top of page

Privacy Policy


This privacy notice explains how and why we process (collect, use, retain and share) the personal data of everyone who Black Box interacts with:

  • Our customers

  • Those who interact with us through our website

  • Our suppliers

  • Visitors to our premises

It also explains all your rights in relation to your personal data including how to contact us or the supervisory authorities in the event you have a complaint.

If you have any concerns about this notice or any questions about Black Box processing of data please contact ourselves or our Data Protection Officer on the details at the bottom of this document.


We collect a variety of information about people who interact with us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

For our customers, we need to process your name; email address; telephone number and data that allows us to process your order such as courses and quantities required, billing/invoice address and payment details.

For people who supply us with goods and services we need to collect and process your name, contact information and bank details or payment methods.

For people who visit our offices: we may collect your name and contact details. Our office operates CCTV for the prevention of crime so when visiting us your image will be stored in our CCTV system and held for a rolling 30 days.

For those who sign up to our marketing information we will need to collect and process your email address.

Those who interact with us through our website which use limited technologies and cookies to help us to deliver an effective, personalised and tailored user experience.

Those who interact with us on social media, Black Box do not take any data outside of social media platforms on which you make contact with us, unless you have asked us to do so – for example when answering queries raised through Facebook or you have indicated through Linkedin that you would like to receive communications from us. We do use your social media username or profile to re-post anything you tag us in, but this remains within the social media platform itself.

For more information about our use of social media see section below.


There are various points of contact when Black Box needs to process personal data.


When you:


  • Purchase our services

  • Contact us for help

  • Create an account on our website

  • Subscribe to our marketing publications

  • Request marketing to be sent to you

  • Contact us through social media platforms or request subscriptions through these services

  • Enter a competition, promotion or survey

  • Are involved in one of our customer surveys or focus groups

  • Give us some feedback

We also collect data through automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV, access control and communications systems.

We use instant messaging systems where customers or learners ask us to do so or where we re-post information within social media platforms.

In very limited circumstances and only where required, we may also collect personal data from third parties such as that which is available publicly e.g. Companies House.


We collect limited data at the time of payment:

  • If you pay us by BACS or Cheque we will securely record your account name, payment reference and amount against your order in our accounting systems.

  • If we pay you by BACS (in the event of a refund or payment to a supplier) we will need to receive your account name, sort code, account number and payment amount.

  • All payments by credit/debit card are handled securely by third party providers to ensure Black Box does not receive any sensitive payment data.


We will only use your personal data when there is a lawful and legitimate reason for doing so.

We use your personal data for the following reasons:

  • Where we need to perform the contract (including pre contract negotiations) for example when you purchase our services or where we buy services or supplies to enable us to run our business

  • Where we need to comply with a legal or regulatory obligation for example where we retain data for HMRC reporting purposes

  • When you give us your consent for example when you subscribe to our newsletters, updates or marketing. Black Box is always looking to learn from our customers so where a customer has consented to be involved in market research or customer focus groups we will engage with them so that our range of courses is up to date including the views from the perspective of those who use them

  • Legitimate interest: In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests For example, we may use your purchase history to send you or make available personalised offers.

  • Where you choose to leave us a review, we may do so through an independent third party and we may contact you regarding any issues you raise in the interests of improving our service

  • We may also send direct marketing emails to our customers and learners when you purchase or take a course with us and do not choose to opt out – this is often called a ‘soft opt in’. This marketing is always tailored to the recipient, and we do not undertake blanket marketing of any kind at any time

  • In very limited circumstances, we may combine the data of customers to identify trends and ensure we keep up with demand to develop new products and courses specific to them



As described above we do undertake marketing to subscribers, customers and those who have opted in. You have the right to opt out of receiving promotional communications at any time by using the ‘unsubscribe’ link in our emails.

Where you have unsubscribed from our email updates or where you ask us to stop sending promotional or other offers this will not affect any other interaction you have with Black Box.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further courses or content in the future, or if there are changes in the law, regulations, or the structure of our business.

We do not process data for any other party, nor do we sell data to any third parties for direct marketing purposes.


Our website includes links to third-party websites, plug-ins and applications. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their own privacy policies, which may differ from ours. Therefore, if you use these links to leave our site and visit websites operated by third parties, we cannot be responsible for the protection and privacy of any information that you provide to them. Please check these policies before you submit any personal data to these websites.

