CILEX (Chartered Institute of Legal Executives) Privacy Statement

A. Who We Are and How to Contact Us

CILEX (Chartered Institute of Legal Executives) is the Governing Body for the Chartered Legal Executives, Paralegals, and other Legal Professionals. CILEX, as a professional association provides professional development, support, and guidance to its Members. It delivers legal education and training through CILEX Law School (CLS), qualifications through its Awarding Body function and independent regulation through CILEX Regulation (CRL).

CILEX is incorporated by Royal Charter (RC000850). Our registered address is: CILEX, 2nd Floor, The Pinnacle, Midsummer Boulevard, Milton Keynes, MK9 1BP.

CILEX is an Awarding Organisation and it is required to share Personal Data with our Regulators, appropriate Government Agencies and Partner Organisations.

In most circumstances, CILEX is the Data Controller, in relation to the Personal Data that it holds and the processing activities that it undertakes as outlined below. This means that CILEX decides why and how the Personal Data that it holds is processed and that where it delegates the sharing of that data to other companies within CILEX and those those companies act as Data Processors.

Below is a description of a controller responsibility:

• CILEX (Chartered Institute of Legal Executives): Membership, Governance, Communications

• CILEX Law School: Education, Exams, Learning Platforms

• CILEX Regulation: Regulatory Functions

• CILEX Foundation: Grants and Financial Assistance

Each entity acts as an independent Data Controller for its own processing activities unless otherwise stated.

If you have any questions about this Privacy Statement, then please log in to myCILEX Portal and go to Contact Us, then select ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. If you do not have access to the myCILEX Portal or you do not wish to log your details on the system, please contact us by email at [email protected].

B. How We Communicate with You

CILEX communicates with members, students and other individuals for a range of purposes connected with the delivery of our services and activities.

Service communications: We may send you service related and operational communications that are necessary to administer your membership, qualifications, assessments, regulatory obligations or interactions with CILEX. These communications are not marketing and are sent on the basis of contractual necessity, legal obligation or our legitimate interests. You may not be able to opt out of these communications while you continue to engage with our services.

Marketing communications: CILEX only sends marketing communications in accordance with the “How We Communicate With You” section of this Privacy Statement. Marketing communications are sent only where we are permitted to do so by law, and individuals You can manage your marketing preferences at any time through your account settings, by using the unsubscribe link in any marketing email, or by contacting us using the details set out in this Privacy Statement. Withdrawing consent will not affect service communications.

C. How and Why We Obtain Personal Data

CILEX only processes Personal Data, where we have a lawful basis to do so. This will depend on the activity, that we collect it for e.g., to provide Membership Services. In some instances, there may be more than one lawful basis for which we process your Personal Data.

The lawful bases for processing Personal Data can include Consent of the Data Subject, Contractual Necessity, Compliance with a Legal Obligation, Vital Interests, Public Interests and Legitimate Interests.

The lawful bases, which are relevant to CILEX are primarily, as follows:

1. Consent of the Data Subject

CILEX processes Personal Data, where you have given consent, including for newsletters, surveys, consultations, events, products, services and sending you marketing communications. You may withdraw your consent for marketing communications at any time.

2. Compliance with a Legal Obligation

CILEX processes Personal Data where there is a necessity to comply with legal obligations. This includes providing regulatory information to The Office of Qualifications and Examinations Regulation (Ofqual) or Department for Education (DfE), Qualification Wales, CCEA; regulation as an Approved Regulator under the Legal Services Act 2007 in the public interest, such as the maintenance of the CILEX Authorised Practitioners Directory). This also includes, but is not limited to, providing Personal Data to regulators, law enforcement bodies, and statutory bodies.

3. Legitimate Interests

Where we rely on legitimate interests to process personal data, these interests include maintaining professional and educational standards, supporting members and students, improving our services and qualifications, ensuring effective organisational governance, communicating essential service information, and protecting our systems and users from fraud or misuse.

