Buying & Building Cyber Services icon
Back
Accreditation Pathway & Membership icon
Back
Skills, Certifications & Careers icon
Back
News, Events & Research icon
Back
About Us icon
Back
Login to profile
Join Today Find a Supplier
Home  »  Privacy Statement (UK)

CREST (International) (hereafter referred to as “CREST”) includes means CREST (International), with Company Registration number 09805375, and any or all of its group of companies.
 
CREST will use its best endeavours to safeguard the privacy of its contacts and website visitors.  This privacy notice tells you what to expect us to do with your personal information.
 
For the purposes of this privacy notice, “client” includes member companies and their representatives, examination candidates and relevant partners.

Contact details
What information we collect, use, and why
Lawful bases and data protection rights
Where we get personal information from
How long we keep information
Who we share information with
Sharing information outside the UK
How to complain

Contact details: 
Email [email protected]
 
Why do we need personal information?
We need to collect personal information in order to:
– ensure member companies are getting the full benefit of their membership;
– ensure that we manage CREST examination candidates’ certifications accurately;
– endeavour to improve our services for you.
 
How is your information used?
CREST may use the information you provide us with to:
– respond to your requests;
– carry out our obligations arising from any contracts or agreements entered into by you with us;
– communicate with you about our work and services for you;
– tell you about CREST services;
– seek your views or comments on the services we provide for you;
– notify you of changes to our services;
– update our records when necessary;
– support our activities on your behalf (eg. external venues);
– for marketing purposes
unless you tell us that we may not do so.
 
What information we collect, use, and justification
We collect or use the following information to provide and improve products and services for our clients:
– Names and contact details
– Addresses
– Occupation
– Account access information
– Website user information
 
We collect or use the following personal information for the operation of client or customer accounts:
– Names and contact details
– Addresses
– Account information, including registration details
– Marketing preferences
 
We collect or use the following personal information for information updates or marketing purposes:
– Names and contact details
– Addresses
– Profile information
– Marketing preferences
– Website user journey information
 
We collect or use the following personal information for dealing with queries, complaints or claims:
– Names and contact details
– Address
– Call recordings (if collected)
– Relevant information from previous investigations (if applicable)
– Any general correspondence
 
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information.  There is a list of possible lawful bases in the UK GDPR and you can find out more about lawful bases on the ICO’s website.
 
Which lawful basis we rely on may affect your data protection rights which are in brief set out below.  You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
 
– Your right of access – You have the right to ask us for copies of your personal information.  You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
– Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
– Your right to erasure – You have the right to ask us to delete your personal information. You can read more about this right here.
– Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
– Your right to object to processing – You have the right to object to the processing of your personal data. You can read more about this right here.
– Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.  You can read more about this right here.
– Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.  You can read more about this right here.
 
If you make a request, we must respond to you without undue delay and in any event within one month.  We may make a small charge for this service if the request is excessive or repetitive or requiring further copies of the same information.
 
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
 
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information for the operation of client accounts are:
– Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
– Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
– Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone.  All of your data protection rights may apply, except the right to portability.  Our legitimate interests are:
i) Collecting information from member companies to enable us to communicate with relevant individuals in the company regarding membership application processes, accreditations and renewals.  The information is provided to us by the company.
ii) Collecting information from exam candidates to enable us to track their progress through our career path, to enable us to assess their criteria for awards, and to pass to government departments for regulated programmes. Candidates provide the information to us.
 
Our lawful bases for collecting or using personal information to provide and improve products and services for clients are:
– Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
– Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
– Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
i) Information is collected from exam candidates to enable us to track their progress through our career path, to enable us to assess their criteria for awards, and to pass to government departments for regulated programmes
 
Our lawful bases for collecting or using personal information for information updates or marketing purposes are:
– Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
 
Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
– Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
– Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
– Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are the collection of information from member companies and individuals to enable us to carry out investigations into complaints from any of their clients.  This is embedded in our Codes of Conduct that both organisations and candidates sign that is directly linked to our complaints handling procedure
 
We get personal information directly from member company representatives and examination candidates.
 
How long we keep information
The personal information you provide to us may be retained for up to 15 years or as required by law.  At that point, you will be contacted to seek your consent for us to retain it for a further period. At the same time, you will have the option to instruct us to delete it.
 
Who we share information with
– Data processors:
i) Pearson Vue:  this data processor delivers our examinations.
ii) SMApply:  this data processor provides software services for our membership application portal.
iii) Microsoft:  this data processor provide software services for our customer relationship management system.
 
We have a joint controller relationship with Member companies and exam candidates. We process your personal information with that joint controller for the following reasons:
– Member companies provide personal information during their application, assessment and renewal processes.
– Exam candidates provide their personal information when booking one of our examinations.
 
Others we share personal information with are:
– Regulatory authorities in the UK
– Suppliers and service providers
 
Sharing information outside the UK
Where necessary, we may transfer personal information outside of the UK.  When doing so, we comply with the UK GDPR and make sure appropriate safeguards are in place.  For further information or to obtain a copy of the appropriate safeguard for the transfers below, please contact us using the contact information provided above.
 
Organisation name:  Dubai Electronic Security Center (DESC)
Category of recipient:  Government
Country the personal information is sent to:  UAE
How the transfer complies with UK data protection law:  There is a legal data processing agreement in place with DESC which complies with UK data protection law with appropriate safeguards including enforceable rights and effective remedies.
 
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
 
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.  The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
 
Email Messages and Marketing
You may receive e-mail messages from CREST on matters that we consider may be of interest to you, if you have provided your email address to us for this purpose.  If you do not wish us to communicate with you in this way, please tell us.  We will provide you with as many means of doing this as we can.
 
Information to improve our website
We collect web statistics automatically about your visit to our website. This information is used to help us follow browsing preferences on our website so that we can regularly improve our website.  These statistics do not contain personal data and cannot be traced back to an individual.
 
Your choices
You have a choice about whether or not you wish to receive information from us.  You can change your preferences at any time by contacting us using the details below.
 
If you change email address or any of the other information we hold is inaccurate or out of date, please contact us using the details below.
 
Other websites
Our website contains links to other websites.  This Privacy Policy only applies to our website, crest-approved.org, so when you link to other websites, you should read their own Privacy Policies.
 
CREST does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.
 
Liability
CREST assumes no responsibility for errors or omissions in the contents of the website.  In no event shall CREST be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the website or the contents of the website. 
 
Our Privacy Policy
We keep our Privacy Policy under regular review and we will place any updates on this webpage.  You may view the Company’s Data Protection Notification (Reg No.: ZA229721) by visiting the Information Commissioner’s website.
 
Last updated
31 October 2024