top of page
Award-winning GDPR and Data Protection Services

GRC Information Management
Privacy Notice

Our contact details

Address:  203 - 205 Charminster Road, Bournemouth, Dorset, England, CLB VO29

Phone Number: 07941 248033


ICO Registration Number:

In accordance with the Data Protection Act 2018 (‘the Act’), GRC Information Management has notified the Information Commissioner’s Office of its processing activities. GRC's ICO registration number is ZB 322805.



This Privacy Notice provides information about how GRC Information Management as a Data Controller will process personal data where the data subjects include current, past, and prospective individual customers, professionals, or corporate business clients.

Anyone who works for, or acts on behalf of, GRC Information Management – including staff, contractors, third-party service providers, and data processors - should also be aware of and comply with GRC Information Management's GDPR, Data Protection, and  Cyber Security policy, which provides further information on how personal data will be used.


Responsibility for Data Protection

GRC Information Management has appointed a Data Protection Officer who will ensure that all personal data is processed in compliance with the Act, GDPR, and applicable data protection legislation.


The contact details are as follows:

​Data Protection Officer

Christina Tueje


​The type of Personal Data we collect

GRC Information Management may process a range of personal data about Individuals by providing consultancy, training, and Data Protection Officer (DPO) professional support services. We will process personal data when we procure services and when we employ staff.


We may collect, use, store, and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data which includes your first name and last name.

  • Contact Data means the data we use to contact you including your billing address, email address, mobile number, other contact details, and unique identifiers.

  • Payment Data means bank details and other financial information

  • Your communication preferences. 

  • Images of staff (and possibly other individuals) engaging in GRC Information Management activities and events

  • Technical Data means details about the device(s) you use to access our website including your internet protocol (IP) / MAC address, browser type, and version, location, browser plug-in types, and versions, operating system and platform, and other technology on the devices you use to access this website.  

  • Usage Data includes information about how you use our website, products, and services.

  • Profile Data includes your username (email address), your login data, the services you have purchased, your interests, preferences, feedback, and survey responses.  

GRC Information Management does receive personal data from the individual directly. However, in some cases, personal data may be supplied by third parties - for example, another organisation may collect personal data from individuals and send this information to GRC Information Management for business or employment reasons.


GRC Information Management may need to process  “special categories of data” (GDPR) regarding individuals - eg in relation to our employees. Special categories of data are entitled to special protection so will only be processed with the explicit consent of the individual or as otherwise permitted by the Act, GDPR, or applicable legislation.


We also collect, use and share aggregated and/or anonymised data (“Aggregated Data”) such as statistical or demographic data for analytical purposes. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.


How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • Direct interactions: by using our website, filling in forms, or by corresponding with us by post, phone, email, in person, or otherwise. 

  • Automated technologies or interactions: as you interact with us, we may automatically collect usage data and technical data about your equipment, browsing actions, and patterns. Please see our Cookies Policy for further details.

We use the information that you have given us to:

  • Provide you with services

  • To provide you with information, advice, and downloads

  • To provide you with employment

  • To procure services from you


Under the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) and applicable legislation, the lawful bases we rely on for processing this information are:

  • (a) We have a contractual obligation - processing is necessary to meet contractual obligations entered into by the individual or the corporate business client

  • (b) We have a legal obligation - Processing is necessary to comply with GRC Information Management legal obligations 

  • (c) We have a legitimate interest - Purposes of the legitimate business interests pursued of GRC Information Management - in line with its stated core purpose and function


Use of Personal Data

GRC Information Management will use - and where appropriate share with third parties - personal data about individuals for a number of purposes as part of its normal operation and business activities, including as follows:


  • To provide training, consultancy, and professional Data Protection Officer (DPO) support services

  • To respond to your requests  when information, advice, or downloads

  • To give and receive information and references about past and current employees

  • To enable GRC Information Management to fully comply with legislation and key requirements regarding recruitment, selection and employment, and other operational activities

  • Where otherwise required by national policy requirements and statutory legislation

  • To safeguard the welfare of employees and other individuals

  • To monitor - as appropriate - use of GRC Information Management's Privacy and Acceptable Use policies

  • To make use of photographic images of staff and possibly other individuals in publications on GRC Information Management's website and – where appropriate - on GRC Information Management's social media channels 

  • For security purposes, to prevent or detect crime and for regulatory and legal purposes - for example, anti-money laundering, fraud, gross misconduct

  • Where otherwise reasonably necessary for GRC Information Management's purpose including obtaining appropriate professional advice and insurance for GRC Information Management


​Recipients of the Personal Data

The nature of the way GRC Information Management provides training, consultancy, and support services means that we may share limited personal data with the following:


  • Training venues, training organisations, and conference providers

  • Accreditors and Regulators

  • Accountants and payroll providers

  • HR or employment-related service providers


Limited personal data is shared in accordance with our legal basis for processing as mentioned above.


