Purpose and Scope of this Notice

Identity of the Data Controller

Applicable Data Protection Framework

TLG processes personal data in accordance with all applicable data protection laws, including in particular:

• the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (PDPO), being the primary legislation governing the processing of personal data by TLG;
• Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), where TLG processes personal data of individuals located in the European Economic Area in connection with the offering of services to them or the monitoring of their behaviour within the Union;
• the UK General Data Protection Regulation and the Data Protection Act 2018, where the processing falls within their territorial scope;
• any other privacy or data protection legislation applicable to a specific engagement, including sectoral rules governing anti-money laundering, banking secrecy, professional confidentiality, and electronic communications.

Where this Notice refers to obligations or rights of data subjects, the precise content of those rights is determined by the law applicable to the specific processing activity.

Categories of Personal Data We Process

The categories of personal data we collect and process vary depending on the nature of the engagement and the role of the individual concerned. They may include any of the following:

• Identification data: full legal name, transliteration of name, date and place of birth, nationality, photograph, signature.
• Identity document data: passport number, national identity card number, residence permit, driving licence, supporting utility bill or bank statement evidencing address.
• Contact data: residential address, business address, telephone numbers, email addresses, messenger identifiers (including WhatsApp, Telegram, Signal, LinkedIn).
• Professional data: employer name, job title, function, qualifications, professional licences, curriculum vitae, references.
• Corporate-role data: directorship, shareholding, ultimate beneficial ownership, settlor, trustee, protector, or signatory position, as recorded in corporate registers and KYC files.
• Financial data: bank account details, IBAN, SWIFT/BIC, account holder name, source-of-funds and source-of-wealth evidence, tax identification numbers, payment history with TLG.
• Engagement data: instructions received, advice issued, drafts of contracts, correspondence, attendance notes, time records, billing data.
• Electronic data: IP address, browser type and version, device identifiers, operating system, language preference, log files, cookie identifiers, session metadata.
• Communications data: emails, letters, transcripts of telephone and video calls, recordings of meetings, chat messages, and metadata thereof.

Where strictly necessary for the engagement or required by law, we may also process the following categories of data, which attract additional protection under the PDPO, the GDPR, or the UK GDPR, as applicable:

• politically-exposed-person (PEP) status and related public-office information disclosed during AML screening;
• information relating to actual or alleged criminal offences, sanctions designations, enforcement actions, and adverse media coverage, obtained from compliance databases or open sources;
• biometric data, where used for remote identity verification or electronic onboarding;
• data revealing racial or ethnic origin, religion, or political opinions, where visible on identity documents or otherwise disclosed in the context of an engagement;
• health data, where required for a specific legal matter, employment-related advice, or accessibility arrangements.

We process sensitive data only on a defined lawful basis — most commonly your explicit consent, our compliance with a legal obligation, or the establishment, exercise, or defence of legal claims — and apply enhanced security and access controls to it.

You are not legally obliged to provide your personal data to TLG. However, certain data is necessary to enable us to accept and perform an engagement, to satisfy our regulatory obligations, and to communicate with you. Failure to provide such data may prevent us from accepting your instructions or from completing a service already commenced.

Sources of Personal Data

We may collect personal data about you from the following sources:

• directly from you, through email, telephone or video calls, secure messengers, online meetings, document-sharing portals, or in-person consultations;
• from your representatives, employer, group companies, or professional advisors, where they engage TLG on your behalf or in connection with a matter involving you;
• from publicly accessible sources, including company registers, land registries, court records, sanctions and PEP lists, regulatory enforcement notices, and reputable media;
• from third-party verification providers, KYC service vendors, credit-reference and corporate-intelligence agencies, retained by us under appropriate contractual safeguards;
• from government, regulatory, judicial, or law-enforcement authorities, where they communicate with us in the discharge of their functions;
• through your interactions with our website, electronic newsletters, and social-media presence, by means of cookies and similar tracking technologies.

Purposes of Processing and Legal Bases

TLG processes your personal data for clearly defined purposes and only where one or more lawful bases support such processing. The principal purposes are set out below.

We process your data in order to negotiate, accept, perform, manage, and conclude engagements; to provide advice; to draft and review documents; to represent clients before counterparties, authorities, and tribunals; and to invoice and collect Fees. The lawful basis is the performance of a contract to which you or your organisation are a party, or the taking of steps prior to entering into such a contract.

