Who We Are
For the purposes of data protection legislation *, the data controller is BLS Stay Compliant Limited, York Science Park, Innovation Centre, Innovation Way, Heslington, York YO10 5DG.
We are registered with the Information Commissioner’s Office as a Data Controller, Reg No: ZA090115.
Our Commitments to You
To enable us to undertake our business objectives we collect and use personal data about individuals. We recognise the trust placed in us by individuals whose data we are entrusted with. This policy (together with any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, or that we obtain about you will be processed by us. We are committed to ensuring that we do so in a manner that is both lawful and respects your privacy.
Please read the following carefully to understand our approach and practices regarding your personal data and how we will treat it. We take any complaints we receive very seriously. If you think our collection or use of your personal data is unfair, misleading or inappropriate, please bring it to our attention and we will be happy to provide any additional data or explanations needed. We also welcome suggestions for improving our procedures.
You can also contact the Data Commissioner’s Office at ICO, www.ico.org.uk or write to ICO, Wycliffe House Water Lane, Wilmslow, Cheshire SK9 5AF or telephone 0303 123 1113 for advice or to make a complaint.
Your Privacy Rights
You have the right to be informed about how and why we process your personal data although those rights will not apply in all circumstances that we collect your data or to all the data that we hold about you. For example, we may need to continue to hold and process personal data to establish, exercise or defend our legal rights.
You have the right to be informed about how we use the data you provide, and we will try to be as transparent as possible in our interactions with you. Any time you give us personal data you have a right to be informed about why we need it and how we will use it. You can find most of the information you need in this Privacy Notice.
You can also find out more information about your privacy rights on the Information Commissioner’s Office website; www.ico.org.uk
If you have any questions, please contact us:
By post to BLS Stay Compliant Limited, York Science Park, Innovation Centre, Innovation Way, Heslington, York YO10 5DG.
By email at firstname.lastname@example.org
By phone to 01904 217788
Through our website bls-staycompliant.co.uk
You have the right to access your personal data.
You can request a copy of data we hold about you at any time.
You may choose to exercise your right of access through any of our contact methods, but we will ask you to provide documented evidence of your identity before we process your request. We may also contact you to clarify your request or to ensure we have all the data we need to fully meet your request.
Data Protection legislation requires us to respond to your request within one month of verifying your identity (or within 3 months for more complex cases). You’ll receive a full response as soon as we can reasonably provide one and we aim to resolve all subject access requests within 30 calendar days from confirming your identity. In more complex cases where we cannot provide a full substantive response within that time frame, we will write to you within 30 calendar days to explain why an extension is needed.
We don’t charge for subject access requests.
You have the right to ask us to correct inaccurate personal data we hold about you.
If you believe data we hold about you to be inaccurate or incomplete, you can ask us to correct it or complete it at any time, through any of our contact methods. Wherever possible, we will correct inaccurate or incomplete data immediately.
In more complex cases we will take reasonable steps to confirm the accuracy of the data we hold. Whilst we investigate the accuracy of the data, we will restrict the processing of the data in question.
We will let you know the outcome of our investigation as soon as we can. Any data we can verify as inaccurate will be corrected within one month of receiving your request.
You have the right to ask us to delete your personal data
In some circumstances you have the right to ask us to delete data we hold about you. For example, if we have asked for your consent to process your data, and you subsequently withdraw that consent.
We will respond to your request as soon as we can, and we will act on any requests granted within one month of your request.
Please note that we cannot delete any personal data where we have a specific legal or regulatory obligation to retain it. For example, this applies to outstanding debts and some HMRC requirements. In certain cases, we will be unable to delete your information if there are statutory grounds to retain it (i.e. legal requirements). If your request for deletion is refused, we will explain the reasons for refusal.
You have the right to ask us to restrict the use of your personal data
In some instances, you have the right to ask us to restrict the use of your personal data (for example if you’ve challenged the accuracy of the data we hold or have objected to our processing). We will restrict our use of your data whilst we investigate your objection or request to correct your data.
We will respond to your request as soon as we can. If your objection is unsuccessful, we will only continue processing once we’ve let you know the outcome of the investigation.
Data related to these requests will not be automatically deleted unless you expressly ask us to.
You have the right to data portability
If you have given us your consent to process your data, and we use automated procedures, you have the right to move, transfer or copy that data to another system for your own purposes. We do not make use of any automated processes. If we decide to use such procedures in the future, we will update this Privacy notice and you may make a request for the appropriate data to be moved under your direction.
You have the right to ask us not to process your personal data
We process most of the personal data we collect under the lawful basis of ‘legitimate interest’. You have the right to object to our processing your personal data under this basis.
We will respond to your objection as soon as we can. In some cases, such as fraud prevention or network and information systems security, your objection may not be sufficient to override our Legitimate Interests. Where we believe there is a compelling reason to continue the processing, we will explain why we think this is.
