The data controller is The Chartered Institute of Marketing (CIM).

CIM is the professional body for marketing, registered in England and Wales (registration number RC000886). Our registered address is Moor Hall, Cookham, Maidenhead, Berkshire SL6 9QH, UK.

If you have any questions about CIM’s use of personal data, you can get in contact by writing to the Chief Data Officer at The Chartered Institute of Marketing, Moor Hall, Cookham, Maidenhead, Berkshire SL6 9QH, UK or at mydata@cim.co.uk

There are several ways we may collect information about you. These include:

• when you provide it to us by getting in contact (phone/email/web/webchat/in person), either directly or via a third-party vendor
• when you subscribe to our services or place an order with us
• when you interact with communications that we send to you
• if you are studying a CIM qualification, your study centre may share information with us
• if you are studying or join through an arrangement with your company, your company may share your personal information with us
• when you report a problem with CIM's websites or any of its services
• when you undertake a proctored online or virtual assessment
• if your call to our customer services team is recorded for training, quality or dispute resolution purposes
• if you register to use a third-party software for access to CIM products or services
• if you consent to the use of cookies when using our website
• if your image is captured at events or by CCTV at the Moor Hall site.

This can include, but is not limited to: name, date of birth, address, phone number, email address, job title, company name and VAT number, company address, payment details where relevant, CV (for demonstration of your expertise in relation to any skills-based activities you subscribe to), IP address, geographical location from where you accessed our website, information about how you use/interact with our websites and those belonging to our member benefit providers, information from cookies, information about your computer or other electronic device (tablet and browser type), email engagement metrics and your photographic image (for example when attending events, where photographic identification is required for undertaking online or virtual assessment, or where images have been captured by CCTV within the CIM Business Centre site).

For more information:

• CIM Cookies policy
• CCTV policy

CIM respects your data and has taken appropriate technical and organisational measures to ensure we have mitigated against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

CIM does not collect special category data as a matter of course. However, individuals may on occasion supply health-related information in relation to delivery of services by CIM. For example:

• Studying members may share such information should they require reasonable adjustments or special consideration on health grounds for CIM assessments, or where an emergency deferral is necessary. Dependent on the type of application, this information may be received directly from the member, or they may disclose this to their study centre who will in turn liaise with CIM.
• Members may share health-related data to support applications for adjustments such as reduced rate subscriptions or CPD exemptions.
• Guests and delegates attending the CIM Business Centre and other venues may elect to provide details of dietary or accessibility requirements.

Any such information is retained only for as long as is necessary for delivery of our services, is processed solely for this purpose and is destroyed securely once that purpose is complete.

Your information is used to process your purchases, to deliver our services, to highlight activities and initiatives that you may be interested in, and to improve our products, services and customer experience. Where appropriate, you can change your communication preferences via our Preference Centre accessed via the link provided in all our communications, or if you are a member, via the ‘My Account’ section of MyCIM.

Your personal data may be used:

• To deliver purchased products and services

  When you purchase products and services from CIM, we process your personal data because it is necessary for the performance of a contract with you, or in order to take steps at your request to enter into a contract.

• To deliver your membership benefits

  When you become a CIM member, one of the key features of your membership is access to the latest marketing insights, topical debate, inspiring events and a variety of member benefits. As such, we’ll contact you with opportunities that invite you to make the most of your membership. Data for these communications is processed on the basis of legitimate interest. If you elect to take advantage of any additional members services, any subsequent processing relating to those services will be performed on the basis of your consent, which you have the right to withdraw at any time.
  
  In addition to this, we’ll also contact you with important operational information regarding your membership (for example, notifying you of Governance activity or advising you when your renewal is due). In these instances, we process your personal data on the basis of our contractual obligations.

• For direct marketing purposes to promote our products and services

  If you are a current or recent customer, we may send you communications about selected CIM products and services that we believe may be relevant to you. In these circumstances, the processing of your personal data is performed on the basis of legitimate interest.
  
  If you are not a current or recent customer, you have the opportunity to opt-in to these communications via the preference links provided within all our communications. You will then receive your specified communications on the basis of consent.

• To deliver free resources, insights and informal learning

  For communications promoting complimentary products and services (for example, access to content or research outputs):

  • If you are a current or recent customer, your data will be processed on the basis of legitimate interest, and you have the right to object at any time.
  • If you are not a current or recent customer, your data will be processed on the basis of consent, which you may withdraw at any time.

