Privacy and protection of personal information

BRCGS Privacy Notice

This Privacy Notice explains how BRCGS obtains, uses and discloses your personal data and how you can contact us if you have any questions or want to exercise any of your privacy rights.  References to “we” and “us” in this Privacy Notice are references to BRCGS.

BRC Trading Limited (trading as BRCGS), is the controller of your data.  BRCGS takes its privacy responsibilities seriously and has implemented measures designed to protect your personal data and ensure compliance with applicable laws.  For information about how to contact us, please go to Section 15.

1. How we get personal data about you

We may get personal data directly from you, for example, if you:

  • visit, register to use, or interact with any of our websites (such as the BRCGS Bookshop or our BRCGS e-Learning site)
  • purchase any of our products or sign up to receive our services or attend our events
  • create a profile to use our products or services (for example on our BRCGS Educate site)
  • sign up to receive newsletters or other promotional information from us
  • supply goods and services to us
  • otherwise interact with us in any way (e.g. by giving us your business card in a meeting or downloading a whitepaper from our website).


We may also get personal data about you indirectly from third parties, for example from:

  • social media sites (such as LinkedIn)
  • our Approved Training Partners (“ATPs”) or Approved Training Establishments (“ATEs”) if you participate in any of their training events
  • third party organised events and conferences, or
  • Certification Bodies (e.g. in connection with auditing).


2. What personal data do we get about you

The personal data we get about you may include any of the following (depending on the nature of our relationship):

  • personal and business contact details – such as your name, physical address, email address, telephone/mobile phone (personal and/or business), company you work for, company address, your job title/position
  • customer details and purchase history – such as username, password (if you register to use any of our products and services you may be asked to create a profile), customer ID, details of products or services purchased, and order, shipping and billing details
  • marketing preferences – such as whether or not you have asked to receive marketing communications from us and what type of information you are interested in receiving
  • your profile details – when you access some of our products or services (such as Educate) you may be asked to create a profile which will help us to track your learning activities, access to course materials, achievements (e.g. exam results or digital badges earned). Your profile may also enable you to gain access to other services we offer, such as BRCGS Professional
  • interactions with our online services and website(s) – such as how many times you visit our site or use our services, which pages you go to, traffic data, location data and the originating domain name of your internet service provider (obtained through the use of cookies on this site – see further Section 10 for how we used cookies)
  • data from social media sources – if you provide information about yourself on third party websites or social media sites, we may use that information to get to know you better and for our marketing purposes
  • data from third parties – if you have a relationship with third parties with whom we do business (for example, you have attended training courses provided by our ATEs or ATEPs, or you have participated in an audit carried out by a Certification Body, or you work for one of our suppliers of products and services), then we will obtain from those parties limited personal information about you, such as name, contact details, your location and the organisation for whom you work (if relevant).


When you fill in one of our forms, we will indicate where the provision of specific personal data is mandatory in order for you to receive the product or service you are requesting.  If you do not provide this mandatory information (e.g. your name and address when purchasing a product, or your email address when signing up for our newsletter) we will not be able to complete your request.

3. Purposes for which we use your personal data

We may use and disclosure your personal data (which we obtain as described above) for any of the following purposes: 

  • providing products and services to you – including processing your personal data for the purpose of account administration and management, order fulfilment, delivery, managing customer relations, billing and payment administration, fraud detection and prevention, providing customer support services, notifying you of developments in procedures or products which we believe will assist you in the use of the product or service you have purchased, and handling complaints and enquiries
  • direct marketing, including profiling and analytics – including processing your personal data to send you direct marketing communications, profiling and analysing customer interests, behaviour and preferences (to help us better understand our customers, improve our products and services and provide more tailored marketing communications and enhance customer satisfaction), marketing research
  • conducting our business, administration and management – including administering and managing our business activities, contracts and relationships with customers, suppliers and partners; maintaining our website(s); providing services to customers; managing and responding to data subject requests; and giving effect to customer marketing preferences
  • online tracking and analysis – including using cookies and similar technologies to track visitors to our sites and measure and analyse their use of our sites – see further Section 10.


4. Disclosures of your personal data

We will only disclose your data to:

  • other companies within the BRCGS group in connection with the purposes described in Section 3; and/or
  • our third-party service providers in connection with the services they are providing on our behalf, which may include hosting, software as a service, delivery and logistics, electronic payments systems, IT support services, and marketing related services. If we disclose your data to our third -party service providers, we will ensure it is protected under an appropriate contract and only used by our providers in connection with the services.


If you are identified in an audit report (e.g. as a point of contact for a Certification Body or an auditor), your personal data may be disclosed to third parties (such as our customers) who request access to that report.  Typically, your personal data is limited (e.g. an email or name).  Rest assured that we will put in place safeguards to protect your personal data whenever we make such a disclosure.

5. How long we keep your personal data

We will keep your personal data for as long as necessary in connection with the purpose for which we have obtained it (see Section 3) and in line with our internal retention policy.

