1. Information we collect
1.1 Personal information that you give us
You, your employer or your scheme trustee/administrator may give us personal information about you by using the online forms provided on our website, completing order forms, setting up an account with us, or by contacting us by phone, e-mail or other means. This includes, for example, when personal information is provided to us in order to receive our services. You or your employer may also give us personal information about you when you are, or it is, offering or providing services to us.
Such personal information may include:
(a) Information about you
(i) Your name
(ii) Address and post code
(iii) Email address
(iv) Telephone number
(v) Your job title
(vi) Company name
(vii) Company address
(viii) Account information
(x) Date of birth
(xi) Salary and pension details (and other financial information such as information about employee benefit schemes)
(xii) Marital status
(xiii) Health information
(xiv) Information provided in correspondence
(xv) Updates in information provided to us
(b) Information about the services we provide to you
(i) Information needed to provide services to you
(ii) Customer services information
(iii) Customer relationship management and marketing information
(c) Information about services we receive from you or your employer
(i) Your website
(ii) Supplier due diligence information
(iii) Work contact information (phone number, postal address, email address)
Some of the personal information that we collect about you, or which you or your employer provides to us about you, may be special categories of data. Special categories of data include information about racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, your physical and mental health or sexual life.
Please note that we need certain types of personal information so that we can provide services to you or so you, or your employer, can provide services to us. If you do not provide us with such personal information, or ask us to delete it, you may no longer be able to access our services or provide goods and services to us.
1.2 Personal information we collect about you
(a) Each time you visit our website we may automatically collect any of the following information:
(i) technical information, including the Internet protocol (IP) address used to connect your computer to the internet, domain name and country which requests information, the files requested, browser type and version, browser plug-in types and versions, operating system and platform;
(ii) information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time), time and length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, traffic data, location data, weblogs and other communication data and information provided when requesting further service or downloads.
(b) We may intercept, monitor and/or keep records of email communications entering and leaving our systems.
(c) If you contact us on social media, we will collect certain information about you from your social media page and through your interactions with us or with information about our services.
(d) If you are a journalist or work for an institution/trade association in our industry, we may collect information about you from public sources.
(e) If you are a customer or a supplier (or a potential customer or supplier) or work for one of them (including as a consultant), we may obtain information about you from your company’s website.
(f) We may acquire personal information from third party providers in order to promote and market our services. Any such marketing will be carried out in accordance with section 10.
(g) We may acquire personal information in relation to the members of the schemes to which we provide services from third parties such as insurance companies and medical professionals.
2. Use of information
We, or third party data processors acting on our behalf, collect, use and store the personal information listed above for the following reasons:
2.1 Visiting our website:
(a) to allow you to access and use our website;
(b) to provide technical support;
(c) to provide you with the information and services that you request from us;
(d) to ensure the security of our services and our website;
(e) to recognise you when you return to our website; and
(f) for improvement and maintenance of our website and preparing reports or compiling statistics in order to improve our services. Such details will be anonymised as far as is reasonably possible and you will not be identifiable from the information collected.
2.2 Receiving goods and services from you
(a) to enable us to receive and manage services from you (including supplier due diligence, payment and expense reporting and financial audits);
(b) for health and safety records and management;
(c) to assess your working capacity;
(d) to confirm information on CVs and perform reference checks, to assess you or your employer’s suitability to work for us; and
(e) for equal opportunities monitoring.
2.3 Providing services to you
(a) to provide relevant services and support to you, your employer or scheme trustee/administrator;
(b) to deal with any enquiries or issues you have about our services, including any questions you may have about how we collect, store and use your personal information, or any requests made by you for a copy of the information we hold about you;
(c) to send you certain communications (including by email or phone) about our services such as service announcements and administrative messages (for example, setting out changes to our terms and conditions and keeping you informed about our fees and charges);
(d) to allow you to attend our events;
(e) for health and safety and quality assurance; and
(f) to carry out statistical analysis and market research.
2.4 For internal corporate reporting, business administration, ensuring adequate insurance coverage for our business, ensuring the security of company facilities, research and development, and to identify and implement business efficiencies.
2.5 To comply with any procedures, laws and regulations which apply to us – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others to comply, as well as where we are legally required to do so.
2.6 To establish, exercise or defend our legal rights – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others, as well as where we are legally required to do so.
2.7 If you contact us on social media, to monitor your interactions with us and our brand online, where it is in our legitimate interests to do so for market research and for planning future marketing campaigns.
2.8 If you are a journalist, where it is in our legitimate interests to contact you to invite you to write a news article about our services; to invite you to events, send you promotional material and for press releases.
3. Legal basis for use of your personal information
(b) our use of your personal information is necessary for complying with our legal obligations (for example, providing information to HMRC); or
(c) where neither (a) nor (b) apply, use of your personal information is necessary for our legitimate interests or the legitimate interests of others (for example, to ensure the security of our website). Our legitimate interests include to:
(i) run, grow and develop our business;
(ii) operate our website;
(iii) select appropriately skilled and qualified suppliers;
(iv) ensure a safe working environment for our staff and visitors;
(v) marketing, market research and business development;
(vi) provide services to our customers, make and receive payment, provide customer services and to know the customer that we are providing services to;
(vii) place, track and ensure fulfilment of orders with our suppliers; and
(viii) for internal group administrative purposes.
3.2 We may use your special categories of data where you have provided your consent (which you may withdraw at any time after giving it, as described below).
3.4 If we rely on your consent for us to use your personal information in a particular way, but you later change your mind, you may withdraw your consent by contacting us at email@example.com and we will stop doing so. However, if you withdraw your consent, this may affect your ability to provide services to us (for example, if those services require health assessments that involve use of your special categories of data) or our ability to provide services to you.
(a) offer you a more tailored experience in the future, by understanding and remembering your particular browsing preferences;
(b) manage our website by enabling us to develop the content and functionality of the website to better meet the needs of users;
(c) track information on our systems and identify categories of users by items such as address, browser type and pages visited; and
(d) analyse the number of visitors to different areas of the website and to ensure that the website is serving as a useful, effective information source.
5. Sharing your personal information
5.1 We may share your personal information with any company that is a member of our group, where it is in our legitimate interests to do so for internal administrative purposes (for example, ensuring consistent and coherent delivery of services to our customers, management information, corporate strategy, compliance, auditing and monitoring, research and development and quality assurance). We may also share your personal information with our group companies where they provide products and services to us.
5.2 We will share your personal information with the following categories of third parties:
(a) our service providers and sub-contractors, including but not limited to our online benefits software provider, payment processors, suppliers of technical and support services, insurers, logistic providers, and IT service providers;
(b) companies that assist us in our marketing, advertising and promotional activities; and
(c) analytics and search engine providers that assist us in the improvement and optimisation of our website.
5.3 We will also disclose your personal information to third parties:
(a) where it is in our legitimate interests to do so to run, grow and develop our business:
(i) if we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets;
(ii) if substantially all of Broadstone or any of its affiliates’ assets are acquired by a third party, in which case personal information held by Broadstone will be one of the transferred assets;
(b) if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
(c) in order to enforce or apply our terms and conditions or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or
(d) to protect the rights, property, or safety of Broadstone, our staff, our customers or other persons. This may include exchanging personal information with other organisations for the purposes of fraud protection and credit risk reduction.
5.4 Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, where necessary, obtaining your consent. If you have given your consent for us to use your personal information in a particular way, but later change your mind, you should contact us and we will stop doing so.
6. Retention of personal information
6.1 We keep your personal information for no longer than necessary for the purposes for which the personal information is processed. The length of time we retain personal information for depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise or defend our legal rights, for example:
(a) In general, customer personal information will be deleted when the customer relationship ends (however, personal information may be retained if such information needs to be transferred to an alternative service provider or if required to defend any legal claims);
(b) FCA regulated activity advice will be retained in line with regulatory requirements.
6.2 Further information on the length of time during which we retain your personal information can be found in our Records Management Policy/Records Retention Rules. A copy is available upon request.
7. Security of your information
7.1 Broadstone is committed to protecting personal information from loss, misuse, disclosure, alteration, unauthorised access, unavailability and destruction and takes all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate organisational and technical measures. Organisational measures include physical access controls to our premises, restricting access on a need-to-know basis, staff training, adequate business continuity and disaster recovery procedures and locking physical files in filing cabinets. Technical measures include use of encryption, using secure web portals to send special categories of personal information, passwords for access to our systems and use of anti-virus software. Additionally, Broadstone has secured Cyber Essentials certification and Broadstone’s datacentre is ISO 27001 accredited.
7.2 In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information over the internet is not completely secure. As such, you acknowledge and accept that we cannot guarantee the security of your personal information transmitted to our website and that any such transmission is at your own risk.
7.3 Where we have given you (or where you have chosen) a password which enables you to access an online account, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
8. Transfers of personal information
8.1 The personal information may be used, stored and/or accessed by third party data processors. This may be for the purposes listed in section 2 above, the provision of our services to you, your employer or scheme trustee/administrator, the receipt of services from you or your employer, the processing of transactions and/or the provision of support services.
(a) in the case of US based entities, entering into European Commission approved standard contractual arrangements with them, or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome); or
(b) in the case of entities based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements with them.
8.3 Further details on the steps we take to protect your personal information in these cases are available from us on request by contacting Liz Kane, Head of Compliance (020 3689 6900 or firstname.lastname@example.org) at any time.
9. Third party websites
10.1 We may collect and use your personal information for undertaking marketing by email or phone.
10.2 We may send you certain marketing communications (including electronic marketing communications to existing customers) if it is in our legitimate interests to do so for marketing and business development purposes.
10.3 However, we will always obtain your consent to direct marketing communications where we are required to do so by law and if we intend to disclose your personal information to any third party for such marketing.
10.4 If you wish to stop receiving marketing communications, you can contact us by email at email@example.com at any time, by calling 020 3869 6900 during business hours or by clicking on the unsubscribe link which will be located in all our marketing communications.
11. Your rights
11.1 You have certain rights in relation to your personal information. If you would like further information in relation to these or would like to exercise any of them, please contact Liz Kane, Head of Compliance (020 3689 6900 or firstname.lastname@example.org) at any time. You have the right to request that we:
(a) provide access to any personal information we hold about you;
(b) update any of your personal information which is out of date or incorrect;
(c) delete any personal information which we are holding about you;
(d) restrict the way that we process your personal information;
(e) prevent the processing of your personal information for direct-marketing purposes;
(f) provide your personal information to a third party provider of services;
(g) provide you with a copy of any personal information which we hold about you; or
(h) consider any valid objections which you have to our use of your personal information.
11.2 We will consider all such requests and provide our response within a reasonable period (and in any event any time period required by applicable law). Please note, however, that certain personal information may be exempt from such requests in certain circumstances.
11.3 If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.
12. Comments and questions
12.1 If you have any queries or complaints about our collection, use or storage of your personal information, or if you wish to exercise any of your rights in relation to your personal information, please contact Liz Kane, Head of Compliance (020 3689 6804 or email@example.com). We will investigate and attempt to resolve any such complaint or dispute regarding the use or disclosure of your personal information.
12.2 You may also make a complaint to the data protection authority in the European Union country where we are based or where we process personal information that relates to offering services to you in the European Union. In the UK, the relevant supervisory authority is the Information Commissioner’s Office (‘ICO’). Information on how to lodge a complaint can be found on the ICO’s website https://ico.org.uk/concerns/. Alternatively you may seek a remedy through local courts if you believe your rights have been breached.