Privacy Policy

PCI PAL Global Privacy Notice
Effective Date: 3rd December 2025, Version 1.0

1. Introduction and Contact Information

PCI PAL (referred to as “we”, “our” and “us”) is committed to protecting the privacy and security of your personal data. We have developed this data protection notice (“notice”) to inform you of the personal data we collect, what we do with your personal data, what we do to keep it secure, and the Rights you have over your personal data.

Throughout this notice we refer to global data protection legislation which includes:

• The UK GDPR, Data Protection Act 2018, PECR 2003 and Data (Use and Access) Act 2025
• The EU GDPR and e-Privacy Directive
• Canadian PIPEDA 2014
• Australian Federal Privacy Act 1988 and Australian Privacy Principles (“APP”)
• US Federal and State Privacy laws as applicable

The above also includes any new or replacement legislation which may come into force from time to time.

PCI PAL is a data controller where we have determined the purposes for which personal data should be collected and processed. We act as a data processor when we provide our services to our clients and act on their instructions (see below).

As we are a UK-based organisation, we are registered with the Information Commissioner's Office (the ICO) with registration numbers ZA202963 and Z7602903.

You can contact any one of our global offices using our details included in our contact us sub-page.

We have appointed an external Data Protection Officer (DPO) and their details are as follows:

Name: RA Data Protection Ltd
Website: https://radataprotection.com/
Email: [email protected]

You can also use the above contact information to raise or discuss any data protection matters, complaints and/or concerns.

We have also appointed an EU GDPR Representative called Saltire Data Protection Services Limited, which is based in Ireland. If you would like to contact our EU GDPR Representative you can do so by clicking this link and following the instructions.

Our Lead EU Supervisory Authority is the Irish Data Protection Commission link.

Please note PCI PAL is a B2B/B2G company and does not provide any B2C services at any time.

2. Legal Basis for Data Processing

Data protection legislation requires us to identify an appropriate legal basis to process personal data. The legal bases we rely on as a data controller are detailed below:

• Consent
• Contractual Obligation
• Legal Obligation
• Vital Interests
• Legitimate Interests

Also, due to the nature of our organisation, we may need to process special category personal data (e.g. health data). Where we process special category personal data, we ensure the relevant condition is identified and documented as required.

3. Data Subjects

Due to our business activities, we may process personal data of the following individuals (“data subjects”):

• Enquirers
• Customers
• Social media users
• Job applicants
• Employees (current and former)
• Suppliers/Vendors

The above list is representative and non-exhaustive.

4. Personal Data We Collect

The personal data we process consists of the below:

• Name
• Postal address (including country)
• Email address
• Telephone number
• Recruitment data (e.g. CVs)
• CCTV images

The above list is non-exhaustive and representative.

5. How We Collect Personal Data

We collect personal data in different ways. Examples include:

• Through our websites
• Through calls, emails, letters
• Social media interactions

The above list is non-exhaustive and representative.

6. How We Use Personal Data

We will only use your personal data for the below processing activities:

• To communicate with you regarding our services and non-marketing news
• To process job applications
• For our internal records
• To process any orders and refunds
• To update and improve our website
• For any legal disputes and to defend legal claims
• Marketing news and communications
• To protect our premises and the security of our employees
• To handle any enquiries or complaints

The above list is non-exhaustive and representative.

7. PCI PAL as a Data Processor

For the services and products we offer to our customers we act as a data processor under data protection legislation. We do not determine the purposes of how and why personal data should be collected and processed, and we act under the instructions of our clients, who are the data controllers.

We have a Data Processor Agreement (‘DPA’), which you can access via this link. It covers our roles, responsibilities and obligations with data processing and is reviewed regularly with our DPO and legal team. If you have any questions or concerns about the DPA please do not hesitate to contact us using our details above.

8. Third-Parties Who We May Share Personal Data With

We do not rent, sell or purchase personal data to and from other organisations. In order to ensure we can complete various activities we may need to share personal data with other third parties we contract with. Below are examples of who we may share personal data with:

• Employee benefit providers
• Legal and compliance advisers
• Third party software vendors and suppliers for technical assistance

The above list is non-exhaustive and representative. Where we are required to share data with third parties, we will work with them to ensure the correct agreement is put into place.

Please note there may also be instances where we may need to share personal data with a competent law enforcement body, regulatory body, government agency, court, or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation or (ii) to exercise, establish or defend our legal rights.

