Data Protection Policy.

Delton Sterling Limited is a company registered in England and Wales No. 5350465. The following policy sets out how Delton Sterling Limited, its consultants and affiliates (further collectively referred to as “Delton Sterling”, “we”, “us” and “our”) collect, store, use and otherwise process Personal Data (as defined below).

  1. Delton Sterling is a UK consulting business mainly engaged in conducting security risk advisory, market research, due diligence and litigation-related investigations, including in the context of combating fraud, money-laundering and bribery, in support of our clients’ obligations under UK law, EU regulations and directives, international conventions, UK, EU and US Sanction regimes, and other prevailing regimes such as the US Foreign Corrupt Practices Act and FinCEN Rules. The Fourth AML Directive explicitly authorises financial institutions to use third-party service providers in meeting their obligations.
  2. Delton Sterling seeks to operate within industry best practice at all times and is committed to complying with all applicable legislation, including the UK’s Data Protection Act (DPA) and, in so much as it applies beyond the scope of the DPA, the EU General Data Protection Regulation (GDPR).
  3. In the course of our work, we may need to process certain personal information (Personal Data) related to individuals. We are committed to fair and lawful processing, transparency, and protecting the rights and privacy of individuals, while at the same time providing appropriate, prudent and professional services to our clients to enable them to fulfil their societal, regulatory and legal obligations.
  4. Delton Sterling understands personal data to be any combination of information which identifies a specific natural person (Data Subject). This may include: biographical information or current circumstances, dates of birth, social security numbers, phone numbers and email addresses, IP addresses, behaviour, character traits, associations, workplace and career data, educational information, memberships, religion, political opinions, geo-tracking data, health and genetics, including medical history.
  5. In processing a data subject’s personal data, we seek to adhere to the eight principles enshrined in the Data Protection Act and the GDPR, namely:
    • Personal data shall be processed fairly, lawfully and transparently in relation to the Data Subject. In particular, data shall not be processed unless at least one of the conditions in Paragraph 6 is met.
    • Personal data shall be obtained only for a lawful purpose as specified in Paragraph 6, and shall not be further processed in any manner not compatible with that process.
    • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (“data minimisation”).
    • Personal data shall be accurate and, where necessary, kept up to date (“accuracy”). Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.
    • Personal data will not be kept longer than is necessary for the purpose (“storage limitation”). The Data Controller will regularly review the length of time personal data is retained and if the purpose or purposes for which the information is held are no longer necessary, the data will be securely destroyed.
    • Personal data shall be processed in accordance with the Rights of data subjects.
    • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing, loss, damage or destruction (“integrity and confidentiality”).
    • Personal data shall not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  6. We will only process personal data under a lawful basis. The Data Protection Act and the GDPR set out six lawful bases. At least one of the following shall apply whenever we process personal data:
    • Consent: the data subject has given clear consent for the processing of their personal data for a specific purpose.
    • Contractual Necessity: the processing is necessary for a contract entered into with the individual, or because the individual has asked for specific steps to be taken before entering into a contract.
    • Legal obligation: the processing of personal data is necessary to comply with the law (not including contractual obligations).
    • Vital interests: the processing is necessary to protect interests that are essential for someone’s life.
    • Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
    • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
  7. There are a number of circumstances under which we may process personal information. However, the most common circumstances are likely to be:
    • With the consent of the data subject, for example where we are conducting due diligence or pre-appointment scrutiny and the data subject has provided informed consent to the processing of their data.
    • In preparation for entering into a contract with the data subject, or in the performance of a contract with the data subject, for example with our clients and their partners, our business partners, employees or other service providers and agents.
    • In pursuit of our legitimate interests or those of the clients we act for. Usually this will be for the purposes of prevention, detection, investigation or prosecution of criminal offences; matters of general public interest; fulfilling our obligations or those obligations of our clients to conduct adequate due diligence and background checks to comply with the obligations of relevant legislation and regulation, including but not limited to the UK Bribery Act, the US Foreign Corrupt Practices Act, EU Anti-Money Laundering and Terrorist Financing Regulations and Directives, Sanctions and Denied Persons Regimes and other prevailing regimes and standards. Legitimate interest processing will frequently be the most relevant ground for our processing. Where this is the case, we will seek to ensure organisational accountability and responsible use of personal data, while effectively protecting data privacy rights of individuals. We will always seek to balance our legitimate interest with the rights of individuals and we will apply safeguards and compliance steps to ensure that individuals’ rights are not unfairly or unlawfully prejudiced in any given case.
  8. We obtain personal information only through lawful means. The overwhelming majority of the personal information which we may process will be derived from data that are already in the public domain, such as published corporate and legal records, online, archived and historic media articles, social media, biographies and business profiles. Where we use this information, we will endeavour to render it faithfully, to ensure that it is as accurate as possible and to provide a link or citation for the original source of the data. This information will be used in the spirit and for the same overriding purpose for which it was originally provided, e.g. biographical data provided for the purposes of establishing an individual’s bona fides and experience or to obtain employment or career advancement, data on corporate involvements provided for the purposes of complying with statute and agreed principles of corporate transparency, beneficial ownership and combatting fraud. Where we obtain personal information from third parties, for example a confidential reference on a data subject, we will endeavour to verify the information provided, the lawful basis on which that information can be passed to us and processed, and the authenticity of the party that has provided it. We will identify such information as having been derived from a third party.
  9. In accordance with Principle 5(f) above, data subjects have the following rights regarding data processing and the data recorded about them:
    • To make subject access requests to learn the nature of information held and to whom it has been disclosed;
    • To prevent processing likely to cause damage or distress;
    • To prevent processing for the purposes of direct marketing;
    • To be informed about the mechanics of automated decision-taking processes that will significantly affect them;
    • Not to have significant decisions that will affect them taken solely by automated process;
    • To sue for compensation if they suffer damage by any contravention of the regulation;
    • To take action to rectify, block, erase or destroy inaccurate data;
    • To request the Information Commissioner to assess whether any provision of the regulation has been contravened;
    • In the event of a complaint by a Data Subject concerning our processing of personal data, we will invite the complaint to be made to us to resolve. If we are not able to resolve the complaint, we will advise the Data Subject to direct the complaint to the ICO.
  10. Individuals wishing to determine if Delton Sterling is processing their personal information should send a subject access request to the Data Protection Officer. Please note there may be certain situations where we are unable to disclose all personal information, for example where it may prejudice the interests and rights of others, including in relation to prejudicing legal proceedings, negotiations, management information and other market sensitive information.
    Delton Sterling does not maintain archives, lists or otherwise hold or store personal information in databases. All personal data is erased upon completion of the specific task requiring the processing in accordance with our retention and deletion policy. For the duration that personal data is held, we seek to ensure that personal data is safeguarded through the use of technical means and safe data handling.