Privacy Notice

CSS Assure Privacy Notice

This Privacy Notice is v2.1 and is valid from 00:01hrs on 14th November 2023. It replaces and supersedes all other Privacy Notices associated with CSS Assure.

We take your privacy very seriously. This Privacy Policy details what personal data we collect and how we shall use it.

We are a member of the Ampa group. Details of how we share your data with other members of the Ampa group are set out below.


Changes to this Privacy Notice.

We continually review our Privacy Notice and update it where necessary. We advise that you regularly check our Privacy Notice for updates. We do not wish to bother you with lots of minor amendments, but where we make significant changes to our policy, we may contact you to inform you.


Our Name & Contact Details.

CSS Assure is a trading name of Cyber Security Strategies Limited. Our contact details are:

Cyber Security Strategies Limited T/A CSS Assure

No.1, 1 Colmore Square
B4 6AA


Data Protection Officer Contact Details.

In observance of the UK General Data Protection Regulation and the Data Protection Act 2018, CSS Assure have chosen to establish a Data Protection Officer. Should you wish to contact our Data Protection Officer regarding a data protection matter you can do so by emailing or writing to:

Data Protection Officer

CSS Assure

No.1, 1 Colmore Square


B4 6AA


Personal data categories we collect

We may process different kinds of personal data which we have categorised as follows:

  • Identity Data: This may include first name, maiden name, last name, marital status, title, date of birth and gender.
  • Contact Data: This includes email address and telephone numbers.
  • Technical Data: This includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our application and website.
  • Usage Data: This includes information about how you use our website, products and services.
  • Marketing and Communications Data: This includes your preferences in receiving marketing from us and your communication preferences.
  • Aggregated Data: This includes statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
  • Special Categories of Personal Data: This includes health and vulnerability related data that you may voluntarily share with us during the fulfilment of our services to you. We will always ask for your explicit consent to record and share Special Category Data.


For what purposes do we process personal data, and what are the lawful bases by which we process data?

CSS Assure is a Data Processor for all data processed by us or our sub-processors on behalf of our clients, for the following purposes:


For What Purposes Do We Process Personal Data?
“CSS Assure processes your data to…”
What is the lawful basis by which we process the data?
Assist clients in general management and implementation of their data protection policy and data management systems. N/A we process on behalf of our clients as controllers
Assist clients in the management of GDPR individual Rights Requests N/A we process on behalf of our clients as controllers
Assist clients in the managing of their data breaches N/A we process on behalf of our clients as controllers
Provide data protection training to clients N/A we process on behalf of our clients as controllers
Provide assurance maturity audit to clients N/A we process on behalf of our clients as controllers
Provide penetration testing to clients to establish the security of their systems. N/A we process on behalf of our clients as controllers
Provide a CISO service to clients N/A we process on behalf of our clients as controllers
Provide investigations into a cyber related event N/A we process on behalf of our clients as controllers



CSS Assure processes Personal Data as a Data Controller for the following purposes:


For What Purposes Do We Process Personal Data?
“CSS Assure processes your data to…”
What is the lawful basis by which we process the data?
Administer and communicate with business clients to provide our services Contract
Communicate with clients on matters where we have a legitimate Interest to do so (see legitimate interest section below), via email, telephone, SMS text, postal mail and push notifications; Legitimate Interest
Communicate news, events, activities, and services provided by CSS Assure to those who have consented; Consent
Inform existing clients about CS Assure’s new products and services; Legitimate Interest
Request specific consent to share information about specific aligned/similar products/services with specific fulfilment partners; Legitimate Interest
Conduct B2B marketing activities to prospective or existing customers; Legitimate Interest
Update clients about changes to how we process their personal data and/or new processing activities via email, telephone, SMS text, postal mail; Legal Obligation
Gather feedback for service and product improvement via email, telephone, SMS text, postal mail; Legitimate Interest
Share testimonials, case studies and feedback on our website and future marketing; Consent
Resolve complaints and/or disputes; Legitimate Interest
Collect payments or arrears should we have the need to do so; Legitimate Interest
Employee and contractor management Contract
Protect our organisation, staff, associates, suppliers, partners and clients; Legitimate Interest
Prevent, detect and investigate fraud; Legal Obligation
Prevent, detect and investigate crime; Legal Obligation
Comply with the law; Legal obligation
Fulfil our statutory or regulatory obligations; Legal obligation
Maintain our own accounts and records; Legal obligation
For reporting, analytics, and product/service improvement (including training); Legitimate Interest
Improve and maintain data accuracy or completeness; Legitimate Interest
Personalise the online experience; Legitimate Interest
Conduct market research. Legitimate Interest


What are our legitimate interests for processing your data?

Where we have used legitimate interest as the lawful basis for processing your personal data, we may use your personal data to:

  • Direct market products and services to you via post, emails, telephone, SMS text and push notifications where they are similar/aligned to our current products and services;
  • Maintain our own accounts and records, including recording any contact we have with you via post, emails, telephone, SMS text and push notifications;
  • Prevent, detect and investigate fraud;
  • Prevent, detect and investigate crime;
  • Fulfil our statutory or regulatory obligations;
  • Reporting, analytics and product/service improvement, (including internal training);
  • Resolve complaints and/or disputes;
  • Improve data accuracy or completeness;
  • Track your email engagement;
  • Personalise your online experience. This could include customising the content and/or layout of our pages for individual users, for both visitors and contributors;
  • Conduct market research. Including research on the demographics, interests, and behaviour of our customers in order to help us gain a better understanding of different audiences and enable us to improve our service. This research may be carried out internally by our employees or we may ask another company to do this work for us. Data will be anonymised to protect your data rights for research purposes.
  • Verify staff suitability and experience for employment.
  • Verify eligibility to work in the UK.


