Privacy Policy

Introduction

This Privacy Notice explains in detail the types of personal data we may collect about various individuals when they interact with us. It also explains how we’ll store and handle that data, and keep it safe.

We know that there’s a lot of information here but we want individuals to be fully informed about their rights, and how Bury Lodge uses personal data.

Our overriding principle is that we will only use personal data in a way that an individual would reasonably expect. For example, we use client email addresses only to communicate about the service we provide, or staff ID documents to prove right to work in the UK.

We hope the following sections will answer any questions you have but if not, please do get in touch with us.

It’s likely that we’ll need to update this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish. It will always be on our website.

THE LEGAL BASIS FOR PROCESSING PERSONAL DATA

The GDPR regulations set out a number of different reasons for which a company may collect and process personal data, including:

CONSENT

In specific situations, we can collect and process personal data with the individual’s consent.

For example, when a potential client ticks a box to receive email newsletters or when a staff member ticks a box to confirm they are happy to share details of their DBS checks with clients.

CONTRACTUAL OBLIGATIONS

In certain circumstances, we need personal data to comply with our contractual obligations.

For example, if a client requires a monthly audit emailed to them we will need to collect their email address. If a member of staff joins our team we will need to collect their bank details to pay them.

LEGAL COMPLIANCE

If the law requires us to, we may need to collect and process personal data.

For example, we must collect and maintain copies of passports and/or visas to meet the Home Office requirements for proof of right to work in the UK.

LEGITIMATE INTEREST

In specific situations, we require personal data to serve the legitimate interests of an individual or Bury Lodge. This will always be in a way which would reasonably be expected as part of running our business and which does not materially impact that individual’s rights, freedom or interests.

For example, we will maintain email addresses of people who have asked for a quotation from us in the past and continue to use that data to stay in touch for when our services are needed. That will always be through personal contact (not mass emails) unless you consent to joining our mailing list.

We will also use contact details to deliver marketing information by post, email or phone telling you about products and services that we think might interest you.

WHEN DO WE COLLECT PERSONAL DATA?

We collect data from Clients, Potential Clients and Suppliers:

• from publicly available sources such as Google, Companies House and other public sources
• from individuals during telephone conversations, face-to-face meetings, email exchanges, letter correspondence and social media interactions
• from 3rd party data providers
• from our online quote request form
• during our site survey and quotation process
• through our new client sign up process, on-boarding or fact finding at initial meetings
• through our tender and other new supplier sign up procedures

We collect data from Job Applicants:

• from the online and/or paper application form
• from recruitment consultants and head-hunters
• from direct approaches by email and post
• from individuals during telephone conversations, face-to-face meetings, email exchanges, letter correspondence and social media interactions
• through phone and face-to-face interviews
• from referees provided by the Job Applicant
• from psychometric testing we may undertake

We collect data from Employees and Sub-Contractor Employees:

• during the on-boarding process
• from paper timesheets and fingerprint clocking in/out machines
• during day-to-day HR processes (e.g. appraisals, disciplinary, etc)
• from individuals during telephone conversations, face-to-face meetings, email exchanges, letter correspondence and social media interactions
• from emails held on our email server

We collect data from Competitors:

• from publicly available sources such as Google, Companies House and other public sources
• from 3rd party data providers
• from individuals during telephone conversations, face-to-face meetings, email exchanges, letter correspondence and social media interactions
• from requests made under the Transfer of Undertaking Protection of Employees (TUPE) legislation
• from M&A advisors who represent companies potentially looking to exit

We collect data from Office Visitors:

• from their arrival at reception
• in the event of a Health and Safety incident

We collect data from Website Visitors:

• from cookies
• from 3rd party marketing providers including Google, Ghostery, Leadfeeder and other 3rd party tracking tools that have their own GDPR policies in place

WHAT PERSONAL DATA DO WE COLLECT?

From Clients, Potential Clients and Suppliers:

• individual names, phone numbers, email addresses and social media accounts
• correspondence

From Job Applicants:

• personal information including nationality, normal CV information and application form answers
• correspondence
• information about their current package
• interview notes
• medical history
• referee responses
• psychometric test results

From Employees and Sub-Contractor Employees – same as from Job Applicants plus:

• proof of ID and right to work in the UK
• proof of address
• P45, NI number, tax code and other normal tax information
• bank account details
• emergency contacts
• normal HR records
• correspondence
• emails sent and received
• details of any RIDDOR incidents on client sites
• timesheet data of hours worked as well as authorised and unauthorised absence

From Competitors:

• individual names, phone numbers, email addresses and social media accounts
• correspondence

From Head Office Visitors:

• personal details
• details of any Health And Safety incidents

From Website Visitors:

• device and IP address information held in a cookie
• personal details entered into web forms

HOW AND WHY DO WE USE PERSONAL DATA?

