Privacy Notice

This Privacy Notice applies to services operated by ECCTIS Ltd (Ecctis). Ecctis operates services to individuals and organisations, including services branded as Ecctis, UK ENIC and services formerly provided under the name UK NARIC. This notice covers the services offered under the following web domains:

and the former web domain:

  • naric.org.uk

Ecctis understands that your privacy is important to you. We respect and value the privacy of everyone who visits our website and uses our services. Ecctis will only collect and use your personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under data protection and other laws.

How to read this notice: The notice is structured to help you find information that is relevant to the service or services you use.

Ecctis Ltd is a limited company registered in England with company number 2405026.

Our address is:

Ecctis Ltd
Suffolk House
68-70 Suffolk Road
Cheltenham
Gloucestershire
GL50 2ED
UNITED KINGDOM

Our Data Protection Officer can be contacted at [email protected] or via our postal address. Please mark postal communication with ‘Data Protection Officer’.

The Ecctis Ltd ICO Registration Reference is Z7566127.

Ecctis may operate as the Controller of your personal data, or we may process your personal data on behalf of another Controller (as their Processor). For more information on our role(s) specific to each service, please see How we process your personal data for services you request below.

Generally, the following applies:

Ecctis acts as the Processor of your personal data when you contact us about, or apply for, our individual services, including:

  • Statement of Comparability
  • Visas and Nationality Service
  • English Language Assessment
  • Career Path Report
  • Early Years Service
  • UK Qualification Reference Statement

For these services, we operate as a Processor on behalf of the Controller, who tells us what to do with your personal data, and how we should process it. Ecctis will always have a contract in place with the Controller which sets out how Ecctis must provide the service. Please see the specific service information below for more detailed information.

Ecctis acts as a Controller when processing personal data for Industry Skills Statement (formerly Statement of Comparability for Construction Skills) services, for the delivery of training and events, undertaking marketing, sending you feedback surveys to understand satisfaction levels so we can improve our services, to check in visitors to our offices and when you apply to us for a job.

Throughout this privacy notice we will link to the privacy information of organisations with whom we share your information to enable you to see how each recipient organisation processes your information. To access an organisation’s privacy page, simply click on the name of the organisation within each section.

Most of the personal data we process is provided for one of the following reasons:

You are an Individual Applicant (Qualification Holder):

  • You have enquired about, and/or applied for, one of our services for individuals; or
  • An organisation has submitted an application for one of our services for individuals on your behalf.

You are an individual acting in a business capacity, i.e. a ‘Corporate Subscriber’, such as an employee of a:

  • Client company/organisation or a higher education provider. You or your employer has subscribed to one or more of our services for organisations and either you or your employer has provided your personal data to us to allow you to access or make use of those services. This may include for training and events purposes;
  • Higher education provider that works with Ecctis to verify Qualification Holders’ qualifications;
  • UK government department;
  • Company or organisation to whom Ecctis provides services or has a business relationship;
  • Supplier of goods or services (including consultancy) to Ecctis. You or your employer provides goods and services to Ecctis and either you or your employer has submitted your personal data to us to enter into an agreement, facilitate an order, pay an invoice or to facilitate collaborative working.

You are a Job Applicant who has applied for a role with Ecctis:

  • Direct via email
  • Through a recruitment agency

Where we do not receive information from you directly, we will endeavour to contact you to let you know we are processing your personal data unless to do so would be:

  • Disproportionate, or
  • Prejudicial e.g. to law enforcement or national security.

Your personal data is collected, stored, and used by our staff to communicate with you, identify you from other applicants, and deliver our services to you. This will include validating that qualification and identity information provided by you is accurate, and that you hold the qualifications submitted to us for comparison.

For most of the services provided, we operate as a Processor. This means we only process personal data under the instructions of another organisation, who is the Controller. The Controller is responsible for determining the purpose of processing and the lawful basis for processing.

