Privacy Policy

1. Introduction

NCC Group handles Personal Data on a daily basis and everyone has a responsibility to protect that data. As a global organisation, we are subject to a wide range of international privacy laws, including the General Data Protection Regulation which states that ‘the protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met’.

NCC Group is a global expert in cyber security and risk mitigation, therefore both security and privacy are the foundations of our business. We not only have a legal and ethical requirement to protect the data we hold, we also have a reputational requirement to meet the high standards we promote to our customers and to lead by example.

Data privacy laws give people fundamental rights with regard to the way that their Personal Data is handled. By handling Personal Data in accordance with the principles laid out in this policy, NCC Group ensures that these rights are upheld.

NCC Group has a designated Chief Data Protection and Governance Officer, supported by a larger Data Privacy Team, to provide support and guidance on all data protection-related matters.

The GDPR applies to processing of personal data carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, and/or who monitor individuals’ behaviour as far as their behaviour takes place within the Union. This includes personal data which NCC Group plc and its subsidiary companies (“NCC Group” or “we” or “us”) holds about our customers (“you”) in whatever form, for example computer or searchable paper records. You have various rights under the GDPR, as outlined in section 4 below.

As of the 31st January 2020, the UK is no longer part of the EU. Hence the EU’s GDPR no longer applies. However, the UK government has directly translated the EU GDPR into UK law. Therefore, all requirements remain the same, and all references to the GDPR relate to both the UK and EU regimes.

2. Definitions

The below are some of the key terms used within this policy:

Customer

any personal or organisation that is considered a customer, or potential customer, of an NCC Group company.

Colleagues

all employees, company officers, and agency staff and other contractors working for NCC Group companies.

Data Protection Law

this is a collective term for any applicable laws relating to data protection and data privacy. This includes, but is not limited to, the General Data Protection Regulation (GDPR), the UK GDPR, US privacy legislation (such as the California Consumer Privacy Act) and the Australian Privacy Act.

Data Subject

the individual to whom the Personal Data relates. US privacy legislation, such as the California Data Privacy Act (CCPA) may refer to these as Consumers.

Data

information stored and used either electronically or in hard copy.

European Economic Area (EEA)

all countries in the European Union, as well as Norway, Liechtenstein and Iceland.

Personal Data

any information by which a living individual may be identified, including any expression of opinion about, or intention towards, that individual.

Personal Data Breach

a breach of security (or an error in processing) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data

Processing

Any activity using or involving data, including, but not limited to, viewing, using, accessing, storing, transferring or otherwise handling in some way.

Special Category Personal Data

a category of Personal Data which requires additional protection due to its sensitivity.

Supervisory Authority

an independent authority set up to uphold information rights in the public interest.

3. NCC Group's Approach to Data Protection

NCC Group prides itself on being a global cyber security and risk mitigation expert. Keeping information secure is at the heart of everything we do. Within the course of running our business and providing our services, we process Personal Data in a number of ways.

3.1. Data Processing Roles

Data Controller

NCC Group is a Data Controller for the personal data we hold about our colleagues and for some of the Personal Data we process on our Customers and their employees.

Examples of where NCC Group are a Data Controller include, but are not limited to:

• The business contact details we hold within our Customer Relationship Management Systems (CRM) and Accounts Systems which relate to the individuals we directly engage with for the purpose of providing our services to a Customer
• This includes key contacts for accounts payable, scheduling engagements and providing deliverables (e.g. Reports and Assessments)
• Usernames, IP address or other identifiers in relation to provisioning and maintaining Customer access to our systems for the purpose of service delivery.
• This includes accounts with access to any Software Resilience platforms, our Security Operations Centre (SOC), support/ticketing systems or accounts for our online Cyber Store.
• CCTV images taken on NCC Group premises where a Customer has visited one of our premises

Where NCC Group is a Data Controller, appropriate privacy notices will be provided to a Customer. Depending on the nature of the services provided, NCC Group may not have a direct relationship with Data Subjects; in these cases the Customer shall be responsible for ensuring that Data Subjects are informed of any Processing activity undertaken by NCC Group (where there is a requirement to provide such notice).

Data Processor

NCC Group is a Data Processor for the information we process in accordance with the instructions given to us by our Customers during the course of delivering our products and services.

Processing data on behalf of our Customers is not core to many of the products and services that we provide – it is often incidental. In some cases, processing data is a key part of a service. We understand that Data Protection Law does not usually make any distinction between incidental and core processing, and therefore we realise our obligation to comply with Data Protection Law across all products and services.

We are committed to handling personal data in accordance with Data Protection Law, as described within the principles below.

