This is the Privacy Policy of OPP Limited, a company registered in England and Wales (registered number 2218212) whose registered offices are at Elsfield Hall, 15-17 Elsfield Way, Oxford OX2 8EP, UK (OPP) together with the European branch offices of OPP Limited (including OPP France, OPP Netherlands and OPP Germany). When we refer to “OPP”, “we”, “us” and “our” we mean OPP Limited and our European branch offices, as the controller or processor of data, as applicable.  

Introduction

OPP is committed to protecting and respecting your privacy, and to acting in compliance with current data protection legislation including the General Data Protection Regulation (EU) 2016/ 679 (GDPR). 

This Privacy Policy sets out how we handle data, including how we collect, store and use personal data, our legal bases for processing your personal data, information on transfers to third parties and international transfers, as well as your rights as a data subject. This version has been updated to reflect the strengthened rights of individuals under GDPR, to make it easier to understand and to provide more fairness and transparency to you by making additional information available. There is a Contents section at the beginning with quick links and a Glossary of terms at the end, to help you to navigate through the Privacy Policy and find information more quickly and easily.  There are also information boxes at the start of each section to summarise what is in each section.

Our approach to privacy

We adopt a layered approach to privacy and data protection:
  • This Privacy Policy sets out how we handle personal data.
  • We also use privacy notices at various points on our website and other systems where personal data is collected. These privacy notices appear as pop-ups or within forms for completion at data collection points. 
  • Our Data Protection Statement sets  out our commitment to GDPR and gives an overview of how we approach data protection and privacy generally, including the principles we adhere to.
  • Our Cookies Statement sets  out information relating to our use of cookies and you can manage your cookie preferences via our Manage your Cookie Preferences page. 
  • You can manage your marketing preferences via our Manage your Marketing Preferences page which  also enables you to opt-out of marketing communications. 

Contents

This Privacy Policy comprises:

  1. Who we are and other important information
  2. What personal data we collect
  3. How and when we collect your personal data
  4. How and why we use your personal data
  5. Who we transfer your personal data to
  6. International transfers of personal data
  7. How we keep your data secure
  8. Data retention and anonymisation
  9. Your legal rights
  10. Changes to your personal data
  11. How you can obtain personal data we hold about you
  12. How you can contact us and your right to complain
  13. Governing law
  14. Status of this Privacy Policy and Changes
  15. Glossary of terms 

1. Who we are and other important information

This section explains where this Privacy Policy is applicable and who we are and other important information including on our relevant supervisory authority and parent company.

This is the Privacy Policy of OPP Limited.  It sets out how we collect and process personal data through use of our products and services, use of our website, completion of our psychometric assessments, and other collection of personal data related to our business as provider of business psychology services.  Our psychometric assessments are designed for adults and therefore our assessments and websites are not intended for children (under 16 years of age) and we do not knowingly collect data relating to children.

This Privacy Policy also covers the European branch offices of OPP Limited (including OPP France, OPP Nederlands and OPP Germany). When we refer to “we”, “us” and “our” we mean OPP Limited and our European branch offices, as the controller or processor of data, as applicable.  Translated versions of this Privacy Policy are available in the following languages: French, Dutch, Flemish, Walloon, German, Danish and Russian.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing data protection matters. Our DPO is a member of OPP’s Board of Directors. Section 12 tells you  how you can contact OPP and the DPO. Our DPO is supported by a multi-functional data protection team.

OPP is registered with the UK Information Commissioner’s Office (ICO) under registration number Z7311902.  The ICO is the relevant Supervisory Authority for OPP Limited and its European branch offices (including OPP France, OPP Nederlands and OPP Germany).  Section 12 tells you how you can contact the ICO.

OPP is part of the CPP group of companies, including our parent company in the United States, CPP, Inc.  CPP’s Privacy Policy can be viewed at www.cpp.com.  CPP complies with the EU-US Privacy Shield Framework and Swiss-EU Privacy Shield Framework governed by the US Department of Commerce and has certified that it adheres to the Privacy Shield Principles.  CPP’s certification can be viewed at www.privacyshield.gov.