• To source visual imagery for marketing and publicity

  Photographs and video footage containing images of identifiable individuals may be taken during events and other face-to-face activities for marketing and publicity purposes. Where images are captured in this way, processing is conducted on the basis of legitimate interest. You will be notified of our intention to process such images in advance within the registration process and during the activity itself, images will only be used in relation to the specific activity you are involved in, and no further processing outside of the disclosed purposes will be undertaken without your explicit consent. You may object to the use of your data in this way at the point of registration, or thereafter by contacting the organisers.

• To issue digital accreditation for your achievements

  Many of our products and services, including membership and formal learning products, provide digital accreditation (e-badges) to demonstrate your achievements with us. For membership and qualifications, the associated processing will form part of your contract with us. If you hold a qualification or award, after ceasing membership this processing will continue on the basis of legitimate interest, to which you have the right to object at any time. Processing for digital badging in relation to all other products and services, such as training courses, will always be undertaken on the basis of legitimate interest, to which again you have the right to object.

• To better understand the needs of our customers

  We may contact you from time to time asking you to contribute to our research initiatives or other activities that enable us to better serve the needs of our needs and those of the industry as a whole. These communications will be conducted under the basis of legitimate interest.
  
  We also use behavioural and transactional data, such as IP address and cookie identifiers, to enhance our user experience and customer journey. Analysing this information allows us to tailor our offerings to meet individual needs and preferences and improve our overall service delivery. This is again performed under the basis of legitimate interest.

• To comply with our legal obligations and ensure compliance with our Constitution

  This includes adhering to applicable laws, regulations and legal processes, responding to lawful requests from public, legal and governmental authorities (legal requirement), as well as ensuring compliance with our Constitution (legitimate interest). Ensuring compliance with these legal and constitutional requirements is essential for maintaining the integrity and legitimacy of our operations, protecting the rights and safety of our customers, and upholding our commitment to lawful and ethical business practices.
  
  CIMConstitution

We will only share your data with third parties for the purposes of delivering our services, fulfilling any contracts we enter with you, where required by law or to enforce our legal rights.

Third party communications

CIM will not disclose your details to third parties for the purpose of receiving communications from those third parties, including relevant business information, unless you specifically consent to this type of communication.

Service providers

Only when necessary to deliver our services and run our business, we share your information with various providers who will act as data processors. These include:

• Telephone and email providers, IT services, hosting and third-party software providers
• Payment processing providers
• IT service providers
• Hosting providers
• Mailing houses and print/fulfilment companies
• Member benefit providers
• Digital accreditation (e-badge) provider
• Research agencies

We use Google Analytics and Google Signals to understand our users’ online behaviour and to support cross-device tracking and reporting. Any associated personal data is anonymised and not collected or processed by third parties.

Social media and third-party advertising partners

When you visit our website or interact with us on social media and other online platforms, we use cookies and other similar methods to collect specific types of anonymous and/or pseudonymised data about you.

We use tracking links and URL shortening services to collect data including the IP address and physical location of devices accessing the shortened link, the time and date of each access, the referring websites or services, and information about the link being shared on other third-party services such as social media platforms.

This processing is undertaken for the purposes of monitoring engagement and tailoring our products and services. Please visit our Cookie Policy for further information.

Payment information

CIM does not store credit/debit card details, except for the purposes of processing bookings for CIM Business Centre guests, when these details are stored securely and destroyed following payment. We may however retain bank details of individuals undertaking activities on behalf of CIM in order to make payments for reimbursement of expenses or other services received. CIM does not share financial information with any third parties. However, it may (in appropriate circumstances) use certain other companies to provide services to you, such as a credit card processing company or a Direct Debit service. These companies do not retain, share, store or use personal information for any purposes other than to provide this service to CIM.

Research

CIM may share your details with third parties for the purposes of conducting research on our behalf, including membership surveys, only when you have consented to your data being processed in this way. You may change your preferences at any time via our website.

Qualifications

When studying for a qualification with CIM, your name, email, membership number, IP address and photographic ID may be shared with providers of the online platforms that support our assessment delivery. Depending on the format of your assessment, these may include platforms for assessment submission, online marking, online assessment, live recorded assessments and online proctoring. If your assessment involves live assessment or online proctoring, your session’s audio and visual will be recorded.

