This is the privacy notice for Themis International Services Ltd, incorporated in England, with company number 11733141, of 1-2 Paris Garden, London, SE1 8ND.
Registered address: Castle House, Castle Street, Guildford, GU1 3UW, UK.
We are a risk management firm specialising in financial crime. We provide the following services:
Data Protection Officer (DPO): dpo@wearethemis.com
This notice explains what personal data we collect in connection with the provision of our Services, why we need that data, and how we use it.
We do not share personal data with 3rd parties other than in specific sponsor cases outlined later in this document. This notice should make clear exactly when and to whom data may be transferred.
Our website provides a small number of links to other websites, which are beyond our control. We encourage you to read the privacy statements on the other websites you visit.
We might need to change this privacy notice from time to time. We will publish our privacy notice on our website (available at wearethemis.com) and we will do our best to update you directly if we think the changes might materially affect you. Please do keep an eye on our notice before giving us any personal data.
Our websites include:
Cookies are small data files that websites store on your device. They help websites remember preferences and understand how visitors use different features. Most browsers automatically accept cookies, but you can usually change your browser settings to decline them. This may affect how parts of our website work.
These are required for our website to function – for example, enabling secure login or remembering your cookie preferences. They do not require your consent.
These help us understand how visitors use our site, so we can improve it. We only set these once you select “Accept” via our cookie banner.
These remember your preferences and recognise you when you return, including functionality from third-party services. We only set these once you select “Accept” via our cookie banner.
These record your visit to our site so we can make advertising more relevant to you and measure how effective it is. Where you consent, we share this information with third parties, such as our advertising and social media partners, for this purpose. We only set these once you select “Accept” via our cookie banner.
When you first visit our site, you will see a banner offering “Accept”, “Reject All”, or “Customise”. Non-essential cookies (analytical, functionality, and marketing) are only set on your device if you choose to accept them. You can change your choice at any time using the cookie settings link in our website footer.
Themis collects details from event attendees, event recordings, newsletter subscribers and subscribers of our Products where they have agreed to and accepted our data privacy policy.
Separately, we also may identify people who are likely to find our events or products useful for their jobs by looking for source business contact details and information about an individual’s job role on publicly available resources and business websites.
Our team will use those business contact details to send event invites and emails about relevant industry news.
We always include an unsubscribe link at the bottom of any such email which we send, so that you can let us know if you do not wish to receive any further marketing emails.
Our lawful basis for using personal data in this way is that it is necessary to protect our legitimate interest in promoting our business.
If you sign up to an event:
If you are speaking at one of our events:
We will use personal data that we collect from clients (which may include details of our clients’ staff) who have subscribed to receive our Services, in the following ways:
If you contact us directly about a job, we will use the information you provide us with to assess your suitability for the role and progress your application. Data we will require includes contact details, your curriculum vitae, your previous experience, education and answers to questions relevant to the role you have applied for. Our HR team and the hiring manager for the role will have access to this data.
We will only share your data with contracted third parties if it is necessary for the recruitment process and will notify you at the time. We will never sell your data or use it for marketing purposes. If we need to securely process the data in another country, we will let you know before the transfer happens.
If your application is not successful, unless you ask us to retain your data for other opportunities in the future, we will store your details for six months to help with any questions, before securely deleting or anonymising the data.
If your application is successful, we will need to complete employment checks for legal reasons, to verify your right to work in the country and to verify your previous employment references.
We will only process such data to the extent required to achieve our legitimate interest of maintaining a workforce for our business.
A copy of our Data Retention Policy, which sets out the periods for which we hold personal data, is available from the DPO on request at dpo@wearethemis.com.
Security of personal data is very important to us. Our business operates a Cyber Security Essentials Plus certification, which is externally audited, and we are working towards the ISO 27001 International Security Standard. We use a wide range of organisational, technical, physical and operational controls, which are assessed for effectiveness on a regular basis.
We will only disclose any personal data that we hold to our employees, affiliated companies and third parties who are contracted to help us provide our Services (some of whom may be based outside the UK or EEA). Any such third parties will be acting as processors on our behalf and will be contractually bound only to use the data in accordance with our instructions and to implement adequate security measures.
Where personal data is transferred outside the UK or European Economic Area (EEA), we ensure that appropriate safeguards are in place. We rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as approved transfer mechanisms under UK GDPR to protect your data when it is sent to countries that do not have an equivalent level of data protection to the UK.
We may share personal data with third parties (which will also be acting as controllers in respect of that personal data) in the following circumstances:
If we are under a legal duty to do so or if it is required to enforce or apply our contracts or to protect the operation of our website, or the rights, property or safety of us or others.
If we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use personal data in accordance with the provisions set out in this privacy notice.
Individuals have certain rights under the applicable data protection legislation in respect of the personal data which we hold relating to them. This includes:
As part of the financial crime risk management services we provide, Themis may use automated processing — including algorithmic screening and risk-scoring tools — to assist in the identification of financial crime risks such as money laundering, sanctions violations, fraud, and terrorist financing (AML/CFT screening).
Where such automated tools are used in connection with our clients’ due diligence obligations, the processing may include:
In all cases where automated screening generates an output that may have a legal or similarly significant effect on an individual (for example, a sanctions match), that output will be subject to human review before any decision is made or communicated. We do not make legally or significantly consequential decisions based solely on automated means without human oversight.
If you believe you have been adversely affected by an automated processing decision, you have the right under Article 22 UK GDPR to:
To exercise these rights, please contact our Data Protection Officer at dpo@wearethemis.com.
If you wish to exercise any of your rights set out in section 6 above, or if you have any questions about this notice or how we handle your personal data, please contact our Data Protection Officer (DPO):
Email: dpo@wearethemis.com
When we receive a request, we will try to verify your identity and the request, before responding to you within one calendar month.
Given the nature of the Services we provide, in certain situations, we may be able to rely on certain exemptions under the General Data Protection Regulation and the Data Protection Act 2018. These exemptions may enable us to resist the disclosure of information, erasure requests and rectification requests in certain circumstances, and exempt us from some notification obligations.
We will confirm to you in writing to acknowledge receipt of any request we receive relating to your rights as a Data Subject, and we will let you know if we have complied with your request. If, having carried out an assessment, we believe we have an overriding reason for resisting your request, we will let you know why we have reached that conclusion.
We will retain details of your request for two years, for quality assurance purposes, and may retain requests relating to marketing preferences or restricted use for a longer period to ensure that we can comply with your request and to help if you have any further questions about the matter. Any such processing will be limited to the extent strictly necessary to achieve our legitimate interest of providing a robust and secure data management procedure.
Please let us know if you are not happy about how we are handling your data. We will do our best to resolve the matter, but if you have further concerns, it is your right to make a complaint to the UK Information Commissioner’s Office at https://www.ico.org.uk.
Responsibility for the implementation of this policy lies with the Data Protection Officer and Themis Senior Management Team. They are responsible for making the company aware of the policy, and for its review.
This policy will be reviewed every year and at points of significant change to the business such as the leasing of office premises or the addition of a new team location.
Version 2.0 | June 2026 | Updated following DPO Review
Last Reviewed: June 2026