GDPR Compliance
Our commitment to protecting your personal data under UK data protection law.
Last updated: January 2024
Verdant-Cryptic Education Limited is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains our approach to data protection compliance and your rights as a data subject.
Our Role as Data Controller
For most processing activities related to our education services, we act as the data controller. This means we determine the purposes and means of processing personal data. Our registration details are:
Data Controller: Verdant-Cryptic Education Limited
Registered Address: 47 Bartholomew Close, London EC1A 7BL
Company Number: 12847563
Contact: [email protected]
Lawful Bases for Processing
We rely on different lawful bases depending on the nature of processing:
Contract Performance (Article 6(1)(b))
Processing necessary to deliver educational services you have enrolled in, including:
- Managing your learner account and access credentials
- Delivering programme content and assessments
- Processing payments and issuing invoices
- Providing certificates and verifying qualifications
- Responding to support requests
Legitimate Interests (Article 6(1)(f))
Processing where we have identified a legitimate business interest that does not override your rights, including:
- Improving our services based on aggregated usage patterns
- Fraud prevention and security measures
- Marketing similar services to existing customers
- Maintaining business records and analytics
We conduct balancing tests to ensure our interests do not override individual rights and maintain records of these assessments.
Legal Obligation (Article 6(1)(c))
Processing required to comply with legal requirements, including:
- Financial record keeping for tax purposes
- Regulatory reporting to education authorities
- Responding to lawful requests from authorities
Consent (Article 6(1)(a))
Processing based on your consent, including:
- Sending marketing communications to non-customers
- Placing non-essential cookies
- Sharing information with third parties beyond service delivery
Consent can be withdrawn at any time without affecting the lawfulness of processing before withdrawal.
Your Data Subject Rights
Under UK GDPR, you have the following rights:
Right of Access (Article 15)
You may request confirmation of whether we process your personal data and access to that data. We provide this information free of charge within one month. Requests can be made by email to [email protected].
Right to Rectification (Article 16)
You may request correction of inaccurate personal data or completion of incomplete data. For learner records, you can update most information directly through your account portal.
Right to Erasure (Article 17)
You may request deletion of personal data when:
- Data is no longer necessary for the original purpose
- You withdraw consent (where consent is the lawful basis)
- You object to processing and no overriding grounds exist
- Data has been unlawfully processed
This right does not apply where we must retain data for legal compliance, establishment of legal claims, or archiving in the public interest.
Right to Restriction (Article 18)
You may request restriction of processing while we verify the accuracy of contested data or determine legitimate grounds for processing, or while you exercise other rights.
Right to Data Portability (Article 20)
You may request personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
Right to Object (Article 21)
You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds. You have an absolute right to object to direct marketing.
Rights Related to Automated Decision-Making (Article 22)
We do not make decisions based solely on automated processing that produce legal or similarly significant effects. Assessment outcomes involve human review.
Data Protection Measures
We implement appropriate technical and organisational measures as required by Article 32:
Technical Measures
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of stored data using industry-standard algorithms
- Regular vulnerability assessments and penetration testing
- Secure backup procedures with tested recovery processes
- Access logging and monitoring for security events
Organisational Measures
- Data protection training for all staff
- Access control policies limiting data access to authorised personnel
- Confidentiality agreements with all employees and contractors
- Regular review of data processing activities
- Incident response procedures for potential breaches
International Data Transfers
Some personal data may be transferred outside the UK when using cloud services or international service providers. We ensure such transfers comply with Chapter V of UK GDPR through:
- Adequacy decisions where the destination country provides adequate protection
- Standard contractual clauses approved by the Information Commissioner
- Binding corporate rules for intra-group transfers
- Specific derogations where applicable
Data Breach Procedures
In the event of a personal data breach, we follow procedures compliant with Articles 33 and 34:
- Assessment of breach severity and risk to individuals
- Notification to the Information Commissioner's Office within 72 hours where required
- Communication to affected individuals without undue delay where the breach is likely to result in high risk
- Documentation of all breaches regardless of notification requirement
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 when processing is likely to result in high risk to individuals, including:
- Introducing new learning technologies
- Processing data at scale
- Systematic monitoring of learner progress
Records of Processing Activities
We maintain records of processing activities as required by Article 30, documenting:
- Categories of data subjects and personal data
- Purposes of processing
- Recipients of personal data
- International transfers and safeguards
- Retention periods
- Technical and organisational security measures
Third-Party Processors
We engage processors in compliance with Article 28, ensuring:
- Written contracts specifying processing scope and obligations
- Adequate security measures
- Restrictions on sub-processing
- Assistance with data subject rights
- Data deletion or return upon contract termination
Exercising Your Rights
To exercise any of your rights:
- Send a written request to [email protected]
- Include sufficient information to identify you
- Specify which right you wish to exercise
We will respond within one month. This period may be extended by two months for complex requests, with notification within the initial month. We may request additional information to verify your identity.
Complaints
If you believe we have not handled your personal data appropriately, you may:
- Contact us directly to resolve the issue
- Lodge a complaint with the Information Commissioner's Office
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Updates to This Information
We review our data protection practices regularly and update this page accordingly. Material changes affecting your rights will be communicated directly where appropriate.