
Privacy notice


Privacy Notice.

This notice was last updated on 16th September 2019

We, the GDPR Institut or our affiliate company GDPR Associates, are committed to protecting your privacy.
As such we have specified below in detail what data we are collecting, how we are collecting it, how we are using your data and all the rights you have under the UK Data Protection Act 2018 (incorporating the UK amended version of the GDPR 2018 legislation).
We will change this notice from time to time to stay aligned with the current features of our web site, with any changes in data collection or usage, and with changes in the general data protection regulation (UK DPA 2018) and E-Privacy regulation (currently the UK PECR).
Please check back on a regular basis to read the latest version of this notice.


Data controller:

The UK based company, the GDPR Group Ltd, is the data controller for all data related to the GDPR Institut as well as GDPR Associates.

The contact details are:

The GDPR Group Ltd.
Kemp House
160 City Road
United Kingdom

phone: +44 (0)208 133 2545


Data Protection Officer:

For all inquiries regarding our usage of your data, as well as exercising your rights as a data subject, please contact our data protection officer Raymond Ford:

phone: +(44) 07989305294


What information are we collecting from you?

We collect and process several items of your personal information for different reasons, depending on the relationship we have with you.
The sections below list the different relationships and, per section, the data we collect and process, including our reason for doing so.


GDPR Institut or Associates memberships:

If you are a member of the GDPR Institut or GDPR Associates, we collect the following data:

your full name (first, last)
your phone number (landline and/or mobile)
your e-mail address
your login name (in case this is not identical to your e-mail address)
your password (hashed so not visible to us but able to be verified)
payment details, but only for paying members (we do not keep a record of this but a record of the transaction through our PCI DSS partner)

We collect this data to deliver your membership benefits and allow you to log in to our website. Our legal basis is entering into a contract.



From our clients (GDPR Associates delivers professional services), either requesting our one-on-one advisory calls, filling out the contact form on our website and/or entering into a services contract with us to deliver various advisory services, we collect the following data:

company name
company address
payment details including company registration number, VAT number and bank details if required
name of contact person or persons
Per contact person we register:
Job title
phone number
email address

We collect these details to be able to provide you with our services, send invoices and contact you in relation to your requests and inquiries. Our legal basis is entering into a contract for services provision; for the one to one sessions and newsletter subscription our legal basis is consent.


Marketing usage

We do not sell or generate revenue from selling or sharing your data with third parties.
We do not deploy or apply any cookies or tracking pixels via our web site or newsletter emails unless you specifically select them to be deployed. We adhere strictly to the privacy by design ethos of the regulation, and thus only essential cookies are deployed by default, and newsletter emails are explicit consent only.
Our web site would like to gather anonymous analytics data as feedback for design and to identify any issues that may arise, but this is purely optional on your part, and we appreciate your assistance in this regard. Our web site complies with the PECR with regard to the deployment of cookies or other technology to allow access to information on end user equipment and the targeting of individuals based on this content. Please see our cookie notice for details on this aspect of data collection and privacy by design.

We do not sell marketing or publishing space to third parties using Real Time Bidding (RTB) or targeting solutions, or attempt to identify you, or build a profile of you, by any means using cookies. If this situation changes then we will update this notice accordingly, but in any event, you are in complete control of any cookie or tracking technologies deployed. We may display events information on our web site but this is not targeted to any visitor, thus is outside PECR legislation.

We will only use your data to market our services directly to you under the following strict conditions:

You have provided us with your explicit consent to do so (e.g. you have requested a one-to-one phone call with an expert and consented to the call being recorded; you have consented to the newsletter).

You are an existing client, and have received a specific service in which case we may contact you in the future regarding the specific services you received for feedback to improve our quality or to advise of similar ones available which we believe in good faith are of genuine interest/benefit to you. If we do the latter we rely on the Legitimate Interest basis for this processing, and our LIA is available for inspection on request.
In all cases, you have the right to opt out of any marketing usage by using the relevant option present in all marketing communications. If you have provided explicit consent, you can remove it at any time with no reason required.


Conference call recordings

For our records, to facilitate our services to you and to provide you with valuable insights on your questions and our answers and recommendations, we will record all conference calls we have with you as our client for this specific service.

However: at the start of each call we will explicitly request your consent for this recording to take place; if you don’t give permission, the call will still be recorded but we will delete the recording directly after the call has finished.

Recordings will only be used by the GDPR Group Ltd. as well as yourself as a party on the call. If you, at a later stage, change your mind, and wish to remove consent, please contact us immediately and we will delete your call’s recording from our systems.


Who do we share your data with?

We only share your data with our partner professionals or privacy experts we contract to provide us with the necessary expertise to fulfil your contract. There is no other sharing whatsoever.
We will share the following information with them:

your name
your phone number
your e-mail address
the conference call recording (if present)

We will inform you which partner or professional we are sharing your data with before we do so.
We will make sure that any party we share data with is held to the same strict data protection procedures as are used by us (we use the Standard Contractual Clauses (SCCs) within our contracts). Data is only shared for specifically defined reasons and may not be further processed by our partners and professionals for any other reason, except when expressly mandated by us or for the defence of legal claims.

At the moment we inform you that we will share your data with one of our partners or professionals, we will also ask you to consent to sharing the conference call recording.

Please note you are free to object to the sharing of the recording; this will not adversely affect our ability to execute the services you have requested of us. Sharing it may, however, provide our professionals with a little more insight into your company and requests, which may ease any additional work and may prevent duplicate questions, thus saving time. The choice is yours to make.


How long do we keep your data for?

Again, this differs depending on the reason we collected your data. Generally, the following retention scheme is used:

For memberships, the data is kept until 14 months after the membership ends or is cancelled.

Client data is kept for 2 years after the contract ends, unless specific requirements, including fiscal law, mandate that we keep certain information for a longer term, such as revenue generated, for which the term is 7 years.

Data from prospects is kept no longer than one year after the last contact with the prospect.

We may retain data to defend legal claims for a period of two years after completion of the hearing and judgement passed to allow for appeals.


Your rights

Under the UK DPA 2018 (incorporating UK version GDPR) you, as a data subject, have a number of rights available to you. These rights allow you to ask if we are processing your data and, if so, why and on what legal basis etc. You can have sight of the data we hold on you, correct any data which you deem to be incorrect or incomplete, and request to know whom we have shared your data with. You can ask us to stop processing your data or request us to delete all your data from our systems in some circumstances, and where we rely on Legitimate Interest as our legal basis, you are entitled to challenge this interest and how it overrides your specific rights. You can also object to profiling if it is carried out by us.

You can exercise any of these rights by contacting our data protection officer; contact details can be found at the top of this privacy notice.

We will respond to your requests, where required, within 4 weeks of receiving your request; if it requires more time, we will contact you accordingly and ask for it.

Please note: to protect your privacy as well as that of our other members, clients and prospects, we will ask you to provide proof of identity to us. This will be necessary to make sure we do not provide your data to somebody else or provide you with data that is not your own.

Making use of your rights is free of charge. However, if we deem your requests to be excessive, repetitive in nature or otherwise manifestly made with malicious intent, we reserve the right not to respond to your request in full or to charge you a reasonable fee based on our administrative costs.

In either case, we will inform you of our decision.


Further complaints

If we can’t agree on a resolution to your request or complaints, if you believe we are handling your personal data incorrectly or infringing on any of your rights as listed above, and we can’t come to a mutually satisfactory agreement to solve our differences, you are welcome to contact the Information Commissioner’s Office and register your grievances with them.

Please check for the relevant procedures.