WHAT IS THIS NOTICE ABOUT?

This Data Privacy Notice explains how we collect and use personal information in a number of different situations.

The Notice consists of this Overview section, and various other sections describing the processing we may undertake dependent on the relationship(s) we may have with you.

WHO IS THE DATA CONTROLLER OF MY DATA?

The contact details of each of the Company's data controllers and, where applicable their representatives and relevant data protection contact, are available on the contact us page.

If you have a contractual relationship with us, BSL Ltd will be the data controller of your personal information.

In addition, where processing of personal information is carried out by another group company for its own purposes, that other group company may also be a data controller of your personal information.

HOW DO YOU USE MY PERSONAL INFORMATION?

The sections of this Notice will help you understand how we manage and use your personal information in our relationship or interactions with you.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If the way that personal information will be managed differs from the details provided in this Notice or is incompatible with the original purpose the data was collected for, additional information regarding this processing will be provided to you.

If necessary, we will collect consent from you and advise you of the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your relationship with us that you agree to any request for consent from us.

Please note that we may process your personal information without your knowledge or consent, in compliance with the information set out in this Notice, where this is required or permitted by applicable law.

We may amend the content of the Notice from time to time to keep it up to date with current legal requirements and the way we operate our business.

WHAT IS THE BASIS ON WHICH YOU JUSTIFY PROCESSING MY PERSONAL INFORMATION?

In order to carry out any processing of your personal information, we need to ensure that we have a particular reason to do so. We have set out the reasons we have for processing your personal information in the various sections of this Notice.

The reasons that we have for processing your personal information directly relate to the legal grounds for processing set out in the GDPR and local laws. We have also identified these legal grounds within this Notice where they apply.

Please contact us if you have any questions or would like more detail regarding our reasons for processing your personal information.

WHAT ARE THE GENERAL LEGAL GROUNDS FOR PROCESSING PERSONAL INFORMATION?

The general legal grounds for processing all types of your personal information and what they mean are described further below:

The processing is needed for a contract with you.

We can process your personal information where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract. This means that we can carry out the actions needed to conclude or execute our contract with you.

The processing is needed so that we can comply with our legal obligations.

We can process your personal information where this processing is necessary for compliance with a legal or regulatory obligation to which we are subject. Therefore, we can carry out any actions we need to take in order to comply with applicable laws.

The processing is needed for our legitimate interests.

We can process your personal information where the processing is necessary for our legitimate interests, provided that those interests are not overridden by your interests or rights.

Where we are relying on this ground as the basis for our processing, we will tell you what our legitimate interests are and you will see these in this Notice.

We can carry out any actions we consider are needed for these interests, as long as we consider that the processing in question does not negatively infringe on your rights and interests.

You have given your consent to the processing.

We can process your personal information where you have given clear consent for us to process such personal information for a specific purpose.

The processing is needed for vital interests.

We can process your personal information where the processing is necessary to protect someone's life.

The processing is needed for a public task.

We can process your personal information where the processing is necessary for us to perform a task in the public interest or an official functions, and the task or function has a clear basis in law.

WHAT ARE THE ADDITIONAL LEGAL GROUNDS ON WHICH YOU JUSTIFY PROCESSING MY SPECIAL CATEGORIES OF PERSONAL INFORMATION?

In order to carry out any processing of your special categories of personal information, we need to ensure that we have a particular reason to do so, in addition to the general legal grounds set out above. This reason needs to relate to one of the additional legal grounds for processing set out in the GDPR and local laws.

We have set out the reasons we have for processing your special categories of personal information in this Notice, along with the relevant general and additional legal ground for processing. These additional legal grounds for processing special categories of personal information and what they mean are described further below:

The processing is needed for carrying out our employment law obligations.

We can process special categories of personal information where the processing is necessary for us to carry out any actions we need to undertake in order to comply with our obligations under employment, tax and health and safety law.

The processing is needed for occupational medicine.

Our external and internal occupational health advisers can process special categories of personal information where the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, or to provide a medical diagnosis.

The processing is necessary for substantial public interests.

We can process special categories of personal information where the processing is necessary for reasons of substantial public interest, as set out in the applicable local law. These are explained in this Notice, where relevant.

The processing is needed to protect your life or the life of another.

We can process special categories of personal information where the processing is necessary to protect your vital interests or that of another person where you are physically or legally incapable of giving consent. This means that we can process your special categories of personal information in exceptional emergency situations, such as a medical emergency, for example.

The processing is needed for legal claims.

We can process your special categories of personal information if the processing is necessary for the establishment, exercise or defence of legal claims.

WHAT IF I DON'T PROVIDE YOU WITH MY PERSONAL INFORMATION?

