Last Update 11 March 2020 Effective Date 11 March 2020 Update Performed By Andrew Roberts, Director
We are committed to safeguarding the privacy of our website visitors and application users; in this policy we explain how we will treat personal data. By agreeing to this policy, you consent to your responsibilities outlined in this document.
1.0 Purpose & Scope
This policy sets out how BGL seeks to protect personal data and ensure that our staff understand the rules governing their use of the personal data to which they have access during their work. This policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed. For the purposes of this policy the use of the term ‘website and platform’ refers to both https://www.weekly10.com (marketing website) and https://pro.weekly10.net/ (the application). This policy may reference other official policies denoted by BGL-PL-XXX. These policies are available on request; however certain policies may be subject to a signed Non-Disclosure Agreement (NDA).
As our data protection officer (DPO), Andrew Roberts has overall responsibility for the day-to-day implementation of this policy. You should contact the DPO for further information about this policy if necessary.
a natural person whose personal data is processed by a controller or processor
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
Data which identifies to a user of the platform/website. This data is used for the administration of an account such as name, email address and contact details.
Data uploaded to or entered into the website or platform which is not user data. This includes employee goals, questions and feedback.
Technical & Organisational Measures (TOMs)
Technical measures which we have taken and organisational processes which we have implemented to ensure compliance to this policy.
Special categories of personal data (or
Special categories of data include information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union
Sensitive Personal Data)
membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, and genetic and biometric information.
‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Privacy by Design
An approach to our website and platform that promotes privacy and data protection compliance from the start. This is implemented through a variety of TOMs as highlighted within this policy.
This is the national body responsible for data protection. The supervisory authority for our organisation is the Information Commissioners Office (ICO).
Amazon Web Services (AWS)
We use AWS to provide our website and Software as a Service (SaaS) platform. Thus, AWS acts as a Data Processor as set out in this policy and the accompanying signed Data Processing Addendum (DPA)
3.0 Data Protection Roles & Responsibilities
BGL minimises the control and processing of personal data to the lowest necessary level. We only act as Data Controller for data required for the administration of customer accounts. For all remaining data stored and processed on our website and platform we and our cloud hosting partner (AWS) act as a Data Processor. 3.1 BGL and you are a joint Data Controller for the following personal data:
(a) A users’ full name (b) Email address (c) Mobile phone number (d) Business address (e) Profile images
3.2 You, as a customer are a Data Controller for the following personal data:
(a) Any data ‘content’ inputted into the website or platform that contains personal data other than that referenced in 3.1, which includes but is not limited to employee goals, questions, feedback and uploaded attachments
(b) Any data which is derived or generated from the analysis or reporting of personal data originating from either 3.2(a) or 3.1
3.3 BGL is a Data Processor for
(a) All data on the platform including data referenced in 3.1 and 3.2
3.4 AWS acts as a Data Processor as an authorized 3rd party to BGL for
(a) All data on the platform including data referenced in 3.1 and 3.2
4.0 Processing Anonymous Information
4.1 We use Google Analytics (GA) to monitor and optimize the performance of our website and platform. We have a signed DPA in place with Google to in relation to data processing. We send no Personal Data to GA. Using GA, BGL may collect, store and use the following kinds of anonymous information:
(a) Information about your computer and about your visits to and use of this website (including your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths);
(b) Information contained in or relating to any communication that you send to us or send through our website or email (including the communication content and metadata associated with the communication);
5.1 We obtain a Data Subject’s consent when a user either signs up to our website and platform or when we make modifications to this policy via our platform. We store a record of this consent for the control and processing of data set out in 3.1
5.2 You, as Data Controller, must obtain and record a Data Subject’s consent before recording their Personal Data as content within our website or platform.
6.0 Using Personal Information
6.1 BGL may use personal information outlined in 3.1 to: (a) administer the service we provide via our website and platform (b) personalise our website and platform for you; (c) enable your use of the services available on our website; (e) supply to you services purchased through our website or as part of a contract (f) send statements, invoices and payment reminders to you, and collect payments from you; (g) send you non-marketing commercial communications; (h) send you email notifications that you have specifically requested; (i) send you our email newsletter, if you have requested it (you can inform us at any time if you no longer require the newsletter); (j) send you marketing communications relating to our business which we think may be of interest to you, by post or, where you have specifically agreed to this, by email or similar technology (you can inform us at any time if you no longer require marketing communications); (k) provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information); (l) deal with enquiries and complaints made by or about you relating to our platform or website; (m) keep our website secure and prevent fraud; and (n) verify compliance with the terms and conditions governing the use of our website.