Throughout this section we will clearly identify the Controller for each service. Where the service is being provided by Ecctis on behalf of another third party, you should read this Privacy Notice in conjunction with the privacy information provided by the following organisations:

Department for Education (DfE): Personal information charter - Department for Education - GOV.UK (www.gov.uk)

UK Home Office: https://www.gov.uk/government/publications/personal-information-use-in-borders-immigration-and-citizenship/borders-immigration-and-citizenship-privacy-information-notice

The following information relates to current services and applies where you apply directly to us via our website, or by post:

Statement of Comparability (including Fast Track services and Translation Waiver)

We process your personal data on behalf of the Department for Education (DfE) for the purpose of the Statement of Comparability service. This is to enable you to evidence the comparable level of your qualifications completed outside of the UK against those in the UK education frameworks.

Our role

We act as a Processor of your personal data. The Controller of your personal data is the DfE.

What information we need and why

We collect and process personal data including your name, contact details, date of birth, identity and qualification documents and information to deliver the service to you, to identify you, to verify the qualifications, and to communicate with you about your application.

We collect and process information relating to the reasons for your application (including refugee status) to ensure we are delivering the correct service to you and to optimise our services for your needs.

Lawful Basis for Processing

These are determined by the DfE – you should refer to their privacy notice: Personal information charter - Department for Education - GOV.UK (www.gov.uk)

How long we keep it

For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services, and providing the services in compliance with our contractual obligations.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
Industry Skills Statement

We process your personal data as Controller for the purpose of the Industry Skills Statement service. This is to enable you to evidence your overseas qualifications for those in the construction, plumbing, electrical, or land-based sectors.

Our role

We are the Controller of your personal data.

What information we need and why

We collect and process personal data including your name, contact details, date of birth, identity and qualification documents and information to deliver the service to you, to identify you, to verify the qualifications, and to communicate with you about your application.

We collect and process information relating to the reasons for your application (including refugee status) to ensure we are delivering the correct service to you and to optimise our services for your needs.

Lawful Basis for Processing

We rely on Legitimate Interests as the lawful basis for delivering the service to you, since it is in the interests of you, us, and the general public to be able to issue statements and/or confirm the contents of our statements if necessary.

How long we keep it

For completed applications, we retain information for a period of up to 10 years. This is necessary for detecting and preventing crime, fraudulent applications, and preserving the integrity of our services.

Scanned documents submitted in support of applications are deleted within seven years of the service being completed, or the last action on an account.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
UK Qualification Reference Statement

We process your personal data on behalf of the Department for Education (DfE) for the purpose of the UK Qualification Reference Statement service. This is to enable you to receive detailed information about your completed UK qualification(s).

Our role

We act as a Processor of your personal data. The Controller of your personal data is the DfE.

What information we need and why

This is determined by the DfE, but includes information such as your name, contact details, and date of birth to deliver the service to you, to identify you, to verify the qualifications, and to communicate with you about your application.

We collect and process information relating to your qualifications (including copies of documentation) to provide the requested service to you.

Lawful Basis for Processing

These are determined by the DfE – you should refer to their privacy notice: Personal information charter - Department for Education - GOV.UK (www.gov.uk)

How long we keep it

For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services, and providing the services in compliance with our contractual obligations.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
Visas and Nationality Service

We process your personal data on behalf of the UK Home Office for the purpose of the Visas and Nationality services. This is to enable you to evidence the level of your degree and/or your English language proficiency.

Our role

We act as a Processor of your personal data. The Controller of your information is the Home Office.

What information we need and why

This is determined by the UK Home Office, but includes information such as your name, contact details, date of birth, identity and qualification documents, and information to deliver the service to you, to identify you, to verify the qualifications, and to communicate with you about your application.

Your biometric data will also be collected and used solely for the purpose of identity verification, ensuring the security and integrity of our services.

We collect and process information relating to your qualifications (including copies of documentation) to provide the requested service to you on behalf of the Home Office.

Lawful Basis for Processing

These are determined by the Home Office – you should refer to their privacy notice: https://www.gov.uk/government/publications/personal-information-use-in-borders-immigration-and-citizenship/borders-immigration-and-citizenship-privacy-information-notice

How long we keep it

For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services, and providing the services in compliance with our contractual obligations.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
Early Years Services (Early Years Statement and Early Years Advisory Service)

We process your personal data on behalf of the DfE for the purpose of the Early Years services. This includes the Early Years Statement service, the domestic Early Years Confirmation service, and the discontinued Early Years Service. This is to enable you to evidence your early years specialised qualifications for gaining the required recognition to work in an early years setting in England.

