This Privacy Notice sets out details about the personal data that we, BSRIA Inc., may collect and process about you. Personal data is information about an individual from which that person can be identified.
Please note that if we intend to further process your personal data for a purpose other than that for which it was collected, we shall provide you with information on this other purpose and all other information as set out in this notice.
In terms of retention periods, we will not keep your data for longer than is necessary. When deciding how long to hold your data we have regard to legal requirements (including any contractually agreed periods) and statutory limitation periods (under which it is prudent for us to retain records for longer periods).
Where we rely on consent to process your personal data, you have a right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
You can withdraw your consent to our processing at any time by contacting firstname.lastname@example.org. Please specify the type of processing that you are withdrawing your consent to in your email.
You have a number of rights in relation to the personal information that we process about you. You:
If you wish to exercise any of these rights please contact email@example.com.
Automated Decision Making (ADM)
ADM occurs when decisions are made about you by a computer or some other information analysing machine. Examples of this include the machine scanning of CVs, computer processed aptitude or personality tests and website profiling.
We do not use ADM.
Contact Details for Data Controller and Enquiries
BSRIA Inc., is the data controller and can be contacted at 225 West Washington Street, Suite 2200, Chicago, Illinois, 60606, USA
If you have any enquiries re data protection or wish to exercise any of your rights please contact firstname.lastname@example.org.
1. WEBSITE/TELEPHONE USERS
BSRIA is committed to respecting your privacy. We have structured our website so that, in general, you can visit that part of the website which is accessible to non-members of BSRIA without identifying yourself or revealing any personal information. Once you choose to provide us with any information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy notice.
We are committed to respecting the privacy of users entering this website and we recognise the importance of the responsible use of information collected on this site. We will do our best to maintain the accuracy of the personal information you supply to us. We will not sell or license your personally identifiable information to anyone.
In general, our service automatically gathers certain usage information about the numbers and frequency of visitors to our website. We only use such data in an aggregated form in our own data logs and web analytics tools such as Google Analytics. This collected data helps us to determine how much our customers use parts of the site, so we can improve our site for your use.
Also, BSRIA may provide aggregated statistics about our customers, sales, traffic patterns and related site information to reputable third party vendors, but these statistics will include no personally identifying information.
The type of data we hold
When you access our website, we may collect the following personal data:
For information you are asked to provide (as part of signing up to a service), you are obliged to provide this to enable us to perform the contract with you and/or to ensure our IT systems remain secure and effective. A failure to provide this may mean we are unable to provide you with the services you require.
For registered users on our website, we will track and record individual’s web activity such as document downloads, orders and requests to record the level service we provide and to inform of relevant products and services.
Most browsers are initially set up to accept cookies. If you prefer you can reset your browser either to notify you when you have received a cookie or to refuse to accept cookies. It is important to note that if you choose not to accept cookies, or you set your browser not to accept cookies, you may not be able to use certain features on our site.
Log files are also created when persons visit our website. They allow us to record visitors` use of the websites and include your IP address. We put together log file information from all our visitors, which we use to make improvements to the content and layout of the websites and to the information in it, based on the way that visitors move around it.
Your IP address is recorded automatically when you access our website to assist us in monitoring and improving content and for security reasons. You are, therefore, obligated to provide this when accessing the website.
Telephone users: we may monitor, record, store and use any telephone communication with you in order to check any instructions given to us, for training purposes and to improve the quality of our customer service.
The purposes of processing
Where you have signed up to events or for updates your data is also processed for marketing purposes (please see marketing below).
Legal basis for processing
Website users: we process this data as it is necessary for our legitimate interests, namely to keep records of user experiences, provide the information or services you have requested, improve our services, ensure our services remain accurate and up to date, study how our website is used and popular content, for marketing strategies/communications and to maintain and grow our business.
We also process data as required by law, including, to comply with legal obligations such as security obligations in data protection legislation (such as prevention of unauthorised access).
We do not rely solely on consent to process your data, however, where you have signed up for services we may also process your data on the basis of your consent.
Telephone users: we process this data as it is necessary for our legitimate interests, namely to resolve disputes that may arise from the placing of verbal orders and to clarify details of verbal customer orders.
Sharing your data
Your data will be shared internally with our IT and marketing departments. It may also be provided to the management at BSRIA (and their support staff and subordinates where appropriate) to the extent necessary for their role and to make decisions about the business, however, this will usually be in an anonymised format (e.g. statistics). Records of telephone calls with us may be provided to the management at BSRIA (and their support staff or subordinates where appropriate) where necessary to resolve disputes arising from verbal orders by customers and to clarify details of customer orders.
