Privacy Notice

CL Consortium Limited (trading as the Charity Learning Consortium)

Privacy Statement

CL Consortium Limited (trading as the Charity Learning Consortium) (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Notice explains how we collect, process, store, and share your personal information. It describes your rights and how to exercise them. Our approach ensures compliance with UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025, and PECR.

Changes to the Privacy Notice

This version was last updated on 25th July 2025 and historic versions are archived here (https://charitylearning.org/privacy-notice-archive/).

1. Personal Data We Collect

We collect personal data from existing and prospective customers, including but not limited to:

  • Contact & identity: names, job titles, email addresses, telephone numbers, postal addresses.
  • Account & financial data: customer IDs, billing records, invoices, payment histories.
  • Meeting & event logs: meeting notes, evaluations, attendance records, feedback, event communications.
  • Website usage data: cookies, IP addresses, device and browsing information (see Section 5).
  • Support & communication logs: email exchanges, support tickets, chat logs.

Note: Data within our Learning Management System (LMS) is excluded from this Privacy Notice.

2. Legal Bases & Purposes for Processing

Purpose

Data

Legal Basis

Account management, invoicing, CRM

Contact, financial, meeting, support data

UK GDPR Art. 6(1)(b) – performance of contract; DUAA recognized legitimate interests (e.g., intra-group, marketing)

Marketing events/updates

Contact, event logs

UK GDPR Art. 6(1)(f) – legitimate interest; under DUAA, soft opt-in permitted

Website operation and analytics

Cookies, usage data

PECR compliance: limited-functionality cookies allowed without consent; clear opt‑out given

Legal obligations & fraud prevention

All relevant data

UK GDPR Art. 6(1)(c) – legal obligation; Art. 6(1)(f) – safeguarding business

We will not process special category data or rely on automated decision-making.

3. Direct Marketing Communications

Where we communicate with individuals who’ve previously engaged with us (e.g., registered interest or made purchases), we rely on recognised legitimate interests for relevant email marketing, offering opt-out options in every communication. 

We will only send direct marketing communications (e.g. newsletters, event invitations) where we have your consent or a lawful basis under PECR.

4. Cookies & Online Tracking

In line with DUAA and enhanced PECR:

  • Consent not needed for strictly necessary, performance, analytics, or functional cookies—provided clear information is given and opt-out is available
  • We do not set non‑essential third‑party tracking cookies without user consent.

Our Cookie Policy provides details.

5. Data Subject Rights

Under UK GDPR & DUAA:

  • Access: You have the right to access your personal data. We will provide it within one month, but may pause the clock while verifying your identity or clarifying your request (the “stop‑the‑clock” provision)
  • Rectification, erasure, restriction, portability, objection: available subject to data protection principles.
  • Withdraw consent at any time (e.g., marketing emails) by contacting us.

We log and acknowledge all data access/complaints within 30 days, as required under DUAA .

6. Data Retention

We retain your personal data only as long as necessary for:

  • The purposes we collected it for
  • Contractual obligations, billing, event follow‑up
  • Reporting requirements
  • Legal and tax obligations
  • Handling disputes or claims

When no longer required, data is securely deleted or anonymised.

7. Data Security & Breaches

We maintain appropriate organisational and technical controls to protect your data.

In the event of a personal data breach:

  • We notify the ICO within 72 hours if required
  • We will inform affected individuals “without undue delay”
  • We provide details of the breach, potential impact, mitigations, and support options

8. International Transfers

We only transfer personal data outside the UK to countries providing “essentially equivalent” protections, or where additional safeguards are in place, in line with DUAA updates to international transfer rules.

9. Transition on Closure or Sale

If CL Consortium Limited is sold, merged, or dissolved, we will securely transfer your personal data to the new entity under similar protection standards. If we cease to exist without a successor, personal data will be securely destroyed or anonymised.

10. Complaints & Contact

If you have concerns or complaints about our use of your personal data, please contact us:

  • Data Protection Officer: Martin Baker
  • Email address:  dataprotection@charitylearning.org
  • Postal address: Data Protection Officer, Charity Learning Consortium, Vine House, Selsley Road, North Woodchester, Stroud, Gloucestershire GL5 5NN.
  • Telephone number: 0203 974 1511

You may lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk/concerns

11. Updates to This Notice

We will update this Privacy Notice as laws or our practices evolve. We encourage you to review it periodically. The latest version is dated 25 July 2025.

Approved by: Martin Baker

Data Protection Officer (CEO & Founder)

Reviewed & Approved: 25 July 2025
Effective Date: 25 July 2025

___________________________________________________________________________