Privacy Notice and Data Protection Policy (GDPR)

R2B Training & Consultancy

Privacy Notice and Data Protection (GDPR)

At R2B Training & Consultancy we take data protection and privacy seriously. On this page you can choose the level of detail you need:

Read our Privacy Notice – How We Use Your Information (plain‑language summary for clients and participants).
Read our Data Protection Policy (GDPR) (full policy with detailed principles, roles and procedures).

R2B Training & Consultancy

Privacy Notice – How We Use Your Information

1. Who We Are

R2B Training & Consultancy (“R2B”, “we”, “us”) provides specialist training and consultancy services for investigators, enforcement officers and related professionals.

You can contact us about data protection at:

Email: admin@r2b.uk
Website: https://www.r2b.uk

2. What Information We Collect

We may collect and process:

Identity and contact details – name, job title, organisation, email address, phone number, correspondence.
Booking and participation details – course bookings, attendance, certificates, feedback, learning needs and related course records.
Accessibility and support information – information you choose to share about access needs or reasonable adjustments.
Business and finance information – organisation name, invoicing details and payment records (usually at organisation level, not card details).
Website and technical data – IP address, browser type, pages visited and similar analytics data, collected via cookies and similar technologies provided by our website platform (Wix) and, where enabled, tools such as Google Analytics. For more detail, see our Cookies Policy.

We only collect information we genuinely need to run and improve our services.

3. How We Get Your Information

We usually collect information:

Directly from you – for example, when you complete a contact or booking form, sign up for updates, attend training, or communicate with us by email or phone.
From your organisation – for example, when a manager or commissioner books places on a course and provides delegate details.
From our website and online tools – for example, through cookies and usage analytics where these are enabled and permitted.

4. Why We Use Your Information (Purposes and Lawful Bases)

We use your personal data for:

4.1 Providing Training and Consultancy

Managing enquiries, bookings, delivery, certification and follow‑up.

Lawful bases: contract (or steps prior to entering into a contract) and/or legitimate interests.

4.2 Running and Improving Our Business

Managing relationships, monitoring demand for courses, evaluating and improving our services.

Lawful basis: legitimate interests, balanced against your rights and interests.

4.3 Communication

Responding to enquiries, sending joining instructions, and (where lawful) sending information about relevant courses or services.
Lawful bases: contract, legitimate interests, or consent for certain marketing.

4.4 Legal and Regulatory Obligations

Accounting and tax, safeguarding, responding to lawful requests from authorities or regulators.
Lawful basis: legal obligation.

Where we process more sensitive information (for example, health information for accessibility), we only do so where an additional lawful condition applies (such as explicit consent or another condition under the UK GDPR/Data Protection Act 2018).

5. Who We Share Your Information With

We only share personal data where it is lawful and necessary. This may include:

Your employer or commissioning organisation – for example, attendance lists, evaluation summaries or certificates, where this forms part of the service.
Service providers who support our work – for example, email and cloud services, video‑conferencing platforms, website hosting, analytics and other IT providers.
Professional advisers – for example, accountants or legal advisers, where data is relevant to their work for us.
Statutory and regulatory bodies – where we are required to do so by law, for example HMRC or safeguarding bodies.

We do not sell personal data. Where third‑party providers process data on our behalf, we aim to ensure appropriate agreements and security measures are in place.

6. International Transfers of Personal Data

Where possible, we use UK‑ or EEA‑based services.
If personal data is transferred outside the UK/EEA (for example, by a cloud, email or analytics provider), we aim to ensure appropriate safeguards are in place, such as an adequacy decision or standard contractual clauses, in line with UK data protection law.

7. How Long We Keep Your Information

We keep personal data only for as long as necessary for the purposes described above, or to meet legal and regulatory requirements. Typical retention periods include:

Course and client records – generally up to 7 years after the last activity.
Financial records (invoices, receipts) – at least 6 years from the end of the financial year.
Routine correspondence – for as long as needed for the relevant matter.
Marketing contact details – until you opt out or we identify that details are clearly out of date.

When data is no longer needed, we delete it securely or anonymise it so that individuals can no longer be identified.

8. Your Data Protection Rights

You have several rights in relation to your personal data, including the right to:

Access – request a copy of your personal data and information about how we use it.
Rectification – ask us to correct inaccurate or incomplete data.
Erasure – ask us to delete your data in certain circumstances (“right to be forgotten”).
Restriction – ask us to limit how we use your data in specific situations.
Data portability – in some cases, receive your data in a structured, commonly used format or ask us to transfer it to another controller.
Object – object to certain types of processing, including processing based on legitimate interests and direct marketing.
Withdraw consent – where we rely on consent, you can withdraw it at any time.

