The DPO Centre's Privacy Notice for Clients and Prospects in the EU and UK
1. Who are The DPO Centre?
The DPO Centre consists of the following companies: The DPO Centre Limited (a private limited company registered in England with the company number 10874595) and a number of global subsidiary companies (as defined in section 1159 of the UK Companies Act 2006), including The DPO Centre Europe Limited, The DPO Centre Netherlands B.V., and The DPO Centre Canada Inc.
The company registration details for each company are:
- The DPO Centre Limited registered in England with company number 10874595 and registered office address of The Suffolk Enterprise Centre, 44 Felaw Street, Ipswich, Suffolk, IP2 8SJ. Registered with the Information Commissioner’s Office in the United Kingdom with registration number ZA310860.
- The DPO Centre Europe Limited registered in Ireland with company number 681576 and registered office address of Alexandra House, Ballsbridge Business Park, Ballsbridge Park, Merrion Road, Dublin DO4 C7H2.
- The DPO Centre Netherlands B.V. registered in The Netherlands with company number 85600601 and registered office address of Vijzelstraat 68, 1017HL Amsterdam.
- The DPO Centre Canada Inc registered in Ontario, Canada with company number 1000582816 and registered office address of 161 Bay Street, Suite 2700, Toronto ON, M5J 2S1.
Throughout this Privacy Notice, we will refer to the above companies as “The DPO Centre”, “DPO Centre”, “DPOC”, “Affiliates”, “We”, “Our” or “Us”.
It is important to note that We will transfer information between Our Affiliates as is most appropriate to manage Our businesses. Further information is contained in section 16 and 17 of this notice.
2. What services does The DPO Centre provide?
The DPO Centre is a leading Data Protection Officer resource centre, delivering expert data protection and privacy advice and access to skilled and experienced resources whenever and wherever it is needed.
You can find out more about The DPO Centre and Our services on Our website.
3. Scope of this Privacy Notice
This Privacy Notice Provides you with information on how We manage your personal data in your interactions with Us, regardless of your location.
Depending on your relationship with Us, We will hold and manage your information differently. The DPO Centre could be in possession of your information as a:
- Website visitor, or
- Contact for a prospective client, or
- Contact for a client, or
- Result of Us providing Our services to Our clients
This Privacy Notice details how We manage your information in all the above situations. Your relationship to Us will also determine whether We are acting as a Data Controller or a Data Processor for your information.
In some cases, where We are collecting information for new or novel purposes, We will provide specific privacy information at the point that We collect your information.
If you are a website visitor, this Privacy Notice should be read together with our Cookie Privacy Notice that can be found on each relevant DPO Centre website.
While Our website is designed for a general audience, We will not knowingly collect personal data of children under the age of 16. If you believe We might have any personal data from or about a person under the age of 16, please email Us at dpo@dpocentre.com.
You should read our Candidate Privacy Notice if you are considering applying for a job with Us.
Where there is a conflict between local law and the provisions of this Privacy Notice, local law will prevail.
4. When are We acting as a Data Controller?
We act as the Data Controller for personal data We hold:
- About Our Clients (including contact within Our clients’ businesses)
- About Our Prospects (including contact within Our clients’ businesses)
The DPO Centre is the Data Controller for the personal data We process, unless otherwise stated.
Unless otherwise stated, this Privacy Notice applies when We are acting as a Data Controller for your information.
5. When are We acting as a Data Processor?
In some circumstances, We will have access to or hold information as a Data Processor acting on Our clients behalf.
An example of this is in the provision of Our DSAR (Data Subject Access Request) Services. In these services, as with some of Our other services, Our client is the Data Controller and We are the Data Processor.
Any requests made to Us, for example, data subject right requests, complaints, or requests for information, will be reported to Our client and We will then proceed in line with client instruction.
6. How can I contact The DPO Centre?
If you would like to exercise one of your rights as set out in this Privacy Notice, or you have a question, query, or complaint about this Privacy Notice or the way your personal data is processed, please contact Our Data Protection Officer either by phone, email, or post.