CPP’s EU Representative in respect of its obligations under GDPR is CPP Oriel Limited, a subsidiary of CPP, registered in England and Wales under registered number 10192555, and registered with the ICO under registration number A8191002.  The CPP EU Representative and its designated person can be contacted at dleurep@cpp.com.

2. What personal data we collect

This section explains what types of personal data we might collect from you and the classification of this data (section 2.1). It includes information on any special category data (data which you might consider particularly sensitive) that might be collected (section 2.3).

2.1 Whether you are a customer, supplier or other business contact, respondent, or staff, we will collect and use your personal data in the manner and for the reasons set out in this Privacy Policy.  We collect most personal data directly from you however if we collect personal data indirectly, we refer to this explicitly in this Privacy Policy.  We have listed the types of personal data likely to be collected from persons according to the relationship that person has with us as follows:

Customers and suppliers (including individual contractors) and other business contacts

  • Identity data (including full name, username or similar identifier, title/ gender, job title, role, seniority)
  • Contact data (including billing address, delivery address, email address, telephone numbers)
  • Financial data (including bank account, payment card details)
  • Transaction data (including details about payments to and from you and/or your organisation and other details of products and services you have purchased from us)
  • Technical data (including internet protocol (IP) address, login data, browser type and version and other technology on the device used to access our websites)
  • Profile data (including username, password, purchases or orders made by you, your interests, preferences, feedback and survey responses)
  • Usage data (including information about how you use our websites, products and services)
  • Marketing and communications data (including your preferences in receiving marketing from us and your communication and cookie preferences)

Data will be collected in order for customers, suppliers and other business contacts to receive or supply products and services, as applicable, to manage contractual relationships on an ongoing basis, for account administration, and to provide updates and news about our products and services, events and other information that we think may be of interest to you. We also collect data through the use of cookies.  You can find more information on cookies in section 4.3 and our Cookies Statement.  

Respondents

Mandatory data:

  • Identity data (including full name, username or similar identifier, title/ gender, region)
  • Contact data (including email address)

Non-mandatory data:

  • where provided within responses to optional questions on OPPassessment, our web-based scoring and delivery platform:
    • age
    • qualification
    • nationality
    • ethnic origin
    • employment status
    • occupational level
    • job type      

Data will be collected from respondents taking our psychometric assessment questionnaires to complete the questionnaire, and for scoring and report generation.  Additionally, where feedback is given and/or where you participate in an assessment or development centre or other consultancy engagement run by our Professional Services team, additional data to that set out above may be provided by you and this will be collected by a practitioner and/or associated organisation or our Professional Services team, respectively, and used for the purposes of provision of services. 

On occasion we collect special category data from respondents taking our questionnaires (where such optional information is given in response to non-mandatory questions prior to completion of the questionnaire e.g. ethnicity as above) and potentially within assessment centre or other consultancy engagements.  Collection of such special category data is optional and is only provided by the data subject themselves. Special category data is only used in aggregated and anonymised form for research and product development purposes (see sections 2.2 and 4.1).

Visitors to the OPP website

Data collected may include the following, where provided:

  • Identity data (including full name, username or similar identifier, job title, title/ gender)
  • Contact data (including email address, telephone numbers)
  • Technical data (including internet protocol (IP) address, login data, browser type and version and other technology on the device used to access our websites)
  • Usage data (including information about how you use our websites, products and services)
  • Marketing and communications data (including your preferences in receiving marketing from us and your communication and cookie preferences)

Simply visiting OPP's websites does not require you to reveal personal data although some cookies recording session data will be collected (see section 4.3 and our Cookies Statement). If however you ask us for information, register with us, sign up to attend any of our events or receive our marketing material or otherwise express an interest in our products or services or report a problem, we collect any personal data you submit to us. 

Recruitment candidates

  • Identity data (including full name, title/ gender, job title, role, seniority, qualifications, education)
  • Contact data (including address, email address, telephone numbers)
  • Technical data (including internet protocol (IP) address, login data, browser type and version and other technology on the device used to access our websites)
  • Other information where provided by the recruitment candidate

Data will be collected from recruitment candidates applying to us for employment.  Where the application is not made online, the data may only include identity data and contact information, plus other information a candidate provides. Candidates may request, from OPP HR, a copy of our Privacy Statement, which is provided to all employees at commencement of employment and which sets out the types of personal data, collection, uses, transfers to third parties and ex-EEA, and data subject rights.  

