For the avoidance of doubt, where this policy refers to GSA, it applies to GSA Ltd and its subsidiaries.

The privacy and security of your personal information is extremely important to us. We are committed to ensuring that your privacy is protected, and we endeavour to use any information that you provide when using this website or our services in accordance with this privacy policy. This privacy policy explains what information we collect, how we process and protect any information you submit to us, and how we use it.

If you have any question regarding our privacy policy, please contact us.

Review of this privacy policy

We may update this privacy notice from time to time as necessary. This version was last updated on 3rd July 2024. If you have any question regarding our privacy policy, please contact us.


This privacy policy covers information that could identify you (“personal data”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information. It tells you about your privacy rights and how the law protects you. GSA are committed to protecting your privacy and the confidentiality of your personal information. Our policy is not just an exercise in complying with the law, but a continuation of our respect for you and your personal information. Our policy complies with UK law, including that required by the EU General Data Protection Regulation (GDPR). Except as set out below, GSA do not share, or sell, or disclose to a third party, any information collected through our website/portal.



Recorded, stored information irrespective of the medium by which it is recorded or on which it is stored. It may be on a computer or paper. Having been recorded in writing, it will still be an unlawful disclosure of data if it is subsequently given to someone directly or indirectly, verbally, on the telephone or even left on an answering machine.

Personal Data

Any information about an individual from which they can be identified, either taken on its own or combined with other information held by the data controller, or, in this case, the company. It may be factual data or an expression of opinion or intent. It may be something as simple as a telephone number or a piece of advice, such as (where X is data identifying the individual) “X is not right for this job” or “X should face disciplinary proceedings over this”. It does not have to be negative in nature and would still be personal data if it is complimentary or positive: “X is adjusting well to this difficult situation”.

Sensitive personal data

Data falling within particular categories of personal information, relating to any person’s: racial or ethnic origin; political beliefs, opinions, or affiliations; religious or some philosophical beliefs; membership or non-membership of trade unions; participation in, allegations pertaining to or the progress of or sentencing for any criminal acts or proceedings.

Data subject(s)

Any person to whom the personal information relates.


Global Secure Accreditation Limited is the controller and are responsible for your personal data (collectively referred to as GSA. “we”, “us” or “our” in this privacy notice)


Any action involving data including the passive retention of it. It denotes all stages from acquiring to disposing of data and all actions in between while the data processor is in control of the data such as recording, maintaining, storing, updating, or amending, disclosing, or deleting it.


GSA will ensure that all personal data is processed in accordance with the following fundamental principles. The company will:

  • Process personal data and sensitive personal data fairly and lawfully, in accordance with the data subject’s rights.
  • Ensure that personal data acquired for a specific purpose is adequate for and limited to that specific purpose.
  • Update personal data and instigate appropriate and proportionate procedures to keep it up to date.
  • Retain personal data no longer than necessary and destroy as appropriate.
  • Maintain personal data securely and instigate appropriate and proportionate procedures to prevent loss or misuse.
  • Carry out appropriate risk assessments for the transportation and delivery of personal data including transfer to a third party and/or outside the jurisdiction.
  • Facilitate access of all personal data held by the Company as lawful and appropriate, at no cost if information is concerning the data subject, and subject to exceptions at the request of a data which is ‘manifestly unfounded or excessive’ upon which payment of a fee will be reasonably determined by the Director of Services or Administration Head.

What information do we collect?

Personal information may be collected from you in various ways, for example:

  • Technical information regarding your computer and about your visits to and use of this website (this includes information about your browser, your IP address, your general location as determined from your IP address and provided by your browser, the site which you used, and the links followed when leaving our site, browser type and version, time zone setting, browser plug-in types and versions, screen resolution, operating system, and platform). This information is also collected through cookies. Please see our dedicated cookie policy for additional information.
  • When you register for our services and voluntarily provide information
  • When you voluntarily provide information to request additional information regarding our services or in response to questionnaires or interactive content, or to register for updates.
  • Via direct interactions, including but not limited to face-to-face meetings, telephone, and email or other digital means of contact.
  • When you conduct activities on our site (for example, when you purchase a product or service, we record what you purchased etc.} we may collect your name and contact details, details of your subscription to our services.
  • Cookies to track and optimise webpage behaviour. Should a person object, they are free to turn off cookies in their local browser.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and biometric data). Nor do we collect any information about criminal convictions and offences, other than as set out in our Recruitment Privacy Policy.

All information you provide to us is stored on our secure servers or those of our third-party data storage providers.

Technical and security information relating to hotels is stored separately, on a separate and discrete server, from all forms of personal and identifying information.

Data we process

We may collect, use, and store personal data about your identity and contact information, including information such as First Name, Last Name, Company, Email and Telephone details that you may have provided to us. This information will be used for the purposes of your enquiry. We may additionally use this information to understand your needs and provide you with a better service, and for the following reasons:

  • To supply subscribed services.
  • For statistical purposes and analysis for management purposes in order to administer the website or improve our products and services.
  • Internal record keeping, and administrative purposes, and to inform you about our events, services or products, or other related information that we think would be of interest to you, as explained above.
  • Adapting our products and services to better meet customer requirements.
  • To communicate marketing messages, newsletters and details of our business or the businesses of carefully selected third parties which we think may be of interest to you by post or email or similar technology (you can inform us at any time if you no longer require marketing communications)
  • To complete the Accreditation assessment process.
  • From time to time, we may also use your information to contact you for market research purposes or to customise the website according to your interests.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the service/subscription contract we are about to enter or have entered with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

Further information about the types of lawful basis that we will rely on to process your personal data is provided below:

  • Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
  • Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
  • Sometimes, we must process your information to comply with a statutory obligation.
  • For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. This may include your personal information.

