CDRL Privacy Policy

Updated: 25th May 2018


Consumer Dispute Resolution Limited (“CDRL”) is a not for profit alternative dispute resolution (ADR) provider, approved under the Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015. CDRL is dedicated to safeguarding and protecting your privacy when visiting our site or communicating with us.

Please read this Privacy Statement carefully as it applies when you visit our site or use our service. This Statement is applicable exclusively to our site (inclusive of our ADR channels – RetailADR, AviationADR, UtilitiesADR, Consumer Arbitration, Data Arbitration and CommsADR), and not to other websites that may be viewed by users via links present on the site.

We do update this Statement from time to time so please do return and review this regularly.

This Privacy Statement explains how we obtain and utilise your personal data. All your personal data shall be held and used in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and national laws implementing GDPR and any other legislation relating to the protection of personal data.

  1. Collection and use of personal information

You provide us with the information we collect and use about you. If you ask us to look into a dispute you have with a company, we will ask you to authorise them to provide us with their side of the story. They will provide any relevant information about you, your account(s) the goods or service etc.

We collect personal data in order to provide and operate our service effectively. We additionally collect data of third parties and prospective employees. We will only collect the minimum personal information needed to complete a task and will not collect information just in case.

We will take care of your personal data and will only use it to process your enquiry or investigate your complaint and to help us improve service quality. Following completion of the complaint investigation, your information may be used as the basis for creating an anonymous case report and this may, in turn, be used to build scenarios for training and reporting purposes but these will contain no personal information.

The personal data we collect includes:

  • Full name
  • Full address
  • Email address
  • Mobile and/or landline telephone number

Information received from your device or software may also be collected and stored.   This information can include an IP address, browser type, domain names, access times and website address.

  1. How we obtain personal data

At points in our site, we invite or request you to submit your contact details or other information about yourself or your organisation, or to send us emails which will, of course, also identify you.

We collect personal data via electronic webforms or via phone or face to face contact.

We do record our telephone calls for quality and training purposes. You will be told about this in a recorded message before your call is put through to a member of staff. Calls that are recorded for these purposes will be kept secure, will not be disclosed outside of CDRL and will be deleted after a maximum period of 12 months. However, you are entitled to object to this and can choose to opt out of call recordings by following the instructions.


  1. Retention and deletion policy

When you provide us with your personal information we will only retain it for as long as we need to, to make sure that we have dealt with all aspects of your enquiry or complaint. In practice, this means that we will keep your name and address for a minimum of six months if you make an enquiry or submit a complaint which is deemed to be out of scope (as per the scheme rules).

Once we have archived your complaint and provided a determination to you, we will only store all personal data for 12 months. After this, the information will be deleted. All personal information held by CDRL will be deleted in a structured, secure and timely manner.

  1. Disclosure of your personal information

In order to process your complaint we shall usually need to disclose the personal information you send us to the company. We may then need to disclose it to a third party such as an independent expert, to help us determine the case.

To help us process our work we have contracts with companies who provide us with services such as IT support. Where they process your data for us our contract with them makes clear that they must hold it securely and only use it as we instruct them to. If your case raises issues which we think might be more appropriate for one of the regulators, we will only pass your information on with your consent.

Examples of the types of third parties we will engage with to provide our service are;

  1. Web developers who are specifically engaged in the development of World Wide Web applications, or applications that are run over HTTP from a web server to a web browser. Developers also assist in updating the software we use to process complaints.
  2. Phone system software and service providers who supply our telephone systems.
  3. Cyber security services, which complete checks and maintain our cyber security system.
  4. Printing services whom supply our printing machines and maintenance.
  5. Website hosts provide our server space and web services.


All such parties are required to maintain the confidentiality of your information by agreeing to provide adequate protections for personal data in line with GDPR and other data protection laws.


  1. Website

Your privacy is important to us. Our privacy policy is intended to give you confidence in the privacy and security of the personal information we obtain from you.

We promise to protect your privacy and treat the information you give us as confidential. Please note: We are not responsible for any use of your personal information you provide to third-party websites that may be accessed via our Website or Websites. We recommend that you review the privacy policy of any third-party applications or websites that you use.

  1. Changes to the privacy policy

Changes in this policy will be posted on our Website. You are advised to check our Websites regularly to view our most recent privacy policy.

  1. Access to your information

Clients and individuals have the right to access information held about them to ensure that such personal data is accurate and relevant for the business purposes for which it was collected.

To understand what personal information we hold, you will need to place a Subject Access Request in writing to Stephanie Lewis, our nominated Data Protection Officer, at We have one month within which to provide the information you request and will provide you a copy of the information free of charge.

  1. Our legal basis for processing

Under GDPR, the grounds which we rely upon to process your personal data are:

  • You may voluntarily provide us with your consent to process your data for a particular purpose.
  • It may be necessary for compliance with our legal or contractual obligations.
  • It may be necessary for the purposes of legitimate business – either we, or a third party, will need to process your information for the purposes of our (or a third party’s) legitimate interests, provided we have established that those interests are not overridden by your rights and freedoms, including your right to have your personal data secured.
  1. Incident handling

We will report all serious data breaches to the Information Commissioner’s Office (“ICO”) within 72 hours which result in the loss, release or corruption of personal data.

The definition of a serious breach is where CDRL’s data security has been compromised resulting in the loss or disclosure of a client’s personal or sensitive data which could prove detrimental to the individual’s financial, physical or emotional well-being. Detrimental effect would include information leading to;

  • Identify theft
  • Financial hardship
  • Insurance exclusion
  • Volume affected – 10 individuals

A non-reportable breach will be the compromise of CDRL’s data security resulting in the loss or disclosure of staff members’ personal data where there is no particular sensitivity and would not result in an individual being adversely affected.

All breaches are recordable and will be documented in our Personal Data Security Breach Log.

  1. Your rights

GDPR and other applicable data protection legislation afford you a variety of rights, we are obliged to tell you these rights include:

  • The right to be informed about how your personal data is being used (as per this Statement).
  • The right to access the personal data we hold on you.
  • The right to request we rectify any incorrect personal data we hold about you.
  • The right to request we delete your data, or stop processing it, in some circumstances.
  • The right to stop any unauthorised transfer of your data to a third party.
  • The right to complain to your data protection regulator with regards to the way in which we process your persona data — in the UK, the Information Commissioner’s Office.
  • The right to withdraw your consent. If you object to us processing your personal data, or if you have provided your consent to processing and you later decide to withdraw it, we will respect your choice in accordance with our legal obligations. Should you wish to exercise this right, please contact Stephanie Lewis, our nominated Data Protection Officer, at

Your objection (or withdrawal of any previously given consent) could mean that we are unable to perform the actions necessary to achieve a purpose. Please note you may also not be able to make use of our services without such information. After your consent has been withdrawn, we may still be able to process your personal data, only to the extent required or otherwise permitted by law. This is particularly in connection with exercising or defending our legal rights and/or meeting our legal and regulatory responsibilities.