As a convenience to BSRIA customers, our website contains links to third party websites. Clicking on those links may allow third parties to collect your personal data. We do not have control over such websites and would encourage you to read the privacy notices for websites you visit.
2. CLIENTS/POTENTIAL CLIENTS
You are obliged to provide this information to enable us to perform our contract or to take steps to enter into a contract with you and to enable us to comply with statutory obligations, such as verifying identity and source of funds for anti-money laundering purposes. If you do not provide this information we may not be able to provide any services to you.
To enable us to:
Your data will be shared internally to the extent necessary to carry out our obligations under our contract with you and/or in line with the purposes set out above. Contact details of committee/network members may be shared within the committee/network to help communication between parties.
Where you are making payments to us, card payments are processed securely through the third party Sage Pay system where details are entered directly. For web orders, we capture and hold a partial amount of your payment card details which is required for security purposes and is mandated by SagePay. We hold these partial card details securely with restricted access and do not hold enough data to make future transactions. If we receive written card payment details, we securely destroy this information once the payment is processed. Your data may also be shared with our bank as necessary.
Your contact details may also be shared with our marketing team to ensure you are invited to events and provided with updates that we believe may be of interest to you. Please note, you have a right to opt out of any marketing communications (see below section on ‘Marketing’).
We may need to share your data with professional advisers we contract with such as specialist sub-contractors and accreditation bodies to obtain advice in relation to the matter you have instructed us on.
We will also share your personal information with third parties where required by law (for example to comply with anti-money laundering legislation) and where it is necessary to administer the working relationship with you (as stated above). We may also need to share personal data with third parties such as potential buyers of the business where applicable (the recipient of this information will be bound by confidentiality restrictions if the data cannot be anonymised). Once we have completed our obligations under our contract with you, your personal data will be archived. Hard copy files are securely stored by us until they are destroyed following a retention period required for potential litigation.
3. PROFESSIONALS WE INSTRUCT
This may include specialist sub-contractors, accreditation bodies, ICT providers, financial services providers and marketing agencies.
We will hold your contact details (such as name, email and phone number) and the advice you provide as per the terms of our contract with you.
You are obliged to provide this information to enable us to perform the contract entered into with you or to make enquiries to potentially engage your services. A failure to provide this information may mean we are unable to enter into a contract with you or may leave you exposed to claims.
To ensure we can contact you and you can provide the service contracted or make enquiries to obtain said service. We also retain this data to ensure we have a record of services to establish/exercise/defend legal claims and to assess the provision of future services from you.
This is processed to enable us to perform the contract we have entered into but is also necessary for our legitimate interests (being able to comply with our obligations to our client under our contract with them, maintain a record of advice provided, to assess suitability for instructions and to establish/exercise/defend legal claims) and the legitimate interests of our client. We also process on the basis of consent where you have agreed to provide your services.
Your data will be shared internally to the extent necessary to carry out our functions under our contract with you and our client. This is likely to include sharing data with our client (on whose matter you are instructed), the staff members responsible for the work, their supervisor and subordinates, together with our IT and finance teams, where appropriate.
Your contact details may also be shared with other staff at the company for the purposes of considering future instructions to you.
4. OTHER PARTIES TO A MATTER
Other parties to a matter may include Government departments, Non-Governmental Organisations, Advisory & Standard committees and Educational establishments.
We may be informed by you or by a third party of your name and contact details if you are involved on a particular matter we are instructed on.
In these instances, the likely data we will hold on you will be your name, the organisation you work for and your contact details. It may also include information that you have given us or our client and your opinion on matters.
The personal data is processed to ensure we are able to contact relevant parties on a matter.
It may also be processed to provide further information relevant to the matter in question.
We process this on the basis of our legitimate interests (to be able to advise our client) and our clients’ legitimate interests.
We may also process this data on the basis of consent (if you have provided these details to us yourself) and where required by law (e.g. pursuant to a court order).
Your data will be shared internally to the extent necessary to carry out our contract with our client and ensure the smooth running of the matter in question. This is likely to include sharing data with our client, the staff member responsible for the work, their supervisor and subordinates, finance and IT.
5. MARKETING RECIPIENTS/EVENT DELEGATES
We may process your personal data including your name, employer, job title and email address for marketing purposes.