7.0 Disclosing Personal Information
7.1 BGL may disclose personal information from clause 3.1 where required to any of our employees or subcontractors insofar as reasonably necessary for the purposes set out in this policy.
7.2 BGL will not, without your express consent, supply personal information to any third party for the any purpose other than outlined in 7.1
7.3 BGL may disclose your personal information: (a) in connection with any ongoing or prospective legal proceedings where requested by a relevant authority; (b) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
(c) to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.
7.4 Except as provided in this policy, we will not provide your personal information to third parties.
7.5 We will not disclose or control any content from clause 3.2 which you enter or upload to our website or platform to 3rd parties except as necessary to comply with law or a court order.
8.0 Data Transfers
8.1 Information that we collect may be stored, processed and transferred only within the United Kingdom (as of January 2018).
9.0 Retaining Personal Information
This Section 9 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal information.
9.1 Personal information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
9.2 Without prejudice to 9.1, we will delete personal data falling within the categories set out below at the date/time set out below: (a) User data (i.e. email, profile information) outlined in 3.1 will be deleted 60 days after an account has been closed. (b) All content (i.e. Goals and questions) outlined in 3.2 which may contain personal data will be deleted 60 days after an account has been closed. We will retain report data for a maximum of 5 years for an active account. (c) All attachment data outlined in 3.2 which may contain personal data will be deleted 60 days after an account has been closed. We will retain attachment data for a maximum of 5 years for an active account.
9.3 Notwithstanding the other provisions of this Section 9, we will retain documents (including electronic documents) containing personal data: (a) to the extent that we are required to do so by law; (b) if we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and (c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).
10.0 Security of Personal Information
10.1 We will take reasonable technical and organisational measures (TOMs) to prevent the loss, misuse or alteration of your personal information.
10.2 We will store all the personal information you provide on secure (multi-factor authenticated and firewall-protected) servers. Personal data is encrypted at rest on our database using AES256 encryption and when sent over internal and external networks (via HTTPS). As detailed in our ‘Server Security Policy’ BGL-PL-103.
10.3 All electronic financial transactions performed through our website and application are handled by a third-party payment provider. We do not store any payment details on our servers.
10.4 You are responsible for keeping the password you use for accessing our website confidential; we will not ask you for your password (except when you log in to our website or platform)
10.5 As joint Data Controller for user data our employees or sub-contractors may have access to this information only for the purposes of providing support or in the operation of the platform
10.6 As a Data Processor for your content our employees or sub-contractors do not have unencrypted access to your content
10.7 Both personal data and content is backed up regularly (no less than daily) as detailed in our Backup Policy BGL-PL-105 and tested in-line with our Business Continuity Plan (BCP) BGL-PL104. All back-ups are stored in an encrypted state.
11.0 Data Breach Identification & Notifications
11.1 We continuously test and validate our website and platform for vulnerabilities using a variety of means including penetration testing, ethical hacking, cross-site scripting testing and security scanning.
11.2 We continuously monitor our infrastructure, website and platform for threats and attacks using a variety of means including tools provided to us by our cloud infrastructure partner AWS.
11.3 We will notify the ICO as soon as feasibly possible but within 24 hours of a data breech. Where our 3rd party infrastructure provider (AWS) reports a data breach relating to our platform we will notify the ICO immediately upon receipt of information.
11.4 All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to: (a) Investigate the failure and take remedial steps if necessary (b) Maintain a register of compliance failures (c) Notify the ICO of any compliance failures that are material either in their own right or as part of a pattern of failures (d) Any member of staff who fails to notify of a breach, or is found to have known or suspected a breach has occurred but has not followed the correct reporting procedures will be liable to disciplinary action.
11.5 The full procedure for how we identify and handle a Data Breach is detailed in our Information Security Incident Procedure BGL-PL-107
12.0 Your Rights
12.1 BGL endeavor to make all personal information for which we are Data Controller available to our users via their personal platform account. However, a Data Subject may instruct us to provide all personal information we hold via a Subject Access Request; We will provide this service free of charge within 28 days of request under the following conditions: (a) The individual supplies appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address) (b) For unfounded or excessive, or repetitive requests we reserve the right to charge a reasonable fee to cover administration costs
12.2 BGL may withhold personal information if required to do so by law.
12.3 A Data Subject may instruct us at any time not to process or delete their personal information. In doing so they may not be able to use our services. We will do this within 28 days of request under the following conditions: (a) The individual supplies appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address)
12.4 A Data Subject will expressly agree in advance if we are to use their personal information for marketing purposes.
We have implemented a range of TOMs to ensure that we adopt a Privacy by Design approach to the development and operation of our website and platform. Several key measures are highlighted below:
13.1 Our staff and sub-contractors have no access to your ‘content’. Data is encrypted and is not available from our support or operational accounts or dashboards. We only act as a ‘Data Processor’ for this data
13.2 All data where we act as a ‘Data Controller’ is prohibited from being printed and is only viewable on secure internally viewable dashboards to relevant employees
13.3 All data is encrypted at rest using AES-256 encryption algorithms. When back-ups are made, these are stored in an encrypted state
13.4 All data in transit over a network both internally and externally (internet) is encrypted using SSL or TLS technologies
13.5 Our platform runs entirely on AWS. We have an agreed DPA in place with AWS which is ensures AWS operates under GDPR standards and regulations.
13.6 Our Server Security Policy BGL-PL-103 defines strict access limits to our production environment to only those employees or sub-contractors that have a declared reason for access
13.7 We have a well-defined Information Security Incident Procedure BGL-PL-107 which details how we handle a Data Breach on our platform as both a ‘Data Controller’ and ‘Data Processor’
13.8 Our platform is built on modern up to date and well maintained technology with inherently secure data processing. We maintain security updates using an automated update process handled by AWS.
14.0 General Staff Guidelines
14.1 The only people able to access data covered by this policy are those who need it for their work.
14.2 Data is not shared informally. When access to confidential information is required, employees can request it from their line managers.
14.3 BGL provides training to all employees to help them understand their responsibilities when handling data.
14.4 Employees keep all data secure, by taking sensible precautions and following the guidelines of our Server Security Policy BGL-PL-103
14.5 Personal data is not to be disclosed to unauthorised people, either within the company or externally.
14.6 Content is not viewable by BGL staff members or sub-contractors unless explicitly approved by the respective customer.
15.0 Third Party Websites
15.1 Our website or platform may include hyperlinks to, and details of, third party websites.
15.2 We have no control over, and are not responsible for, the privacy policies and practices of third parties.
16.0 Updating Information
16.1 If a Data Subject believes personal information we hold as a Data Controller is incorrect, they may notify us at firstname.lastname@example.org and we will update this information as soon as possible (at most within 7 days of notification).
17.2 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
17.3 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
17.4 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
17.5 We both session and persistent cookies on our website.
17.6 The names of the cookies that we use on our website, and the purposes for which they are used, are set out below: (a) We use _utma (unique visitor cookie), _utmb (session cookie) and _utmc (session cookie) to analyse your movement through our website and improve the overall user experience.
17.7 Most browsers allow you to refuse to accept cookies; for example: (a) in Internet Explorer (version 11) you can block cookies using the cookie handling override settings available by clicking “Tools”, “Internet Options”, “Privacy” and then “Advanced”; (b) in Firefox (version 47) you can block all cookies by clicking “Tools”, “Options”, “Privacy”, selecting “Use custom settings for history” from the drop-down menu, and unticking “Accept cookies from sites”; and (c) in Chrome (version 52), you can block all cookies by accessing the “Customise and control” menu, and clicking “Settings”, “Show advanced settings” and “Content settings”, and then selecting “Block sites from setting any data” under the “Cookies” heading.
17.8 Blocking all cookies will have a negative impact upon the usability of many websites.
17.9 If you block cookies, you will not be able to use all the features on our website.
17.10 You can delete cookies already stored on your computer; for example: (a) in Internet Explorer (version 11), you must manually delete cookie files (you can find instructions for doing so at http://windows.microsoft.com/en-gb/internetexplorer/delete-manage-cookies#ie=ie-11); (b) in Firefox (version 47), you can delete cookies by clicking “Tools”, “Options” and “Privacy”, then selecting “Use custom settings for history” from the drop-down menu, clicking “Show Cookies”, and then clicking “Remove All Cookies”; and (c) in Chrome (version 52), you can delete all cookies by accessing the “Customise and control” menu, and clicking “Settings”, “Show advanced settings” and “Clear browsing data”, and then selecting “Cookies and other site and plug-in data” before clicking “Clear browsing data”.
17.11 Deleting cookies will have a negative impact on the usability of many websites
18.0 Audits, monitoring and training
18.1 This policy will be reviewed every 12 months, or sooner in-line with any changes in data protection legislation or personal data collection, control and processing
18.2 This policy will be audited every 12 months during our BCP testing cycle as detailed in our Business Continuity Plan (BCP) BGL-PL-104.
18.3 BGL provides training to all employees to help them understand their responsibilities when handling data in-line with the latest legislation. Employees and sub-contractors are required to participate in ICO online training at least once every 12 months
19.1 BGL may update this policy from time to time by publishing a new version on our website.
19.2 We will notify you of changes to this policy by email and/or through our platform.
14.0 Data Protection Registration
14.1 We are registered as a data controller with the UK Information Commissioner’s Office.