For UK residents:
- By email: dpo@dpocentre.com
- By phone: +44 (0) 203 797 1289
- By post: The Suffolk Enterprise Centre, 44 Felaw Street, Ipswich, Suffolk, IP2 8SJ
For EU residents:
- By email: dpo@dpocentre.com
- By phone: +31 20 209 1510
- By post: The DPO Centre B.V., Vijzelstraat 68-78, Amsterdam, 1017 HL, The Netherlands
For residents in all other countries, please contact Us by email on: dpo@dpocentre.com
7. How does The DPO Centre collect my personal data?
Where We are acting as a Data Controller, We may have obtained your personal data directly or indirectly through a number of channels.
We may have collected your information directly from you when you have:
- Visited Our website
- Completed a contact form
- Contacted Us by phone, which includes Our call answering service
- Signed up to Our newsletter
- Responded to one of Our surveys
- Met with or engaged with Us at an event, exhibition or conference
- Visited Our office
- Interacted with Us on social media platforms (such as LinkedIn)
In some circumstances, We may collect your information indirectly, such as:
- From 3rd party data broker lists (e.g. ZoomInfo) or from websites who rely on Legitimate Interest for collecting and sharing information.
- Referrals from existing and prospective clients.
- From publicly available sources when it is in Our legitimate interest to do so.
Where We are acting as a Data Processor, We will only receive information under instruction from Our clients.
8. What personal data does The DPO Centre collect about me?
| Personal data category | Personal data |
| Contact information | Any information you provide to Us that allows Us to contact you, e.g., your first and last name, your business email address, business mailing address, or business telephone numbers. |
| Surveys and opinions | Information you provide when you participate in Our surveys or provide feedback. |
| Complaint information | Nature of your complaint. |
| Cookies | Please refer to Our Cookie Privacy Notice. |
| Website security | Cookies necessary for security purposes and Google reCAPTCHA. Please refer to Our Cookie Privacy Notice. |
| Browser and user information | All cookies placed by Google over the last 6 months, how many mouse clicks you have made on that screen (or touches if on a touch device), the Cascading Style Sheets (CSS) information for that page, the date, the language your browser is set to, any plug-ins you have installed on the browser, all JavaScript objects, and the data you supply via Our forms. More information can be found at Google reCAPTCHA and Google’s Privacy Policy. |
| Other information | Any other personal data that you choose to share with Us, which given the nature of Our services, is not likely to be special category data. |
We do not intentionally or knowingly collect or process special category data or criminal convictions and offences data where We are acting as a Data Controller under this notice.
9. What is the purpose and lawful basis for processing my personal data
The applicable lawful basis for Our processing will differ depending on the legislation that is applicable:
- Where you are from the UK, UK data protection legislation applies
- Where you are from the EU, EU data protection legislation applies
Please see below for information on the personal data processed, purpose, and the applicable lawful basis:
| What is the purpose of the processing? | What personal data Category is processed? | What is the lawful basis for processing personal data under the EU and UK General Data Protection Regulation (GDPR)? |
| To contact you, following your enquiry or to reply to any questions. | Contact information | Legitimate Interest (EU/UK) |
| Customer service enquiries, reply to suggestions, issues, or complaints you have contacted Us about. | Contact information; Complaint information; Other information | Legitimate Interest (EU/UK) |
| To manage data subject right requests. | Contact information; Other information | Legal Obligation (EU/UK) |
| Fulfilling Our contract to provide you with the agreed service. | Contact information; Surveys and opinions | Legitimate Interest (EU/UK) |
| Processing your orders. | Contact information | Legitimate Interest (EU/UK) |
| Taking payment from you or giving you a refund and associated financial accounting. | Contact information | Legitimate Interest (EU/UK) |
| For statistical analysis and to get feedback from you about Our service. We occasionally may invite you to participate in a case study following an engagement. | Contact information; Surveys and opinions | Legitimate Interest (EU/UK) |
| To ensure that Our website is safe and secure. | Cookies and website security | Legitimate Interest (EU/UK) |
| Helping Us understand more about you as a customer and the products and services you consumer, so we can serve you better. | Contact information; Surveys and opinions | Legitimate Interest (EU/UK) |
| Contacting you for sales and prospecting. | Contact information | Consent (EU); Legitimate Interest (UK) |
| Contacting you about relevant industry specific news stories, articles, or blogs, including sending you The DPIA Newsletter. | Contact information | Consent (EU); Legitimate Interest (UK) |
| Marketing and analytics from Our website using cookies. | Website security | Consent (EU/UK) |
| To deliver free webinars to you that you have signed up to. | Contact information | Consent (EU/UK) |
| Transpose calls using Microsoft
Co-pilot when having Teams calls. | Contact information; Other information | Legitimate Interest (EU/UK) |
| Contacting business contacts for feedback on Our white papers and GDPR toolkit and to ask if they require further assistance. | Contact information | Legitimate Interest (EU/UK) |
We may, in further dealings with you, extend this personal data to include your purchases, services used, subscriptions, records of conversations and agreements, and payment transactions.
