Privacy Policy

1.   Introduction and legal framework

This Privacy Policy (the “Policy”) explains how SIANDIS, s. r. o., with its registered office at Rybná 716/24, Staré Město, 110 00 Prague 1, Czech Republic, ID No. 08530106, registered with the Municipal Court in Prague, File No. C 320454 (“SIANDIS” or the “Controller”), processes personal data of natural persons. The Policy is based on Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and Czech Act No. 110/2019 Coll., on the Processing of Personal Data, together with other applicable EU and Czech legislation. SIANDIS treats all personal data as confidential and processes them in accordance with the principles laid down in Article 5 GDPR, in particular lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

2.   Role of SIANDIS – controller and processor

SIANDIS may act both as a data controller and as a data processor, depending on the context:

• Controller – especially in relation to:
  - operation, security and optimisation of this Website,
  - SIANDIS’ own accounting and tax obligations,
  - handling of general enquiries and contact requests,
  - HR and recruitment (job applicants, external experts),
  - compliance with statutory record‑keeping obligations.
• Processor – for all OSINT, investigative, due diligence, AML/KYC, crisis investigation, SOCMINT and related mandates carried out solely on the basis of a client’s legal mandate and legal title:
  - the client determines the purposes and legal bases of processing and is the controller,
  - SIANDIS processes personal data only on documented instructions of the client and always verifies that a valid legal title and legal interest (“de lege”) exist,
  - the relationship is governed by a written data processing agreement or equivalent contractual clauses pursuant to Article 28 GDPR.

Unless explicitly stated otherwise, this Policy describes processing where SIANDIS acts as controller, especially in connection with this Website and its own internal agenda.

3.   Categories of data subjects

Depending on the specific context, SIANDIS may process personal data of the following categories of individuals:

• visitors to the SIANDIS Website,
• clients who are natural persons and natural persons acting on behalf of legal entity clients,
• statutory bodies, ultimate beneficial owners (UBOs), politically exposed persons (PEPs) and other persons at all levels of management and decision‑making,
• counterparties and business partners of clients, including their representatives and related persons,
• individuals assessed or otherwise covered by OSINT, investigative, reputational, integrity and AML/KYC due diligence mandates,
• whistleblowers, informants and other third‑party sources of information (where identifiable),
• job applicants, candidates for cooperation and external experts.

4.   Categories of personal data processed

The scope of personal data always depends on the specific mandate and legal basis. Typically, SIANDIS processes in particular:

• Identification data – name, surname, academic title, date of birth, nationality, address, position or function, relationship to a specific entity (e.g. director, UBO, PEP, key decision‑maker, business partner).
• Contact data – postal address, e‑mail address, telephone number, and other contact channels, where applicable.
• Contract and relationship data – information relating to the contractual relationship with clients and suppliers, information on services provided, communications, invoicing and payment records to the extent necessary for accounting and tax purposes.
• OSINT / SOCMINT and analytic data – information from public registers and databases, official records, sanctions and PEP lists, corporate databases, media archives, professional publications, online platforms and social networks, including factual and reputational information, historical conduct and risk factors, as far as lawfully accessible.
• Data from non‑public sources – information provided by clients and their partners, information obtained from specialised paid databases, commercial screening tools and other licensed sources used within the OSINT, due diligence and investigative mandate.
• Investigative and forensic data – audio and video recordings related to interviews, meetings or fieldwork, digital forensic outputs, logs and metadata, provided they are collected and processed in accordance with applicable law and the client’s mandate.
• Technical and usage data – IP address, device identifiers, timestamps, server logs, basic diagnostic and security information, and cookies or similar technologies used when accessing and using the Website.

SIANDIS does not maintain a separate marketing database of personal data and does not use personal data to train generic models or for internal training purposes beyond what is strictly necessary for a given case.

5.   Sources of personal data

Personal data processed by SIANDIS may come from:

• the data subjects themselves (via contact forms, e‑mails, telephone calls, meetings, interviews),
• clients and their contractors, including documents and information shared in the context of specific mandates,
• public sources – public registers (including commercial register, insolvency register, land registry and similar), official lists and databases, professional and sectoral registers, open government data, sanctions and PEP lists, court decisions, media archives and press articles, professional publications, academic sources, online platforms and social media, in compliance with EU and Czech law,
• paid and specialised databases and OSINT / SOCMINT tools – corporate and financial databases, sanctions and risk screening tools, mass data analytics platforms, data leak and dark/deep web monitoring tools, where lawfully used and licensed,
• third‑party information sources – whistleblowers, informants, cooperating partners and other third parties; if they consent to being identified, their identity may be recorded, otherwise such sources are anonymised and referenced only as non‑identifiable source entries.