We will action any requests to stop any direct marketing to you as soon as we receive your objection.
You can object to us using your data at any time through any of the above contact methods.
Lawful basis for processing
We must have a lawful basis for processing your information; this will vary depending on why we process and how we use your information, but typical examples include:
the activities are within our legitimate interests as a registered business that provides consultancy and training services,
the processing is necessary for compliance with a legal obligation to which we are subject e.g. we must provide certain contact information and other details about our services to HMRC or other such government organisations,
if we need to process someone’s personal data to deliver a contractual service to them; or because you have asked us to do something before entering into a contract (e.g. provide a quote),
you have given consent for us to process the information e.g. in relation to specific marketing or communication activities,
If we process any special categories of information i.e. information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, processing of genetic or biometric data for uniquely identifying individuals, health data, or data concerning your sex life or sexual orientation, we must have a further lawful basis for the processing.
This may include:
Article 9(2)(a) – In circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing.
Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on BLS or the data subject in connection with employment, social security or social protection.
Article 9(2)(c) – where processing is necessary to protect the vital interests of our staff and our clients, for example to protect their life or the life of somebody else.
Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
Article 9(2)(g) – where processing is necessary for reasons of substantial public interest.
Article 9(2)(h) – where the processing is necessary for any health or social care purposes.
We process criminal offence data under Article 10 of the GDPR.
Examples of our processing of criminal offence data include pre-employment checks and declarations by an employee in line with contractual obligations.
We also maintain a record of our processing activities in accordance with Article 30 of the GDPR.
Schedule 1 conditions for processing special category data
BLS processes special category data for the following purposes under schedule 1 of the DPA 2018:
Part 1 paragraph 1: Employment, social security and social protection.
Part 1 paragraph 2: Health or social care purposes.
Part 2 paragraph 8: Equality of opportunity or treatment.
Part 2 Paragraph 10(1): Preventing or detecting unlawful acts.
Part 2 Paragraph 11(1) and (2): Protecting the public against dishonesty.
Schedule 1 conditions for processing criminal offence data
BLS processes criminal offence data for the following purposes under schedule 1 of the DPA 2018:
Part 1 paragraph 1: Employment, social security and social protection.
Part 2 paragraph 6 (a): Statutory purposes.
What information do we collect
It is important to us that we inform you about the information we collect and why we collect it. The information we collect and the reason for collecting it are different for different groups of individuals.
Information can be classed as ‘regular’ such as your name and address or ‘sensitive’ such as details about your health. The list below provides an overview of the types of information we collect and why.
We process information as follows:
your name, address and contact details, including telephone number and email address, and designations, roles or positions in your organisation;
the terms and conditions of our agreement with you or where you have expressed interest in our services;
details of your organisation’s bank account;
information about your preferred business contact (for example via another colleague);
details of your attendance at our training events and online courses;
your feedback and comments about our training events and online courses;
to provide a duty of care and arrange accessibility during training events, we request information about any medical, health or dietary conditions, including if you have a disability for which we need to make reasonable adjustments.
This may be by you completing forms on our websites (see above) or by corresponding with us by phone, e-mail, webchat or otherwise. This includes information you provide when you complete the membership application form on our websites, when you change/update your personal details, contact preferences etc. and when you report a problem with our sites.
To provide our services to you, we need to collect, process and store data about you that may be personal or sensitive in nature. We use your data to administer, support, improve and develop our business generally, to provide statistical data to meet our regulatory requirements and to enforce our legal rights. If we intend to use your data for a different purpose, we will do so in compliance with Data Protection legislation, wherever possible, by notifying you in advance.
We only use your data for the specific purpose(s) for which it has been provided or collected.
We collect and process various personal data from you and about you. In most cases, the data we collect about you is provided by you directly. This is one of the ways we can ensure the data we collect is as accurate and up to date as possible. We will usually do this when you first contact us, and we may ask you to confirm your details on subsequent contacts from time to time.
The type of data collected from you and obtained about you will vary depending on your relationship with us, the service you are requesting and your chosen method of contacting us. However, in almost all cases we are likely to ask you to provide:
Details to verify your identity and help us prevent fraud;
Business contact details (including phone number, e-mail address or social media labels) – to contact you about your account, update you about the services you’ve requested or received from us, or contact you with other data related to our business;
Financial data (including method of payment and bank account details) – to allow us to bill you for the services you receive from us and to manage your payment arrangements;
We may ask you for documented evidence of the above and will retain digital copies for validation and audit purposes.
We will only collect sensitive personal data about you with your explicit consent, and for a specified purpose which will be explained to you at the time.
If you contact us by phone we may retain a written record of the conversation.
If you contact us by post or e-mail we will retain a record of the contact.
