Privacy Notice

South West Cyber Resilience Centre Limited is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this Privacy Notice.

 

This Privacy Notice is effective from 1st March 2025. South West Cyber Resilience Centre Limited may change this Privacy Notice from time to time. We will notify you of any substantive changes to this Privacy Notice which affect you. Where this Privacy Notice is provided to an organisation, and its content affects or may affect individuals who work for or on behalf of that organisation, the organisation should ensure that this Privacy Notice is brought to the attention of those individuals.

​

This Privacy Notice should be read in conjunction with the SWCRC’s website terms and conditions, our cookie policy, and any supplementary data privacy documentation which are provided to you in connection with specific processing activities.

 

South West Cyber Resilience Centre Limited (collectively referred to as “SWCRC”, “we”, “us” and “our” in this Privacy Notice) is a company registered in England with registration number 13407119 at the registered address of Joint Emergency Services Building, Wimborne Road, Poole, Dorset, BH15 2BP.

 

We are registered with the Information Commissioner's Office (ICO) under registration number ZB072719.

​

This Privacy Notice contains the following information:

​

1. Data we collect about you;

2. How your personal data is collected;

3. How we use your personal data;

4. Disclosures of your personal data;

5. International transfers;

6. Data retention;

7. Your legal rights; and

8. Contact us.

​

​

1. Data we collect about you

The categories of personal data that we may collect about you include:

​

• Identity Data: title; first name; last name; nationality; National Insurance number; copies of identity documents.

• Contact Data: address; email address; telephone number(s); social media and communications platform aliases; company or organisation; role.

• Technical Data: internet protocol (IP) address; browser type and version; time zone setting and location; browser plug-in types and versions; operating system and platform; and the device used to access this site.

• Usage Data: information about how you use our website.

• Marketing and Communications Data: your preferences in receiving marketing from us and our third-party partners; topics of interest; your opinions regarding our services; communications between us; your communication preferences (you may receive marketing communications from us if you have requested information from us or have negotiated for or contracted to receive our services and you have not opted out of receiving that marketing under the ‘soft opt in’ within the UK's Privacy and Electronic Communications Regulations (PECR)).

• Contractual and Transactional Data: agreements between us or which you enter into on behalf of an organisation; services you request and/or we provide to you.

• Financial and Payment Data: bank account; credit/debit card numbers; sort code; CVC code; expiry date; related billing information.

• Screening Data: identification and contact information concerning registered officers, and individuals with significant control; information regarding criminal and regulatory investigations, findings and convictions of individuals with significant control, registered officers and staff; the expertise, professional qualifications and certifications of registered officers and staff; public domain information regarding individuals with significant control, registered officers and staff.

• Education and Work Data: academic institutions; employers; qualifications; experience; references.

• Other Data Necessary for the Provision of our Services.

 

 

2. How your personal data is collected

 

We may obtain your personal data:

​

• directly from you;

• from individuals or entities acting on your behalf;

• from our clients;

• from your organisation;

• when you or your organisation browse, complete a form or make an enquiry or otherwise interact with us via our website, social media or other platforms;

• from search engine and web analytics providers;

• by referrals;

• from the National Cyber Security Centre (NCSC);

• from our professional advisers, including, without limitation, our insurers, legal advisers and accountants;

• from courts, law enforcement bodies, regulators, government departments or agencies, lawyers or other parties; and/or

• from the public domain.

 

 

3. How we use your personal data

 

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

​

• where you have provided your consent (usually in relation to direct marketing);

• where we need to perform the contract we are about to enter into or have entered into with you (usually with regard to the free online security support we provide businesses in the south west);

• where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (for example if we consolidated our regional CRCs into a single national centre);

• where we need to comply with a legal obligation; and/or,

• where it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

 

We have set out below a description of the ways we plan to use your personal data, and the legal grounds we rely on to do so. We have also identified what the relevant lawful base for processing under the UK GDPR is. Please note that we will always only use one lawful base for processing from Article 6 of the UK GDPR to process your personal data. Where permitted to do so, we may also use your personal data for an alternate, but compatible, purpose stating the relevant lawful base for that processing.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with free online security support services). In this case, we may have to cancel the service you have with us, but we will notify you if this is the case.​

​

​

4. Disclosures of your personal data

​

We may share your personal data with:​

​

• our clients;

• the National Cyber Security Centre (NCSC);

• our professional advisers, including, without limitation, our insurers, legal advisers, accountants, etc;

• our suppliers, business partners and sub-contractors;

• search engine and web analytics providers;

• with courts, the police, law enforcement bodies, regulators, government departments or agencies, lawyers or other parties;

• companies providing anti-money laundering and terrorist financing services, credit reference and other fraud and crime prevention companies, financial institutions, and related regulatory bodies; and

• other third parties to which you request that we disclose your data. 

