This Privacy Policy and Compliance Statement (“Policy”) is issued by Source Capital Group (“SCG”, “we”, “our”, “us”). It governs how we collect, process, store, and protect personal data, and sets out our obligations and your rights under applicable European Union, Swiss, and international law. It also documents our binding commitment to anti-money laundering, counter-terrorism financing, and international sanctions compliance — standards routinely required by banking institutions, payment processors, and regulatory bodies.
Company Information & Jurisdiction
Source Capital Group is a business-to-business (B2B) wholesale distributor of lithium-ion battery cells, operating commercially across the European Union, Switzerland, and select international markets. As a company conducting commercial activities within the EU and processing the personal data of EU and Swiss data subjects, SCG is fully subject to the following primary legal frameworks:
All commercial, contractual, and data processing activities of SCG are conducted in compliance with these frameworks. This Policy is designed to satisfy the due diligence requirements of banking partners, payment service providers, compliance officers, and regulatory authorities.
Scope & Applicability
This Policy applies to:
- All visitors to our website and digital properties operated by SCG.
- All business partners, clients, suppliers, and their authorised representatives whose personal data is processed in the course of a B2B commercial relationship with SCG.
- All natural persons who submit enquiries, contact forms, or requests via our website or direct communication channels.
- All employees, contractors, and agents of SCG to the extent they process personal data on behalf of the company.
SCG operates exclusively as a B2B wholesale supplier. We do not sell products to or process the personal data of consumers (natural persons acting in a private capacity for non-commercial purposes). All contractual counterparties are legal entities or registered businesses.
Personal Data We Collect
3.1 Website Visitors
- Technical data: IP address, browser type and version, operating system, referral URL, pages visited, time and date of visit, session duration. Collected automatically via server logs.
- Cookie data: As described in Section 9 of this Policy.
3.2 Contact & Enquiry Form Submissions
- First name, last name, business email address, company name.
- Content of the enquiry, including product interests and requested information.
- Voluntarily submitted telephone number or other contact details.
3.3 Business Partners & Clients (B2B)
- Identity data: Full name, job title, role, and authority level of authorised representatives and contact persons.
- Contact data: Business email, telephone, business address.
- Commercial data: Order history, transaction records, pricing agreements, communications.
- Compliance & KYB data: Company registration documents, beneficial ownership information, VAT registration numbers, bank account details, copies of identification documents of authorised signatories (where legally required for AML/KYB purposes).
- Financial data: Invoice records, payment history, credit assessment data as required for trade credit decisions.
SCG does not intentionally collect special category personal data as defined under GDPR Article 9 (health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, etc.). If any such data is inadvertently received, it will be deleted without processing.
Legal Basis for Processing (GDPR Article 6)
SCG processes personal data only where a valid legal basis exists under GDPR Article 6. The applicable basis for each processing activity is identified below:
| Processing Activity | Legal Basis | GDPR Reference |
|---|---|---|
| Responding to contact form enquiries | Legitimate interests / Pre-contractual steps | Art. 6(1)(b), 6(1)(f) |
| Execution of B2B contracts and order fulfilment | Performance of a contract | Art. 6(1)(b) |
| Invoicing, accounting, tax records | Legal obligation | Art. 6(1)(c) |
| AML / KYB customer due diligence | Legal obligation (EU AML Directives) | Art. 6(1)(c) |
| Sanctions screening | Legal obligation / Vital interests | Art. 6(1)(c), 6(1)(d) |
| Website security and fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Marketing communications to existing clients | Legitimate interests (B2B context) | Art. 6(1)(f) |
| Essential/functional cookies | Legitimate interests | Art. 6(1)(f) |
| Analytics cookies (if used) | Consent | Art. 6(1)(a) |
Purposes of Data Use & Processing
SCG processes personal data exclusively for the following documented and lawful purposes:
- Commercial operations: Processing orders, managing client accounts, issuing invoices, arranging logistics and customs clearance, managing warranty and product compliance obligations.
- Communication: Responding to enquiries, providing quotations, maintaining business correspondence with existing and prospective partners.
- Legal and regulatory compliance: Meeting obligations under EU and Swiss tax law, accounting standards, AML/CFT regulations, export control laws, and sanctions frameworks.
- Risk management: Conducting customer due diligence (CDD) and enhanced due diligence (EDD) as required, screening counterparties against sanctions lists, and assessing regulatory exposure.
- Website administration: Ensuring security, diagnosing technical issues, optimising performance, and preventing fraudulent access or misuse of our digital infrastructure.
- Business development: Sending relevant commercial communications to existing B2B clients regarding new products, stock availability, or relevant regulatory changes, where such communication is within the scope of a legitimate business relationship.
SCG does not engage in automated profiling or automated individual decision-making that produces legal effects on data subjects, as defined under GDPR Article 22.