The legal basis for processing your personal data is based on compliance with a Legal Obligation, Our Legitimate Interest, or your Consent that We will have requested/stated at the point the information was initially provided, therefore, We will not store, process, or transfer your data unless We have an appropriate lawful reason to do so.
We will only use your personal data for the purposes for which We collected it, unless We reasonably consider that We need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal data for an unrelated purpose, We will notify you and We will explain the legal basis which allows Us to do so.
Please note that We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
10. How We keep you updated on Our products and services
We will send you relevant news about Our services in a number of ways, including by email, but only if We have a Legitimate Interest or your Consent to do so. Where We rely on Legitimate Interest, We have completed a Legitimate Interest Assessment for the processing activity, or for data of UK residents acting in a business environment, We rely on the Corporate Subscriber exemption.
Newsletters and marketing communications might be sent from Our own domains (dpocentre.com or thedpocentre.com) or Our dedicated newsletter domain (thedpia.com) that provides an informative newsletter to business contacts.
When We send you marketing by email, each email communication will have an option to object to the processing. If you wish to amend your marketing preferences, you can do so by following the link in the email you receive from Us and updating your preferences, or by contacting Us at dpo@dpocentre.com.
11. Giving your reviews and sharing your thoughts
When using Our website, you may be able to share information through social networks like LinkedIn and X. For example, when you ‘like’, ‘share’ or review Our services. When doing this, your personal data may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts, so you are comfortable with how your personal data is used and shared on them.
12. How long does The DPO Centre keep my personal data?
The period for which We will retain personal data will vary depending on the purposes that it was collected for, as well as the requirements of any applicable law or regulation:
- For prospect clients, two years after Our last contact with you or some other identifiable action, at which point your information will be deleted.
- For clients, six years from the end of the financial year you are no longer a customer.
We may also retain your personal data for longer periods where We need to exercise, establish, or defend against legal claims. When personal data is no longer required, We delete or anonymise data in line with Data Protection Legislation and appropriate industry guidance.
13. What are my data rights and can I object to you processing my personal data?
It is important that the personal data we hold about you is accurate and current. Please keep Us informed if your personal data changes during your engagement with Us.
Where We are acting as a Data Controller, and under certain circumstances, by law you have the right to:
- Request access to your personal data (commonly known as a Data Subject Access Request (DSAR)). This enables you to receive a copy of the personal data We hold about you.
- Please note that We do not have agreements in place with any third-party platforms that offer “Subject Access Requests as a Service”. The right of access afforded to you does not obligate Data Controllers to share data with 3rd parties in the delivery of an access request. It is Our policy to provide the information directly to Data Subjects where We can confirm contact details.
- Request correction of the personal data that We hold about you. This enables you to have any incomplete or inaccurate information We hold about you corrected.
- Request erasure of your personal data. This enables you to ask Us to delete or remove personal data where there is no good reason for Us continuing to process it. You also have the right to ask Us to delete or remove your personal data where you have exercised your right to object to processing.