Our role

We act as a Processor of your personal data. The Controller of your personal data is the DfE.

What information we need and why

We retain and process information including your name, contact details, date of birth, and information relating to your qualifications (including copies of documentation) and identity to confirm the contents of your statement and confirm authenticity of Statements.

Lawful Basis for Processing

These are determined by the DfE – you should refer to their privacy notice: Personal information charter - Department for Education - GOV.UK (www.gov.uk)

How long we keep it

For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services, and providing the services in compliance with our contractual obligations.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
Confirming the content of a Statement to a third party

On occasion we will be asked to confirm that a Statement issued by us is genuine and/or accurate. This might be, for example, where you have provided your Statement to a third party for them to rely on its contents.

Where we are asked to do so, we will confirm whether the Statement was issued and whether the information contained in the Statement is accurate.

Our role

It depends on the Statement being requested and therefore which service(s) you have used. Please see the service-specific information where we have defined our role as Controller or Processor.

What information we need and why

No further personal data will be collected.

Lawful Basis for Processing

We will confirm whether information provided to us matches our records. We will never volunteer any personal data to a third party.

When we are acting as Controller, the lawful basis that we will rely upon to process this information will be Legitimate Interests since it is in the interests of us, you, and the general public for statements to be able to be relied upon and checked for accuracy.

When we are acting as a Processor, the lawful basis will be determined by the relevant Controller and can be found in their privacy notice (see links under the service-specific information).

Who we share it with

Organisations to whom a Statement has been disclosed by you if they wish to confirm its authenticity. We will confirm with the enquirer whether information matches our records.

How long we keep it

For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services, and providing the services in compliance with our contractual obligations.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
Historical and Discontinued Services

The following information relates to historical, discontinued services (which we no longer offer) and applies where you applied directly to us via our website, or by post:

English Language Assessment

We may continue to process your personal data on behalf of the DfE for the purpose of the discontinued English Language Assessment service. For completed applications, we are required to retain your personal data for a period of 25 years. This allows us to confirm the contents of Statements should you seek to rely on them within this time period.

Our role

We act as a Processor of your personal data. The Controller of your personal data is the DfE.

What information we need and why

We retain and process information including your name, contact details, date of birth, and information relating to your qualifications (including copies of documentation) and identity to confirm the contents of your statement and confirm authenticity of Statements.

Lawful Basis for Processing

These are determined by the DfE – you should refer to their privacy notice: Personal information charter - Department for Education - GOV.UK (www.gov.uk)

How long we keep it

For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services, and providing the services in compliance with our contractual obligations.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
Career Path Report

We may continue to process your personal data on behalf of the DfE for the purpose of the discontinued Career Path Report service. For completed applications, we are required to retain your personal data for a period of 25 years. This allows us to confirm the contents of Statements should you seek to rely on them within this time period.

Our role

We act as a Processor of your personal data. The Controller of your personal data is the DfE.

What information we need and why

We retain and process information including your name, contact details, date of birth, and information relating to your qualifications (including copies of documentation) and identity to confirm the contents of your statement and confirm authenticity of Statements.

Lawful Basis for Processing

These are determined by the DfE – you should refer to their privacy notice: Personal information charter - Department for Education - GOV.UK (www.gov.uk)

How long we keep it

For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services, and providing the services in compliance with our contractual obligations.

We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.

Where we operate services for organisations, we may need to process personal data about their employees. If you are an employee of such an organisation, the following information sets out what we do with your personal data:

  1. Corporate Subscriber Contacts

Your information is collected, stored, and used by our staff to communicate with you if you or your employer has a working relationship with Ecctis. See Corporate Subscriber above.

