CREST (International) (hereafter referred to as “CREST”) includes means CREST (International), with Company Registration number 09805375, and any or all of its group of companies.
· How do we collect information from you?
· What information do we collect?
· Why do we need personal information?
· How is your information used?
· Who has access to your information?
· How secure in information about me?
· How long is data kept?
· Does CREST share the information it receives?
· Email messages
· Information to improve our website
· Subject Access Requests
How do we collect information from you?
We obtain information about you in a variety of ways including when you contact us about our products and services, complete an Agreement with us, submit a membership application or renewal form to us, book an examination with us, make an enquiry to us or when you use our website.
What information do we collect?
You provide most of such information when you request further information about our services, make an enquiry or communicate with us regarding our services.
As a result of those actions, you might supply us with such information as title, name, postal address, email address, telephone number(s), IP address. We will also collect information from you if you complete any forms, including any on our website, or if you contact us with comments or specific requests.
Why do we need personal information?
We need to collect personal information in order to:
· ensure member companies are getting the full benefit of their membership;
· ensure that we manage CREST Qualified Individual certifications accurately;
· endeavour to improve our services for you.
How is your information used?
CREST may use the information you provide us with to:
· respond to your requests;
· carry out our obligations arising from any contracts or agreements entered into by you with us;
· communicate with you about our work and services for you;
· tell you about CREST services;
· seek your views or comments on the services we provide for you;
· notify you of changes to our services;
· update our records when necessary;
· support our activities on your behalf (eg. external venues);
for marketing purpose
unless you tell us that we may not do so.
Who has access to your information?
We may pass your details on to third parties that are contracted to CREST in the course of dealing with your request and if this is likely to happen, we will make it clear to you. These third parties are obliged to keep your details securely and will use them only to fulfil the request.
Third parties that we may share your information with include:
· The Bank of England (eg. STAR and CBEST data)
· The National Cyber Security Centre (eg. CHECK data, CIR/CIE services)
· The Civil Aviation Authority (eg. ASSURE services)
· Dubai Electronic Security Centre (eg. CyberForce framework)
We will never collect sensitive information about you without your explicit consent for each category and will only collect such data for statistical purposes (our Legitimate Interest as identified in GDPR Provisions Article 6(1)(f) and Article 9 (2)(j)).
Please note that in agreeing to share these details you have not forfeited your rights as prescribed under the Data Protection Act 1998 and CREST will continue to apply the same level of care to safeguard your privacy and use of your information across all our services. Your service entitlement from CREST will not be affected should you decide not to allow your data to be shared in this way or if you change your mind at any time in the future.
How secure is information about me?
We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of customer information and personal data. Our internal personnel, who have access to the data, have been trained to maintain the confidentiality of such information.
How long is data kept?
The personal information you provide to us may be retained for up to 15 years or as required by law. At that point, you will be contacted to seek your consent for us to retain it for a further period. At the same time, you will have the option to instruct us to delete it.
If you choose to visit our website, https://www.crest-approved.org, your visit and any dispute over privacy is subject to this Privacy Notice, including limitations on damages and application of the laws of England. If you have any concerns about privacy please email us at [email protected] a thorough description and we will do our best to investigate it.
Does CREST share the information it receives?
Client privacy is an important aspect of our business and we do not sell it or rent it to third parties. We will not share your information with third parties for marketing purposes.
CREST would share client information only as described below.
· Within the CREST Group: to respond to your requests and to manage the purposes for which it was collected. See also What do we use personal information for? above.
· Business transfers: as we continue to develop our business, we might sell or buy other companies, subsidiaries or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise). Also, in the unlikely event that CREST or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.
· Protection of CREST: we may release account and other personal information when we believe release is appropriate to comply with law or to protect the rights, property or safety our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. Where required by law, we will notify you if such disclosures are necessary.
Email Messages and Marketing
You may receive e-mail messages from CREST on matters that we consider may be of interest to you, if you have provided your email address to us for this purpose. If you do not wish us to communicate with you in this way, please tell us. We will provide you with as many means of doing this as we can.
Information to improve our website
We collect web statistics automatically about your visit to our website. This information is used to help us follow browsing preferences on our website so that we can regularly improve our website. These statistics do not contain personal data and cannot be traced back to an individual.
You have a choice about whether or not you wish to receive information from us. You can change your preferences at any time by contacting us using the details below.
If you change email address or any of the other information we hold is inaccurate or out of date, please contact us using the details below.
Subject Access Requests
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email us or write to us using the contact details below. We will provide the information within one month of receipt of the request. By law, we are required to verify your identity.
We may make a small charge for this service if the request is excessive or repetitive or requiring further copies of the same information.
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate. Under the Data Protection Act 1998, you can make a formal request for information including:
· clarification that your personal data are being processed by the Company;
· a description and copies of such personal data;
· the reasons why such data are being processed;
· details of to whom they are or may be disclosed.
You may view the Company’s Data Protection Notification (Reg No.: ZA229721) by visiting the Data Information Commissioner’s Web site.
CREST does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.
CREST assumes no responsibility for errors or omissions in the contents of the website. In no event shall CRET be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the website or the contents of the website.
CREST does not warrant that the Service is free of viruses or other harmful components.
If you have any questions about our Policy or information we hold about you please email [email protected].