Privacy and Cookie Policy

This Privacy Notice sets out details about the personal data that we, BSRIA Limited, may collect and process about you. Personal data is information about an individual from which that person can be identified.

It covers:

  1. Website/telephone users
  2. Clients/Potential Clients
  3. Professionals we instruct
  4. Other parties to a matter
  5. Marketing recipients/event delegates
  6. Third parties we contact (or who contact us)
  7. Visitors to our premises

This Privacy Notice is non-contractual, regularly reviewed and may be amended by us from time to time. If we decide to change our privacy policy, we will post the amended policy on this page so that you are always aware of what information we collect, how we use it and under what circumstances we disclose it.

Please note that if we intend to further process your personal data for a purpose other than that for which it was collected, we shall provide you with information on this other purpose and all other information as set out in this notice.

We will not transfer your personal data to any country outside the European Economic Area.

In terms of retention periods, we will not keep your data for longer than is necessary. When deciding how long to hold your data we have regard to legal requirements (including any contractually agreed periods) and statutory limitation periods (under which it is prudent for us to retain records for longer periods).

Consent

Where we rely on consent to process your personal data, you have a right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

You can withdraw your consent to our processing at any time by contacting data.protection@bsria.co.uk. Please specify the type of processing that you are withdrawing your consent to in your email.

Your Rights

You have a number of rights in relation to the personal information that we process about you. You:

  • Have the right to be informed about your data (as set out in this Privacy Notice);
  • Can request access to your personal data;
  • Can request that your personal data be rectified if it is inaccurate or incomplete;
  • Can request that the processing of your personal data be restricted or erased in certain circumstances, for example, where the data is no longer necessary to meet its purpose;
  • Can object to processing in certain circumstances, for example where this is based on legitimate interests or involves direct marketing;
  • Can request to receive personal data that you have provided in a structured, commonly used and machine-readable format and can have this transmitted without hindrance where the data is processed on the basis of consent or performance of a contract;
  • Can lodge a complaint with the Information Commissioner’s Office.

If you wish to exercise any of these rights please contact data.protection@bsria.co.uk. If you wish to make a subject access request we ask that you complete the company’s Data Subject Access Request form.

Automated Decision Making (ADM)

ADM occurs when decisions are made about you by a computer or some other information analysing machine. Examples of this include the machine scanning of CVs, computer processed aptitude or personality tests and website profiling.

We do not use ADM.

Contact Details for Data Controller and Enquiries

BSRIA Limited is the data controller and can be contacted at Old Bracknell Lane West, Bracknell, Berkshire, RG12 7AH, UK.

If you have any enquiries re data protection or wish to exercise any of your rights please contact us at data.protection@bsria.co.uk.


1. WEBSITE/TELEPHONE USERS

BSRIA is committed to respecting your privacy. We have structured our website so that, in general, you can visit that part of the website which is accessible to non-members of BSRIA without identifying yourself or revealing any personal information. Once you choose to provide us with any information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy notice.

We are committed to respecting the privacy of users entering this website and we recognise the importance of the responsible use of information collected on this site. We will do our best to maintain the accuracy of the personal information you supply to us. We will not sell or license your personally identifiable information to anyone.

In general, our service automatically gathers certain usage information about the numbers and frequency of visitors to our website. We only use such data in an aggregated form in our own data logs and web analytics tools such as Google Analytics. This collected data helps us to determine how much our customers use parts of the site, so we can improve our site for your use.

Also, BSRIA may provide aggregated statistics about our customers, sales, traffic patterns and related site information to reputable third party vendors, but these statistics will include no personally identifying information.

The type of data we hold

When you access our website, we may collect the following personal data:

  • Login data (i.e. username and password) which you input in respect of our subscriber/membership services;
  • Data you input into online forms. For example, if you are signing up to download a free guide you will be asked for your contact details;
  • On our website we may provide space for your comments and/or provide a short survey for you to complete. This is used to help us refine the content and relevance of our website.

For information you are asked to provide (as part of signing up to a service), you are obliged to provide this to enable us to perform the contract with you and/or to ensure our IT systems remain secure and effective. A failure to provide this may mean we are unable to provide you with the services you require.

For registered users on our website, we will track and record individuals’ web activity such as document downloads, orders and requests to record the level of service we provide and to inform you of relevant products and services.

We may track your visit to our site by giving you a cookie when you enter. Cookies are pieces of information sent to your browser by a web server and stored on your computer's hard drive for record keeping purposes. Cookies cannot be used to obtain other information from your hard disk. We use cookies to make visiting our site easier. Cookies allow us to save passwords for you so that you will not have to re-enter them the next time you visit. Cookies are also used to collect statistical information and may be used to identify individuals.