Staff

A Privacy Statement is provided to staff which sets out the types of personal data, collection, uses, transfers to third parties and ex-EEA, and data subject rights.  This is provided to all staff at commencement of employment.  Further information for staff will not be provided in this Privacy Policy; instead please contact OPP HR.

2.2 Special Category Data

Other than in respect of Respondents as above and OPP staff, we do not collect special category data (which includes details about race or ethnicity, religious beliefs, sex life or sexual orientation, trade union membership, health and genetic and biometric data).

2.3 If you fail to provide personal data

Where we need to collect personal data by law or under the terms of a contractual arrangement, and you fail to provide that data when requested as being mandatory, we may not be able to fulfil the terms of the contract or relationship that we have with you. 

3. How and when we collect your personal data

This section explains how and when we collect your personal data.

3.1 We may collect your personal data in the following direct ways: 

Customers and suppliers (including individual contractors) and other business contacts

Data will be collected: 

  • prior to, at commencement, and during the term of a contractual relationship when you request our products and services
  • when you complete forms on our site or for our products and services, including registering to use our site, subscribing to our services, posting material or using further services
  • when you enter a competition or promotion sponsored by us
  • when you contact us or report a problem to us, or provide feedback to us, or complete a survey
  • when you transact with us through our website or when you place orders with us over the phone or by email

Respondents

Data will be collected when you complete a psychometric assessment questionnaire via OPPassessment or otherwise. Data may also be collected from your associated organisation. Where feedback is given and/ or where you participate in an assessment or development centre or other consultancy engagement run by our Professional Services team, additional data to that set out above may be provided by you to the practitioner and/or associated organisation or our Professional Services team respectively, at the time of such feedback, assessment or engagement. 

Visitors to the OPP website

Simply visiting OPP's websites does not require you to submit personal data (although our cookies may collect certain personal data for statistical and analytical purposes). If however you ask us for information, register with us, sign up to attend any of our events or receive our marketing material or otherwise express an interest in our products or services or report a problem, we collect any personal data submitted to us at that time. 

We also collect data you share with us on blogs or chat forums at the time of submission of such data. This may be accessible to others and will be covered by our Acceptable Use Policy.

Recruitment candidates

Data will be collected from recruitment candidates at the time of applying to us for employment either online or by post or via an agency, and during any subsequent interactions as part of the recruitment process.  

Automated technologies or interactions

When you visit our websites and access resources on our websites, we may automatically collect Technical Data and Usage Data.  We collect this data via cookies including, where available, your IP address, operating system and browser type, for system administration. Our Cookies Statement  has more information on this.  You can manage your cookies via our Manage your Cookie Preferences page.

Third parties or publicly available sources

We may also collect personal data about you from third parties or publicly available sources including:

  • analytics providers (such as Google based outside the UK)
  • event organisers (such as BrightTALK, our webcast provider based in the UK, when you register for one of our events)

4. How and why we use your personal data

This section explains how we use your personal data (section 4.1) and how you may opt-out of marketing communications and how you can manage cookies.

It includes the legal bases on which we rely to process your data (section 4.2).

It also provides information on cookies (section 4.3).

4.1 How and why we use your personal data

Customers and suppliers (including individual contractors) and other business contacts

Personal data of customers (including Identity, Contact, Technical, Usage and Profile Data) will be used:

  • to provide you with products and services that you request from us
  • to manage our contractual relationship on an ongoing basis
  • for customer administration including carrying out our obligations arising from any contracts entered into between you and us and including retention of correspondence if you contact us
  • for us to form a view on what we think you may want or need, or what products, services or offers may be of interest to you (referred to as marketing) in order to provide you with information about our other products and services in which you may be interested, including our catalogue and our regular newsletter OPPinions, and, where relevant, information on organisations outside the UK who are authorised to offer OPP products and services, where you have not opted-out to be contacted for such purposes
  • to personalise our service to you, including ensuring that content from our site is presented in the most effective manner for you and your computer
  • to seek your views on products and services
  • to enable you to participate in interactive features of our service, when you choose to do so, including live chat features
  • for technical administration of our sites including notifying you about changes to our service
  • with further information on our products and services

