Consumer Dispute Resolution Limited (“CDRL”, “we”, “us”, or “our”) is a not for profit alternative dispute resolution (ADR) provider, approved under the Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015. CDRL is dedicated to safeguarding and protecting your privacy when visiting our site or communicating with us.
We do update this Policy from time to time so please do return and review this regularly.
CDRL is registered with the Information Commissioner’s Office (ICO) under ZA093108.
1. Collection and use of personal information
We process personal data for various purposes:
1.1. Providing our alternative dispute resolution service
1.1.1. Where CDRL is in contract with third parties for the use of our alternative dispute resolution service, we may collect and process personal data in order to satisfy a contractual obligation.
1.1.2. We collect personal data in order to provide and operate our service effectively. We will only collect the minimum personal information needed to complete a task and will not collect information just in case.
1.1.3. The personal data we collect is provided to us either directly from the individual complainant concerned, from a third party authorised to act on their behalf, or by the person or organisation who the complainant is in dispute with.
1.1.4. If you submit a complaint via one of our ADR channels, we will ask you to authorise that we can inform the party you are in dispute with and request the organisation to provide us with their side of the story. They will provide any relevant information about you, your account(s), the goods or service, etc.
1.1.5. Where organisations make use of our services, the information that they provide us may also include personal data about individuals or employees who are involved in the dispute.
1.1.6. We additionally collect data of prospective employees.
1.1.7. We will take care of your personal data and will only use it to process your enquiry or investigate your complaint and to help us improve service quality. Following completion of the complaint investigation, your information may be used as the basis for creating an anonymous case report and this may, in turn, be used to build scenarios for training and reporting purposes but these will contain no personal information.
1.1.8. The personal data we collect includes:
• Full name
• Full address
• Email address
• Mobile and/or landline telephone number
• Information received from your device or software may also be collected and stored. This information can include an IP address, browser type, domain names, access times and website address. Please refer to our Cookies Policy for further information.
We may from time to time be required to collect and process personal data in order to fulfil regulatory, legal or ethical requirements. This may include the verification of identity of individuals.
2. How we obtain personal data
2.1. At points in our site, we invite or request you to submit your contact details or other information about yourself or your organisation, or to send us emails which will, of course, also identify you.
2.2. We collect personal data via electronic webforms or via phone or face to face contact.
3. Retention and deletion policy
3.1. We retain the personal data processed by us for as long as is considered necessary for the purpose(s) for which it was collected (including as required by applicable law or regulation).
3.2. In determining the appropriate period for the retention of personal data we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these purposes through other means and the applicable legal requirements.
4. Disclosure of your personal information
4.1. In order to process your complaint, we will need to disclose the personal information you send us to the organisation.
4.2. To help us process our work we have contracts with organisations who provide us with services such as IT support. Where they process your data for us our contract with them makes clear that they must hold it securely and only use it as we instruct them to. If your case raises issues which we think might be more appropriate for one of the regulators, we will only pass your information on with your consent.
Examples of the types of third parties we will engage with to provide our service are:
1. Web developers who are specifically engaged in the development of World Wide Web applications, or applications that are run over HTTP from a web server to a web browser. Developers also assist in updating the software we use to process complaints.
2. Phone system software and service providers who supply our telephone systems.
3. Cyber security services, which complete checks and maintain our cyber security system.
4. Printing services who supply our printing machines and maintenance.
5. Website hosts who provide our server space and web services.
4.3. All such parties are required to maintain the confidentiality of your information by agreeing to provide adequate protections for personal data in line with GDPR and other data protection laws.
4.4. We may disclose your personal information to third parties if we are required to do so through a legal obligation (for example to the police or a government body); to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.
7. Access to your information
7.1. Clients and individuals have the right to access information held about them to ensure that such personal data is accurate and relevant for the business purposes for which it was collected.
7.2. To understand what personal information we hold, we ask that you place a Subject Access Request. We invite requests to be made electronically in writing to Stephanie Lewis, our nominated Data Protection Officer, at firstname.lastname@example.org. However, this is not compulsory, and we shall also accept a Subject Access Request verbally or in writing through an alternative method. We have one month from receipt of the request within which to provide the information you request and will provide you a copy of the information free of charge (unless we deem your request to be manifestly unfounded or excessive, in which case we will charge a reasonable fee for the administrative costs of complying with your request).
8. Our legal basis for processing
Under GDPR, the grounds which we rely upon to process your personal data are:
• You may voluntarily provide us with your consent to process your data for a particular purpose.
• It may be necessary for compliance with our legal or contractual obligations.
• It may be necessary for the purposes of legitimate business – either we, or a third party, will need to process your information for the purposes of our (or a third party’s) legitimate interests, provided we have established that those interests are not overridden by your rights and freedoms, including your right to have your personal data secured.
9. Incident handling
9.1. We will report all serious data breaches which result in the loss, release or corruption of personal data to the Information Commissioner’s Office (“ICO”) within 72 hours.
9.2. The definition of a serious breach is where CDRL’s data security has been compromised resulting in the loss or disclosure of a client’s personal or sensitive data which could prove detrimental to the individual’s financial, physical or emotional well-being. Detrimental effect would include information leading to:
• Identity theft
• Financial hardship
• Insurance exclusion
• Volume affected – 10 individuals
9.3. A non-reportable breach will be the compromise of CDRL’s data security resulting in the loss or disclosure of staff members’ personal data where there is no particular sensitivity and would not result in an individual being adversely affected.
9.4. All breaches are recordable and will be documented in our Personal Data Security Breach Log.
10. Your rights
10.1. GDPR and other applicable data protection legislation afford you a variety of rights. We are obliged to tell you that these rights include:
• The right to be informed about how your personal data is being used (as per this Statement).
• The right to access the personal data we hold on you.
• The right to request we rectify any incorrect personal data we hold about you.
• The right to request we delete your data, or stop processing it, in some circumstances.
• The right to stop any unauthorised transfer of your data to a third party.
• The right to complain to your data protection regulator with regards to the way in which we process your personal data — in the UK, the Information Commissioner’s Office.
• The right to withdraw your consent. If you object to us processing your personal data, or if you have provided your consent to processing and you later decide to withdraw it, we will respect your choice in accordance with our legal obligations. Should you wish to exercise this right, please contact Stephanie Lewis, our nominated Data Protection Officer, at email@example.com.
10.2. Your objection (or withdrawal of any previously given consent) could mean that we are unable to perform the actions necessary to achieve a purpose. Please note you may also not be able to make use of our services without such information. After your consent has been withdrawn, we may still be able to process your personal data, but only to the extent required or otherwise permitted by law. This is particularly in connection with exercising or defending our legal rights and/or meeting our legal and regulatory responsibilities.