CEDR's Privacy Policy

Introduction

Centre for Effective Dispute Resolution and its group companies ("CEDR", "we", "us", or "our") are committed to protecting and respecting the personal data that we hold. This privacy statement describes why and how we collect and use personal data and provides information about individuals' rights. It applies to personal data provided to us, both by individuals themselves and by others.

Personal data is any information relating to an identified or identifiable living person. When collecting and using personal data, our policy is to be transparent about why and how we process personal data. The personal data that is provided to us is provided either directly from the individual concerned, from a third party acting on behalf of, or connected to, an individual, or from publicly available sources (such as internet searches, and Companies House).

CEDR is defined as a Data Controller under the Data Protection Act 2018 and is registered with the Information Commissioner's Office (ICO) under Z7486946. CEDR only collects or uses personal information for those purposes indicated in our notification with the Information Commissioner's Office.

Data that we hold

CEDR processes personal data for numerous purposes:

  • Providing services to clients
    Where CEDR engages with clients for professional services, we may collect and process personal data in order to satisfy a contractual obligation. Where individuals make use of our services this personal data will usually be provided to us by the individual directly, or by the person or organisation with whom they are in dispute. Where organisations make use of our services, the information that they provide us may also include personal data about individuals, employees or advisers who are involved in a particular matter.
  • Client management
    When communicating with and assessing the needs of actual or prospective clients, personal data may be processed in order to ensure that their needs are appropriately addressed. This may include assessing whether the right collection of services and information is being provided to our clients and contacts.
  • Promoting our services
    We may use business contact details to provide information about effective dispute resolution and conflict management, including our services, that we think will be of interest. Examples include industry updates and insights, other services that may be relevant and invitations to events. We do not, however, use personal data about individuals using our consumer services for such promotional purposes without their specific consent.
  • Administration
    In order to manage and administer our business and services, we may collect and process personal data. This may include (but is not limited to) maintaining internal business records, managing client and supplier relationships, hosting events, and maintaining internal operating processes, including personnel administration.
  • Regulatory
    We may from time to time be required to collect and process personal data in order to fulfil regulatory, legal or ethical requirements. This may include the verification of identity of individuals.

The personal data that we process may include any relevant financial or non-financial information necessary for us to provide our services. As an example, this may include contact details, payroll data, employee information, lists of shareholders, customers and suppliers and any other specifically relevant data.

The data that is processed is dependent on the service that is being provided and on the recipient of this service. In some instances, where this is relevant to the service that we are providing, this may include sensitive data special category data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life or criminal record.

Security

We take the security of all the data we hold seriously. Staff are trained on data protection, confidentiality and security, and we maintain a culture of confidentiality.

We have a framework of policies and procedures which ensure that we keep the data we hold secure.

All data is stored on our secure servers and we have put in place appropriate internal security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to the duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach as required by law.

We have taken steps to ensure all personal data is provided with adequate protection and that all transfers of personal data outside the EEA are done lawfully.

Retention period

We retain the personal data processed by us for as long as is considered necessary for the purpose(s) for which it was collected (including as required by applicable law or regulation).

In determining the appropriate period for the retention of personal data we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means and the applicable legal requirements.

Information sharing and disclosure

CEDR will not sell or swap your information with any third party.

We may share your information with our data processors. These are trusted third party organisations that provide applications/functionality, data processing or IT services to us. We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud-based software, identity management, website hosting and management, data analysis, data back-up, security and storage services.

In addition, we may share personal data with individual members of our mediator, adjudicator, consultant and trainer panels where this is a necessary aspect of our service delivery.

All our trusted partners are required to comply with data protection laws and our high standards and are only allowed to process your information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place and we regularly monitor all our partners to ensure their compliance.

We may disclose your personal information to third parties if we are required to do so through a legal obligation (for example to the police or a government body); to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.

We do not share your information for any other purposes.

Your rights

The GDPR and Data Protection Act 2018 provide you with a number of rights. Your key rights are set out below. Further information may be obtained from the Information Commissioner's Office.

  • You have the right to be informed in a clear, transparent and easily understandable way about how we use your personal data and about your rights
  • You have the right to request to access your personal data; this provides you with the right to obtain a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • You have the right to request correction of the personal data that we hold about you; this allows you to have any incomplete or inaccurate data corrected.
  • You have the right to request erasure of your personal data; this enables you to ask us to delete or remove personal data where there is no valid reason for us continuing to process it.
  • You have the right to object to the processing your personal data in cases where we are relying on a legitimate interest or those of a third party and there are particular facts which make you want to object to us using your data on this basis and we do not have a compelling legitimate basis for doing so which overrides your rights, interests and freedoms; you also have the right to object where we are processing your personal information for direct marketing purposes.
  • You have the right to request the restriction of processing of your personal data; this allows you to ask us to suspend the processing of personal data about you.
  • You have the right to request the transfer of your personal data to a third party where you provide it to us and we are using it based on your consent or to carry out a contract with you, and we process it using automated means.
  • You have the right to withdraw consent in those circumstances we have been relying on your consent to the collection, processing and transfer of your personal data for a specific purpose.
  • You have the right to lodge a complaint. If you consider we are using your information in a way which breaches the GDPR or the Data Protection Act 2018, you have the right to complain to us and, if you remain unhappy following our response to your complaint, you have the right to lodge a further compliant with our The Information Commissioners Office (ICO).

The ICO's address is: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. You can also contact them by telephone on 01625 545 745 or via their website at ico.org.uk.

If you wish to review, verify, correct or request the erasure of your personal data, object to the processing of your personal data, withdraw your consent to the processing of your personal data or request that we transfer a copy of your personal data to a third party please contact our Company Secretary, Graham Massie at: gmassie@cedr.com.

We will respond to your request as soon as we can. Generally, this will be within one calendar month from when we receive your request but on occasions, it may take longer to deal with your request and in such circumstances, we will let you know.

Changes to this Privacy Notice

Any changes we make to our Privacy Notice in the future will be posted on our website and where appropriate notified to you by email or otherwise.