Data Privacy Notice

Data Controller Statement

SSG Recruitment Partnerships Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR).

We are registered with the Information Commissioner's Office (ICO), registration number: Z9974787

Introduction

SSG Recruitment Partnerships Ltd is committed to protecting your personal data and handling it in a lawful, fair, and transparent manner.

This Privacy Notice explains how we collect, use, store, and share your personal data as part of our onboarding, launch and support processes.

As a UK-based organisation and an Authorised Corporate Service Provider (ACSP) supervised by HMRC, we are legally required to comply with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Money Laundering Regulations 2017
• Applicable Anti-Money Laundering (AML) and Know Your Customer (KYC) obligations

Please read this notice carefully and contact us if you have any questions.

1. Our Contact Details

• Organisation Name: SSG Recruitment Partnerships Ltd
• Registered in England and Wales No. 04834923
• Registered Address: 2nd Floor, 2 The Waterhouse, Waterhouse Street, Hemel Hempstead, Hertfordshire, HP1 1ES
• Data Privacy Contact: Ani Anaz
• Telephone: 01442 200940
• Email: hello@ssgpartnerships.co.uk

2. Personal Data We Collect

To fulfil our legal obligations as an ACSP and to support the launch process, we collect and process the following categories of personal data:

2.1 Identification & Verification Data

• Full name and any previous names
• Date of birth
• Current and previous residential addresses
• Proof of address documentation
• Government-issued identification (passport, driving licence)
• Credas verification data, including ongoing sanctions checks
• Directors' and PSC's unique identification details (UID)

2.2 Background & Financial Information

• Credit history and reports
• Credit information obtained from credit reference agencies where required for compliance or risk assessment purposes
• Directorship and professional history
• National Insurance number
• Tax and HMRC-related data where required

2.3 Contact & Operational Information

• Email address and telephone number
• Information provided via pre-launch forms
• Business information required for company formation or launch

We may also collect additional information voluntarily provided in the context of onboarding or verification.

Providing certain personal data is required to meet our legal obligations under anti-money laundering regulations. Where required information is not provided, we may be unable to proceed with onboarding or the provision of our services.

3. How We Obtain Your Data

3.1

We collect personal data directly from you and through:

• Credas and other identity verification tools
• Referees (where relevant and permitted)
• Credit reference agencies
• Approved third-party partners involved in the launch process
• HMRC and regulatory resources (where required)
• Public registers, including Companies House, sanctions registers and professional networking platforms (such as LinkedIn)

3.2 Credit Reference and Affordability Checks

To help us assess applications, prevent fraud, and meet our legal and regulatory obligations, we may obtain information about you from credit reference agencies (CRAs).

We obtain this information via Creditsafe, which uses its data partner TransUnion to supply consumer credit and identity data.

• Creditsafe Business Solutions Limited is authorised and regulated by the Financial Conduct Authority — FCA Firm Reference Number: 742313
• TransUnion International UK Limited is authorised and regulated by the Financial Conduct Authority — FCA firm reference number: 805757

The information we receive may include data relating to your identity, credit commitments, payment history, and public record information. This data is used solely for legitimate business purposes, including creditworthiness assessment, identity verification, and fraud prevention, in accordance with applicable data protection laws.

Further information about how Creditsafe and TransUnion process your personal data can be found in their respective privacy notices:

• Creditsafe Privacy / Transparency Notice: Transparency Notice | Customers & Suppliers
• TransUnion CRAIN (Credit Reference Agency Information Notice): https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference
• TransUnion Bureau Privacy Notice: https://www.transunion.co.uk/legal/privacy-centre/pc-bureau

4. Lawful Bases for Processing

We process your personal data under the following lawful bases:

• Legal Obligation — to comply with AML/KYC and regulatory requirements under the Money Laundering Regulations 2017
• Contractual Necessity — to provide onboarding, launch, and related services
• Legitimate Interests — for internal administration, risk management, fraud prevention, and system security. Where we use legitimate interests, we ensure these interests are balanced against your rights and freedoms.
• Consent — where required for specific optional services or processing activities

5. How We Use Your Personal Data

We may use your data for the following purposes:

• Conducting AML/KYC identity verification and due diligence
• Meeting our obligations as an ACSP
• Supporting company launch and associated processes
• Maintaining accurate internal records
• Facilitating regulatory and compliance requirements
• Communicating with you regarding onboarding, compliance, or account management
• Communicating with you about services or products relevant to your business
• Recording, transcribing, and summarising meetings and calls using AI-enabled tools to support accurate record-keeping, onboarding, and service delivery

You may opt out of marketing communications at any time by contacting us or using the unsubscribe link provided.

As part of compliance screening:

• We may receive risk scores or alerts generated through automated systems operated by verification providers
• All decisions are subject to human review

We do not sell your personal data.

6. Sharing Your Personal Data

We may share your data with:

6.1 Third-Party Service Providers

Including:

• Credas (identity verification)
• Credit reference agencies
• Recruitment insurance providers
• Factoring providers
• Other service partners

Depending on the processing, these organisations may act as either data processors or independent data controllers. Where they act as independent controllers, their own privacy notices will apply.

6.2 Regulatory Authorities

• HMRC
• Companies House

In certain circumstances we may be legally required to make disclosures to law enforcement, regulatory bodies or the National Crime Agency under applicable anti-money laundering legislation. Where such disclosures are made, we may be prohibited by law from informing you.