For Clients:

• to deliver our service and maintain customer satisfaction
• to send invoices and conduct credit control
• to handle customer service queries

For Potential Clients:

• to market and sell our services to appropriate people

For Suppliers:

• to manage the services we receive from our suppliers
• to deliver sub-contracted services to our clients
• to query invoices and make payments

For Job Applicants:

• to assess suitability for the role

For Employees and Sub-Contractor Employees:

• to verify the employee is who they say they are
• to verify their right to work in the UK
• to ensure the correct hours are delivered to clients
• to pay them for the work done and deduct appropriate tax at source
• to manage their Health and Safety
• to record any details of RIDDOR incidents
• to manage them in their day-to-day job and to develop them as individuals
• to keep them informed of important news and events at Bury Lodge or its related business
• to meet the safeguarding requirements of our clients (e.g. schools)

For Competitors:

• to manage TUPE transfers
• for M&A activity

For Office Visitors:

• to record people on site in case of emergency
• to record any details of Health and Safety incidents.
• See: hse.gov.uk

For Website Visitors:

• to identify visitors who have subsequently contacted us by phone or webform
• to gather personal details to allow us to make contact as requested

HOW DO WE PROTECT PERSONAL DATA?

We take data security very seriously. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.

This includes:

• Holding all electronic files on password protected secure email and file servers and on locked personal IT devices with planned and controlled access rights
• Only working with reputable SaaS providers with appropriate security measures in place
• Designing a file storage structure that ensures appropriate documents are only accessed by members of our team that need access
• Establishing a strong password policy with regular forced change of passwords
• Holding paper documents in locked filing cabinets on site
• Maintaining a GDPR risk register that assesses risk of data breaches and drives mitigating action

HOW LONG DO WE HOLD PERSONAL DATA?

Data for all individuals (regardless of category) will be held for 7 years after our last contact with them.

We have taken this decision to enable a consistent ‘7 years’ rule to apply to all personal data we hold across all categories. A consistent rule will ensure greater compliance and will not compromise the individual’s interests, rights & freedoms.

WHO DO WE SHARE PERSONAL DATA WITH?

We sometimes share your personal data with trusted third parties. For example, with our 3rd party IT company or with our lawyers or accountants.

HERE’S THE POLICY WE APPLY TO THOSE ORGANISATIONS TO KEEP YOUR DATA SAFE AND PROTECT YOUR PRIVACY:

• We provide only the information they need to perform their specific services.
• They may only use your data for the exact purposes we specify in our contract with them.
• We work closely with them to ensure that your privacy is respected and protected at all times.
• If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

Examples of the kind of third parties we work with are:

• IT companies who support our website and other business systems
• SaaS companies who provide operational systems we use to run our business
• Sub-contractors who deliver elements of our service
• Professional advisors, consultants and our banks
• Government agencies such as HMRC, the Home Office and law enforcement/regulatory bodies
• 3rd party DBS checking companies
• Recruitment companies and consultants
• Web marketing companies such as Google, Ghostery, LeadFeeder

We will never share your data with third parties for their own purposes (e.g. other companies who want to sell to you).

WHERE PERSONAL DATA MAY BE PROCESSED

Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).

If a 3rd party supplier of ours is based outside the UK (e.g. Google) then personal data may be collected and transferred outside the EEA.

If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact us.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.

WHAT RIGHTS DO INDIVIDUALS HAVE OVER THEIR PERSONAL DATA?

Outlined below is an overview of individuals’ rights under GDPR. Individuals have the right to request:

• Access to the personal data we hold about you, free of charge in most cases
• The correction of your personal data when incorrect, out of date or incomplete
• The deletion of your data where applicable
• That we stop processing your personal data
• To object to the processing of your data for legitimate reasons or direct marketing

To exercise your rights above please contact The Data Officer, Vithal House, 35 Gorst Road, London, NW10 6LA.

If we choose not to action your request we will explain to you the reasons for our refusal.

YOUR RIGHT TO WITHDRAW CONSENT

Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

WHERE WE RELY ON OUR LEGITIMATE INTEREST

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.

We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

DIRECT MARKETING

You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.

CHECKING YOUR IDENTITY

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.

If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

OUR CONTACT DETAILS AND CHIEF DATA OFFICER

The Data Officer is Teresa Higgins.

Our contact details are:

Bury Lodge
Bury Lodge Lane,
Stansted,
CM24 8QE

CONTACTING THE REGULATOR

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1113.

Or go online to www.ico.org.uk/concerns (please note we can’t be responsible for the content of external websites).

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence. Details can be found in Section 16.

REVIEWING OUR DATA PROTECTION POLICY AND PRIVACY NOTICES

We regularly review and, where necessary, update our privacy information. You may look at our GDPR policy here

If we plan to use personal data for a new purpose, we update our privacy information.

If that purpose is not something an individual would reasonably expect we communicate the changes to individuals before starting any new processing.