Personal data of suppliers and other business contacts (including Identity, Contact, Technical, Usage and Profile Data) will be used:

  • to receive products and services
  • to manage our contractual relationship on an ongoing basis
  • for supplier administration including carrying out our obligations arising from any contracts entered into between you and us and including retention of correspondence if you contact us
  • to provide updates and news about our products and services as such may be relevant to the services you provide

You can manage your marketing and other contact preferences through our Manage your Marketing Preferences page. You will receive marketing communications from us if you have requested information from us or purchased products or services from us or if you provided us or one of our service providers (including event organisers such as BrightTALK (our webcast provider)) with your details and, in each case, you have not opted out of receiving marketing. Where you opt-out of receiving marketing messages, we may need to communicate with you for administrative or operational reasons and therefore whilst you use our products and services and continue to wish to do so, it is not possible to opt-out of all communications with us, and therefore an opt-out may not apply to personal data provided to us as a result of purchase of products or services or other associated activities or transactions.

Respondents

Personal data collected from respondents taking our psychometric assessment questionnaires will be used:

  • to provide, on request from practitioners and/or your associated organisation, personalised computer-generated reports from completion by respondents of our psychometric assessment questionnaires, including via our web-based scoring and delivery platform, OPPassessment, or otherwise.  Sometimes we may combine respondent data with that of other respondents, for example to create team reports
  • where feedback is given, for the purposes of the feedback session between the respondent and practitioner
  • where you participate in an assessment or development centre or other consultancy engagement run by our Professional Services team, additional data provided by you may be used for the purposes of provision of our services
  • for research and product development purposes. Such data is collected through completion of our psychometric assessment questionnaires, including via OPPassessment or otherwise, for research and product development purposes in order to produce statistics of the type described in our technical product manuals, e.g. psychometric norms and validity data. You may be asked, as part of the testing process, to give your consent to the use of your personal data for research and product development purposes, and to answer additional optional research questions. If you decline from doing so, certain data is not collected or used for research and product development purposes. If you do consent, the personal data collected may include special category data (as set out in section 2) where you have submitted such but this will only be disclosed to third parties or published in the form of aggregated data as also explained in section 2, so no person will be identified or identifiable.

Visitors to the OPP website

Personal data (including Identity, Contact, Technical and Usage) will be used to form a view on what we think you may want or need, or what products, services or offers may be of interest to you (referred to as marketing) in order to provide you with further information on our products and services. You can manage your marketing and other contact preferences through our Manage your Marketing Preferences page . You will receive marketing communications from us if you have requested information from us or if you provided us or one of our service providers (including event organisers such as BrightTALK (our webcast provider)) with your details and, in each case, you have not opted-out of receiving marketing. Where you opt-out of receiving marketing messages, this will not apply to personal data provided subsequently if you then choose to purchase products or services and in relation to other subsequent associated activities or transactions.

Recruitment candidates

Recruitment candidate data will be used for the purposes of assessment of suitability to a role, as part of the recruitment process.  If a candidate is then offered and accepts a position with OPP, any data collected prior to commencement of employment will then be dealt with in accordance with the OPP staff Privacy Statement.  

Aggregated data

We also use aggregated data, including (i) cookies data (see s 4.3 and our Cookies Statement) and (ii) respondent data taken from the respondent responses to our psychometric assessments and from the optional question responses completed prior to taking the questionnaires, for the purposes of research and product development.  Aggregated data used within our research and product development functions is derived from your personal data but no personal data will be published or disclosed since it is aggregated and anonymised for the purposes of research and product development, and therefore no person is identified or identifiable from such data.  

Analytics

We also perform analytics, such as trends, sales intelligence, marketing effectiveness (such as click and open rates), uptake and progress.  You can manage your cookie preferences through our Manage your Cookie Preferences page. 

4.2 Legal basis for processing data

The purposes for which we use your data are set out below - these are commonly referred to as the legal bases which we rely on to process your data.  We may process your personal data for more than one legal basis depending on the specific purpose for which we are using each element of data. Further information can be provided on request. Where legitimate interest is the legal basis, we identify what our legitimate interests are below. 

