Effective May 29, 2019


SIH ACA Topco, L.P. and its subsidiaries (hereinafter referred to collectively as “ACA,” “we” or “us”) are committed to respecting your privacy.

ACA has developed this EU GDPR Privacy Notice (this “Notice”) to provide you with additional information regarding how we handle personal information that is subject to the EU General Data Protection Regulation (“GDPR”) and related privacy laws when we are the controller or processor of such information. This Notice supplements the ACA Compliance Group Global Privacy Policy, a copy of which is available at

This Notice explains how we handle the personal information we collect through our website,, and any other website or application where this GDPR Notice is posted (each, a “Site”), the personal information we collect when individuals engage with us or use our products or services (our “Services”), the personal information we receive about individuals as a result of providing Services to our clients, and the personal information we receive from applicants for employment opportunities with ACA, whenever such personal information is subject to GDPR.

For the purposes of this Notice, “personal information” means information relating to an identified or identifiable person who is a resident of the European Union.


ACA Compliance Group

ACA is a leading provider of governance, risk, and compliance advisory services and technology solutions, offering services to firms across the globe. ACA provides services to its clients through one or more operating subsidiaries, all of which do business as ACA Compliance Group.


The Personal Information We Collect

We may collect personal information directly from you, including through your use of the Site, when you contact us or request information from us, when you apply for an employment opportunity with ACA, when you engage us for Services, or as a result of your attendance at one of our conferences. With respect to personal information collected directly by ACA, including through a Site, we are the independent data controller responsible for your personal information. The information we collect directly from you typically consists of your contact information, including your name, address, business affiliation, business title, email address, and telephone number.


We only use, disclose, or otherwise process personal information when we have a lawful basis for doing so under applicable laws, including fulfilling our contractual obligations, complying with legal obligations, protecting the vital interests of a person, furthering our legitimate interests as a company and employer, and otherwise for reasons you have consented to such processing.


For example, we use the personal information you provide directly to us to provide you with the information you requested (for example, ACA blog posts or other informational materials) or to evaluate your application for employment. To the extent required by law, by providing personal information to us, you consent to our use of the personal information as explained herein.

We also may obtain personal information indirectly from or on behalf of our clients. We typically are retained by corporate entities in the financial services industry. In connection with providing Services pursuant to contracts with our corporate clients, we often obtain personal information of our client’s customers, employees and/or agents. This personal information varies based on the Services provided, but may include names, contact information, account numbers and other similar financial data. With respect to personal information that we receive from or on behalf of our clients in order to provide Services, our client remains the independent data controller and ACA acts as a processor of such personal information.


How We Share Personal Information

ACA only shares personal information when it has a lawful basis for doing so, as described above. ACA may share the information that we collect or that you provide to us with our affiliates. We also may share personal information with the following categories of third parties as necessary:


  • Sub-contractors we have engaged in connection with providing Services to our clients.
  • Our professional advisers, including our attorneys and accountants.
  • Our insurers and insurance brokers.
  • Third parties to which we outsource certain services to assist with operating our business, such as IT managed service providers, document shredding services, software providers, information storage providers and other related service providers.
  • Third parties to which our clients have directed us to share information in connection with our Services, such as our clients’ attorneys and accountants.
  • Third-party service providers that assist us with client data analytics.
  • Third-party postal or courier providers that assist us with delivering marketing and other documents to you.


We do not share personal information with unaffiliated third parties, other than for the reasons stated herein.


Third-Party Sub-Processors

As described above, we may provide certain third parties (“Sub-Processors”) with your personal information. Our Sub-Processors process personal information for us at our direction. We conduct reasonably appropriate due diligence on our Sub-Processors and include in our contracts with our Sub-Processors provisions requiring them to keep the personal information confidential, to process the personal information in accordance with our instructions, and to maintain reasonably appropriate information security systems. We may be liable for any unauthorized processing of personal information by our Sub-Processors.

We may appoint new Sub-Processors to assist us with providing Services and/or conducting our business. You can view a list of our current Sub-Processors at We will provide notice to you of the addition of new Sub-Processors by updating this list.


Where We Transfer Personal Information

ACA is primarily located in the United States and the United Kingdom. Depending on the nature of the Services we provide to our client, your personal information could be stored in either or both jurisdictions. ACA also maintains offices in Malta and Hong Kong, and your personal information could be shared with ACA employees in these jurisdictions if required to perform Services.

For transfers of personal information from the European Economic Area (EEA) to the United States, we rely on our U.S.-based entities’ certification of their participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively.


Period of Retention

ACA retains personal information in compliance with our obligations under applicable laws. We may destroy personal information without notice or liability.


Confidentiality and Information Security

ACA is committed to keeping your personal information secure. We have taken reasonably-designed steps to protect personal information from unauthorized access, use or disclosure. We also require our vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially.


Changes to This Notice

We reserve the right to make changes to this Notice, which may reflect changes to our business practices or changes required by law. Any material changes will be reflected in an updated Notice or provided via other means as may be required by applicable law.


How You Can Contact Us

If you have any questions about this Notice or want to exercise any of your rights under this Notice, please contact us at





© 2019 SIH ACA Topco, L.P. All rights reserved.