CST Professional Development Ltd – Privacy Policy 

This Privacy Policy is edited by CST Professional Development Ltd, a Private Limited Company registered in England and Wales.and having its registered office at Suite 1, Whiteley Mill offices, 39 Nottingham Road, Stapleford, Nottingham NG9 8AD. CST Professional Development Ltd is registered with Companies House under the number 10354936. (hereafter, the “Data Controller”). 

The Data Controller offers a platform for peer to peer networking, sharing of resources and other CST Professional Community related business (hereafter, the “Platform”) to its users which have subscribed on the Platform and as such have a user account (hereafter, the “Users”). The Platform is available at the following url address https://community.cstuk.org.uk/ 

The Data Controller uses a solution called “Hivebrite”, which enables the import and export of user lists and data, the management of content and events, the organisation of emailing campaigns and opportunity research and sharing as well as the management of funds and contributions of any kind. 

In this regard, the Data Controller collects and processes User’s personal data in accordance with the Privacy and Cookie policy. 

The Data Controller is particularly aware and sensitive with regards to the respect of its Users privacy and personal data protection. The Data Controller commits to ensure the compliance of the processing it carries out as data controller in accordance with the Data Protection Law. 

Data Protection Law is the UK GDPR / Data Protection Act 2018. 

The Data Controller has put in place an appropriate privacy and cookie policy to be fully transparent on how the personal data of Users are processed within the use of the Platform and services provided. 

This privacy policy is intended for the Users of the Platform of the Data Controller. 

Data Controller has appointed a Data Protection Officer (hereinafter “DPO”) you may contact at the following address: [email protected]  

 

Date of last update: 11/09/2023 

 

  1. COLLECTED PERSONAL DATA  

 

1.1 When subscribing on the Platform 

When subscribing to the Platform, the User is informed that its following personal data is collected for the purpose of creating a user account: 

Mandatory data 

  • First name ;  

  • Last name ; 

  • Email address; 

  • Trust name 

  • Job title 

The User is informed that it is not possible to access the Platform without providing the mandatory data strictly necessary to create an account and authenticate the User. 

 

1.2 During the use of the Platform 

The User may validly publish, at its own initiative, any content on the Platform which shall be kept by the Company: 

  • Posts 

  • Documents 

  • Recordings and videos 

  • Photos 

  • Comments 

The User is aware that  when using the Platform, the User may decide to provide « sensitive data » within the meaning of Data Protection Law, for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, concerning sexual orientation, etc. By providing such sensitive data, the User agrees to their processing by the Platform in the conditions set forth in this Privacy Policy.  

      

  1. THE PURPOSE OF THE DATA PROCESSING 

The Data Controller and its subcontractors process personal data that are freely transferred by the User when accessing the services proposed by the Platform for the following purpose: 

 

Purpose 

Legal basis  

Creation and management of a user account 

processing is necessary for the performance of a contract to which the data subject is party 

First and last name – to identify the individual as an existing CST member 

processing is necessary for the performance of a contract to which the data subject is party 

Email address – to identify the individual as an existing CST member and to communicate with them 

processing is necessary for the performance of a contract to which the data subject is party 

Job title – to support the identification of individuals and ensure individuals are in the most relevant professional community for their occupation 

processing is necessary for the performance of a contract to which the data subject is party 

Profile picture – to support online networking 

the data subject has given consent to the processing of his or her personal data for one or more specific purposes 

Areas of interest – to support networking and facilitating connection on the community platform 

processing is necessary for the performance of a contract to which the data subject is party 

Geographic location (to city level) - to support networking and facilitate member to member connections based on location 

processing is necessary for the performance of a contract to which the data subject is party 

DFE Region - to support networking and facilitate member to member connections based on location 

processing is necessary for the performance of a contract to which the data subject is party 

Organisation name/employer name – to support identification of individuals as being members of CST 

processing is necessary for the performance of a contract to which the data subject is party 

 

 

 

  1.  DATA RETENTION PERIOD 

The Data Controller informs the User that the personal data related to the User Account is retained only during the length of the User’s subscription on the Platform. 

Following the termination of said subscription, the data collected upon the subscription as well as the content published by the User on the Platform shall be deleted after a period of twelve (12) months. Any data kept within the system will be “anonymised”. 

 

  1. DATA TRANSFERS 

The Users’ data are stored in the European Economic Area (EEA) by the Data Controller, its subsidiaries and its trusted service providers. However, depending on the processing, the Users’  data may also be transferred in a country outside the EEA, to our trusted service providers and subsidiaries. 

When transferring data outside the EEA, the Data Controller ensures that the data are transferred in a secured manner and with respect to the Data Protection Law. When the country where the data are transferred does not have a protection comparable to that of the EU, the Data Controller uses “appropriate or suitable safeguards”.  