To exercise these rights, please contact admin@r2b.uk. We may need to verify your identity before acting on a request.

You also have the right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data:

Website: https://ico.org.uk

9. How We Protect Your Information

We take appropriate technical and organisational measures to protect personal data, including:

Role‑based access controls and strong passwords.
Limiting access to those who need information to perform their role.
Using reputable, secure cloud and communications services.
Keeping software and security tools up to date.
Securely disposing of paper and electronic records when no longer needed.

Everyone working with or for R2B is expected to handle personal data carefully and in line with this Privacy Notice and our Data Protection Policy (GDPR).

10. Language and Accessibility

We aim to align our materials with the Plain English approach and recognised accessibility requirements wherever possible, so that legal and procedural concepts are presented clearly and can be used in practice by a wide range of learners.
We strive to avoid unnecessary jargon, explain essential technical terms, and present information in accessible formats, while retaining statutory terminology where this is necessary for legal accuracy. If you notice any mistakes, unclear wording or have suggestions for improvement, please contact us at admin@r2b.uk.

11. Updates to This Privacy Notice

We may update this Privacy Notice from time to time, for example to reflect changes in law, guidance or our services.
The latest version will always be available on our website and will show the date of the most recent update.

For more detailed information about how we handle personal data, including principles, roles and breach procedures, see our Data Protection Policy (GDPR) below.

R2B Training & Consultancy

Data Protection Policy (GDPR)

1. Purpose

This policy sets out how R2B Training & Consultancy collects, uses, stores and protects personal data in line with UK data protection law.

It explains our responsibilities, the rights of individuals, and how we handle personal data fairly, lawfully and transparently.

2. Scope

This policy applies to:

all R2B staff, associates and contractors
all personal data we process in the course of our training, consultancy and business activities
personal data relating to participants, clients, enquirers, suppliers and other contacts

It covers personal data held in any format, including paper records, emails, documents, databases, messaging platforms and online systems.

3. Legal framework

This policy is based on:

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Privacy and Electronic Communications Regulations (PECR)

It should be read alongside:

Equality, Diversity and Inclusion Policy
Safeguarding and Safer Working (Adults) Policy
Modern Slavery and Human Trafficking Policy
Complaints and Concerns Policy

4. Key definitions

Personal data: any information that identifies, or could identify, a living person (for example, name, email address, phone number, job title, IP address).
Special category data: more sensitive personal data (for example, health, racial or ethnic origin, religious beliefs, sexual orientation) that requires additional protection.
Processing: anything done with personal data, including collecting, storing, using, sharing or deleting it.
Data subject: the person to whom the personal data relates.
Data controller: the organisation that decides why and how personal data is processed (R2B in this context).
Data processor: an organisation that processes data on behalf of R2B (for example, cloud service providers, mailing platforms).

5. Data protection principles

R2B will ensure that personal data is:

Lawful, fair and transparent – we process data on a valid legal basis and explain what we do with it.
Collected for specified, explicit and legitimate purposes – we use data only for clear, stated reasons.
Adequate, relevant and limited – we only collect what we genuinely need.
Accurate and kept up to date – we take reasonable steps to correct or remove inaccurate data.
Kept no longer than necessary – we keep data only for as long as it is needed for the stated purpose or legal requirements.
Secure – we protect data against unauthorised or unlawful processing, loss, damage or destruction.

We are also accountable for demonstrating that we comply with these principles.

6. Lawful bases for processing

R2B will only process personal data where at least one lawful basis applies, including:

Consent – the individual has given clear, informed consent (for example, to receive marketing emails or be recorded in a session).
Contract – processing is necessary to deliver a service or take steps before entering into a contract (for example, course bookings, issuing invoices).
Legal obligation – processing is required by law (for example, tax and accounting records, safeguarding reports).
Legitimate interests – processing is necessary for our legitimate business interests (for example, maintaining contact with clients, evaluating and improving services) and does not override individuals’ rights.

For special category data (for example, health information for reasonable adjustments, optional diversity monitoring), we will only process where an additional condition applies (such as explicit consent or substantial public interest).