In some cases, you will be free to withhold personal information from us, however if you do withhold specific information we may not be able to continue our relationship with you, if we believe we require the relevant information to support the effective and efficient administration and management of that relationship.

For example, for employees, we require your identity information, contact and payroll information in order to pay you. If this is not provided, we may be unable to manage our contractual relationship.

In addition, for representatives of suppliers or customers, if we do not have your identity and contact information, we will not be able to communicate with you regarding the relevant commercial transaction between the Company and that supplier or customer.

WHERE DO YOU GET MY PERSONAL INFORMATION FROM?

In most cases, we receive the personal information directly from you. You either provide this to us at the outset of our relationship or do so at another time during your interactions with us. This will include personal information that you input into a form or through any self-service function, as well as information that you give to the HR team, your Company contact and to any member of our workforce.

We may create personal information about you during your relationship with us - see internal sources in the table below.

In some cases, we get personal information about you from third party sources - see external sources in the table below.

Internal sources

In addition to the personal information that you provide to us, we may generate some further personal information internally. This will usually be generated by HR, line management or your Company contact, as appropriate.

In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws. In these circumstances, the data may be collected by us or a third party provider of the relevant service on our behalf.

External sources

We may also obtain some information from third parties.

If you are a representative of a supplier or a customer, we may receive your personal information directly from that company or from your colleagues. We may also use third parties to carry out anti-money laundering, anti-bribery and corruption and Know Your Client checks.

If you are an employee, we may obtain references from a previous employer, medical reports from external professionals, information from tax authorities, benefit providers or from a third party that we engage to carry out a background check (where permitted by applicable law).

WHEN DO YOU SHARE MY INFORMATION WITH OTHERS?

Within the Company, your personal information can be accessed by or may be disclosed internally on a need-to-know basis - see internal recipients in the table below.

Your personal information may also be accessed by third parties, including suppliers, advisers, national authorities and government bodies - see external recipients in the table below. We have sought to identify these parties in this Notice.

In addition, there are circumstances where we may need to disclose your personal information to third parties, to help manage our business and deliver our services. We may disclose your personal information to third parties if:

• >We sell or buy any business, in which case we may disclose your personal information to the prospective seller or buyer of such business;
• BSL Ltd or substantially all of its assets are acquired by a third party, in which case personal information held by it about you will be transferred to that third party;
• We are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal information with our regulators and law enforcement agencies in the EEA and around the world, or to our legal advisers;
• It is necessary to protect the rights, property, or safety of BSL Ltd, our customers, suppliers or others, in which case we may disclose your personal information to our legal advisers and other professional services firms; and
• They provide services to us connected with your relationship with us.

Where these third parties (or any others) act as a data processor (for example, a benefits provider), they carry out their tasks on our behalf and upon our instructions for the reasons that we have set out in this Notice. In this case your personal information will only be disclosed to these parties to the extent necessary to provide the required services.

Internal recipients

Internal recipients of your personal information may include:

• local, and global departments, including line management and team members;
• local and executive management responsible for managing or making decisions in connection with your relationship with the Company or when involved in a process concerning your relationship with the Company (including, without limitation, staff from Compliance, Legal, Audit and Security);
• system administrators; and
• where necessary for the performance of specific tasks or system maintenance by staff in teams such as the Finance and IT departments.

Personal information may also be shared inside of the Company between certain interconnecting IT systems.

In addition, where relevant, certain basic personal information (which may include your name, location, job title, contact information and any published skills and experience) may also be accessible to the Company's employees for the purposes set out in this Notice.

External recipients

External recipients of your personal information may include:

• service providers;
• tax authorities,
• regulatory authorities,
• our insurers,
• bankers,
• IT administrators,
• lawyers,
• auditors,
• investors,
• consultants and other professional advisors,
• payroll providers
• administrators of our benefits programs, and
• our Customers

Personal information contained in our IT systems may be accessible by providers of those systems, their associated companies and sub-contractors (such as those involved with hosting, supporting and maintaining the framework of our HR information systems).

We expect these third parties to process any data disclosed to them in accordance with the contractual relationship we have with them and applicable law, including with respect to data confidentiality and security.

In addition, we may share personal information with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.

IS ANY OF MY PERSONAL INFORMATION TRANSFERRED OVERSEAS?

We share your personal information within BSL Ltd as set out in this Notice. Some of the people who access your personal information may not be in the same country as you and may be outside of the EEA.

