Privacy Policy

MBA Group takes the privacy of all its customers and website users very seriously and takes great care with customer and user information

 

Created: 2026
Latest Review/Update: 02/2025

This policy is reviewed on an annual basis

 

 

1.     VERSION CONTROL

 

Version	Author	Approved By	Comments	Date
1	E Harris	S Aintaoui	Document created to summary all privacy aspects across the Group, merged with Use of Cookies Policy.	02/2026

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

2.     PURPOSE

 

The organisation is committed to protecting the privacy and security of all personal data we process while providing Print, Digital Communications and related services. This Privacy Policy sets out how we process personal data both as a Data Controller and a Data Processor, in compliance with applicable data protection laws, including the UK GDPR, EU GDPR, the Data Protection Act 2018 and Data Use & Access Act 2025.

 

We also outline our approach to marketing, cookies, use of Artificial Intelligence (AI), and how we maintain security, confidentiality, and availability of information under ISO/IEC 27001:2022, Cyber Essentials and our AI governance aligned with ISO/IEC 42001:2023.

 

3.     OUR ROLE: DATA CONTROLLER AND DATA PROCESSOR

 

As a Data Controller

 

We act as a Data Controller for the personal data of:

 

• Clients (contact details, service history, estimates, contracts).
• Employees and Job Applicants (HR records, qualifications, employment history, copies of photo ID, background checks including references, DBS checks, credit checks, qualifications etc.).
• Suppliers and Contractors (contact information, contractual documents).
• Other Stakeholders who interact directly with our organisation (name, company, contact numbers, email addresses, communications).

 

We collect and use this data for:

 

• Contractual performance and business operations
• Legal compliance
• Internal HR management
• Financial processing and audit
• Communication and support

 

As a Data Processor

 

We act as a Data Processor when handling our clients’ data on their behalf. This includes:

 

• Storing, managing, and processing personal data provided by our clients as part of our service delivery.
• Operating strictly under client instructions and in accordance with contractual Data Processing Agreements (DPAs).
• Implementing appropriate technical and organisational measures to ensure data confidentiality, integrity, and availability.

 

4.     WHAT DATA WE COLLECT AND USE

 

Depending on your relationship with us, we may collect the following categories of personal data:

 

• Identity Data: Name, title, date of birth, job title
• Contact Data: Email address, phone number, postal address
• Employment Data: CVs, references, payroll info, HR records
• Client & Supplier Data: Contract details, service records, billing information
• Marketing Preferences: Opt-in/opt-out status, communications history
• Technical Data: Cookies, IP address, browser type, device information
• Usage Data: Website usage, clicks

 

5.     LEGAL BASIS FOR PROCESSING

 

We process personal data under the following lawful bases:

 

• Contractual necessity – for providing our services
• Legal obligation – for tax, employment, and regulatory compliance
• Legitimate interests – for business operations, fraud prevention, and service improvements
• Consent – for marketing and cookie usage (where applicable)

6.     SHARING OF DATA

 

It is important to note that the organisation does not sell or share your PII with third parties for third-party use. Any data shared with a third-party is only done so for the organisation’s marketing and sales purposes within the remit of a Data Controller (the Group) and Data Processor (supplier) relationship. In this circumstance, the Group ensures that data protection remains paramount and instructs strict data governance. For more information about our data protection procedures, please read the organisation’s Data Protection Policy

 

The organisation’s website may contain links to other third-party websites. the Group is only responsible for the privacy practices on this website and recommends you check the privacy policies and security procedures of every other website you visit.

 

As a Data processor, data will not be shared with any third parties, unless we have authorisation to do so from the Data Controller. We ensure that any third parties with whom we share data are bound by data protection obligations.

 

Based on the legal basis for processing, we may share personal data with:

 

• Service providers (e.g. HR, legal, payroll)
• Regulatory bodies and authorities when required by law
• Marketing platforms (with consent)

 

7.     INTERNATIONAL TRANSFERS

 

We will not transfer any data outside the UK or EEA unless instructed/authorised to do so and would ensure appropriate safeguards such as:

 

• Adequacy decisions
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules (BCRs)

 

8.     MARKETING

 

We may use your information to contact you about:

 

• New services
• Industry updates
• Events, webinars, or promotions

 

You will only receive marketing if you have provided consent or where legitimate interests apply. You can withdraw consent at any time by clicking “unsubscribe” or by contacting us.

