Privacy Policy

The CPD Register Ltd

1. About this Policy

1.1. This Privacy Policy ("Policy") describes how The CPD Register Ltd ("The CPD Register", "we", "us", or "our") collects, uses, protects, and shares personal data in connection with:

1.2. The CPD Register Ltd is the data controller for the personal data processed under this Policy. We are a company registered in England and Wales under company number 13075495, with our registered office at International House, 6 South Molton Street, London W1K 5QF.

1.3. We are registered with the UK Information Commissioner's Office as a data controller.

1.4. This Policy is designed to meet the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.

1.5. If you have any questions about this Policy, please contact us at [email protected].

2. Who this Policy applies to

2.1. This Policy applies to personal data we process about:

  • Visitors to our Website — including individuals who read our content, browse the public Register, or contact us through general enquiries
  • Individuals connected to listed organisations — including the directors, Persons with Significant Control (PSCs), and publicly named officers of CPD Accreditation Organisations on our public Register
  • Applicants for certification — individuals at organisations applying for certification under our scheme
  • Certified organisations' staff — individuals at Certified CPD Accreditation Organisations
  • Training providers and practitioners — individuals submitted to us via API by Certified CPD Accreditation Organisations
  • Submitters to our Investigation Service — individuals who submit concerns through our Investigation Service
  • Parties named in investigations — individuals named or identified in submissions to our Investigation Service
  • Correspondents — individuals who contact us through our enquiries, complaints, or correction channels

2.2. Different processing activities apply to different categories of individual. This Policy sets out each processing activity and the lawful basis on which it is conducted.

3. What personal data we process

3.1. The categories of personal data we process depend on the nature of the relationship. The main categories are:

3.1.1. Identity and contact data. Name, email address, phone number, postal address, and job title.

3.1.2. Website usage data. IP address, browser type, operating system, device type, pages visited, referring website, and interaction with forms or services on the Website.

3.1.3. Register data. Information about CPD Accreditation Organisations listed on our public Register, including (where applicable) the names of directors, PSCs, and publicly named officers as drawn from Companies House, regulatory records, and the organisation's own published material.

3.1.4. Certification data. Information submitted by organisations applying for, or holding, certification under our scheme, including corporate information, policies, procedures, and documentary evidence.

3.1.5. API-submitted data. Information submitted by Certified CPD Accreditation Organisations through our API about their accredited training providers and CPD activities, which may include the names of training providers, instructors, and (where provided) participants.

3.1.6. Investigation Service data. Information submitted to our Investigation Service by Submitters, including the Submitter's identity and contact details, the nature of the concern, and any personal data about third parties contained in supporting evidence.

3.1.7. Communications data. Records of correspondence, enquiries, complaints, and other interactions with us.

3.2. Special category personal data. In limited circumstances, we may process special category personal data under Article 9 UK GDPR. This typically arises through the Investigation Service, where submissions may include information relating to health, therapy training, or other sensitive fields. Where we process special category personal data, we rely on the lawful bases set out in Section 5.3.

3.3. Criminal offence data. Investigation Service submissions may occasionally include information relating to allegations of criminal conduct. We process this data only where necessary for the public-interest purpose of our investigation and we refer matters to the appropriate authorities where required.

4. How we collect personal data

4.1. We collect personal data through the following routes:

4.1.1. Directly from the individual. For example, when you contact us, submit a concern to the Investigation Service, apply for certification, or request a correction to a Register listing.

4.1.2. From organisations we interact with. For example, where a certified organisation submits information about its training providers through our API, or where an applicant organisation submits documentation including information about named individuals.

4.1.3. From public sources. For example, from Companies House, the Information Commissioner's Office register, regulatory rulings databases, court judgments, and the public websites of CPD Accreditation Organisations.

4.1.4. Automatically through our Website. For example, through our server logs, analytics cookies, and interaction logs.

5. Why we process personal data, and our lawful basis

This Section sets out each main processing purpose and the lawful basis under UK GDPR on which it is conducted.

