Privacy Notice

Last updated: 24 June 2024

NCC Group is committed to protecting and respecting your privacy. This Privacy Notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. Please read this privacy notice carefully to understand our practices regarding how we will treat your personal data.

Your personal data is ultimately controlled by NCC Group plc, a company registered in England and Wales (registered number 04627044) whose registered office is at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.

Our Data Protection and Governance Officer can be contacted using the following email address:, or alternatively by writing to the address above and marking it for the attention of the Data Protection and Governance Officer.

For information on how the Website uses cookies, please visit our Cookie Policy.


What personal data does NCC Group collect and hold about you

We collect personal data that you provide voluntarily through:

  • filling in forms on the Website;
  • contacting us by phone, email or physical mail;
  • asking us to contact you in relation to services we provide;
  • subscribing to our mailing lists, newsletters or bulletins;
  • completing a survey we send you;
  • booking a seminar or event run by us;
  • ordering products or services from us;
  • requesting downloads of documentation or software;
  • requesting support related to software or services;
  • interacting with us on social media platforms (such as Linked In); or
  • reporting a problem with our Website.

The data we collect about you may include some or all of the following:

  • Name and job title;
  • Company or organisation;
  • Contact information, including email address and telephone number(s);
  • Demographic information such as postcode, preferences and interests;
  • Other information relevant to client surveys or similar research;
  • Information pertinent to fulfilling our Services to you; and
  • Any other personal information that you voluntarily choose to provide to us.

If we ask you to provide any other personal data not described above, the personal data that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point that you are asked to provide your personal data.

When you visit our Website, we may collect certain personal information automatically from your device.

Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification number, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Website, including the pages accessed and links clicked.

Some of this information may be collected using cookies and similar tracking technology, as explained further in our Cookie Policy.

We may use legal public sources to obtain information about you. We may also obtain information from third party companies when permitted by law, for example, market data enrichment services which provide information about a company’s industry, size and contact details.


What data does NCC Group collect when you engage in recruitment activities?

If you engage in recruitment activities with NCC Group, such as applying for a role with us, we will have a number of legal and organisational reasons to collect and use your personal data. Please see the below privacy notice for more information:

Candidate Privacy Notice



What data does NCC Group collect when you visit our offices?

We meet visitors at our corporate offices, including:

  • clients;
  • external training providers;
  • job applicants;
  • suppliers; and
  • stakeholders.

If your visit is planned, we’ll send your name and visit information to reception before your visit. We ask all visitors to sign in and out at reception and show a form of ID. The ID is for verification purposes only, we don’t record this information.

We capture CCTV images of visitors to our offices for the purposes of security, including crime prevention and detection, and the apprehension and prosecution of offenders.

Any CCTV used outside of NCC Group offices, including the exterior of the building and in communal areas of multi-tenanted sites, is not operated by us, and we are not the controller. It will be under the control of the relevant building landlord.


How do we use your personal information, and what are our legal grounds?

In addition to using your information to fulfil our contract to provide you with requested products or services, we may also use your information in the following ways:

  • to monitor and improve our products, services and the Website;
  • to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about or that we feel may be of interest to you;
  • to notify you about changes to our services;
  • to administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to enable us to comply with any legal or regulatory requirements.

The basis on which we collect your information

We collect much of your information on the grounds of: (i) legitimate interests (for example, to send you direct marketing about products and services similar to those you have purchased from us or negotiated or enquired about, or to help us administer the Website); and (ii) fulfilment of a contract with you (for example, to provide you with products or services you have purchased from us).

If we require your personal data for fulfilment of a contract with you (for example, to provide services or products to you or to receive payment from you), we may be unable to fulfil the contract without your personal data.

Where we rely on legitimate interests, our legitimate interests are the promotion of the products and services offered by NCC Group and the provision of information in respect of products and services you have already purchased from us or in which you have expressed an interest in purchasing. This may include analytics on the effectiveness of sales and marketing campaigns in relation to business to business activities.

If we are unable to rely on legitimate interests, fulfilment of a contract or any other ground set out in the GDPR (or other applicable privacy law) to process your personal data, we will obtain consent from you to the processing. This will be the case if, for example, you download documentation from us and we would like to send you marketing communications about our products and services. If you give us your consent, you can withdraw it at any time by clicking on the link in the email we send to you, or by emailing


Retention of your information

We will retain your personal information for as long as is necessary for the purpose for which it was collected based on our business needs, or for as long as we are legally or contractually required to do so.

