1. Policy Statement

  1. Everyone has rights with regard to the way in which their personal data in handled. During the course of our business activities we will collect, store and process personal data about our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
  2. Data users are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.

2. About this Policy

  1. The types of personal data that Behavox Limited and it’s Group (“we”, “our”) may be required to handle include information about current, past and prospective customers, suppliers and employees and others that we communicate with. Group means a Party’s subsidiaries, ultimate holding company and its subsidiaries, as defined in Section 1159 of the Companies Act 2006.
  2. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the General Data Protection Regulation 2016/679 (“GDPR”) and other applicable privacy and data protection laws (“Regulations”).
  3. This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
  4. This policy does not form part of any employee’s contract of employment and may be amended at any time.
  5. This policy has been approved by the legal team. It sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.
  6. The legal team is responsible for ensuring compliance with the Act and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the legal team.
  7. Our Fair Processing Notice is located at Schedule A (“FPN”).

3. Data Protection Terms

In this policy:

  • “data” means information stored electronically or in certain paper-based filing systems.
  • “controller” means the organisation that determines the purposes for which, and the manner in which data are, or are to be, processed. They are responsible for establishing practices and policies in line with the Regulations. We are the controller of personal data used in our business for our own commercial purposes.
  • “data subject” means a person who is identified or identifiable from data that is in our possession or is likely to come into our possession in the future.
  • “data users” mean those of our employees and contractors whose work involves processing personal data. Data users must protect the personal data they handle in accordance with this policy and any applicable data security procedures at all times.
  • “personal data” means data relating to a living data subject. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
  • “processing” means everything that can be done with data during it’s lifecycle from collection to destruction.
  • “processor” means a third party (such as a supplier or contractor) that acts on the instructions of the controller. The controller remains legally responsible for processing performed by a processor. We are the processor of all data processed on behalf of our customers. Employees are not processors.
  • “sensitive personal data” means information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

4. Data Protection Principles

Anyone processing personal data must comply with the eight enforceable data protection principles. These provide that personal data must be:

  • Processed fairly and lawfully;
  • Processed only for a specified and lawful purpose;
  • Adequate, relevant and not excessive for the purpose;
  • Accurate and up to date;
  • Not kept longer than necessary for the purpose;
  • Processed in accordance with Data Subjects’ rights;
  • Kept secure; and
  • Not transferred to people or organisations situated in countries without adequate protection.

5. Fair and Lawful Processing

  1. In the course of our business, we may collect and process personal data received directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and received from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
  2. For personal data to be processed fairly the data subject must have been provided with the FPN and the data collection cannot deceive or mislead as to the purpose of the processing.
  3. If we receive personal data about a data subject from other sources, we will provide the data subject with the FPN as soon as possible thereafter.
  4. The FPN will inform the data subject about the:
    – Controller’s identity and contact details;
    – DPO’s contact details (if any);
    – Purpose(s) of the processing and lawful basis relied upon for processing personal data;
    – Period for which data will be stored;
    – Existence of rights to request access, rectification, erasure or to object to processing;
    – Right to lodge a complaint with the Information Commissioner’s Office (“ICO”), and ICO’s contact details;
    – Recipients or categories of recipients of the Personal Data;
    – Intention to transfer data to another country and the level of protection in the destination country;
    – Whether provision of data is voluntary or mandatory, and consequences of failing to provide the data;|
    – Existence of any profiling; and
    – Existence of processing activities with a high risk.
  5. For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Regulations. These include, among other things, the data subject’s consent, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the controller is subject, or for the legitimate interest of the controller or the party to whom the data is disclosed.
  6. When sensitive personal data is being processed, additional conditions must be met.

6. Specified and Lawful Purpose

  1. We will only process personal data for the specific purpose(s), or in a manner compatible with the purpose(s), notified to the data subject when we first collect the personal data or as soon as possible thereafter (ie in accordance with the FPN provided to the data subject).
  2. We will only process personal data in a manner compatible with the purpose for which it was obtained.

7. Adequate, Relevant and Not Excessive

  1. We will ensure that adequate personal data is collected to satisfy the purpose(s) notified to the data subject, especially where the purpose(s) have an impact upon the data subject.
  2. We will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.

8. Accurate and Up-to-date

  1. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
  2. We will provide data subjects with the means to obtain a copy of, and correct any inaccuracies in, their personal data.

9. Timely Processing

  1. We will not keep personal data longer than is necessary for the purpose(s) for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.

10. Data Subject’s Rights

  1. We will process all personal data in line with data subjects’ rights, in particular their rights to:
    – Access to a copy of the information comprising their personal data;
    – Object to processing that is likely to cause or is causing damage or distress;
    – Prevent processing for direct marketing;
    – Object to decisions being taken by automated means; and
    – Have inaccurate personal data rectified, blocked, erased or destroyed.
  2. We will put in place means and procedures to enable data subjects to exercise their rights without excessive delay or expense.

11. Data Security

  1. We will take appropriate technical and organisational security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
  2. Personal data will only be transferred to a processor if they agree in a written contract to maintain appropriate security measures.
  3. In the event of a breach of data security we will comply with the Regulations and notify affected data subjects and the ICO, and the relevant privacy regulators outside of the European Economic Area as required by applicable local laws.

12. External Transfers

  1. We may transfer any personal data to a State (country) outside the European Economic Area (“EEA”), provided that one or more of the following conditions applies:
    – The country to which personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
    – The data subject has given consent;
    – The transfer is necessary for one of the reasons set out in the Regulations, including the performance of a contract with the data subject, or to protect the vital interests of the data subject;
    – The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; and/or
    – Adequate safeguards have been put in place to protect the rights of data subjects.
  2. Subject to the requirements in this section, personal data we hold may also be processed by staff operating outside the EEA who work for us or our suppliers and contractors.

13. Disclosure and Sharing

  1. We may share personal data we hold with any member of our Group.
  2. We may also disclose personal data we hold to third parties:
    – In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets;
    – If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets;
    – In order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject; or to protect our rights, property, or safety of our employees, customers, or others;
    – For the purposes of fraud protection and credit risk reduction; and
    – In accordance with the FPN.

14. Direct Marketing

  1. We will only send direct marketing materials consistent with the recipient’s consent.
  2. We will only make marketing lists available to third parties for direct marketing purposes within the scope of the recipient’s consent.
  3. All direct marketing materials will include relevant particulars of the business and any promotional offer, be clearly identifiable as a commercial communication, and will provide the recipient the ability to withdraw or modify their consent.

15. Data Subject Access Requests

  1. Data subjects must make a formal request for information we hold about them. This must be made in writing. Employees who receive a written request should forward it to their manager immediately.
  2. When receiving telephone enquiries, we will only disclose personal data if the following conditions are met:
    – We will check the caller’s identity to make sure that information is only given to the data subject or their authorised representative.
    – We will suggest that the caller put their request in writing together with proof of identification if we are not sure about the caller’s identity and where their identity cannot be checked.
  3. We will comply with our Data Subject Access Procedure.

16. Compliance and Disciplinary Action

  1. Compliance with this policy is mandatory for all our employees who process personal data. Failure to comply may result in disciplinary action up to and including termination of employment.

17. Changes to this Policy

  1. We reserve the right to change this policy at any time without notice.

Last revised: 27 March 2018

Previous versions: 19 February 2018

SCHEDULE A

FAIR PROCESSING NOTICE

1. The following fair processing notice (“FPN”) is a broad description of the way this organisation/ controller processes personal data as required by the General Data Protection Regulation 2016/679 (“GDPR”) and other applicable privacy laws.

2. Consent

  1. You consent to the processing of your personal data in accordance with this FPN, as updated from time to time.
  2. You consent to receive direct marketing from us and third parties identified in this FPN, by mail, email, telephone, SMS, and by any other method of electronic mail as defined by and for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK).
  3. You consent to your personal data being disclosed to the third parties, and for the purposes, described in this FPN, as updated from time to time.
  4. You may withdraw consent at any time by contacting us by the methods set out on our website.

3. Data Protection and Privacy Policy

  1. Processing is conducted in accordance with our Data Protection and Privacy Policy.
  2. Controller (“we” “our” “us”): Behavox Limited, a company registered in England under number 09066452 whose registered office is at 68 South Lambeth Road, London, England, SW8 1RL
  3. We use various processors who perform administrative and other functions on behalf of our business, a list of which shall be made available on request.

4. Purposes of Data Processing

  1. We process personal information to enable us to:
    – Promote our goods and services;
    – Undertake research;
    – Deliver updates and news that may be of interest to various data subjects;
    – Maintain our accounts and records;
    – Communicate with, support and manage our current, past and prospective customers, suppliers and employees; and
    – Other purposes from time to time, which will be updated to this notice.
  2. Processing for the above purposes is conducted on the following conditions for legitimate processing:
    – Consent of the data subject;
    – Contractual necessity;
    – Non-contractual legal obligation of the controller; and/or
    – Legitimate interests of the controller or third party.

5. Data Subjects

  1. We process personal data about our:
    – Customers and clients;
    – Employees and potential employees (eg candidates and applicants);
    – Professional advisers and consultants;
    – Suppliers and service providers;
    – Complainants and enquirers; and
    – Persons involved in our business.

6. Categories of Personal Data

  1. We process personal data including:
    – Personal details;
    – Family details;
    – Contact details;
    – Lifestyle and social circumstances;
    – Education and employment details;
    – Financial details;
    – Goods or services provided; and
    – Internet browsing habits and interests.
  2. We also process sensitive classes of personal data that may include:
    – Racial or ethnic origin;
    – Political opinions;
    – Religious or philosophical beliefs;
    – Trade-union membership;
    – Mental and physical health; and
    – Sex life.

7. Recipients of Personal Data

  1. We may share Personal Data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in Section 1159 of the Companies Act 2006 (UK).
  2. We share data with various contractors performing administrative and other functions on behalf of our business, a list of which shall be made available on request.
  3. Where necessary or required we share information, including personal data, with the following categories of third party recipients:
    – Family, associates and representatives of the person whose personal data we are processing;
    – Suppliers and service providers; and
    – Crime and taxation authorities when requested under an appropriate power.
  4. We may also disclose personal data to third parties:
    – In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets;
    – If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets;
    – In order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject; or to protect our rights, property, or safety of our employees, customers, or others;
    – For the purposes of fraud protection and credit risk reduction; and
    – Other third parties from time to time, which will be updated to this notice.

8. Transferring Data Outside the EEA

  1. We regularly transfer personal information overseas. Where this is necessary this may be to countries or territories around the world. We are required to ensure that when we need to do this we comply with the GDPR.
  2. We currently transfer personal data to the following jurisdictions:
  3. Other jurisdictions external to the European Economic Area from time to time, which will be updated to this notice.

9. Provision of Personal Data

  1. Provision of personal data is mandatory in the case of employees to the extent such data is necessary to perform our contractual and non-contractual legal obligation, otherwise voluntary.

10. Profiling

  1. Profiling of employees is conducted using the Behavox software platform to the limits of the capabilities of such platform, for the purpose of optimising business operations and on the legal basis of legitimate interests of the controller.

11. High Risk Processing Activities

  1. None

12. Data Subject Rights

  1. As the data subject, you have the right to access to a copy of the information comprising your personal data, such access requests can be lodged by contacting us via the methods set out on our website, or for current employees by contracting the legal team.
  2. As the data subject you have rights to:
    – Object to processing that is likely to cause or is causing damage or distress, such request can be made here;
    – Prevent Processing for direct marketing;
    – Object to decisions being taken by automated means; and
    – Have inaccurate personal data rectified, blocked, erased or destroyed.
  3. Such rights may be exercised by contacting us via the methods set out on our website, or for current employees by contracting the legal team.
  4. You have the right to lodge a complaint concerning our compliance with the data protection principles with the Information Commissioner here: https://ico.org.uk/concerns/

13. Data Retention Period

  1. We retain personal data indefinitely or until it is no longer required.

14. Data Protection Compliance Measures

  1. We complete a data protection impact assessment prior to any significant change to our processing activities or data recipients. We complete periodic data protection audits, at least once per year to ensure ongoing compliance with the data protection legislation.

This policy does not form part of any employee’s contract of employment and it may be amended at any time.

Last revised: 3 July 2018

Previous versions: 6 June 2018