Buying & Building Cyber Services icon
Back
Membership & Accreditation icon
Back
Skills, Certifications & Careers icon
Back
News, Events & Research icon
Back
About Us icon
Back
Login to profile
Join Today Find a Supplier

Privacy Policy

Home  »  Privacy Policy

CREST (International) (hereafter referred to as “CREST”) includes all of the CREST Chapters.
CREST will use its best endeavours to safeguard the privacy of its contacts and website visitors. In
compliance with UK and European data protection regulations, this Privacy Policy explains what
information we collect, how we use any personal information that we may collect about you and the
data processing practices of the Company.
Topics:

  •  How do we collect information from you?
  •  What information do we collect?
  •  Why do we need personal information?
  •  How is your information used?
  •  Who has access to your information?
  •  How secure in information about me?
  •  How long is data kept?
  •  Does CREST share the information it receives?
  •  Email messages
  •  Information to improve our website
  •  Subject Access Requests
  •  Cookies
  •  Changes to our Privacy Policy
  •  Contact

How do we collect information from you?
We obtain information about you in a variety of ways including when you contact us about our
products and services, complete an Agreement with us, submit a membership application or renewal
form to us, book an examination with us, make an enquiry to us or when you use our website.

What information do we collect?
You provide most of such information when you request further information about our services, make
an enquiry or communicate with us regarding our services.
As a result of those actions, you might supply us with such information as title, name, postal address,
email address, telephone number(s), IP address. We will also collect information from you if you
complete any forms, including any on our website, or if you contact us with comments or specific
requests.

Why do we need personal information?
We need to collect personal information in order to:

  •  ensure member companies are getting the full benefit of their membership;
  •  ensure that we manage CREST Qualified Individual certifications accurately;
  •  endeavour to improve our services for you.

How is your information used?
CREST may use the information you provide us with to:

  •  respond to your requests;
  •  carry out our obligations arising from any contracts or agreements entered into by you with us;
  •  communicate with you about our work and services for you;
  •  tell you about CREST services;
  •  seek your views or comments on the services we provide for you;
  •  notify you of changes to our services;
  •  update our records when necessary;
  •  support our activities on your behalf (eg. external venues);
  •  for marketing purpose
  • unless you tell us that we may not do so.

Who has access to your information?
We may pass your details on to third party service providers who are contracted to CREST in the
course of dealing with your request and if this is likely to happen, we will make it clear to you. These
third parties are obliged to keep your details securely and will use them only to fulfil the request.
Third parties that we may share your information with include:

  •  The Bank of England (eg. STAR and CBEST data)
  •  The National Cyber Security Centre (eg. CHECK data, Cyber Essentials data, CIR service)
  •  The Civil Aviation Authority

We will never collect sensitive information about you without your explicit consent for each category
and will only collect such data for statistical purposes (our Legitimate Interest as identified in GDPR
Provisions Article 6(1)(f) and Article 9 (2)(j)).

Please note that in agreeing to share these details you have not forfeited your rights as prescribed
under the Data Protection Act 1998 and CREST will continue to apply the same level of care to
safeguard your privacy and use of your information across all our services.  Your service entitlement
from CREST will not be affected should you decide not to allow your data to be shared in this way or if
you change your mind at any time in the future.

How secure is information about me?
We maintain physical, electronic and procedural safeguards in connection with the collection, storage
and disclosure of customer information and personal data. Our internal personnel, who have access
to the data, have been trained to maintain the confidentiality of such information.

How long is data kept?
The personal information you provide to us may be retained for up to 15 years or as required by law.
At that point, you will be contacted to seek your consent for us to retain it for a further period. At the
same time, you will have the option to instruct us to delete it.

If you choose to visit our website,  https://www.crest-approved.org, your visit and any dispute over
privacy is subject to this Privacy Notice, including limitations on damages and application of the laws
of England. If you have any concerns about privacy please email us at governance@crest-
approved.org a thorough description and we will do our best to investigate it.