Data Sharing & International Transfers
6.1 Categories of Recipients
SCG may share personal data with the following categories of third parties, strictly on a need-to-know basis and subject to appropriate contractual safeguards:
- Banking and payment institutions: For processing payments, trade finance, and meeting bank compliance requirements (KYC/AML).
- Logistics and freight partners: For arranging transportation, customs clearance, and delivery of goods.
- Customs and tax authorities: Where legally required by EU, Swiss, or applicable national law.
- Legal and compliance advisors: Bound by professional confidentiality obligations.
- IT infrastructure and cloud service providers: Hosting, email, CRM systems — all subject to Data Processing Agreements (DPAs) compliant with GDPR Article 28.
- Competent regulatory authorities: Including financial intelligence units (FIUs), customs enforcement, and sanctions enforcement bodies, where mandated by applicable law.
6.2 International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA) or Switzerland, SCG ensures that appropriate safeguards are in place in accordance with GDPR Chapter V and the Swiss nDSG, including:
- Transfer to countries with an EU adequacy decision (European Commission) or Swiss adequacy recognition (FDPIC).
- Use of Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) or equivalent Swiss transfer mechanisms.
- Transfer to processors certified under approved frameworks such as the EU–US Data Privacy Framework where applicable.
SCG does not transfer personal data to any country subject to EU, UK, Swiss, or UN sanctions, or to any country designated as high-risk under FATF recommendations.
Data Retention Periods
SCG retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Retention periods are determined as follows:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Website visitor logs / IP data | 90 days | Legitimate interests (security) |
| Contact form enquiries (no contract formed) | 24 months | Legitimate interests |
| B2B contracts, invoices, financial records | 10 years | EU/Swiss accounting & tax law obligations |
| AML / KYB due diligence records | 5 years from end of business relationship (minimum) | EU AMLD5, Art. 40; Swiss AMLA Art. 7 |
| Sanctions screening records | 5–10 years | Legal obligation / Regulatory requirement |
| Email & business correspondence | 6 years | Legitimate interests / Legal obligation |
| Delivery & logistics records | 5 years | Contractual / Tax obligation |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in a manner that prevents reconstruction of the original data.
Your Rights as a Data Subject
Under the GDPR and Swiss nDSG, individuals whose personal data is processed by SCG have the following rights:
| Right | Description | GDPR Article |
|---|---|---|
| Right of Access | Obtain confirmation and a copy of personal data we hold about you. | Art. 15 |
| Right to Rectification | Request correction of inaccurate or incomplete data. | Art. 16 |
| Right to Erasure | Request deletion of data where no longer necessary or processing is unlawful. | Art. 17 |
| Right to Restriction | Request that processing be restricted pending resolution of a dispute. | Art. 18 |
| Right to Data Portability | Receive data in a structured, machine-readable format where technically feasible. | Art. 20 |
| Right to Object | Object to processing based on legitimate interests, including direct marketing. | Art. 21 |
| Right to Withdraw Consent | Withdraw consent at any time without affecting prior lawful processing. | Art. 7(3) |
Rights to erasure and restriction may be limited where SCG is subject to a legal obligation to retain data (e.g., AML record-keeping requirements, tax law, or active regulatory investigation). In such cases, SCG will communicate the applicable limitation clearly and in writing.
To exercise any of the above rights, please submit a written request to: info@sourcecapitalgroup.com. We will respond within 30 calendar days (GDPR) / 30 days (nDSG) of receipt of a valid request, which may be extended by a further 60 days in cases of complexity.
Cookies & Tracking Technologies
Our website uses cookies and similar technologies as described below:
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential for website functionality (session management, security). Cannot be disabled. | No |
| Functional | Remember user preferences (language, region). Enhance usability. | No (Legitimate interests) |
| Analytics | Anonymised usage statistics to understand visitor behaviour and improve content. | Yes — prior consent required |
| Marketing / Third-party | SCG does not use marketing, retargeting, or third-party advertising cookies. | N/A — not used |
Where analytics cookies are used, SCG implements IP anonymisation and does not share raw analytics data with any third party for commercial purposes. Visitors may withdraw consent for optional cookies at any time via our cookie preference centre or by configuring their browser settings.
Anti-Money Laundering (AML) & Know Your Business (KYB)
SCG's AML/CFT compliance programme is designed in accordance with EU Directive 2018/843 (AMLD5), EU Directive 2018/1673 (AMLD6), the Swiss Anti-Money Laundering Act (AMLA, SR 955.0), and the FATF 40 Recommendations. These obligations apply to all business relationships and transactions conducted by SCG.
10.1 Customer Due Diligence (CDD)
Prior to entering into any business relationship, SCG conducts Customer Due Diligence (CDD) on all prospective clients and counterparties. This includes:
- Verification of legal entity identity (company registration certificates, articles of association, trade register extracts).