​

In the event that we were to sell our business or assets, we may disclose your personal data to any prospective/actual purchaser and/or their advisers.​

 

 

5. International transfers 

​

When we process your personal data, we may process it in countries outside of the UK and the European Economic Area (‘the EEA’, which is comprised of the EU in addition to Iceland, Norway and Liechtenstein), for example when we engage third-party service providers based in other countries. When we conduct relevant international transfers of your personal data, we will only do so in circumstances where:​

​

• You provide your explicit consent;

• It is necessary to conclude or perform a contract in your interest between us and an individual or entity;

• It is necessary for the establishment, exercise or defence of legal claims;

• The European Commission has determined that the country to which the data is to be transferred ensures an adequate level of protection (e.g. Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay); and/or

• We have entered into standard contractual clauses approved by the European Commission with the transferee and, where necessary, have conducted an appropriate risk assessment.
   

Should you require further information, please contact us using the details below.

 

​

6. Data retention

​

We will retain your personal data for as long as is necessary to fulfil the purpose(s) for which we collected it. This will typically mean that we will retain your personal data for as long as you/your organisation is a customer of ours or maintains an association with us and/or for as long as you are content to receive communications from us, and for a period thereafter as necessary to comply with legal, accounting, taxation or regulatory requirements, to prevent fraud, or as required in the context of establishing, exercising or defending legal rights or responding to your communications.

​

We may also retain your personal data outside of these periods, where we are unable to delete it for technical reasons, in which case we will isolate it and securely store it until secure destruction/erasure is possible.

​

Otherwise, we will securely destroy/erase your personal data, or shall anonymise it.

​

In practice, we will retain your personal data for a short time (90 days) beyond the specified retention period, to allow for information to be reviewed and any deletion to take place.

 

​

7. Your legal rights

South West Cyber Resilience Centre Limited processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing with regards to personal data. 

There are eight individual rights:

Ø  Right to be informed – Data Subjects have the right to know why we are collecting and processing personal data, this right is met by the provision of this Privacy Notice and any subsequent privacy documentation;

Ø  Right of access – you have the right to know what personal data we have on record and request a copy;

Ø  Right of rectification – you have the right to correct personal data that we hold about you that is inaccurate or incomplete;

Ø  Right to be forgotten – in certain circumstances you can ask for the personal data we hold about you to be erased from our records;

Ø  Right to restriction of processing – where certain conditions apply you have a right to ask us to only process your personal data for certain processing activities;

Ø  Right of portability – you have the right to have the personal data we hold about you transferred to another Data Controller;

Ø  Right to object – you have the right to object to certain types of data processing such as marketing; and

Ø  Right to object to automated processing, including profiling – you also have the right to object to the legal effects of automated processing or profiling.

 

South West Cyber Resilience Centre Limited will only handle personal data in ways that individuals would reasonably expect and not use it in ways that have unjustified adverse effects on them. 

​​​

In addition, if you have a complaint about how we have handled your personal data, you may be able to ask us to restrict how we use your personal data while your complaint is investigated. To exercise these rights, we need to be suitably satisfied of your identity and so may request that you provide identification documents or confirm other details we may hold about you.

​

You can exercise these rights by contacting us using the details below. You will not have to pay a fee to exercise your rights, however we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

​

We will respond to all requests at the earliest opportunity and in most cases will do so within a month of receipt. On occasion, if your request is particularly complex or is one of a number of requests, it may take us longer to provide a substantive response to your request. If this is the case, we will inform you as soon as possible and indicate when we anticipate being in a position to respond.   

 

​

8. Contact us

​

Should you have any queries regarding this Privacy Notice or the use of your personal data, you may contact us at our registered address or by email:

 

hello@swcrc.police.uk 

 

South West Cyber Resilience Centre

Joint Emergency Services Building

Wimborne Road

Poole

Dorset

BH15 2BP

South West Cyber Resilience Centre Limited hopes we can resolve any query or concern you raise about our use of your personal data. 

Should we not be able to resolve the complaint, you have the right to lodge a complaint with the lead authority. The lead authority in the UK is the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting www.ico.org.uk.