
Privacy Policy

NDC Certification Bureau Ltd (“NDC”, “we”, “us”, “our”) is committed to protecting the privacy and security of the personal data we hold. This policy explains what personal data we collect, how and why we use it, who we share it with, how long we keep it, and the rights available to you.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a certification body, we also operate an information security management system aligned to ISO/IEC 27001:2022, the international standard for information security management, which underpins the technical and organisational measures we use to safeguard the personal data in our charge.

Who we are (Data Controller)
NDC Certification Bureau Ltd is the data controller responsible for your personal data.

Registered address: 21a Market Place, Warminster, Wiltshire, United Kingdom BA12 9AY
Company number: 15769297
ICO registration number: C1647703
Contact for data protection matters: Data Protection Officer, compliance@ndccertification.org, tel. 0333 939 87 97

The personal data we collect
Depending on your relationship with us, we may collect and process the following categories of personal data (collectively, “personal information” or “PII”):

Clients, applicants and certified organisations

Names, job titles, and roles of contacts
Business contact details (email, telephone, postal address)
Audit and assessment records, including findings that may name individuals
Certification application, decision, and history records
Billing and payment information

Auditors, assessors, contractors and suppliers

Names and contact details
CVs, qualifications, competence and training records
Right-to-work and identity verification data
Contract, payment, and bank details

Employees and job applicants

Recruitment, HR, payroll, and employment records (covered in more detail in our internal HR privacy notice)

Website visitors and enquirers

Contact details submitted through forms or correspondence
Technical data such as IP address, browser type, and cookie data (see our Cookie Policy)

Special category data

We do not routinely seek special category data (such as health, racial or ethnic origin, or religious belief). Where it is unavoidable, for example accessibility requirements for an on-site audit, we process it only with an Article 6 lawful basis and an applicable Article 9 condition under UK GDPR.

Why we use your personal data and our lawful basis
Under UK GDPR we must have a lawful basis for each processing activity. We rely on:

Contract — to deliver certification, audit, and assessment services and manage our agreement with you.
Legal obligation — to meet accreditation, regulatory, tax, and employment law requirements.
Legitimate interests — to manage and develop our business, maintain records, ensure the impartiality and integrity of our certification decisions, and for security and fraud prevention. Where we rely on legitimate interests, we balance these against your rights.
Consent — for optional activities such as marketing communications, which you can withdraw at any time.

Specific purposes include: assessing certification applications; conducting audits and surveillance visits; making and maintaining certification decisions; managing accreditation requirements; communicating with you; processing payments; and complying with our legal and regulatory duties.

Who we share your personal data with
We may share personal data with:

Accreditation bodies (e.g. UKAS) and, where required, regulators and scheme owners, to demonstrate the validity of certifications.
Service providers and processors who act on our instructions (e.g. IT, hosting, audit-management platforms, payment processors), bound by written contracts under Article 28 UK GDPR.
Professional advisers such as auditors, lawyers, and insurers.
Authorities where we are required to do so by law.

We do not sell your personal data. Where information about certified organisations is published (for example on a public register of valid certificates), only the information necessary for that purpose is disclosed.

International transfers
Where we transfer personal data outside the UK, we ensure an appropriate safeguard is in place — such as an adequacy decision, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses — so your data receives an equivalent level of protection.

How long we keep your personal data
We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy accreditation, contractual, legal, tax, and accounting requirements. Certification and audit records are typically retained for the duration of the certification cycle plus any period required by the relevant accreditation scheme. Our retention schedule sets out specific periods. When data is no longer needed, it is securely deleted or anonymised.

How we protect your personal data
We take the security of personal data seriously. Our controls are governed by an information security management system aligned to ISO/IEC 27001:2022, and include:

Access controls and the principle of least privilege, so PII is accessible only to those who need it.
Encryption of data in transit and, where appropriate, at rest.
Network security, monitoring, and protection against malware and unauthorised access.
Staff training, confidentiality obligations, and clear information-handling policies.
Supplier due diligence and contractual security obligations on our processors.
Documented incident management and breach response procedures, including notification to the ICO within 72 hours of becoming aware of a reportable personal data breach, and to affected individuals where required.
Regular risk assessments, internal audits, and continual improvement of controls in line with the ISO/IEC 27001:2022 framework.

While alignment to ISO/IEC 27001:2022 significantly strengthens our protection of PII, no system can be guaranteed completely secure; we manage risk on an ongoing basis.

Your rights
Under UK GDPR you have the right to:

be informed about how your data is used;
access a copy of your personal data;
request rectification of inaccurate or incomplete data;
request erasure (“right to be forgotten”) in certain circumstances;
restrict or object to certain processing;
data portability in certain circumstances;
withdraw consent at any time where processing is based on consent; and
not be subject to solely automated decisions producing legal or similarly significant effects (we do not currently carry out such automated decision-making).

To exercise any of these rights, contact us using the details above. We will respond within one month of receipt, as required by UK GDPR. There is normally no charge, though we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.

Cookies
Our website uses cookies. Details of the cookies we use and how to manage them are set out in our Cookie Policy.

Complaints
If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner’s Office (ICO) — http://www.ico.org.uk — helpline 0303 123 1113.