Our role

Where you or your employer has engaged with Ecctis to use its services, verify Qualification Holders’ qualifications, supply services, instruct or develop a business relationship with Ecctis, we process your personal data as a Controller.
What information we need and why

We collect and process personal data including your name, title, job title, the organisation you work for and their address and your email address. This is to deliver, develop, and/or receive services.
Lawful Basis for Processing

We collect and process your personal data for the purposes of delivering, developing and/or receiving our services.

We rely on Legitimate Interests as the lawful basis for processing your personal data, since it is the interests of you, us, and your employer for us to process your data for these purposes.
How long we keep it We will keep your personal data for a period of up to 7 years from the conclusion of our engagement with your employer.
  1. Training and Events including Conferences

Your information is collected, stored, and used by our staff to communicate with you, coordinate and tailor training and events to your needs, and deliver the training or event to you. It is also used to invoice your or your employer and/or discharge any obligations we might have to you or them.

Our role

Where you apply to us for training or events, whether included in a membership package or paid for as a stand-alone service, we will be the Controller of your personal data.

What information we need and why

We collect and process personal data including your name, title, job title, the organisation you work for or represent and their address and your email address. This is to deliver the training or event to you, and to invoice your employer for payment.

If you tell us about dietary or special requirements (including disabilities) we may use this information to make adjustments for the relevant attendees. This may also include sharing with the venue provider to ensure appropriate access arrangements.

Photographs may be taken at Events by our staff, which may subsequently be published by us.

Lawful Basis for Processing

We collect and process your personal data for the purposes of delivering the training or event to you, including communicating with you.

A contract will exist relating to the delivery of training or event to you. This may be either directly with you, or with your employer, or both.

Where the contract is with you, we rely on Contract as the lawful basis for delivering the service to you as it is necessary for the performance of a contract that we have with you.

Where we contract with your employer rather than you, we rely on Legitimate Interests as the lawful basis for processing your personal data, since it is the interests of you, us, and your employer for us to process your data for this purpose.

We will request your Explicit Consent before processing your personal data relating to health and/or disability.

If your photograph is taken at an event and published by us we rely on legitimate interest for this processing.

How long we keep it

We will keep your personal data for a period of up to 7 years after the training or event has been completed or the contract with your employer has been fulfilled.

If you are an Individual Applicant (Qualification Holder), we will process your personal data when you contact us with enquiries or when we contact you for marketing purposes or to send you satisfaction surveys. The following information sets out what we do with your personal data:

  1. Communications regarding a service or general enquiry

We may communicate with you in relation to general enquiries, or in relation to your existing applications via telephone or our website LiveChat functionality. Generally, we receive two different types of enquiries:

  • A general enquiry for information about our services, or
  • An enquiry relating to an existing application you have with us (whether live or historical).

We will use the information to answer your enquiry and may record details of the enquiry for future reference.

Our role

It depends on the purpose of your enquiry:

  • If it is a general enquiry, then we will be the Controller of your personal data.
  • If you are contacting us about an existing application for our services, then we will usually be acting as a Processor for the service you have applied for.

What information we need and why

We will only collect sufficient personal data to allow us to deal with your enquiry, particularly when it is relevant to an existing application.

For general enquiries, we may not need to collect any information from you, though you should be aware that, in both cases, the software we use will collect the following additional personal data.

Telephone

When you call our telephone helpline, we will:

Collect Calling Line Identification (CLI) information – this is the phone number you are calling from. This is to help us to identify you, to understand demand for our services, improve how we operate, and call you back if we need to.

Record the audio of your telephone conversation - This is for training purposes and complaints, to improve the way in which our staff deal with enquiries and complaints.

LiveChat

When you contact us via our LiveChat facility, we will collect information to identify your general location information (for statistical purposes) such as your IP address. A transcript of the conversation will also be recorded.

Lawful Basis for Processing

The lawful basis that we will rely upon will depend on the reason for your enquiry:

For general enquiries we will rely on Legitimate Interests since it is in the interests of us and you to process personal data that is necessary to deal with your enquiry.

Where you are enquiring about an existing application, we rely upon the legal basis relevant to the processing of that application. You should check the section of this Privacy Notice relevant to the service for further information.