If you use our website, we will retain a record of the contact and we may collect additional data about you to provide a better digital service and website functionality.
We may also obtain information about you from publicly accessible sources such as social media, the open electoral register or Companies House.
More detailed data on what we collect in different circumstances and how it will be used is set out below.
BLS Stay Compliant Ltd provides an informal, online chat capability to help our web site visitors with their queries and navigating around our website. Where the online chat facility is present it involves setting cookies and collecting information as described in more detail in other areas of this privacy notice.
We may collect personal data obtained during the chat facility for our own records and to improve our client services. The lawful basis for this is our desire to improve our customer experience and to retain your data for any potential marketing purposes under our legitimate interests. We will then absorb this data into our existing databases as described in other areas of this privacy notice.
How we collect data about you
We prefer to collect data directly from you, so we can ensure it’s as up to date and as accurate as possible. However, we also collect data about you from other sources.
We may receive data collected by our business associates or partners or sub-contractors relating to services they are delivering to you on our behalf, or to respond to a query or complaint that you have made.
Profiling and automated decision making
We do not carry out any profiling or automated decision making concerning your personal data that we hold.
What to expect when you contact us
If you contact us by phone or in writing (including e-mail, social media or via our websites) we may record, monitor or retain copies of your correspondence.
This is to allow us to:
assist our response to any queries you may have;
ensure we continue to offer you the best possible service;
maintain standards and help to develop our staff;
validate our compliance with regulatory obligations; and
keep our records up to date so that we can offer you the most suitable consultancy and training services, including marketing and promoting our business where appropriate consent has been given.
We also retain this data for several reasons, including our statutory responsibilities under legislation and to prevent fraud.
Contacting us by telephone
When you contact us by telephone, your telephone number may be added to our client management database so that we can contact you in future to maintain and update our records. Where appropriate we will use telephone number(s) recorded on our client management database to contact you to discuss our services or your contract etc.
We may also use a telephone number listed on our client management database to call or text you regarding the services you require.
Contacting us by post
Some post/mail received by us is scanned on to our systems and we will store letters or documents and attachments on our client management database.
If you email us, we will respond to you using the email address you gave us. We may add your email address to our client management database, and it may be used for future communications.
Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with our business policies. Emails are stored, archived and deleted in line with our data security and data retention policies.
Contacting us via social media
We strongly advise you not to post your personal contact or other sensitive data on our public social media site. If you contact us using social media to report an issue, we will ask you to contact us by other means to gather any appropriate information. We will suggest an alternative contact method if we think this is more appropriate.
Making a complaint
If you make a complaint to us, we will follow our own internal complaints process. We may need to share details about your complaint internally to fully investigate.
If the complaint relates to a service provided by a third party, we will share data with them to resolve your complaint. If a complainant doesn’t want data identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will only use the personal data we collect to process the complaint and to check on the level of service we provide.
We will retain complaints in line with our data retention policy. This means that data relating to a complaint will be retained for seven years from closure.
Visiting our website
Each time you visit our website we will automatically collect the following data:
Technical data – This includes the Internet Protocol address (IP address) used to connect your device to the Internet, your login data, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
Location data – When using one of our location-enabled services on our website, we may collect and process data about your actual location. If you wish to use the feature, you’ll be asked to consent to your data being used for this purpose. You can withdraw your consent at any time either by modifying the location settings of your web browser or the location awareness permissions of your mobile device.
Session data – data about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction data (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our client service number.
We use data gathered through cookies and similar technologies to measure and analyse data on visits to our websites, to tailor the websites to make them better for clients and site visitors and to improve technical performance (see below for more data). We don’t use the data to identify you personally or to make any decisions about you.
Our website may also contain links to and from other websites including our partners or other Information Governance advisors.
If you follow a link to any of these websites, please note that we do not have control over these websites or their content. These websites have their own privacy policies, and we cannot accept any responsibility or liability for these. We recommend that you review the website terms and conditions that are applicable to the third-party website.
Data about cookies we use
The services contained in this section enable the Owner to monitor and analyse web traffic and can be used to keep track of User behaviour.
Google Analytics – https://analytics.google.com/analytics/web
Google Analytics is used to understand how the website is being used so that changes can be made to improve the User experience.
Data is gathered about how the User progresses via their IP address.
The Data Controller ensures that the IP Anonymization is enabled and the specific location of the User is not identifiable.
The Data collected by Google Analytics will only be used by the Data Controller for the benefit of the Website and not shared with any 3rd parties.
The Data is stored with Google Analytics for 26 months which enables the Data Controller to analyse over annual trends.
By filling in the contact form with their Data, the User authorises this Application to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.
Personal Data collected: email address, first name, last name and phone number.
Gravity Forms – https://www.gravityforms.com
Gravity Forms is used to compose the online forms which are found in ‘Contact Us’ and ‘Subscribe to Newsletter’ pages within the Website.