Wherever the nature of the mandate allows, SIANDIS applies the principle of multi‑sourcing and cross‑verification, i.e. important findings are verified across multiple independent sources to assess their reliability and validity.

6.   Purposes and legal bases of processing

6.1 Processing where SIANDIS acts as controller

As a controller, SIANDIS processes personal data for the following main purposes:

1. Operation and security of the Website
   - ensuring proper technical functioning, stability, security and optimisation of the Website, including logging, incident detection and prevention of abuse;
   - legal basis: legitimate interests of SIANDIS (Article 6(1)(f) GDPR).
2. Handling contact requests and pre‑contractual communication
   - handling general enquiries, evaluating requests for services, preparing offers, clarifying mandates;
   - legal basis: legitimate interests of SIANDIS or steps taken at the request of the data subject prior to the conclusion of a contract (Article 6(1)(b) GDPR).
3. Performance of contracts with clients and suppliers
   - performance and administration of contractual relationships, including communication, delivery of services, billing and enforcement of contractual rights;
   - legal basis: performance of a contract (Article 6(1)(b) GDPR).
4. Compliance with legal obligations
   - accounting and tax obligations, record‑keeping obligations and other statutory duties under EU and Czech law;
   - legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR).
5. Direct marketing to existing clients
   - sending limited and proportionate information about developments in SIANDIS’ services to existing clients, in accordance with Act No. 480/2004 Coll. and applicable e‑privacy rules;
   - legal basis: legitimate interests of SIANDIS (Article 6(1)(f) GDPR), or consent where required.
6. Protection of rights and legal claims
   - protection of SIANDIS’ rights, including prevention and investigation of incidents, fraud and abuse, enforcement and defence of legal claims;
   - legal basis: legitimate interests of SIANDIS (Article 6(1)(f) GDPR).

6.2 Processing where SIANDIS acts as processor

For all OSINT, investigative, due diligence, AML/KYC, crisis investigation and related mandates, SIANDIS acts exclusively as a data processor:

• The client is the controller, defines the precise purpose of processing (e.g. reputational and integrity due diligence of a business partner, AML/KYC screening, internal investigation of suspected misconduct, pre‑transaction risk assessment) and the legal basis (e.g. compliance with legal obligations, legitimate interests, contractual necessity, consent).
• SIANDIS processes personal data strictly:
  - within the scope of the client’s documented instructions,
  - after having verified that a valid legal title and legitimate interest exist,
  - in a way that respects the principle of proportionality and avoids any unjustified interference with the rights and freedoms of individuals.

In the AML/KYC context, SIANDIS performs checks strictly within the scope required by applicable AML/KYC legislation and the client’s internal policies and does not go beyond what is necessary for the mandated risk assessment.

7.   Risk assessment, profiling and automated decision‑making

In the course of its professional activities, SIANDIS uses structured analytic and assessment methods, including:

• risk rating and scoring of entities and relationships (e.g. low/medium/high reputational, integrity or AML risk),
• formulation and evaluation of hypotheses and scenarios, including analysis of potential motives and drivers where these cannot be determined directly,
• use of frameworks such as General mode and NATO 6×6 / Admiralty‑type grading for evaluating the reliability of sources and the credibility of information.

These activities support human expert decision‑making. SIANDIS does not engage in automated individual decision‑making, including profiling, that produces legal effects concerning the data subject or similarly significantly affects them solely on the basis of automated processing (Article 22 GDPR). Final assessments, recommendations and conclusions are always reviewed and approved by qualified human analysts and investigators who carry out the necessary analysis and synthesis of information.

8.   Cookies and similar technologies

The Website may use cookies and similar technologies. Depending on their nature, these include in particular:

• Strictly necessary (technical) cookies – required for the basic functioning, security and correct display of the Website; processed on the basis of SIANDIS’ legitimate interests.
• Preference cookies – e.g. language settings; used only where necessary for the user experience or where consent is provided.
• Analytics / statistical cookies – used to measure Website traffic and improve content and structure; where required by law, these cookies are used only on the basis of the user’s consent, which may be withdrawn at any time.
• Marketing cookies – not used by default. If ever implemented, they will only be used with explicit consent and with clear information about their purpose and providers.

Further details (types of cookies, retention periods, providers) may be set out in a separate cookie notice or cookie banner.