For telephone audio recordings, we rely on Legitimate Interests since it is in the interests of us, you, and the general public for our staff to provide training, improve the way our enquiries are managed, and investigate complaints.

How long we keep it

We will keep call recordings for a maximum of 14 months. LiveChat transcripts are retained for a maximum of 14 months.

Where enquiries relate to an existing enquiry the transcript, or parts of it, may be transferred onto the permanent file associated with your application and kept for the retention periods outlined under ‘Individual Applications’, above.
  1. Sending you marketing material

If you are an Individual Applicant (Qualification Holder) we will not send marketing communications to you unless we have consent to do so. You may be asked to opt-in to marketing emails.

Where we do send you marketing emails, you can withdraw your consent at any time. There will be a link in any marketing communications we send that will to allow you to do so easily.

The following relates to our direct email marketing activities:

Our role

We are the Controller of your personal data.

What information we need and why

We will use and share your email address and may personalise emails using your name.

Lawful Basis for Processing

The lawful basis that we will rely upon in this instance will be Consent as you will have consented to our sending you marketing emails either by opting in via our website or in some other way, such as at an event.
  1. Sending you satisfaction surveys

We may send communications to you containing satisfaction surveys. We only do this to understand satisfaction levels so we can improve our services.

We do not rely on your consent to send satisfaction surveys to you, but we do not want to send these emails if you do not want us to. If you do not want to receive these emails you can opt out of them easily via the link provided in any survey communication we send to you.

The following relates to our satisfaction survey communications and activities:

Our role

We are the Controller of your personal data.

What information we need and why

We will already have collected your data, since you will have applied for one of our services. We will use your email address to send you satisfaction surveys.

Purpose and Lawful Basis for Processing

We may send survey emails relating to services that you have used so that we can understand your level of satisfaction and improve our services. The lawful basis that we will rely on is Legitimate Interests for us to receive your feedback so that we can improve our services.

If you are an individual acting in a business capacity, we will process your personal data when you contact us with enquiries or when we contact you for marketing purposes or to send you satisfaction surveys. The following information sets out what we do with your personal data:

  1. Sending you communications regarding a service or general enquiry

We may communicate with you in relation to general enquiries in the course of day-to-day business.

Our role

We are the Controller of your personal data.

What information we need and why

We will use and share your email address and may including your name and/or title.

Lawful Basis for Processing

We rely on Legitimate Interests as the lawful basis for communicating with you for this purpose as it is in our interests to communicate with customers, stakeholders and business contacts regarding services and for providing you the information necessary to satisfy your query.
  1. Sending you marketing material

From time to time, we may email you about products, services and events which may be of interest to you or your organisation. We will only ever contact you with these communications if we consider you to be an individual acting in a business capacity and the content is relevant to your role as an employee at the organisation you work for.

Please note that marketing emails should be distinguished from “Service” emails which might be sent to you if you are a representative of one of our members. Service emails are necessary to provide information about existing services that you or your organisation contract with us for.

Our role

We are the Controller of your personal data.

What information we need and why

We will use your email address and may personalise emails using your name and/or title.

Lawful Basis for Processing

We rely on Legitimate Interests as the lawful basis for delivering the service to you – since it is in ours, and we hope your, interests to provide information about other services we offer that might be of use to you or your organisation.

We do our utmost to ensure that you only receive communications that you want to receive, therefore you can change your mailing preferences (or unsubscribe completely) at any time by following the link that will be provided at the bottom of every marketing email.
  1. Sharing your contact details with event sponsors

From time to time, we will share your contact details with training and events sponsors, but only when you have given us consent to do so. When you register for training or an event, you will be asked for permission to share your personal data with the event sponsor for marketing purposes.

Our role

We are the Controller of your personal data.

For the avoidance of doubt, the event sponsor will be an independent Controller for the purpose of any further processing (including marketing activity). Please refer to each sponsor’s own Privacy Notice for further information.

What information we need and why

We will use and share your email address and name and/or title with the event sponsor.

Lawful Basis for Processing

The lawful basis that we will rely upon in is Consent since you will have consented to our sharing of your contact details either by opting in via our website or in some other way, such as at an event.
  1. Sending you satisfaction surveys

We may send communications to you containing satisfaction surveys. We only do this to understand satisfaction levels so we can improve our services.

