Contact Us
ChatGPT Summarize Button

Introduction

GCC Data Protection is a brand owned and operated by Practical Data Protection Ltd, which is the data controller. We can always be contacted at [email protected].

This privacy notice is designed to serve the requirements of the KSA PDPL as well as the UK GDPR and the Data Protection Act 2018.

We are registered with the Information Commissioner’s Office (ICO), the UK’s data protection authority. Our registration number is ZB844000.

✓ You are in control of how we communicate with you – and you can change your preferences at any time by contacting us.

✓ We will ensure that your information is managed appropriately and in line with applicable laws and regulations.

✓ We will not transfer your data to third parties, except for individuals who conduct work for us and trusted partners who carry specialist processing e.g., accountant, bank for financial transactions.

✓ We have done all checks possible to verify that any third parties comply with data protection legislation and will only use them if we are satisfied that they take your privacy seriously.

Purpose and data

If you enquire about our services, we will collect the personal details that you provide us with. Where we wish to market, we only do so business-to-business, using names, job titles, company names, countries, and email addresses. We may also use your data to analyse feedback and interactions to improve our services.

Legal Basis

We manage enquiries, marketing, and service improvement under legitimate interests, which include:

Responding to enquiries to provide relevant information about our services.

Business-to-business marketing to share updates, offers, or relevant information.

Analysing interactions to improve the quality and relevance of our services.

We always provide clear options to opt out of further communication and fully respect your preferences. You can opt out at any time by emailing us at [email protected] or using the opt-out features included in any communication that we send out.

Retention of Data

We will retain your data for no more than two years, unless we enter into a contract with you. In such cases, your data will be retained in accordance with the terms of the contract and any applicable legal requirements.

Purpose and data

We collect personal data from clients to understand how we can assist with your data protection needs. We may collect further information to provide consultancy services. The personal data we process includes:

  • Names, email addresses, and other contact details of you or the staff we work with.
  • Details required for invoicing, which may include personal data.
  • Any additional information you provide to enable us to deliver our consultancy services.

We will not undertake any processing that is incompatible with these purposes unless we make this clear and obtain your consent.

Legal Basis

The lawful basis for processing personal data is:

  • Contract: If you are a party to the contract.
  • Legitimate Interests: If you are an employee of an organisation we contract with.

Retention of data

In the UK, where we have a contractual relationship, we will retain your data for a maximum of six years. In GCC countries, we will retain the data for a maximum of ten years. These periods are dictated by insurance and legal requirements.

For any data we process on your behalf as a data processor, it will be deleted or returned in accordance with the terms of our data processing agreement.

Purpose and Data

We collect personal data to manage and facilitate your participation in training sessions, webinars, and other events. We use third-party platforms such as Eventbrite for event registration and Microsoft Teams or Google Meet to host virtual meetings.  The personal data we process includes:

  • Names, email addresses, and other contact details necessary for event registration and participation.
  • Information you provide during the event (e.g., feedback or questions).
  • Payment details (if applicable) when events require payment, processed securely through Eventbrite.

Please note that when participating in virtual events, your name, email address, and other details (e.g., profile picture, if enabled) may be visible to other participants.

Legal Basis

The lawful basis for processing personal data is:

  • Contract: If you register for a paid event or if participation is subject to specific terms.
  • Legitimate Interests: For free events or when we communicate with individuals representing their organisations.

Retention of Data

We will retain personal data related to training and events for a maximum of two years following the event, unless longer retention is necessary for legal or accounting purposes.

Third-Party Platforms

We use the following platforms to facilitate events:


When using these platforms, your data is processed in accordance with their respective privacy policies. We recommend reviewing these policies to understand how your data is handled.

We are very mobile and travel and work in different territories and countries.

Therefore, we routinely transfer personal data collected from the UK and GCC countries to external regions, including Europe, the UK, North America and the Far East.

Wherever we are, all data stays in our environment, which is predominantly Microsoft 365. We do not download information onto local drives if it contains personal data. We also avoid collecting sensitive personal data of clients or third parties, although we do have a little sensitive personal data about our employees, which is covered by the UK GDPR as this is where we are headquartered.

For all transfers to countries with strong data protection laws, such as Europe or GCC countries, we have ensured our data transfers are compliant.

