Data Protection Compliance Statement September 2024
Secretariat complies with UK and EU GDPR
Secretariat is committed to ensuring that it complies with data protection laws and regulations that apply to its business.
Where Secretariat processes personal data about individuals in the UK, it does so in accordance with the UK GDPR and the Data Protection Act 2018, and where Secretariat processes personal data about individuals in the EU, it does so in accordance with the EU GDPR.
Legal and compliance audit completed
Secretariat has undertaken a legal and compliance audit with a specialist law firm (Garfield Smith – Technology & Data Lawyers), and has implemented the following compliance measures:
- Database of Records of Processing. This database records Secretariat’s data processing activities and is updated each time the company carries out a new or different processing activity or enters into a contract with a new third party processor.
- Data Protection Impact Assessments. DPIAs have been carried out in accordance with Article 35 of the GDPR for all processing activities which carry a higher risk of harm for individuals, including job recruitment processing, and tracking of prospects, clients and website traffic for marketing.
- Company Data Protection Policies. Secretariat has implemented appropriate internal and external data protection policies which govern its data processing activities and fulfil its transparency obligations under Articles 13 and 14 of the GDPR.
- Data Security. Secretariat’s Information Technology team has carried out a thorough assessment of Secretariat’s data security measures to ensure that these comply with Article 32 of the GDPR.
The nature and scope of Secretariat’s processing of personal data
- Clients and prospective clients
Nature of processing: Secretariat processes personal data (primarily contact information) about its clients or prospective clients to carry out sales and marketing activities and to provide its services to clients.
Status of relationship: Secretariat is a data controller for some of the personal data that it processes about clients and prospective clients (for example, for sales and marketing), and is a data processor for the personal data provided to it by clients in connection with the services that Secretariat provides.
Each of Secretariat’s clients is directly responsible for ensuring that it complies with its own obligations as a data controller in relation to the personal data that it shares with Secretariat.
- Suppliers
Nature of processing: Secretariat processes personal data (primarily contact information) about its suppliers to manage the relationship with suppliers and to purchase goods and services from the suppliers.
Status of relationship: Secretariat is the data controller for the personal data that it processes about suppliers.
- Secretariat employees and prospective employees
Nature of processing: Secretariat processes personal data (primarily contact information but also some special categories of data) about its employees and prospective employees for recruitment and to manage their employment.
Status of relationship: Secretariat is the data controller for the personal data that it processes about employees.
- Individuals whose personal data is shared as part of client services
Nature of processing: Secretariat processes personal data (including contact information, financial information and other types of personal information including special category data) about individuals where this information is provided to Secretariat by its clients as part of the services Secretariat provides to clients (for example, where Secretariat is engaged to conduct forensic investigatory work for a client).
Status of relationship: Secretariat is a data processor for the personal data provided to it by clients about third party individuals in connection with the services that Secretariat provides (and Secretariat’s client is the data controller).
Who Secretariat shares data with
Like most companies, Secretariat works with third party service providers who supply services to Secretariat. Many of these third parties process personal data on behalf of Secretariat (for example, for document hosting and management, website analytics, marketing services and similar).
Secretariat has written contracts in place with its third party processors that comply with Art. 28 of the GDPR.
Where Secretariat transfers personal data outside the UK or the EEA, it makes sure it has the appropriate transfer safeguards in place: either an adequacy decision (that the country to which the data is being transferred provides adequate protection under the EU GDPR/UK GDPR), or the standard contractual clauses for international data transfers from the UK or the EU (as applicable).
Secretariat Privacy Policy
Secretariat’s privacy policy can be found at: https://secretariat-intl.com/privacy-policy/.