Candor Group Limited Privacy Notice

Please read this Privacy Notice carefully as it contains important information to help you understand how and why we process any personal information that you give to us.

In this Privacy Notice the terms 'we' or 'us' mean Candor Group Limited trading as Candor Group, Cando, Cando Training and Candor.

We provide risk management and compliance support to law firms, estate agents, accountants and surveyors.

Your privacy is important to us and we are committed to keeping your information secure and managing it in accordance with our legal responsibilities under applicable data protection laws.

We are registered with the UK Information Commissioner's Office (ICO) as a data controller under registration number ZA382655.

The Information We Collect and Process

“Personal data” is any information that relates to you and that identifies you either directly from that information or indirectly, by reference to other information that we have access to. The personal data we collect, and how we collect it, depends upon how you interact with us. Categories of personal data that we collect include:

  • Contact information, including your address, email address and telephone number;
  • Name and job title;
  • Information about the organisation you work at;
  • Photographs and video or audio content that includes you;
  • Information about your professional qualifications and registrations (such as your SRA, CLC, ICAEW, FCA registration number);
  • Learning and development records (such as test results);
  • Data on how you use our main website and the online Cando compliance learning platform to improve our service to you;
  • Information you provide when requesting information or assistance from us;
  • Information on your and our services;
  • Technical information such as Internet Protocol (IP) address, browser type and version, time zone setting and location, browser plug in types and versions, operating system and platform and other technology on the devices you use to access our website;
  • Payment information and financial information, including bank details and bank account for the organisation you work for;
  • Other personal information such as your National Insurance Number and home contact details, such as your current and previous address(es) and employment history;
  • Identity information such as your passport, driving licence, utility bills, marriage certificate, Decree Absolute, Change of Name Deed, National Identity Card;
  • Financial details such as your salary; and
  • Employment/ self employment status.

We also collect and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

Special Categories of Personal Data

Special categories of personal data include information about any individual’s health and other categories of personal information which are closely protected.

We do not generally process such information, unless you have voluntarily provided this to us, or it is relevant to the compliance service you or the organisation you work for have asked us to provide you/ them with. For example, where we are advising you or the organisation you are working at on a disciplinary matter, you may advise us of health issues of you or someone in your organisation or the organisation you work at, to allow us to provide you with advice, or to prepare correspondence for the regulator or other third party on your behalf.

We will process sensitive information where you have provided this information to us and have agreed that we can use this information to deliver products and services to you. Where possible we shall seek to minimise the collection and use of such special categories of personal data.

More information on special categories of personal data can be found on the Information Commissioner’s website.

How We Collect Your Information

We use different methods to collect data from you and about you, including through:

  • Direct interactions. You may give us personal information as stated above by filling in forms or by corresponding with us by phone, email or otherwise.
  • Automated platform or interactions. As you interact with the Candor Group or Cando Learning website, we may automatically collect technical and usage information about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technology.
  • Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
    • Technical and usage information from analytics providers such as Google based outside the EU; and
    • Personal and identity information from other professional services such as estate agents or financial brokers, solicitors and accountants, and from publicly available sources such as Companies House and the regulators, including the SRA/ CLC/ ICAEW/ FCA and ICS.

How We Use Your Information

We only use your personal data fairly and where we have a lawful reason to do so.

We use your information to:

  • Provide risk and compliance consultancy services to you, your organisation or the organisation you work for;
  • Internal record keeping;
  • Arrange software and training in risk and compliance to you, your organisation or the organisation you work for;
  • Provide and service your relationship with us;
  • To promote and market the services of Candor Group, Cando Training and Cando;
  • To comply with our legal responsibilities to regulatory bodies;
  • To engage with partners and third parties that supply us goods and services;
  • To manage queries or complaints you or your organisation have about the services you receive from us;
  • To monitor the quality of service we deliver to you, and ensure it meets your expectations;
  • Improve our products and services;
  • Periodically send you promotional emails about new products or services, special offers or other information to the email address you have provided.

How We Process Your Information

We will process your information in order to meet our contractual obligations to the organisation you work at, where we have a legitimate interest to do so, where we are permitted by law or to comply with applicable laws and regulation. We rely on the following legal basis in these areas:


In some cases you will give us consent to use your information in a certain way. If you have given us consent to use your data in a certain way, and we have no other legal basis for doing so, we will rely on your consent. The activities for which we rely on your consent are:

  • Sending you marketing information including offers, and information about our service; and
  • Sending you updates on risk and compliance within your service area

You will always have the right to withdraw your consent at any time. If you wish to withdraw your consent please contact Priya Patel by email at

Legal Obligations

We will rely on our legal obligations to process information for the following purposes:

  • Complying with our responsibilities to regulators and under applicable legislation; and
  • Defending a legal claim

Performance of a Legal Contract

We will process information that relates to the services we are providing you, or receiving from you, or providing or receiving from the organisation you work at, that are bound by an Approval to Proceed or service contract. The areas of processing data to enter into, or fulfil, a legal contract are:

  • Delivering services to you under contract and keeping you updated with changes or information relating to those services;
  • When we are processing information from you to arrange a contract between us, such as when you give us your details to enter into an Approval to Proceed with us, including providing you with a proposal or fee estimate; and
  • Performance of any legal contract as a supplier or client.

