NCC Group handles Personal Data on a daily basis and everyone has a responsibility to protect that data. As a global organisation, we are subject to a wide range of international privacy laws, including the General Data Protection Regulation which states that ‘the protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met’.
NCC Group is a global expert in cyber security and risk mitigation, therefore both security and privacy are the foundations of our business. We not only have a legal and ethical requirement to protect the data we hold, we also have a reputational requirement to meet the high standards we promote to our customers and to lead by example.
Data privacy laws give people fundamental rights with regard to the way that their Personal Data is handled. By handling Personal Data in accordance with the principles laid out in this policy, NCC Group ensures that these rights are upheld.
NCC Group has a designated Chief Data Protection and Governance Officer, supported by a larger Data Privacy Team, to provide support and guidance on all data protection-related matters.
The GDPR applies to processing of personal data carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, and/or who monitor individuals’ behaviour as far as their behaviour takes place within the Union. This includes personal data which NCC Group plc and its subsidiary companies (“NCC Group” or “we” or “us”) holds about our customers (“you”) in whatever form, for example computer or searchable paper records. You have various rights under the GDPR, as outlined in section 4 below.
As of the 31st January 2020, the UK is no longer part of the EU. Hence the EU’s GDPR no longer applies. However, the UK government has directly translated the EU GDPR into UK law. Therefore, all requirements remain the same, and all references to the GDPR relate to both the UK and EU regimes.
The below are some of the key terms used within this policy:
NCC Group prides itself on being a global cyber security and risk mitigation expert. Keeping information secure is at the heart of everything we do. Within the course of running our business and providing our services, we process Personal Data in a number of ways.
NCC Group is a Data Controller for the personal data we hold about our colleagues and for some of the Personal Data we process on our Customers and their employees.
Examples of where NCC Group are a Data Controller include, but are not limited to:
Where NCC Group is a Data Controller, appropriate privacy notices will be provided to a Customer. Depending on the nature of the services provided, NCC Group may not have a direct relationship with Data Subjects; in these cases the Customer shall be responsible for ensuring that Data Subjects are informed of any Processing activity undertaken by NCC Group (where there is a requirement to provide such notice).
NCC Group is a Data Processor for the information we process in accordance with the instructions given to us by our Customers during the course of delivering our products and services.
Processing data on behalf of our Customers is not core to many of the products and services that we provide – it is often incidental. In some cases, processing data is a key part of a service. We understand that Data Protection Law does not usually make any distinction between incidental and core processing, and therefore we realise our obligation to comply with Data Protection Law across all products and services.
We are committed to handling personal data in accordance with Data Protection Law, as described within the principles below.
Where NCC Group is a Data Controller, we will inform the data subject of the following when we collect their data:
Where NCC Group is either a Data Controller or Data Processor, we will ensure that personal data is:
Furthermore, we will not transfer personal data to other countries outside the European Economic Area (EEA) without ensuring that there are adequate safeguards in place for its continued protection.
The information NCC Group will Process will depend on the nature of the service we provide, however some categories of data will be more common. These include:
The primary purpose for NCC Group collecting Customer information is to ensure we are able to fulfil our contract to provide you with requested products or services. In addition to this, we may process your data in the following ways (provided that, where we are required to obtain your consent to use your information, you have provided such consent):
As standard, the following retention periods are in place:
Unless otherwise set out in this privacy policy, any other information we process about you will be retained by us until we no longer need it for the purposes for which it was collected, as set out in this privacy policy and/or the relevant fair processing notice.
We will base that decision on a number of criteria, including whether we are required by law to keep the information for a certain period of time, whether you have withdrawn consent to the processing, whether a contract has been performed and the likelihood of us needing to retain the information in the event of a claim arising, whether the data is still up to date, and whether there are exceptions set out in the applicable data protection legislation that allow us to retain the personal data for a longer period or indefinitely.
We will review and delete or destroy personal data on a regular basis. If we are unable, using reasonable endeavours, to delete or destroy personal data we will ensure that the personal data is encrypted or protected by security measures so that it is not readily available or accessible by us.
We collect much of your information on the grounds of:
If we require your personal data for fulfilment of a contract with you (for example, to provide services or products to you or to receive payment from you), we may be unable to fulfil the contract without your personal data.
Where we rely on legitimate interests, our legitimate interests are the promotion of the products and services offered by NCC Group and the provision of information in respect of products and services you have already purchased from us or in which you have expressed an interest in purchasing.
If we are unable to rely on legitimate interests, fulfilment of a contract or any other ground set out in Data Protection Law to process your personal data, we will obtain consent from you to the processing. This will be the case if, for example, you download documentation from us and we would like to send you marketing communications about our products and services. If you give us your consent, you can withdraw it at any time by clicking on the link in the email we send to you, or by emailing response@nccgroup.com. Withdrawal of your consent will not affect any processing we have carried out in respect of your personal data prior to you withdrawing consent.
