Last updated: 14 February 2018

General Data Protection Regulation

On 25 May 2018, the General Data Protection Regulation (“GDPR”) comes into effect in the European Union, replacing the Data Protection Directive 95/46/EC. The GDPR significantly increases the rights of individuals in relation to the protection of their personal data. It also increases the responsibilities of organisations that control and process personal data, and substantially increases the penalties for non-compliance.

At The Red Flag Group, we have always appreciated the importance of data privacy to both our clients and to individual data subjects. Information security and data privacy have long been a key focus of ours, and many of the new obligations imposed on data processors under the GDPR reflect practices that we have followed for many years.

We welcome the GDPR, as it provides clarity and promotes consistency for the protection of personal data, and we are well placed to achieve compliance across our operations from the moment it comes into effect. We are also firmly committed to offering our clients tools and solutions to ensure that their use of our services satisfies their obligations under the GDPR.  

One solution we have developed is a Data Protection Addendum, which specifically addresses all requirements of data processors set out under the GDPR. This Data Protection Addendum also incorporates the European Commission’s Model Contract Clauses, to provide a legitimate mechanism for the transfer of personal data outside the European Economic Area. To obtain a copy of this Data Protection Addendum, please ask your Business Development Director or contact our Privacy Officer at

We will do all that is necessary to assure our clients that we have implemented appropriate technical and organisational measures to protect personal data. We thank you for your continued support.



The Red Flag Group (RFG, “We”, “Our”, “Us”) is an independent integrity and compliance risk firm with a distinct focus on integrity & compliance risk management. As part of our business, we collect information about people and companies.

Our headquarters are located in the Cayman Islands, with major offices in Hong Kong, Dubai, the United States, Australia, and the United Kingdom. Our United Kingdom company is The Red Flag Group (UK) Limited and is registered with the Information Commissioner’s Office under number ZA077245.

The privacy and protection of your data is important to us. This privacy statement applies to and, our Compliance Technology Platform owned and operated by RFG. RFG is providing this statement to describe and explain our information practices and the measures we take to protect your privacy and comply with applicable law and obligations.



This statement covers all types of personal data which RFG holds. This may be that which we hold in our capacity as a 'controller', which may include:

  • individuals and companies identified via a government issued list or media reports that may be of interest to RFG’s clients.

Or, this data may be that which we hold in our capacity as a 'processor', which may include:

  • potential future clients and their employees; or
  • partners of clients who are involved with our clients’ compliance programmes and their employees.

NOTE: A ‘controller’ is an organisation which determines the purposes for which any manner in which any personal data are to be processed. This is contrasted with ‘processors’, which process personal data on behalf of ‘controllers’, and only in accordance with the controller’s instructions. 


As a global company, RFG collects data from many geographical regions and sources. Our policy is to comply with all legislation, using an overarching set of principles to guide us, which we set out in further detail below. 

1. Notice: Where it is our responsibility under applicable law, we notify individuals about the purposes for which we collect and use information about them. This includes information about how individuals can contact us with any inquiries or complaints, the types of third parties to which we disclose the information and the choices and means we offer for limiting its use and disclosure.

2. Choice: Where we hold personal data as a controller, and where required by applicable law, we give individuals the opportunity to choose whether certain technologies are used (i.e. cookies) and whether their personal data will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected. Where we hold personal data as a processor on behalf of a client, we ensure that the personal data is secure and processed in accordance with the instructions of our client.

3. Onward Transfer (Transfers to Third Parties): Other than onward transfer to clients (as discussed in this statement), and other than as described in this Policy, RFG does not share, sell, rent, or trade personal data with third parties in any way. We may share the personal data you provide to us with business partners for services such as a hosting or conducting due diligence investigations. These service providers only use the personal data on behalf of us. We may also disclose personal data as required or permitted by law, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law-enforcement request, or other legal process.

4. Access: Where we hold personal data as a controller and where required by applicable law, we provide the ability for individuals to correct, amend, access or delete personal data held about them where it is inaccurate. You may correct, amend or delete your information by contacting us at We will respond to your request within a reasonable timeframe .We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information for as long as reasonably necessary for the purpose(s) for which the information was collected.