We do not rely on your consent to send satisfaction surveys to you, but we do not want to send these emails if you do not want us to. If you do not want to receive these emails you can opt out of them easily via the link provided in any survey communication we send to you.

The following relates to our satisfaction survey communications and activities:

Our role

We are the Controller of your personal data.

What information we need and why

We will already have collected your data, since you will have applied for one of our services. We will use your email address to send you satisfaction surveys.

Purpose and Lawful Basis for Processing

We may send survey emails relating to services that you have used so that we can understand your level of satisfaction and improve our services. The lawful basis that we will rely on is Legitimate Interests for us to receive your feedback so that we can improve our services.
  1. Inviting you to participate in market research

We may send communications inviting you to participate in market research. This will help us understand your challenges and what you and your organisation may need from our products and services in the future.

The following relates to our market research communications and activities:

Our role

We are the Controller of your personal data.

What information we need and why

We may have already collected your data if you have used or expressed an interest in using one or more of our consultancy services or commercial and educational products. Alternatively, we may obtain information about you from other sources, such as public databases, data providers, and from other third parties.

We will use your email address to send you satisfaction surveys or we will contact you via third party platforms, including LinkedIn. If you choose to participate in our market research initiatives, we will process your name and job title.

Purpose and Lawful Basis for Processing

The lawful basis that we will rely on is Legitimate Interests for us to receive your feedback so that we can improve our products and services.

Where we operate services for organisations, we may need to process personal data about their employees. If you are an employee of such an organisation, the following information sets out what we do with your personal data:

1. Corporate Subscriber Contacts

Your information is collected, stored, and used by our staff to register you and communicate with you regarding the services offered through our Global Ed Community.

Our role

Where you or your employer has engaged with Ecctis to use its services relating to the Global Ed Community, we process your personal data as a Controller.

What information we need and why

We collect and process personal data including your name, job title, the organisation you work for and your work email address. This is to deliver, develop, and/or receive services.

Lawful Basis for Processing

We collect and process your personal data for the purposes of delivering, developing and/or receiving our services.

We rely on Legitimate Interests as the lawful basis for processing your personal data, since it is the interests of you, us, and your employer for us to process your data for these purposes.

How long we keep it

We will keep your personal data for a period of up to 1 year from your last engagement after your subscription has ended

When you make a payment for one of our services, whether on our website or over the telephone, this is done using Stripe, an independent third-party payment processing company. We do not have access to your banking or payment card information and this privacy notice does not cover how Stripe processes personal information. We encourage you to read their privacy notice, which can be found here: https://stripe.com/gb/privacy.

If you made a payment to one of our services before 26/11/2022 it would have been through WorldPay, an independent third-party card processing company. We do not have access to your banking or card information and this privacy notice does not cover how WorldPay processes personal information. We encourage you to read their privacy notice which can be found here: https://www.fisglobal.com/en-gb/privacy.

We do not encourage you to send payment card details to us in any format. Any payment card details received by us will be destroyed immediately.

Where you provide payment card information to us over the telephone, staff are trained to switch off any telephone recording software or equipment. We do not record this information in any other way.

We will also process your personal data when you apply for a job with us, whether directly or through a recruitment agency. The following information sets out what we do with your personal data:

Our role

We are the Controller of your personal data.

What information we need and why

When you apply for a role with Ecctis we will process your CV (including previous work history and qualifications) to review your application and your contact details to arrange and conduct an interview.

Lawful Basis for Processing

This processing is carried out for our legitimate interests to ensure you have appropriate qualifications for the role which you are applying for.

How long we keep it

If your application is successful, your application form, CV and covering letter will be held as part of your employment record for 6 years beyond the termination of your employment with Ecctis.

If your application is not successful, your application form, CV, and covering letter will be held for one year from the date at which someone is appointed to the advertised position. Data is held for the purpose of monitoring the level of repeated applications and maintaining a talent pool of candidates who may be interested in other vacancies.

We process your personal data when you visit our offices for security and health & safety purposes.