When the service providers to whom personal data are transferred, are located in the United States, these transfers are governed by the standard data protection clauses adopted by the Commission.  

Contact the DPO at the following address [email protected].  

 

  1.   COMMITMENT OF THE DATA CONTROLLER 

The Data Controller commits to process User’s personal data in compliance the Data Protection Law and undertake to, notably, respect the following principles: 

  • Process User’s personal data lawfully, fairly, and in a transparent manner; 

  • Only collect and process the Users’ data for the strict purpose as described under article 2 of the present privacy policy; 

  • Ensure that the personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; 

  • Do the best efforts to ensure that the personal data processed are accurate and, if necessary, kept up to date and take all reasonable steps to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; 

  • Keep personal User’s data for no longer than is necessary for the purposes for which they are processed; 

  • Put in place all necessary technical and organizational appropriate measures in order to ensure the security, confidentiality, integrity, availability and the resilience of the process systems and services; 

  • Limit the access to the Users’ data to the persons duly authorized to this effect; 

  • Guarantee to the Users their rights under the Data Protection Law in relation to the processing of their data and make the best efforts to satisfy any request, where this is possible. 

 

  1. EXERCISE OF THE USERS’ RIGHTS 

The User is duly informed that it disposes at any time, depending on the legal basis of the processing, a right to access, to rectification, to erasure, to restriction of processing, to data portability, and to object. 

When processing is based on User’s consent, the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal. 

The User can exercise its rights by sending an email to the following address [email protected] ​     ​ or by mail at the following address ​CST Professional Development Ltd, Suite 1, Whiteley Mill Offices, 39 Nottingham Road, Stapleford, Nottingham NG9 8AD​ provided that the User justifies his/her identity. 

In addition, in the event the User considers that its rights have not been respected, the User of which the personal data is collected can lodge a complaint before the competent supervisory authority. For any additional information, you can review your rights on the websites of the competent authorities.  

The competent supervisory authorities are listed on the following website: 

http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.  

 

  1. COOKIES 

The Data Controller informs the User that Hivebrite, as well as its subcontractors, uses a tracking technology on its terminal such as cookies whenever the User navigates on the Platform subject to the conditions described in the Data Controller Cookie Policy  https://cstuk.org.uk/cookie-policy 

 

  1. RECIPIENT AND PERSONS AUTHORIZED TO ACCESS THE USERS’ DATA  

 

Only authorized persons working for the Data Controller and, in some cases, its subsidiaries, can access your personal data. The Data Controller makes its best effort to ensure that these groups of people remain as small as possible and maintain the confidentiality and security of User’s personal data. 

 

The Data Controller also uses trusted service providers to carry out a set of operations on his behalf for hosting. The Data Controller can also use service providers in the tech industry, editors of specific tools integrated in the Platform for technical purposes. 

      

The Data Controller only provides service providers with the information they need to perform the service and ask them not to use your personal data for any other purpose. The Data Controller does his best to ensure that all these trusted service providers only process the personal data on our documented instructions and provide sufficient guarantees, in particular in terms of confidentiality, expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of the applicable legislation, including for the security of processing.  

 

The Data Controller may be required to disclose or share your personal data to comply with a legal obligation, or to enforce or apply our terms of use/sale or any other conditions you have accepted; or to protect the rights, safety or property of CST Professional Development Ltd, its customers or employees. 

 

List of the main service providers: 

 

Service Provider 

Service 

You can consult the privacy policy by clicking on the following link: 

KIT UNITED 

 

44 rue la fayette  

75009 Paris 

France 

HIVEBRITE solution 

 

 

 https://hivebrite.com/privacy-policy 

 

 

Google Cloud Platform 

Gordon House, 4 Barrow St,  

Dublin, Ireland 

Hosting of all data and content produced / provided by the User, as well as images, profile pictures and backups 

https://cloud.google.com/security/privacy/ 

 

 

Amazon AWS 

38 avenue John F. Kennedy,  

L-1855, Luxembourg 

 

https://aws.amazon.com/compliance/gdpr-center/ 

Sentry 

132 Hawthorne Street San Francisco,  

CA 94107 

USA 

  

Production and storage of error logs enabling our developers 

to correct the code 

https://sentry.io/privacy/ 

Sendgrid 

375 Beale Street, Suite 300, 

San Francisco, CA 94105 

USA 

Sending of emails from the Platform 

https://api.sendgrid.com/privacy.html 

Hivebrite, Inc. 

16 Nassau St,  

New York, NY 10038, 

USA 

Customer support for the Platform 

 https://hivebrite.com/privacy-policy