You are here

    • You are here:
    • Home > Privacy Policy

Privacy Policy

At SGG we take privacy and confidentiality matters very seriously, we have developed this privacy policy (hereinafter the “Privacy Policy”) to clearly define our ongoing commitment to protecting privacy rights and to explain how we collect, use and disclose the personal information as required by applicable law or as we require in the course of fulfilling our professional responsibilities and operating our business.

This Privacy Policy is issued by SGG Holdings S.A. (hereinafter “SGG”), a public limited liability SGG (société anonyme) formed under the laws of Luxembourg with registered offices at 412F, Route d’Esch, L-2086 Luxembourg, Grand Duchy of Luxembourg, registered within the Registre de Commerce et des Sociétés in Luxembourg under the number B152.013. It applies to all subsidiaries and affiliates of SGG. The terms "we", “our” or "us" in this Privacy Policy refer to SGG.

1. Definitions

The terms and expressions in capital letters used in the Privacy Policy have the meanings set forth below. Words in singular include the plural and vice versa. These terms and expressions shall always be interpreted according to applicable data protection rules including, but not limited to, the European Union Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as may be amended, replaced or re-enacted (the “Data Protection Legislation”).

Data Subjects”: means natural persons whose personal data is being processed by SGG.

Personal Data”: means any information allowing the direct or indirect identification of an individual.

Technical and Organizational Security Measures”: means measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of Personal Data over a network, and against all other unlawful forms of processing.

2. Collection of Personal Data

a) When does SGG collect your Personal Data?

SGG collects and stores Personal Data relating to Data Subjects having interactions with SGG in accordance with Data Protection Legislation. Data Subjects may include, but are not limited to, the following categories of individuals:

  • representatives, employees, contact persons and any other related individuals of SGG suppliers, third party providers and subcontractors; and
  • employees, shareholders, investors, directors, board members, signatories, contact persons, representatives, beneficial owners and any other related individuals of prospective clients.

The processing of personal data related to employees, shareholders, investors, directors, board members, signatories, contact persons, representatives, beneficial owners and any other related individuals of current customers of SGG is detailed within clause 18 of the SGG Terms of Business, as may be updated from time to time.

b) Types of Personal Data.

Personal Data collected and stored by SGG may include, but are not limited to, the following types of data:

  • identification data (such as name, family name, date and place of birth, gender);
  • contact information (such as phone and fax numbers, home and professional address, email address, country of (tax) residence);
  • other relevant personal details (nationality, citizenship) and about your employment, education, family or personal circumstances, and interests, where relevant;
  • government identification numbers (social security numbers, tax number, copy of ID card);
  • types of services received/provided or of products bought/sold and your objectives in SGG procuring such services;
  • financial and banking information (notably linked to bank account number); and
  • any other Personal Data reasonably related to the conduct of SGG’s business and in particular whether you may represent a politically exposed person or money laundering risk.

Most of the Personal Data we process is information that is knowingly provided to us by Data Subjects. However, please note that in some instances, we may process Personal Data received from a third party with the Data Subjects’ knowledge.

c) Purpose of the processing of Personal Data.

Personal Data shall mainly be processed for the following purposes:

  • the performance of any contractual obligations towards the Data Subjects, including but not limited to, relationship management, managing accounts and providing or receiving products and services. In this respect, we use your personal data for the following:
    • To prepare a proposal for you regarding the services we offer;
    • To provide you with the services as set out in our engagement agreement with you or as otherwise agreed with you from time to time;
    • To handle any request and any complaints or feedback you may have;
    • For any other purpose for which you provide us with your personal data.

In this respect, we may share your personal data with or transfer it to your agents, advisers, banks, intermediaries, and custodians of your assets who you tell us about; third parties whom we engage to assist in delivering the services to you, including other companies in the SGG Group, our professional advisers where it is necessary for us to obtain their advice or assistance, including lawyers, accountants, auditors, IT or public relations advisers; and Our data storage providers. 

  • for compliance with legal obligations, including but not limited to, compliance with applicable commercial law, laws applicable to regulated companies of the financial sector and laws on anti-money laundering and counter terrorist financing, tax identification and reporting (where appropriate) notably under the Luxembourg law of 18 December 2015 on the OECD common reporting standard, as well as compliance with requests from or requirements of regulatory and enforcement authorities. This implies that we will use your personal data To meet our compliance and regulatory obligations, such as compliance with anti-money laundering laws, also As required by tax authorities or any competent court or legal authority, and we may share your personal data with our advisers where it is necessary for us to obtain their advice or assistance, or our auditors where it is necessary as part of their auditing functions, as well as third parties who assist us in conducting background checks, and with any relevant regulators or law enforcement agencies where we are required to do so.
  • for the purposes of the legitimate interests pursued by us or by a third party that are necessary, for instance, for SGG to carry out its daily activities, for fraud and other criminal activity prevention, payment verification, to implement changes in our corporate structure or ownership, to create statistics and tests, to manage risk, litigation (including disputes and collections), accounting, audits, tax returns, for training our staff or monitoring their performance, as well as for direct marketing purposes relating to SGG products and services, including the development of commercial offers by SGG aimed at the Data Subject and in accordance with applicable law applicable to the sending of commercial communications for prospective Data Subjects.

SGG makes sure that only the Personal Data that are necessary to achieve the above-listed purposes are processed.

d) Update of Personal Data.

SGG will endeavor to keep the Personal Data in our possession or control accurate. Individuals providing Personal Data are therefore responsible for promptly informing SGG of any change to their Personal Data.

3. Disclosure of Personal Data

Personal Data will not be shared with third parties, except as provided below.

a) Disclosure of Personal Data.