Most browsers are initially set up to accept cookies. If you prefer you can reset your browser either to notify you when you have received a cookie or to refuse to accept cookies. It is important to note that if you choose not to accept cookies, or you set your browser not to accept cookies, you may not be able to use certain features on our site.

Log files are also created when persons visit our website. They allow us to record visitors' use of the websites and include your IP address. We put together log file information from all our visitors, which we use to make improvements to the content and layout of the websites and to the information in it, based on the way that visitors move around it.

Your IP address is recorded automatically when you access our website to assist us in monitoring and improving content and for security reasons. You are, therefore, obligated to provide this when accessing the website.

Telephone users: we may monitor, record, store and use any telephone communication with you in order to check any instructions given to us, for training purposes and to improve the quality of our customer service.

The purposes of processing

  • To register you as a new client/user and provide services to you as requested;
  • To be able to contact you in relation to the service and effectively manage our relationship with you;
  • To enable us to ensure efficiency and security of our systems (e.g. prevention of unauthorised access) and make improvements where necessary, including for user experience of the website;
  • To help resolve disputes arising from verbal orders by customers and to clarify details of verbal customer orders;
  • To make business decisions about the provision of services and our website.

Where you have signed up to events or for updates your data is also processed for marketing purposes (please see marketing below).

Legal basis for processing

Website users: we process this data as it is necessary for our legitimate interests, namely to keep records of user experiences, provide the information or services you have requested, improve our services, ensure our services remain accurate and up to date, study how our website is used and popular content, for marketing strategies/communications and to maintain and grow our business.

We also process data as required by law, including, to comply with legal obligations such as security obligations in data protection legislation (such as prevention of unauthorised access).

We do not rely solely on consent to process your data; however, where you have signed up for services we may also process your data on the basis of your consent.

Telephone users: we process this data as it is necessary for our legitimate interests, namely to resolve disputes that may arise from the placing of verbal orders and to clarify details of verbal customer orders.

Sharing your data

Your data will be shared internally with our IT and marketing departments. It may also be provided to the management at BSRIA (and their support staff and subordinates where appropriate) to the extent necessary for their role and to make decisions about the business; however, this will usually be in an anonymised format (e.g. statistics). Records of telephone calls with us may be provided to the management at BSRIA (and their support staff or subordinates where appropriate) where necessary to resolve disputes arising from verbal orders by customers and to clarify details of customer orders.

As a convenience to BSRIA customers, our website contains links to third party websites. Clicking on those links may allow third parties to collect your personal data. We do not have control over such websites and would encourage you to read the privacy notices for websites you visit.


2. CLIENTS/POTENTIAL CLIENTS

The type of data we hold

  • Contact details of those instructing us (such as name, job title, address and email address) or potential clients;
  • In some instances, we may require documentation to verify identity including passport or driving licence details for individuals or details of shareholders and directors from Companies House for organisations;
  • Information about the matter you are instructing us on;
  • In the case of persons who are part of a BSRIA committee or network: information arising from committee/network meetings;
  • In some instances, we may also need to carry out credit checks or other financial checks with (and obtain personal data from) the HMRC or similar financial organisations;
  • Where fees are charged for a service, we will hold financial information and transaction details, including a partial amount of payment card details;
  • We may also need to process personal data from third parties which are necessary for the performance of the contract with you.

You are obliged to provide this information to enable us to perform our contract or to take steps to enter into a contract with you and to enable us to comply with statutory obligations, such as verifying identity and source of funds for anti-money laundering purposes. If you do not provide this information we may not be able to provide any services to you.

The purposes of processing

To enable us to:

  • Perform our contractual obligations (including contacting you, providing services or advice to you) or take steps to enter into a contract (e.g. provide a quotation);
  • Take preparatory steps to deal with your enquiry to potentially engage you as a client;
  • Verify identity and source of funds where legally required to do so (for example, in accordance with anti-money laundering legislation);
  • Retain a record for the defence of legal claims or insurance purposes;
  • Market services to you (such as updates and event invitations) which we consider would be of interest to you;
  • Retain a record for the purpose of audits or audit requests from clients and for external audits/quality checks;
  • Keep account of fees paid or payable for services and financial information as necessary to complete transactions;
  • Produce and retain information and guidance from committee, network and similar meetings.

