Privacy Notice
This Privacy Notice applies to services operated by ECCTIS Ltd (Ecctis).
Ecctis understands that your privacy is important to you. We respect and value the privacy of everyone who visits our website and uses our services. Ecctis will only collect and use your personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under data protection and other laws.
How to read this notice: The notice is structured to help you find information that is relevant to the service or services you use.
Our contact details
Ecctis Ltd is a limited company registered in England with company number 2405026.
Our registered office address is:
Ecctis Ltd
Suffolk House
68-70 Suffolk Road
Cheltenham
Gloucestershire
GL50 2ED
UNITED KINGDOM
Our Data Protection Officer can be contacted at [email protected] or via our postal address. Please mark postal communication with ‘Data Protection Officer’.
The Ecctis Ltd ICO Registration Reference is Z7566127.
Our role in processing
Ecctis may operate as the Controller of your personal data, or we may process your personal data on behalf of another Controller (as their Processor). For more information on our role(s) specific to each service, please see How we process your personal data for services you request below.
Generally, the following applies:
Ecctis acts as the Processor of your personal data when you contact us about, or apply for, our individual services, including:
- Qualification and Language Service
For these services, we operate as a Processor on behalf of the Controller, who tells us what to do with your personal data, and how we should process it. Ecctis will always have a contract in place with the Controller which sets out how Ecctis must provide the service. Please see the specific service information below for more detailed information.
Ecctis acts as a Controller when processing personal data for the undertaking of marketing and sending you feedback surveys to understand satisfaction levels so we can improve our services.
Third party privacy information
Throughout this privacy notice we will link to the privacy information of organisations with whom we share your information to enable you to see how each recipient organisation processes your information.
How we get your personal data
Most of the personal data we process is provided for one of the following reasons:
You are an Individual Applicant (Qualification Holder) enquiring about and/or applying for, one of our services.
You are an individual acting in a business capacity, i.e. a ‘Corporate Contact’, such as an employee of a:
- Higher education provider that works with Ecctis to verify Qualification Holders’ qualifications;
- Qualification Institutions, Awarding bodies and authorised third parties that work with Ecctis to verify Qualification Holders’ qualifications;
- UK government department;
- Company or organisation with whom Ecctis has a business relationship;
- Supplier of goods or services (including consultancy) to Ecctis. You or your employer provides goods and services to Ecctis and either you or your employer has submitted your personal data to us to enter into an agreement, facilitate an order, pay an invoice or to facilitate collaborative working.
Where we do not receive information from you directly, we will endeavour to contact you to let you know we are processing your personal data unless to do so would be:
- Disproportionate, or
- Prejudicial e.g. to law enforcement or national security.
How we process your personal data for services you request as an Individual Applicant (Qualification Holder)
Your personal data is collected, stored, and used by our staff to communicate with you, identify you from other applicants, and deliver our services to you. This will include validating that qualification and identity information provided by you is accurate, and that you hold the qualifications submitted to us for comparison.
For most of the services provided, we operate as a Processor. This means we only process personal data under the instructions of another organisation, who is the Controller. The Controller is responsible for determining the purpose of processing and the lawful basis for processing.
Throughout this section we will clearly identify the Controller for each service. Where the service is being provided by Ecctis on behalf of another third party, you should read this Privacy Notice in conjunction with the privacy information provided by the following organisations:
UK Home Office: privacy information notice
The following information relates to current services and applies where you apply directly to us via our website, or by post:
Qualification and Language Service
We process your personal data on behalf of the UK Home Office for the purpose of the Qualification and Language service. This is to enable you to evidence the level of your degree and/or your English language proficiency.
Our role
We act as a Processor of your personal data. The Controller of your information is the Home Office.
What information we need and why
This is determined by the UK Home Office, but includes your name, contact details, date of birth, identity and qualification documents, and information needed to deliver the service to you, to identify you, to verify the qualifications and to communicate with you about your application.
Your biometric data will also be collected and used solely for the purpose of identity verification, ensuring the security and integrity of our services.
We collect and process information relating to your qualifications (including copies of documentation) to provide the requested service to you on behalf of the Home Office.
Lawful Basis for Processing
These are determined by the Home Office – you should refer to their privacy information notice.
How long we keep it
For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services and providing the services in compliance with our contractual obligations.
We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
Are third parties involved in the processing
In order to provide this service to you, we undertake primary source verification to confirm the authenticity of the award(s) presented, either directly with the issuing institution, awarding body or through an authorised third-party. This will involve sharing the information you have provided to us. You can find more information in the Who we share your data with section.
Confirming the content of a Statement to a third party
On occasion we will be asked to confirm that a Statement issued by us is genuine, and/or accurate. This might be, for example, where you have provided your Statement to a third party for them to rely on the contents of it.
Where we are asked to do so, we will confirm whether the Statement was issued, and whether the information contained in the Statement is accurate.
Our role
It depends on the Statement being requested and therefore which Service(s) you have used. Please see the Service Specific information where we have defined our role as Controller or Processor.
What information we need and why
No further personal data will be collected.
Lawful Basis for Processing
We will confirm whether information provided to us matches our records. We will never volunteer any personal data to a third party.
When we are acting as Controller, the lawful basis that we will rely upon to process this information will be Legitimate Interests since it is in the interests of us, you, and the general public for statements to be able to be relied upon and checked for accuracy.
When we are acting as a Processor, the lawful basis will be determined by the relevant Controller and can be found in their privacy notice (see links under the Service Specific information).
Who we share it with
Organisations to whom a Statement has been disclosed by you if they wish to confirm its authenticity. We will confirm with the enquirer whether information matches our records.
How long we keep it
For completed applications, we retain information for a period of up to 25 years. This is necessary for detecting and preventing crime, fraudulent applications, preserving the integrity of our services and providing the services in compliance with our contractual obligations.
We actively discourage applicants from sending original paper documentation to support their application, as it is unnecessary. Paper documentation will be confidentially destroyed within a maximum of 12 months from completion of the service or the last action on an account, unless we are required to retain the documents.
How we process your personal data for Corporate Contacts
If you are an employee of an organisation, the following information sets out what we do with your personal data:
Corporate Contacts
Your information is collected, stored, and used by our staff to communicate with you if you or your employer has a working relationship with Ecctis. See Corporate Contact above.
Our role
Where Ecctis has engaged with your employer to verify Qualification Holders’ qualifications, supply services or develop a business relationship, we process your personal data as a Controller.
What information we need and why
We collect and process personal data including your name, title, job title, the organisation you work for and their address and your email address.
Lawful Basis for Processing
We collect and process your personal data for the purposes of delivering and developing our services.
We rely on Legitimate Interests as the lawful basis for processing your personal data, since it is in the interests of you, us, and your employer for us to process your data for these purposes.
How long we keep it
We will keep your personal data for a period of up to 7 years from the conclusion of our engagement with your employer.
How we process your personal data for communicating with you as an Individual Applicant (Qualification Holder), including marketing and surveys
If you are an Individual Applicant (Qualification Holder), we will process your personal data when you contact us with enquiries or when we contact you for marketing purposes or to send you satisfaction surveys. The following information sets out what we do with your personal data:
Communications regarding a service or general enquiry
We may communicate with you in relation to general enquiries, or in relation to your existing applications via telephone or our website LiveChat functionality. Generally, we receive two different types of enquiries:
- A general enquiry for information about our services, or
- An enquiry relating to an existing application you have with us (whether live or historical).
We will use the information to answer your enquiry and may record details of the enquiry for future reference.
Our role
It depends on the purpose of your enquiry:
- If it is a general enquiry, then we will be the Controller of your personal data.
- If you are contacting us about an existing application for our services, then we will usually be acting as a Processor for the service you have applied for.
