Data Protection Policy

As a data processor, Project & Commercial Dispute Resolutions Ltd (‘Project CDR’), (from now on in this policy named as the Organisation) are committed to protect the privacy and security of all employees’, customers’, suppliers’, clients’ or any individuals’ personal data information we might process. The Organisation processes different categories of data obtained from various sources (contracts of employment, company and site inductions, job applications, training records, company web pages), and at all time this data is managed in accordance with the General Data Protection Regulation (GDPR).

Compliance with the GDPR is described by this policy and supported by other relevant documents such as the Company Social Media policy, HR Data Protection Policy, Data Access Confirmation, Data Protection Consent, in addition to relevant processes and procedures. Compliance with data protection legislation is the responsibility of all direct or indirect Employees of the organisation who access and/or process personal data.

The GDPR and this policy applies to all of the Organisation’s personal data processing, including those from customers, employees, suppliers and any other personal data the Organisation processes from any source.

Partners and any third parties working with or for the organisation, and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy.

Any breach of the GDPR or this policy will be dealt with under the Company Disciplinary Procedure and may also be treated as a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

The organisation will only process personal data under the following circumstances:

  • The data subject has given consent to the processing

  • Processing is necessary for performance of a contract between the two parties

  • Processing is necessary for compliance with a legal obligation

  • Processing is necessary to protect the data subject’s vital interests

  • Processing is necessary in order to protect a public interest or exercise official authority

  • Processing is necessary for the purpose of legitimate interests, so long as fundamental rights and freedoms aren’t infringed.


“Data subject” -any living individual who is the subject of personal data held by the organisation.

"Personal data" -any information that relates to an individual who can be identified from that information. "Special categories of personal data" -information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

“The Organisation” – Project & Commercial Dispute Resolutions Ltd (‘Project CDR’).

“Processing” any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal data breach” a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.


As a data processor, the organisation must conduct personal data management in accordance with the data protection principles as set out in Article 5 of the GDPR.

  • Personal data must be processed lawfully, fairly and transparently

  • Personal data can only be collected for specific, explicit and legitimate purposes

  • Personal data must be adequate, relevant and limited to what is necessary for processing

  • Personal data must be accurate and kept up to date with every effort to erase or rectify without delay.

  • Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.

  • Personal data must be processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Access to personal data shall be limited only to personnel who require access for legitimate business needs and appropriate security should be in place to avoid unauthorised sharing of information.

When personal data is deleted this should be done safely in such a way that the data is irrecoverable. The Organisation shall ensure that personal data retained is adequate, relevant and limited only to what is necessary in relation to the purposes for which they are processed. The Organisation takes the privacy of Employees, Customers and Suppliers very seriously and will never disclose, share or sell data without consent, unless required to do so by law or contract.

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the organisation shall promptly assess the risk to the rights and freedoms of those affected and if appropriate report this breach to the ICO (‘Information Commissioner’s Office’). In the case that you consider you or anyone from the organisation has come across any of the above, the Employee must immediately inform the Project CDR GDPR representative by sending a mail to

Retention period

The Organisation will retain the personal data. However, individuals may execute his/her rights to rectification or erasure of data, or to restrict or object to processing. To make such a request, may be contacted. This policy is subject to modification.