Where we transfer to countries that do not have data protection laws or very weak ones, we have conducted a thorough assessment in line with Chapter 2 of the KSA Transfer Regulation and determined that we can implement effective security measures and manage access controls to safeguard data subject rights without compromise. This ensures that all our data transfers are compliant with applicable data protection laws and do not undermine the rights and freedoms of the data subjects involved.

We use the following Microsoft products:

Teams, SharePoint and Outlook which are supported within the EEA. We will only use Microsoft Forms if requested or approved by our clients. We have a Data Protection Impact Assessment in place for the use of Microsoft 365 and appropriate standards by backup servers in the UK.

Microsoft have confirmed that other tools such as Microsoft Forms are backed up on servers operating procedures for our staff to ensure safe usage.

We use other services in addition:

We will not share your information with any third parties for the purposes of direct marketing.

All personal information is kept in secure SharePoint folders within the Microsoft environment. All devices have 2FA and are encrypted. All cloud-based applications for hosting, storing, and processing your data, depending on the service or contract we have with you, fall under Microsoft products. Their privacy policy can be found here: https://privacy.microsoft.com/en-gb/privacystatement

Under data protection law you have certain rights that you can exercise in regard to your personal data, these are outlined below:

✓ You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

✓ You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

✓ You have the right to ask us to erase your personal information in certain circumstances. 

✓ You have the right to ask us to restrict the processing of your information in certain circumstances.

✓ You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests. Your right to portability only applies to information you have given us.

✓ On occasion we may rely on consent for a legal basis and on such occasions, you have the right to withdraw this consent at any time. The same is true for legitimate interest unless there is an overriding reason not to and this aligns with the law.

✓ You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right applies when we are processing your data with your consent or for the performance of a contract and when we are carrying out the processing by automated means.

Your rights are not absolute in some cases and exemptions and/or restrictions may apply. You can find out more about your rights on the ICO or SDAIA websites, depending on where you are based. If you are the data subject of one of our clients and you make an information rights request with us, we will refer your request to them as the data controller.

What are cookies?

This Cookies Policy explains what cookies are and how we use them, the types of cookies we use i.e, the information we collect using cookies and how that information is used, and how to manage the cookie settings.

Cookies are small text files that are used to store small pieces of information. They are stored on your device when the website is loaded on your browser. These cookies help us make the website function properly, make it more secure, provide better user experience, and understand how the website performs and to analyze what works and where it needs improvement.

How do we use cookies?

As most of the online services, our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data.

The third-party cookies used on our website are mainly for understanding how the website performs, how you interact with our website, keeping our services secure, providing advertisements that are relevant to you, and all in all providing you with a better and improved user experience and help speed up your future interactions with our website.

Types of Cookies we use

Manage cookie preferences

Cookie Settings

You can change your cookie preferences any time by clicking the above button. This will let you revisit the cookie consent banner and change your preferences or withdraw your consent right away.In addition to this, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block/delete the cookies. Listed below are the links to the support documents on how to manage and delete cookies from the major web browsers.

https://support.google.com/accounts/answer/32050

Safari: https://support.apple.com/en-in/guide/safari/sfri11471/mac

Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectslug=delete-cookies-remove-info-websites-stored&redirectlocale=en-US

Internet Explorer: https://support.microsoft.com/en-us/topic/how-to-delete-cookie-files-in-internet-explorer-bca9446f-d873-78de-77ba-d42645fa52fc

If you are using any other web browser, please visit your browser’s official support documents.

If you have any concerns about our use of your personal information or any queries about our processing activities, you can contact us.

You also have the right to complain to the ICO or SDAIA (depending on where you are based) if you are unhappy with how we use or have used your data.

This Privacy Notice will be reviewed annually and as and when relevant legislation or when our data processing activities change. The last review of this Privacy Notice took place on 1st December 2025. 

A boutique consultancy of data protection experts, helping companies in the GCC comply with data protection laws.

Practical Data Protection Ltd, a company registered in the UK at 20 Wenlock Road, London N1 7GU, United Kingdom, Companies House Registration Number 15101061 is trading under the brand name GCC Data Protection.

© Practical Data Protection Ltd