We have assessed that this processing is necessary to achieve these purposes and does not override individuals’ rights and freedoms. Legitimate Interests Assessments are carried out where required, and individuals have the right to object to processing based on legitimate interests.

The law allows us to do so provided that the processing is fair, balanced and it does not unduly impact on your rights.

We may also rely on a Third Party’s Legitimate Interests, such as when an organisation has requested information or services from us and your Legitimate Interests, which may be the case in some of the examples given above (such as where you have made an enquiry).

4. Contractual Necessity

CILEX processes Personal Data to fulfil a Contract or take steps linked to a Contract. CILEX relies on a contractual obligation to provide the Products and/or Services to communicate with its Customers, in relation to the provision of the contracted Products and Services or to provide Administrative Support.

5. How We Process Personal Data

CILEX collects and processes Personal Data. Your Personal Data, however, it is provided to us, will be used for the purposes specified in this Privacy Statement or otherwise notified to you. In particular, we may use your Personal Data:

1. a. To provide you with services, products, or information that you have requested (including Membership Services and to enrol you on courses);
2. b. To administer examinations, applications, membership and to manage Employer accounts, in accordance with any related statutory or regulatory obligations. This may include background checks and Employer references;
3. c. To provide further information about our work, services, activities, or products;
4. d. To answer your questions or requests and to communicate with you in general;
5. e. To manage relationships with our members, with employers and other stakeholders and those who engage with our services and publications;
6. f. To further our organisational aims in general;
7. g. To analyse and improve our work, services, activities, products, or information (including our website) or for our internal records;
8. h. To report on the impact and effectiveness of our work;
9. i. To run and administer our Websites, keep them safe and secure and to ensure that content is presented in the most effective manner for you and for your device;
10. j. To register and administer your participation in events;
11. k. To process your application for a job or volunteer role with us, when you apply through our job vacancies page (including to conduct background checks and employer references);
12. l. For training and/or for quality control;
13. m. To audit and/or to administer our accounts;
14. n. To satisfy legal obligations, which are binding on us, for example, in relation to regulatory, government and/or law enforcement bodies with whom we may work with (for example, requirements relating to the payment of tax or Anti-Money Laundering);
15. o. For the prevention of fraud or misuse of services; and/or
16. p. For the establishment, defence and/or enforcement of legal claims.

The Personal Data We Collect, How We Collect It and Where Is It Stored

CILEX is committed to respecting the Personal Data that you supply us. The Personal Data that we collect will be relevant to the purposes for which it is to be used, and we will do our utmost to ensure that such Personal Data will be accurate, complete, and kept up to date. Whenever Personal Data is obtained from you, you will have access to information explaining how that Personal Data will be used.

1. The Personal Data We Collect

CILEX may collect, store, and otherwise process the following kinds of Personal Data:

1. a. Name and Contact Details, including Address, Telephone Number, Email Address, and Emergency Contact Details;
2. b. Date of Birth;
3. c. Financial Information, such as bank details and/or credit/debit card information;
4. d. Information about your computer or mobile device and your visits to and use of this website, including for example, your IP address and geographical location;
5. e. Video and Audio Recording, if you choose to take an online test or examination through the Online Invigilation Platform;
6. f. Unique Candidate Identifiers/Unique Learner Numbers;
7. g. Examination Results, the information about your Membership and your interactions with CILEX;
8. h. Details of your qualifications and experience and;
9. i. Through Cookies on our Website.

For further information on our Cookies Banner and the use of Google Analytics, please read our website Cookies Policy.

2. Special Categories of Personal Data

Special Categories of Personal Data/Sensitive Personal Data is: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data for this purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sexual orientation.

We may also collect Special Categories of Personal Data, such as gender, ethnicity, etc., whether you have a disability or any other protected characteristics (particularly related to where reasonable adjustments or access arrangements may be needed) and any information relating to a background check.