The retention periods are set based on a number of criteria, including:

  • whether we are required by law to keep the information for a certain period of time,
  • whether you have withdrawn consent to the processing,
  • whether a contract has been performed,
  • the likelihood of us needing to retain the information in the event of a claim arising,
  • whether the data is still up to date, and
  • whether there are exceptions set out in the applicable data protection legislation that allow us to retain the personal data for a longer period or indefinitely.

The exact retention period varies depending on what the information is and the purpose it is used for, and this is subject to periodic review.

Any personal data that has reached the end of the retention period will be reviewed and securely destroyed or if we are unable, using reasonable effort, to delete or destroy the personal data, we will ensure that it is encrypted or protected by other security measures, such as anonymisation, so that it is not readily available or accessible by us.


Who do we share your personal information with?

We may share your personal information with any member of the NCC Group, which means our subsidiaries, our ultimate holding company and its subsidiaries unless this is prohibited by law or other applicable regulatory requirement. Our affiliated group entities can be found here.

We may disclose your personal information to third parties:

  • if the third party contracts with us to provide certain of the services you have requested and requires your personal information in order to do so, please see our list of sub processors;
  • if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • if NCC Group or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or to protect the rights, property, or safety of NCC Group, our customers, or others; where we use Service providers, business partners and sub-contractors for business administration, support, processing, services, or IT purposes; or
  • where you have consented to Cookies, as set out in our cookie policy.


Do Not Sell My Personal Information

NCC Group do not engage in the sale of personal data. Certain information may be shared with third parties through use of cookies – if you wish to opt-out of this sharing and the use of cookies please use the cookie preferences tool to indicate your preferences, which you can find on the bottom left corner of your browser window.

 For more information, please see the “Your rights” section below or contact us at


Where we store your personal data

NCC Group operates globally, therefore the information we process may be transferred outside your country of residence. As such, the below is designed to give you a clear understanding of any overseas transfers as it relates to your country of residence.

The data that we process about you may be transferred to, or stored at, a destination outside of your country of residence, it may also be processed by staff operating outside of your country of residence who work for us or for one of our suppliers/partners.

We will always take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice. The places your personal data may be transferred will either offer adequate protection for your personal data, as determined by the European Commission or the UK government, or we will make sure there are appropriate safeguards in place. Generally, NCC Group uses standard data protection/standard contractual clauses in line with the templates approved for use in the UK or those adopted by the European Commission.

We also have in place appropriate security measures to prevent your personal data from unauthorized access, use, alteration, disclosure, or loss.

If you would like to know more about the basis on which we may transfer your data please contact


Security of your Data

NCC Group has a thorough information security policy in place. As a result, NCC Group has implemented specific measures such as admission controls, system access controls, data access controls, transmission controls, input controls, job controls, availability controls, and segregation controls in order to ensure adequate protection of personal data. This includes specific measures such as the use of anti-virus applications, proper training protocols, systematic access management, and DDoS mitigation technologies.

NCC Group’s active approach to protect the integrity of the data includes, but is not limited to, technical and organizational measures such as proper system administration, regular backup procedures, the use of authentication codes, signature procedures, network controls, and proper training of employees and relevant third parties.


Your rights

There are a number of rights available to people under the different global privacy laws, including GDPR and the California Consumer Privacy Act (CCPA), which include:

  • access to your data and information about what data we hold, its source, the
  • purposes of processing your data and information on where this is shared or sold;
  • rectification of your data where it is inaccurate;
  • the right to be forgotten / to request that data is deleted;
  • the right to restrict the processing of data;
  • data portability;
  • the right to object;
  • the right to opt-out of the sale of your data; and
  • rights relating to automated decision-making
  • the right to non-discrimination


If you would like to exercise any of your rights in respect of your personal data, please contact us at or write to us at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.

You will not have to pay a fee to exercise any of the above rights unless your request is clearly unfounded, repetitive or excessive, in which case we may charge a reasonable administrative fee. Alternatively, we may refuse to comply with your request in these circumstances.

We try to comply with legitimate requests within one calendar month. However, if your request is particularly complicated or you have made a number of requests, it may take us longer than a month to respond and we will always notify where this is the case.


1. Access to your data

You have the right to ask us to confirm that we process your personal data, as well as to have access to and receive copies of the data we hold about you. This right also include being provided information on the categories of data held, the sources of any data we process and information on who this is shared with or sold to – for ease we have included the majority of this information within this privacy notice.