Black Box websites use Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our websites.



Information or comments you post or disclose on Black Box’s social media platforms (for example, Facebook, Linkedin, Twitter, or other social media applications) is public and will be treated as such for the purposes of this notice and Black Box’s use of that data. Black Box cannot control the use of information disclosed in such platforms. You should always take care and exercise caution when posting or disclosing information in public spaces, this includes personal information or data. Content posted in Black Box’s social media pages, including advice and opinions, represents the views of the individuals who post that content and such individuals bear sole and exclusive responsibility for the posting of that content. Black Box does not necessarily endorse, support, verify, or agree with any content posted on our social media pages and forums.



Black Box websites include social media widgets, such as the Facebook, LinkedIn, Twitter buttons and widgets, such as the “Share” button (embedded in specific articles). Social Media widgets are either hosted by a third party or hosted directly on Black Box’s website. Your interactions with these widgets are governed by the privacy policy of the company providing it. These widgets may collect (a) your IP address, (b) which Black Box webpage you are visiting, and (c) may set a cookie to enable the feature to function properly. Black Box advises anyone using these widgets to be aware of the privacy notices related to each widget.

To use the information when completing work on behalf of Black Box whether as joint controller of data for example our accountants.

In each case, the legal basis on which we process data in these circumstances is our legitimate interest to ensure our business can be continued by a purchaser. If you object to our use of personal data in this way, the relevant seller or buyer of our business may not be able to provide products or services to you.

In certain circumstances we may also need to share your personal data if we are under a duty to disclose or share personal data in order to comply with any legal obligation.


We know how much data security matters to all our customers and everyone we interact with. With this in mind, we will treat your data with the utmost care and take all appropriate steps to protect it. The information that you provide is stored securely whether it be digital or physical.

Across our business we have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction and they are subject to a duty of confidentiality.

We secure access to all transactional areas of our websites and apps using ‘https’ technology and all payment transactions are encrypted (using SSL technology) – payments are handled securely under contract by external providers such as PayPal/SagePay.

Access to your personal data is password-protected, and any sensitive data is protected through appropriate use of encryption technologies. All systems are password protected which expect strong passwords and require regular changes.

We continually maintain firewalls, malware and anti-virus software. We maintain and monitor systems which alert Black Box to any potential data attack.

Any data which is accessed off site or on a mobile device is kept on devices which require secure password access and are kept locked when not in use and never left unattended.

We monitor our systems for possible vulnerabilities and attacks, and we carry out random penetration testing to identify ways to further strengthen security.

Any documentation retained in paper form is kept in our offices which are access controlled and secure at all times. All paper documents are access protected.

Only relevant members of staff will have access to the information you provide to us. All members of staff receive appropriate data protection training at induction, and it is refreshed annually to ensure each is aware of their data responsibilities. All staff are aware that any breach of our data protection policy could result in a breach of their contract of employment and could result in disciplinary action and potentially dismissal.

Our offices are protected by security and CCTV in order to prevent any criminal offence or threat to data security.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

These measures and procedures are audited and reviewed regularly.



If your data is transferred outside of the UK or EEA, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the UK or EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact our Data Protection Officer.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.



We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We currently retain limited financial information which includes personal data for 7 years to satisfy HMRC regulations.


Access - The right to be provided with a copy of your personal information (the right of access).

Rectification - The right to require us to correct any mistakes in your personal information.

To be forgotten - The right to require us to delete your personal information—in certain situations.

Restriction of processing - The right to require us to restrict processing of your personal information—in certain circumstances, eg if you contest the accuracy of the data.

Data Portability  - The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations.

To Object - The right to object:

  • at any time to your personal information being processed for direct marketing (including profiling);

  • in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests.

Not to be subject to automated individual decision making - The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the UK General Data Protection Regulation. For citizens of the European Union Black Box applies the same standards through compliance with EU GDPR – more information can be found through individual countries local data protection authorities for example CNIL in France

If you would like to exercise any of those rights, please:

  • Let us have enough information to identify you (e.g. your full name, address, email and customer or matter reference number)

  • Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill)

  • Let us know what right you want to exercise and the information to which your request relates

Your right to withdraw consent

  • Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. You can do this by contacting us or our Data Protection Officer on the details below

Where we rely on our legitimate interest

  • In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation

  • We will then stop processing your information unless we believe we have a legitimate overriding reason to continue processing

bottom of page