 

Marketing Tools Used:

 

• Email campaigns
• SMS campaigns
• Video campaigns
• Social Media advertising
• Analytics tools

 

9.     USE OF COOKIES

 

In common with many other website operators, the Group uses a standard technology known as ‘cookies’ on their site.

 

Cookies are small files that are placed on your computer by your web browser. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

 

The Group’s use of cookies enables us to understand how frequently the website is visited from which areas of the world and at what times etc. This type of analytical information helps us to determine which are the most popular pages on our website and allows us to plan for periods of peak web traffic.

 

Most browsers automatically accept cookies, but you can usually change your browser to prevent cookies being stored. However, if you turn off cookies, this will limit the service that the Group and other website providers are able to provide you online.

 

The table below explains the cookies we use and why:

 

Cookie	Purpose
Cookie Banner	This cookie is used to control the appearance of the cookie’s information banner. This cookie is set on arrival to the site by default. It expires after a set time and is not set again unless a user changes their cookie settings.
Cookie Preference	This cookie is used to remember a user’s choice about cookies on the MBA Group website. This cookie is, by default, set on arrival to the site with a value of ‘True’.
Google Analytics	These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Click here for an overview of privacy at Google
YouTube Cookies	We will embed videos from our official YouTube channel (once launched) using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. Read more at YouTube’s embedding videos information page.

 

HOW TO CHANGE COOKIE SETTINGS

 

Most web browsers allow some control of most cookies through the browser settings.

 

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org  or www.allaboutcookies.org

 

10.   USE OF ARTIFICIAL INTELLIGENCE (AI)

 

We incorporate AI into our services to improve:

 

• Data Processing Efficiency
• Personalisation
• Predictive analytics
• Enhanced Digital Solutions

 

All AI systems are governed under our AI Framework aligned to ISO42001:2023. We maintain transparency, auditability, and fairness in AI operations and do not use AI for automated decision-making without human oversight.

 

Where AI is used to enhance digital services, personally identifiable information (PII) is not processed unless explicitly instructed by the data controller, based on their identified legal basis and legitimate interests for processing.

 

Individuals are advised not to input personally identifiable information (PII) into our digital services which use AI. Any PII that is voluntarily provided remains the sole responsibility of the individual. Such information may be processed by the AI tool to improve its functionality where a lawful basis, including legitimate interests, applies.

 

11.   SECURITY MEASURES

 

We maintain the confidentiality, integrity, and availability of data through our:

 

• ISO/IEC 27001:2022-certified Information Security Management System (ISMS)
• Cyber Essentials and Cyber Essentials Plus certification
• Encryption of data at rest and in transit
• Access control and authentication policies
• Regular staff training on data protection
• Incident detection and response protocols

 

12.   DATA RETENTION

 

We retain personal data only as long as necessary:

• To fulfil contractual or legal obligations
• In accordance with our retention policy
• Based on guidance from clients when acting as a Data Processor

 

After the retention period, data is securely deleted or anonymised.

 

13.   YOUR RIGHTS

 

You have rights under data protection laws, including:

 

• Access – request a copy of your data
• Rectification – correct inaccurate data
• Erasure – request deletion of your data
• Restriction – limit how we use your data
• Portability – receive your data in a usable format
• Objection – object to processing in certain cases
• Withdraw consent – for marketing or cookies

 

Should you wish to make a Subject Access Request (SAR), please find contact information below:

 

External Subject Access Requests: please write to:

 

Chief Compliance Officer

MBA Group Ltd

MBA House

Garman Road

London N17 0HW

 

If you are an employee and wish to make a SAR, please contact:

 

Group Head of HR

MBA Group Ltd

MBA House

Garman Road

London N17 0HW

Email: tcastiglione@mba-group.com

 

You can also contact us by using the form on our websites:

 

MBA Group Ltd                                            www.mba-group.com

VideoSmart Ltd                                            www.VideoSmart.com

Mabble Marketing – Intilery                      www.intilery.com

Studio Certain                                                                   www.studiocertain.com

 

14.   COMPLAINTS

 

If you are unhappy with how we handle your data, you may contact us directly or lodge a complaint with the relevant supervisory authority:

UK: Information Commissioner’s Office (ICO) – https://ico.org.uk

 

15.   UPDATES TO THIS POLICY

 

We review and update this Privacy Policy regularly to reflect legal or operational changes. The latest version will always be available on our website.

 

Sami Aintaoui

Chief Executive Officer