- Identification and verification of ultimate beneficial owners (UBOs) — individuals owning or controlling 25% or more of the entity, or exercising equivalent control.
- Verification of the identity of authorised signatories and representatives.
- Assessment of business activity, ownership structure, and source of funds.
- Screening against EU, UN, OFAC, and national sanctions lists prior to onboarding and on an ongoing basis.
10.2 Enhanced Due Diligence (EDD)
SCG applies Enhanced Due Diligence (EDD) in circumstances of elevated risk, including but not limited to:
- Business relationships or transactions involving countries identified as high-risk by FATF or the European Commission.
- Counterparties involving Politically Exposed Persons (PEPs) or their close associates.
- Complex corporate ownership structures with opaque beneficial ownership chains.
- Unusually large, unusual, or economically inexplicable transactions.
- Counterparties operating in high-risk sectors or jurisdictions.
10.3 Ongoing Monitoring & Suspicious Activity
SCG conducts ongoing monitoring of all established business relationships, including periodic review of CDD documentation and transaction pattern analysis. Where SCG has reasonable grounds to suspect money laundering, terrorist financing, or other financial crime, it will make a Suspicious Activity Report (SAR) to the relevant Financial Intelligence Unit (FIU) as required by law. SCG is legally prohibited from “tipping off” any counterparty in such circumstances.
Sanctions Compliance & Prohibited Counterparties
SCG maintains a strict zero-tolerance policy towards any business activity that would constitute a violation of international sanctions, arms embargoes, or export control laws. Any transaction, shipment, or business relationship that is found to involve a sanctioned entity, individual, or country is immediately terminated, and the matter is referred to the appropriate authorities.
11.1 Applicable Sanctions Regimes
SCG screens all counterparties, end-users, and transactions against the following sanctions frameworks prior to any commercial engagement and on an ongoing basis:
- EU Consolidated Sanctions List — administered by the European External Action Service (EEAS).
- UN Security Council Consolidated List — maintained by the UN 1267/1989/2253 Committee.
- OFAC SDN List (USA) — Specially Designated Nationals and Blocked Persons List.
- Swiss SECO Sanctions List — Secretariat of State for Economic Affairs.
- UK HM Treasury Consolidated List — applicable where relevant.
- EU Dual-Use Export Control Regulation (EU) 2021/821.
11.2 Specific Country Restrictions
SCG categorically does not conduct any commercial activity — including sale, supply, transfer, brokering, or provision of technical assistance — with the following countries, territories, or their nationals, in compliance with applicable EU, UN, and Swiss sanctions regimes:
This list reflects current EU, UN, OFAC, and Swiss SECO designations and is reviewed and updated continuously. The list is not exhaustive — SCG applies sanctions screening to all jurisdictions and may decline to engage with any country, entity, or individual where risk of sanctions violation cannot be excluded.
Lithium-ion battery cells and related technology may be subject to dual-use export controls. SCG verifies end-use declarations and conducts end-user screening for all export transactions outside the EU/EEA.
FATF High-Risk & Non-Cooperative Jurisdictions
The Financial Action Task Force (FATF) is an inter-governmental body that sets international standards for combating money laundering and terrorist financing. FATF publishes two lists of jurisdictions with deficient AML/CFT regimes: the “Black List” (High-Risk Jurisdictions Subject to a Call for Action) and the “Grey List” (Jurisdictions Under Increased Monitoring). SCG applies heightened due diligence to all counterparties connected to FATF-listed jurisdictions.
12.1 FATF Black List — Zero Tolerance
SCG does not engage in any business with counterparties located in, incorporated in, or controlled from jurisdictions on the FATF High-Risk list (Call for Action). As of the effective date of this Policy, this includes:
12.2 FATF Grey List — Enhanced Due Diligence
For counterparties connected to jurisdictions on the FATF “Jurisdictions Under Increased Monitoring” (Grey List), SCG applies Enhanced Due Diligence as described in Section 10.2. SCG reserves the right to decline to engage with any Grey List jurisdiction counterparty where adequate assurance of AML/CFT compliance cannot be obtained. The Grey List is reviewed quarterly and updated in line with FATF public statements.
Current FATF Grey List jurisdictions include (as updated by FATF — SCG monitors updates at fatf-gafi.org): Algeria, Angola, Bulgaria, Burkina Faso, Cameroon, Côte d'Ivoire, Croatia, DR Congo, Haiti, Kenya, Mali, Monaco, Mozambique, Namibia, Nigeria, Philippines, Senegal, South Africa, South Sudan, Syria, Tanzania, Venezuela, Vietnam, Yemen.
Engagement with Grey List jurisdictions requires written approval by SCG compliance management and enhanced documentation of business rationale and source of funds.