As our business changes, so may our Privacy Notice.  You should check our website frequently to
see recent changes.  Unless stated otherwise, our current Privacy Policy applies to all information that
we have about you.

Does CREST share the information it receives?
Client privacy is an important aspect of our business and we do not sell it or rent it to third parties. We
will not share your information with third parties for marketing purposes.

CREST would share client information only as described below.

  •  Within the CREST Group: to respond to your requests and to manage the purposes for which
    it was collected. See also What do we use personal information for? above.
  •  Business transfers: as we continue to develop our business, we might sell or buy other
    companies, subsidiaries or business units.  In such transactions, customer information
    generally is one of the transferred business assets but remains subject to the promises made
    in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise).  Also,
    in the unlikely event that CREST or substantially all of its assets are acquired, customer
    information will of course be one of the transferred assets.
  •  Protection of CREST: we may release account and other personal information when we
    believe release is appropriate to comply with law or to protect the rights, property or safety our
    users or others. This includes exchanging information with other companies and
    organisations for fraud protection and credit risk reduction. Where required by law, we will
    notify you if such disclosures are necessary.

Email Messages and Marketing
You may receive e-mail messages from CREST on matters that we consider may be of interest to
you, if you have provided your email address to us for this purpose.  If you do not wish us to
communicate with you in this way, please tell us. We will provide you with as many means of doing
this as we can.

Information to improve our website
We collect web statistics automatically about your visit to our website. This information is used to help
us follow browsing preferences on our website so that we can regularly improve our website. These
statistics do not contain personal data and cannot be traced back to an individual.

Your choices
You have a choice about whether or not you wish to receive information from us. You can change
your preferences at any time by contacting us using the details below.
We are working to provide additional ways to make it easier for you to review and correct the
information that we hold about you. In the meantime, if you change email address or any of the other
information we hold is inaccurate or out of date, please contact us using the details below.

Subject Access Requests
You have the right to request a copy of the information that we hold about you. If you would like a
copy of some or all of your personal information, please email us or write to us using the contact
details below. We will provide the information within one month of receipt of the request. By law, we
are required to verify your identity.

We may make a small charge for this service if the request is excessive or repetitive or requiring
further copies of the same information.

We want to make sure that your personal information is accurate and up to date. You may ask us to
correct or remove information you think is inaccurate. Under the Data Protection Act 1998, you can
make a formal request for information including:

  •  clarification that your personal data are being processed by the Company;
  •  a description and copies of such personal data;
  •  the reasons why such data are being processed;
  •  details of to whom they are or may be disclosed.

You may view the Company’s Data Protection Notification (Reg No.: ZA229721) by visiting the Data
Information Commissioner’s Web site.

Other websites
Our website contains links to other websites. This Privacy Policy only applies to our website crest-
approved.org so when you link to other websites, you should read their own Privay Policies.

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor
behaviour information. We may collect information about your computer, including your IP address,
operating system and browser type, for system administration and in order to create reports.  This is
statistical data about our users’ browsing actions and patterns, and does not identify any individual.

The only cookies in use on our site are for Google Analytics which is a web analytics tool that helps
website owners understand how visitors engage with their website. Google Analytics customers can
view a variety of reports about how visitors interact with their website so that they can improve it.

This information is used to track visitor use of the website and to compile statistical reports on website
activity. Google Analytics collects information anonymously. It reports website trends without
identifying individual visitors

For further information visit www.aboutcookies.org or  www.allaboutcookies.org.

You can set your browser not to accept cookies and the above websites tell you how to remove
cookies from your browser. However, in a few cases some of our website features may not function
as a result.

Changes to our Privacy Policy
We keep our Privacy Policy under regular review and we will place any updates on this webpage.
This privacy Policy was last updated in April 2021.

Contact
If you have any questions about our Policy or information we hold about you please
email [email protected]