Such data will only be collected and/or provided to us if you have provided your Explicit Consent or if we are otherwise permitted to receive and process it under the UK Data Protection Legislation.

The lawful bases we rely on are limited to the following:

• Explicit consent (Article 9(2) (a)) where individuals voluntarily provide special catergory data, such as, equality, diversity, disability or health information, for example to request reasonable adjustments or to support inclusion monitoring.

• Employment, social security or social protection law (Article 9 (2) (b) ) where processing is necessary in connection with employment, recruitment and workforce management, including obligations relating to health, equality and workplace adjustments.

• Establishment, exercise or defence of legal claims (Article 9(2) (f) ) where processing is necessary for complaints, disputes, appeals ,disciplinary matters or the defence of legal claims.

• Substantial public interest (Article 9 (2) (g)) where processing is necessary to carry out regulatory, safeguarding or professional standards functions, including oversight roles performed by CILEX Regulation. This processing is carried out in accordance with the appropriate policy document and suitable safeguards.

Where the processing described in this Privacy Statement is likely to result in a high risk to individuals’ rights and freedoms, including online examination invigilation involving video and audio monitoring, CILEX has completed Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the UK GDPR. These assessments are used to identify and mitigate privacy risks and are reviewed where there are material changes to the processing activities.

3. How We Collect Personal Data

1. a. When you give your Personal Data to any part of CILEX directly.

For example, Personal Data that you give to us, when you communicate with us by email, phone or letter, such as when you apply to and become a member, complete a CILEX survey, take a test or examination, join a Specialist Reference Group (SRG), report a problem or sign-up to receive our communications.

2. b. When we obtain it indirectly.

For example, your Personal Data is provided by you to an approved training provider may be shared with us by training or learning providers, after you enrol for a course or submit your apprenticeship application form, in relation to which we provide the relevant qualification/assessments (as CILEX acts as an End-Point Assessment Organisation for apprenticeships) and we may also conduct background checks and obtain employer references or receive your Personal Data from dependent applicants to the CILEX Foundation.

Very often, your Personal Data will have been provided to us by your employer at your request or with your agreement with them.

3. c. When it is available publicly

Your Personal Data may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access Personal Data from those accounts or services.

d. When you visit our website

When you visit our website, we automatically collect the following types of Personal Data;

• Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.

• Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.

• Through Cookies and the use of Google Analytics on our website – please refer to our Cookies Policy.

In general, we may combine your Personal Data from these different sources set out in sections a-d above, for the purposes set out in this Statement.

4. Complaints

Where you lodge a complaint, your Personal Data will be used to correspond with you. A complaint can be made in writing or by telephone. We encourage complaints to be made in writing by completing a ‘Contact Us’ form by logging into your myCILEX account via the CILEX website, wherever possible. We will get in contact by email regarding your complaint, in accordance with the CILEX Complaints Policy. To exercise your rights, please see section H of this Privacy Statement.

5. Access to your Personal Data

We take reasonable steps to ensure that the Personal Data that we hold will be accurate and up to date. You can check the Personal Data that we hold about you if you are a member through your myCILEX account. Alternatively, you can ask us to check by using the website’s Contact Us Form and selecting ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. If you do not have access to the myCILEX Portal or do not wish to log your details on the system, please contact us by email at [email protected].

Children’s Personal Data

CILEX services and websites are not directed at children, and we do not knowingly collect or process personal data relating to children under the age of 16 without appropriate consent. Where access to CILEX services requires registration, individuals are asked to confirm that they are aged 16 or over. In some circumstances, we may receive personal data relating to individuals under the age of 16 indirectly, for example via an employer, training provider or third party acting on their behalf.

Where we are aware that personal data related to a child under 16, we will only process that data where a parent or person with parental responsibility has provided consent, or where we are otherwise permitted to do so under the UK data protection legislation. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data as soon as possible.

If you believe that we might have any Personal Data from or about anyone aged 16 or under without the consent of a Parent or Guardian, please send us a message by logging in to myCILEX Portal and go to Contact Us, then select ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. Alternatively, you can contact us by email on [email protected].

6. Storage of Data

Personal Data collected by CILEX is stored on secure IT systems. This Personal Data can be accessed throughout CILEX, except where it is unsuitable to do so, in which case appropriate measures are put in place to ensure Personal Data can only be accessed by those with a need to know.

No external person will have access to CILEX records, except in circumstances outlined in the Privacy Notice and Privacy Statement.

Any third party contracted by CILEX to process Personal Data on its behalf will be requested to have security measures in place to protect the Personal Data and to treat such data, in accordance with UK Data Protection Legislation. We also set up Data Processing Agreements with our third party or supplier contracts. In the event of any contract relating to International Data Transfers the additional applicable documents will be in place such as EC SCCs (European Commission’s Standard Contractual Clauses), IDTA (International Data Transfer Assessment) or ICO Addendum. CILEX has put in place procedures to deal with any Potential Data Security Incident (PDSI) and they will notify you and the UK Information Commissioner’s Office (ICO), when appropriate of any data breach, where we are legally required to do so.

7. Marketing

We may contact you for marketing purposes related to our products and services and our website unless you let us know that you do not want to receive marketing communications from us. Your agreement to the use of your personal information for these purposes is optional and if you decline to provide your agreement, your visit to and use of the website will not be affected. You can opt in or opt out of your Communication Preferences via the myCILEX Portal at any time or unsubscribe via the email link.

E. Sharing Personal Data

CILEX only shares personal data where it is necessary, lawful and proportionate to do so, and where appropriate safeguards are in place.

We may share personal data with the following categories of recipients, for the purposes set out in this Privacy Statement:

• Other CILEX group entities, including CILEX Law School, CILEX Regulation and CILEX Foundation, where this is necessary to deliver qualifications, regulatory functions, membership services or related activities. Each entity acts as an independent data controller for its own processing activities unless otherwise stated.

• Service providers and suppliers who process personal data on our behalf, such as IT system providers, assessment platforms, analytics providers, payment processors and professional advisers. These organisations act as data processors and are required to process personal data only on our instructions and in accordance with UK data protection legislation.

• Regulators, government bodies and statutory authorities where we are required to share personal data to meet legal or regulatory obligations, including bodies such as Ofqual and other relevant oversight authorities.

• Training providers, assessment partners and employers where this is necessary to administer qualifications, assessments, apprenticeships or employer funded services.

• Law enforcement agencies or other bodies where disclosure is permitted or required by law, for example where necessary for the prevention or detection of crime or to comply with legal processes.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

If we undergo a merger or re-organisation, in doing so we may acquire or transfer Personal Data as part of that transaction, but your Personal Data would continue to be used for the same purpose. CILEX’s recent acquisitions in 2023 have included the IOP (Institute of Paralegals) and PPR (Professional Paralegal Register).

1. Sharing Data with Overseas Approved Training Providers

Where a member is studying at an overseas CILEX approved training provider, they will share the Member’s Personal Data with us in the form of their Name, Membership Number, and Name of Examination. Examination results will be shared in return by us with the CILEX Approved Training Provider.

2. International Data Transfers

CILEX may transfer Personal Data to organisations outside of the United Kingdom, where this is necessary to support our activities, for example where we use third-party service providers.

Where personal data is transferred outside the UK, CILEX ensures that appropriate safeguards are in place in accordance with UK data protection legislation. These safeguards include:

• transfers to countries that are subject to a UK adequacy decision, where the UK government has determined that the destination country provides an adequate level of data protection; or

• the use of approved contractual safeguards, such as the UK International Data Transfer Agreement (IDTA) or, where applicable, the UK Addendum to the EU Standard Contractual Clauses, together with appropriate assessments of the level of protection afforded to the data.

CILEX takes additional steps, where required, to ensure that personal data remains adequately protected when transferred internationally, including contractual, organisational and technical safeguards.

