1. Introduction

1.1 The purpose of this document is to outline:

• How MATCPD LIMITED ensures compliance with the UK GDPR and Data Protection Act 2018

• The roles and responsibilities relevant to internal compliance

• How compliance with this policy is monitored

This policy applies to processing of personal data carried out by MATCPD LIMITED, including processing carried out by joint controllers, contractors, and processors.

1.2 MATCPD LIMITED adheres to the six data protection principles, ensuring personal data is:

• Processed lawfully, fairly, and transparently

• Collected for specified, explicit, and legitimate purposes

• Adequate, relevant, and limited to what is necessary

• Accurate and kept up to date

• Retained only as long as necessary

• Processed securely to maintain confidentiality and integrity

1.3 MATCPD LIMITED implement appropriate measures to demonstrate compliance and accountability, minimising risks to individuals' rights and freedoms.

1.4 In addition, the accountability principle requires us to be able to evidence our compliance with the above six principles and make sure that we do not put individuals at risk because of processing their personal data. Failure to do so, can result in breach of legislation, reputational damage, or financial implications due to fines. To meet our obligations, we put in place appropriate and effective measures to make sure we comply with data protection law.

1.5 Staff have access to relevant policies, procedures, and training materials, including:

• Record Retention Schedule

• Appropriate Policy Document for Special Categories and Criminal Offence Data

• Data protection training resources

2. Information Covered by Data Protection Legislation

2.1 "Personal data" refers to any information relating to an identified or identifiable natural living person.

2.2 Pseudonymised data falls under data protection laws, whereas anonymised data does not, provided it cannot be re-identified.

2.3 Special category data includes information on:

• Racial or ethnic origin

• Political opinions

• Religious or philosophical beliefs

• Trade union membership

• Genetic data

• Biometric ID data

• Health data

• Sexual life and/or sexual orientation; and

• Criminal data (convictions and offences)

3. Our Commitment

3.1 MATCPD LIMITED is dedicated to lawful, fair, and transparent processing of personal data for customers, staff, and other stakeholders.

3.2 Privacy Notices: We publish up-to-date privacy notices on our website and provide them when collecting personal data.

3.3 Training: All staff undergo mandatory annual training on data protection and cybersecurity, with additional training during induction.

3.4 Data Breaches: We have procedures to detect, report, and investigate personal data breaches, notifying the ICO and affected individuals when necessary.

3.5 Data Subject Rights: We handle requests related to data subject rights, including access, rectification, erasure, and objection.

3.6 Data Protection Impact Assessments (DPIAs): We conduct DPIAs for high-risk processing activities to assess and mitigate risks.

3.7 Records of Processing Activities (ROPAs): We maintain comprehensive records of our data processing activities.

3.8 Policies and Procedures: We have established policies and procedures to guide staff in data protection matters.

3.9 Contracts: We ensure that contracts with third parties include data protection clauses compliant with UK GDPR.

4. Roles and Responsibilities

4.1 The Board of MATCPD LIMITED oversees data protection compliance and governance.

4.2 Data Protection Officer (DPO): Pippa Lloyd

Email: data@matcpd.com

The DPO advises on compliance, conducts DPIAs, manages data breaches, and handles data subject requests.

4.3 All employees, associates, and contractors must adhere to data protection policies and ensure the security of personal data they handle.

5. The Information We Collect

We collect personal data when you:

• Register for events or training sessions

• Confirm participation as a speaker or chairperson

• Submit abstracts or proposals

• Use our contact and survey forms

• Subscribe to updates or newsletters

• Begin but do not complete a booking

• Attend virtual events and provide details via online platforms

• Participate in event evaluations

• When you visit our website, we use Google Analytics to gain insights into how users interact with the site. This data is aggregated and anonymised, meaning it does not allow us to identify individual users. For more information on how to opt out of tracking, please refer to our Cookies Policy page

6. How We Use Your Information

We process your personal data for the following purposes:

• Event management: To handle your booking, communicate any updates, include your details (name, job title, and organisation) on delegate and attendance lists, issue attendance certificates, and provide session reminders and other relevant information related to your booking

• Communications: To keep you informed about upcoming events, relevant updates, and special offers

• Marketing: To contact you via email, phone, or post with news and events related to those you’ve attended or shown interest in. You may opt out at any time by using the unsubscribe link in our emails or by contacting us directly

• Website improvement: To enhance our website and services through the use of aggregated, anonymised analytics data

Payments are securely handled by our third-party provider, Stripe (see Stripe's Data Processing Agreement). We do not store your credit or debit card information.

We also use Google Analytics to understand and improve user experience on our website. This data is anonymised and does not identify individual users. For details on managing tracking preferences, see our Cookies Policy page.

7. Security

We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, alteration, disclosure, or destruction.

8. Cookies and Tracking Technologies

Our website uses cookies to enhance user experience and analyse site usage.

Cookies are categorised as:

• Strictly Necessary Cookies: Essential for website functionality.

• Performance Cookies: Help us understand how visitors interact with our website.

Users can manage cookie preferences through their browser settings. More information can be found here on our Cookie Policy webpage.

9. Links to Other Websites

Our website may contain links to external sites. We are not responsible for the privacy practices of other websites and encourage users to read their privacy policies.

10. Controlling Your Personal Information

MATCPD LIMITED will not share your personal data outside of the Keystone group of companies or with any third parties unless one of the following conditions applies:

· Transactional Necessity: Where sharing is necessary to fulfil or support the delivery of a service you have requested—for example, processing event bookings, issuing CPD certificates, or managing attendance

· With Your Consent: Where you have explicitly given consent for your information to be shared

· Legal Obligation: Where we are legally required to do so by law, regulation, court order, or other lawful authority

In any case where your data is shared with a third party, we will take appropriate steps to ensure it is handled securely, in line with data protection legislation and your rights. All third parties are required to process your data in accordance with the UK GDPR and only for the purposes specified.

If your personal data is ever transferred outside the European Economic Area (EEA) or the USA, we will ensure that adequate safeguards are in place to protect your information, such as using only providers who adhere to recognised data protection frameworks or by implementing Standard Contractual Clauses.

You have the right to:

• Access the personal data we hold about you

• Request correction or deletion of your data

• Object to or restrict certain processing activities

• Withdraw consent at any time, where processing is based on consent

To exercise these rights, contact our DPO at data@matcpd.com

11. Legal Basis for Processing

We process personal data based on:

• Contractual necessity: To fulfil our obligations when you register for events

• Legitimate interests: For marketing and service improvement, balanced against your rights

12. Data Controller and Processor

MATCPD LIMITED is the data controller. For certain activities, we may engage third-party processors under strict contractual obligations to ensure data protection compliance.

13. Monitoring and Review

Our DPO monitors compliance with this policy and reports to the Board. This policy is reviewed regularly to ensure ongoing compliance with data protection laws.

Annex A – Glossary

• Personal data: Any information relating to an identifiable living individual who can be identified from that data, or from that data and other data. This includes not just being identified by name but also by any other identifier such as ID number, location data or online identifier, or being singled out by any factors specific to the physical, physiological, genetic, mental, cultural or social identity of the individual.

• Processing: Anything that is done with personal data, including collection, storage, use, disclosure, and deletion.

• Special category personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.

• Controller: The organisation (or individual) which, either alone or jointly with another organisation (or individual) decides why and how to process personal data. The Controller is responsible for compliance with the DPA and GDPR.

• Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

• Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.