9.   Recipients of personal data

Personal data may be disclosed only to the extent necessary to:

• IT, cloud and hosting providers – including providers of secure communication platforms (such as end‑to‑end encrypted e‑mail), data loss prevention (DLP) tools, backup solutions and security monitoring tools,
• providers of specialised databases and tools – screening databases, OSINT/SOCMINT tools, large‑scale data analytics software, forensic and incident‑response tools,
• external experts and advisors – digital forensic specialists, cyber security experts, legal, tax and compliance advisors and other professional consultants engaged in particular mandates,
• public authorities and supervisory bodies – where disclosure is required by law or valid official request,
• clients and their authorised bodies – as controllers, to whom SIANDIS delivers reports, evidentiary materials and other outputs according to the mandate.

All processors engaged by SIANDIS are bound by written contracts that meet the requirements of Article 28 GDPR, including appropriate confidentiality and security obligations.

10.   Transfers of personal data to third countries

If personal data are transferred to countries outside the European Economic Area, this will only take place where an adequate level of protection is ensured in accordance with Chapter V GDPR, in particular:

• on the basis of an adequacy decision of the European Commission for the relevant country, or
• under standard contractual clauses or other appropriate safeguards recognised by the GDPR.

Information on specific transfers and safeguards can be provided upon request or via the relevant client if SIANDIS acts as processor.

11.   Retention periods

Personal data are retained only for as long as necessary for the purposes for which they are processed and subsequently for the periods required or permitted by law (e.g. limitation periods, statutory record‑keeping periods). Typically:

• Case files and mandate‑related documentation – kept for the duration of the mandate and, as a rule, for up to 10 years after its completion, unless a different period is required by law or contract (e.g. in high‑risk or regulated matters).
• Accounting and tax records – retained for the periods required by Czech accounting and tax legislation (usually 5–10 years).
• Technical logs and security records – retained only for as long as necessary to ensure security, investigate incidents and demonstrate compliance.

Once the relevant period has expired and no further legal ground for retention exists, personal data are either securely deleted or irreversibly anonymised. SIANDIS does not maintain a separate “personal data database” for marketing or training purposes.

12.   Technical and organisational security measures

SIANDIS implements technical and organisational measures appropriate to the risk associated with its activities and the nature of the data processed:

• use of encrypted communication platforms (including end‑to‑end encrypted services such as Proton) for communication with clients and selected partners,
• strict access control based on the need‑to‑know principle, regular review of access rights and logging of access to sensitive systems and data,
• encryption of data both in transit and at rest, segmentation of systems and secure storage of audio/video and forensic evidence,
• deployment of DLP tools and other technologies preventing unauthorised data exfiltration,
• confidentiality obligations for all persons involved in the processing of personal data and clear internal rules for handling sensitive information.

For security reasons, the specific technical details of these measures are not fully disclosed in this Policy; however, the overall level of protection corresponds to the nature and sensitivity of SIANDIS’ services.

13.   Rights of data subjects

Data subjects have the rights granted by the GDPR, in particular:

• Right to be informed – about the processing of their personal data, including the purposes, legal basis, recipients and retention periods.
• Right of access – to obtain confirmation as to whether personal data concerning them are being processed and, if so, to access such data.
• Right to rectification – to have inaccurate or incomplete data corrected.
• Right to erasure – to request deletion of personal data in cases provided for in Article 17 GDPR.
• Right to restriction of processing – to request temporary limitation of processing under Article 18 GDPR.
• Right to data portability – to receive personal data in a structured, commonly used and machine‑readable format, where applicable.
• Right to object – to processing based on legitimate interests, including profiling, and to processing for direct marketing purposes.
• Right not to be subject to solely automated decision‑making, including profiling, that produces legal or similarly significant effects, subject to the conditions laid down in Article 22 GDPR (not used by SIANDIS for such purposes).
• Right to withdraw consent – where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint – with a supervisory authority, in particular the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic.

Where SIANDIS acts as a processor, data subjects typically exercise their rights through the relevant client (controller); SIANDIS will assist the controller in responding to such requests in accordance with Article 28 GDPR.

14.   Contact and updates

Contact details for privacy‑related matters are available in the “Contact” section of the Website. SIANDIS may amend or update this Policy from time to time, in particular to reflect changes in legislation, supervisory guidance or its own processing activities. The current version, including the date of effect, is always available on the Website.

© 2026 Siandis. Made by Noys

contact

Contact us for a confidential consultation. We'll review your assignment and propose next steps.

Siandis

Ke Skalkám 3249/22, Prague 10
+420 723 634 499

+420 211 154 422

office@siandis.cz

Siandis s.r.o.

Praha 1, Rybná 716/24

IČO | 08530106
DIČ | CZ08530106