5. Security: We take reasonable technical, administrative and physical steps to protect against unauthorised access to and disclosure of personal data, which may include: 

  •  Security policies. Designing and supporting our products and services according to documented security policies and international standards. Annually assessing our policy compliance and making necessary improvements to our policies and practices.
  • Employee training and responsibilities. Taking certain steps to reduce the risks of human error, theft, fraud, and misuse of our facilities. Training our personnel on our privacy and security policies. Requiring our employees to sign confidentiality agreements. Assigning to an individual the responsibility to manage our information security program.
  • Access control. Limiting access to information to only those individuals who have an authorized purpose for accessing that information. Terminating those access privileges following job change or termination.
  • Data encryption. Ensuring that all electronic transfers of information (including sensitive information such as your login information) are done through encrypted connections via SSL encryption and storing all data is stored on encrypted servers.
  • Review of Vendors. Internal due diligence procedures to review the vendors we select and use.

No method of transmission over the Internet, or method of electronic storage, is 100% secure, however.  Therefore, we cannot guarantee its absolute security. If you have any questions about security on our Web site, you can contact us at

6. Data integrity: We take reasonable steps to ensure that data we collect is reliable for its intended use, accurate, complete, and current. We do not process personal data in any way that is incompatible or inconsistent with the purpose for which such information was collected.

7. Enforcement: We have in place a readily available and affordable independent recourse mechanism so that any complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide. The Red Flag Group has committed to voluntarily and periodically reviewing our privacy and security practices to verify that we are meeting our obligations.



For the purposes of communication and marketing, RFG collects information from our website ( and from third parties.

The information collected may include your personal data, for example contact Information such as name, email address, mailing address, phone number and items which you would like to subscribe to. We obtain address information about you from third party sources, such as the US Postal Service, to verify your address so we can properly ship your order to you and to prevent fraud. We on occasion purchase marketing data from third parties and combine it with information we already have about you, to create more tailored advertising and products.

As is the case of most web sites, we gather certain information automatically and store it in log files. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We do not link this automatically collected data to other information we collect about you.

We send you push notifications from time-to-time in order to update you about any events or promotions that we may be running, but will only do so with your express consent. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we will need to collect certain information about your device such as operating system and user identification information.

You may choose to stop receiving our newsletter or marketing emails by following the unsubscribe instructions included in these emails or you can contact us at

You may receive information about the data collected on you personally by contacting If the data is incorrect you have the right to ask that it is updated.

The personal data we collect may be used to:

  • send you newsletters as part of a regular service;
  • respond to your questions and concerns when you use our ‘contact us’ form;
  • improve the contents of our website and marketing efforts;
  • conduct research and analysis;
  • display content based upon your interests;
  • allow you to subscribe to our announcements, events or magazines.


On our website we use cookies which, for example, make it easier for you to navigate our site and store your password and email address, so you do not have to enter it more than once. We will explicitly request your consent to use cookies on our site. Cookies are also used to collect general usage and volume statistical. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited.

Technologies such as: cookies, beacons, tags and scripts are used by RFG and our partners, affiliates, or analytics or service providers. These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

We and our partners also use Local Storage Objects (LSOs) such as HTML5 to store content information and preferences. Various browsers may offer their own management tools for removing HTML5 LSOs.

We partner with a third party to either display advertising on our Web site or to manage our advertising on other sites. Our third party partner may use technologies such as cookies to gather information about your activities on this site and other sites in order to provide you advertising based upon your browsing activities and interests.  If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click here. Please note this does not opt you out of being served ads. You will continue to receive generic ads.

Where our site includes links to other websites the privacy practices may differ from our own. If you submit personal data to any of those sites, your information is governed by their privacy statements. We encourage you to carefully read the privacy statement of any website you visit.

Our site may also include Social Media Features, such as the Facebook and Twitter buttons and Widgets, such as the Share this button or interactive mini-programs that run on our site. These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Site. Your interactions with these Features are governed by the privacy policy of the company providing it.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit or

To opt out of being tracked by Google Analytics across all websites visit

We also use the information collected to maintain and upgrade our system. Our technical staff may require periodic access to services data to monitor system performance, test systems, and develop and implement upgrades to systems. This services data will generally does not include your personal data. Any temporary copies of services data created as a necessary part of this process are only maintained for time periods relevant to those purposes.


Please click here for our privacy policy for personal data processed via the Compliance Desktop® | Compliance Technology Platform.

If you either work for a client of RFG who has purchased the ComplianceDesktop® technology platform or you work as a partner of such a client, information about you may be held in the platform. In each case, the client who has purchased access is the controller of your data (according to the meaning provided by the EU Data Protection Directive) and RFG is the processor.

It is the responsibility of the client company to request your consent to the information being stored and to inform you of their intentions to use the data and your rights.