Sharing your personal data

CSS Assure may share your personal data externally to the business. Where we share your information, we shall do so for the following reasons:

  • Where we have your “Consent” to do so. Where we process your data under the consent lawful basis you have the right to withdraw consent. Please refer to “Your Right to Withdraw Consent” section below;
  • Where necessary to fulfil the services and/or products we are “Contracted” to provide to you;
  • Where we have a “Legal Obligation” and are required by law and to law enforcement agencies, judicial bodies, government entities, tax authorities or regulating bodies around the world, this includes communicating with you to update you about our privacy notice and changes to how we process your personal data;
  • Where we have “Legitimate Interest” to do so, including;
    • For the purposes listed in the “What are our legitimate interests for processing your data?” section above.
    • Where one of our registered trading styles and/or current associated Ampa Group businesses provides a product or service similar/aligned with our organisation’s aim to help clients maximise the potential of their data in a fair, lawful and transparent manner that we do not currently provide ourselves, or for reporting, analytics and service improvement purposes. Presently these include:
      • Shakespeare Martineau LLP (trading as Shakespeare Martineau, Lime Solicitors, Marrons Planning and Corclaim)
      • Shakespeare Martineau Scotland
      • Mayo Wynne Baxter LLP
      • Coadax LLP
      • Ampa Holdings LLP
      • Ampa Ventures Ltd
    • Where we believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites;
    • Where required for a proposed sale; reorganisation; transfer; financial arrangement; asset disposal; or any other transaction relating to our business and/or assets held by our organisation.
    • Where we outsource support functions of our organisations to trusted partners. The categories of these recipients include:


Categories Who we use Privacy Notice
IT support & systems provider Not presently used; although, we may choose to do so in the future N/A
Cloud based services & software Microsoft 365
Security Operations Centre Service Darktrace
Security and Compliance Platform Qualys
Outsourced telephone and web-based communications Moneypenny
Payment service providers Paypal
Web analytics service providers Google Analytics
Social Media Provider LinkedIn
X (Twitter)
Customer Relationship Management System Hubspot
Legal Support Providers Shakespeare Martineau LLP
Cookie Provider Cookiebot
Training and Compliance Documentation Platform Metacompliance
Cyber Security Contractor Periculo


Where we choose to share your personal data with 3rd Parties we will, where appropriate, ensure that they have signed a contract that requires them to:

  • Abide by the requirements of all relevant data protection and privacy legislation;
  • Treat your information as carefully as we would;
  • Only use the information for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation); and
  • Allow us to carry out checks to ensure they are doing all these things.

If you provide your data through a third party, we may share data with that lead provider in order to assist with the management of the services and to streamline client contact.


International Personal Data Transfer – Countries & Organisations.

CSS Assure may transfer personal data to countries outside of the UK. Specifically, we use data processors based in the Isle of Man, Gibraltar, France, Spain, Turkey and South Africa.

If data is transferred outside of the UK to a third country without a current ‘adequacy decision’ in place, CSS Assure will put in place an appropriate safeguard mechanism as described in GDPR Chapter 5, which obliges the recipient to protect your information to the same standard required by the UK General Data Protection Regulation.


Personal Data Retention Period

CSS Assure Ltd maintains a retention schedule which defines for how long we will store your personal data. We will only store personal data for as long as we have a legitimate need to retain it, either for statutory/legal reasons or because we need the data to be able to provide you with services or for other legitimate business needs.

When we no longer need this information, we will anonymise your data and/or dispose of it securely.

A copy of our retention schedule is available by request to the DPO.

Personal data may be held in paper and/or electronic format. Email correspondence and any notes from meetings are stored electronically. We may also retain information in spreadsheets or other systems which assist us with administration.


The rights available to individuals in respect of the processing

Unless subject to an exemption under legislation, you have the following rights with respect to your personal data:

  • Your right of access.You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about your Right to Access here. In most cases CSS Assure Ltd will not charge for this service however we do have the right to charge an administrative cost should we feel the request is excessive (excessive means that you submit a subject access request multiple times for the same or similar information). Fees will not exceed £50. Information will be provided within 28 calendar days from the day you request it. We will take all reasonable steps to verify your identity before providing you with details of any personal information we may hold about you.
  • Your right to data portability.This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about your Right to Data Portability here.
  • Your Right to Withdraw Consent. If we are processing your data based on having your consent to do so, and you subsequently wish to withdraw your consent, you may do so and we will act on your instructions.

If you wish to exercise any of your individual rights, you can do so via the support team by emailing -


Automated decision-making, including profiling.

CSS Assure Ltd does not use currently use automated decision-making tools or profiling in the processing of your personal data.


Your Right to Lodge a Complaint with the ICO

You have the right to lodge a complaint with the UK’s Supervising Authority: The Information Commissioners Office. Prior to lodging a complaint, CSS Assure would like the opportunity to address any complaint you may have.

Should you have a complaint please in the first instance contact our Data Protection Officer by calling or writing to:

Data Protection Officer

CSS Assure

No.1, 1 Colmore Square


B4 6AA


If your complaint has not been resolved, you can lodge a complaint with the Information Commissioner’s Office via email or by writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
SK9 5AF.

Or by telephone on 0303 123 1113.