In most cases we will have received this data from you directly when you have signed up for services or events, however, we may also obtain data from publicly available sources such as your employer’s website or from accredited third party data suppliers.
Where fees are charged for a service, we will hold financial information and transaction details, including a partial amount of payment card details.
You are not obliged to provide this information, however, if you do not do so we may not be able to provide the services requested (for example, to receive updates, we would need a valid email address).
You may opt out of marketing communications by emailing email@example.com. Alternatively, each of our marketing communications contain an ‘opt out’ hyperlink so that you can opt out easily at any time.
Photography or video may be used at our events. You will be notified about this before or during the event. If you do not wish to be photographed or videoed, please let us know by emailing firstname.lastname@example.org.
Purposes for processing
We may process this personal data to send you marketing updates by email (and in some cases by post) such as industry news, new services and event invitations that we believe may be of interest to you or that you have expressly requested.
If you have opted out of marketing updates, we may retain your personal data as a record of those who have opted out to ensure that we do not contact you further for these purposes.
Photography and video are used for publicity and event review purposes.
We process this data on the basis of consent and legitimate interests, namely to maintain and grow our business.
Where fees are charged for a service, we process this data on the basis of consent and/or to perform the contract that we have entered into with you.
Sharing of data
We will always treat your personal data securely and with respect and do not share this with other organisations save where you have expressly asked us to do so.
Your personal data is shared internally with relevant staff members, and our marketing and IT teams. We may use external marketing companies for marketing purposes. We use a third party email service (CommuniGator) to send out electronic communications. In respect of hard copy mailings, we may supply contact details to mailing houses in order for fulfilment – such data is not used for any other purpose and is destroyed by the mailing house following each mailing. Save for this, we do not envisage needing to share your personal data with external marketing companies and will only do so if it is necessary for particular tasks assigned to them pursuant to their role.
Where fees are charged for a service, our finance team will also have access to your personal data to the extent necessary to recover payments from you and record your payment record and financial details. Card payments are processed securely through the third party Sage Pay system where details are entered directly. For web orders, we capture and hold a partial amount of your payment card details which is required for security purposes and is mandated by SagePay. We hold these partial card details securely with restricted access and do not hold enough data to make future transactions. If we receive written card payment details, we securely destroy this information once the payment is processed. Your data may also be shared with our bank as necessary.
Where you sign up to attend events ordinarily a badge stating your name and organisation (and/or a sign in sheet stating the same) will be on display at the event which others attending the same event may have sight of.
6. THIRD PARTIES WE CONTACT (OR WHO CONTACT US)
We may process your personal data including your name and contact details where you have contacted us (e.g. for information) or where we have obtained your information from a public source or third party and wish to request information. If we receive any communication from you then we will also process any data contained within your request.
An example may be where you are a prospective employer and contact us for a reference or, similarly, where we seek a reference for someone we intend to employ. Another example may be where we contact you to see if you would be interested in hosting a joint event or where we seek to use your business service, vice versa, or where you market to us.
This covers a variety of requests and, in most cases, we do not envisage you being obliged to provide your personal data. If you are requesting information from us, not providing this data may mean we are unable to respond.
The purpose of us processing your personal data is to allow us to respond to your request or to seek information.
We process this data on the basis of our legitimate interests. These are likely to include assessing job applicants’ suitability for roles and growing our business and network.
Your data will be shared internally with those parties relevant to the information request. If your request requires this, it may be shared with other external parties.
7. VISITORS TO OUR PREMISES
BSRIA operates CCTV systems at its premises and therefore will process images of anyone entering our sites. In locations that have CCTV there are signs displayed notifying you that CCTV is in operation.
In addition, data logging visits to our premises will be held, and may include your name, job title, the company you work for, the purpose of your visit, who you are visiting, and the date and time of your visit.
The purpose of us processing data captured by CCTV is to detect and observe intruders, for the detection and investigation of crime, manage security risks, reduce the risk of sabotage to the Company, counter fraud, deal with alleged harassment and to provide evidence for investigations and litigation.
Data logged from visits to BSRIA’s premises is processed to permit visitors onto site, restrict access to areas, manage security risks and in order to register visits for health and safety purposes.
We process this data on the basis of our legitimate interests. Such interests are set out in the ‘purposes for processing’ section above.
Data from visits to our premises will be shared internally with staff as necessary to administer your visit and to review records of it, in line with the purposes set out above. We will only disclose CCTV images to third parties for the purposes as stated above. CCTV images will not be released to the media or placed on the internet for entertainment purposes.