PRIVACY POLICY

Introduction

Charlesworth Sykes Limited ("Charlesworth Sykes", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, protect, and otherwise process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable privacy legislation.

For the purposes of applicable data protection legislation, Charlesworth Sykes Limited is the Data Controller in respect of the personal data described within this Privacy Policy.

Company Registration Number: 11173335

Registered Office: 33 Mossop Street, London SW3 2NB

Privacy Contact: Christopher Sykes

Email Address: cs@charlesworthsykes.com

Telephone Number: +44 7802225960

Should you have any concerns regarding our processing of your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Our Commitment to Privacy and Security

We take the protection of personal data seriously and implement appropriate technical and organisational measures designed to ensure the confidentiality, integrity, availability, and resilience of personal information entrusted to us.

Personal data is processed only where a lawful basis exists and is handled in accordance with recognised security and privacy principles, including data minimisation, purpose limitation, storage limitation, accuracy, integrity, confidentiality, and accountability.

All employees, contractors, agents, and third-party processors handling personal data on our behalf are subject to confidentiality obligations and appropriate security requirements.

Information We Collect

We may collect and process the following categories of personal data:

Information Provided Directly by You

● Name
● Job title
● Employer details
● Email address
● Telephone number
● Postal address
● Information provided through contact forms, correspondence, surveys, or business enquiries

Information Collected Automatically

When visiting our website, we may collect:

● IP address
● Browser type and version
● Device information
● Operating system
● Time zone settings
● Website usage statistics
● Pages visited
● Referring websites
● Session information and interaction data

Information Obtained from Third Parties

Where permitted by law and necessary for legitimate business purposes, we may receive personal information from:

● Publicly available sources
● Professional advisers
● Business partners
● Clients
● Regulatory or professional bodies
● Due diligence and background verification providers

Lawful Basis for Processing

We process personal data only where permitted by law. Depending upon the circumstances, processing may be based upon:

● Your consent.
● Performance of a contract.
● Compliance with legal or regulatory obligations.
● Legitimate business interests.
● Establishment, exercise, or defence of legal claims.

Where consent is relied upon, consent may be withdrawn at any time. Withdrawal will not affect the lawfulness of processing undertaken prior to withdrawal.

How We Use Personal Information

We may use personal information for the following purposes:

● Responding to enquiries and requests.
● Providing professional services.
● Managing client relationships.
● Conducting supplier due diligence and assurance activities.
● Performing executive vetting, background verification, and business integrity assessments where instructed by clients.
● Managing contractual obligations.
● Maintaining website functionality and security.
● Detecting and preventing fraud or unlawful activity.
● Complying with legal, regulatory, and professional obligations.
● Improving services and business operations.
● Marketing communications where consent has been provided or another lawful basis applies.

Higher-Risk Processing Activities

Where we undertake higher-risk processing activities, including executive due diligence, background verification, integrity assessments, or similar investigations, we implement enhanced safeguards proportionate to the sensitivity of the information being processed.

Where required by law, Data Protection Impact Assessments (DPIAs) will be conducted prior to commencing such activities.

Information Sharing and Third Parties

We do not sell personal information.

Personal data may be shared only where necessary and proportionate with:

● Approved service providers.
● Professional advisers.
● Technology and cloud service providers.
● Background verification and due diligence providers.
● Regulatory bodies.
● Law enforcement agencies.
● Courts or competent authorities.
● Auditors and compliance assessors.

All third-party processors acting on our behalf are subject to written contractual agreements requiring them to:

● Process personal data only in accordance with our instructions.
● Implement appropriate security controls.
● Maintain confidentiality.
● Notify us of security incidents where required.
● Comply with applicable data protection legislation.

Charlesworth Sykes remains accountable for ensuring that third-party processors acting on its behalf comply with applicable data protection obligations.

International Data Transfers

Where personal data is transferred outside the United Kingdom, appropriate safeguards will be implemented in accordance with UK GDPR requirements.

Such safeguards may include:

● UK International Data Transfer Agreements (IDTAs).
● International Data Transfer Addendums.
● Adequacy Regulations.
● Other legally approved transfer mechanisms.

Details of applicable safeguards are available upon request.

Information Security

We maintain a comprehensive information security programme designed to protect personal information from unauthorised access, disclosure, alteration, loss, destruction, or misuse.

Security measures may include:

● Role-based access controls.
● Multi-factor authentication.
● Encryption of data in transit and at rest where appropriate.
● Secure backup procedures.
● Vulnerability management.
● Security monitoring and incident detection.
● Staff security awareness training.
● Third-party supplier assurance activities.
● Secure disposal and destruction processes.

Whilst no system can guarantee absolute security, we continuously review and improve our controls to reduce risk and maintain appropriate protection.

Data Retention

Personal information will be retained only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, enforce agreements, and support legitimate business requirements.

Unless a longer retention period is required by law or regulatory obligation:

● General business enquiries will typically be retained for up to 24 months.
● Client engagement records will be retained for the duration of the engagement and applicable legal retention periods.
● Executive due diligence and background verification information will normally be retained for no longer than 12 months following completion of the engagement unless otherwise required by law, contractual obligations, legal proceedings, or legitimate business requirements.

Upon expiry of retention periods, personal information will be securely deleted, anonymised, or otherwise disposed of in accordance with our retention procedures.

Your Rights

Subject to applicable legal limitations, you have the right to:

● Be informed about how your personal data is processed.
● Access your personal data.
● Correct inaccurate information.
● Request erasure of personal information.
● Restrict processing.
● Object to processing.
● Request portability of personal data.
● Withdraw consent.
● Object to direct marketing.
● Challenge decisions based solely upon automated processing where applicable.

Requests relating to these rights should be submitted using the contact details provided within this Privacy Policy.

Automated Decision-Making

Charlesworth Sykes does not ordinarily make decisions producing legal or similarly significant effects based solely on automated processing.

Should this position change, affected individuals will be informed of the nature of the processing, its significance, and their rights under applicable legislation.

Policy Governance

This Privacy Policy is reviewed periodically to ensure ongoing compliance with applicable legal, regulatory, contractual, and business requirements.

Policy Owner: Data Protection Lead

Approved By: Executive Management

Review Frequency: Annually

Last Review Date: 09 JUNE 2026

Version: 1.00

The latest version of this Privacy Policy will always be available on our website.