This is a public notice detailing how Berea works with the Personal Data of customers, partners and similar.
The security and fair treatment of your Personal Data and associated rights is very important to us. We will endeavour to uphold your rights, treat your information with all due respect, and ever work to keep it held securely and in confidence. To achieve this aim, this document presents:
- What Personal Data is ('definitions')
- Who we are
- How and why we use your Personal Data ('purposes')
- Your rights as a Data Subject
- How to interact with us
We have sought to present this Privacy Notice in plain-English. Some of the definitions below relate to legal concepts and are provided for your reference. Should you ever have any query please contact us and we will be happy to help.
Information relating to living, identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, customers, suppliers and marketing contacts.
Personal Data we gather about you may include:
- Your contact details, including telephone numbers, email address and office address.
- Information about your role, including your job title.
Special categories of Personal Data
Sensitive Personal Data shall by definition include:
- Personal Data about an individual's racial or ethnic origin,
- Political opinions,
- Religious or similar beliefs,
- Trade union membership (or non-membership),
- Physical or mental health or condition,
- Criminal offences, or related proceedings.
The purposes for which Personal Data may be used by us: Personnel, administrative, operational, financial, regulatory, payroll and business development purposes.
Business purposes include the following:
- The legal and lawful delivery of our services.
- Compliance with our legal, regulatory and corporate governance obligations and good practice.
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
- Ensuring business policies are adhered to (such as policies covering email and internet use).
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking.
- Investigating complaints.
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments.
- Monitoring staff conduct, disciplinary matters.
- Marketing our business.
- Improving our services.
The electronic and physical locations where we store Personal Data.
Our business, Berea Associates Limited, is the Data Controller for the Personal Data we directly capture from Data Subjects.
Our business acts as a Data Processor for other organisations for whom we deliver services. Similarly, our own subcontractors, and other service providers to whom we entrust Personal Data for the delivery of our services are legally considered our own Data Processors.
This is a legal consideration under data protection legislation. Data Subjects provide Consent for their Personal Data to be used for one or more explicit purposes relevant to the services provided by our business.
A Data Subject is a living, identifiable individual located within the European Union.
Personal Data Breach
A Personal Data Breach is the unauthorised disclosure of Personal Data into an untrusted environment. An example would be the accidental emailing of a spreadsheet containing Personal Data to an unintended recipient.
Who we are
Where you submit Personal Data to us directly, Berea is legally obligated as a ‘Data Controller’. In a capacity where we have been provided with your Personal Data by a partner’s business, we are legally obligated as a ‘Data Processor’.
Should you wish to interact with us regarding any query on Personal Data, our contact details are provided below.
- Contact: Aaron Yates, Chief Executive
- Telephone: 0116 287 3600
- Email: firstname.lastname@example.org
How and why we use your Personal Data
As a business Berea provides the following types of service:
- The production and provision of web-based software (Cyber AMI) for use by individuals in a customer’s business.
- The manufacture and retail of tangible goods (Cyber Safety At Work) for purchase by individuals in a customer’s business.
- Professional services (consultancy and similar).
In order to be able to provide these services to you, we must be able to identify you in some manner, to be able to deliver your service to you specifically.
Where we are capturing your Personal Data to provide a service, we will always seek your Consent in order to do so.
Where we are provided with your Personal Data to legally fulfil a service to you that you have requested, we will endeavour to make you aware that we have processed and handled your Personal Data.
This Privacy Notice lays out how we will fulfil our obligations to you in the safe and legal treatment of your Personal Data. Should you have any queries, please contact us using the contact details above.
We will never use your Personal Data for a business purpose without your explicit consent. If we require your Personal Data for any other Purpose we will seek you consent prior to undertaking any processing activity. We will never sell your Personal Data to any third party for any reason (except if considered as an asset where Berea is acquired by another business).
For your reference our business will only provide services to individuals aged over 18 years.
Your Personal Data
It is your responsibility to ensure the Personal Data we hold about you is accurate and up-to-date. Please contact us if you have any queries regarding your Personal Data.
Where you directly contract us to provide a service
We will only collect the necessary Personal Data to fulfil the service you have requested. Your Personal Data will be retained for no more than 24 months after the required purpose, except where we are bound by other legal obligations to do so.
Where we are provided with your Personal Data to fulfil a service on behalf of a partner
We will only accept the minimum Personal Data to be able to deliver the service. Your Personal Data will be retained for no longer than 24 months following the delivery of the service. The originating service provider may retain your Personal Data for longer, and you should speak with that party if you have any queries.
Your Rights as a Data Subject
- You have the right to know what Personal Data we hold about you.
