Full privacy policy

When processing your information, we must comply with the six enforceable principles of good practice. These provide that your personal information must be:

• processed lawfully, fairly and in a transparent manner,
• processed for specified, explicit and legitimate purposes,
• adequate, relevant and limited to what is necessary,
• accurate and kept up-to-date,
• kept for no longer than is necessary, and
• processed in a manner that ensures appropriate security.

We may collect, use, store and transfer different kinds of personal information about you, including:

• Identity Data, such as your name, marital status, title, date of birth, gender;
• Contact Data, such as your home address, email address and telephone numbers;
• Financial Data, such as bank account details;
• Document Data, such as your vehicle registration document, and copies of your driving licence, passport, utility bill and other documents that verify your identity;
• Transaction Data, including details about payments to and from you, and other details of products and services you purchase from us;
• Company Data, including the name of the organisation you represent, and that organisation’s Contact Data, Financial Data and Transaction Data;
• Technical Data, including IP addresses, MAC addresses or other device name/identifier, your log-in data (including usernames and identification number), browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and network information relating to security logs or alerts (such as malicious files, network fragment, process details, domain name and network connections),
• Profile Data, such as your username, password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
• Usage Data, including information about how you use our website, products and services; and
• Marketing Data, such as your preferences in receiving marketing from us and our third parties, and your communication preferences.

Information relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, criminal convictions, sex life or sexual orientation, or certain types of genetic or biometric data is known as ‘special category’ data.

During the course of dealing with you, we do not expect to collect any ‘special category’ data about you.

.

We may obtain personal information by directly interacting with you, such as:

• creating an account on, or otherwise using, our website;
• entering into an agreement with us for products or services;
• subscribing to our services or publications, or otherwise requesting marketing material to be sent to you; or
• corresponding with us by phone, email, letters or otherwise.

We may obtain personal information via automated technology when you interact with our website by using cookies, server logs and other similar technologies.

We may also collect personal information about you from third parties or publicly-available sources, such as:

• public bodies and regulatory authorities;
• analytics providers (such as Google);
• advertising networks;
• search information providers; and
• providers of technical, payment and delivery services.

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

• you have given us consent;
• we need to perform a contract we are about to enter into, or have entered into, with you;
• where it is necessary for our or a third party’s legitimate interests, and your interests and rights do not override those interests; or
• where we need to comply with a legal or regulatory obligation.

Particular purposes for which we will use your personal information, and the legal basis for that use, are as follows:

We will only use your personal information for the purpose(s) for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Without your personal information, we cannot register you or your organisation (as the case may be) as a new customer.  That means that we will be unable to provide you or your organisation with any products or services.

We may share your personal information with the parties set out below:

• public bodies and regulatory authorities;
• other companies within our group;
• other personnel within your organisation, or any other organisation that is party to or otherwise has a legitimate interest in the agreement between us and your organisation;
• providers of IT and system administration services to our business;
• our professional advisers;
• analytics and search engine providers that assist us in the improvement and optimisation of our website; and
• third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this policy.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law.

To assist in the protection of your data, we work with carefully selected third party service providers who supply cybersecurity products and services to monitor the endpoints of all public interfaces with our systems and networks in order to proactively detect, investigate and respond to potential threats. As part of this activity, Technical Data is:

• collected, stored, used, transferred and processed by our chosen cybersecurity partners to help keep our assets, systems and networks safe; and
• used by our chosen cybersecurity partners to develop, enhance and improve their security products and services to benefit us and their wider customer bases. The transfer (and retention) of data relating to the latest security threats is fundamental to ensure the cybersecurity protections offered by our partners remain up to date and effective at keeping personal information secure. Where a cybersecurity partner uses personal information in this way, it is a controller of such data.  

Please see:

• the section above headed “Information You Give Us” for an explanation of what constitutes Technical Data; and
• the section below headed “Your Rights” for details on how to obtain more information on the processing of personal information for reasons of cybersecurity.

While we operate within the UK and EU, your personal information may be transferred to (or stored by) carefully selected third party service providers that we work with, located in countries outside of the UK or EU. Where this is the case, we ensure that appropriate safeguards are in place for that transfer and storage as required by applicable data protection law.

Please see the section below headed “Your Rights” for details on how to obtain more information on how we keep your personal information secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

The length of time that we will store your data will depend on the ‘legal basis’ for why we are using that data, as follows:

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

Where our cybersecurity partners use Technical Data to develop, enhance or improve their security products and services to benefit us and their wider customer bases, separate retention periods will apply (determined by the relevant cybersecurity partner itself as controller). You can obtain more information on this by contacting us below.

You have various legal rights in relation to the information you give us, or which we collect about you, as follows:

• You have a right to access the information we hold about you, together with various information about why and how we are using your information, to whom we may have disclosed that information, from where we originally obtained the information and for how long we will use your information.
• You have the right to ask us to rectify any information we hold about you that is inaccurate or incomplete.
• You have the right to ask us to erase the information we hold about you (the ‘right to be forgotten’). Please note that this right can only be exercised in certain circumstances and, if you ask us to erase your information and we are unable to do so, we will explain why not.
• You have the right to ask us to stop using your information where: (i) the information we hold about you is inaccurate; (ii) we are unlawfully using your information; (iii) we no longer need to use the information; or (iv) we do not have a legitimate reason to use the information. Please note that we may continue to store your information, or use your information for the purpose of legal proceedings or for protecting the rights of any other person.
• You have the right to ask us to transmit the information we hold about you to another person or company in a structured, commonly-used and machine-readable format. Please note that this right can only be exercised in certain circumstances and, if you ask us to transmit your information and we are unable to do so, we will explain why not.
• Where we use/store your information because it is necessary for our legitimate business interests, you have the right to object to us using/storing your information. We will stop using/storing your information unless we can demonstrate why we believe we have a legitimate business interest which overrides your interests, rights and freedoms.
• Where we use/store your data because you have given us your specific, informed and unambiguous consent, you have the right to withdraw your consent at any time.
• You have the right to object to us using/storing your information for direct marketing purposes.

If you wish to exercise any of your legal rights, please contact our DPO’s office by writing to the address at the top of this policy (see section headed “Introduction”), or by emailing us at DPO-Office@bca.com. 

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You can also contact us if you would like more information about:

• the storage of your data;
• the safeguards that are in place to protect your data; or
• our cybersecurity partner and its use of your data.

To do so, please contact our DPO office using the details in the section of this notice headed “Introduction”.

Hvad er en cookie?

En cookie er en lille tekstfil, der gemmer internetindstillinger. Cookien downloades af din internetbrowser første gang, du besøger et websted.

Nogle cookies er ekstremt nyttige, fordi de kan forbedre din brugeroplevelse, når du vender tilbage til et websted, du allerede har besøgt. Dette forudsætter, at du bruger den samme enhed og den samme browser som før; hvis det er tilfældet, vil cookies huske dine præferencer, vide hvordan du bruger webstedet, og tilpasse det indhold, du får vist, så det er mere relevant for dine personlige interesser og behov.

Typer af cookies Der er fire kategorier af cookies: strengt nødvendige cookies, præstationscookies, funktionscookies og marketingcookies.

• Strengt nødvendige cookies er essentielle for at muliggøre, at du kan bevæge dig rundt på webstedet og bruge dets funktioner. Uden disse cookies kan nogle tjenester ikke leveres – for eksempel at huske tidligere handlinger, når du navigerer tilbage til en side i samme session.
• Præstationscookies indsamler oplysninger om, hvordan et websted bruges – for eksempel, hvilke sider en besøgende ofte besøger. Disse cookies gemmer ikke personlige oplysninger eller oplysninger, der gør det muligt at identificere brugeren. Disse cookies bruges udelukkende til at forbedre webstedets ydeevne og dermed brugeroplevelsen.
• Funktionscookies gør det muligt for et websted at gemme information, der allerede er indtastet (såsom brugernavne, sprogvalg og din placering), så det kan tilbyde dig forbedrede og mere personlige funktioner. Disse cookies indsamler anonyme oplysninger og kan ikke spore dine bevægelser på andre websteder.
• Marketingcookies bruges til at levere annoncer og andre kommunikationer, der er mere relevante for dig og dine interesser. De bruges også til at begrænse antallet af gange, du ser en annonce, og til at hjælpe med at måle effektiviteten af reklamekampagner.

Håndtering af cookie-indstillinger på dette websted Selvom du når som helst kan deaktivere nogle cookies helt i din browser, er det vigtigt at bemærke, at hvis du ændrer dine indstillinger og blokerer visse cookies, vil du ikke være i stand til at få fuldt udbytte af nogle funktioner på vores side.

Cookies, der er essentielle, også kendt som 'strengt nødvendige' cookies, muliggør funktioner, uden hvilke du ikke ville kunne bruge webstedet som tiltænkt. Disse cookies gemmes kun på din computer, mens du faktisk browser webstedet, og i løbet af sessionen. Strengt nødvendige cookies kan ikke deaktiveres.

You can ask us to stop sending you communications at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you.

We do not use automated decision-making processes.

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at DPO-Office@bca.com.

You can also complain to the ICO if you are unhappy with how we have used your data.

• ICO address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• ICO Helpline no: 0303 123 1113
• ICO website: https://www.ico.org.uk

Any changes we make to our policy in the future will be posted on our website.