Your data is not processed until the mandatory fields of the form are completed and the form submitted.
Your data is emailed directly to the Data Controller and processed via their email protocols.
Your data is then completely deleted from the Website’s Database within 24 hours.
Updating or deleting the User’s Data. This can be done either by clicking the links at the foot of the Newsletter emails or by contacting the Data Controller.
Using your data to provide our services
Most of the data we collect from you or about you is to help us to improve and manage our services to you and to make business management decisions according to your needs or the services we provide. We will use this data to invoice you for the services or to update you on your training event or contract.
Falling into arrears or failure to pay your bill
If you fail to pay your invoice as required under the terms and conditions of our agreement, or fall into arrears, the data that we hold about you may be used to recover arrears in line with our regulatory obligations. In doing so, we may use third party debt collection / management companies and credit reference agencies to assist us. This will involve sharing your data with them.
Data we share with others
In most circumstances we will not disclose your personal data without your consent. However, there are circumstances where we need to share some of your data to meet our regulatory obligations or where we are permitted to under Data Protection legislation.
The obligations that we have to our Regulators
We have legal obligations to share data with our regulators and other third parties identified in law. We may disclose your personal data to third parties if we are under a duty to disclose or share your personal data to comply with any legal obligation. We do not require your consent to process your data in this way.
Where necessary we will be required to supply personal data to HMRC, the Department for Work and Pensions (DWP), the police, fraud agencies or UK Visas and Immigration. Under Data Protection legislation we are permitted to share this data with them without your consent and we are not required to notify you that this has taken place. We will always fulfil our duty to support the prevention and detection of crime by statutory agencies.
Agreements we have with other organisations for sharing data
We share your payment data (bank account; sort code; direct debit mandates etc) with some banking institutions to process your payments.
Trusted Partners we use who may have access to your data
We use trusted partners to help us process your personal data and provide services to you. For example, we contract Stripe, a global leader in card payments processing technology and solutions, to enable clients to book our training events.
They operate reliable and secure proprietary technology platforms that enable us to accept payments across multiple channels.
All our data processors have a binding contract with us that restricts their access to and handling of your personal data to only what is necessary in performance of their contract.
From time to time we may require legal assistance and may need to share your personal data with our legal advisers or our insurance company or other professional advisors to obtain advice or make a claim.
How we store your data and how we keep it secure
All client personal data is stored on our systems on secure servers. We operate a suite of IT and security policies to ensure your data is kept secure, including appropriate access and auditing controls.
We use anti-virus software and firewalls to protect against cyber-attack. Regrettably, the transmission of data via the internet is not entirely secure.
Although we will do our best to protect your personal data, we cannot guarantee the security of data you send to us that is outside of our security arrangements; any transmission is at your own risk.
We also operate strict physical security at all our sites and employees all receive security and data protection awareness training.
You may store your personal data on your local device, such as your computer or mobile phone to assist you in your repeated use of our services. We have no control over inappropriate access to this data. You can delete this data at any time using the facilities of your Internet browser or mobile device.
Where we transfer data to third parties to enable them to process it on our behalf (see the data about Trusted Partners above), we ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.
Storing or transferring your data outside the European Economic Area (“EEA”)
We do not transfer or store your personal data to any third countries or international organisations.
How long we will retain your data
We only retain your data for as long as we need it. We will retain certain data (e.g. contact data and bank details) for as long as you have a relationship with us. Our data retention policy is our guide to keeping your personal data, but the length of time depends on the purpose of the processing.
Generally, we retain:
client correspondence, complaints, invoices and tasking records for up to seven years;
general enquiries for our services for up to three years;
data subject requests (e.g. subject access requests and objections) for up to two years;
social media posts (in third party systems) for up to six months, unless related to a complaint.
After this time, your personal data will be either deleted or anonymised.
These retention periods may be extended in certain limited cases as prescribed or permitted by law – e.g. because of an incident or accident requiring investigation or to seek or defend a legal claim.
If we sell or buy any other business or assets, or merge with another business or organisation or carry out internal corporate restructuring, your data may be disclosed to new or prospective business partners or owners or the new corporate entities.
Changes to Our Privacy Notice
We review this notice regularly as part of our internal processes or as our services, activities, or regulatory requirements change. It’s subject to change at any time, but the most up to date version is published on our website: bls-staycompliant.co.uk.
By post to BLS Stay Compliant Limited, York Science Park, Innovation Centre, Innovation Way, Heslington, York YO10 5DG.
By email at email@example.com
By phone to 01904 217788
Through our website bls-staycompliant.co.uk
* Data protection legislation means the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes of practice issued by the UK Information Commissioner or such other relevant data protection authority.
Privacy notice: Updated: December 2021