In addition, some of the external organisations we share your personal information with may be located outside of the EEA. We will always take steps to ensure that any transfer of information outside the EEA is carefully managed to protect your privacy rights:

• we will only transfer personal information to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights,
• transfers to service providers and other third parties will be protected by contractual commitments (such as the European Commission-approved Standard Contractual Clauses), certification schemes (for example, the EU - U.S. Privacy Shield for the protection of personal information transferred from within the EU to the United States of America) or other legally acceptable mechanisms that ensure an adequate level of protection, and
• any requests for information we receive from law enforcement or regulators will be carefully checked before personal information is disclosed.

If you have any questions regarding overseas transfers, please contact us for further details.

HOW LONG DO YOU RETAIN MY PERSONAL INFORMATION?

We will retain your personal information for as long as is reasonably necessary for the purposes explained in this Notice.

In some circumstances we may retain your personal information for longer periods of time than is needed for those purposes described in this Notice. For instance: where we are required to do so in accordance with legal, regulatory, tax or accounting requirements; to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.

We maintain policies governing the creation, retention and disposal of records in our care. These policies set out our requirements for the management of records, including guidance on keeping personal information as current as possible, securely deleting records and irrelevant or excessive data, and storing information anonymously or in a manner which no longer identifies you.

HOW DO YOU MANAGE THE PERSONAL INFORMATION ABOUT OTHER INDIVIDUALS, OTHER THAN MYSELF?

Apart from personal information relating to you, you may also provide us with personal information of third parties, for instance, your family or dependants, or your colleagues. Where this may be the case, we have set this out in this Notice.

Before you provide information about others to us, you must first inform these individuals that you intend to provide their details to us and of the processing to be carried out by us, as detailed in this Notice.

WHAT ARE MY RIGHTS?

Right to access and correct your personal information

The Company aims to ensure that all personal information is correct. You also have a responsibility to ensure that changes to your personal information are notified to the Company as soon as possible so that we can ensure that your data is up-to-date.

You have the right to request access to any of your personal information that the Company may hold, and to request correction of any inaccurate data relating to you.

You should note that we do not always need to comply with your requests, but we will ensure that this is explained to you if this is the case.

Data portability

Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the reason or legal ground for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to the Company in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.

Right to rectify or erase personal information

You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it.

You can also request that we erase your personal information in limited circumstances where:

• it is no longer needed for the purposes for which it was collected; or
• you have withdrawn your consent (where the data processing was based on consent); or
• you have made a successful objection (see right to object); or
• it has been processed unlawfully; or
• it is necessary to comply with a legal obligation to which we are subject.

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:

• for compliance with a legal obligation; or
• for the establishment, exercise or defence of legal claims.

Right to restriction of processing

You have the right to restrict our processing of your personal information but only where:

• you contest the accuracy of the personal information, pending us taking sufficient steps to correct or verify its accuracy;
• the processing is unlawful but you do not want us to erase the data;
• we no longer need the personal information for its original purpose, but we require it for the establishment, exercise or defence of legal claims; or
• you have objected to processing justified on legitimate interest grounds (see below), pending verification as to whether the Company has compelling legitimate grounds to continue processing.

Where personal information is subjected to restriction in this way, we will only process it with your consent; for the establishment, exercise or defence of legal claims; or to protect the rights of another natural or legal person.

Right to withdraw consent

Where you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by (i) in some cases deleting the relevant data from the relevant IT system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our policy) or (ii) contacting us.

Right to object to processing justified on legitimate interest grounds

Where the reason for processing your personal information is our legitimate interests, you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or where we need to process the data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as the legal ground for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.

Right to object to automated decision making

You have the right to object to any decision that significantly affects you being taken solely by a computer or other automated process. In such a case, you have the right to obtain human intervention, to express your point of view, and to contest the automated decision.

Right to object to how we use your personal information for direct marketing purposes

You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.

Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction

You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the EEA. We may redact data transfer agreements to protect commercial terms.

Right to complain to a supervisory authority

You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that the processing of your personal information infringes applicable law.

Further information

For further information regarding your rights, or to exercise any of your rights, please contact us.

HOW DO I EXERCISE MY RIGHTS?

If you wish to exercise your rights, you should contact us or make contact with your usual BSL Ltd contact or manager.

We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information or change account details where we know we are dealing with the right individual.

We will not ask for a fee, unless we think your request is unfounded, repetitive or excessive. Where a fee is necessary, we will inform you before proceeding with your request.

We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than one month. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.

We may not always be able to fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way.

WHAT IF I WANT MORE INFORMATION?

If you are not satisfied with the level of information provided in this Notice, you can ask us about your personal information using the details provided.

HOW DO YOU MANAGE CHANGES TO THIS NOTICE?

We may amend this Notice from time to time, for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business.

• Last Updated: September 2019
• Category: Privacy Notice