Legal basis for processing

  • To perform the contract that we have entered into with you or take steps to enter into a contract;
  • It is also necessary for our legitimate interests (to provide the service efficiently, to maintain accurate records for the defence of legal claims, to retain accreditations, to maintain and grow our business, for the production of industry relevant information and guidance);
  • Consent;
  • To comply with our legal and regulatory requirements.

Sharing your data

Your data will be shared internally to the extent necessary to carry out our obligations under our contract with you and/or in line with the purposes set out above. Contact details of committee/network members may be shared within the committee/network to help communication between parties.

Where you are making payments to us, card payments are processed securely through the third party Sage Pay system where details are entered directly. For web orders, we capture and hold a partial amount of your payment card details which is required for security purposes and is mandated by SagePay. We hold these partial card details securely with restricted access and do not hold enough data to make future transactions. If we receive written card payment details, we securely destroy this information once the payment is processed. Your data may also be shared with our bank as necessary.

Your contact details may also be shared with our marketing team to ensure you are invited to events and provided with updates that we believe may be of interest to you. Please note, you have a right to opt out of any marketing communications (see below section on ‘Marketing’).

We may need to share your data with professional advisers we contract with such as specialist sub-contractors and accreditation bodies to obtain advice in relation to the matter you have instructed us on.

We will also share your personal information with third parties where required by law (for example to comply with anti-money laundering legislation) and where it is necessary to administer the working relationship with you (as stated above). We may also need to share personal data with third parties such as potential buyers of the business where applicable (the recipient of this information will be bound by confidentiality restrictions if the data cannot be anonymised).

Once we have completed our obligations under our contract with you, your personal data will be archived. Hard copy files are securely stored by us until they are destroyed following a retention period required for potential litigation.


3. PROFESSIONALS WE INSTRUCT

This may include specialist sub-contractors, accreditation bodies, ICT providers, financial services providers and marketing agencies.

The type of data we hold

We will hold your contact details (such as name, email and phone number) and the advice you provide as per the terms of our contract with you.

You are obliged to provide this information to enable us to perform the contract entered into with you or to make enquiries to potentially engage your services. A failure to provide this information may mean we are unable to enter into a contract with you or may leave you exposed to claims.

The purposes of processing

To ensure we can contact you and you can provide the service contracted or make enquiries to obtain said service. We also retain this data to ensure we have a record of services to establish/exercise/defend legal claims and to assess the provision of future services from you.

Legal basis for processing

This is processed to enable us to perform the contract we have entered into but is also necessary for our legitimate interests (being able to comply with our obligations to our client under our contract with them, maintain a record of advice provided, to assess suitability for instructions and to establish/exercise/defend legal claims) and the legitimate interests of our client. We also process on the basis of consent where you have agreed to provide your services.

Sharing your data

Your data will be shared internally to the extent necessary to carry out our functions under our contract with you and our client. This is likely to include sharing data with our client (on whose matter you are instructed), the staff members responsible for the work, their supervisor and subordinates, together with our IT and finance teams, where appropriate.

Your contact details may also be shared with other staff at the company for the purposes of considering future instructions to you.


4. OTHER PARTIES TO A MATTER

Other parties to a matter may include Government departments, Non-Governmental Organisations, Advisory & Standard committees and Educational establishments.

The type of data we hold

We may be informed by you or by a third party of your name and contact details if you are involved on a particular matter we are instructed on.

In these instances, the likely data we will hold on you will be your name, the organisation you work for and your contact details. It may also include information that you have given us or our client and your opinion on matters.

The purposes of processing

The personal data is processed to ensure we are able to contact relevant parties on a matter.

It may also be processed to provide further information relevant to the matter in question.

Legal basis for processing

We process this on the basis of our legitimate interests (to be able to advise our client) and our clients’ legitimate interests.

We may also process this data on the basis of consent (if you have provided these details to us yourself) and where required by law (e.g. pursuant to a court order).

Sharing your data

Your data will be shared internally to the extent necessary to carry out our contract with our client and ensure the smooth running of the matter in question. This is likely to include sharing data with our client, the staff member responsible for the work, their supervisor and subordinates, finance and IT.


5. MARKETING RECIPIENTS/EVENT DELEGATES

The type of data we hold

We may process your personal data including your name, employer, job title and email address for marketing purposes.

In most cases we will have received this data from you directly when you have signed up for services or events; however, we may also obtain data from publicly available sources such as your employer’s website or from accredited third party data suppliers.

Where fees are charged for a service, we will hold financial information and transaction details, including a partial amount of payment card details.

You are not obliged to provide this information; however, if you do not do so we may not be able to provide the services requested (for example, to receive updates, we would need a valid email address).

You may opt out of marketing communications by emailing data.protection@bsria.co.uk. Alternatively, each of our marketing communications contains an ‘opt out’ hyperlink so that you can opt out easily at any time.

Photography or video may be used at our events. You will be notified about this before or during the event. If you do not wish to be photographed or videoed, please let us know by emailing events@bsria.co.uk.

Purposes for processing

We may process this personal data to send you marketing updates by email (and in some cases by post) such as industry news, new services and event invitations that we believe may be of interest to you or that you have expressly requested.

If you have opted out of marketing updates, we may retain your personal data as a record of those who have opted out to ensure that we do not contact you further for these purposes.

Photography and video are used for publicity and event review purposes.

Legal basis for processing

We process this data on the basis of consent and legitimate interests, namely to maintain and grow our business.

Where fees are charged for a service, we process this data on the basis of consent and/or to perform the contract that we have entered into with you.

Sharing of data

We will always treat your personal data securely and with respect and do not share this with other organisations save where you have expressly asked us to do so.

Your personal data is shared internally with relevant staff members, and our marketing and IT teams. We may use external marketing companies for marketing purposes. We use a third party email service (CommuniGator) to send out electronic communications. In respect of hard copy mailings, we may supply contact details to mailing houses in order for fulfilment – such data is not used for any other purpose and is destroyed by the mailing house following each mailing. Save for this, we do not envisage needing to share your personal data with external marketing companies and will only do so if it is necessary for particular tasks assigned to them pursuant to their role.

Where fees are charged for a service, our finance team will also have access to your personal data to the extent necessary to recover payments from you and record your payment record and financial details. Card payments are processed securely through the third party Sage Pay system where details are entered directly. For web orders, we capture and hold a partial amount of your payment card details which is required for security purposes and is mandated by SagePay. We hold these partial card details securely with restricted access and do not hold enough data to make future transactions. If we receive written card payment details, we securely destroy this information once the payment is processed. Your data may also be shared with our bank as necessary.

Where you sign up to attend events, ordinarily a badge stating your name and organisation (and/or a sign in sheet stating the same) will be on display at the event, which others attending the same event may have sight of.


6. THIRD PARTIES WE CONTACT (OR WHO CONTACT US) 

The type of data we hold

We may process your personal data including your name and contact details where you have contacted us (e.g. for information) or where we have obtained your information from a public source or third party and wish to request information. If we receive any communication from you then we will also process any data contained within your request.

An example may be where you are a prospective employer and contact us for a reference or, similarly, where we seek a reference for someone we intend to employ. Another example may be where we contact you to see if you would be interested in hosting a joint event or where we seek to use your business service, vice versa, or where you market to us.

This covers a variety of requests and, in most cases, we do not envisage you being obliged to provide your personal data. If you are requesting information from us, not providing this data may mean we are unable to respond.

Purposes for processing

The purpose of us processing your personal data is to allow us to respond to your request or to seek information.

Legal basis for processing

We process this data on the basis of our legitimate interests. These are likely to include assessing job applicants’ suitability for roles and growing our business and network.

Sharing of data

Your data will be shared internally with those parties relevant to the information request. If your request requires this, it may be shared with other external parties.


7. VISITORS TO OUR PREMISES

The type of data we hold

BSRIA operates CCTV systems at its premises and therefore will process images of anyone entering our sites. In locations that have CCTV there are signs displayed notifying you that CCTV is in operation.

In addition, data logging visits to our premises will be held, and may include your name, job title, the company you work for, the purpose of your visit, who you are visiting, and the date and time of your visit.

Purposes for processing

The purpose of us processing data captured by CCTV is to detect and observe intruders, for the detection and investigation of crime, manage security risks, reduce the risk of sabotage to the Company, counter fraud, deal with alleged harassment and to provide evidence for investigations and litigation.

Data logged from visits to BSRIA’s premises is processed to permit visitors onto site, restrict access to areas, manage security risks and in order to register visits for health and safety purposes.

Legal basis for processing

We process this data on the basis of our legitimate interests. Such interests are set out in the ‘purposes for processing’ section above.

Sharing of data

Data from visits to our premises will be shared internally with staff as necessary to administer your visit and to review records of it, in line with the purposes set out above. We will only disclose CCTV images to third parties for the purposes as stated above. CCTV images will not be released to the media or placed on the internet for entertainment purposes.