- You have the right to request we cease processing your Personal Data.
- You have the right to revoke your consent to your Personal Data being processed (except where necessary to legally delivery a contracted service).
- You have the right to request we not make decisions about you automatically and can prefer human intervention (where possible).
- You have the right to request that we not profile you based on your Personal Data without human intervention (where possible).
- You have the right to request we delete all Personal Data we hold about you (where legally we are able to do so).
- You have the right to request a copy of any Personal Data we hold about you, which must be provided to you in a commonly used electronic format.
- You have the right for your Personal Data to be stored and processed securely and have confidence that it will not be disclosed to an unauthorised party.
- You have the right to make a complaint if you are dissatisfied with the how we have honoured your rights.
It must be noted that there is no charge to request information from us. We are only permitted to make a charge if:
- Your request is unfounded.
- Your request is excessive.
- Your requests are repetitive in nature.
Interacting with us regarding your rights
Making a 'Subject Access Request'
You have the right to request a copy of the Personal Data we hold about you. This process is defined as a ‘Subject Access Request’. The request must be made in writing, by email or post, to the contact details provided above.
We will acknowledge receipt of your request and will respond to the request at the latest within 20 working days from receipt. When making your request you must provide all necessary information to support your query, including:
- Your name and contact details,
- The reason for your request and the data you are seeking,
- How we can contact you.
There are exemptions to Subject Access Requests that may prevent us from honouring your request. This may include the request being overly broad, or your request may infringe the rights of another individual. We will always attempt to honour your request and will fully explain, if we are unable to do so, why, and what can be done to progress the request further.
Your right to receive data in a commonly used electronic format
Due to the nature of the services we provide, it may be that we are unable to honour all requests. We will always seek to provide you with data that you or your service provide can easily reuse.
Your right to request we restrict processing
You have the right to request that we restrict processing any Personal Data we hold about you. This request should be made in writing to the contact identified above, stating the reason for your request, and the timeframe required for processing to be restricted. Will will acknowledge your request and respond within 5 working days.
Your right to request the deletion of Personal Data
You have the right to request that we delete or destroy any Personal Data that we hold on you. This request should be made in writing, by post or email, to the contact identified above. We will acknowledge your request and respond within 5 working days. We may be unable to honour requests that infringe on our other legal obligations, or in relation to a dispute, or where the deletion affects the rights of another party.
Your rights in relation to automated decision making and profiling
We do not make use of Personal Data for automated decision making or profiling in the delivery of our services to you. If you believe this not to be the case, please contact us.
Making a complaint
You have the right to make a complaint if we fail to honour your rights. We hope you never have need to do so, however in such an instance our business operates a three-stage complaints process, as follows:
- In the first instance please send in writing, by post or email, your complaint to the contact named above. We will acknowledge receipt of your complaint. You will receive a response within five working days.
- If we fail to resolve your issue with our response, you may escalate your complaint to our Chief Executive. Please indicate in writing, again either by post or email, for your desire for the complain to be escalated. We will acknowledge receipt of your complaint and will respond to you within 5 working days.
- If you remain dissatisfied with how we have handled your complaint, you have the right to seek redress through the data protection supervisory authority. Please assemble all necessary information and submit your complaint here: https://www.ico.org.uk
Securing your Personal Data
We undertake comprehensive technical measures to reduce the likelihood your Personal Data will be accessed by an unauthorised party. For operational security we cannot disclosure the measures undertaken, however we are able to comment that our organisation seeks at all times to comply with (at the very least) the requirements of the following specifications:
- Cyber Essentials
We will always endeavour to store and process your Personal Data within the geographic confines of the European Economic Area (‘EEA’). If we are unable to do so, we will always ensure that our Data Processors comply with the same or greater level of assurance over use of your Personal Data than ourselves.
In the event of a Personal Data Breach
As a responsible Data Controller and Data Processor, in the event that Personal Data is disclosed to unauthorised individuals, we will notify you in writing as soon as possible. We take a great number of precautions to prevent this from happening, however should an incident arise we will detail what Personal Data was affected and the steps we are taking to manage the issue going forwards.
Our use of Data Processors
It is possible that we may entrust your Personal Data to other businesses to help us deliver our service to you. Our business will only operate with partners that adhere to a similar or greater level of assurance than ourselves. When you request a service from us, to legally discharge the contract entered into, we must always assume your Consent for Personal Data to be shared with partners where strictly necessary to do so.
Your feedback is very important to us. Should you have any queries, or desire any clarification regarding this Privacy Notice, please contact us and we will be happy to discuss with you.