3.2. NCC Group's Commitment

Where NCC Group is a Data Controller, we will inform the data subject of the following when we collect their data:

• The data we intend to collect;
• The purposes for which we will use it;
• Whether we intend to share it with anyone, and why;
• How long we intend to keep it for;
• Whether we intend to transfer it to a country outside the EEA (or other jurisdictions as applicable); and
• Their rights relating to the personal data we process about them.

Where NCC Group is either a Data Controller or Data Processor, we will ensure that personal data is:

• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Furthermore, we will not transfer personal data to other countries outside the European Economic Area (EEA) without ensuring that there are adequate safeguards in place for its continued protection.

4. Information We Hold

4.1. Information Collected and Processed

The information NCC Group will Process will depend on the nature of the service we provide, however some categories of data will be more common. These include:

• Information you have provided to us directly, such as names, addresses and contact details. You may give us information about you by filling in forms on the Website or by corresponding with us by phone, email or otherwise. This includes information you provide when you:
• ask us to contact you in relation to services we provide;
• request downloads of documentation or software and related support;
• subscribe to our mailing lists, newsletters or bulletins;
• book a seminar or event run by us;
• order products or services from us;
• interact with us on social media platforms (such as LinkedIn or Twitter); or
• report a problem with our Website.
• We may also collect information when you visit the Website, including but not limited to your IP address, location, time of access, the browser you use, your operating system and the pages you visit.
• For NCC Group’s Privacy Policy, please visit https://www.nccgroup.com/uk/about-us/privacy-policy/
• For information on how the Website uses cookies, please visit our Cookie Policy online at https://www.nccgroup.com/uk/cookie-policy/
• We capture CCTV images of visitors to our offices for the purposes of security, including crime prevention and detection, and the apprehension and prosecution of offenders.
• If you contact us by telephone, we may monitor or record phone calls for training and quality purposes.
• NCC Group do not record calls as standard however if a call is recorded at any point you will be provided with a notice at the start of the call.
• We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
• We only obtain information from third parties if this is permitted by law. We may also use legal public sources to obtain information about you.
• Examples of this may include using Dun and Brandstreet to enhance the data we hold on our Customers and prospects
• Using public registers, such as Companies House, to validate Company Director information during any Anti-Money Laundering checks or other due diligence activities.

4.2. Why NCC Group Process Information

The primary purpose for NCC Group collecting Customer information is to ensure we are able to fulfil our contract to provide you with requested products or services. In addition to this, we may process your data in the following ways (provided that, where we are required to obtain your consent to use your information, you have provided such consent):

• to monitor and improve our products, services and the Website;
• to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about or that we feel may be of interest to you;
• to notify you about changes to our services;
• to administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; and
• to enable us to comply with any legal or regulatory requirements.

4.3. Information Retention

As standard, the following retention periods are in place:

• If we are providing services to you, we will retain your personal information for the duration of the services and for six years thereafter, unless agreed otherwise.
• This includes the retention of any reports, or other deliverables, created as part of our Penetration Testing or Security Consulting services and any tickets or incident reports associated with our Security Operations Centre or Managed Detection and Response services.
• Where such information relates to evidence collected during a Penetration Test, Security Consulting or as part of any other assessment or investigation, such evidence shall be retained for six months following the creation of the associated report.
• When you visit our website, you will be asked whether you consent to the use of Cookies. If you consent, we will retain the information collected about you in accordance with the retention periods outlined in our Cookie Policy.
• Phone calls that are recorded are retained for 12 months.
• CCTV records at our NCC Group offices are kept for a period of up to 90 days. Other subsidiaries have different retention periods in accordance with local legislation.
• If you make a complaint to us or provide feedback in any other format other than those specified below (including via telephone, email, web forms or any other form of direct contact) and have a live agreement with us, we will retain a record of your complaint or feedback for the life of the agreement and for 25 months after agreement termination, or if longer than 25 months, until such time as the complaint has been satisfactorily resolved. After 25 months, if you are in reciprocal contact with us during the course of a sale or as part of negotiations for a sale, we will keep a record of previous complaints or feedback until such point as a purchase is made, or if no purchase is made, for a further 6 months thereafter.
• If you choose to provide us with feedback, outside of the complaints process above, the following applies:
• for service feedback surveys, we will retain your data for a maximum of 25 months;
• for NPS Score surveys, product surveys, and general marketing surveys, we will retain your data for a maximum of 25 months;
• data collected through event registration, events requirements, and market research, will be retained for a maximum of 25 months; and
• where you provide us with ‘quotable feedback’, for which we ask your permission, we will retain and use the data for up to 5 years in the format in which you granted permission (for example, if you requested anonymity, or agreed to us assigning the feedback to you at a certain company).

