Privacy Policy

1. Introduction

The MRCA Association is committed to protecting the privacy and personal data of individuals who interact with the Association, including members, applicants, partners and website visitors.

This Privacy Policy explains how personal data is collected, used, stored and protected in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and related legislation.

2. Data Controller

The data controller responsible for processing personal data is:

MRCA Limited
Company number 17127856
Registered in England and Wales
16-17 Old Bond Street
Bath, BA1 1BP – United Kingdom

3. Data Protection Contact

For any questions relating to personal data or this Privacy Policy, individuals may contact the MRCA Data Protection Officer at: dpo@mrca.org.uk.

4. Personal Data Collected

The MRCA may collect and process the following categories of personal data:

• Identification and contact information (name, email address, professional contact details);
• Professional information (role, expertise, areas of activity, geographic markets);
Information provided as part of membership or certification applications;
• Technical data related to website usage (IP address, browser type, access logs);
• Any information voluntarily submitted through forms or communications.

The MRCA does not intentionally collect sensitive personal data unless strictly necessary for verification or compliance purposes.

Where identity verification is required, documentation is processed in accordance with the safeguards described below.

Identity Verification and Professional Due Diligence

MRCA requires government-issued photo identification as part of the application process for Verified status and certain professional designations, including the Chartered Programme.

Identity verification is conducted in order to:

  • Confirm applicant identity
  • Protect the integrity of the MRCA professional register
  • Prevent impersonation or misuse of credentials
  • Maintain trust in MRCA designation

Identity documentation is:

  • Used solely for verification purposes
  • Access-restricted to authorised personnel
  • Not publicly disclosed
  • Not used for commercial purposes

Identity verification documents are retained only for the time necessary to complete the verification process and are securely deleted thereafter. Identity verification documents are retained for a maximum of 60 days following verification.

Thereafter, only confirmation of verification status is retained within the member record.

Alternative verification methods may be considered where appropriate.

5. Purpose of Processing

Personal data is processed for the following purposes:

• Assessing and managing membership or certification applications;
• Maintaining accurate membership records;
• Communicating with members and applicants regarding MRCA activities;
• Ensuring compliance with MRCA professional standards and policies;
• Operating and improving the MRCA website and services;
• Meeting legal and regulatory obligations where applicable.

Personal data is not used for commercial marketing or third-party advertising purposes.

6. Legal Basis for Processing

Personal data is processed on one or more of the following legal bases:

• Consent provided by the individual;
• Performance of membership-related arrangements;
• Legitimate interests of the MRCA in operating a professional association;
• Compliance with legal obligations.

Identity verification procedures are processed under the MRCA’s legitimate interests in maintaining the integrity, credibility, and trust of its professional register.

Where consent is required, individuals may withdraw consent at any time.

7. Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory or professional requirements.

Retention periods may vary depending on the nature of the data and the individual’s relationship with the MRCA.

Identity verification documents are retained as described in Section 4.

8. Data Sharing

Personal data may be shared only where necessary and limited to:

• Service providers supporting MRCA operations (e.g. hosting, administrative tools);
• Legal or regulatory authorities where required by law.

The MRCA does not sell, rent or trade personal data to third parties.

9. International Transfers

Where personal data is processed or accessed outside the United Kingdom, appropriate safeguards are applied to ensure an adequate level of data protection in accordance with applicable laws.

10. Data Security

The MRCA implements appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction.

11. Individual Rights

Individuals have the right to:

• Access their personal data;
• Request correction of inaccurate or incomplete data;
• Request erasure of personal data, where applicable;
• Object to or restrict certain processing activities;
• Request data portability where applicable;
• Lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority, or with their local data protection authority where applicable.

Requests may be submitted to dpo@mrca.org.uk. Requests will be handled within one month in accordance with applicable data protection laws.

12. Cookies and Website Data

The MRCA website may use cookies or similar technologies to ensure proper functioning and to improve user experience.

Details regarding cookies are provided separately where required.

13. Changes to This Policy

This Privacy Policy may be updated from time to time.

The version published on the MRCA website shall apply.

14. Contact

For privacy-related enquiries, please contact: dpo@mrca.org.uk.