We will provide the information you request as soon as possible and in any event:

  • within one month of receiving your request if made under the right of access under GDPR; or
  • within 45 days of receiving your request if made under the CCPA.

If we need more information to comply with your request, we will let you know.


2. Rectification (correction) of your data

If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify it. We will make the correction within one month, unless we don’t feel the change is appropriate for us to make, In that case, we’ll let you know why. We will also let you know if we need more time to comply with your request.


3. Right to be forgotten

In some circumstances, you have the right to ask us to delete the personal data we hold about you when:

  • we no longer need your personal data for the purpose for which we collected it;
  • we have collected your personal data on the grounds of consent and you withdraw that consent;
  • you object to the processing and we don’t have any overriding legitimate interests to continue processing the data about you;
  • we have unlawfully processed your personal data (i.e. we have failed to comply with GDPR or CCPA); and
  • the personal data has to be deleted to comply with a legal obligation.

There are certain situations in which we are entitled to refuse to comply with a request. If any of those apply, we’ll let you know.


4. Right to restrict processing

In some circumstances, you are entitled to ask us to stop processing your personal data. But, while this means we must stop actively processing your personal data, we don’t have to delete it. This right is available if:

  • you believe the personal data we hold isn’t accurate – we’ll cease processing it until we can verify its accuracy;
  • you have objected to us processing the data– we’ll stop processing it until we have determined whether our legitimate interests override your objection;
  • if the processing is unlawful; or
  • if we no longer need the data but you would like us to keep it because you need it to establish, exercise, or defend a legal claim.


5. Data portability

Where NCC Group acts as a Data Controller, you have the right to ask us to provide your personal data in a structured, commonly- used and machine-readable format so that you are able to transfer the personal data to another data controller. This right only applies:

  • to personal data you provide to us;
  • when processing is based on your consent or for performance of a contract (i.e., the right does not apply if we process your personal data on the grounds of legitimate interests); and
  • if he processing is automated.

We’ll respond to your request as soon as possible and in any event within one month. If we need more time, we’ll let you know.


6. Right to object

You are entitled to officially object to us processing your personal data:

  • if the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority;
  • for direct marketing purposes (including profiling); and/or
  • for the purposes of scientific or historical research and statistics.

We will stop processing your data if you have ground for objecting unless we can show that there are legitimate compelling grounds that override your interests, rights, and freedoms or the processing is for the establishment, exercise or defence of legal claims.


7. Right to Opt-Out of the Sale of your data

  • You have the right, at any time, to direct a business that sells personal information about you to third parties not to sell your personal information.
  • A business that has received direction not to sell a consumer’s personal information shall be prohibited from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.

Any objections relating to the sale or use of personal data for marketing purposes shall be actioned without question or undue delay.


8. Right to Disclosure of Information Sold

Under the CCPA, Californian residents have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to you:

  • The categories of personal information that the business collected about you.
  • The categories of personal information that a business sold about you and the categories of third parties to whom the personal information was sold,
  • The categories of personal information that the business disclosed about you for a business purpose

9. Right to Non-discrimination

NCC Group shall not discriminate against any person who exercises their rights under the CCPA, the GDPR or any other applicable data privacy legislation.

This includes, but is not limited to:

  • denying services;
  • charging different rates for services;
  • providing different levels or quality of services

NCC Group do not offer financial incentives for the collection or use of personal data. If NCC Group were to offer any financial incentives for the collection or use of personal information, including but not limited to the sale of personal information or the deletion of personal information, it shall notify consumers and provide the option for consumers to opt-in. Such an opt-in may be revoked at any time by the consumer by clicking the unsubscribe link or contacting


Our website may contain links to our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check their policies before you submit any personal data to them.

Contact us

Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to

If you have any concerns about the ways in which we process your personal data, you have a right to complain to the relevant supervisory authority in your jurisdiction. We’d encourage you to contact us first, so we can address with your concerns.

The contact information for the relevant supervisory authorities is set out below:


Information Commissioner’s Office

0303 123 1113

European Union

Contact the supervisory authority in your location by consulting the list here


Office of the Australian Information Commissioner

1300 363 992


Personal Data Protection Commission

+65 6377 3131


National Privacy Commission

+632 5322 1322

United States

Contact the Attorney General within your State – information on who your Attorney General is can be found here.

Changes to this Privacy Notice

Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy notice.