Export Controls & Dual-Use Compliance
Lithium-ion battery cells and associated technology may be classified as dual-use goods under EU Regulation 2021/821 (Dual-Use Regulation) and equivalent national regulations. SCG maintains the following export control compliance programme:
- Classification review: SCG reviews the technical specifications of all battery products it distributes to determine applicable export control classifications (CN codes, ECCN where relevant).
- End-use verification: For exports outside the EU/EEA, SCG requires written end-use declarations from buyers confirming the lawful civilian application and final destination of goods.
- Re-export controls: Buyers are contractually prohibited from re-exporting SCG products to sanctioned or embargoed countries without obtaining all required licences and notifying SCG in advance.
- Licence management: Where an export licence or authorisation is required under EU Regulation 2021/821 or applicable national law, SCG will obtain the necessary licence before proceeding with any shipment.
- Record retention: All export documentation, end-user statements, and licence records are retained for a minimum of 5 years in compliance with EU Dual-Use Regulation Article 26.
Swiss nDSG (Revised Federal Act on Data Protection) Compliance
The revised Swiss Federal Act on Data Protection (revDSG / nDSG), which entered into force on 1 September 2023, imposes obligations broadly aligned with the GDPR. For Swiss data subjects and in respect of our operations in Switzerland, SCG additionally complies with the following nDSG-specific requirements:
- Privacy by Default (Art. 7 nDSG): SCG applies data minimisation and privacy-protective default settings in all systems that process personal data.
- Data Protection Impact Assessments (Art. 22 nDSG): SCG conducts DPIAs for high-risk processing activities, including large-scale processing of personal data or systematic profiling.
- Data Breach Notification (Art. 24 nDSG): In the event of a data security breach that poses a high risk to the rights and freedoms of data subjects, SCG will notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible, and affected data subjects without undue delay.
- Cross-border transfers (Art. 16–17 nDSG): Transfers of personal data to countries not on the FDPIC adequacy list require appropriate safeguards, including Swiss Standard Contractual Clauses or binding corporate rules.
- Representative (Art. 14 nDSG): Where required, SCG designates a representative in Switzerland for data protection purposes.
- Register of Processing Activities: SCG maintains an internal record of data processing activities as required under Art. 12 nDSG.
Data Security Measures
In accordance with GDPR Article 32 and nDSG Article 8, SCG implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk of processing. These measures include:
- Encryption: Personal data and sensitive commercial data are encrypted in transit (TLS 1.2 minimum) and at rest using industry-standard encryption protocols.
- Access controls: Role-based access controls (RBAC) limit access to personal data strictly to personnel who require it for their job function. Access is logged and audited.
- Password and authentication policies: Strong password policies and multi-factor authentication (MFA) are enforced for all systems containing personal data.
- Vendor management: All third-party processors are contractually bound by Data Processing Agreements (DPAs) under GDPR Article 28, including requirements for equivalent security standards.
- Incident response: SCG maintains a documented data breach response procedure, including notification protocols in compliance with GDPR Articles 33–34 and nDSG Article 24.
- Staff training: All personnel with access to personal data receive regular data protection and information security training.
- Physical security: Physical access to systems and storage containing personal data is restricted and protected.
Supervisory Authority & Complaint Procedure
Data subjects have the right to lodge a complaint with the competent supervisory authority at any time. Relevant authorities include:
| Jurisdiction | Authority | Website |
|---|---|---|
| European Union (lead authority) | Competent national Data Protection Authority of EU Member State concerned | edpb.europa.eu |
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) | edoeb.admin.ch |
| Slovakia | Úrad na ochranu osobných údajov (ÚOOÚ) | dataprotection.gov.sk |
| Poland | Urząd Ochrony Danych Osobowych (UODO) | uodo.gov.pl |
Before lodging a formal complaint with a supervisory authority, we encourage data subjects to first contact SCG directly so that we may address the concern promptly.
Policy Updates & Version Control
This Policy is reviewed at least annually and updated as necessary in response to changes in applicable law, regulatory guidance, business operations, or identified compliance gaps. Material changes to this Policy will be communicated to affected data subjects and business partners via email or prominent notice on our website.
The version history of this Policy is maintained internally. Upon request, SCG will provide prior versions of this Policy to data subjects, regulatory authorities, or banking compliance officers.
The most current version of this Policy is always available at our website. The effective date and version number are displayed at the top of this document.
Contact, Data Controller & DPO
SCG acts as Data Controller for all personal data processed in connection with its commercial operations and website.
| Role | Details |
|---|---|
| Data Controller | Source Capital Group |
| General Enquiries | info@sourcecapitalgroup.com |
| Data Protection / Privacy Requests | info@sourcecapitalgroup.com — Subject: “Data Protection Request” |
| Compliance & AML Enquiries | info@sourcecapitalgroup.com — Subject: “Compliance Enquiry” |
| Response Timeframe | Within 30 calendar days of receipt of a valid written request |