Unless otherwise set out in this privacy policy, any other information we process about you will be retained by us until we no longer need it for the purposes for which it was collected, as set out in this privacy policy and/or the relevant fair processing notice.

We will base that decision on a number of criteria, including whether we are required by law to keep the information for a certain period of time, whether you have withdrawn consent to the processing, whether a contract has been performed and the likelihood of us needing to retain the information in the event of a claim arising, whether the data is still up to date, and whether there are exceptions set out in the applicable data protection legislation that allow us to retain the personal data for a longer period or indefinitely.

We will review and delete or destroy personal data on a regular basis. If we are unable, using reasonable endeavours, to delete or destroy personal data we will ensure that the personal data is encrypted or protected by security measures so that it is not readily available or accessible by us.

4.4. Basis for Processing Personal Data

We collect much of your information on the grounds of:

• legitimate interests (for example, to send you direct marketing about products and services similar to those you have purchased from us or negotiated or enquired about, or to help us administer the Website; and
• fulfilment of a contract with you (for example, to provide you with products or services you have purchased from us).

If we require your personal data for fulfilment of a contract with you (for example, to provide services or products to you or to receive payment from you), we may be unable to fulfil the contract without your personal data.

Where we rely on legitimate interests, our legitimate interests are the promotion of the products and services offered by NCC Group and the provision of information in respect of products and services you have already purchased from us or in which you have expressed an interest in purchasing.

If we are unable to rely on legitimate interests, fulfilment of a contract or any other ground set out in Data Protection Law to process your personal data, we will obtain consent from you to the processing. This will be the case if, for example, you download documentation from us and we would like to send you marketing communications about our products and services. If you give us your consent, you can withdraw it at any time by clicking on the link in the email we send to you, or by emailing response@nccgroup.com. Withdrawal of your consent will not affect any processing we have carried out in respect of your personal data prior to you withdrawing consent.

4.5. Access to Customer Information and Personal Data

Unless prohibited by national or local law or other regulatory requirements, we may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

Unless prohibited by national or local law or other regulatory requirements, we may disclose your personal information to third parties:

• if the third party contracts with us to provide certain of the services you have requested and requires your Personal Data in order to do so;
• if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
• if NCC Group or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets; or
• if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or to protect the rights, property, or safety of NCC Group, our customers, or others.

Customer information is held securely. Access is restricted to NCC Group colleagues and agents (including our data processors) that need to access and process the information in order to perform their jobs. Otherwise, your information is generally only provided to you.

If a third party asks for information about you, we will check the identity and authority of the third party to make sure that they are entitled to the information, and we will ensure that any disclosure is permissible under relevant Data Protection Law.

4.6. Where NCC Group Store Personal Data

The data that we collect from you may be transferred to, and stored at, a destination outside the EEA and transferred from such destination to another destination outside the EEA. It may also be processed by colleagues operating outside the EEA who work for us or for one of our suppliers. Such colleagues may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. This will be made clear at the time of enter into an agreement with NCC Group for the provision of service.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. The destinations to which your personal data will be transferred will either offer adequate protection for your personal data, as determined by the European Commission, or we will make sure there are appropriate safeguards in place.

We will also ensure adequate safeguards are in place when transferring personal data outside of countries located outside the EEA, where additional measures are required by national law. If you would like to know more about the basis on which we transfer your data outside the EEA where a finding of adequacy hasn’t been made, please contact dataprotection@nccgroup.com.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or other services which we provide to you, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

5. Your Rights

While the rights individuals have can depend on their country, residence and citizenship, NCC Group has adopted a global approach to privacy. Therefore, if an you are not based within the, United Kingdom, the European Union or are in a location which does not have specific data privacy rights, we will assess rights requests based on our ability to provide for your rights rather than your actual location.

These rights are not absolute and can vary depending on the relationship we have with you and the reasons for processing your data.

The key fundamental rights include:

Access to your data

You have the right to ask for access to, and receive copies of, your Personal Data. You can also ask us to provide a range of information relating to our processing of your data.

We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.

We will provide the information you request as soon as possible and in any event within any timeframes mandated by the applicable Data Protection Laws. If we need more information to comply with your request, we will let you know.

Rectification of your data

If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to correct that information.

We will usually comply with your request within one month of receiving it, unless we don’t feel it’s appropriate for us to do or we are legally required to deny the request. In these cases we will let you know why. We will also let you know if we need more time to comply with your request.