9. CCTV

We operate CCTV in and around our premises. We operate CCTV in line with our legitimate interests, prevention and detection of crime and health and safety purposes. For more information on our use of CCTV you can contact us using our details above.

10. Call Recordings

We don’t record calls made into our telephone lines, but if our clients are experiencing any technical product difficulties we will ask for consent to record telephone calls in order to resolve issues. After the technical difficulty has been resolved we will delete any recordings made. For more information you can contact us using our details above.

11. Children’s Data

Our products and services are not aimed towards children and we do not market to children either.

12. Recruitment

We advertise roles on the careers section of our websites, and on other websites (e.g. LinkedIn). You can find more information on how we process recruitment data in our recruitment privacy notice.

13. Marketing and Social Media

We carry out marketing communications to help ensure those who have expressed an interest in our marketing and promotional activities are contacted with these updates, but only when we have captured their consent via our website. Our marketing communications are carried out by our marketing teams in the UK and USA.

We use social media sites such as X and LinkedIn for sharing news, updates and promotional activities, as a few examples. Our use of social media enables us to interact with customers (including potential customers), reach new audiences and showcase our products and services, as a few examples. When you interact with us on social media through means such as “likes”, “shares” or leaving comments, this enables us to see certain social media details (e.g. names, social media handles and photos). We don’t record or copy any social media profiles or details, but you should be aware that when interacting with us on social media, other users or viewers can view your profile and any comments/feedback, and it is your responsibility to ensure you have set up suitable and appropriate privacy settings for your use of social media.

14. Global Data Transfers

As with many global companies, there may be instances where your personal data may need to be transferred to other countries. These countries may be in the European Economic Area (EEA; the EU member states, Norway, Iceland and Liechtenstein), in an adequate listed country or in other third countries who may not have strict and similar data protection laws to the UK.

Where we have identified that personal data needs to be transferred outside the UK, we will ensure there is a legitimate purpose for the data transfer, that it is documented where needed and that the correct data transfer mechanism under data protection law is relied on. For more information you can contact us using our details below.

15. Cookies

For details on the cookies we use on this website and how you can change your consent, please see our cookie notice on our website.

16. Links to Other Websites

Our website contains links to other third party websites. We have no control over, and are not liable for, these sites, the content on these sites or how these sites protect your personal data. Please refer to their own privacy notices within them.

17. Data Retention

As a data controller we will retain personal data to provide our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations. We will retain personal data for as long as necessary in line with various requirements, such as best practice recommendations (e.g. ICO recommendations), relevant guidelines (e.g. ACAS guidance) or for as long as mandated under specific legislation (e.g. HMRC requirements). We will also determine appropriate retention periods based on our legitimate interests where identified.

As a data processor we will retain personal data for as long as required as set by our client data controllers.

At the end of the retention period personal data will be securely deleted or anonymised.

18. Data Security

We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. If we become aware of any loss, misuse or alteration of personal data we will investigate the incident at hand and report such instances to relevant parties when needed. You can also view our various security framework credentials on our website.

19. Data Subject Rights

Under data protection legislation individuals have the following rights:

1. Right to be informed
2. Right to access personal data
3. Right to rectify personal data
4. Right to erase personal data
5. Right to object to personal data
6. Right to have data ported
7. Right to restrict personal data
8. Right to not have personal data processed by automated means and profiled

If you would like to exercise any of the above Rights you can do so by sending a written request using the details above. Please note we may ask for ID (e.g. passport scan, driver's licence, etc.) to verify identity where needed. Upon successful verification we will delete and remove all copies of ID received.

Should we also require an extension of time to help fulfil any Rights request, we will be sure to contact requestors as soon as possible with the reason(s) why an extension is needed and when Rights requests can be fully carried out and completed.

Please also note that if we receive a Rights request as a data processor, we will forward the request to the client controller who may then contact you directly for additional information or to confirm if the Right is exercised or not.

20. Concerns and Complaints

If you have any concerns and/or complaints about this privacy notice and/or how we process personal data please contact us using our details above.
You can make a complaint to data protection authorities at any time; however, we hope that you would consider raising any issue or complaint you have with us first. Below is a list of authorities and contact links:

• UK ICO link
• Irish Data Protection Commission link
• Australian Office of the Australian Information Commissioner link
• Office of the Privacy Commissioner of Canada (English) link
• US North Carolina Department for Information Technology link

We will check these links for updates and amendments from time to time.

21. Privacy Notice Updates

We will review this notice and make changes to it from time to time. We recommend that you check this notice to see where changes have been made and to ensure you are able to review updated information at all times.