Article 13 Privacy Notice
Effective date: 01/06/2020 Version No: 1.0
Cognus Limited respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
Cognus Limited is the data controller and data processor, and responsible for your personal data (collectively referred to as “Cognus”, “we”, “us” or “our” in this privacy notice). Cognus also acts as a joint controller. This means that we work closely with partners, namely the London Borough of Sutton, in determining what data is collected and how it is used and processed.
This privacy notice tells you how we, Cognus, will collect and use your personal data for the purpose of providing support to educational settings, families and children/young people to enable them to access, enjoy and thrive in educational settings and in the community. More information about the services that we provide can be found at https://cognus.org.uk
Who we are
Cognus is a data controller, processor and joint controller. As such, we are registered with the United Kingdom Supervisory Authority.
Should you wish to contact Cognus for any reason, with comments, questions or suggestions about our privacy notice, or about the way we process your personal information, you should send your email to email@example.com for the attention of Numi Bababunmi or Steve Broughton.
Alternatively, you can contact us at the following postal address or telephone number:
Tel: 020 8323 0450
Companies and websites
This privacy notice covers the following companies and websites.
Sutton Music Trust https://suttonmusictrust.org.uk/
Purpose and Lawful basis for the processing of personal data
If you are employed by Cognus we will collect and use your personal data for the purpose of meeting our contractual obligations to you, to ensure that we are legally compliant with the appropriate legislation and to monitor and manage the business effectively. If you have any queries or require further information, the contact details of the Business Systems and Intelligence Manager can be found at the bottom of this page.
Cognus will process (collect, store and use) the information you provide in a manner compatible with the UK’s General Data Protection Regulations (GDPR). We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. Cognus is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.
Cognus collects and processes information about you so that you can effectively use our services. This information may include:
- Contact details, including but not limited to name, title, address, email address and telephone number(s)
- Date of birth
- Residency details
- Education records
We may also collect sensitive personal data (including but not limited to):
- Racial or ethnic origin
- Religious or philosophical beliefs
- Health or sex life and sexual orientation data
- Relevant social care related information
- Medical history, diagnoses and treatments
- Lifestyle, social and personal circumstances
Why we need your information
In order for us to provide you with services to access education, we need to collect the personal data we ask for so that we can assess your current situation and support you to receive the help that you need, either through a Cognus employee or through another service provider. In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.
If you are employed by Cognus, for us to meet our contractual and legal obligations, we will need to collect and store your personal data.
If we wish to contact you for marketing purposes, Cognus would contact you for additional consent.
Sharing your personal information
We may pass your personal data on to third-party service providers contracted to Cognus in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide on our behalf. When they no longer need your data to fulfil this service, they will dispose of the details in line with Cognus’s procedures. Cognus works in conjunction with the London Borough of Sutton and schools in the local area. It may be necessary to share your information so that we can provide services for and on behalf of these parties. You are welcome to contact us for further information relating to how your data is used and shared with third parties.
How long we keep your personal information
We review our retention periods of the information we hold about you on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will hold your personal information on our systems for as long as it is necessary for the relevant activity or service that we provide to you, or as required by law.
We will retain your information for the period in which your information is being used for service provision or for our wider functions. For further information, please email firstname.lastname@example.org.
If we have used Consent as a Lawful basis for processing, you have the right to withdraw that Consent at any time. We will, of course, inform you of any other right that may subsequently follow on, such as the Right to be Forgotten/Right of Erasure or the Right to Restrict Processing.
Statutory or Contractual
If we have used Statutory or Contractual provision as the Lawful Basis for processing, or taking steps at your request before entering into a contract at your request, or if you are obliged to provide your personal data, we will inform you of the consequences if you fail to provide said personal data.
If we intend to further process your personal data for a purpose other than that for which the data was collected, we, the data controller, will provide you with information on that other purpose and any relevant information under Article 13(2) of the UK GDPR.
As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email email@example.com or use the information supplied in the ‘Contact Us’ section below. To process your request, we will ask you to provide two valid forms of identification for verification purposes. Your rights are as follows:
The right to be informed
As a data controller and data processor, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy notice and any related communications we may send you.
The right of access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:
a) The purposes of the processing
b) The categories of personal data concerned
c) The recipients to whom the personal data has been disclosed
d) The retention period or envisioned retention period for that personal data
e) When personal data has been collected from a third party, the source of the personal data
If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
The right to rectification
When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
Due to the complex nature of Consent and legal exemption, we are not always able to fulfil deletion (“Right to be Forgotten”) requests, and it is essential you understand this before accessing the service.
The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:
a) The accuracy of personal data is contested.
b) Processing of personal data is unlawful.
c) We no longer need personal data for processing, but the personal data is required for part of a legal process.
d) The right to object has been exercised, and processing is restricted pending a decision on the status of the processing.
The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of Consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
The right to object
You have the right to object to our processing of your data where:
a) Processing is based on legitimate interest;
b) Processing is for the purpose of direct marketing;
c) Processing is for the purposes of scientific or historic research; or
d) Processing involves automated decision-making and profiling.
Should you wish to make a complaint against Cognus for the way we process your personal information, it is your right to do so. We hope that you contact us first at firstname.lastname@example.org so that we may assist you. However, it is your right to go straight to the Information Commissioner’s Office (ICO) using the contact details below:
Information Commissioner’s Office;
Cheshire SK9 5AF
Livechat: via ico.org.uk/livechat
Tel: 0303 123 1113 (local rate)