We may disclose Personal Data to the following categories of recipients:

  • services providers;
  • affiliated companies of SGG;
  • subcontractors; • professional advisors;
  • public authorities and administrations;

SGG may disclose Personal Data in the following circumstances:

  • in the event of a legal request and/or investigation when, in our opinion, such disclosure is necessary to prevent crime or fraud, or to comply with any statute, law, rule or regulation of any governmental authority or any order of any court of competent jurisdiction;
  • on Data Subject’s instruction;
  • if we outsource some or all of the operations of our business to third party service providers, as we do from time to time. In such cases, it may be necessary for us to disclose Personal Data to those service providers. Sometimes the service providers may process some Personal Data on behalf of and under the instructions of SGG. We restrict how such service providers may access, use, disclose, and protect that data;
  • in case of business transfers in the event of the sale or acquisition of companies, subsidiaries, or business units. In such transactions, Personal Data may be part of the transferred business assets but remain subject to the protections in any pre-existing privacy statement;
  • when we believe release is appropriate or necessary to conduct SGG’s business, comply with the law, enforce or apply our policies and other agreements, or protect the rights, property or safety of SGG, our employees if any, or others.

In such circumstances, SGG ensures that Personal Data is kept secure from unauthorized access and disclosure.

b) Transfer of Personal Data.

Data Subjects are informed that certain data recipients may be located outside the territory of the European Union in countries that do not offer a level of protection equivalent to the one granted in the European Union (“Third Countries”). Data transfers to third parties located in Third Countries will be, depending on the nature of the transfer:

  • covered by appropriate safeguards such as standard contractual clauses approved by the European Commission, in which case the Data Subject may obtain a copy of such safeguards by contacting us. In this respect, you are informed that some Personal Data may be transferred to entities of the SGG Group located in a Third Country such as (but not limited to) in Mauritius, Singapore, Hong Kong with such appropriate safeguards; or
  • otherwise authorised under the Data Protection Legislation, as the case may be, as such transfer is consented to by the Data Subject or is necessary for the performance or execution of a contract concluded in the Data Subject’s interest or for the establishment, exercise or defense of legal claims or for the performance of a contract between the Data Subject and us.

4. Data Subjects’ rights in relation to the processing of their Personal Data

a) Rights granted to Data Subjects.

In accordance with applicable law, Data Subjects are granted the following rights with regards to the processing of their Personal Data:

  • the right to request access to their Personal Data stored by SGG; • the right to update or correct any of their Personal Data, if the Personal Data is incorrect or incomplete;
  • the right to oppose to the processing of their Personal Data, on grounds related to their particular situation;
  • the right to request from SGG the erasure of their Personal Data, to the extent such Personal Data (i) are no longer necessary in relation to the initial purpose(s) for which they were collected, (ii) consent, where applicable, has been withdrawn and there is no other means of legitimating the processing of Personal Data, (iii) the Data Subject objects to the processing of the Personal Data, (iv) the Personal Data is unlawfully processed;
  • the right to request the restriction of the processing of Personal Data, if such Personal Data is found to be inaccurate or unlawful, is no longer needed for the purposes of the processing, or should a court decision on a complaint lodged by a Data Subject be pending;
  • the right to data portability;
  • the right to withdraw any consent given in the context of this Privacy Policy;
  • in the event of a dispute between the Data Subject and SGG regarding the processing of Personal Data which failed to be resolved by the parties in an amicable manner, the right to lodge a complaint with the Luxembourg Data Protection Authority (the Commission Nationale pour la Protection des Données - CNPD). Data Subjects not residing in Luxembourg can contact their local Data Protection Authority.

SGG will respond to individual complaints and questions relating to privacy and will investigate and attempt to resolve all complaints. SGG will only be able to answer favorably to any of the above requests related to the right to oppose, right of erasure and right of restriction provided that it does not interfere with or contradict a legal obligations of SGG (e.g a legal obligation to keep the related Personal Data) or due to any other impediment that would justify that SGG would not be able to grant such requests.

SGG undertakes to handle each request by a Data Subject free of charge and within a reasonable timeframe.

b) How to exercise such rights.

Data Subjects can exercise the rights mentioned above or challenge compliance with this Privacy Policy, by contacting SGG by email at the following address:

5. Data retention

SGG undertakes not to use the Personal Data for purposes other than those for which it has been collected and that such information shall not be stored for a period longer than necessary for the realization of such purposes.

Retention periods shall, in any case, be compliant with any applicable law and proportionate to the purposes of the processing.

6. Technical and Organizational Security Measures

Ensuring that Personal Data is appropriately protected from data breaches is a high priority for SGG.

SGG implements adequate Technical and Organizational Security Measures, such as, depending on the equipment, password protection, encryption, physical locks, etc., to ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected.

7. Internal training program

All SGG employees having access to Personal Data are provided with specific training programs in order to improve their practical skills and knowledge that relate to data protection issues. Privacy training programs are an integral part of professional development within SGG.

8. Amendment

SGG reserves the right to change, supplement and/or amend this Privacy Policy at any time.

In such case, notification will be given by email, or any other methods allowed by the Data Protection Legislation.

9. Contact

SGG has set up a Group Information Security Committee in charge of privacy compliance management and appointed a group Data Protection Officer in order to manage and monitor our compliance with data protection obligations. You may contact SGG Group Data Protection Officer for any question or queries you may have regarding this Privacy Policy, or if have any questions about how we use your personal data, or you wish to exercise any of the rights set out above, please contact us by email at or by post at

General Counsel
SGG Group,
412F route d’Esch
L-2086 Luxembourg

10. Candidate privacy notice

View our candidate privacy notice here (pdf)