What information we need and why
We will only collect sufficient personal data to allow us to deal with your enquiry, particularly when it is relevant to an existing application.
For general enquiries, we may not need to collect any information from you, though you should be aware that, in both cases, the software we use will collect the following additional personal data.
Telephone
When you call our telephone helpline, we will:
Collect Calling Line Identification (CLI) information – this is the phone number you are calling from. This is to help us to identify you, to understand demand for our services, improve how we operate, and call you back if we need to.
Record the audio of your telephone conversation - This is for training purposes and complaints, to improve the way in which our staff deal with enquiries and complaints.
LiveChat
When you contact us via our LiveChat facility, we will collect information, such as your IP address, to identify your general location (for statistical purposes). A transcript of the conversation will also be recorded.
Lawful basis for processing
The lawful basis that we will rely upon will depend on the reason for your enquiry:
For general enquiries we will rely on Legitimate Interests since it is in the interests of us and you to process personal data that is necessary to deal with your enquiry.
Where you are enquiring about an existing application, we rely upon the legal basis relevant to the processing of that application. You should check the section of this Privacy Notice relevant to the service for further information.
For telephone audio recordings, we rely on Legitimate Interests since it is in the interests of us, you, and the general public for our staff to provide training, improve the way our enquiries are managed, and investigate complaints.
How long we keep it
We will keep call recordings for a maximum of 14 months. LiveChat transcripts are retained for a maximum of 14 months.
Where enquiries relate to an existing enquiry the transcript, or parts of it, may be transferred onto the permanent file associated with your application and kept for the retention periods outlined under ‘Individual Applications’, above.
Sending you marketing material
If you are an Individual Applicant (Qualification Holder) we will not send marketing communications to you unless we have consent to do so. You may be asked to opt-in to marketing emails.
Where we do send you marketing emails, you can withdraw your consent at any time. There will be a link in any marketing communications we send that will allow you to do so easily.
The following relates to our direct email marketing activities:
Our role
We are the Controller of your personal data.
What information we need and why
We will use and share your email address and may personalise emails using your name.
Lawful basis for processing
The lawful basis that we will rely upon in this instance will be Consent as you will have consented to our sending you marketing emails either by opting in via our website or in some other way, such as at an event.
Sending you satisfaction surveys
We may send communications to you containing satisfaction surveys. We only do this to understand satisfaction levels so we can improve our services.
We do not rely on your consent to send satisfaction surveys to you, but we do not want to send these emails if you do not want us to. If you do not want to receive these emails you can opt out of them easily via the link provided in any survey communication we send to you.
The following relates to our satisfaction survey communications and activities:
Our role
We are the Controller of your personal data.
What information we need and why
We will already have collected your data, since you will have applied for one of our services. We will use your email address to send you satisfaction surveys.
Purpose and Lawful Basis for Processing
We may send survey emails relating to services that you have used so that we can understand your level of satisfaction and improve our services. The lawful basis that we will rely on is Legitimate Interests for us to receive your feedback so that we can improve our services.
Inviting you to participate in market research
We may send communications inviting you to participate in market research. This will help us understand your challenges and what you and your organisation may need from our products and services in the future.
The following relates to our market research communications and activities:
Our role
We are the Controller of your personal data.
What information we need and why
We may have already collected your data if you have used or expressed an interest in using one or more of our consultancy services or commercial and educational products. Alternatively, we may obtain information about you from other sources, such as public databases, data providers, and from other third parties.
We will use your email address to send you satisfaction surveys or we will contact you via third party platforms, including LinkedIn. If you choose to participate in our market research initiatives, we will process your name and job title.
Purpose and Lawful Basis for Processing
The lawful basis that we will rely on is Legitimate Interests for us to receive your feedback so that we can improve our products and services.
