Cardinus Risk Management Privacy Policy

Cardinus is committed to protecting all personal data it holds irrespective of its form or where it is located.
Cardinus adheres to all data protection laws in the countries in which it operates and regularly reviews its controls and procedures to ensure continued compliance.

Cardinus offers various risk management software, services and products to organisations and individuals designed to help them identify and control their own organisational risks.

In offering these products and services, Cardinus will often need to process personal data on behalf of the instructing party (the client) with the specific aim of assisting them in understanding and reducing the risks they face.  When Cardinus collects, records or uses any personal data, all appropriate safeguards will be applied to ensure the relevant legislation is adhered to at all times.

What will we do with your information
Personal data will not be used for purposes other than those for which it was collected, except where required by law.  Personal data will only be retained for as long as is necessary to fulfil those purposes.

Who we share your information with
Cardinus do allow third parties access to certain personal data in order to fulfil their obligation in supplying certain services to its clients.  Any third parties granted access must commit to adhering to certain controls and procedures and accept joint liability with Cardinus for their actions when accessing personal data.
Cardinus shares data with data centres and invention assessors including consultants who carry out risk evaluations on their behalf such as ergonomists, driver trainers, surveyors, or personal safety advisors.

Direct Marketing
We have a responsible marketing policy and do not share details of our customers or related individuals to other companies. We may contact our customers by mail, e-mail or telephone with details of products and services offered by Cardinus if consent has been granted.  Consent can be withdrawn at any time by emailing [email protected] or contacting via the website

Lawful Basis
The lawful basis for Cardinus processing personal data is legitimate interest and adheres to key principles of data protection as set out in GDPR regulations and UK Data Protection Act 2018.

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Your Rights
Individuals have various rights under privacy legislation.  A summary of these rights is set out below

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

EU-US Data Privacy Framework
In 2023, the European Commission issued an adequacy decision on the EU-U.S. Data Privacy Framework (DPF). This new voluntary Framework, which replaces the Privacy Shield program, provides a mechanism for companies to transfer personal data from the EU to the United States in a privacy-protective way consistent with EU law.

Cardinus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Cardinus has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view Cardinus’ certification, please visit

Under the EU-U.S. Data Privacy Framework, Cardinus remains liable if its service provider or agent processes Personal Information received under the DPF in a manner inconsistent with its Principles, unless Cardinus was not responsible for the event giving rise to the damage.

If there is any conflict between the terms in this privacy policy and the DPF principles, the DPF principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit

Cardinus is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

To meet the requirements, Cardinus will:

  • observe the conditions regarding the fair collection and use of personal data
  • meet our obligations to specify the purposes for which personal data is used
  • collect and process appropriate personal data only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
  • ensure the quality of personal data used
  • apply strict checks to determine the length of time personal data is held
  • ensure that the rights of individuals about whom the personal data is held, can be fully exercised
  • take appropriate security measures to safeguard personal data
  • ensure that personal data is not transferred abroad without suitable safeguards.

Cardinus will only disclose an individual’s non-public personal information to third parties where required to the extent necessary to meet a legal obligation, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Cardinus commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO)) with regard to unresolved complaints concerning its handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

You may also have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms.  Additional information can be found here:

Questions and complaints
If you have any questions or complaints about our processing of your personal data, you can contact us in writing at the address or email below.

UK and Europe:
Data Protection Officer
Cardinus Risk Management Limited
22 Bishopsgate
United Kingdom
[email protected]
United States
Data Protection Officer
Cardinus LLC
4725 Piedmont Row Drive Ste 600
NC 28210
United States of America
[email protected]

Further information can be found at

Last Reviewed: 23 April 2024

Start typing and press Enter to search