Privacy Policy


  1. About this Policy: purpose; scope; and application
  2. What is personal data?
  3. How to manage personal data: the key principles of personal data protection
  4. Privacy impact assessments: what are they and when do you need one?
  5. Record keeping
  6. How does CCISKE manage data privacy breaches? 
  7. What are the consequences of violation of this Policy?
  8. Further information


  1. About this Policy

1.1. Purpose 

In the course of our business, CCISKE collects, handles and stores personal data of our 

customers, employees, sellers, suppliers, contractors and other individuals (“Data 

Subjects”). This information is a valuable and sensitive asset, that must be managed 

respectfully, and in accordance with all applicable local and international laws. 

This Policy explains how any personal information which we process (or others process 

on our behalf) must be used in accordance with the law, and for CCISKE’s legitimate 

business purposes only. 

1.2. Scope 

This Policy covers: 

  • all personal data held by or on behalf of CCISKE, regardless of the media on which

that data is stored, or of which individuals own that personal data; and 

  • all processing of such personal data, including all collection, recording,

organization, storage, use, disclosure, transfer, deletion and any other handling of 

personal data. 


Data Privacy Policy | 2/5 


1.3. Application 

This Policy applies to all CCISKE’s employees; and to CCISKE’s sellers, suppliers, 

contractors and other third parties responsible for processing personal data for or on 

behalf of CCISKE, referred to in this Policy as our “Partners”. 

We expect all Partners to maintain our standards of data privacy, as set out in this 


  1. What is personal data?

Personal data is any information relating to an identified or identifiable person, 

including: name; address; date or place of birth; photographs or videos (including CCTV 

footage); contact details (e.g., telephone number, email, address); national identifiers 

(e.g., ID numbers); professional status (e.g., job title, employer); location; online 

identifiers (e.g., IP addresses); and personal preferences (e.g., shopping and browsing 

habits), among numerous other types of personal data. An identifiable person is one 

who can be identified, directly or indirectly, in particular by reference to an identification 

number or to one or more factors specific to his/her physical, mental, economic, cultural 

or social identity. 

Sensitive personal data or special category personal data contains information relating 

to a person’s race or ethnic origin, political opinions, religious or philosophical beliefs, 

trade union membership, genetic data, biometric data, health and sexual life or 



  1. How to manage personal data: the key principles of personal data protection

CCISKE adheres to the highest personal data protection standards which require personal 

data to be processed in accordance with the principles set out below. 

3.1. Lawfulness and fairness 

Personal data must be processed fairly and lawfully. 

CCISKE shall only process personal data if so required to comply with applicable laws 

(e.g., for the purpose of employee tax deductions) or if it has received affirmative 

consent i.e., the Data Subject must make a positive statement or tick a box by way of 


Processing of personal data in reliance on any other legal basis, and without consent of 

the Data Subject, requires express written approval from the CCISKE General Counsel, 

and is otherwise strictly prohibited. 

Processing of sensitive data requires express written approval from the CCISKE General 

Counsel, and is otherwise strictly prohibited. 

3.2. Transparency 

Personal data must be processed in a transparent manner. 


Data Privacy Policy | 3/5 


CCISKE ensures that Data Subjects are duly informed before they disclose their personal 

data, by a clear and comprehensive privacy notice. 

3.3. Purpose limitation and data minimization 

Personal data must be collected only for specified, explicit and legitimate purposes. 

Data collected must be adequate, relevant and limited to what is necessary for the 

identified purpose. 

Collecting personal data that the business does not require for a specified purpose 

exposes CCISKE to unnecessary legal risks. 

3.4. Accuracy 

Personal data must be accurate and kept up to date where necessary. CCISKE endeavors 

to maintain the accuracy of our records though: 

  • self-service systems e.g. our Seller Centre enables sellers to update their details 


  • regular verification exercises; and
  • by providing information to individuals so they know who to contact if their details 


3.5. Data Subject’s rights and requests 

Data Subjects are entitled to exercise various rights with respect to their own personal 

data, including but not limited to the following: 

  • withdrawing consent to processing of their personal data;
  • requesting access to their personal data; and
  • requesting erasure of their personal data in certain circumstances. 

