Lawful Basis for Data Processing
GDPR Article 6 Documentation
This page documents the lawful bases under which Calmony Sanctions Monitor processes personal data, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page is a summary. For the complete Register of Processing Activities (ROPA) required by UK GDPR Article 30 (including controller details, DPO contact, categories of data subjects, sub-processors, international transfer safeguards, retention periods, and security measures), see /ropa.
Summary
Calmony processes personal data primarily under GDPR Article 6(1)(c) — Legal Obligation. UK businesses are legally required to screen individuals and entities against the OFSI consolidated sanctions list under the Sanctions and Anti-Money Laundering Act 2018. Our service facilitates compliance with this legal obligation.
Lawful Bases by Processing Activity
| Processing Activity | Lawful Basis | Legal Reference |
|---|---|---|
| Sanctions screening of individuals/entities | Legal Obligation | Art. 6(1)(c) — Sanctions and Anti-Money Laundering Act 2018 |
| Continuous monitoring and re-screening | Legal Obligation | Art. 6(1)(c) — Money Laundering Regulations 2017 |
| Audit trail and compliance records retention | Legal Obligation | Art. 6(1)(c) — MLR 2017, Reg. 40 (5-year retention) |
| Account registration and authentication | Contract | Art. 6(1)(b) — Necessary for service provision |
| Payment processing and billing | Contract | Art. 6(1)(b) — Necessary for service provision |
| Email/SMS notifications for matches | Legitimate Interest | Art. 6(1)(f) — Ensuring timely compliance action |
| Marketing communications | Consent | Art. 6(1)(a) — Explicit opt-in consent |
| Analytics cookies | Consent | Art. 6(1)(a) — PECR Regulation 6 |
| Adverse media screening (premium) | Legitimate Interest | Art. 6(1)(f) — Enhanced due diligence for compliance |
Your Rights
Under UK GDPR, data subjects whose data is processed through Calmony have the following rights:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you. Available via Settings → Export Your Data.
Right to Rectification (Art. 16)
Request correction of inaccurate personal data. Contact us or update directly in the People section.
Right to Erasure (Art. 17)
Request deletion of your data, subject to legal retention obligations. Available via Settings → Delete Your Data.
Right to Data Portability (Art. 20)
Receive your data in a machine-readable format (JSON). Available via Settings → Export Your Data.
Right to Object (Art. 21)
Object to processing based on legitimate interest. Note: an objection does not override processing carried out under a legal obligation.
Right to Withdraw Consent
Where processing is based on consent (marketing, analytics), you can withdraw at any time via Settings.
Data Retention Periods
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Screening records | 6 years | Money Laundering Regulations 2017 |
| Financial/billing records | 7 years | HMRC requirements |
| Audit log entries | Indefinite (anonymised) | SOC 2 compliance requirements |
| Personal data (on deletion) | Immediate anonymisation | GDPR Article 17 |
Contact & Complaints
Data Controller: Calmony Ltd
Data Protection Officer: dpo@calmony.com
General Privacy Enquiries: privacy@calmony.com
If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
Last updated: 1 January 2025