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending marketing communications to certain potential customers and where special category data is collected from respondents. Where consent is used as the legal basis for processing, you may withdraw consent at any time and section 9 has more information.

Purpose Lawful basis for processing
(including basis of legitimate interest)

Customers

  • registration of customer and management of relationship
  • providing updates on our terms
  • providing information on our products and services
  • seeking feedback on our products and services
  • enabling customers to participate in surveys and competitions
  • deliver relevant website content and advertisements to customers and measure or understand the effectiveness of the advertising we provide
 

Legitimate interest:

  • to provide products and services to our customers
  • to provide our psychometric assessments to our customers’ personnel
  • to monitor emails, call and other communications and activities related to your account to study how customers use our products and services
  • to keep our records updated
  • for good governance, accounting, and managing and auditing our business operations
  • to send you marketing communications
  • to grow our business and to inform our marketing strategy
  • to conduct research and product development to improve our products and services for the benefit of our customers and others

Customers

  • invoicing, managing payments, fees and charges
  • collecting and recovering money owed to us

 

Performance of a contract with customers
Performance of a contract with customers

Potential customers

  • contacting potential customers to ascertain interest in our products and services

Legitimate interest:

  • to send you marketing communications to ascertain your interest in provision of our products and services to corporate customers

Consent:

  • to send you marketing communications to ascertain your interest in provision of our products and services to consumer customers (including individual practitioners and sole traders)

Respondents

  • registration of respondent
  • completion of our psychometric assessments

Legitimate interest:

  • to provide our psychometric assessments and associated products to our customers’ personnel
  • to provide assessment or development centre services by our Professional Services team
  • for good governance, accounting, and managing and auditing our business operations
  • to keep our records updated
  • to conduct research and product development to improve our products and services for the benefit of our customers and others

Consent:

  • with respect to processing of optional special category data, to conduct research and product development to develop and improve our products and services
 

Suppliers and other third parties

  • registration of supplier and management of relationship

Legitimate interest:

  • to receive services in order to conduct our business and provide products and services to customers
  • to grow our business and to inform our marketing strategy
  • for good governance, accounting, and managing and auditing our business operations
  • to monitor emails, call and other communications and activities related to your account
  • to keep our records updated
 
Suppliers and other third parties
  • managing payments, fees and charges

Performance of a contract with suppliers and other third parties

Staff

  • provision of employment to staff and management of employer/ employee relationship

Performance of a contract with staff (relating to personal data generally)

Compliance with a legal right as employer (relating to special category data),

as further set out in staff Privacy Statement

Recruitment candidates

  • potential provision of employment

Legitimate interest:

  • to provide employment

Generally:

  • to administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
 

Legitimate interest:

  • to enable the running of our business, provision of administration and IT services and network security

Generally:

  • to use data analytics to improve our website, products/services, marketing, customer relationships and experiences

Legitimate interest:

  • to define types of customers for our products and services
  • to keep our website updated and relevant, to develop our business and to inform our marketing strategy

4.3 Cookies

We may use personal data collected by cookies for functional and analytical purposes, as set out in section 4.1. Please see our separate Cookies Statement for more information, including relating to those cookies which are strictly necessary for the provision of products and services to you. 

We use first party cookies set by ourselves only. Please note however that our website may include links to third party websites, plug-ins and applications. These websites, plug-ins and applications may use cookies over which we have no control. You may however restrict or block third party cookies through your browser settings and such blocking of cookies of third parties should not affect the functionality and use by you of our website. You can manage any cookies that OPP uses via our Manage your Cookie Preferences page.

5. Who we transfer your personal data to

This section explains who we might share your data with including where we transfer data to third parties for processing purposes.

5.1 We may have to share your personal data with third parties for processing or sub-processing purposes.  We undertake a selection process and periodic review in relation to processors and sub-processors. We may also share your personal data with controllers.  In general, our customers are controllers of both customer personal data and respondent personal data.  Our customers may be practitioners or organisations as set out in section 5.2.3. We enter into data processing agreements with both processors and controllers, as applicable.