CCISKE’s Data Subject Rights Handling Guidance sets out processes for managing and 

responding to Data Subject requests, including mechanisms for communicating with 

Partners who may hold the relevant personal data in order to execute such responses. 

3.6. Storage limitation 

Personal data must not be kept for any longer than is necessary. CCISKE requires 

personal data to be anonymized or destroyed once the purpose for retaining that data, 

or the relevant time in the Document Retention Policy, has expired. 


Data Privacy Policy | 4/5 


3.7. Security, integrity and confidentiality 

Personal data must be processed in a manner which ensures its security using 

appropriate technical and organizational measures to protect against accidental loss, 

destruction or damage. 

Security measures should be proportionate to the level of confidentiality and sensitivity 

of the personal data. 

It is CCISKE’s goal to ensure security of personal data by: 

  • anonymizing or pseudonymizing personal data wherever this is possible without 

compromising the purpose; 

  • putting in place appropriate contractual arrangements to ensure an appropriate 

level of protection for personal data when it is shared with a third party; and 

  • carrying out due diligence, as part of the supplier onboarding process, to verify

that any third party suppliers who hold or have access to personal data on our 

behalf, meet our data protection standards. 


3.8. Transfer limitation 

Personal data must not be transferred across borders without the appropriate 

safeguards and consents being in place. 

CCISKE maintains a record of all personal data transfers and requires you to inform and 

obtain approval from the CCISKE General Counsel in respect of any personal data that is 

transferred across borders. 


  1. Privacy Impact Assessments: what are they and when do you need one?

Privacy Impact Assessments are a tool which allow you to identify, assess and mitigate 

privacy risks. They can also help you to design more efficient and effective processes 

for handling personal data. 

CCISKE requires a Privacy Impact Assessment to be completed where the activity falls 

outside CCISKE’s existing data map e.g. transferring data to a new supplier or collecting 

a new category of data. 

  1. Record keeping

CCISKE maintains a full and accurate data map of all personal data processing activities 

and data flows, including details of records of Data Subjects consents and the 

procedures for obtaining consents. 

We expect our Partners to maintain detailed data maps in respect of all personal data 

that they process on behalf of CCISKE, and to make this information available to CCISKE. 


Data Privacy Policy | 5/5 


  1. How does CCISKE manage data privacy breaches? 

CCISKE has in place procedures to deal with any suspected personal data breach and will 

notify affected individuals and applicable regulators where legally required to do so. 

If you know or suspect that a personal data breach has occurred, immediately contact


  1. What are the consequences of violation of this Policy?

Failure to comply with this Policy is a serious compliance breach. 

Non-compliance is a disciplinary matter for employees. If you are a contractor, seller 

or supplier, it may constitute a breach of your contract with CCISKE and we may review, 

and/or terminate, your assignment with us. 

  1. Further information

The following documents contain further helpful information on how CCISKE manages 

personal data: 

  • CCISKE Privacy Impact Assessments Template and Guidance 
  • CCISKE Online Privacy & Cookie Notice 
  • CCISKE Document Retention Policy 
  • CCISKE Data Subject Rights Handling Guidance 

If you are an employee of CCISKE and you have any questions about this Policy, or 

require approval of the General Counsel, please contact the lawyer responsible for your 


If you are a Partner of CCISKE and you have any questions about this Policy or you 

require any approvals, please contact your CCISKE relationship manager. 

If you know or suspect that a personal data breach has occurred, immediately contact


Oh hi there 👋
Welcome to CCISKE Marketplace.

Sign up to receive awesome content in your inbox, every month.

We don’t spam! Read our privacy policy for more info.

Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.
  • Image
  • SKU
  • Rating
  • Price
  • Stock
  • Availability
  • Add to cart
  • Description
  • Content
  • Weight
  • Dimensions
  • Additional information
  • Attributes
  • Custom attributes
  • Custom fields
Click outside to hide the compare bar
Compare ×
Let's Compare! Continue shopping