BRIGHT PARTNERSHIPS WORLDWIDE LIMITED
Bright Partnerships, a company incorporated in England and Wales whose registered office is at Munro House, Portsmouth Road, Cobham, Surrey, KT11 1PP, and trading at 8 Boundary Row, London, SE1 8HP (registered number 08828386) (“we/us/our”), holds personal data about our employees, clients, suppliers and other individuals for a variety of business purposes.
It is important to us to be transparent and provide accessible information to individuals about how we will use their personal data. We are committed to respecting your privacy and to complying with applicable data protection and privacy laws.
The Purpose of this Policy
This policy applies to all products and services provided by us, and sets out how we seek to protect personal data. This policy also ensures that staff understand the rules governing their use of personal data to which they have access in the course of their work. This policy is effective from 24th May 2018.
Application of Policy
This policy applies to all of our staff and we will ensure that they are familiar with this policy and comply with its terms.
Notification of changes to this Policy
We may supplement or amend this policy by adding additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
Responsibility for this Policy
Our Head of Agency Operations has overall responsibility for the day-to-day implementation of this policy.
Post: 8 Boundary Row, London, SE1 8HP
Telephone: +44 (0)203 714 3850
2. THE INFORMATION WE COLLECT
We sometimes collect the following data:
• Full name and job title
• IP address and other data associated with your computer
• Demographic information e.g. postcode
• Additional information provided by you may include:
o Preferences and reminders
o Home address
o Telephone number
o Mobile phone number
o Date of birth
o Payment and bank account information
• Automatically generated information created while you use this website may include:
o Transactional information
o Clickstream information
3. HOW WE COLLECT YOUR DATA
We may collect personal data:
• When we meet you in person;
• When we speak to you by telephone;
• When you correspond with us by email;
• When you participate in any activities or promotions administered by us;
• When you fill in forms and questionnaires; or
• When you visit our website.
4. HOW WE USE YOUR DATA
We may seek to use your personal data for business purposes that may include the following:
• To process and deliver services to you or to pay for services we use including:
o management of payments, fees and charges
o the collection and recovery of money owed to us
• To improve our products and services; provide relevant offers and fulfil transactions
• Internal record keeping.
• Compliance with our legal, regulatory and corporate governance obligations and good practice.
• Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
• Ensuring business policies are adhered to (such as policies covering email and internet use).
• Operational reasons, such as training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring.
• Investigating complaints.
• Protecting you, providing you with customer service, preventing fraud, operating this website on your behalf and responding to your request.
• Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments.
• Monitoring staff conduct, disciplinary matters.
• Marketing our business, including but not limited to:
o Promotional emails and updates about new products, special offers or other information we may think is of interest to you
o Market research purposes, by email, phone or mail
Any and all information passed to us by any third party will be treated in accordance with this policy.
5. OUR PROCEDURES
Privacy by design & default
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The Head of Agency Operations will be responsible for conducting any Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.
Privacy settings will be set to the most private by default, except when it does not have a negative impact on the data subject.
Fair and lawful processing
We will always seek to process personal data fairly and lawfully in accordance with the rights of the individuals. This generally means that we will not process personal data unless the individual whose details we are processing has consented to this happening.
The processing of all data must be:
• Necessary to deliver our services and the services that we deliver on behalf of our clients.
• In our legitimate interests and not unduly prejudicing the individual’s privacy.
• In most cases this provision will apply to routine business data processing activities.
Sensitive personal data
In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed, and to whom it will be disclosed.
Accuracy and relevance
We will seek to ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this, or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the Head of Agency Operations.
We keep personal data secure against loss or misuse. We are committed to protecting the confidentiality of your information and will take all reasonable measures to secure your information, including encryption, third party audits, access controls and security testing.
Where other organisations process personal data as a service on our behalf, our Head of Agency Operations will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
Storing data securely
• In cases when data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it.
• Printed data will be shredded when it is no longer needed.
• Data stored on a computer will be protected by strong passwords.
• The Head of Agency Operations will approve any use of the cloud to store data.
• Servers containing personal data will be kept in a locked and secure location.
• Data will be regularly backed up in line with the company’s backup procedures.
• Data will never be saved directly to mobile devices such as laptops, tablets or smartphones, unless absolutely necessary to administer an off-site event or project.
• All servers containing sensitive data will be approved and protected by security software and a strong firewall.
Transferring data internationally
There are restrictions on international transfers of personal data. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
• Where we use certain service providers, we may use specific contracts approved by the European Commission, which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Processing data in accordance with the individual’s rights
We will abide by any request from an individual not to use their personal data for direct marketing purposes.
We will not send direct marketing material to anyone electronically (e.g. via email) unless they have given us positive consent to receiving our marketing material and that consent will be recorded and stored.
Employees will receive training as part of the induction process. Further training will be provided at least once a year or whenever there is a substantial change in the law or our policy and procedure. This will cover:
• The law relating to data protection.
• Our data protection and related policies and procedures.
Completion of training is compulsory.
The personal data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.
A cookie is a small file, which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
• Investigate the failure and take remedial steps if necessary
• Maintain a register of compliance failures
• Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures
6. WHO WILL YOUR INFORMATION BE SHARED WITH?
Your personal data is an important part of our business. We do not sell your information to third parties. We will only share your information as set out below and with your express consent. All information sharing is only done on the basis of being necessary and to fulfil legitimate business purposes. For example:
• Payment card information may be shared with payment processors to facilitate card transactions.
• Bank account information may be shared with our bank to facilitate payment into your account.
• Information may be shared with third parties to fulfil our role, fulfil transactions including payment information, and shipping. If further consent is required to pass your personal data to third parties, you may be contacted in order to give your positive consent for this purpose.
We may disclose your personal information to third parties in limited circumstances as follows:
• Where we engage the business services of a third party to provide services directly to us. We will carry out the necessary due diligence on any third party that we use to ensure that they fully comply with data protection regulations. Any third party will be engaged for a specific purpose and they will be strictly prohibited from using your personal data for any other purposes.
7. DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
8. RIGHTS TO YOUR DATA
• You have the right to access information held about you.
• Upon request, you will have the right to receive a copy of your data.
• You can ask us to correct any inaccurate information held about you.
• You may also request that your data is transferred directly to another system.
• You may request that any information held on you is deleted or removed, where there is no good reason for us to continue to process it. This includes any third parties who process or use that data. Please note, however, that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you (if applicable) at the time of your request.
If we can help with any of these, please email us at email@example.com.
These requests will be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
9. DATA AUDIT AND REGISTER
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
10. LINKS TO OTHER WEBSITES
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to deliver the best quality services and to provide all users of our services with the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or we are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at firstname.lastname@example.org
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
This is defined as information relating to identifiable individuals, clients, suppliers, marketing contacts, job applicants, current and former employees, agencies, contractors and other staff.
The type of personal data we may gather might include: individuals’ contact details, educational background, financial and payment details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
This is defined as personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data will be strictly controlled in accordance with this policy.