5.2 We share your personal data with third parties and for the purposes as set out below:

5.2.1 Group affiliates (acting as processors):

  • other companies in our group of companies including our parent company and licensor, CPP, Inc. which is based in the US and which (i) provides resources in relation to IT, legal, HR, finance, marketing and Professional Services functions; (ii) contracts for shared IT and system administration services; as well as (iii) to fulfil internal reporting requirements

5.2.2 Third parties (acting as processors):

  • suppliers based in the US and EU who provide IT, database and system administration services as well as suppliers providing web, logistics or other services to you connected to the service we provide
  • licensors in the US and EU for scoring and report generation (including CPP, Inc.) in relation to our psychometric assessments 
  • associates and partners based in Europe who provide training services on our behalf
  • enquirers requiring information about practitioners’ certification
  • professional advisers including lawyers, bankers, auditors, debt collection agencies and insurers based in the Europe who provide banking, legal, insurance and accounting services
  • HM Revenue & Customs, regulators and other authorities based in Europe who require reporting of processing activities in certain circumstances 
  • suppliers based in Europe who provide analytics services
  • potential acquirers to whom our business or business assets may be transferred
  • law enforcement agencies or regulators where we believe, in good faith, that it is necessary to comply with the law or regulatory obligation or to protect the safety of OPP, our customers or their clients, or the public or to enforce or apply our terms of business or other contracts

5.2.3 Third parties (acting as controllers):

  • where a respondent completes one of our psychometric assessments under the direction of a practitioner, we will share the respondent’s results with that practitioner in order that they may give appropriate feedback to the respondent.  The practitioner may also share the results or a summary, with another practitioner within the same organisation employing the respondent, as applicable and with the organisation employing the respondent as applicable
  • where a respondent also attends an assessment or development centre and/or consultancy engagement run by our Professional Services team, personal data may be shared with the practitioner from our Professional Services team, with another practitioner within the same organisation employing the respondent, as applicable, and with the organisation employing the respondent as applicable
  • where respondent data is combined with that of other respondents, for example for the purposes of team reports, this may be similarly shared
  • enquirers requiring information about practitioners’ certification (including customer organisations by whom practitioners are employed)

5.3 We require all third party suppliers to respect the security of your personal data and to treat it in accordance with the law. We do not allow our suppliers to use your data for their own purposes, and we require that processing is in accordance with our instructions.  We enter into written data processing agreements with suppliers that receive personal data from us.

A list of third party suppliers to whom we transfer personal data can be seen here.

6. International transfers of personal data

This section explains where we transfer data outside the European Economic Area (EEA) and what safeguards are in place for those transfers.

6.1 We share your personal data with third parties as set out in section 5, some of whom may be located outside the EEA as follows:

  • other companies in our group of companies including our parent company and licensor, CPP, Inc. which is based in the US
  • suppliers who provide IT, database and system administration services, based in the US

Where personal data is transferred outside the EEA, we take all reasonably necessary steps to ensure that your data is treated securely and in accordance with this Privacy Policy and the requirements of the law.  Such measures include, where applicable, by ensuring that the recipients to which it is sent are (i) within countries where the European Commission has made an adequacy decision with respect to the data protection laws of such country, or (ii) certified under the EU-US Privacy Shield Framework or Swiss-US Privacy Shield Framework, or (iii) covered through the entering into of EU standard contractual clauses for transfers of data (also referred to as model contracts) or binding corporate rules, and monitoring such protections to ensure the adequacy of such measures. 

A list of third parties to whom we transfer personal data outside the EEA, together with the relevant safeguard mechanism can be seen here.

One such third party located outside the EEA that receives personal data from us is CPP, Inc., our parent company and licensor. CPP is located in the US and receives personal data for business operational and administration purposes, including customer, supplier, partner, employee and other third party data. In addition, CPP receives personal data that has been collected from the completion by respondents of certain of our psychometric assessment questionnaires, via our computer-scoring services (including our web-based scoring and delivery platform, OPPassessment), or otherwise, for the purpose of scoring the questionnaire. In this event, only mandatory data (as set out in section 2.1) is transferred to CPP.