Further information about international transfers and the safeguards in place can be requested by contacting the CILEX Privacy Officer.

The UK currently benefits from an EU adequacy decision, subject to periodic review. We keep this position under review and will update this notice if the adequacy status changes.

3. Qualifications/End Point Assessments

If you are taking CILEX exams or assessments, CILEX will share your Personal Data with CILEX Approved Training Providers, our Assessment Providers, CILEX Assessors and Panel Members and CILEX Regulators e.g., Ofqual, Qualification Wales, CCEA and/or CILEX Regulation. CILEX will share the Personal Data of Apprentices with the Education and Skills Funding Agency (ESFA), which operates the process for issuing Apprenticeship Certificates on behalf of the Secretary of State and with Apprentices’ Employers, in relation to CILEX provision of the End Point Assessment.

CILEX may also share data with the Department for Education (DfE) and the Institute of Apprenticeships and Technical Education in its role, as an Awarding Body and End Point Organisation.

With your consent, Personal Data (specifically your Name and Email Address) can be supplied by CILEX to CMI (The Chartered Management Institute) for the purposes of log in account creation to access CMI Learning Resources and without this you will not be able to log in and access these Learning Resources. You can withdraw your consent at any time by closing your CMI account and/or by contacting the CMI. Any information submitted by you to the CMI Website to create a Profile or for any other purpose within the CMI Account, at this point CMI will then become the Data Controller of this Personal Data and for these purposes, please contact their Data Protection Officer: [email protected]. and please see their Privacy Policy: Data Privacy – CMI (managers.org.uk). You can manage your CMI communication preferences or unsubscribe at the bottom of any non-essential emails that you may receive from CMI.

4. Financial Information

CILEX does not store credit or debit card details, and it does not share financial information with third parties. However, when paying for goods or services online, CILEX uses a credit card processing company or a Direct Debit service to complete these transactions. These companies do not retain, share, store or use Personal Data for any purposes other than to provide this service to CILEX. We adhere to PCI-DSS compliance for the processing of all card payments.

5. Advertising Cookies

CILEX uses cookies and similar technologies on its websites to ensure it functions properly, to understand how visitors use the site, and to improve user experience. Strictly necessary cookies are used to enable core functionality such as page navigation, access to secure areas of the website and session management. These cookies are essential for the website to operate and do not require user consent.

We also use analytical cookies to collect information about how visitors use our website. These cookies help us understand website usage patterns and improve our services. Analytical cookies are only set where you have provided your consent via our cookie banner. CILEX does not place analytics or other non-essential cookies on your device unless you have actively consented to their use. You may refuse or withdraw your consent at any time through the cookie management tool available on our website.

For detailed information about the cookies we use, their purpose, duration, and how to manage your preferences, please see our Cookies Policy for further information.

6. Verification Requests

CILEX may sometimes respond to verification requests of qualification or Membership status from current or prospective employers, employment agencies, regulators or other third-party contacts.

F. Automated Decision-Making

CILEX uses systems and tools that support automated processing as part of its administrative and operational activities, for example to manage application or workflows. However, CILEX does not make decisions about individuals that are based solely on automated processing and which produce legal or similarly significant effects on individuals, as defined under Article 22 of the UK GDPR.

Where automated tools are used to support decision-making, those decisions are subject to human review and oversight. If this position changes, CILEX will update this Privacy Statement and provide individuals with clear information about the nature of the decision-making, the logic involved, and their rights.

G. How Long Do We Keep Your Personal Data?

CILEX retains Personal Data for as long as it is necessary to fulfil the purposes for which it is being processed (including to comply with the relevant UK Legislation or Regulatory requirements and/or to resolve legal disputes).