In addition, we are required to share assessment completion data with the Department for Education as part of our regulated qualifications. This data may also be shared with our regulators (OfQual, CEA and Qualification Wales) in the event of any investigations.

Exam venues: If you are sitting your exam with an independent or bespoke exam venue, it may be necessary to share your name, membership number, email address and telephone number with the venue. This will only be provided for the purpose of the centre contacting you regarding your attendance and if necessary collection of additional pre-agreed fees. The data is deleted/destroyed once the exam has been completed.

Membership and Accreditation:

• Verification requests

  CIM may receive verification requests relating to individuals’ membership and qualifications. For Governance and disciplinary matters, it may be necessary for CIM to confirm your membership status, grade and Chartered Marketer status to a third party without your consent. Outside of these circumstances, CIM will not share any information unless a valid consent form, signed by you, accompanies the request.

• Digital accreditation

  When you become a member or complete any formal learning with CIM (qualifications and training courses) your full name, email and member/qualification achieved will be shared with our chosen provider so that you can receive the relevant badge to denote your achievement.

• Chartered Marketers and CPD

  CIM provides a service for members to record their CPD online through a third-party processor. CIM will use the information recorded for management of CPD and Chartered Marketer status and as part of its wider monitoring of members’ progress.
  
  We have a policy of transparency regarding the names of our Chartered Marketers and as such, we publish each individual’s name and CIM Region on our website. Members may request that their name be removed by contacting our Customer Services team.

• Mentoring

  We will share the details of members who register on our Mentoring Programme with their mentor/mentee in order to initiate the mentoring relationship. These activities are subject to the terms of the mentoring agreement that all parties sign up to as part of the process.

• Disciplinary

  If a member of any grade is subject to a disciplinary case, data will be shared with relevant parties in order to investigate the case. Where the complaint is upheld, CIM will publish their name and the outcome of the disciplinary case. Any such processing will be completed on the basis of our own legitimate interests.

Job site

When you complete your profile within the CIM job site, the information you provide becomes available to recruiters registered with the site. If you have uploaded your CV, our customers who ask for CVs matching your registered details will receive your CV and profile. These may be direct recruiters, employment consultants or other organisations. This site is administered on CIM’s behalf by The Access Group, who also have access to your data solely for the purposes of delivering this service.

Partners

Where you are purchasing discounted CIM products or services through our partnership activities with other organisations, we will share your data with that other organisation for the purposes of verifying your eligibility for the discount.

Where you are booking to attend a course or event run by one of our learning partners, your data will be shared with that organisation who will process it solely for the purposes of administering the activity.

Sharing your information for legal reasons

CIM will share your information when required to do so in order to comply with a common law or statutory obligation. For example, this may include information surrounding criminal acts or threats to public security.

Transfer of your information outside the UK or European Economic Area (EEA)

• Regions and study centres: If you are a member of a CIM Region outside of the UK or EEA, or registered with a study centre outside of the UK or EEA, information that CIM collects may be transferred to that Region or study centre, which may not have data protection laws in force equivalent to those within the UK/EEA. CIM will nevertheless take steps to ensure that personal data transferred is adequately protected. Any data transferred in this way will be securely encrypted and, once it has been used for the purpose it was transferred, it will be deleted.
• Payment processing: To facilitate secure and efficient payment processing, we share certain personal data with our payment processor based in the United States. This transfer is conducted in compliance with applicable data protection laws, with rigorous security measures in place to safeguard your personal information throughout the process.
• Digital badging: When purchasing membership or learning products, CIM will transfer your name, email, membership grade/qualification/award/course completed (as appropriate) to a partner organisation based in the United States for the purpose of providing digital accreditation.
• Live assessment: When you undertake a live assessment with CIM, the video and audio from your session will be handled by a proctoring organisation based in the US, and may be accessed by examiners based outside of the UK and EEA via secure and compliant platforms.
• Website redevelopment: We are currently undertaking a website redevelopment project, for which some of our agency support services may be performed in Moldova. As such your data may be accessed by our trusted partners in Moldova in compliance with applicable data protection laws.

Any transfer of data outside the UK of EEA will be conducted in accordance with the rules for restricted transfers under current legislation. Outside of the circumstances described above, we will not transfer your personal data to any country outside the UK or EEA.