CPP has entered into EU standard contractual clauses for transfers of data with OPP (also referred to as a model contract, updated in March 2018), ensuring appropriate safeguards. Furthermore, CPP complies with the EU-US Privacy Shield Framework and Swiss-EU Privacy Shield Framework governed by the US Department of Commerce and has certified that it adheres to the Privacy Shield Principles.  CPP’s certification can be viewed at www.privacyshield.gov.

7. How we keep your data secure

This section explains how we keep your data secure (section 7.1).

It also explains how you can help keep your own data secure by not sharing your username and passwords with others (section 7.3).

It also explains that third party sites linked to via our website are not covered by this Privacy Policy (section 7.4).

7.1 We are committed to ensuring the security of processing and the ongoing confidentiality, integrity, availability and resilience of systems and services as such relate to personal data that we hold, in order to prevent accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access. 

In our roles as both controller and processor, we implement appropriate technical and organisational measures to ensure a level of information security appropriate to the risk. Our IT infrastructure and software applications are built to provide secure deployment of services, encrypted storage of back-up data with end-user privacy safeguards, encrypted communications between services, and safe operation by customers. 

Respondent data is only accessible by certain OPP staff that support and administer the scoring and report-generation systems including our web-based scoring and delivery platform, OPPassessment. Respondent data access is based on a need to know basis.

7.2 Additionally, our staff, associates and consultants are bound to comply with confidentiality provisions and Privacy Statements, in addition to completing mandatory privacy and data protection training. We have various policies that specifically address responsibilities and expected behaviour with respect to the protection of confidential information.

7.3 We have procedures for incident and breach investigation and notification.  Where our assessment of the likely risk to the individuals involved concludes a breach of personal data may result in risk to the rights and freedoms of individuals, we shall promptly inform individuals (and associated controllers and the relevant supervisory authority where applicable) of any such breach, as required by law and in accordance with any contractual terms.    

7.4 You should note that where we have given you (or where you have chosen) a username and/or password which enables you to access certain parts of our websites, or use our products and services, you are responsible for keeping the username and password confidential. You should not share these details with anyone. 

7.5 This Privacy Policy applies only to information collected by OPP (including our European branch offices). Links within our website to third party sites, plug-ins and applications are not covered by this Privacy Policy.  If you link to other websites, we encourage you to read their own privacy policies. We are not responsible or liable for those policies. 

8. Data retention and anonymisation

This section explains how long we retain data for (section 8.1) including specific information on respondent data retention periods (section 8.2) and where we may anonymise data and retain it in the form of aggregated data (section 8.3).

8.1 We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected the data, including for the purposes of satisfying any legal, accounting or reporting requirements. 

The periods that we retain data for are set out in our internal Data Retention and Destruction Policy. This sets out the types of data that OPP collects and the retention periods and destruction methods for such data. 

To determine the appropriate retention periods for personal data, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the personal data and whether we can achieve those purposes through other means, together with applicable legal requirements, including certain statutory retention periods.  For example, by law, we have to keep: (i) certain customer and supplier information for seven years for tax and audit requirements (this period is 10 years in relation to OPP France and OPP Germany).

If you require further information on specific retention periods, please contact us (see section 12 for how to contact us).

8.2 In relation to personal data collected as a result of completion of our psychometric assessments by respondents (comprising personal data collected through our web-based scoring and delivery platform, OPPassessment, or other means) and as set out in section 2.1, such is retained for a period of 18 months, after which it is periodically anonymised (unless otherwise agreed with a customer in writing in which event the period may be shorter or longer than 18 months but in no event longer than 36 months). 

After such anonymisation, it is not possible to order new reports or reprints of previously ordered reports, since the personal data from the originating questionnaire and the report will have been deleted.  If you require a report for any candidate who completed a questionnaire more than 18 months previously, the candidate must complete a new questionnaire and submit it to for scoring and report generation in the usual manner. 

8.3 Any research data retained thereafter (in order to produce statistics of the type described in our technical product manuals, e.g. psychometric norms and validity data) no longer constitutes personal data as it is anonymised and aggregated on OPP systems prior to use for research and product development purposes.  This aggregated data is used for research and product development to improve our products and services, as well as for marketing, to develop and improve our products and services, and for strategic or other research purposes.  This aggregated data is derived from your personal data but does not represent personal data since it is aggregated and anonymised and therefore no person is identified or identifiable from such data.  Aggregated data may be used indefinitely without further notice to you. 