We process your data in order to comply with our obligations under anti-money laundering and counter-terrorist financing legislation (including the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, Cap. 615 of Hong Kong), tax and accounting laws, sanctions regimes, court orders, and the rules of relevant professional bodies. The lawful basis is compliance with a legal obligation to which TLG is subject.

We process your data where necessary for our legitimate interests, provided such interests are not overridden by your fundamental rights and freedoms. Such interests include: protecting the security and integrity of our information systems; preventing fraud and abuse; managing internal administration, archiving, and audit; defending our legal position in actual or potential disputes; conducting client-relationship management and limited direct marketing of services similar to those previously requested; and developing and improving our professional service offering.

Where we cannot rely on another lawful basis, we will obtain your explicit consent, in particular for processing of sensitive data, for non-essential cookies, and for marketing communications to individuals with whom we do not have a pre-existing client relationship. Consent can be withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal.

In exceptional circumstances we may rely on the protection of the vital interests of a natural person, or on the performance of a task carried out in the substantial public interest, where such basis is recognised by the law applicable to the processing.

Recipients of Personal Data

Personal data processed by TLG is, in principle, accessible only to TLG personnel on a need-to-know basis. We may, however, disclose personal data to the following categories of recipients:

• external lawyers, notaries, registered agents, accountants, auditors, translators, and other professional advisors engaged in connection with a specific matter, in each case bound by professional secrecy or by equivalent contractual undertakings;
• financial institutions, payment service providers, electronic money institutions, virtual asset service providers, and acquiring banks, where required for the introduction of clients to financial counterparties or the operation of accounts opened on behalf of clients;
• IT and cloud service providers (including hosting, document management, email, customer-relationship management, accounting, and electronic signature platforms), in each case bound by written data processing agreements imposing confidentiality and security obligations;
• KYC, identity verification, sanctions-screening, and corporate-intelligence providers used for compliance purposes;
• courts, tribunals, regulators, tax and AML authorities, law-enforcement agencies, and other public bodies, where disclosure is required by applicable law or by a binding order;
• any actual or prospective successor to all or part of TLG's business, in connection with a corporate reorganisation or transfer, subject to equivalent confidentiality undertakings.

Where we file a suspicious-transaction report or any other regulatory notification, we may be legally prohibited from informing you, or from disclosing the existence or content of such filing. You waive any claim against TLG arising from compliance with these legal restrictions.

Cross-Border Transfers

Retention Periods

We retain personal data only for as long as is necessary to achieve the purposes for which it was collected, having regard to legal, regulatory, contractual, and operational requirements. Indicative retention periods applied by TLG include:

• client identification, KYC, and AML records: seven (7) years from the end of the business relationship, or longer where required by the AMLO (Cap. 615) or by the law applicable in the country of the client;
• engagement files, correspondence, and work product: seven (7) years from the closure of the matter, save where ongoing or anticipated litigation, regulatory enquiry, or limitation period requires longer retention;
• accounting, tax, and financial records: as required by Hong Kong and other applicable tax legislation, generally seven (7) years from the end of the relevant accounting period;
• personnel records and contractor data: for the duration of the relationship and a reasonable period thereafter for the purpose of defending potential claims;
• marketing-list data: until you object or withdraw consent, and in any event reviewed periodically for relevance and accuracy;
• website and cookie data: as set out in our cookie notice and the relevant cookie lifespans.

On expiry of the applicable retention period, personal data is securely deleted, destroyed, or anonymised so that it can no longer be linked to an identifiable individual.

Your Rights as a Data Subject

Subject to the law applicable to a specific processing activity, you may exercise the following rights in relation to your personal data held by TLG. These rights are not absolute and may be limited by overriding legal obligations, professional secrecy, or the rights of third parties.

To exercise any of these rights, write to office@tauruslg.com. We will respond without undue delay and in any event within thirty (30) calendar days of receipt of a valid request, or within such other period as the applicable law prescribes. We may need to verify your identity before acting on a request; this measure protects you against unauthorised disclosure.

Automated Decision-Making and Profiling

TLG does not, as a general rule, take decisions in respect of clients or other data subjects that are based solely on automated processing and that produce legal effects concerning them or similarly significantly affect them. Where automated tools (for example sanctions-screening engines, transcription services, or risk-scoring systems used in compliance) generate intermediate output, the decisions concerning acceptance, continuation, or termination of an engagement are taken by qualified TLG personnel on the basis of that output and other relevant information.

