
Privacy Policy
Introduction
The ESG Institute Limited ("the Company", "we", "us") is committed to protecting the personal data entrusted to us and to using it only in accordance with applicable data‑protection legislation. This Privacy Policy explains how we collect, use, disclose, store and protect personal information in the course of our operations, including training, consultancy and research services. It also sets out the rights available to data subjects.
Legal Framework
The Company is established in the Isle of Man and is therefore subject to the Data Protection Act 2018 (Isle of Man), which gives direct effect to the United Kingdom General Data Protection Regulation (UK GDPR) via the Applied GDPR. Where we process personal data in the European Economic Area or transfer data to the EEA, we comply with the EU GDPR. We also observe relevant sectoral regulations, including the Telecommunications (Security) Act 2021 (IoM) for electronic communications and any guidance issued by the Isle of Man Information Commissioner.
Scope
This Policy applies to all personal data processed by the Company relating to clients, programme participants, employees, contractors, suppliers, website visitors and any other identifiable individual. It covers processing carried out in any location and by any means, including paper files, electronic systems, CCTV and portable devices.
Key Definitions
Personal data means any information relating to an identified or identifiable person. Special category data includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade‑union membership, genetic or biometric data, health data and data concerning a person’s sex life or sexual orientation. Processing covers any operation performed on personal data, such as collection, storage, alteration, disclosure or destruction.
Principles of Processing
We process personal data lawfully, fairly and transparently; for specified, explicit and legitimate purposes; only to the extent necessary; with accuracy; for no longer than necessary; and with appropriate security. These principles guide our decisions about what data to collect and how to handle it.
Lawful Bases
We rely on one or more of the following bases under Article 6 of the Applied GDPR: performance of a contract with the data subject; compliance with a legal obligation; legitimate interests pursued by the Company or a third party (balanced against the rights of the individual); consent where required; protection of vital interests; or performance of a task carried out in the public interest. Special category data is processed only where an additional condition in Article 9 applies, such as explicit consent or the fulfilment of employment‑law obligations.
Collection and Use of Personal Data
We collect personal data directly from individuals (e.g., when they register for a course, request information, apply for employment or sign up to a mailing list) and from third parties such as employers, referees or publicly available sources. The data collected typically includes name, contact details, role, organisation, payment information and course records. We use this information to deliver our services, manage relationships, administer the website, comply with legal duties, improve our offerings and, where permitted, send relevant communications. We do not sell personal data.
Data Sharing and Disclosure
Personal data may be shared with trusted third‑party service providers who perform functions on our behalf, such as IT hosting, payment processing, certification bodies and professional advisers. These parties are bound by confidentiality and data‑processing agreements. We may also disclose data where required by law, to protect vital interests or to establish, exercise or defend legal claims. International transfers outside the Isle of Man and the UK are made only where an adequacy decision exists or appropriate safeguards (such as standard contractual clauses) are in place.
Security Measures
We implement technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. Measures include encryption, access controls, secure email, regular penetration testing, staff training and incident‑response procedures. All employees and contractors are required to adhere to the Company’s Information‑Security Policy and to report any suspected data breach immediately to the Data Protection Officer (DPO).
Data Retention
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, to satisfy legal, accounting or reporting requirements, or to protect the Company’s legitimate interests. Retention periods are documented in the Data‑Retention Schedule. When data is no longer required, it is securely deleted or anonymised.
Data Subject Rights
Under the Applied GDPR, individuals have the right to: access their personal data; rectify inaccuracies; erase data in certain circumstances ("the right to be forgotten"); restrict processing; object to processing based on legitimate interests or direct marketing; and obtain data portability. No decision producing legal or similarly significant effects is made solely by automated means. Requests should be submitted in writing to the DPO, who will respond within one month, subject to extensions permitted by law.
Cookies and Online Tracking
Our website uses essential cookies to enable core functionality and analytics cookies to understand usage patterns. Where non‑essential cookies are employed, we seek user consent via a cookie banner. Cookie preferences can be adjusted at any time through the browser’s settings or the website’s cookie‑management tool.
Data Breaches
A personal‑data breach is any incident that compromises the confidentiality, integrity or availability of personal data. All suspected breaches must be reported to the DPO without delay. Where the breach is likely to result in a risk to individuals’ rights and freedoms, the DPO will notify the Isle of Man Information Commissioner within seventy‑two hours and, where required, communicate the breach to affected individuals promptly.
Contact Details
Questions, requests or complaints regarding this Policy or our data‑processing practices should be directed to:
Data Protection Officer
The ESG Institute Limited
21 Keeill Pharick Park
Email: mail@the-esg-institute.org
Individuals also have the right to lodge a complaint with the Information Commissioner, PO Box 69, Douglas, Isle of Man, IM99 1EQ (www.inforights.im) if they believe their data‑protection rights have been infringed.
Review
This Policy is to be reviewed every two years, or earlier if there are significant changes in law or our operations.
Latest update: June 30, 2025.
This Policy is non‑contractual and may be amended at the Company’s discretion.