Privacy Notice

Introduction
The British Standards Institution (ICO registration Z7888292) (“BSI”) takes your privacy
very seriously. This Privacy Notice is intended to set out your rights and answer any queries
you may have about your personal data. If you need more information, please contact:
PrivacyTeam@bsigroup.com

If you have entered into a contract with one of our subsidiaries or group companies, the
controller of your data will be the BSI company or companies stated in your contract (BSI
Standards Limited (ICO registration ZA342039), BSI Assurance UK Limited (ICO registration
ZA341951) and/or BSI Cybersecurity and Information Resilience (UK) Limited (ICO
registration Z1767162)) and/or the BSI company to which you provide any additional
consent. In all other circumstances, the controller of your data will be The British Standards
Institution.

Our personal data handling policy and procedures have been developed in line with the
requirements of the 1995 European Union Data Protection Directive (Directive 95/46/EC)
and the General Data Protection Regulation and applicable national law.

1. What personal data do we collect?

We collect and process personal data about you when you interact with us and our products
and when you purchase goods and services from us. The personal data we process includes:

  • name;
  • username and password;
  • home or work address, email address and/or phone number;
  •  job title;
  •  payment and delivery details, including billing and delivery addresses and credit card
    details, where you make purchases from us;
  • personal data related to the browser or device you use to access our website;
  •  internet browser and operating system;
  •  recordings of calls you make to our customer service team; and
  •  any other personal data you provide.

2. How do we use this personal data and what is the legal basis for this use?

We process the personal data listed in paragraph 1 above for the following purposes:

  • to establish and fulfill a contract with you, for example, if you make a purchase from
    us or enter into an agreement to provide or receive services. This may include
    verifying your identity, taking payments, communicating with you, providing
    customer services and arranging the delivery or other provision of products or
    services. We require this information in order to enter into a contract with you and
    are unable to do so without it;
  • to comply with applicable law and regulation;
  • in accordance with our legitimate interests in protecting BSI’s legitimate business
    interests, role as the National Standards Body, and legal rights, including but not
    limited to, use in connection with legal claims, compliance, regulatory and
    investigative purposes (including disclosure of such information in connection with
    legal process or litigation);
  • with your express consent to respond to any comments or complaints we may
    receive from you, or to investigate any complaints received from you or from others,
    about our website or our products or services;
  • we may use information you provide to personalise (i) our communications to you;
    (ii) our website; and (iii) products or services for you, in accordance with our
    legitimate interests;
  • to monitor use of our websites and online services. We may use your information to
    help us check, improve and protect our products, content, services and websites,
    both online and offline, in accordance with our legitimate interests;
  • if you provide a credit or debit card, we may also use third parties (such as POS
    payment providers) to check the validity of the sort code, account number and card
    number you submit in order to prevent fraud, in accordance with our legitimate
    interests and those of third parties;
  • we may monitor any customer account to prevent, investigate and/or report fraud,
    terrorism, misrepresentation, security incidents or crime, in accordance with
    applicable law and our legitimate interests;
  • in circumstances where you contact us by telephone, calls may be recorded for
    quality, training and security purposes, in accordance with our legitimate interests;
    and
  • we may use your information to invite you to take part in market research or
    surveys.

We may also send you direct marketing in relation to BSI’s relevant products and services.
Electronic direct marketing will only be sent where you have given your consent to receive
it, or (where this is allowed) you have been given an opportunity to opt-out. We will not
send you direct marketing of third party products or services although our own products or
services may on occasion include co-operation with third parties. You will continue to be
able to opt-out of electronic direct marketing at any time by following the instructions in the
relevant communication.

3. With whom and where will we share your personal data?

We may share your personal data with our subsidiaries to process it for the purposes of
inter-group administration and to deliver products or services where elements of these are
provided by BSI group companies other than those with which you have directly contracted.