- Object to processing of your personal data where We are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where We are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask Us to suspend the processing of personal data about you.
- Request the transfer of your personal data to another party.
- Right to withdraw Consent. In the limited circumstances where We are processing your data on the basis of Consent you have provided Us, and We have no other legal justification or obligation to continue the processing, you have the right to withdraw your Consent for that specific processing at any time.
For your protection and to protect the privacy of others, We may need to verify your identity before completing your request.
If you object to Us using your personal data or withdraw Consent for Us to use your personal data (when We are processing your personal data based on your Consent) after initially giving it to Us, We will respect your choice in line with applicable law.
If you would like to exercise any of these rights or would like to confirm the accuracy of your information, please contact dpo@dpocentre.com.
Where We determine that your request is for information that We hold in Our capacity as a Data Processor, We will pass the request on to Our client (the Data Controller) and will act under their direction.
14. Automated decision making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
15. How do We protect your personal data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, We limit access to your personal data to those employees, contractors, and trusted third parties who have a business need-to-know basis for the purpose of supporting Us to deliver Our services.
Examples of Our security measures include:
- Limiting access to Our buildings to those that We believe are entitled to be there by use of passes.
- Implementing access controls to Our information technology.
- Ensuring there are appropriate procedures and technical security measures (including strict encryption, anonymisation, and archiving techniques) to safeguard your Personal Data across all Our systems, website, and offices.
- When We work with trusted third parties, known as Data Processors who help to deliver Our services or manage Our business, We carry out Due Diligence checks to review a third parties’ compliance with Data Protection Legislation before We work with them and ensure there are appropriate contracts in place before a Data Processor processes any Personal Data.
- Regular training for staff on Information Security and Data Protection
- Policies and procedures to cover Data Protection matters including incidents, personal data breaches, and data subject right requests.
16. Will The DPO Centre share my Personal Data with other organisations?
We may disclose the personal data We hold about you to:
- Any other member of The DPO Centre
- Affiliates (all the companies listed at the beginning of this Privacy Notice) to ensure that you receive the best service. Please note that all business support services are managed in the United Kingdom.
- With companies affiliated with Us when this is necessary to deliver Our services.
- Banks and other financial institutions.
- Payment service providers.
- Your employer or the corporate entity that you represent, solely for the purposes of providing the Services to you and/or your employer where We have a contract with your employer or the company you represent.
- Third party companies in the event that We are involved in a corporate transaction, such as an actual or potential merger, joint venture, consolidation, or asset sale. We may, from time to time, expand or reduce Our business and this may involve the sale and/or the transfer of control of all or part of Our business. Any personal data that you have provided will, where it is relevant to any part of Our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by Us.
- Our professional advisors, such as lawyers, accountants, auditors, financial services providers, and other professionals.
- Our service providers as Data Processors on Our behalf, including IT hosting companies – We may engage other companies and individuals to perform functions on Our behalf. We use Data Processors who are third parties who provide elements of services for Us. We have Data Processor Agreements in place with Our Data Processors. This means that they cannot do anything with your personal data unless We have instructed them to do it. They will not share your personal data with any organisation apart from Us or further Sub-Processors who must comply with Our Data Processor Agreement. They will hold your personal data securely and retain it for the period We instruct. Further, they must process the personal data in accordance with this Privacy Notice and as permitted by applicable data protection laws. Examples include data storage and hosting, sending newsletters, analysing data, providing marketing assistance, and providing customer services.
- reCAPTCHA from Google helps protect websites from spam and abuse. A “CAPTCHA” is a test to tell humans and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out. By adding reCAPTCHA to Our site, We can block automated software, whilst helping Us welcome real users, like you. First, the reCAPTCHA algorithm will check to see if there’s a Google cookie placed on the computer being used. Then, an additional reCAPTCHA-specific cookie will be added to your browser and a complete snapshot of the browser window at that moment in time will be captured, pixel by pixel.
- We release account and other personal data when We believe release is appropriate to comply with the law, enforce or apply Our agreements with Our customers or suppliers, or protect the rights, property, or safety of Our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. However, this does not include selling, renting, sharing, or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this Privacy Notice.
- Regulatory authorities as required by any such authority, including tax authorities.
- Law enforcement agencies, courts, and other relevant tribunals.
17. Will my data be processed outside my home country?
We will need to transfer and use your personal data outside of the country where We collect it from you. Your data will be processed in the UK as all Our core business systems are held within the UK.
Where We transfer personal data to Our Affiliates or other third parties outside of the European Economic Area, We will ensure that those transfers take place in accordance with the applicable data protection laws designed to ensure the privacy of your personal data, including by entering into data transfer agreements with recipients. If you would like more information about how your personal data may be transferred, please contact Us at dpo@dpocentre.com.
18. How can I make a complaint?
You have the right to make a complaint if you are unhappy about how your personal data is processed. However, We would appreciate the chance to deal with your complaint before you approach the Supervisory Authority, so please contact Us in the first instance at dpo@dpocentre.com. Your satisfaction is extremely important to Us and We will always do Our very best to solve any problems you may have. If you remain dissatisfied, you may wish to contact the Supervisory Authority.
You have the right to complain about the use of your personal data to the local Supervisory Authority, which in the UK is the Information Commissioner’s Office. If you are located within the EU, then Our representative DPO Centre entity is The DPO Centre Netherlands B.V. The Supervisory Authority in Netherlands is Autoriteit Persoonsgegevens.
You can find the contact details for the Information Commissioner’s Office and Autoriteit Persoonsgegevens in the table below.
| Supervisory Authority | Website | Telephone | Address |
| UK’s Information Commissioner’s Office (ICO) | ICO’s website | 0303 123 1113 | Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
| Netherlands’ Autoriteit Persoonsgegevens (AP) | AP’s website | +31 70 888 8500 | Hoge Nieuwstraat 8, P.O. Box 93374, 2509 AJ Den Haag/The Hague |
A listing of each EU country’s Supervisory Authority can be found on the link below:
19. Updates and changes to this Privacy Notice
We may change this Privacy Notice from time to time, for example, if the law changes. Any changes become effective when We publish an update to this Privacy Notice. If there are significant changes, We may contact you to notify you of the update.
20. Document control
| Document control | |||
| Document name | The DPO Centre’s Privacy Notice for clients and prospects in the EU and UK | Document type | Policy |
| Document category | Data Protection | Initial date issued | November 2017 |
| Issue number | 9 | Last review date | August 2024 |
| Written by | Data Protection Officer | Last reviewed by | Data Protection Officer |
| Approved by | Policy Approval Group | Date of approval | August 2024 |
| Final status | Final – Controlled | Document length | 16 pages |
| Who to contact for questions, queries, suggestions or feedback | Data Protection Officer: dpo@dpocentre.com | Document control status | This is a Controlled document. It is Uncontrolled when printed. You should verify that you have the most current issue. |
| Version | Updates | Review date | |
| 1 | First version of the Privacy Notice. | November 2017 | |
| 2 | Updated section on how We use information. | October 2018 | |
| 3 | Annual review and minor updates throughout the document. | October 2019 | |
| 4 | Updated Privacy Notice to align to any legal and regulatory requirements as a result of the UK leaving the EU. | February 2020 | |
| 5 | Updated the Privacy Notice template and general updates throughout the document. | September 2020 | |
| 6 | Updated Data Processor table, data processed when individuals register for webinars, and how We contact individuals regarding Business-to-Business activities. | August 2021 | |
| 7 | Updated The DPO Centre companies to include The DPO Centre B.V. (Netherlands). | April 2022 | |
| 8 | Updated (i) section on how We use information, and (ii) The DPO Centre companies to include The DPO Centre Canada Inc. | July 2024 | |
| 9 | (i) Updated the Privacy Notice template, (i) made the lawful basis clearer as it applies to EU or UK residents, (iii) updated EU and UK representative contact details, (iv) updated the data collected to ensure it aligns any recent changes to internal processes, and (v) general updates throughout the document. | August 2024 | |