criminal record bureau if they believe that there has been a mistake in the contents of their certificate, for example, a mistake in:

  • the records provided, for example, incorrect or irrelevant information on convictions; or
  • their details.

Dispute processes may vary by criminal record bureau, so the relevant bureau should be contacted directly for guidance on how to raise a dispute.

error: Content is protected !!