5.1. Website operation

Purpose: To operate, secure, and improve the Website, and to respond to general enquiries made through the Website.

Data processed: Identity and contact data, website usage data, communications data.

Lawful basis: Legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interests are the operation, improvement, and security of our Website and responding to people who contact us.

5.2. Public Register

Purpose: To compile, maintain, and publish the public Register of CPD Accreditation Organisations operating in the UK market, including information about directors and PSCs drawn from Companies House and other public sources.

Data processed: Register data, including the names of directors and publicly named officers of listed organisations.

Lawful basis: Legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interests are the provision of transparent, sourced information about organisations operating in an unregulated sector, in support of consumer protection and informed choice by CPD Training Providers and consumers.

We have conducted a Legitimate Interests Assessment (LIA) covering this processing, which is maintained on file and available to the Information Commissioner's Office on request. The LIA addresses the necessity of the processing, the balance of rights, and the mitigations in place (including our correction, right of reply, and removal routes under the Listing Policy).

5.3. Certification scheme

Purpose: To operate our voluntary Certification Scheme, including assessing applications, granting certification, conducting annual recertification, and monitoring compliance between renewals.

Data processed: Certification data, identity and contact data, communications data.

Lawful basis: Contract (Article 6(1)(b) UK GDPR) where the applicant or certified organisation is in a direct contractual relationship with us. For personal data about third parties included in certification submissions, our basis is legitimate interests (Article 6(1)(f) UK GDPR) — our legitimate interests being the operation of the Certification Scheme.

5.4. API-submitted data (training providers and CPD activities)

Purpose: To receive and publish information submitted by Certified CPD Accreditation Organisations about their accredited training providers and CPD activities.

Data processed: API-submitted data.

Lawful basis: Contract (Article 6(1)(b) UK GDPR) with the Certified CPD Accreditation Organisation. Where API-submitted data includes personal data about individuals who are not party to the contract, our basis for processing that data is legitimate interests (Article 6(1)(f) UK GDPR). Certified CPD Accreditation Organisations are responsible, under their Certification Agreement, for ensuring they have a lawful basis for submitting any personal data via the API.

5.5. Investigation Service

Purpose: To receive submissions to our Investigation Service, conduct investigations, produce written reports, and where appropriate refer matters to regulators or other authorities.

Data processed: Investigation Service data, identity and contact data, communications data, and (in limited circumstances) special category personal data and criminal offence data.

Lawful basis:

  • For Submitters' personal data: contract (Article 6(1)(b) UK GDPR), for the performance of the service requested, and legitimate interests (Article 6(1)(f) UK GDPR), for the underlying public-interest service
  • For the subject of an investigation and any third parties named in submissions: legitimate interests (Article 6(1)(f) UK GDPR), our legitimate interests being the provision of a public-interest investigation service in the context of transparency and consumer protection in the CPD accreditation sector
  • For special category personal data where it appears in submissions: substantial public interest (Article 9(2)(g) UK GDPR, read with Schedule 1 of the Data Protection Act 2018, particularly paragraph 6 — statutory and government purposes, and paragraph 10 — preventing or detecting unlawful acts) or explicit consent (Article 9(2)(a)) where applicable
  • For criminal offence data: prevention and detection of unlawful acts (Section 10 and Schedule 1 of the Data Protection Act 2018, paragraph 10)

5.6. Complaints handling

Purpose: To receive, investigate, and respond to complaints about our services under our Complaints Procedure.

Data processed: Identity and contact data, communications data, and any data relevant to the subject matter of the complaint.

Lawful basis: Legitimate interests (Article 6(1)(f) UK GDPR) — our legitimate interest being the fair handling of complaints and the improvement of our services.

5.7. Marketing communications

Purpose: To send marketing communications to individuals who have consented to receive them, or to existing customers in accordance with the "soft opt-in" rule under PECR.

Data processed: Identity and contact data.

Lawful basis:

  • Consent (Article 6(1)(a) UK GDPR) where we have obtained your consent to marketing communications
  • Legitimate interests (Article 6(1)(f) UK GDPR) where we rely on the "soft opt-in" under PECR for existing customers in relation to similar products and services

You can withdraw consent to marketing communications at any time by clicking the unsubscribe link in any marketing email, or by emailing [email protected].

5.8. Legal obligations

Purpose: To comply with legal and regulatory obligations.

Lawful basis: Legal obligation (Article 6(1)(c) UK GDPR).

6. Who we share personal data with

6.1. We share personal data with third parties only where necessary, and only in the circumstances described below.

6.1.1. Service providers. We use trusted third-party service providers to support our operations, including IT hosting and infrastructure, email delivery, analytics, website live chat, and professional services such as legal, accounting, and audit. These providers process personal data only as instructed by us, under written data processing agreements that meet the requirements of Article 28 UK GDPR.

6.1.2. Regulators and enforcement bodies. Where an investigation identifies matters warranting regulatory action, we may share relevant personal data with regulators such as the Advertising Standards Authority, Trading Standards, the Competition and Markets Authority, the Information Commissioner's Office, the Police, or professional regulators. The basis for such disclosure is set out in Section 5.5 (for Investigation Service data), our legal obligations (Section 5.8), and the Investigation Service Terms.

6.1.3. Courts and legal processes. We may disclose personal data where required by court order, statutory demand, or other legally enforceable process.

6.1.4. Partners with the Submitter's consent. Where a Submitter to the Investigation Service consents to their identity being disclosed to a specific regulator or other body for the purpose of referral, we share data accordingly.

6.1.5. Professional advisers. We may share personal data with our professional advisers (solicitors, accountants, insurers) where necessary for them to advise us on a matter.

6.1.6. Business transfers. In the event of a sale, merger, or acquisition of The CPD Register, personal data may be transferred to the acquiring entity. Where such a transfer would involve a material change to how personal data is processed, we will notify affected individuals in advance where legally required.

6.2. Countries of processing. Personal data is primarily processed within the UK. Where processing takes place outside the UK — for example, because a service provider uses infrastructure in the EU or elsewhere — we ensure appropriate safeguards are in place, including UK adequacy decisions, the UK International Data Transfer Agreement, or equivalent mechanisms.

6.3. We do not sell personal data to third parties.

7. How long we keep personal data

7.1. We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law. Our retention periods are as follows:

| Category | Retention period |
|---|---|
| Website usage data (server logs, analytics) | 26 months |
| Enquiries and correspondence | 3 years from last contact |
| Marketing data | Until consent is withdrawn; at that point, a suppression record is retained to honour the unsubscribe |
| Register data | Retained indefinitely while the Register is in operation, in accordance with the public-interest purpose of the Register set out in the Listing Policy |
| Certification application records (declined applications) | 6 years from decision |
| Certification records (certified organisations) | Duration of certification plus 6 years |
| API-submitted data (training provider and CPD activity records) | Duration of certifying organisation's certification plus 6 years |
| Investigation Service submissions and reports | 6 years from closure of the investigation |
| Complaints records | 6 years from closure of the complaint |
| Financial records (invoices, payments) | 6 years from end of financial year |

7.2. Where we retain data beyond the periods above, we do so on the basis of a specific legal obligation or a documented legitimate interest. We review retention periods periodically and adjust them where appropriate.

7.3. At the end of the retention period, personal data is securely deleted or anonymised.

8. Your rights

8.1. Under UK GDPR, you have the following rights in relation to personal data we process about you:

8.1.1. Right to be informed. You have the right to be informed about the collection and use of your personal data. This Policy is our primary means of providing that information.

8.1.2. Right of access. You have the right to request a copy of the personal data we hold about you. Requests (often called Subject Access Requests or SARs) should be made in writing to [email protected]. We respond within one month of receipt.

8.1.3. Right to rectification. You have the right to ask us to correct personal data that is inaccurate or incomplete.

8.1.4. Right to erasure ("right to be forgotten"). You have the right to ask us to delete personal data we hold about you, subject to the limitations set out in UK GDPR. This right is limited in the context of the public Register where personal data is processed in the substantial public interest. We consider each erasure request on its merits and explain our decision in writing.

8.1.5. Right to restrict processing. You have the right to ask us to restrict the processing of your personal data in certain circumstances.

8.1.6. Right to data portability. Where processing is based on consent or contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

8.1.7. Right to object. You have the right to object to the processing of your personal data where we rely on legitimate interests or public task. We consider each objection on its merits. In the case of direct marketing, we will stop processing immediately upon objection.

8.1.8. Rights in relation to automated decision-making. We do not carry out automated decision-making that produces legal effects concerning you or significantly affects you.

8.2. To exercise any of these rights, please contact us at [email protected]. We respond to requests within one month of receipt. In complex cases, we may extend this period by up to two months and will notify you if we need to do so.

8.3. We do not charge a fee for responding to a rights request. In limited cases where a request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or decline to act on the request, and will explain our reasons.

8.4. Right to complain to the Information Commissioner's Office (ICO). If you are dissatisfied with how we have handled your personal data, you have the right to complain to the ICO at any time. The ICO's contact details are:

  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

9. How we protect personal data

9.1. We have implemented technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration, and unlawful processing. These include:

  • Secure hosting infrastructure
  • Access controls limiting staff access to personal data to those who need it
  • Encryption of personal data in transit and where appropriate at rest
  • Secure authentication and password policies
  • Staff training on data protection responsibilities
  • Data processing agreements with all service providers that process personal data on our behalf
  • Incident response procedures for personal data breaches

9.2. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the ICO within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals directly.

10. Cookies

10.1. Our Website uses cookies. Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work efficiently and to provide information to the operators of the site.

10.2. We use cookies in three broad categories:

10.2.1. Strictly necessary cookies. Required for the Website to function, such as cookies that remember your session or security preferences. These cookies do not require consent, though you can block them in your browser settings (which may affect functionality).

10.2.2. Analytics cookies. Used to understand how visitors interact with the Website and to improve our content and services. These cookies require consent.

10.2.3. Marketing cookies. Used, where applicable, to deliver relevant advertising. These cookies require consent.

10.3. When you first visit our Website, you are presented with a cookie banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time via the cookie settings link in our Website footer.

10.4. Third-party cookies may be set by services we use, including analytics providers, social media platforms, and live chat providers. Information about these cookies is provided in our cookie banner and settings panel.

10.5. You can also manage cookies through your browser settings. Most browsers allow you to block or delete cookies, though blocking strictly necessary cookies may affect the functionality of our Website.

11. Children

11.1. Our Website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.

11.2. If you become aware that a child under 16 has provided us with personal data, please contact us so we can take appropriate action.

12. Links to third-party websites

12.1. Our Website contains links to third-party websites, including the websites of CPD Accreditation Organisations listed on our public Register, regulators, and partners. This Policy does not apply to third-party websites, which have their own privacy policies.

12.2. We are not responsible for the privacy practices of third-party websites. We recommend that you review the privacy policy of any third-party website you visit.

13. Changes to this Policy

13.1. We review this Policy regularly and update it to reflect changes in our services, the law, or best practice.

13.2. Where we make material changes to this Policy, we will notify affected individuals by email (where we have contact details) or by a prominent notice on our Website. The date of the most recent update is shown at the foot of this page.

13.3. We encourage you to review this Policy periodically to stay informed about how we handle personal data.

14. Contact

For any questions, requests, or concerns about this Policy or our handling of personal data:

Data Protection Enquiries

The CPD Register Ltd

International House

6 South Molton Street

London W1K 5QF

Email: [email protected]

Phone: 0333 188 9783