Unless prohibited by national or local law or other regulatory requirements, we may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
Unless prohibited by national or local law or other regulatory requirements, we may disclose your personal information to third parties:
Customer information is held securely. Access is restricted to NCC Group colleagues and agents (including our data processors) that need to access and process the information in order to perform their jobs. Otherwise, your information is generally only provided to you.
If a third party asks for information about you, we will check the identity and authority of the third party to make sure that they are entitled to the information, and we will ensure that any disclosure is permissible under relevant Data Protection Law.
The data that we collect from you may be transferred to, and stored at, a destination outside the EEA and transferred from such destination to another destination outside the EEA. It may also be processed by colleagues operating outside the EEA who work for us or for one of our suppliers. Such colleagues may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. This will be made clear at the time of enter into an agreement with NCC Group for the provision of service.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. The destinations to which your personal data will be transferred will either offer adequate protection for your personal data, as determined by the European Commission, or we will make sure there are appropriate safeguards in place.
We will also ensure adequate safeguards are in place when transferring personal data outside of countries located outside the EEA, where additional measures are required by national law. If you would like to know more about the basis on which we transfer your data outside the EEA where a finding of adequacy hasn’t been made, please contact dataprotection@nccgroup.com.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or other services which we provide to you, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
While the rights individuals have can depend on their country, residence and citizenship, NCC Group has adopted a global approach to privacy. Therefore, if an you are not based within the, United Kingdom, the European Union or are in a location which does not have specific data privacy rights, we will assess rights requests based on our ability to provide for your rights rather than your actual location.
These rights are not absolute and can vary depending on the relationship we have with you and the reasons for processing your data.
The key fundamental rights include:
You have the right to ask for access to, and receive copies of, your Personal Data. You can also ask us to provide a range of information relating to our processing of your data.
We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.
We will provide the information you request as soon as possible and in any event within any timeframes mandated by the applicable Data Protection Laws. If we need more information to comply with your request, we will let you know.
If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to correct that information.
We will usually comply with your request within one month of receiving it, unless we don’t feel it’s appropriate for us to do or we are legally required to deny the request. In these cases we will let you know why. We will also let you know if we need more time to comply with your request.
In some circumstances, you may have the right to ask us to delete the Personal Data we hold about you.
This right is usually available to you where:
There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.
In some circumstances, you are entitled to ask us to restrict processing of your personal data. This means we will stop using your personal data but we may not have a requirement to delete your data. This right is normally available where:
In certain scenarios, you may have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the Personal Data to another organisation. This right only applies
We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.
You are entitled to object to us processing your personal data where:
In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
Under the CCPA, Californian residents have the right to direct a business that sells personal information about an individual to third parties not to sell their personal information.
Under the CCPA, Californian residents have the right to request that a business that sells personal information about them, or who discloses their personal information for a business purpose, provide them with the details of the information disclosed and the recipients of that information.
Under the CCPA, Californian residents have the right to not be discriminated against for exercising their rights. NCC Group shall not discriminate against any person who exercises their rights under the CCPA, the GDPR or any other privacy law.
Under GDPR and the UK GDPR, you may have the right to challenge any automated decision making and request human intervention. This right only applies where any automated decision making has legal or similarly significant effects and where such decision making is not based on consent.
If you would like to exercise any of your rights in respect of your personal data, please contact us at dataprotection@nccgroup.com or write to us at:
Chief Data Protection and Governance Officer
NCC Group
XYZ Building
2 Hardman Boulevard
Spinningfields
Manchester
M3 3AQ
You will be asked whether or not you consent for the use of cookies when you visit our website. We use cookies to monitor your use of our Website and so that we are able to advertise to you when you use third party websites. This won’t affect your use of our websites or the third party websites. We won’t directly contact you solely as a result of you visiting our Website.
The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Our Chief Data Protection and Governance Officer is responsible for this policy and must approve any changes. If you have any questions about this policy, please contact our Group Data Protection Officer at our Manchester office address, or email dataprotection@nccgroup.com.
Any changes we may make to this Policy in the future will be posted on this page and, where appropriate, notified to you by email.
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to dataprotection@nccgroup.com. You may also write to us at:
Chief Data Protection and Governance Officer
NCC Group
XYZ Building
2 Hardman Boulevard
Spinningfields
Manchester
M3 3AQ
If you have any concerns about the ways in which we process your personal data, you are entitled to report those concerns to the relevant supervisory authority in your jurisdiction.
Please see below for details of some of the key regulators for data privacy:
In the United States the key authority would be the Attorney General within any given State – information on the relevant Attorney Generals may be found here. Additionally, there may be a requirement to contact specific Credit Reference Agencies where details relate to financial information.