Greyline Investigations Limited

Data Protection & Confidentiality

This Policy sets out how Greyline Investigations Limited protects personal data and maintains confidentiality across all client engagements. Discretion and data security are fundamental to the integrity of our work. This Policy should be read alongside our Privacy Policy and Data Processing Agreement.

Data Controller: Greyline Investigations Limited
Company Number: 17121990
Contact: cases@greylineinvestigations.co.uk
Website: greylineinvestigations.co.uk
Last updated: March 2026
Applies to: All personnel, subcontractors, clients, and engagements

Clause 1

Purpose and Scope

1.1 This Policy applies to all directors, investigators, analysts, subcontractors, and any third parties acting on behalf of Greyline Investigations Limited.

1.2 It governs the handling of all personal data, case data, client information, and investigation findings from the point of first contact through to data deletion.

1.3 Greyline complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

Clause 2

Confidentiality Commitment

2.1 All client engagements are treated as strictly confidential. Greyline will never disclose a client's identity, case details, or the existence of an engagement to any third party without the client's express prior written consent, unless required by law.

2.2 We will never disclose a client's identity or case details to the subject of an investigation under any circumstances without express prior written consent from the client.

2.3 All personnel are bound by confidentiality obligations before being granted access to any case data. Subcontractors are subject to equivalent obligations by contract.

2.4 Confidentiality obligations survive the termination of an engagement indefinitely.

Clause 3

Data Protection Principles

Greyline adheres to the data protection principles set out in UK GDPR Article 5. All personal data is:

Clause 4

Technical Security Measures

Greyline implements the following measures to protect personal data and case information:

Clause 5

Data Retention

We retain personal data only for as long as necessary:

Clause 6

Breach Response

6.1 In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, Greyline will notify the Information Commissioner's Office (ICO) without undue delay and within 72 hours, as required by UK GDPR Article 33.

6.2 Where the breach is likely to result in a high risk to affected individuals, those individuals will be notified directly without undue delay.

6.3 All breaches, including those assessed as low risk, are recorded in an internal breach register with a full assessment, timeline, and remediation actions.

Clause 7

International Transfers

7.1 Where personal data is transferred outside the UK, appropriate safeguards are in place in accordance with UK GDPR Chapter V, including International Data Transfer Agreements (IDTAs), Standard Contractual Clauses, or adequacy decisions.

7.2 For Nigerian client engagements, Greyline additionally adheres to the Nigeria Data Protection Act 2023 (NDPA) requirements where applicable.

Clause 8

Client and Subject Rights

8.1 Clients may exercise their rights under UK GDPR at any time, including rights of access, rectification, erasure, restriction, portability, and objection. Requests should be sent to cases@greylineinvestigations.co.uk and will be responded to within one calendar month.

8.2 Providing investigation subjects with access to investigation data may in certain circumstances be restricted under UK GDPR Article 23 and Schedule 2 of the DPA 2018, including exemptions for the prevention and detection of crime.

Clause 9

Lawful Basis for Investigation Processing

When conducting investigations, Greyline processes personal data about the subject of the investigation that is collected only from publicly available open sources (OSINT). We do not access private accounts, intercept communications, or obtain data through unlawful means. The legal basis for processing this data is our legitimate interests in providing the contracted service and, where relevant, the vital interests or legal claims of the commissioning client.

Clause 10

Third-Party Disclosures

Greyline does not sell, rent, or share personal data with third parties for marketing purposes. Data may only be shared in the following limited circumstances:

Clause 11

Training and Accountability

11.1 All personnel are required to read and acknowledge this Policy before undertaking any client-facing or case-related work.

11.2 This Policy is reviewed annually and updated to reflect changes in legislation, regulatory guidance, or business operations.

11.3 Breach of this Policy by any personnel may result in termination of engagement and, where applicable, referral to the appropriate authorities.

Clause 12

Governing Law

This Policy is governed by the laws of England and Wales. Any dispute arising under this Policy is subject to the exclusive jurisdiction of the courts of England and Wales.

Clause 13

Contact

If you have any questions about this Policy, wish to exercise your data rights, or want to raise a concern, please contact us: