top of page

PRIVACY NOTICE

This Privacy Notice is provided by the Privacy Protect Group Ltd, hereafter referred to as “PPG” (“we”, “our” or “us”). Privacy Protect Group is registered with the Information Commissioner’s Office (ICO) under reference number ZB698813


This privacy notice tells you how the PPG will use your personal information. It explains what you can expect us to do with your personal information when you use our service or have an interaction with us.


For the purposes of this privacy notice, the PPG is a Data Controller where we collect information for our own purposes, like delivering services to you and collecting payment. 


PPG is a Data Processor at any point we undertake work on your behalf, as instructed by you, for example preparing templates, advising on breach prevention actions, or undertaking compliance checks. 

On this page:

Purposes and Lawful Bases

Whose personal data do we process

What data do we process

How we get your information

What we do with your data 

How long do we keep your data 

Children's privacy 

Where your data is processed

How we protect your data 

Our Sub-Processors 

Your Rights 

Links to other websites

Contact us

Your right to complain

 

Changes to this privacy notice

We keep our privacy notice under regular review to make sure it is up to date and accurate.

It was last updated on 25th March 2025.

Privacy Protect Group Ltd logo - a dark blue shield

Purposes and lawful bases

PPG may process your personal information for the following purposes:

  • UK GDPR Article 6(1)(a) – consent, for example when providing services that you have opted into, such as training content updates;

  • Article 6(1)(b) for example when performing a contract or providing services to you, including free consultations, digital products and processing payments where relevant, and facilitating bookings, for training events, key note speeches or similar;

  • Article 6(1)(c), when complying with legal obligations, such as Health and Safety laws, tax obligations, or similar.

  • Article 6(1)(d), when taking action to protecting individual’s vital interests, for example sharing information in an emergency;

  • Article 6(1)(f) – legitimate interests, for example when gathering feedback to improve our service.

Where we process special category data, such as your learning preferences which may reveal health information about you, we will do so under a lawful basis grounded in Article 9(2) which will be supported by at least one Condition in Schedule 1 of the Data Protection Act 2018. 

Whose personal data do we process

We process information relating to a range of individuals, including;

  • customers and service users

  • complainants, correspondents and enquirers

  • advisors, consultants and other professional experts

  • suppliers

  • current and former employees, temporary and casual workers, and volunteers

What data do we process

The data we collect from you includes:

  • personal data, including your name, email address, telephone number, and address

  • employment details such as your role and the organisation you work for

  • education and training details

  • sound and visual images (e.g. from CCTV)

  • financial details to facilitate payments and invoicing

  • goods or services provided

  • information relating to health and safety

  • complaint, incident, and accident details; questions, queries or feedback you leave, including your email address if you contact us

  • opinions and assessments of staff in relation to matters dealt with

 

The types of personal data we process will vary depending on the purpose. We aim to process the minimum amount of personal data necessary for the relevant purpose. You should not assume that we hold personal data in all of the categories identified for every person whose personal data we process.

The categories identified are not exhaustive. Occasionally, we may gather other personal data for the purposes described.

How we get your information

Most of the personal information we process is provided to us directly by you through your interactions with our staff, website or digital services.

We may also receive personal information indirectly by someone who has provided your data, for example if your employer is booking a session on your behalf.

We collect personal data from a variety of sources, including:

  • individuals who visit the website and interact with it (including by filling in and submitting forms)

  • businesses (including security companies, and other supplies of goods and services) and other private sector organisations working with us

  • legal representatives

  • auditors

  • current, past or prospective employers of individuals

  • healthcare, social and welfare advisers or practitioners

  • education, training establishments and examining bodies

  • business associates and other professional advisors

  • our employees, agents, and other temporary and casual workers

  • persons making enquiries or complaints

  • financial organisations and advisors, and credit reference agencies

  • survey and research organisations

  • trade, employer associations, and professional bodies

  • the media

  • CCTV systems

What we do with your data

PPG may disclose personal information to a range of recipients including those from whom personal data is obtained, for example in response to a data subjects rights request.

Disclosures of personal information are made on case-by-case basis. Only relevant information, specific to the purpose and circumstances, will be disclosed and with necessary controls in place.

The data we collect may be shared with our technology suppliers, for example our hosting provider.

We will share your data if we are required to do so by law, for example, by court order, or to prevent fraud or other crime. This may include:

  • the Home Office

  • courts

  • a regulatory body who can demonstrate that there is a legitimate purpose for the processing of your personal data, such as the Information Commissioner's Office (ICO).

 

We may also disclose personal information on a discretionary basis for the purpose of legal proceedings or for obtaining legal advice.

If we make disclosures outside of the United Kingdom and the European Economic Area to locations which do not have as extensive data protection laws we ensure that there are appropriate safeguards in place to certify that the personal data disclosed is adequately protected.

How long we keep your data

We will only retain your personal data for as long as it is needed for the purposes set out in this document or for as long as the law requires us to. Our retention periods are determined by a combination of factors, including legal requirements, business needs, industry standards, and risk assessments.

Children's privacy

In our capacity as a Data Controller, we do not intentionally collect or maintain data about anyone under the age of 13. Our service is not designed for, or intentionally targeted at, children 13 years of age or younger.

PPG may, hold some data on children 13 years of age or younger, when acting as a Data Processor, for example, if a client instructs us to undertake a piece of work involving children’s data.

Where your data is processed and stored

We design and run our systems to make sure that your data is as safe as possible at all stages, both while it's processed and when it's stored.

Your personal data is primarily stored in the UK. Some of our information, especially that hosted by a third party may be stored in the European Economic Area (EEA).

Amalgamated analytics data and that related to cookies may be stored outside of the EEA, for example in the US and are covered by a separate notice. We will have robust and compliant transfer mechanism in place to conduct international transfers

How we protect your data and keep it secure

We are committed to keeping your data secure. Our systems meet appropriate industry security standards, and we comply with the relevant parts of legislation relating to data security. We have set up systems and processes to as a minimum:

  • prevent unauthorised access or disclosure of your data - for example, we protect your data using varying levels of access permissions and encryption;

  • have appropriate policies, training, technical and procedural measures in place, to ensure our buildings are secure and protected by adequate physical means, and our policies contain guidelines as to what use may be made of any personal information;

  • regularly monitor and check to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason;

  • ensure that any third parties that we deal with keep secure all personal data they process on our behalf via processing contracts and similar arrangements.

Our Sub-Processors

PPG uses certain sub-processors to provide our services.

A sub-processor is a data processor engaged by PPG, who agrees to process personal data of PPG’s users and customers, on behalf of PPG and in accordance with PPG’s written instructions.

Prior to engaging with a sub-processor, PPG conducts appropriate due diligence, which includes security and legal analysis. Each sub-processor enters into a written contract with PPG that enforces compliance with applicable data protection laws. Cross-border transfers are conducted under applicable approved mechanisms (together with additional measures, where required) to ensure compliance with applicable data protection laws.

 

Sub-Processor
Service Provided
Location of Processing
Transfer Mechanism
Adyen N.V
Payment collection services
EEA, UK and US
Standard Contractual Clauses / Data Privacy Framework
QuickBooks
Invoice and Accounting Software
UK, EEA, United States
Standard Contractual Clauses / Data Privacy Framework
Google Ireland Ltd
Cloud hosting and content delivery provider
Ireland
N/A
Microsoft Corporation
Software services
UK and other registered entities
Standard Contractual Clauses/ Data Privacy Framework
Stripe Payments Europe Limited
Payment collection services
EEA, UK and US
Standard Contractual Clauses / Data Privacy Framework / UK IDTA
Wix.com (UK) Limited
Website platform and related services
United Kingdom and other locations (Wix's registered entities)
Standard Contractual Clauses
Business Works UK
Mail forwarding service
United Kingdom, EEA and US
N/A
Zoom
Conferencing software services
United States
Standard Contractual Clauses/ Data Privacy Framework

Your rights

Under the data protection legislation, you have a number of rights that you can exercise in relation to personal data we process about you. You do not have to pay to exercise your rights (other than a reasonable fee if a request for access is clearly unfounded or excessive but we agree to fulfil it anyway).

You have the following rights:

  • Right to Withdraw consent - where we have relied on consent as a lawful basis for processing your data, you may opt out and withdraw your consent at any time.

  • Right to be Informed - This places an obligation upon PPG to tell you how we obtain your personal information and describe how we will use, retain, store and who we may share it with. We have written this Privacy Notice to explain how we will use your personal information and tell you what your rights are under the legislation.

  • Right of Access – This is commonly known as subject access and is the right which allows you access to your personal data and supplementary information, however it is subject to certain restrictions. Normally we will provide a response within one month of receipt of your request unless an exemption applies. You can request access to the personal data we hold about you, using the contact details in this privacy notice.

  • Right to Request Rectification – You are entitled to have personal data rectified if it is inaccurate or incomplete. If we hold personal data about you that is inaccurate or incomplete, you have the right to ask us to correct it. You can ask us to correct your personal data using the contact details in this privacy notice. We will reply to you within one month unless the request is complex.

  • Right to Erasure – The right to erasure is also known as ‘the right to be forgotten’. This right enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The circumstances most likely to apply are:

    • where holding your personal data is no longer necessary in relation to the purpose for which we originally collected and processed it;

    • where you withdraw your consent to us holding your personal data if we are relying on your consent to hold it;

The right of erasure does not apply if we are processing your personal data:

  • to comply with a legal obligation;

  • for the establishment, exercise or defence of legal claims;

  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to make it impossible to carry out or seriously impair that processing.

If you want to ask us to delete your personal data, you can do so using the contact details in this privacy notice. We will respond to you within one month unless the request is complex.

  • Right to Restrict Processing – Under certain circumstances you have a right to ‘block’ or suppress processing of personal data. This may be in cases where:

  • you are contesting the accuracy your personal data while we are verifying the accuracy;

  • your information has been unlawfully processed and you oppose its erasure and have requested a restriction instead;

  • where we no longer require your personal data, but you need it to establish, exercise or defend a legal claim and do not want us to delete it.

 

When processing is restricted, organisations are permitted to store the personal data, but not further process it. You can ask us to restrict processing of your personal data using the contact details in this privacy notice.

  • Right to Data Portability – You have the right to obtain and reuse your personal information for your own purposes, transferring it from one environment to another. This right only applies to personal data provided by an individual, where the processing is based on their consent or for the performance of a contract and when that processing is carried out by automated means. If you wish to discuss this right, you can do so using the contact details in this privacy notice.

  • Right to Object – You have the right to object to:

    • The processing of your personal data based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

    • The processing of your personal data for direct marketing (including profiling); and

    • The processing of your personal data for the purposes of scientific/historical research and statistics.

Any objection must be on grounds relating to your particular situation. If you want to exercise your right to object you can do so using the contact details in this privacy notice.

  • Rights Relating to Automated Decision Making – You have the right not to be subject to a decision when it is based on solely automated processing (including profiling) and which produces a legal effect or similar significant effect on you. This right does not apply if the decision is authorised by law, is necessary for entering into or performance of a contract, or is based on your consent.

We are unlikely to carry out automated decision making because our processes involve some type of human interaction and decision-making. Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects about you to predict things about you such as your behaviour, interests, movements or performance at work. We do not currently carry out automated profiling. If you have any questions about automated decision-making or automated profiling you can raise them using the contact details in this privacy notice.

Links to other websites

The PPG website contains links to other websites. This privacy notice only applies to PPG and does not cover other services and websites that we may link to. These websites have their own terms and conditions and privacy policies.

If you go to another website from this one, read the privacy policy on that website to find out what it does with your information.

If you come to PPG from another website, we may receive personal information from the other website. You should read the privacy policy of the website you came from to find out more about this.

Contact us

We take our data protection responsibilities seriously. We take great care to ensure we process your personal data properly to maintain your trust and confidence. You can contact our Team if you have any questions or concerns about how we process your personal data, using the following methods:

Privacy Protect Group Ltd.

4 Lidgett Lane

Garforth

Leeds

LS25 1EQ
UNITED KINGDOM

 

Email: info@privacyprotectgroup.com

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, you can make a complaint to PPG and we'll respond.

If you remain dissatisfied, you can make a complaint to the Information Commissioners Office (the UK supervisory authority) about the way we process your personal information.

The Information Commissioner's Office (ICO) regulates the processing of personal data. You can complain to the ICO if you are unhappy with how we have processed your personal data using the following details:

The Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Helpline number: 0303 123 1113

Website: www.ico.org.uk/concerns

bottom of page