Privacy Notice
INTRODUCTION
Stirling Square Capital Partners LLP, its subsidiaries and affiliates (hereinafter collectively referred to as "SSCP", "we", "our", "us") recognise the importance of protecting your personal data. This notice explains how we collect, store and use your personal data in compliance with applicable data protection law, including, where relevant, (as amended from time to time) the General Data Protection Regulation (EU) 2016/679 ("EU GDPR") and any national laws enacted pursuant to the EU GDPR, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 No. 419 ("UK GDPR") and the Data Protection (Jersey) Law 2018 (the "DPJL"). Unless we inform you otherwise, Stirling Square Capital Partners LLP will be the data controller.
When used in this notice, unless otherwise stated, the terms "controller", "processor", "data subject", "personal data", "process", "processes", and "processing" have the meanings given to them in the UK GDPR.
WHO DO WE COLLECT PERSONAL DATA FROM?
We may collect personal data from the following persons:
(a) Visitors to www.stirlingsquare.com (the "site");
(b) Visitors to our premises;
(c) Officers, directors, employees, advisors, intermediaries and other representatives of our suppliers, advisers and other service providers;
(d) Regulators and government bodies, as well as officers, directors, employees, advisors, intermediaries and other representatives of the same;
(e) In some cases, we process personal data relating to former employees and staff members. If you are a former staff member and want to know what data we still process about you, you should refer to your leaver's pack. If you no longer have your leaver's pack, please contact us using the details set out in the contact section below.
We may collect data from: (i) our employees and other staff members (and those of our affiliates and portfolio companies); (ii) current, prospective and former investors in our funds; (iii) the beneficial owners, trustees, nominees, agents, representatives and/or employees of current, prospective and former investors in our funds; (iv) the owners, advisers, representatives and/or employees and other staff members of our investment partners; and (v) the owners, advisers, representatives and/or employees and other staff members of the businesses we invest in (or may invest in). We have separate privacy notices which explain how we collect, store and use the personal data of such persons. If you cannot locate one of these notices, please contact us using the details set out in the contact section below.
WHAT PERSONAL DATA DO WE COLLECT?
The personal data we collect may include:
(a) Identifiers: for example, name, postal address, email address, telephone number, employee ID;
(b) Internet or other network activity: for example, browsing or search history, information regarding interaction with the site, or related applications or advertisements, as well as online identifiers such as cookies;
(c) Professional or work related information: for example, your professional role, occupational history, business relationship with SSCP and background and interests, and any other personal data which may be incidentally processed if you contact us; and
(d) Identification information: i.e. information we need in order to identify you and complete necessary security checks where you visit one of our buildings.
WHERE DO WE COLLECT PERSONAL DATA FROM?
(a) Personal data that you give us. This is information about you that you provide by (among other things) filling in forms, signing up to our newsletters or events, giving us a business card or CV, or corresponding with us by telephone, post, email or otherwise;
(b) Personal data that the site collects about you. If you visit the site it will automatically collect some information about you and your visit, including internet or other network activity such as the Internet protocol (IP) address used to connect your device to the Internet and some other information such as your browser type and version and the pages on the site that you visit. The site may also download "cookies" to your device or place cookies onto your browser. For a description of the cookies we use on the site, please refer to our separate cookie policy;
(c) Personal data that our other systems collect about you. If you exchange emails or other communications with us, our information technology systems may record details of those conversations, sometimes including their content; and
(d) Personal data collected from other sources. We may collect some information from other sources. For example, if we have a business relationship with the organisation that you represent, your colleagues or other business contacts may give us information about you such as your contact details or details of your role in the relationship.
HOW DO WE USE YOUR PERSONAL DATA?
We may use your personal data for the following purposes:
(a) To operate, manage, develop and promote our business, our funds, as well as the business of our investee companies, and, in particular, our relationship with you or the organisation you represent, including general business administration, accountancy and audit services, and risk monitoring;
(b) To operate, administer and improve our site and premises, including to protect the security of our site and premises;
(c) To protect our business from fraud, money-laundering, breach of confidence, theft of proprietary materials and other financial or business crimes;
(d) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
(e) To comply with our legal and regulatory obligations and bring and defend civil, regulatory and criminal claims; and
(f) With your consent, to contact you with details of SSCP's business, funds and investee companies which we believe you will find relevant and interesting.
WHAT LEGAL BASIS DO WE USE TO PROCESS PERSONAL DATA?
Depending on the nature and purposes of processing being carried out, our basis for processing may include:
(a) Pursuing our legitimate interest or those of a third party. Under the EU GDPR, the UK GDPR and the DPJL, the lawful basis of such processing is Article 6(1)(f) of the EU GDPR (or equivalent provisions in the UK GDPR and/or DPJL, as the case may be) (i.e. the processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights and freedoms which require protection of personal data);
(b) Complying with legal obligations. Under the EU GDPR, the UK GDPR and the DPJL, the lawful basis of such processing is Article 6(1)(c) of the EU GDPR (or equivalent provisions in the UK GDPR and/or DPJL, as the case may be) (i.e. the processing is necessary to discharge a relevant legal or regulatory obligation to which we are subject); and
(c) Performance of a contract. Under the EU GDPR, the UK GDPR and the DPJL, the lawful basis of such processing is Article 6(1)(b) of the EU GDPR (or equivalent provisions in the UK GDPR and/or DPJL, as the case may be) (i.e. the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract).
