For the purposes of this Cookies Policy:

  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Cookies Policy) refers to ISTO Ltd., International Standardized Testing Organization Ltd., Cranfield Innovation Centre, University Way, Cranfield, Milton Keynes MK43 0BT, England.
  • Cookies means small files that are placed on Your computer, mobile device or any other device by a website, containing details of your browsing history on that website among its many uses.
  • Website refers to sites hosted on the domain 
  • You means the individual accessing or using the Website, or a company, or any legal entity on behalf of which such individual is accessing or using the Website, as applicable.

Types of cookies we use

  • Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.
  • Session Cookies Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
  • Functionality Cookies Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
  • Session and Persistent Cookies are administered by Us, if any.

We do not use Session Cookies nor Persistent Cookies.

If you have any questions about this Cookies Policy, You can contact us at

Privacy Policy

This privacy notice describes how we collect, use and store personal information about you during and after your business relationship with us, in accordance with the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).

ISTO (International Standardised Testing Organisation) is a data controller. This means that we are responsible for deciding how we hold and use and store personal information about you. We are required under the DPA 2018 / UK GDPR to notify you of the information contained in this privacy notice.

We may update this notice at any time. If relevant (and feasible), we will notify you.

It is important that you read this notice, together with any other privacy notices we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using your personal information.

You may download a copy of this privacy notice.


We will comply with all relevant data protection law (including the DPA 2018 / UK GDPR). This requires that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.
  7. We are accountable as a Controller for the principles and individual rights with respect to the processing we undertake.


Personal data, or personal information, means any information about an individual from which that person can be identified, whether directly or indirectly. It does not include data where an individual cannot be identified (anonymous data).

For those who have signed up to our newsletter, we collect your email address.

For candidates, we collect:

  • Contact data including your full name, postal address, email address and telephone number.  
  • Data to verify you by including your day and month of birth, the last 4 digits of your Government-issued identification (ie, driving licence / passport, etc) and your unique candidate ID. 
  • The results of your test.

We will not collect or store any "special category", or sensitive personal information on you. 

This personal data is collected when you register for our test on our website – through your employer or an agent. We need to collect this data to fulfil our function as a test service provider.

This personal data is shared with external organisations who support our business operation, such as

  • Employees and associates of ISTO for the purposes of administering the test;
  • Third parties that process data on behalf of ISTO to support it in fulfilling its obligations to you – such as Paypal and Proctorio.
  • Accrediting bodies where applicable.

Access to personal data is permission-based and is stored in the UK and EU, therefore is covered by the existing adequacy agreement. 

Some partners, such as freelance contractors are not based in the EEA. In these cases, additional safeguards will be in place to permit this transfer, however Transfer Risk Assessments are conducted where appropriate.

We have put measures in place to protect the personal data we process – further details on these measures can be requested from us at

We rely on the following lawful bases for processing your personal data such as performance of a contract by handling candidate registration and exam results to fulfill certification obligations, legal obligation by retaining records for auditing and accreditation standards compliance, legitimate interests in using contact details to manage strategic relationships and utilising statistical analysis for quality improvement and candidate serving, and consent for non-essential uses including optional mailing lists where statements would outline purposes, retention, and withdrawal rights.

In the event of a data breach that may result in a high risk to your rights and freedoms, we have implemented procedures to promptly assess and notify affected individuals and the ICO, as required by the UK GDPR. We take data breaches seriously and strive to minimize any potential negative impact. Our services are intended for individuals who are 18 years of age or older. We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a child under 18 has provided us with personal data, please contact us immediately.


As a Data Controller:
We need all the categories of personal data detailed above to allow us to conduct our business operation. Some of the grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you are a candidate, then we will need to process your data in line with our legal obligations. In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. 

The situations in which we will process your personal information are listed below.

  • Administration of a contract we have entered with you and providing our products and services to you.
  • Business management and planning, including accounting and auditing. In these instances, we will share your personal data with our accountants and associated reporting platforms. 
  • Planning for the on-boarding or termination of our contracting relationship.
  • Dealing with legal disputes involving you, or any disputes that may arise under the contract that we have with you or the way in which we provide our products and services to you.


We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. As a summary:

  • We will retain your data for up to 15 years. If you ask us to remove your data from this, we will do so immediately, as long as we are permitted to legally.
  • If the test is related to International Organisation for Standardisation (ISO) standards, we will retain your data for up to 5 years from the date an updated version is officially published. 
  • Our test service provider(s) will retain your data for 90 days to allow any queries or appeals to be handled.  


It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your Rights:
Subject Access Request – this enables you to receive a copy of the personal information we hold about you. To action this request, please email the data protection contact:
We require a suitable form of identification and under normal circumstances, we will supply this to you within one calendar month of your request and of identification being received.
No fee is usually payable; however, we may apply an appropriate fee if the request is deemed to be excessive, or repetitive.
Request Correction – this enables you to have any incomplete or inaccurate information we hold about you corrected.
Request Erasure – this enables you to delete or remove personal information when there is no good reason for us to continue processing it.
Object to Processing – in certain circumstances, you have the right to request we suspend the processing of your data. Please contact us if you require more information on this.
Request the Transfer – you have the right to request the transfer of your personal data to a third party. Please contact us if you require more information on this.
Right to Withdraw Consent – where we rely on consent to process your data, you have the right to withdraw this at any time, without giving reason. To withdraw your consent, please contact the data protection officer. Once received, we will not process your data for the reasons you have agreed to, unless we have another legal basis for doing so.
Right to complain – you have the right to complain at any time to the Information Commissioners’ Office (ICO) regarding data protection issues -

We reserve the right to update this privacy notice at any time. If you have any questions about it, please contact us at


All or any part of the contents of this website may be freely copied and distributed with the following restrictions: Excerpts, in any form or medium, must include a formal statement acknowledging that the International Standardized Testing Organization (ISTO) is the owner of the copyrighted material excerpted from this website. Copies and redistributions of this whole document, in any form or medium, must include the entire copyright notice and the restrictions shown on this page.


ISTO is committed to impartiality and objectivity in our operational processes. ISTO evaluates all candidates seeking ISTO qualifications without regard to race, colour, national origin, sex, age, religion, pregnancy, disability, military or veteran status, genetic predisposition, gender identity, sexual orientation, or other characteristics protected by the law.