We will keep hold of your data for no longer than necessary. The duration will depend on any legal obligations we have (such as tax recording purposes), the nature of any contracts we have in place with you, the existence of your consent or our legitimate interests as a business.

Legal requirements: It is our legal obligation to retain the following data:

• When you purchase from us, we retain the associated financial transaction information for a period of six years following the end of the financial year during which you purchased from us. It is our legal obligation to keep these records for tax purposes.
• In instances where material is purchased under the Copyright, Designs and Patents Act 1988, the copyright declaration forms are retained for a period of seven years.
• Personnel records are retained for a period of 7 years following the termination of employment.
• Accident reports are retained for 3 years in order to comply with RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013) and Health & Safety Executive guidelines.

Enquiries

Unless you provide consent for future contact during your enquiry, we will keep your information for as long as is required to respond and complete your enquiry, and for a further 2 years, before deleting your information. For corporate solutions, this duration is extended to a period of 7 years due to the nature of the contracting process in this area. Recordings of phone calls to our customer contact centre, taken for training purposes, quality monitoring or dispute resolution purposes, will be retained for 3 months.

Customer records

Where a customer record holds several different areas of product engagement data, all personal data and product history will be retained until the end of the final retention period has been reached.

• Membership: Membership information will be retained for a period of 10 years from the ceasing of your last membership in order to verify your member status and recent history to third parties on request, or to allow you to re-join as a member. In the event of a disciplinary case against a current member, the case records will be retained for a period of 6 years.
• Qualifications, assessments and apprenticeships: Qualifications information, including assessment results, will be retained for 25 years for the purposes of verifying your CIM qualifications.
• Live assessment recordings are retained for 18 months to meet our external regulation audit requirements.
• Online proctoring recordings will be retained for 30 days. In the event of any issues arising with the assessment, this may be extended for up to 1 year.
• Training, corporate solutions and events: These records will be retained for a period of 7 years in order to maintain your development record.
• Registration for complimentary activities or content: Your data will be retained for the duration of your involvement and will be destroyed after a further 2 years.

Job site

If you haven’t accessed your account for over 2 years, we reserve the right to delete your account. In addition, we reserve the right to remove CVs that include content that we consider to be illegal or offensive.

CCTV

CCTV is in operation across the CIM Business Centre site in Cookham, UK. The footage is retained for a period of 30 days after which is it deleted. However, in the event of an incident on site, relevant footage may be retained until the completion of any associated investigation. For full details, please refer to our full CCTV policy.

Photographic and video images

Images and recordings from events and other in-person activities will be held securely for a period of 3 years after which they will be destroyed.

Automated profiling

Details on your interactions with CIM may be used to review the relevance and quality of the products and services we offer. However, we do not undertake any automated profiling for the purposes of making decisions regarding your eligibility for or involvement with CIM activities.

Assessment by multiple choice

Within our qualifications, we use an automated system to mark candidate responses to multiple choice assessments. This system is designed to ensure accuracy, consistency, and fairness in the assessment process and the data collected through this system will be securely stored and used solely for the purpose of evaluating exam results. Access to this data is restricted to authorised personnel only, and all information will be handled in accordance with our privacy and data protection policies.

Artificial intelligence and chatbots

In order to protect the privacy and confidentiality of our employees, customers and other contacts, it is our policy that no personal data will be shared with any AI chatbots or automated systems. This is necessary to ensure that sensitive information is not inadvertently exposed to algorithms or platforms that could compromise data security or be used in ways that are not fully transparent or controllable. By maintaining strict control over personal data, we uphold our commitment to safeguarding your privacy and complying with all relevant data protection regulations.

Subject to certain limitations, you have the right to:

• Request a copy of the information we hold about you and be told about its use.
• Request that CIM rectifies or deletes your information, or restricts processing if you have concerns over its accuracy, deletion or fair and lawful use.
• Object to the processing of your personal data, where this processing is based on the legitimate interests of CIM, where it involves direct marketing, or where it is completed for research or statistical purposes.
• Withdraw consent to the use of your information. All of our communications contain a link to our website where you can manage your preferences at any time. You can also contact mydata@cim.co.uk to request changes to the communications you receive.
• Receive your personal data in a portable, commonly used, machine-readable format to transfer to another data controller. However, in some circumstances we may be unable to provide you with some or all of your personal data, for example, if it compromises the confidentiality of a third party.