6.3 Professional Advisors

Legal, audit, and compliance advisors where necessary

6.4 Legal Requirements

Where disclosure is required by law, court order, or law enforcement

7. Data Retention

Retention periods are determined in accordance with statutory obligations, regulatory requirements, and our internal data retention policy.

• AML/KYC records: 7 years from the end of the business relationship
• Where no relationship is established: 5 years from decision date
• Other data: retained only as long as necessary for the purposes set out in this notice
• In limited circumstances, records may be retained for longer where required by law or where necessary for the establishment, exercise or defence of legal claims.

Data is retained solely to:

• Comply with legal obligations
• Establish, exercise, or defend legal claims

Data is securely deleted or anonymised when no longer required.

8. International Data Transfers

Some of our technology, communication and AI service providers may process personal data in jurisdictions outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK data protection law. These may include:

• Transfers to countries subject to a UK adequacy regulation
• The UK International Data Transfer Agreement (IDTA)
• The UK Addendum to the EU Standard Contractual Clauses

9. Identity Verification and Automated Screening

As part of our legal obligations under the Money Laundering Regulations 2017 and our role as an Authorised Corporate Service Provider (ACSP), we use accredited third-party providers (including Credas) to carry out identity verification and compliance screening.

These providers use automated technology to support:

• Identity verification
• Sanctions and Politically Exposed Person (PEP) screening
• Fraud detection
• Risk assessment and due diligence checks

These processes may generate risk indicators, alerts, or scores. We receive the results of these checks, including any associated risk indicators.

Where these results indicate a potential issue (for example, a possible match to a sanctions or PEP list), we carry out additional checks and ensure that a member of our team reviews the information before making any decision.

All onboarding and business relationship decisions are reviewed by appropriately trained personnel within SSG Recruitment Partnerships Ltd. We do not make decisions based solely on automated processing where this would have legal or similarly significant effects on you.

We use these tools to meet our legal and regulatory obligations, manage risk, and comply with anti-money laundering and counter-terrorist financing requirements. The results of these checks help us assess identity and risk and may affect whether we can proceed with onboarding.

9.1 Use of AI Notetaking Transcription Tools

We use AI-enabled tools, including Fireflies.ai, to record, transcribe, and summarise meetings, calls, and interactions where appropriate.

These tools are used to support:

• Accurate note taking and record keeping
• Internal administration
• Onboarding and service delivery processes

Where these tools are used:

• Participants will be informed that recording or transcription is taking place
• Audio, transcripts, and AI-generated summaries may be created
• Outputs are reviewed by our personnel and are not relied upon solely

We rely on legitimate interests to use these tools, namely improving efficiency, accuracy, and record-keeping, while ensuring this does not override your rights.

We apply the following safeguards:

• Access to recordings and transcripts is restricted to participants and authorised personnel
• Data is retained only for as long as necessary in line with our retention policy
• Appropriate technical and organisational security measures are applied

Fireflies.ai acts as our data processor when providing transcription and meeting note services.

Where personal data is transferred outside the UK, appropriate safeguards (such as the UK IDTA or Standard Contractual Clauses) are used.

9.2 Use of other AI tools

We use AI-assisted technologies including large language model (LLM) systems and automated transcription tools to support document review, contract analysis, onboarding administration, meeting transcription, customer support interactions, and operational efficiency.

These systems may process personal data contained within documents, communications, meeting recordings, and onboarding materials under our instructions.

We do not permit AI providers to use customer or onboarding data to train public AI models unless expressly authorised and appropriate safeguards are in place.

AI-generated outputs are reviewed by appropriately trained personnel and are not relied upon as the sole basis for decisions affecting individuals.

10. Biometric Identity Verification

Biometric verification (for example, facial recognition or NFC passport verification) may be offered as part of the identity verification process.

• Its use is optional
• Alternative methods are available

If you choose to use biometric verification:

• The processing is carried out by our third-party provider
• We do not receive or store your biometric data
• We receive only the outcome of the verification process

In some cases, the identity verification providers we use may act as independent data controllers for activities such as biometric processing and fraud detection. This means they are responsible for how they use your personal data for those purposes.

Where this applies, Credas' privacy notices will explain how your personal data is collected, used, and protected.

Biometric verification is used only for identity verification and fraud prevention in line with our legal obligations under the Money Laundering Regulations 2017. Where the biometric verification option is chosen, biometric processing is carried out by the verification provider on the basis of your consent and, where applicable, your explicit consent for special category biometric data.

11. Your Rights

Under UK GDPR, you have the right to:

• Access your data
• Correct inaccuracies
• Request erasure (where applicable)
• Restrict processing
• Object to processing
• Request transfer of your data (data portability)
• Withdraw consent (where applicable)
• Make a complaint at any time

To exercise your rights, raise a concern or ask any questions about this notice or your data, please contact us at: privacy@ssgpartnerships.co.uk

You may also complain to:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk
0303 123 1113

12. Data Breaches

We maintain a Data Breach Response Plan.

Where required by law, we will notify:

• The ICO within 72 hours of becoming aware of a notifiable breach
• Affected individuals where necessary

13. Business Changes

If SSG undergoes a merger, acquisition, or restructuring, personal data may be transferred under this notice.

14. Changes to This Privacy Notice

We may update this notice periodically.

The latest version will always be available upon request.