Back to Top

Data Privacy Notice for clients

RBA International Limited  and its subsidiaries and affiliated companies care about your privacy and are committed to processing your personal information in accordance with fair information practices and applicable data privacy laws.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the Data Protection Act 1998 and the General Data Protection Regulation 2016/679 (the “GDPR”).

In the case of a corporate contract involving registrations with more than one delegate/user/candidate, it is the responsibility of the client to share this data privacy notice with all the parties involved/registered to inform them of their rights and of how their data will be processed.

Who are we?

RBA International will be what’s known as the ‘Controller’ of the personal data you provide to us. We collect personal data about you which does includes name, address, email, phone number, bank details. This means RBA International decides how your personal data is processed and for what purposes.


How do we process your personal data?

RBA International complies with its obligations under the Data Protection Act / GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.


We use your personal data for the following purposes

  • For Contract customers
    • To enable us to provide ongoing support to Candidates;
    • To administer customer records;
    • To maintain our own accounts and records.

We also use your personal data

  • to maintain, support and manage websites, access, and other related services that individuals have requested.
  • to inform individuals of alerts and notifications related to their access to the websites; as applicable
  • to contact individuals about their opinions of current services or of potential new services that may be offered.


What is the legal basis for processing your personal data?

  • Processing is necessary for the performance of a learning/service agreement contract with the data subject;
  • Processing is necessary for the provision of support and related services;
  • Processing is necessary for compliance with a legal obligation;
  • Processing is necessary to protect the vital interests of a data subject or another person;
  • Processing is necessary for the performance of a task carried out in the customers interest or in the exercise of official authority vested in the data controller;
  • Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.

The processing relates only to existing customers and there is no disclosure to a third party without consent (except in cases of legal intervention, where we are obliged by law to divulge such information).

Sharing your personal data

Your personal data will be treated as strictly confidential and will be shared only with contacts you have specifically asked us to share data with. We will only share your data with third parties outside of RBAI International with your consent.


Where do we store your data?

All the personal data we process is processed by our staff in our London and Irish offices. We store customer and related data in our CRM system, which is an application running on the servers within our London office.

For the purposes of IT hosting, backups, cloud services and maintenance this information is located on secure servers in UK and Ireland.

We have a Data Protection regime in place to oversee the effective and secure processing of your personal data which will continue to be monitored.

Data access control

We have security arrangements in place to guard against unauthorised access, improper use, alteration, destruction or accidental loss of your personal information. Both hard and soft version of the documents containing personal information are safe, and their access is restricted based on our legal obligations, contract requirements and your consent.

We have previously implemented measures and will continue, to prevent our systems from being used by unauthorised persons. This is achieved by having:

  • individual and role-based user accounts.
  • centralised, standardised password management and password policies.
  • deactivation of user accounts after 3 failed login attempts.


Individuals that are granted access to our systems, are only able to access the data that is required to be accessed within their scope of responsibilities and to the extent covered by their respective access permission; and such data cannot be read, copied, modified or removed without specific authorisation. This is accomplished by:

  • authentication at operating system level.
  • segregation of duties and authorisations between users, administrators and system developers.
  • remote access only via VPN including appropriate authorisation and authentication

Logging of system and network activities to produce an audit trail in the event of system misuse.


How long do we keep your personal data?

We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed if it is no longer required. Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information.


Your rights and your personal data

  • Unless subject to an exemption under the Data Protection Act / GDPR, you have the following rights with respect to your personal data:
  • The right to request a copy of your personal data RBAI International holds about you;
  • The right to request that RBA International corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for RBA International to retain such data;
  • The right to request that RBA International provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable);
  • The right to lodge a complaint with the Information Commissioners Office.




Data Breaches:

All data breaches (accidental disclosures/losses of personal data) MUST be reported to the Data Protection Officer, as soon as the breach has been discovered so that appropriate measures can be taken to recover the data and limit any damage. The Lafferty Group is obliged to report any breaches to the Information Commissioner Office (ICO) within 72 hours.

You can contact the Information Commissioners Office on 0303 123 1113 or via email or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.