8.4 In some circumstances, you can ask us to delete your data (see section 9 on your right to erasure).

9. Your legal rights

This section explains your legal rights in relation to your personal data held by us, including your right to:

  • access your data
  • ask for correction of your data
  • ask for erasure of your data
  • object to our processing your data
  • request your data be transferred to a third party
  • withdraw consent where consent is the legal basis of processing.

It also explains how you can opt-out of direct communications and the consequences of this.

You have the right to:

  • Request access to your personal data (commonly known as a “subject access request” or “SAR”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.  We have a Subject Access Request policy which sets out in brief our process for dealing with SARs.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data. This enables you to object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent. You may withdraw consent at any time where we are relying on consent as the legal basis on which we process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdrew your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Where we are a processor in respect of your personal data, we will inform the relevant controller of your request and assist and co-operate with the controller for them to fulfil the request.

9.2 No fee

You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, if a request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee. Alternatively, in certain circumstances, we may refuse to comply with your request.  

9.3 Further information

We may need to request specific information from you to help us confirm your identity or verify your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. 

10. Changes to your personal data

This section explains what you should do if any of your data provided to us changes.

It is important that the personal data we hold about you is accurate and current.  In order for us to ensure this, please keep us informed of any changes at any time to the personal data that we hold about you.

11. How you can obtain personal data we hold about you

This section explains your rights to obtain information we hold on you and the process for doing so.

If you wish to request access to the personal data we hold about you, you can request this by writing to or emailing our Data Protection Officer – see Section 12 for details on how you can contact us. 

12. How you can contact us and your right to complain

This section explains how you can get in touch with us if you have any query about data protection or privacy matters.

It tells you who to contact if you have a complaint about how OPP handles data protection and privacy matters.

This is the Privacy Policy of OPP Limited including European branch offices (OPP France, OPP Netherlands and OPP Germany). 

If you have any questions about this Privacy Policy or data protection or privacy matters generally, please contact OPP’s Data Protection Officer: 

Email: dpo@opp.com 
Telephone: +44 1865 404500

or write to us at:

OPP Limited 
Elsfield Hall, 15–17 Elsfield Way
Oxford OX2 8EP, UK

Whilst we hope that you will not need to, if you do wish to complain about how we handle personal data, you may contact our Data Protection Officer as above. 

You also have the right to complain to the relevant data protection Supervisory Authority.  The UK Information Commissioner’s Office (ICO) is the relevant Supervisory Authority for OPP Limited and its European branch offices. We would appreciate the chance to deal with your concerns before you approach the ICO. You can however contact the ICO as follows:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF

Email: casework@ico.org.uk
Telephone: +44 303 123 1113
Website: www.ico.org.uk  

13. Governing law

This section explains the governing law which applies to this Privacy Policy and any changes according to applicable local laws.

This Privacy Policy is governed by English law and the place of performance of obligations will be England. Certain local laws may be different to English law and the GDPR. Please contact us for any local variations. 

14. Status of this Privacy Policy and Changes

This section explains when this Privacy Policy became effective and our right to change it from time to time.

This Privacy Policy is effective from 25th May 2018. It covers OPP Limited and its European branch offices in Europe (including OPP France, OPP Netherlands and OPP Germany). We may change it from time to time so please check regularly to keep informed of updates.

15. Glossary of terms

This section explains the meaning of certain terms used within this Privacy Policy.

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person 
Special category data means personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, including those revealing racial or ethnic origin, political opinions or trade union membership, genetic data, biometric data, data concerning health or a person’s sex life or sexual orientation
Controller means the natural or legal person, public authority, agency of body which alone, or jointly with others, determines the purposes and means of the processing of personal data
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law) 
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to
Customer means the organisation or individual who has contracted with OPP for provision of products and services 
Practitioner means an individual who is registered with OPP as qualified to administer one or more of our psychometric assessments to respondents, to interpret reports compiled from respondent responses and to provide feedback to respondents
Respondent means an individual who will take or has taken one of our psychometric assessments via OPPassessment or otherwise, through a practitioner and where applicable, associated organisation.