Retention periods vary depending on the type of personal data and the purpose for which is it processed. The criteria we use to determine retention periods include legal and regulatory obligations, the nature of our relationship with you, the need to maintain accurate records of qualifications and professional status, and limitation periods for potential legal claims. By way of example, qualification and assessment records may be retained for extended periods, including where necessary for verification purposes, while website analytics and technical data are retained for shorter, defined periods in accordance with our Cookie Policy.

Where data is no longer required, it is securely deleted or anonymised. Further details about retention periods are set out in the CILEX’s Data Retention Policy, which is available on request.

H. Your Individual Rights

The Rights of the Individual are:

1. • The Right to be Informed – Data Subjects have the right to be informed about the collection, sharing, protection, and use of their Personal Data.
2. • The Right of Access – Data Subjects have the right to request access to any personal information that we hold.
3. • The Right to Rectification – Individuals have a right to have inaccurate Personal Data rectified, removed, or completed, if it is incomplete. If the Personal Data is found to be incorrect, but it is unable to be updated, this should be removed.
4. • The Right to Erasure – Under certain circumstances, a Data Subject may request for us to delete their information that we retain regarding them, with the exception of any information that we are legally required to retain and for the other exemptions set out in UK Data Protection Legislation (our right to get your data deleted | ICO).
5. • The Right to Restrict Processing – Data Subjects have the right to request the restriction or suppression of their Personal Data, in certain circumstances.
6. • The Right to Data Portability – Individuals may request a copy of their data for reuse across different services, which should be provided in a way, so that information can be copied or transferred from one IT environment to another safely and securely without affecting tis usability.
7. • The Right to Object – Data Subjects have the right to object to the processing of their Personal Data, in certain circumstances. For example, individuals have an absolute right to stop their data being used for direct marketing.
8. • Rights Concerning Automated Decision Making and Profiling – We may only carry out this type of decision-making, where the decision is either necessary for the entry into or performance of a contract, authorised by EU or UK law applicable to the Data Controller or it is based on the individual’s Explicit Consent.

In certain cases, CILEX can refuse to comply with a request, if it is manifestly unfounded or excessive. To decide, if a request is manifestly unfounded or excessive, CILEX must consider each request on a case-by-case basis.

If you have any questions about how CILEX process your Personal Data or you would like to exercise any of your rights of the individual under the UK Data Protection legislation, log in to myCILEX Portal and go to Contact Us, then select ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. If you do not have access to the myCILEX Portal or do not wish to log your details on the system, please contact us by email at [email protected].

You also have the right to lodge a complaint with the UK’s Information Commission (IC). Their contact details are:

The Information Commission

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel No: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

Website: www.ico.org.uk

I. Legislation

“UK Data Protection Legislation” means All applicable UK Data Protection and Privacy legislation in force from time-to-time, including the General Data Protection Regulation (EU) 2016/679, the UK Data Protection Act 2018 and the Privacy and Electronic Communications (EU Directive) Regulations 2003 (as amended) (PECR) and any superseding legislation and all other applicable laws, regulations, statutory instruments and/or any codes, practice or guidelines issued by the relevant data protection or supervisory authority in force from time to time and applicable to a Party, relating to the processing of Personal Data and/or governing individual’s rights to privacy.

J. Freedom of Information Act 2000 (FOIA)

CILEX is not listed as a ‘public body’ for the purposes of the FOIA and therefore, it is not under a duty to comply with the provisions of the FOIA.

K. Reviewing the Privacy Statement

CILEX will review and update this Privacy Statement from time to time, when changes to our processes or procedures and systems are made, if UK legislation and regulations change or if new circumstances require it.

If this Privacy Statement changes in any way, we will put an updated version on the website. Regular review of this page ensures that you are always aware of what Personal Data we collect, how we use it and under what circumstances.

CILEX will make reasonable efforts to contact and update those affected, if the changes are significant in nature.

Statement Approval
Date of Issue:	January 2023
Review Date:	April 2026
Version:	1.7
Procedure Owner:	Corporate Compliance Manager
Approved By:	Corporate Policy Review Panel (CPRP)