Privacy Policy

Last updated: January 2026

This Privacy Policy explains how CREST (International) (“we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you visit or interact with our website https://www.crest-approved.org (the “Website”).

We are a global cyber security non-profit organisation headquartered in the United Kingdom. We operate internationally, accrediting member organisations to our standards and issuing professional certifications to individuals worldwide.  This Privacy Policy applies globally and is designed to align with major data-protection frameworks, including the UK GDPR, EU GDPR, and other comparable international data-protection laws.

  1. Scope and Applicability

This Privacy Policy applies to all visitors, users, member organisations, certification holders, applicants, stakeholders, and any other individuals who access or interact with the Website, regardless of location.  Local laws may grant additional rights depending on the country or region.

  2. Personal Data We Collect

We may collect the following categories of personal data:

  • Information you provide directly: such as your name, email address, professional role, organisation, country, certification status, membership or accreditation details, and/or any information submitted through forms, applications, assessments, events, or inquiries.
  • Account-related information: where applicable, login credentials, certification records, accreditation status, renewal history, and continuing professional development information.
  • Automatically collected information: such as IP address, browser type, device identifiers, operating system, pages visited, referring URLs, and usage data.
  • Cookies and similar technologies: see Section 9 below for more information.

We do not intentionally collect special category (sensitive) personal data unless it is voluntarily provided, strictly necessary for our activities, and permitted by applicable law.

  3. How We Use Personal Data

We use personal data for the following purposes:

  • To operate, maintain, and improve the Website
  • To administer membership accreditations and individual certifications
  • To process applications, renewals, assessments, and verifications
  • To communicate with members, certification holders, applicants, and other stakeholders
  • To provide information about standards, guidance, events and related activities
  • To analyse usage and performance of the Website
  • To ensure security, integrity, and prevention of fraud or misuse
  • To comply with legal, regulatory, and governance obligations

  4. Legal Bases for Processing

Where required by applicable law, including the UK GDPR and EU GDPR, we process personal data on one or more of the following legal bases:

  • Consent: where you have given clear consent for specific purposes
  • Contract: where processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract (including certification or accreditation processes)
  • Legal obligation: where processing is required to comply with applicable law
  • Legitimate interests: where processing is necessary for our legitimate interests as a non-profit organisation promoting cyber security standards and professional competence, provided those interests are not overridden by your rights and freedoms

  5. Sharing and Disclosure of Personal Data

We may share personal data with:

  • Trusted service providers and partners who process data on our behalf (e.g. IT hosting, assessment platforms, examination providers)
  • Accreditation bodies, assessors, or other stakeholders involved in certification or membership activities
  • Professional advisers (such as legal, accounting, or audit advisers)
  • Public authorities or regulators where required by law

We do not sell personal data and do not use personal data for commercial advertising purposes.

  6. International Data Transfers

As a global organisation, we may transfer personal data to countries outside the UK or European Economic Area.  Where required by law, we take appropriate safeguards to protect your data in accordance with applicable regulations.

  7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including maintaining accurate certification and accreditation records, unless a longer retention period is required or permitted by law.

  8. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. However, no website or internet transmission can be guaranteed to be completely secure.

  9. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Enable core website functionality
  • Support secure access to member or certification-related areas
  • Analyse website traffic and usage
  • Remember user preferences

Where required by law, we obtain consent before placing non-essential cookies. You can manage or disable cookies through your browser settings.  Our Cookie Policy is available here: https://www.crest-approved.org/cookie-policy/

  10. Your Rights

Depending on your location and applicable law, you may have the right to:

  • Access your personal data
  • Request correction or deletion of personal data
  • Restrict or object to processing
  • Withdraw consent at any time (where processing is based on consent)
  • Request data portability
  • Lodge a complaint with a relevant data-protection authority

Requests may be made using the contact details in Section 12.

  11. Children’s Privacy

The Website is not intended for children under the age of 16 (or a higher age where required by local law).  We do not knowingly collect personal data from children.

  12. Contact Information

If you have questions about this Privacy Policy or our data-protection practices, or wish to exercise your rights, please contact:

CREST (International)

Email:  [email protected]

Registered address:  Seven Stars House, 1 Wheler Road, Coventry, West Midlands, CV3 4LB, UK

  13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations.  Any updates will be posted on this page with an updated “Last updated” date.

You may view the Company’s Data Protection Notification (Reg No.: ZA229721) by visiting the Information Commissioner’s website.

This Privacy Policy is provided for general informational purposes and does not constitute legal advice.