Supplier Privacy Policy

Commissum Associates Ltd. is committed to protecting your personal data and respecting your privacy.

1. Introduction

This privacy policy sets out the basis on which any personal data that Commissum collects from or about you when you interact with us will be processed by us. It also explains how we will store and handle that data and keep it safe. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

2. Who Are We?

Commissum Associates Ltd. is a leading provider of information security services, which includes our affiliated companies operating under the Commissum brand.

This Privacy Policy is issued on behalf of Commissum so when we mention “Commissum”, “we”, “us” or “our” in this Privacy Policy, we are referring only to Commissum and our affiliated companies operating under the Commissum brand. It is Commissum that is the data controller in respect of any personal data we collect about you in the UK, and is responsible for the Commissum website () (the ‘Website’) and any registration on the Website.

3. Contacting Us

If you have any queries, comments or requests regarding this Privacy Policy or you would like to exercise any of your rights, you can contact us in the following ways:

  • By email at
  • By post at Data Protection Officer, Commissum Associates Ltd, 5 Mitchell Street, Edinburgh, EH6 7BD

It is also important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, using the contact details above.

4. What is Personal Data?

Personal data means any information about an individual from which that person can be identified, whether directly (e.g., personally identifiable information such as your name) or indirectly (e.g., online identifiers such as an IP address or cookies). It does not include data where the identifying element has been removed (anonymous data).

5. What Personal Data Do We Collect?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name and title
  • Contact Data includes organisation name and address, business email, phone numbers and job title
  • Additional Data includes information which you may choose to share with us that you think is relevant, or specific data we may request in order to match your service to our or our client’s requirements, such as professional profile data for associates

The source of the personal data above will be either yourself, your organisation, internal company management, or publicly accessible sources. We collect data from and about you during the negotiation and fulfilment of a contract.

We may also collect, use and share Aggregated Data such as statistical data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

6. How Do We Use Your Personal Data?

The law on data protection sets out a number of different reasons for which a company may collect and process personal data. Our uses of your personal data comply with the law, and include the following lawful bases:

  • To allow us to enter into and/or perform our contract with you for products or services, or for the delivery of these products or services to our clients, and enable us to comply with our legal obligations in this regard
  • If the law requires us to, we may need to collect and process your data, for example by disclosing it to government entities for tax purposes; where people are involved in fraud or other criminal activity affecting Commissum, we may be required to share personal data with law enforcement
  • In specific situations we may require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms; these legitimate interests include maintenance of certifications and accreditations, IP rights protection and due diligence

7. Special Categories of Personal Data

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions or offences.

8. If You Fail to Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract that we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have, or are trying to enter into, with you.

9. Sharing Your Personal Data

We sometimes share your personal data with trusted third parties. For example, our professional advisors such as lawyers and accountants for legal or business administration purposes, and with certifying bodies that we use to maintain industry certifications such as ISO certifications and CREST accreditation.

When we do share your data with third parties we only provide the information they need to perform the service. They may only use your data for the exact purpose we specify to them and we work closely with them to ensure your privacy is secure and respected.

10. International Transfers of Your Personal Data

We are a global business and some of our offices and service providers are located in countries outside of the UK. As a result, personal data that we collect from you may be transferred to, accessed and/or stored outside the UK in order to provide our services.

If we do this, we have procedures in place to ensure your data receives the necessary protections. Any transfer of your personal data will follow applicable laws and we will treat the information under the principles set out in this Privacy Policy. In addition, any transfer of your personal data to a third country or international organisation will only ever take place on the following conditions:

  • Adequate data protection measures are in place for the destination country, as determined by the ICO
  • ICO-approved model clauses are in place between us and any joint controller or processor

For further details, please get in touch using the information provided in the ‘Contacting Us’ section.

11. How Long Will We Keep Your Personal Data?

We will only keep your personal data for as long as we need to in order to fulfil the relevant purpose(s) it was collected for, as set out in Section 6 of this Privacy Policy, and thereafter for as long as we need to keep it for legal purposes or a reasonable period as defined in our Retention Policy.

For example, we retain your data in relation to the contract we have with you for 10 years after we cease having a commercial relationship with your organisation.

At the end of that period, your data will either be deleted or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

12. Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have implemented an Information Security Management System (ISMS) that is certified to ISO 27001. In addition, we are certified to Cyber Essentials Plus.

We have put in place suitable physical, electronic, contractual and managerial controls to safeguard and secure the data we collect from and about you in accordance with this Privacy Policy.

13. Your Rights

13.1 Overview of your Rights

You have the following rights in relation to your personal data:

  • Access – you have the right to obtain a copy of the personal data that we hold on you
  • Rectification – where data that we hold on you is incorrect or incomplete, you have the right for this to be corrected
  • Erasure – in the following circumstances you have the right to the deletion of your data
    • Where it is no longer necessary for the original purpose
    • Where you have previously given consent for the processing of your data and wish to withdraw it
    • Where you object to the processing of your data, and we have no overriding legitimate interest to continue this processing
    • You no longer wish your personal data to be used for direct marketing
    • To meet a legal obligation
    • Where personal data is unlawfully processed
    • We have processed the personal data in relation to providing services to a child
  • Restriction of processing – in the following circumstances you have the right to request us to restrict how we process your data:
    • You dispute the accuracy of the personal data that we hold on you
    • The processing is unlawful and you wish us to restrict processing instead of deleting your data
    • We no longer need to process your data, but the data is required by you in relation to legal claims
    • In relation to you raising an objection to the processing of your data
  • Data portability – you have the right for your data to be transferred to another controller if we process your data by automated means as a result of your freely given consent or as part of a contract with you
  • Object to processing – you may object to processing of your data where we process your data in relation to direct marketing, on the basis of our legitimate interest, where the processing is by automated means, or for scientific, historical or statistical purposes
  • Automated decision-making – you have the right not to be subject to solely automated decisions about you (i.e., performed by a computer without human intervention)
    • We do not conduct any automated decision-making

In all cases, use the contact details provided in the ‘Contacting Us’ section.

13.2 Further Information on Specific Rights

13.2.1 Direct Marketing

You have the right to opt out of marketing at any time and you have a choice about how you wish to receive information from us. If you do not wish to receive direct marketing communications, you can change your marketing preferences at any time by getting in touch using the details in the ‘Contacting Us’ section.

You can also click on the ‘unsubscribe’ link in all marketing emails to opt out of receiving future communications from us by email.

13.2.2 Accessing Your Personal Data

You have the right to obtain a copy of all personal data we hold on you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded, excessive, or a duplicate of a previous request you have submitted. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

To request a copy of the personal data we hold on you, please get in touch using the details in the ‘Contacting Us’ section.

14. Complaints

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

You can contact them by:

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence. If in doubt, contact the ICO.