If, in an exceptional case, an automated decision producing legal or similarly significant effects on you is taken, you have the right to obtain meaningful information about the logic involved, to express your point of view, to contest the decision, and to request human review by a TLG team member.

Recording of Calls and Meetings

TLG may record telephone calls, video conferences, and in-person meetings (or their transcripts) for purposes of accurate record-keeping, quality assurance, training, compliance verification, and the establishment, exercise, or defence of legal claims. Recordings and transcripts are treated as confidential, stored on access-controlled systems, and retained in accordance with the retention periods set out in clause 9.

Where required by applicable law, you will be informed at the beginning of the call or meeting that the conversation is being recorded, and you may object to such recording. Where you object, we will use alternative means of documenting the conversation, which may include the preparation of a contemporaneous attendance note.

Marketing and Business Development

We may use your contact data to send you occasional updates about TLG, including legal alerts, newsletters, event invitations, and information about services that we believe may be of interest to you. We rely on your consent where required by law, and otherwise on our legitimate interest in promoting our services to existing and prospective clients within a clearly defined and proportionate framework.

Every marketing email contains an unsubscribe link. You may also opt out at any time by writing to office@tauruslg.com. Opting out of marketing communications does not affect the receipt of service-related communications required for the performance of an engagement.

Website, Cookies, and Online Tracking

Our website www.tauruslg.com uses cookies and similar technologies to ensure proper functioning, remember your preferences, generate aggregated traffic statistics, and, where you consent, deliver content tailored to your interests. Detailed information about the cookies used, their purpose, lifespan, and the means of granting or refusing consent is set out in the cookie notice available on the website. You can adjust your cookie preferences at any time through the cookie banner or your browser settings; declining non-essential cookies will not affect access to the substantive content of the website.

Information Security

TLG implements technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, alteration, or disclosure. These measures are calibrated to the nature, scope, context, and purposes of processing and to the risks of varying likelihood and severity for the rights and freedoms of data subjects. They include, where appropriate:

• encryption of data in transit and at rest, including for client portals, document exchange, and remote access channels;
• role-based access controls, multi-factor authentication, and least-privilege administration of information systems;
• regular backups, business continuity and disaster recovery arrangements;
• logging, monitoring, and periodic review of security events;
• training of personnel in confidentiality, data protection, and information security;
• written confidentiality and data processing undertakings from all employees, contractors, and providers with access to personal data;
• documented procedures for the identification, containment, assessment, and notification of personal data breaches.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, TLG will, without undue delay, notify the relevant supervisory authority and affected data subjects in accordance with the requirements of the applicable law.

Contact and Complaints

For any matter arising under this Notice — including requests to exercise data-subject rights, queries about specific processing activities, and complaints — you may contact TLG using the following channels:

Communications addressed to TLG concerning data protection are handled by the partner of TLG with primary responsibility for the relevant engagement, supported, where appropriate, by external data protection counsel. We will acknowledge receipt of any rights request or complaint within five (5) working days and provide a substantive response within thirty (30) calendar days, unless the applicable law provides for a shorter or longer period.

If, having exhausted communication with TLG, you remain dissatisfied with the manner in which your personal data has been processed, you have the right to lodge a complaint with the competent supervisory authority. The principal authorities likely to have jurisdiction are:

• Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD), www.pcpd.org.hk
• European Economic Area: the data protection authority of your country of habitual residence, place of work, or place of the alleged infringement;
• United Kingdom: Information Commissioner's Office (ICO), www.ico.org.uk

Children

Our services are directed to corporate clients, professionals, and adult natural persons. We do not knowingly collect personal data from individuals under the age of 18 except in the context of family-related corporate, succession, or compliance matters where the participation of a minor is unavoidable, in which case processing is carried out with particular care and on the basis of parental or guardian consent where required by law.

Changes to this Notice

This Notice may be updated from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The current version is identified by the edition date set out on the cover page and is published at www.tauruslg.com. Where a change is material, we will take reasonable steps to bring it to your attention, for example by email or by a prominent notice on the website. Continued use of our services after the publication of an updated version constitutes acknowledgment of the updated Notice, to the extent permitted by the applicable law.

Acknowledgement