The right to be forgotten

In some circumstances, you may have the right to ask us to delete the Personal Data we hold about you.

This right is usually available to you where:

• we no longer need your personal data for the purpose for which we collected it;
• where we have collected your personal data on the grounds of consent and you withdraw that consent;
• where you object to the processing and we don’t have any overriding legitimate interests to continuing processing the data;
• where we have unlawfully processed your personal data (i.e. we have failed to comply with GDPR); and
• where the personal data has to be deleted to comply with a legal obligation

There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.

The right to restrict processing

In some circumstances, you are entitled to ask us to restrict processing of your personal data. This means we will stop using your personal data but we may not have a requirement to delete your data. This right is normally available where:

• you believe the personal data we hold isn’t accurate – we shall cease processing it until we can verify its accuracy;
• you have objected to us processing the data (see below) – we shall cease processing it until we have determined whether our legitimate interests override your objection;
• the processing is unlawful; or
• we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim.

Data portability

In certain scenarios, you may have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the Personal Data to another organisation. This right only applies

• to Personal Data you provide to us;
• where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your Personal Data on the grounds of legitimate interests); and
• where we carry out the processing by automated means.

We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.

The right to object

You are entitled to object to us processing your personal data where:

• the processing is based on legitimate interests and/or is for the purposes of public interest or the exercise of official authority;
• we are processing your data for direct marketing purposes (including profiling); and/or
• Personal Data is processed for the purposes of scientific or historical research and statistics.

In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

Right to opt-out of the sale of information

Under the CCPA, Californian residents have the right to direct a business that sells personal information about an individual to third parties not to sell their personal information.

Right to disclosure of information sold

Under the CCPA, Californian residents have the right to request that a business that sells personal information about them, or who discloses their personal information for a business purpose, provide them with the details of the information disclosed and the recipients of that information.

Right to non-discrimination

Under the CCPA, Californian residents have the right to not be discriminated against for exercising their rights. NCC Group shall not discriminate against any person who exercises their rights under the CCPA, the GDPR or any other privacy law.

Automated decision making

Under GDPR and the UK GDPR, you may have the right to challenge any automated decision making and request human intervention. This right only applies where any automated decision making has legal or similarly significant effects and where such decision making is not based on consent.

If you would like to exercise any of your rights in respect of your personal data, please contact us at dataprotection@nccgroup.com or write to us at:

Chief Data Protection and Governance Officer
NCC Group
XYZ Building
2 Hardman Boulevard
Spinningfields
Manchester
M3 3AQ

6. Cookies and External Links

6.1. Cookies

You will be asked whether or not you consent for the use of cookies when you visit our website. We use cookies to monitor your use of our Website and so that we are able to advertise to you when you use third party websites. This won’t affect your use of our websites or the third party websites. We won’t directly contact you solely as a result of you visiting our Website.

6.2. Links

The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

7. Who is Responsible for this Policy?

Our Chief Data Protection and Governance Officer is responsible for this policy and must approve any changes. If you have any questions about this policy, please contact our Group Data Protection Officer at our Manchester office address, or email dataprotection@nccgroup.com.

Any changes we may make to this Policy in the future will be posted on this page and, where appropriate, notified to you by email.

8. Contact Information

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to dataprotection@nccgroup.com. You may also write to us at:

Chief Data Protection and Governance Officer
NCC Group
XYZ Building
2 Hardman Boulevard
Spinningfields
Manchester
M3 3AQ

If you have any concerns about the ways in which we process your personal data, you are entitled to report those concerns to the relevant supervisory authority in your jurisdiction.

Please see below for details of some of the key regulators for data privacy:

• Denmark
• Datatilsynet
• T: 33 19 32 00
• Germany
• Bayerisches Landesamt für Datenschutzaufsicht
• 0981 1800930
• Lithuania
• State Data Protection Inspectorate
• T: 271 2804 / 279 1445
• Netherlands
• Autoriteit Persoonsgegevens
• T:070 888 8501
• Spain
• Agencia Española Protección de Datos
• T: 901 100 099 / 91 266 35 17
• Sweden
• Swedish Authority for Privacy Protection (IMY)
• T: 08-657 61 00
• Switzerland
• Schweizerische Eidgenossenschaft
• T: 058 462 43 95
• UK
• Information Commissioner’s Office (ICO)
• T: 0303 123 1113

In the United States the key authority would be the Attorney General within any given State – information on the relevant Attorney Generals may be found here. Additionally, there may be a requirement to contact specific Credit Reference Agencies where details relate to financial information.