Updated: 25th May 2018
Updated: 25th May 2018
Consumer Dispute Resolution Limited (“CDRL”) is a not for profit alternative dispute resolution (ADR) provider, approved under the Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015. CDRL is dedicated to safeguarding and protecting your privacy when visiting our site or communicating with us.
Please read this Privacy Statement carefully as it applies when you visit our site or use our service. This Statement is applicable exclusively to our site (inclusive of our ADR channels – RetailADR, AviationADR, UtilitiesADR, Consumer Arbitration, Data Arbitration and CommsADR), and not to other websites that may be viewed by users via links present on the site.
We do update this Statement from time to time so please do return and review this regularly.
This Privacy Statement explains how we obtain and utilise your personal data. All your personal data shall be held and used in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and national laws implementing GDPR and any other legislation relating to the protection of personal data.
You provide us with the information we collect and use about you. If you ask us to look into a dispute you have with a company, we will ask you to authorise them to provide us with their side of the story. They will provide any relevant information about you, your account(s) the goods or service etc.
We collect personal data in order to provide and operate our service effectively. We additionally collect data of third parties and prospective employees. We will only collect the minimum personal information needed to complete a task and will not collect information just in case.
We will take care of your personal data and will only use it to process your enquiry or investigate your complaint and to help us improve service quality. Following completion of the complaint investigation, your information may be used as the basis for creating an anonymous case report and this may, in turn, be used to build scenarios for training and reporting purposes but these will contain no personal information.
The personal data we collect includes:
Information received from your device or software may also be collected and stored. This information can include an IP address, browser type, domain names, access times and website address.
At points in our site, we invite or request you to submit your contact details or other information about yourself or your organisation, or to send us emails which will, of course, also identify you.
We collect personal data via electronic webforms or via phone or face to face contact.
We do record our telephone calls for quality and training purposes. You will be told about this in a recorded message before your call is put through to a member of staff. Calls that are recorded for these purposes will be kept secure, will not be disclosed outside of CDRL and will be deleted after a maximum period of 12 months. However, you are entitled to object to this and can choose to opt out of call recordings by following the instructions.
When you provide us with your personal information we will only retain it for as long as we need to, to make sure that we have dealt with all aspects of your enquiry or complaint. In practice, this means that we will keep your name and address for a minimum of six months if you make an enquiry or submit a complaint which is deemed to be out of scope (as per the scheme rules).
Once we have archived your complaint and provided a determination to you, we will only store all personal data for 12 months. After this, the information will be deleted. All personal information held by CDRL will be deleted in a structured, secure and timely manner.
In order to process your complaint we shall usually need to disclose the personal information you send us to the company. We may then need to disclose it to a third party such as an independent expert, to help us determine the case.
To help us process our work we have contracts with companies who provide us with services such as IT support. Where they process your data for us our contract with them makes clear that they must hold it securely and only use it as we instruct them to. If your case raises issues which we think might be more appropriate for one of the regulators, we will only pass your information on with your consent.
Examples of the types of third parties we will engage with to provide our service are;
All such parties are required to maintain the confidentiality of your information by agreeing to provide adequate protections for personal data in line with GDPR and other data protection laws.
Clients and individuals have the right to access information held about them to ensure that such personal data is accurate and relevant for the business purposes for which it was collected.
To understand what personal information we hold, you will need to place a Subject Access Request in writing to Stephanie Lewis, our nominated Data Protection Officer, at firstname.lastname@example.org. We have one month within which to provide the information you request and will provide you a copy of the information free of charge.
Under GDPR, the grounds which we rely upon to process your personal data are:
We will report all serious data breaches to the Information Commissioner’s Office (“ICO”) within 72 hours which result in the loss, release or corruption of personal data.
The definition of a serious breach is where CDRL’s data security has been compromised resulting in the loss or disclosure of a client’s personal or sensitive data which could prove detrimental to the individual’s financial, physical or emotional well-being. Detrimental effect would include information leading to;
A non-reportable breach will be the compromise of CDRL’s data security resulting in the loss or disclosure of staff members’ personal data where there is no particular sensitivity and would not result in an individual being adversely affected.
All breaches are recordable and will be documented in our Personal Data Security Breach Log.
GDPR and other applicable data protection legislation afford you a variety of rights, we are obliged to tell you these rights include:
Your objection (or withdrawal of any previously given consent) could mean that we are unable to perform the actions necessary to achieve a purpose. Please note you may also not be able to make use of our services without such information. After your consent has been withdrawn, we may still be able to process your personal data, only to the extent required or otherwise permitted by law. This is particularly in connection with exercising or defending our legal rights and/or meeting our legal and regulatory responsibilities.