International Transfers 

Some data processors and third parties that we use are based outside the United Kingdom, so their processing of your personal data will involve a transfer of data outside the United Kingdom.


The Transfer of Data Within the UK, the European Union (EU), and the European Economic Area (EEA)

GRC Information Management may transfer data to recipients within the EU and the EEA. These data transfers are subject to the GDPR, the DPA, and other applicable data protection regulations.


All EU Member States and the Member States of the EEA apply the provisions of the GDPR.  These countries thereby respect the principles of protection of personal data and privacy as laid out in the DPA and GDPR.


The Transfer of Data Outside the UK, the EU, and the EEA

GRC Information Management will only transfer data outside the UK, EU, and the EEA if an adequate level of protection is ensured in the country of the recipient.


Whenever we transfer your personal data out of the United Kingdom, we ensure a similar degree of protection is afforded to it.


How we store your personal information

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. GRC Information Management will endeavor to ensure that all personal data held is as up-to-date and accurate as possible.

GRC Information Management Limited will take appropriate and organisational steps to ensure the security of personal data.  Where appropriate, data security measures will include:


  • The pseudonymisation and encryption of personal data

  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident


We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for.  Data discovery audits will be used to identify information that is no longer needed. All staff will be made aware of this policy.


Your Data Protection Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data:


Your right of access - You have the right to ask us for copies of your personal information. Individuals have the right to obtain:


  • Confirmation that their data is being processed

  • Access to their personal data


We will respond to such requests within one month. This may be extended where the request for rectification is complex.

GRC Information Management has a Data Subject Access Request procedure to handle such enquiries.


Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.


Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. GRC Information Management will respond to such requests within one month. This may be extended where the request for rectification is complex.


Your right to erasure (Right To Be Forgotten) - You have the right to ask us to erase your personal information in certain circumstances. An individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing. There are some specific circumstances where the right to erasure does not apply, so GRC Information Management may not be able to deal with all such requests.


Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Individuals have the right to block, suppress or restrict the processing of personal data in the following circumstances:


  • Where an individual contests the accuracy of the personal data

  • Where an individual has objected to the processing but GRC Information Management may consider whether its legitimate grounds override those of the individual

  • When processing is unlawful and the individual opposes erasure and requests restriction instead

  • If GRC Information Management no longer needs the personal data but the individual requires the data to establish, exercise, or defend a legal claim


Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Individuals have the right to object to profiling, direct marketing, and processing for the purposes of scientific/ historical research and statistics


Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.


Under GDPR, exercising this right allows individuals to obtain and reuse their personal data for their own purposes across different services. GRC Information Management will support individual customers’ right to move, copy or transfer personal data easily from one provider to another in a safe and secure way, without hindrance to usability.

The right to withdraw consent – GRC Information Management will support individuals’ rights to withdraw consent at anytime, where relevant.  We will ensure that withdrawing consent is as easy as possible.

The right to lodge a complaint – Individuals have the right to lodge a complaint with a Supervisory Authority.

GRC Information Management does not carry out automated decision-making, including customer profiling. If this position changes in the future, we will update our Privacy Notice and we will inform individuals.


You are not required to pay any charge for exercising your rights. If you make a request, we typically have one month to respond to you.

Please contact us at if you wish to exercise your rights.



The Site is intended for adults and is not intended for use by children under 13 years of age.  We do not knowingly collect information from or about children or sell products to children under the age of 13.

Queries and Complaints

Any comments or queries on this Privacy Notice should be directed to the Data Protection Officer by emailing

If an individual believes that GRC Information Management has not complied with this Privacy Notice or acted otherwise than in accordance with the Act, GDPR or applicable legislation, they should notify the Data Protection Officer.


You can also complain to the Information Commissioner’s Office (the ICO) if you are unhappy with how we have used your data. The contact details are as follows:



Information Commissioner’s Office

Wycliffe House

Water Lane






Helpline number:

0303 123 1113






Cookies collect information about how visitors use our site, which is then used to help improve the site. The information collected includes the number of site visitors, where visitors come to the site from and the pages they visited.

You can choose to refuse cookies or tell your browser to let you know each time that a website tries to set a cookie. However, refusing cookies may mean some sections of the site will not work properly.


For more information about cookies (including how to turn them off), please visit



Periodic Updates to this Privacy Notice

We keep our privacy notice under regular review to make sure it is up to date and accurate.


Policy Produced: June 2022
Policy Review: January 2024

bottom of page