Generally, we do not rely on consent as a legal basis for processing your personal data, although we will obtain your consent before sending third party direct marketing communications to you, or where your consent is otherwise required under applicable law. You have the right to withdraw your consent at any time by contacting us (see below).
We do not sell your personal information.
We do not envisage your personal data will undergo any automated decision making.
WHO DO WE DISCLOSE PERSONAL DATA TO?
We may disclose personal information about you, where reasonably necessary for the various purposes set out above, to:
(a) The other members of the SSCP group of companies, including our funds, fund partners, and fund administrators;
(b) Third party agents and contractors, including other service providers of a fund, IT and communications service providers, law firms, accountants, auditors, administrators, reference providers, and background check providers. These third parties will be subject to confidentiality requirements and they will only process your personal data as described in this notice (or as otherwise notified to you);
(c) Third parties, where we believe, in good faith, that we are required to access, use, preserve or disclose it in order to comply with any applicable law or regulation, a court or regulatory order or other statutory requirement;
(d) Third parties in connection with investments in, or the sale of, our business or assets or an acquisition of our business (or a part of our business) by a third party. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy; and
(f) Your colleagues within the organisation that you represent.
Some recipients will process your personal data on our behalf as processor. Others will determine the purposes and means of processing of your personal data as controller and may be permitted to disclose your personal data to other parties in accordance with applicable law.
PERSONAL DATA OF THIRD PARTIES
To the extent that you provide us with personal data of third parties, you agree and acknowledge that you have informed them of, and they have agreed to, our use, collection and disclosure of their personal data including the purposes of such use, collection and disclosure of personal data as set out in this notice.
DO WE TRANSFER PERSONAL DATA OVERSEAS?
The disclosures described above may involve transferring your personal data overseas. If you are dealing with us within the European Economic Area (the “EEA”) you should be aware that this may include transfers to countries outside the EEA, including the UK and Jersey. (Equally, if you are dealing with us within the UK or Jersey, you should be aware that we may transfer your data outside of the UK or Jersey.) Some of these countries do not have similarly strict data privacy laws.
We will ensure that any such transfers are carried out in compliance with applicable law, including, where necessary, being governed by data transfer agreements (such as the European Commission approved model clauses) designed to ensure that your personal data is protected on terms approved for this purpose by the European Commission (or UK or Jersey government, as applicable) or as otherwise required under applicable law. If you want to request further information on the specific mechanism used by us when transferring your personal data, please contact us using the details set out in the contact section below.
HOW DO WE SECURE YOUR PERSONAL DATA?
The transmission of information via the Internet is, in general, not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to us via the Internet, and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.
We have procedures in place to deal with any actual or suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
HOW LONG DO YOU RETAIN PERSONAL DATA?
Subject to applicable law, we retain your information for (as the case may be):
(a) As long as it is reasonably required to fulfil the purposes we collected it for;
(b) As long as it is required to perform our contractual obligations;
(c) As long as we have your consent; or
(d) Such period as is required or required by law or regulatory obligations which apply to us.
We will delete your personal data when it is no longer required.
WHAT RIGHTS DO I HAVE IN RESPECT OF MY PERSONAL DATA?
Applicable law may provide you with a number of legal rights in relation your personal data that we process. These rights may include:
(a) A right to know what personal data we process and a right of access to such personal data;
(b) The right to request any incomplete or inaccurate personal data be corrected;
(c) The right to object to our processing of your personal data where we send you direct marketing;
(d) The right to require us to delete your personal data and/or otherwise restrict our processing of your personal data in some circumstances;
(e) The right to object to our processing of some or all of your personal data on grounds relating to your particular situation which are based on legitimate interests, at any time (and require such personal data to be deleted). If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or where it is necessary for the establishment, exercise or defence of legal rights; and
(f) A "data portability" right to require us to transfer your personal data to you or to a new service provider in a structured, commonly used and machine-readable format.
If you wish to exercise any of the rights referred to above, please contact us using the details set out in the contact section below.
We review and verify data protection rights requests. We apply non-discriminatory principles when we action requests relating to your data, in accordance with applicable data protection laws and principles. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We exercise particular care when receiving a request to exercise these rights on your behalf by a third party. We will ensure that the third party is correctly authorised by you to receive the requested information on your behalf.
You also have the right, at any time, to lodge a complaint about our processing of your personal data with the relevant body regulating data protection in your country (for the European Union, details are available here). In the UK, you can lodge a complaint about our processing of your personal information with the office of the UK Information Commissioner (www.ico.gov.uk).
If you do not want SSCP to send you e-mail or postal mail, you can opt out at any time by contacting SSCP by e-mail at gdpr@stirlingsquare.com.
You should be aware that when you are on the site, you could be directed to other websites that are beyond our control. There are links to other websites from the site that may take you outside our service. We cannot guarantee that the privacy policies of these websites meet our standards. You should read the privacy notice of any new website you go to online.
California residents may also request certain information about our disclosure of personal data during the past 12 months, including information about the categories of information we process, the purpose of processing that data, the categories of recipients to which we disclose this information and the source of the information.
HOW DO I CONTACT YOU?
If you would like further information on the collection, use, disclosure, transfer or processing of your personal data, or to exercise of any of the rights listed above, please address questions, comments and requests to gdpr@stirlingsquare.com.
CHANGES TO THIS NOTICE
Any changes we make to this privacy notice in the future will be posted to the site and also available if you contact us. Please check back frequently to see any changes.
This policy was last reviewed/updated: 20 October 2023.