Our role

We are the controller of your personal data.

What information we need and why

We collect and process personal data including your name and email address to ensure we are aware of who is in the building at all times and to send you confirmation of your check in.

Lawful basis for processing

We rely on legitimate interest for this processing since it is of the interest of both you and us that we are aware who is in the building for health and safety and security purposes.

How long we keep it

Your personal data will be kept for a period of 7 days after your visit.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any contractual, legal or reporting requirements.

To determine the appropriate retention period for personal data, we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your personal data, however, where we are providing a service as a Processor we may be required to retain records for fraud monitoring purposes. Please see below for more information about your right to erasure.

Please refer to each individual service or purpose for specific information on how long we will retain your personal data.

We may need to share your personal data with third parties to deliver a service to you. This might be for the following general reasons:

  1. Processors who provide part of our IT infrastructure. This may include, for example, off-site back-up providers, telephone recording, web, LiveChat and email servers.
  2. Processors who perform elements of our services for us, such as Primary Source Verification providers.
  3. Other third parties with whom we are required to share the information to deliver the services. Examples include organisations that issued your qualifications, or UK government departments.
  4. Organisations that you have disclosed a Statement to and they wish to confirm its authenticity.
  5. When we have your consent to do so, we will share your contact details with training and event sponsors who may contact you for their own marketing purposes.
  6. Recruitment agencies in order to progress your application for a job with us.
  7. Where we are obliged to share your data by law, for example where we are involved in legal proceedings, or where we are complying with legal requirements, a court order, or the orders of a government authority.
  8. Where there is a requirement for us to do so to comply with an external audit.

Where the party is a processor (points 1 & 2 above), we will have a contract in place with them to ensure that they cannot do anything with your personal data unless we have instructed them to do so. They must not share your data with anyone else unless we give them permission to do so. We will only give permission if we are satisfied that their sub-Processors will also comply with our instructions.

Under data protection law, you have certain rights in relation to your personal data, such as the right to access and the right erasure. Please be aware that these rights do not apply in all circumstances, but we will always look to fulfil your request where possible.

To make a request related to any of these rights, please contact the Data Protection Officer at [email protected], or one of our customer services team. We will typically respond within one month.

  • The right to be informed about our collection and use of personal data: this Privacy Notice is our way of complying with this.

  • The right of access: you have the right to ask us for copies of the information that we hold about you.

  • The right to rectification: you have the right to have inaccurate or incomplete information we hold about you to be rectified.

  • The right to erasure: in certain circumstances you can ask us to delete your information.

  • The right to restrict (prevent) processing: in certain circumstances you can ask us to restrict the processing of your information.

  • The right to object: in certain circumstances you have the right to object to us using your information for particular purposes e.g. for direct marketing.

  • The right to data portability: in some circumstances and where appropriate, and technically feasible, you can ask us to provide your information in a commonly used, machine readable format.

  • Rights related to automated decision making and profiling: please note that Ecctis Ltd does not perform any automated decision making or profiling.

If you have any cause for complaint about our use of your personal data, please contact us using the details above and we will do our best to help.

Should you remain dissatisfied, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.

We may need to transfer your data out of the UK or European Economic Area (EEA). This might be because we need to do this to deliver your service, or because our Processors are located outside of the UK or EEA.

When we transfer, store or process your personal data outside of the UK or EEA, we take appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Notice and appropriate legislation. We may rely on one of the following:

  1. An adequacy agreement, if one exists, with the country we are transferring your personal data to; or
  2. Standard Contractual Clauses approved by the European Commission and/or the UK Government / Information Commissioner’s Office; or
  3. Your explicit consent, or because it is necessary to perform the contract that we have with you or the transfer is necessary for a task carried out in the public interest; or
  4. Some other legal exception that is permitted by law.

Please contact [email protected] to obtain further information about these safeguards or if you have any questions about how your personal data is disclosed outside the UK or EEA.

This notice is regularly reviewed and updated, for example when organisations change their name, or to clarify how your personal data is used. Updates can be made at any time, and you will always find the most up-to-date version at https://www.ecctis.com/PrivacyNotice.aspx