Your information will not be disclosed to any third party unless you have given your consent to such disclosure. You may at any time ask us to refrain from sending you marketing messages by sending us an email with the words UNSUBSCRIBE in the subject box to [email protected], telephoning us or selecting UNSUBSCRIBE in all email outreach sent by GSA.

We may disclose aggregated statistics about our site visitors, clients, and sales to describe our services to prospective partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifying information.

Third-Party Services we use

We use the following third-party services to provide services to our customers:


GSA and partners use the PointerPro platform to allow customers (potential) to answer a series of questions on travel risk management to allow them to understand their travel risk and gain insight into the next steps. The deliverable is a generated PDF by the platform, and depending on entry point into the platform, GSA or partners may contact the customer for further service offerings.

We collect the following information: Name, Email Address, Organisation and Phone Number. This information is stored in the platform within AWS hosted in Ireland, EU. We use this information to deliver the report and contact the customer for any post questionnaire queries. This information and questionnaire answers will be kept for 6 months on the PointerPro platform before being deleted for our account.

Questionnaire answers (anonymised before use) may be used to generate trends / statistics in hotel travel risk.

Third-Party Services we may share data with

We use the following third-party services to track and monitor visitor flows and behaviour.

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage to help us measure the performance of our website. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. Google’s privacy policy is available in full at

Social Media Services

Some pages of our website may connect with the following social media services. These may use third party cookies to connect with your own account to provide personalised content. If you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter, or giving us a’+ 1′ via Google Plus, those social networks will record that you have done so and may set a cookie for this purpose.


We use functionality from Twitter to display personalised content or to allow you to share content with your followers. We do not have any direct access to personal information relating to your Twitter account. For detail on Twitter’s privacy policy please visit /


We use functionality from LinkedIn to share blogs, articles, and services to allow you to share content with your connections. We do not have any direct access to information relating to your LinkedIn account. For detail on Linkedln’s privacy policy please visit


We use functionality from Facebook to display personalised content or to allow you to share content with your followers including blogs, articles, and services. We do not have any direct access to personal information relating to your Facebook account. For detail on Facebook’s privacy policy please visit


We use functionality from Instagram to share images, posts, and services to allow you to share content with your connections. We do not have any direct access to personal information relating to your Instagram account. For detail on Instagram’s privacy policy please visit  Data policy | Instagram Help Centre

Email Communication Services

We may use third-party services to send emails, if utilised they will indirectly have access to a portion of your activity and some of your personal details. Once an email leaves our systems that we use directly, it may be routed through any number of other systems.

Third-party links

This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Compliance with the law

Our privacy policy has been compiled to comply with the law of every country or legal jurisdiction in which we aim to do business. If you think it fails to satisfy the law of your jurisdiction, we should like to hear from you. However, ultimately it is your choice as to whether you wish to use our website. By using our site, you consent to the collection and use of information by us.

Subject Access Requests

Under certain circumstances, all data subjects have rights under data protection laws in relation to your personal data. These include:

Request Access

All data subjects have the legal right to request details of information held about them by the company. This enables them to receive a copy of the personal data that we hold about them and to check that we are lawfully processing it.

Any subject access requests received by managers or other employees should be referred to the Office Manager. The company will respond to any subject access requests promptly, and in any event within a month of the request.

Data Correction

You have the right to require us to rectify any inaccurate personal information we hold about you. You also have the right to have incomplete personal information we hold about you completed, by providing a supplementary statement to us.

Erasure of Data

This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. If you would like us to destroy information held about you, please let us know. However, please note that if you use any of our services which require you to provide personal information, deleting our records will mean that you will need to resubmit it to continue using such services. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Processing Restriction

This enables you to ask us to suspend the processing of your personal data in the following scenarios:

(a) if you want us to establish the data’s accuracy.

(b) where our use of the data is unlawful, but you do not want us to erase it.

(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

(d) you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

All requests will be handled without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:

  • any requested information to clarify the request.
  • any information requested to confirm the requester’s identity.

Data Breach Notification

GSA shall immediately inform the relevant parties/entities in writing and by e-mail of any Personal Data Breach of which the Company becomes aware, but in no case longer than twenty-four (24) hours after it becomes aware of the Personal Data Breach. The notification to the relevant parties shall include all available information regarding such Personal Data Breach, including information on:

  • the nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records.
  • the likely consequences of the Personal Data Breach; and
  • the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

GSA shall promptly take all necessary and advisable corrective actions and shall cooperate fully with the relevant parties/entities in all reasonable and lawful efforts to prevent, mitigate or rectify such a breach.

Sale of Business

If our business is sold, we will transfer your personal information to a third party:

  • if we sell or buy any business or assets, we will provide your personal information to the seller or buyer (but only to the extent we need to, and always in accordance with data protection legislation); or
  • if GSA or the majority of its assets are acquired by somebody else, in which case the personal information held by GSA will be transferred to the buyer.

We process your personal information for this purpose because we have a legitimate interest to ensure our business can be continued by the buyer. If you object to our use of your personal information in this way, the relevant seller or buyer of our business may not be able to provide services to you.

In some circumstances we may also need to share your personal information if we are under a duty to disclose or share it to comply with a legal obligation.

Contact us

We welcome your views about our website and our privacy policy.

If you would like to contact us with any queries or comments, please send an e-mail to [email protected] or alternatively write to GSA, One Croydon, 12-16 Addiscombe Road, Croydon, CR0 0XT. To find out more about your rights under the GDPR, visit the Information Commissioner’s website (

Subscribe to our newsletter to keep up to date with all the latest news

Areas of interest

Marketing permissions

Please select all the ways you would like to hear from GSA Global:

You can unsubscribe at any time by clicking the link in the footer of our emails. For information about our privacy practices, please see our privacy policy.

We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices.