GDPR Compliance Statement
We are committed to the principles inherent in the GDPR and particularly to the concepts of privacy by design, the right to be forgotten, consent and a risk-based approach. In addition, we aim to ensure:
Our Data Protection Officer (DPO) is Jonathan Watson, who works to promote awareness of the GDPR.
Our data protection policy is available on our website and a copy has been made available to all employees and to contractors and suppliers associated with this organisation. It forms part of the induction training of all new staff and follow-up sessions will be put in place if the legislation changes or further guidance is available.
Right to be forgotten
We recognise the right to erasure, also known as the right to be forgotten, laid down in the GDPR. Individuals should contact firstname.lastname@example.org with requests for the deletion or removal of personal data. These will be acted on provided there is no compelling reason for continued processing and that the exemptions set out in the GDPR do not apply. These exemptions include where the personal data is processed for the exercise or defence of legal claims and to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
Subject access requests
We recognise that individuals have the right to access their personal data and supplementary information and will comply with the one-month timeframe for responses set down in the GDPR. As a general rule, a copy of the requested information will be provided free of charge, although we reserve the right to charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive. If this proves necessary, the data subject will be informed of their right to contest our decision with the supervisory authority (the Information Commissioner’s Office (ICO)).
As set out in the GDPR, any fee will be notified in advance and will be based on the administrative cost of providing the information.
We will implement data protection “by design and by default”, as required by the GDPR. Safeguards will be built into products and services from the earliest stage of development and privacy-friendly default settings will be the norm. The privacy notice, which is on our website and which is provided to anyone from whom we collect data, explains our lawful basis for processing the data and gives the data retention periods. It makes clear that individuals have a right to complain to the ICO.
Privacy Information Notices
What personal data we collect
The personal data collected depends on how you use our website. You can browse the site, fill in forms on the website to request information or quotes from us, download documents from us, subscribe to our emails, and carry out other activities. The Group’s websites collect personal data to provide these services.
We collect information about you when you instruct us to provide advice; visit our website; subscribe to our newsletters or to receive our publications; apply for employment with us; attend one of our seminars; and engage in business dealings with us.
What we do with your personal data
When you visit our website, a record of your visit is made. This data includes your device’s IP address. That data is used completely anonymously, in order to determine the number of people who visit our website and the most frequently used sections of the site. This enables us to continually update and refine the site. If you use any forms on the website to send an email to us, a record will also be made of your email address and your telephone number.
The following table sets out how we handle your personal data and our legal basis for doing so under GDPR and the Data Protection Act 2018.
| What we do | Our legal basis under GDPR |
| --- | --- |
| Use the personal data that you provide on our web forms and questionnaires | Article 6(1)(b) – when you provide us with your personal data, for instance to obtain a quote for our services, this is a necessary step to take at the request of the data subject prior to entering into a contract |
| Provide our core services of health and safety, employment law advice, employment documentation and legal services | Article 6(1)(b) – this is necessary for the performance of a contract with you, our data subject |
| Provide our online services platforms – E-Learning | Article 6(1)(b) – this is necessary for the performance of a contract with you, our data subject |
| Contact you regarding the services we provide | Article 6(1)(f) – we need to contact you for our legitimate interests so that we can gather more information for the provision of our services, or to deliver those services most effectively |
| Retain your data under our data retention policy after your contract has expired | Article 6(1)(f) – we need to retain your personal data for only as long as necessary under the law to protect our legitimate interests |
| Where you require us to make Reasonable Adjustments to enable you to attend a meeting or interview, we may require further information from you. | Article 9(2)(a) of GDPR (explicit consent). If this includes information about your physical or mental health, such information (being sensitive personal data, Special Category data) will only be used by us, with your explicit consent, to assess your eligibility for Reasonable Adjustments. We will not share or disclose it to others. You can withdraw your consent at any time by contacting us. Please note that we may not be able to process your request for Reasonable Adjustments if you do this. |
The following table sets out the categories of personal data that we obtain.
| Name, postal address, email address, website, identification number, location data, online identifier – these are classed as personal data | This data is provided by you on our web forms and questionnaires, either to obtain a quote from us, subscribe to one of our newsletters, request a service from us or as part of the provision of your existing contractual services. |
| Special categories of personal data are racial or ethnic origin, political opinions, sex life, sexual orientation, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a natural person, or data concerning health | This data is provided by you on our web forms and questionnaires. |
We may collect, hold, use and disclose the information collected to compile statistical data and to: maintain our database; develop/improve our website; respond to any email enquiries; notify you of any upcoming marketing, training or other events that you have opted in to; provide you with publications; manage quality control; manage systems administration; attend to compliance issues; provide you or your organisation with advice; and determine suitability for employment.
We will not use or disclose your personal information for any other purpose which is not related (or in the case of sensitive information, directly related) to the above purposes without your consent unless otherwise authorised, required or permitted under the laws of England and Wales. BSS does not sell your data to third parties.
If you no longer wish to receive information about our services, please send an email to email@example.com advising that you do not wish to receive further information.
Will we disclose your data?
No. BSS will not disclose data to any third parties.
The handling of these operations is governed by a data processing contract between us and our external service provider, ensuring a commitment to the principles of the GDPR and the Data Protection Act 2018. We ensure external service providers are only authorised to use personal data for the limited purposes specified in our agreement with them.
How long we keep your personal data
Personal data from our data subjects is retained in line with our data retention policy. The Group keeps most data for 7 years, which covers the 6 years for which we are required by law to keep certain information, plus the current year.
You have the following rights in relation to personal data held on you by BSS:
If you wish to learn more about these rights and how they operate, please look at the ICO’s website https://ico.org.uk/for-the-public/.
The Group does not operate any automated decision-making systems.
You have a right to request a copy of the personal data that we hold about you. If you would like a copy of some or all of your personal data, please email firstname.lastname@example.org