How we process your personal data for communicating with you as a Corporate Contact
Where Ecctis has engaged with your employer to verify Qualification Holders’ qualifications, supply services or develop a business relationship, the following information sets out what we do with your personal data:
Sending you communications regarding a service or general enquiry
We may communicate with you in relation to general enquiries in the course of day-to-day business.
Our role
We are the Controller of your personal data.
What information we need and why
We will use and share your email address and may include your name and/or title.
Lawful basis for processing
We rely on Legitimate Interests as the lawful basis for communicating with you for this purpose as it is in our interests to communicate with customers, stakeholders and business contacts regarding services and for providing you the information necessary to satisfy your query.
How long we keep your personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any contractual, legal or reporting requirements.
To determine the appropriate retention period for personal data, we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances you can ask us to delete your personal data; however, where we are providing a service as a Processor we may be required to retain records for fraud monitoring purposes. Please see below for more information about your right to erasure.
Please refer to each individual service or purpose for specific information on how long we will retain your personal data.
Who we share your personal data with
We may need to share your personal data with third parties to deliver a service to you. This might be for the following general reasons:
- Processors who provide part of our IT infrastructure. This may include, for example, off-site back-up providers, telephone recording, web, LiveChat and email servers.
- Processors who perform elements of our services for us, such as Primary Source Verification providers.
- Other third parties with whom we are required to share the information to deliver the services. Examples include organisations that issued your qualifications, or UK government departments.
- Organisations that you have disclosed a Statement to and they wish to confirm its authenticity.
- Where we are obliged to share your data by law, for example where we are involved in legal proceedings, or where we are complying with legal requirements, a court order, or the orders of a government authority.
- Where there is a requirement for us to do so to comply with an external audit.
Where the party is a processor (points 1 & 2 above), we will have a contract in place with them to ensure that they cannot do anything with your personal data unless we have instructed them to do so. They must not share your data with anyone else unless we give them permission to do so. We will only give permission if we are satisfied that their sub-Processors will also comply with our instructions.
Your rights
Under data protection law, you have certain rights in relation to your personal data, such as the right of access and the right to erasure. Please be aware that these rights do not apply in all circumstances, but we will always look to fulfil your request where possible.
To make a request related to any of these rights, please contact the Data Protection Officer at [email protected], or one of our customer services team. We will typically respond within one month.
- The right to be informed about our collection and use of personal data: this Privacy Notice is our way of complying with this.
- The right of access: you have the right to ask us for copies of the information that we hold about you.
- The right to rectification: you have the right to have inaccurate or incomplete information we hold about you rectified.
- The right to erasure: in certain circumstances you can ask us to delete your information.
- The right to restrict (prevent) processing: in certain circumstances you can ask us to restrict the processing of your information.
- The right to object: in certain circumstances you have the right to object to us using your information for particular purposes e.g. for direct marketing.
- The right to data portability: in some circumstances and where appropriate, and technically feasible, you can ask us to provide your information in a commonly used, machine readable format.
- Rights related to automated decision making and profiling: please note that Ecctis Ltd does not perform any automated decision making or profiling.
If you have any cause for complaint about our use of your personal data, please contact us using the details above and we will do our best to help.
Should you remain dissatisfied, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.
International Data Transfers
We may need to transfer your data out of the UK or European Economic Area (EEA). This might be because we need to do this to deliver your service, or because our Processors are located outside of the UK or EEA.
When we transfer, store or process your personal data outside of the UK or EEA, we take appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Notice and appropriate legislation. We may rely on one of the following:
- An adequacy agreement, if one exists, with the country we are transferring your personal data to; or
- Standard Contractual Clauses approved by the European Commission and/or the UK Government / Information Commissioner’s Office; or
- Your explicit consent, or because it is necessary to perform the contract that we have with you or the transfer is necessary for a task carried out in the public interest; or
- Some other legal exception that is permitted by law.
Review and Updates to this Notice
This notice is regularly reviewed and updated, for example when organisations change their name, or to clarify how your personal data is used.