Skip to content



Information about us 

The Common Framework is a limited company registered in England and Wales under company number 08036815, whose registered office is at 11 Hitchings Way, REIGATE, Surrey, RH2 8EN.  The main trading address of The Common Framework Limited is the same as its registered office.

The Common Framework Limited is registered as a data controller for personal data under reference A8321527 as defined by the Data Protection Act 1998 and the EU General Data Protection Regulation (GDPR), which will become the Data Protection Act 2018.

This notice states:

What information we capture (click to find out more)

we gather:

  • traffic data about systems and browsers (i.e. network addresses, and types of systems and brokers) through Google Analytics (more details here)
  • preferences for the EU cookie banner, mobile view, Captcha completion and a random traffic tracking cookie through the Jetpack application within WordPress (more details here)
  • cookie tracking for email engagement from Hubspot (more details here)
  • contact information (i.e. title/forename/surname, email address) through enquiries via the ‘contact us’ page (via WordPress), our tools (governed by the terms and conditions of the operating system used) and through our professional activities with clients (i.e. title/forename/surname, email address, phone numbers) (processed within the Microsoft Office 365 Cloud system and various operating systems used by staff
  • special category personal data through employment activities and undertaking applications for security clearances.

How we use the information (click to find out more)

we use:

  • information from Google Analytics to determine how people use our site
  • information from Jetpack to track site usage and manage customer experience (i.e. Cookie popups and Captchas)
  • contact details entered from WordPress to communicate with individuals/organisations who have made an enquiry
  • contact detailed within Microsoft Office 365 to undertake commercial activities related to the provision of our tools and services (e.g. managing projects and sending reports).​

Our legal bases for processing information (click to find out more)

Legal obligations – we will process contact details, special category data (relating to the employment of staff) and financial information in accordance with our legal obligations under:

  • Anti-Terrorism, Crime and Security Act 2001

  • Borders, Citizenship and Immigration Act 2009

  • Bribery Act 2010

  • Business Names Act 1985

  • Civil Evidence (Scotland) Act 1988

  • Civil Evidence Act (Northern Ireland) 1971

  • Civil Evidence Act 1995

  • Communications Act 2003

  • Companies Act 1985

  • Companies Act 1989

  • Companies Act 2006

  • Computer Misuse Act 1990

  • Copyright and Rights in Databases Regulations 1997

  • Copyright, Designs and Patents Act 1988

  • Copyright, etc. and Trade Marks (Offences and Enforcement) Act 2002

  • Corporate Manslaughter and Corporate Homicide Act 2007

  • Counter-Terrorism Act 2008

  • Criminal Evidence (Northern Ireland) Order 1988

  • Criminal Justice and Immigration Act 2008

  • Criminal Justice and Public Order Act 1994

  • Data Protection Act 1998

  • Digital Economy Act 2017

  • Disability Discrimination Act 2005

  • Electronic Communications Act 2000

  • Employment Act 2002

  • Employment Rights Act 1996

  • Enterprise Act 2002

  • Equality Act 2006

  • Evidence Act (Northern Ireland) 1939

  • Fraud Act 2006

  • General Data Protection Regulation

  • Human Rights Act 1998

  • Income and Corporation Taxes Act 1988

  • Income Tax Act 2007

  • Insolvency Act 1986

  • Insolvency Act 2000

  • Latent Damage Act 1986

  • Limitation Act 1980

  • Obscene Publications Act 1959

  • Obscene Publications Act 1964

  • Police and Criminal Evidence (Northern Ireland) Order 1989

  • Police and Criminal Evidence Act 1984

  • Privacy and Electronic Communications (EC Directive) Regulations 2003

  • Protection from Harassment Act 1997

  • Protection of Freedoms Act 2012

  • Race Relations Act 1976

  • Regulation of Investigatory Powers Act 2000

  • Sex Discrimination Act 1975

  • Sex Offenders Act 1997

  • Taxes Management Act 1970

  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

  • The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011

  • Value Added Tax Act 1994

  • Welfare Reform Act 2012

  • Wireless Telegraphy Act 2006

  • Work and Families Act 2006

Contract – where we have entered into a financial contract with you as a result of the sale of a product, we will process contact details and financial information to service that contract.

Consent – we will only process personal information for contact purposes, as a result of consent, when they have been provided from the contact page, or unless they have been provided to us through our applications for that specific purpose.  We use personal information provided by users within our applications for the service the user has requested.

Special conditions – we will only process special category personal data as required for employment of staff.

How we handle personal information (click to find out more)

all personal information that is captured as part of the provision of our services are logged within an asset register, subject to risk assessment, application of controls and only handled/retained for the requirements stipulated in legislation, regulation and/or contractual obligation.

For clarity, applicable legal obligations are considered first, then applicable regulations,  contracts and finally consent; in all cases, the most stringent requirements shall apply to information handling and retrieval of assets and where they are captured, processed, communicated and/or stored.

All personal data is processed in alignment with:

How long we will retain personal information (click to find out more)

We will retain all details of financial transactions for seven years, all personal contact information gathered from our commercial activities will be retained for a year after project completion (or a year after last contact).

Any other personal information shall be assessed to determine if there are any other retention requirements from law, regulation and/or contractual obligations relevant to it, and these will be complied with.

Where clients request it, we shall immediately securely erase any personal information in our care where the requestor is the data controller and the personal information has come from them.

Your rights relating to personal information (click to find out more)

you have a range of rights with regards to your personal information (detailed within, if you wish to exercise these rights, then please use the contact us page.

Who we share personal data with (click to find out more)

we use:

  • Microsoft for Cloud hosting of email and Sharepoint
  • WordPress for website hosting
  • Hubspot for customer details

We do not share any information with either of these organisations, but we do store and process personal data using these services.  We do not engage either organisation as a data processor for your personal data.

We will share information as required by law with government agencies, in accordance with those statutes.

Our policy towards transfer of personal information outside of the EEA (click to find out more)

we do not knowingly use any service or system that processes personal information outside of the European Economic Area (EEA).  We take all reasonable steps to ensure that processing of personal information occurs within this zone.

Our policy towards processing of childrens personal data (click to find out more)

we do not provide information society services or services for children.  As such, we do not take specific measures for children, although this privacy notice is designed to be understood by a child over the age of 13 years of age.