Last updated 17th November 2022

Company means ‘FCS Compliance Ltd’
GDPR means the EU General Data Protection Regulation 2016, as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018, and the UK Data Protection Act, 2018
Responsible Person means James Golfar
Register of Systems means a register of all systems or contexts in which personal data is processed by the Company.

All defined terms not defined specifically in this document have the same meaning as in the GDPR.

1. Introduction

This Data Protection Policy sets out how the Company (“we”, “our”, “us”) handle your personal data. The Company respects your privacy and is committed to protecting your personal data. This Data Protection Policy will inform you as to how we look after your personal data as clients of the Company and tell you about your privacy rights and how the law protects you.

2. Data protection principles

The Company is committed to processing data in accordance with its responsibilities under the GDPR.

As an organisation we must make sure that we:

a) are legally entitled to process the information under data protection law (“lawful grounds”);

b) are transparent with individuals about what personal data we process and why (“transparency”);

c) do not use personal data for any purpose other than for which it is collected (“purpose limitation”);

d) collect the minimum personal data needed for the purpose it is collected (“data minimisation”);

e) keep personal data accurate and up to date (“accuracy”);

f) respect an individual’s data subject (“data subject rights”);

g) keep personal data secure both when using internally and when sharing with third parties (“security”);

h) only transfer data outside of the UK (or allow access to it from outside of the UK) if we have put in place appropriate data transfer arrangements (“data transfers”);

i) build data protection compliance (i.e. compliance with the above principles) by way of implementing appropriate technical and organisational measures into any new project that involves personal data processing or new use of personal data (“data protection by design”); and

j) can demonstrate compliance with data protection principles (“accountability”).

3. General provisions

a) This policy applies to all personal data processed by the Company.

b) This policy shall be reviewed at least annually.

4. Lawful, fair and transparent processing

a. To ensure its processing of data is lawful, fair and transparent, the Company shall maintain a Register of Systems.
b. The Register of Systems shall be reviewed at least annually.
c. Individuals have the right to access their personal data and any such requests made to the company shall be dealt with in a timely manner.

5. Lawful purposes

a. All data processed by the Company must be done in accordance with one of the following lawful bases as appropriate: consent, contract, legal obligation, vital interests, public task or legitimate interests.

The lawful bases we principally rely on are the following:

b) Contract: Where we process personal data to fulfil a contractual arrangement with the client. We will process personal data to allow regulated firms who are clients of the Company to undertake Customer Due Diligence and therefore comply fully with its legal obligations in relation to the Legislation namely the Money Laundering, Terrorist Financing and Transfer of Funds (information on the Payer) Regulation 2017.

Data will be collected from when you first request information from FCS Compliance, book to attend training or an event, provide us with your business card or purchase any service and become a client. When you order services from FCS Compliance, you may be asked for further data such as your banking details.

c) Consent: This is where we have asked you to provide explicit permission to process your personal data.

In those circumstances where it is necessary to rely on consent we will make sure that consent is:

i) Given affirmatively (such as ticking a box or signing a document) – we cannot rely on ‘inaction’ as a way of obtaining consent (e.g., no pre-ticked boxes);

ii) Freely given and retractable at any time – it must be as easy to withdraw as to give consent;

iii) Not ‘tied’ or ‘bundled’ i.e. conditional on accepting services/offers; and

iv) Documented so we demonstrate we have obtained consent lawfully.

Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.

d) Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the systems.

e) Legitimate interests: Your personal data may be used to send you, by post or by email, any FCS Compliance publications including updates and renewal reminders. We will require you to supply an email address for confirmation and administration purposes, however, when capturing your email address you may also be offered the chance to opt-in to receive other email promotional communications. If you do not ask to be sent these communications, you will only receive email for administration purposes.

Your data may also be used by FCS Compliance for other marketing, advertising and promotional purposes where we will personalise and improve your experience in doing business with us. These promotions may advertise FCS Compliance’ events, training or other services. You may opt out of any such future usage by contacting us on +44 (0)207 924 7979.

You may at any time opt-out of any future FCS Compliance communication, digital or non-digital, promotional or non-promotional. If you wish to opt out of receiving postal communications, please contact us on +44(0)207 924 7979. You may opt out of email communication, you can also use the ‘Unsubscribe’ links provided.

6. Data minimisation

a) The Company shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

7. Data sharing with third parties

a) In order to assist with certain aspects of the CDD process e.g. verification of documents, Politically Exposed Persons and Financial Sanctions the Company will utilise the services of the online verification company W2 Global Data. The Privacy Policy of this third party can be found at:

b) Unless obliged to do so by law, FCS Compliance will not sell, rent, lease or otherwise share your personal data with other third parties, unless you have provided your specific, positive and unambiguous consent.

c) If personal data of an individual is shared with a third party or a third party shares personal data with the Company, we will make sure that a mechanism is in place to communicate with each other about any requests to restrict, delete or correct personal data unless this would be impossible or involve disproportionate effort.

