Cardinus is committed to protecting all personal data it holds irrespective of where it is located.

Cardinus supplies a variety of risk management software programs and consultancy services designed to assist in identifying and controlling risk. The aim is to comply with all relevant laws and policies. As such we receive and use customer employee personal data with the aim of enabling businesses to manage risk. We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining our customers’ confidence in us.

Any personal data which we collect, record or use in any way, whether it is held on paper, on computer or on other media, will have appropriate safeguards applied to it to ensure that we comply with the General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield Framework.

Cardinus uses a self-assessment approach to assure compliance with the GDPR and the EU-U.S. Privacy Shield Framework, and periodically verifies that this Privacy Notice is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible. Cardinus is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

What will we do with your information?

Personal data will not be used for purposes other than those for which it was collected, except where required by law. Personal data will be retained only if necessary for the fulfilment of those purposes.

There may be authorised third parties who have access to this data in order for Cardinus to supply these services, for example those providing data centre infrastructure or consultants providing telephonic or onsite assessments. Cardinus remains liable for any such third party’s compliance with its obligations.

Direct Marketing

We have a responsible marketing policy and do not give details of our customers or related individuals to any other company. We may contact customers by mail, e-mail or telephone with details of products and services offered by Cardinus. To opt-out of marketing activities please email [email protected] or contact us via

Our commitment to you

Cardinus commits to answer any queries about your privacy and its collection or use of your Personal Information and encourages interested persons to raise any concerns using the contact details below.

UK and Europe:
Data Protection Officer
Cardinus Risk Management Limited
22 Bishopsgate
United Kingdom
[email protected]

United States:
Data Protection Officer
Cardinus LLC
4725 Piedmont Row Drive Ste 600
NC 28210
United States of America
[email protected]

Europe & GDPR

In Europe and the UK, the lawful basis for Cardinus processing your personal data is legitimate interest, and it adheres to the 6 principles of data protection as set out in GDPR. These principles state that personal data must be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Our purpose for holding personal data and a general description of the categories of people and organisations to whom we may disclose it are listed in the Data Protection register. Special Category data is held under the following conditions as per article 9(2) of the GDPR.

Where we process and store special categories of data, we will take appropriate steps to evidence consent, and it is held under the following bases:

processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

and/or

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Further details of the GDPR can be found on the Information Commissioner’s Office website.

US & Privacy Shield

In the United States, Cardinus LLC complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Cardinus LLC has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

Under the EU-U.S. Privacy Shield, Cardinus LLC remains liable if its service provider or agent processes Personal Information received under the Privacy Shield in a manner inconsistent with Privacy Shield Principles, unless Cardinus LLC was not responsible for the event giving rise to the damage.

If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

To meet the requirements, Cardinus LLC will:

  • observe the conditions regarding the fair collection and use of personal data
  • meet our obligations to specify the purposes for which personal data is used
  • collect and process appropriate personal data limited only to the extent that it is needed to fulfil operational needs or to disclose and comply with any legal requirements, requests from law enforcement, or in the interest of national security.
  • ensure the quality of personal data used
  • apply strict checks to determine the length of time personal data is held
  • ensure that the rights of individuals about whom the personal data is held, can be accessed and fully exercised
  • take appropriate security measures to safeguard personal data
  • ensure that personal data is not transferred abroad without suitable safeguards.

Cardinus LLC has further committed to refer unresolved privacy queries under the EU-U.S. Privacy Shield Principles to an independent dispute resolution mechanism. If you have an unresolved privacy or data use concern that Cardinus LLC has not satisfactorily addressed, please contact your EU Data Protection Authority for resolution.

Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