6. Legal basis for processing

As the controller of your personal data, BRCGS is responsible for complying with applicable data protection laws.  When we collect, use and otherwise process your personal data (for the purposes described in Section 3) we do so based on the following legal grounds: 

  • where you purchase products or services from us, we process your personal data on the legal basis that it is necessary for the performance of the contract for the sale of those products and services, including taking payment, delivery and related after sales activities
  • where we process your personal data for direct marketing, including profiling and analytics, we do so on the legal basis that you have either given us your consent (e.g. by ticking an opt in box) or it is in our legitimate interests to do so provided that our interests do not override your interests that require protection of your personal data
  • where we process your personal data for administration and management, we do so on the legal basis that it is in our legitimate interests to do so provided that our interests do not override your interests that require protection of your personal data
  • where we process your personal data in connection with the use of cookies and similar technologies, we will do so on the legal basis that we have obtained your consent (this is requested when you first land on our website).


Where you have consented to the processing of your data, you may withdraw that consent at any time by contacting us – see Section 14.

7. Managing your marketing preferences

When we process your personal data for marketing purposes, as described in Section 3 and Section 6, we may contact you by email, SMS and/or post, as well as by telephone (if you have provided us with your number).  You can unsubscribe from marketing communications at any time by: 

  • contacting us using the details in Section 14
  • clicking on the unsubscribe link in any marketing message you receive from us
  • managing your marketing preferences via the preference centre accessible here – this will enable you to unsubscribe from all communications or select the ones you would prefer to receive (including the means by which we may contact you).


Please note it can take up to 30 days for your unsubscribe request to be implemented and for future communications to cease, in that time you may receive messages that have already been scheduled for sending.

8. Your privacy rights

Under EU data protection laws, you have the right to:

  • access your personal data – you have the right to receive a copy of the personal data we hold about you. We may require the request to be in writing, accompanied by proof of identity (to ensure we only provide the data to the right person)
  • withdraw your consent to direct marketing – you can exercise your right to withdraw consent to marketing at any time by contacting us and telling us you no longer want to receive marketing from us
  • rectification – if you think any of the personal data, we hold about you is inaccurate, you can ask us to correct it. Simply contact us and include your name, address and/or email address (this will help us ensure we accept amendments only from the correct person – we may ask for proof of identity in some cases)
  • restriction – in limited circumstances you may be able to require us to restrict our processing of your personal data. For example, if you consider the data, we hold is inaccurate and we disagree with you, the processing of that data may be restricted until the accuracy has been verified
  • erasure – you may ask us to delete your data if you think that we no longer have a lawful basis for holding onto it, or if you just want to withdraw your consent to our use. Please contact us and tell us what data you want us to delete and why
  • portability – in limited circumstances you may be entitled to have the personal data you have provided to us sent electronically to you so that you can provide it to another organisation
  • complain to the Information Commissioner’s Office – you have the right to lodge a complaint with the Information Commissioner’s Officer if you think our processing of your personal data infringes applicable law. You can find information on how to do this at


To exercise any of your rights, please contact us using the details set out in Section 14.

9. Security

We take the security of personal data very seriously.  We employ security technology, including firewalls and encryption to safeguard personal data and have procedures in place to ensure that our systems and databases are protected against unauthorised disclosure, use, loss and damage. 

Personal data on our systems is only accessible by appropriately trained staff and approved third-party service providers who need to access your personal data as part of their job.  All access is tracked through individual login credentials and audit trails.

We only use third party service providers where we are satisfied that the security, they provide for your personal data is at least as protective as the security we use ourselves.

10. Transfers of your data out of the EU

We may sometimes make transfers of personal data to countries outside the European Union, for example, to our group companies and/or the third parties identified in Section 4 who may be located in countries such as the United States, Canada and India.  If we transfer personal data out of the European Union, we will take appropriate measures to ensure that such data is protected in accordance with this Privacy Notice and applicable privacy laws.

11. Cookies

We use cookies when you visit our website(s).  For more information, please see our Cookie Policy.

If you do not want to accept cookies, you can change your browser settings so that cookies are not accepted.  If you do this, please be aware that you may lose some of the functionality of this website.  For further information about cookies, including how to disable them, please go to

12. Links to other websites

Please note, this website may contain links to other websites that are not controlled by us.  These links are provided for your convenience.  We are only responsible for our privacy practices and our security.  We recommend you check the privacy policies for any other websites that you visit.

13. Changes to this Privacy Notice

Privacy laws and practice are constantly developing, and we aim to meet industry standards.  Our policies and procedures are, therefore, under regular review.  We may, from time to time, update our security and privacy policies.  We will ensure our website has our most up to date Privacy Notice and suggest you check this page periodically to review our latest version.

14. Contact us

For any queries about this Privacy Notice or to exercise any of your privacy rights, please contact us by email or by post at BRCGS Customer Service, 2nd Floor, 7 Harp Lane, London EC3R 6DP.