7. What data we collect and why

The types of personal data we may collect include:

Course participants and clients

name, job title, organisation
contact details (email, phone)
booking and attendance information
course feedback, assessment or certification details
accessibility needs or other relevant information provided voluntarily
invoicing and payment details (usually at organisation level)

Staff, associates and contractors

contact and identity details
contractual and payment information
qualifications, references and (where appropriate) DBS details
records of work carried out for R2B

Suppliers and professional contacts

names and contact details
business and invoicing information

Website and online services

technical data such as IP addresses, browser type and pages visited, via cookies and analytics tools (where enabled)

We use this data to:

deliver and manage training and consultancy
maintain business relationships
manage bookings, payments and records
meet legal and regulatory obligations
communicate about services, updates and opportunities, where lawful to do so

8. Sharing personal data

R2B will only share personal data where it is lawful and necessary, for example:

with clients/commissioners (for example, attendance lists, evaluation summaries, certificates)
with venues or caterers (for example, names for registers, essential dietary requirements)
with professional advisers (for example, accountants, legal advisers)
with service providers acting on our behalf (for example, email, cloud storage, video‑conferencing platforms)
with statutory bodies where required by law (for example, HMRC, safeguarding authorities, police)

Where third parties process data on our behalf, we will ensure there is an appropriate written agreement and that they implement suitable security measures.

We do not sell personal data.

9. International transfers

Where possible, we aim to store and process data within the UK or European Economic Area.

If data is transferred outside the UK/EEA (for example, through international cloud services), we will ensure that appropriate safeguards are in place, such as:

adequacy decisions; or
approved contractual clauses or equivalent protections.

10. Retention and deletion

We keep personal data only for as long as necessary for the purposes for which it was collected or to meet legal obligations.

Typical retention periods include:

course and client records: generally up to 7 years after the last activity
financial records (invoices, receipts): at least 6 years from the end of the financial year
routine communications: for as long as needed for the relevant matter
marketing data: until consent is withdrawn or data is clearly outdated

When data is no longer needed, we will delete it securely or anonymise it so it can no longer identify individuals.

11. Individual rights

Individuals whose data we process have the following rights:

Right of access – to request a copy of their personal data and information about how it is used.
Right to rectification – to have inaccurate or incomplete data corrected.
Right to erasure – to request deletion of personal data in certain circumstances.
Right to restrict processing – to ask us to limit how we use their data in specific situations.
Right to data portability – to receive certain data in a structured, commonly used format or have it transferred to another controller (where applicable).
Right to object – to object to processing based on legitimate interests or for direct marketing.
Rights related to automated decision‑making and profiling – R2B does not currently use automated decision‑making that produces legal or similarly significant effects.

Requests to exercise these rights should be made using the contact details in section 16.

We may need to verify identity before responding.

12. Security of personal data

R2B takes appropriate technical and organisational measures to protect personal data, including:

using strong passwords and access controls
restricting access to data to those who need it for their role
using reputable, secure cloud services and tools
keeping software and security tools up to date
secure disposal of paper and electronic records when no longer needed

Everyone working with or for R2B must handle personal data carefully and follow this policy.

13. Personal data breaches

A personal data breach is any security incident that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If a breach is suspected or identified, R2B will:

act promptly to contain and assess the incident
take reasonable steps to reduce any potential harm
keep a record of the incident and actions taken
notify the Information Commissioner’s Office (ICO) within 72 hours where required by law
inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms

All staff, associates and contractors must report actual or suspected breaches immediately using the contact details in section 16.

14. Roles and responsibilities

Business owner / Data Protection Lead

overall responsibility for data protection compliance and this policy
handling queries, requests and complaints related to data protection
deciding when to report incidents to the ICO or other bodies

Staff, associates and contractors

follow this policy and any related guidance
only access personal data that is necessary for their role
keep data secure and confidential
report suspected breaches or concerns without delay

R2B is not currently required to appoint a formal Data Protection Officer; this will be kept under review.

15. Training and awareness

R2B will provide proportionate data protection awareness for staff and associates, including:

access to this policy
guidance on handling personal data securely
updates where there are significant changes in law, practice or systems

16. Contact and complaints

For questions about this policy or to exercise your data protection rights, please contact:

R2B Training & Consultancy
Email: admin@r2b.uk
Website: https://www.r2b.uk

If you are unhappy with how we handle your personal data, you can also contact the Information Commissioner’s Office (ICO):

Website: https://ico.org.uk

17. Monitoring and review

This policy will be reviewed at least annually, or sooner if there are significant changes in law, guidance or our activities.

Any updates will be communicated to staff and associates and, where relevant, updated on our website.

Document information

Policy owner: R2B Training & Consultancy
Effective date: March 2026
Review date: March 2027
Contact: admin@r2b.uk | 07935 837 937 | https://www.r2b.uk

Data Protection Policy GDPR

Privacy Notice - How We Use Your Information