Privacy Policy

The BCI Privacy Policy

Please read this information carefully. It provides important advice, guidance and information about your personal data.


Who are we

We are the Business Continuity Institute (BCI), the world’s leading institute for business continuity. Established in the United Kingdom in 1994, the BCI has established itself as the leading membership and certifying organization for Business Continuity (BC) professionals worldwide.

We are a data controller, and we are processing your personal data. This Privacy Notice applies to all personal data that we process in respect of individuals who use our website, subscribers, existing and potential members, our licensed partners, approved instructors, our contractors and suppliers, potential employees, including consultants, and other individuals who contact us. Personal Data means information that can reveal your identity, such as your name, email and telephone number.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you. 


Categories of data held

We may collect, use, store and transfer different kinds of personal data about you which we have described as follows:
•    Identity Data including your first name and last name. 
•    Contact Data means the data we use to contact you including your billing address, delivery address, email address and telephone number.
•    Financial Data means the payment method and card used to process your payments. We do not store or process your card details ourselves. These are processed and stored by one of our contracted third-party service providers.
•    Transaction Data means details about transactions you have made on our website including the payments to and from you along with other details of any courses or subscriptions you have purchased from us.
•    Technical Data means details about the device(s) you use to access our website including your internet protocol (IP) address, browser type and version, location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
•    Profile Data includes your username (email address), your login data, purchases or orders made by you, your interests, preferences, feedback and survey responses.
•    Employment, education and training details: your current position and information which may be relevant to your accreditation, including information which relates to your education and professional training.
•    Usage Data includes information about how you use our website, products and services. This includes your browsing patterns and information such as how long you might spend on one of our webpages and what you look at and for on our website, the page that referred you to our site and the click stream during your visit to our website, page response times and page interaction information (clicks you make on a page). 
•    Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
•    In the case of employees and potential employees only, we may collect certain sensitive data about you (such as information concerning your racial or ethnic origin, trade union activities, physical or mental health). This information will be obtained when you apply for a job with us or if you have disclosed this during your employment with us.


How we collect personal data

We use different methods to collect data from and about you, such as when you fill in forms online, when you correspond with us by post, phone or email, or when we record information from face-to-face meetings.

If you are a potential employee, we may collect personal data about you through external recruitment agencies and through any background checks we may carry out with your consent.

We may collect personal data through our use of cookies. Cookies are used to distinguish you from other users of the website and to remember your preferences. This helps us to provide you with a good experience when you use the website and also allows us to improve our website. For detailed information on the cookies we use, please see our cookie policy.


Lawful basis 

We will only use personal data of data subjects when the law permits, and we will use all such personal data in accordance with this Privacy Notice, the Data Protection Act 2018 and General Data Protection Regulation (“GDPR”). 

We will only use your personal data when the law allows us to do so. Most commonly the basis we will rely on to use your personal data is: 
•    Where we need to perform a contract and/or we are about to enter a contract and/or we have entered into a contract with you;
•    Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us;
•    Where we need to comply with a legal or regulatory obligation, for example where we are your employer or because a public authority compels us to; and
•    Where you have given us your clear consent before the processing. Consent refers to any positive act whereby you signify your agreement by a clear opt-in to processing for a specific purpose (i.e. by clicking a tick box). Consent will only be valid if it is a freely given, specific, informed and unambiguous indication. You can withdraw your consent at any time by contacting us.
We will only send you direct marketing communications by email or text if we have your consent. You have the right to withdraw that consent at any time by contacting us. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes. 


Purposes

We will use your data in a variety of ways:
•    To register you as a member or delegate and to facilitate our communications with you;
•    To manage payments and collect money owed to us for subscription fees or to fulfil our contract with you;
•    To manage our relationship with you (suppliers, customers, employees and potential employees);
•    To deliver goods and services to you;
•    To administer our records of membership and certification and training;
•    To use data analytics to improve the website or our services;
•    To assess your suitability for a position you have applied for with us;
•    To comply with our obligations as an employer;
•    To carry out background checks, where permitted for insurance purposes; and 
•    To keep accurate records and to exercise or defend our legal rights or comply with our legal obligations.  


Disclosures

We may share your personal data with third parties that operate our systems such as customer relationship management, call answering services, external IT systems or our third-party advisors such as accountants or lawyers. In respect of potential employees, your data will be shared internally with the recruitment team which consists only of those employees who need access. 
We may also share your personal data with public authorities, including HM Revenue & Customs, when required by law to do so. We may disclose your personal data to prospective sellers or buyers of our business or assets we assign or where we novate any of our rights and obligations. We never have sold, and never will sell, your data or use it for any other purpose outside of this Privacy Notice.


Transfers

It may be necessary to transfer personal information outside the UK and the European Economic Area (EEA), to countries or territories around the world. We will ensure that any transfers of your personal data outside the EEA will only be made with appropriate safeguards to protect your enforceable rights and provide effective legal remedies. 


Data Retention

We will only retain personal data for as long as strictly necessary to fulfil the purposes for which it was collected, including for the purposes of complying with any legal, accounting or reporting requirements and when we assert or defend legal claims. By law we have to keep basic information about our customers and members for six years after they cease being our customers.
The BCI will also retain your personal data until it becomes inaccurate, at which time we will endeavour to bring the data up-to-date. If we are unable to verify the accuracy of your data, we will delete the appropriate records.


Your rights

With regard to your personal data, you may contact us to:
•    withdraw your consent;
•    request access to your data;
•    request rectification or erasure of your personal data;
•    ask for a restriction of processing;
•    object to processing; and
•    request that data be ‘ported’ to another Data Controller.

We explicitly bring to your attention your right to object to our processing of your personal data. You have the right to object at any time to processing of personal data concerning you for marketing, which includes profiling to the extent that it is related to such direct marketing. Please use the contact details below if you wish to exercise any of your rights. Please refer to our Subject Access Request Policy for more details. 

You are advised that you have a right to lodge a complaint with a supervisory authority. As a UK registered company, this would be the UK Information Commissioner. Their contact details and other information and guidance can be obtained from www.ico.org.uk. The data controller reference number at the BCI is ZA386332.


Information security

The BCI takes reasonable technical and organisational precautions to prevent the loss, misuse or alteration of personal data. All information provided is stored on secure (password- and firewall-protected) servers and devices.


Data protection policy amendments

The BCI may update this policy from time to time by posting revisions here. Please check here occasionally for any changes.

Other websites

The BCI accepts no responsibility for the content, privacy policies or practices of other websites.


Contact us

You can use any of the channels below to contact us about your personal data.
bci@thebci.org
BCI Forum Limited, t/a The Business Continuity Institute
10-11 Southview Park,
Marsack Street,
Caversham,
Berkshire,
RG4 5AF
United Kingdom

Telephone: +44 0118 947 8215

Please note that in the interests of your safety, we will be unable to discuss your personal data until we have positively identified you. This may require us to contact you via email for confirmation of your identity.