Depending on your relationship with the Client, the information collected may include:

  • Your name,
  • Your password,
  • Your role and title,
  • Descriptions of your relationship with the Client, such as conflicts of interest or gifts,
  • Information about policies you have read or training you have taken (including the results of the training)
  • The answers you have given any questions the client has asked you in a questionnaire,
  • The results of due diligence reports which have been collated by RFG or other providers.

As processor of your data, RFG does not use the information except in the case where we have been asked to by our client in order to provide support or advice or to maintain and upgrade a system. For support or maintenance, our technical staff may require periodic access to services data to monitor system performance, test systems, and develop and implement upgrades to systems. We may also access information in an anonymous form for statistical analysis and capacity management. RFG may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the provisions in this Privacy Statement regarding notice and choice and the service agreements with our Clients.

Requests for access, changes or deletion to the information collected about you should be made to the Client who has purchased the ComplianceDesktop® technology platform. If you are unsure of who to contact at the Client, you may contact us at If the Client requests RFG to remove the data, we will respond to their request within 30 days.

RFG will retain information we process on behalf of our Clients for as long as needed to provide services to our Client. RFG will retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.



It is the responsibility of the client company to request your consent for your personal data to be collected, analysed and stored to inform you of their intentions with regards to such personal data and about your rights. In certain situations your consent will not be sought prior to an investigation for example where the processing is necessary for the legitimate interests of the company such as there are reasons of confidentiality or ethics.

Depending on the circumstances, our integrity Due Diligence reports may contain some or all of the following types of information about subject individuals and companies:

  • names;
  • addresses of subjects, including at time photographs;
  • corporate registry information detailing ownership and directorship of companies;
  • media reports including translations and summaries;
  • social media reviews including translations and summaries;
  • transcripts of interviews discussing the reputation of subject companies and individuals.

In addition some reports may contain information of a sensitive nature such as:

  • criminal and bankruptcy records where this information is available from a government agency;
  • media reports of criminal or other court proceedings;
  • educational background;
  • identifying numbers such as passport, driving license or other ID which is used to confirm the identity of subjects.

Our reports may also contain our opinion and analysis the reputation of the subject company.

The information we collect and organise in our reports is used to help clients when making decisions about the reputation and ethical standards of a partner who they currently or potentially may do business with (or a future or current employee). The information by itself does not form part of an automated review, but is typically used in conjunction with other business related criteria to form a decision. RFG may also use the personal data collected during the course of providing our client company with the Due Diligence report for the purposes of providing other of our clients with compliance and corporate governance services and products.



The data may contain some or all of the following types of information about subject individuals and companies – Names, Registration ID numbers, and Media reports of regulatory, bankruptcy, criminal or other court proceedings and company ownership details. This information is stored in a database and provided to clients to screen potential partners.


We will share your personal information with third parties only in the ways that are described in this privacy policy.


In the interests of us further enhancing our services, RFG may share personal data collected for sales and marketing purposes with industry organisations (such as those organisations dedicated to thought leadership in compliance and ethics). In those cases, RFG may provide these organisations with your personal data to alert you to seminars or events which may be of interest to you. RFG will not disclose any personal data to industry organisations unless those organisations exhibit privacy and data protection standards on par with those of RFG. If you would like to opt-out of us sharing your personal data with such organisations please email us at


Circumstances may arise where for strategic or other business reasons RFG decides to sell, buy, merge or otherwise reorganize businesses in some countries. Such a transaction may involve the disclosure of personal data to prospective or actual purchasers, or receiving it from sellers. It is RFG’s practice to seek appropriate protection for personal data in these types of transactions. You will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.


We may disclose personal data if required to do so by law or in the good-faith belief that such action is necessary to comply with legal requirements or with legal process served on us, to protect and defend our rights or property, or in urgent circumstances to protect the personal safety of any individual. We may also share your personal data with third party data processors. Such processors will only process your personal data in accordance with our instructions.


Should you have comments or questions about this statement, you may e-mail us at:

You may also contact us via postal mail at the following address:

The Red Flag Group
2004-06, Bonham Trade Centre
50 Bonham Strand
Sheung Wan, Hong Kong

If we decide to change our privacy statement, we will post those changes to this privacy statement and other places we deem appropriate so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

We reserve the right to modify this statement at any time. When we make only minor modifications, we may do so without notifying you. When we make material modifications, we will notify you here, through a prominent notice on our site or by email (sent to the email address specified in your account) prior to the change becoming effective.