Legitimate Interest

We may rely on legitimate interest to process your information. When we do this we will have assessed our legitimate interest to consider the rights and freedoms of the data subject, such as administering the service we provide to you or the organisation you work at, including invoicing or auditing.

We rely on legitimate interest to train our staff to meet the learning and development needs of our personnel.

We rely on legitimate interests in some cases to invite you to certain events, such as webinars or conferences. Our legitimate interest is to provide information to our clients and contacts that will support their use of our services that could be of benefit to them.

How Long Do We Retain Your Information

We will retain your personal information in accordance with applicable laws. We will protect your personal data and implement appropriate technical and organisational security measures to protect it against any unauthorised or unlawful processing and against any accidental loss, destruction, or damage.

We have robust information security management systems in place to protect your personal data.

We will take reasonable steps to destroy or anonymise personal information we no longer need for the purposes we have set out above.

  • All records held in paper format are returned to your organisation or destroyed immediately once we have provided the necessary service under our Approval to Proceed;
  • All electronic records of end client information are held for 6 years. Thereafter these are destroyed, unless you request that we retain these for a longer period;
  • We will retain any advice provided to you electronically for a period of 6 years; thereafter this will be destroyed;
  • We will retain firm specific information, including information on you or your personnel for 6 years from when the contract between us comes to an end;
  • We will retain information on financial transactions between you and us for a period of 7 years to comply with HMRC requirements to keep accurate records that can be audited; and
  • Contact information, such as your name and email address will be retained on our database with your consent and for one year following your withdrawal of any such consent.

Who We Share Your Information With

Where necessary or required, we share information with:

  • Regulatory authorities and law enforcement agencies to comply with our legal obligations, including the ICO, the police and intelligence agencies;
  • Professional advisers and consultants that help us manage our systems and services to achieve our objectives;
  • Our accountants and solicitors that are engaged to provide services required by law, such as filing financial information with HMRC;
  • Credit reference agencies to check your identity in accordance with our legal obligations;
  • Insurers for the purpose of providing you with appropriate financial cover for an identified insurable risk, or in connection with any claim made by you, your organisation or the organisation you work at against us;
  • Other third parties, provided you have given us consent to do so as part of the service(s) we deliver to you, your organisation or the organisation you work at, to fulfil our obligations to you;
  • Other Government Departments such as HMRC and Companies House to fulfil your and our legal obligations;
  • Experts and Barristers advising us on any particular issue that has arisen;
  • Our Auditors and external assessment bodies to achieve and maintain any regulatory or Quality Assurance Standards and accreditations which meet our legal obligations and enable us to provide exceptional services to you;
  • We may use data processors, such as software developers/ designers in the course of running the business including CRM providers, email communication platforms, social media platforms and help desk management systems;
  • We will use third party hosting providers to provision and host our software platforms; and
  • Storage and archiving providers to ensure your information is protected securely and backed up.

Transferring Your Data Outside the EEA

We do not routinely transfer data outside of the EEA. If it is necessary to transfer your personal data outside the EEA we will notify you of the reasons and the legal basis for doing so, any relevant risk assessments that we want to make you aware of, and the safeguards in place to protect your rights and freedoms.

You may access our Cando Learning Platform outside of the EEA by logging on using your web browser. You must ensure you are accessing the portal securely in accordance with your organisation’s information management and data security policies.


In order to ensure we maintain confidentiality in the services we provide please note:

  • We will only collect information that we believe to be relevant and required to understand your requirements and to conduct our business
  • We will use your client information to provide you with better services and products
  • We will not disclose your information to any external organisations unless in accordance with this Privacy Notice
  • We aim to keep your information up to date
  • We maintain strict security systems designed to prevent unauthorised access to your information by unauthorised parties, and
  • All our personnel with permitted access to your information are specifically required to observe our confidentiality obligations.

Your Rights

You have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
    You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
    You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    • if you want us to establish the data’s accuracy;
    • where our use of the data is unlawful but you do not want us to erase it;
    • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
    Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Complaints Process

If you have a complaint about how we have handled your personal information you may contact us using the details below and we will investigate your complaint.

You also have the right to complain to the Information Commissioner’s Office.

We may change the content or services found on our website and Learning platform at any time and without notice, and consequently our Privacy Notice may change at any time in the future.

Contact Us

You can contact us by writing to our Managing Director, Priya Patel (

Telephone enquiries can be made to 07985 772 999.