We may also share your personal data with the below third parties:

  • our professional advisors such as our auditors and external legal and financial
    advisors;
  • marketing and communications agencies where they have agreed to process your
    personal data in line with this Privacy Notice;
  • market research companies;
  • our suppliers, business partners and sub-contractors; and/or
  • search engine and web analytics.

Personal data may be shared with government authorities and/or law enforcement officials if
required for the purposes above, if mandated by law or if needed for the legal protection of
our legitimate interests in compliance with applicable laws. Personal data may also be
shared with third party service providers who will process it on behalf of BSI for the
purposes above. Such third parties include, but are not limited to, providers of website
hosting, maintenance, call centre operation and identity checking.

In the event that our business or any part of it is sold or integrated with another business,
your details will be disclosed to our advisers and those of any prospective purchaser and will
be passed to the new owners of the business.

4. How long will you keep my personal data?

We will not keep your personal data for any purpose longer than necessary to fulfill the
original or a compatible purpose. In some instances, we are required to retain certain
information by law or due to our role as the National Standards Body, and for as long as
reasonably necessary to meet regulatory or accreditation requirements, resolve disputes,
prevent fraud and abuse, or enforce our terms and conditions. Where this is the case, your
personal data will only be processed for the relevant legitimate purpose and not used for
marketing.

Where you are a customer, we will keep your personal data for the length of any
contractual relationship you have with us and after that for a period of up to 3 years unless
you are a customer purchasing Standards in which event we will keep your information
for up to 5 years in line with the Standards lifecycle.

Where you are a prospective customer and you have expressly consented to us
contacting you, we will only retain your personal data for this purpose (a) until you
unsubscribe from our communications; or, if you have not unsubscribed, (b) while you
interact with us and our content; or (c) for 2 years from when you last interacted with us or
our content.

In the case of any contact you may have with our customer services team, we will retain
your details for as long as is necessary to resolve your query and for two weeks after the
query is closed.

We may retain your personal data for a time beyond the specified retention period, to allow
for information to be reviewed and any deletion to take place. After it is no longer necessary
for us to retain your personal data, we dispose of it securely according to our Document &
Information Retention Policy.

5. Where is my data stored?

The personal data that we collect from you may be transferred to, and stored outside the
European Economic Area (“EEA”). It may also be processed by staff operating outside the
EEA who work for us or for one of our suppliers, in which case the third country’s data
protection laws will have been approved as adequate by the European Commission or other
applicable safeguards will be in place. Further information may be obtained from our Privacy
Team.

6. What are my rights in relation to my personal data?

You have the right to ask us not to process your personal data for marketing purposes. You
can exercise your right to prevent such processing by checking certain boxes on the forms
we use to collect your data, clicking the unsubscribe button on any communication we have
sent to you or by contacting us.

Where you have consented to us using your personal data, you can withdraw that consent
at any time.

If the information we hold about you is inaccurate or incomplete, you can notify us and ask
us to correct or supplement it.

You also have the right, with some exceptions and qualifications, to ask us to provide a copy
of any personal data we hold about you.

Where you have provided your data to us and it is processed by automated means, you may
be able to request that we provide it to you in a structured, machine readable format.

If you have a complaint about how we have handled your personal data, you may be able to
ask us to restrict how we use your personal data while your complaint is resolved. In some
circumstances you can ask us to erase your personal data (a) by withdrawing your consent
for us to use it; (b) if it is no longer necessary for us to use your personal data; (c) if you
object to the use of your personal data and we don’t have a good reason to continue to use
it; or (d) if we haven’t handled your personal data in accordance with our obligations.

7. Where can I find more information about BSI’s handling of my data?

Should you have any queries regarding this Privacy Notice, about BSI’s processing of your
personal data or wish to exercise your rights you can contact BSI’s Privacy Team using this
email address: PrivacyTeam@bsigroup.com. If you are not happy with our response, you
can contact the Information Commissioner’s Office: https://ico.org.uk/

© The British Standards Institution - Powered by bsi. | Intellectual property | Privacy policy