8. Accuracy

a) The Company shall take reasonable steps to ensure personal data is accurate.

b) Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

9. Archiving

a) To ensure that personal data is kept for no longer than necessary, the Company has put in place an archiving policy for each area in which personal data is processed and review this process annually.

b) The archiving policy sets out what data should/must be retained, for how long, and why.

c) At the date of drafting this Policy any record or personal data accumulated as a result of undertaking the CDD process on behalf of a third party shall be destroyed within 7 days of providing the third party with the information.

10. Security

a) The Company ensures that personal data is stored securely using modern software that is kept-up-to-date.

b) Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.

c) Personal data will not be shared with anyone or any organisation (including our service providers) unless appropriate contractual arrangements have been put in place or the disclosure is otherwise permitted under data protection law.

d) If personal data is collected for a particular purpose, we will always consider whether we could achieve the same purpose with anonymised data. If not, wherever possible personal data will be pseudonymised (i.e. masked, hashed or otherwise concealed) and/or encrypted. The more confidential the information the higher the security standards will need to be to protect it.

e) When personal data is deleted this should be done safely such that the data is irrecoverable.

f) Appropriate back-up and disaster recovery solutions shall be in place.

11. Data transfers

 As mentioned above, personal data will not be transferred outside of the UK, unless the transfer is:

a) To a country approved by the UK (and/or to the extent relevant EU) authorities as having adequate data protection laws to protect the personal data; or

b) To an organisation that has entered into a data transfer agreement with us (based on UK and/or to the extent relevant an EU supervisory authority’s approved standard contracts);

c) To an organisation that has its “binding corporate rules” for the relevant type of data approved by the UK Information Commissioner’s Office and/or to the extent relevant the EU supervisory authority.

12. Data protection design and accountability

a) We will build data protection compliance into our processes and systems from the outset of any new processing activity and during the life cycle of the relevant data processing activity.

b) The GDPR requires us to document how we comply with our data protection obligations (this is referred to as accountability). We do this on an ongoing basis through our Register of Systems, during compliance audits and/or when our data protection policies or procedures require us to document our compliance steps.

13. Cookies

A cookie is a small piece of data that is sent from our web server to your browser when you visit It is stored on your hard drive. There are several types of cookie that are used to keep track of information needed by a site user as they travel from page to page within a website.

Other types of cookie can be used to track internet activity after the user has left a website. These are normally facilitated by organisations external to the website being visited and are generally known as ‘third party’ cookies. These usually have a long lifetime with several months being quite common. They are “harvested” and “refreshed” whenever the user visits a page where the same or a similar cookie is being used.

We use cookies to offer you a better user experience, and we may also include elements that set cookies on behalf of a third party – for example a “Like” button from Facebook or a #Tweet# button from Twitter. We also use Google Analytics to measure and analyse visitor information related to our website. For that purpose, your IP address, internet traffic data and data on your browser type and PC are collected. We will not use any of this data to identify you personally, it is used only to monitor and improve FCS Compliance and its website.

You can review the options available to manage cookies in your browser and you may revoke your consent at any time via the options available in your browser. Internet browsers normally accept cookies by default, but it is possible to set a browser to reject cookies. If this is done it is important not to exclude the benign and useful cookies. Choose an option that rejects all third party and long-lived cookies. Different browsers use different ways to disable cookies, but they are usually found under a Tools or Options menu. You can also consult the browser’s help menu.

FCS Compliance actively reviews ICO guidance to ensure ongoing compliance with the ICO’s recommendations and best practices in relation to cookie policies. This will ensure you are able to prevent information about your visit to our website being collected, if you wish. Further information on cookies can be accessed here:

14. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Company shall promptly assess the risk to data subject’s rights and freedoms and if appropriate report this breach to the ICO and/or the data subject (more information on the ICO website).

FCS Compliance reserves the right to modify, alter or otherwise update this Policy at any time. For further Terms and Conditions, please visit:

FCS Compliance is registered with the Information Commissioners Office: Reg no: ZA498569/

Data subject’s rights

Unless subject to an exemption under the GDPR data subjects have the following rights with respect to your personal data:

a. The right to request a copy of your personal data which we hold about you;

b. The right to request that we correct any personal data if it is found to be inaccurate or out of date;

c. The right to request your personal data is erased where it is no longer necessary for us to retain such data;

d. The right to withdraw your consent to the processing at any time where consent is relied on by us as a processing condition;

e. The right to request that we provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller (known as the right to data portability), where applicable

f. The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;

g. The right to object to the processing of your personal data (where applicable);

h. The right to lodge a complaint with the Information Commissioner’s Office.

Contacts and further information

For questions and complaints from individuals about our processing of their personal data or requests from individuals seeking to exercise their data subject rights, please refer to:

The Contact Person

James Golfar

020 7924 7979


This is without prejudice to the right of individuals to make a complaint to the Information Commissioner’s Office ( or the data protection supervisory authority in the EU country in which you live or work where you think that we have not complied with data protection laws.


Further information in relation to all of the above can be found on the ICO’s website: