Skip to Content

Data protection

policy statement


The protection of data, including personal and sensitive data, is of high importance to Savanta, and we take our roles and responsibilities or controllers and processors very seriously.

Adherence to local data protection laws is built into the fundamentals of how our business operates. Savanta adheres to the strictest global data protection / security standards and, at the time of writing, we built our model on the EU General Data Protection Regulation (GDPR), while also taking into account the requirements of our ISO 27001 certified ISMS and the California Consumer Privacy Act (CCPA).

All Savanta legal entities, and all our trading names, are committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards and, as a Group, we comply with all applicable principles. Our privacy policy details the ways in which we will use anyone’s data and is published on our website.

Key Principles
  • Personal data shall be processed fairly and lawfully and with the consent of the Data Subject
  • Personal data shall be used for the specified and lawful, consensual, purposes for which it was collected and not further processed in any manner incompatible with those purposes
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  • Personal data shall be accurate and, where necessary kept up to date (with every reasonable step being taken to ensure that data that are inaccurate or incomplete, are erased or rectified)
  • Personal data shall not be kept for longer than is necessary for the purpose it was collected
  • Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • Data shall only be processed in the Data Subject’s originating territory e.g. EEA citizens will only be processed in the EEA, US citizens will only be processed in the US etc. and will not be transferred to a new territory unless that territory’s data protection laws are equal to, or greater than, those of the originating territory (this also takes into consideration regional legal challenges e.g. Schrems II). Client approval may also be required / sought depending on signed MSAs.