As part of our operations, we need to obtain and process information. This information includes any offline or online from which a person can be identified. We try to ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
WHO WE ARE
Luton BID is the trading name of Luton BID Ltd which is a Private Limited Company registered in England and Wales.
Company Reg No: 09317619
A BID is a Business Improvement District
In this policy, references to ‘we’, ‘us’, ‘our’ and ‘The Company’ and ‘BID’ are to Luton Town Centre BID
References to ‘our website’ or ‘the website’ are to www.Lutonbid.co.uk
References to Company Staff or Employees are to those individuals directly employed by the BID
HOW TO CONTACT US
If you have any requests concerning your personal information or any queries with regard to these practices please contact
The BID Board
Email : info@Lutonbid.org
BID Telephone Number : 01582 510657
BID Registered Office Address and Trading Address
Luton BID Ltd, 3rd Floor, Tokko Youth Centre, 7 Gordon Street, Luton, Beds LU1 2QP
Please note that all personal data will be used and held in accordance with the requirements of Data Protection Legislation
You have the right to make a complaint about how your personal data is handled at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
INFORMING US OF CHANGES
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us
WHAT WE DO
We are Data Controllers of our own data which includes the data of:
Employees who work directly for our company
Self-employed people who act as business surveyors
Suppliers who supply our business directly
BID Levy Payers and their businesses located in our BID area
Third parties who have a direct interest in BID Operations
BID Host Activities including the use of Body Worn Cameras
Others who make enquiries via our website or other means of communication
We contract an Executive Director, who acts as our Data Processor in accordance with our instructions, to deliver our BID projects and our activities on our behalf.
We contract a Managing Agent, who acts as our Data Processor in accordance with our instructions, to deliver our BID projects and our activities on our behalf.
WHO IS COVERED UNDER THIS POLICY?
Employees of our company and its subsidiaries must follow this policy.
We request that any contractors, suppliers, partners and any other external entity that we work with are compliant with Data Protection Legislation and follow the principles in this policy where appropriate
HOW WE ADVISE OUR COMPANY STAFF ABOUT THE INFORMATION WE COLLECT
EMPLOYEES ARE REFERRED TO THE BID PRIVACY STANDARD (INTERNAL) POLICY WITH REGARD TO THE DATA THAT THEY HANDLE, TO THE BID EMPLOYEES DATA POLICY WITH REGARD TO THE DATA WE HOLD ON EMPLOYEES AND TO THE BID STAFF HANDBOOK.
THE TYPES OF DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender, details of your employer and place of work.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Membership Data includes dates that you became a director or a member either of our own company., and information necessary for you to be registered on Company’s House as a director.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
o (Your IP Address is a string of numbers unique to your computer that is recorded by our web server when you request any page or component on the Website. This information is used to monitor your usage of the Website)
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
The BID may be in receipt of Special Categories of Personal Data (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, criminal convictions or offences).
This would be provided via an Information Sharing Agreement with Partner Agents or from details of Criminal Behaviour Orders provided by the Police which are in the public domain or from the Local Authority with regard to court action they have undertaken on levy payment recovery.
This data is kept securely and only used with reference to reporting back to these groups or agencies in accordance with the relevant Information Sharing Agreement.
IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
HOW IS YOUR PERSONAL DATA COLLECTED
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your details by filling in forms online or offline or by corresponding with us by post, telephone, email or otherwise.
This includes personal data you provide when you use our website or contact us directly to
- make an enquiry on our website
- apply for our products or services;
- create an account on our website;
- subscribe to our service or publications;
- request marketing to be sent to you;
- enter a competition, promotion or survey; or
- give us some feedback.
Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below
Technical Data from the following parties:
- analytics providers such as Google based outside the EU;
- advertising networks and
- search information providers
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
- Identity and Contact Data from data brokers or aggregators
- Identity and Contact Data from publicly availably sources such as Companies House and the Electoral Register .
For suppliers we collect information when we trade with them and this may arise very early in the process eg: at tender or quote stage.
We may collect or receive the following additional information relating to the BID area:
- NNDR Non Domestic Business Lists for specific areas from Local Authorities
- Business contact details collected via BID Teams
- BID Levy payers who sign up to be members of the BID company
- Information via BID websites or social media from members of the public
- Images of businesses, employees or members of the public
- It should be noted that data collection is often by word of mouth. This is then confirmed back to the person to get their confirmation that they are happy for us to keep this data and use it to communicate with them
Once this information is available to us, the following rules apply.
Our data will be:
- Accurate and kept up-to-date
- Collected fairly and for lawful purposes only
- Processed by the company within its legal and moral boundaries
- Protected against any unauthorized or illegal access by internal or external parties
Our data will not be:
- Communicated informally
- Stored for more than a specified amount of time
- Transferred to organizations, states or countries that do not have adequate data protection policies
- Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities)
In addition to ways of handling the data the company has direct obligations towards people to whom
the data belongs. Specifically we must:
- Let people know which of their data is collected
- Inform people about how we’ll process their data
- Inform people about who has access to their information
- Have provisions in cases of lost, corrupted or compromised data
- Allow people to request that we modify, erase, reduce or correct data contained in our databases
To exercise data protection we are committed to:
- Restrict and monitor access to special categories of personal data
- Develop transparent data collection procedures
- Train employees in online privacy and security measures
- Build secure networks to protect online data from cyberattacks
- Establish clear procedures for reporting privacy breaches or data misuse
- Include contract clauses or communicate statements on how we handle data
- Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
We do not subject any personal data we hold to automated decision making including profiling
We do not deliberately collect or otherwise handle any data which relates to children.
HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Where we are acting in the public interest
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.
See our policy BID Lawful basis for processing data for more details on the basis that we will rely on to process your personal data.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out / unsubscribe links on any marketing message sent to you or by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
WHAT WE DO WITH THE INFORMATION WE COLLECT
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
- To communicate with the BID Levy payers, the BID Businesses and directors , to keep them updated on BID projects and activities and to process their activities and transactions
- To communicate with our suppliers and to process their activities and transactions
- To communicate with the public and other interested parties in relation to the BID and to process their activities and transactions
- To process your order, to provide after sales service (we may pass your details to another organisation to supply/deliver products or services you have purchased and/or to provide after-sales service).
- In certain cases we may use your email address to send you information on our services related to your enquiries to us or previous services we have provided you with.
- From time to time, we may also use your information to contact you for business survey and research purposes in relation to the BID you are located in. We may contact you by email or post.
CONTROLLING YOUR PERSONAL INFORMATION
You may choose to restrict the collection or use of your personal information in the following ways:
- You may check the ‘Optin box’ on any online or offline form to indicate your preference for receiving information by email and post opt in
- Whenever you are asked to fill in a form on the website or in person, look for the box that you can check to indicate that you do not want the information to be used by anybody for direct marketing purposes.
- If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at the email address at the top of this policy or selecting the unsubscribe option on our emails.
- If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
- Please also see the section under Disclosures/Sharing your information with regard to how to restrict access to your data in the case of Third Party Links
WILL YOU BE SENT INFORMATION THAT YOU DID NOT ASK FOR?
We will use your personal information to keep you informed about the BID services and information about relevant projects and loyalty card promotions. This may be through a weekly or monthly email based newsletter or occasional postal newsletters.
Where appropriate you may be sent email communications relevant to content on the website or to keep you informed of relevant changes to the service, this may also include planned outages and operational changes to the website.
In each case, if you wish not to receive such communications, unsubscribe to the enewsletter (normally displayed at the end of the email) or unsubscribe from the settings in the webpage. If you have any queries regarding this issue, please contact us .
DISCLOSURES /SHARING YOUR INFORMATION
We may have to share your personal data with the parties set out below for the purposes set out above
We may need to pass the information we collect to other companies who act on the BID’s behalf, as our Managing Agents or our Executive Director, for BID project development or delivery, for administrative purposes.
We work with two Consultants
Our Executive Director is
Rob Purdie, Alchemetrix c/o Tidy Numbers, 19 Ferro Fields, Scaldwell Road, Brixworth, Lutonshire, NN6 9UA
Our Project Managers are
Partnerships for Better Business Ltd (pfbb UK).
Iron Gate House, 10 Iron Gate, Cathedral Quarter, Derby DE1 3FJ
- During BID Development work, NNDR data may be shared as part of our contract with our Managing Agents or Executive Director or theirs with the Council
- During BID Delivery or Project Support services for a BID, NNDR data and action with regard to recovery of levy payment will be shared between the BID and our Managing Agent or Executive Director for the BID in accordance with the Operating Agreement with the BIDs local authority.
- During BID Delivery or Project Support services for a BID, any data collected by either party relating specifically to business in the BID area is shared between the two parties, under a data sharing agreement, to enable them to fulfil their obligations under the contractual arrangements with us.
- We may also either directly supply or request our Managing Agents or Executive Director to supply your personal information to related NNDR team ,government bodies and law enforcement agencies but only: if we are required to do so by the BID Operating agreements, BID Regulations or requirements of any applicable law; if in our good faith judgement, such action is reasonably necessary to comply with legal process; to respond to any legal claims or actions; or to protect the rights of the BID, its customers and the public
- We may supply your personal information to third parties, such as our internet service providers (who help us administer our website) or the BID Public Relations Company or Mailing House. These third parties must at all times provide the same levels of security for your personal information as us and, where required, are bound by a legal agreement to keep your personal information private, secure and to process it only on our specific instructions.
- We may share your data with our magazines and apps if you participate in the voucher schemes.
- We may share your personal information to our hosting administrators who are based in the EU.
We will not share your data with other third parties unless we are obliged to disclose personal data by law, or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation, for our legitimate business interests, is in the public interest or we have your consent
External Third Parties
- We may use third parties to carry out certain activities, such as processing and sorting data, and issuing our e-mails for us.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- We may use third parties to carry out certain activities such as monitoring how customers use the website. These third parties are listed below
- Google Analytics:
The component of Google Analytics (with the anonymizer function) has been integrated on our website. Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data about the behaviour of visitors to websites. A web analysis service collects, inter alia, data about the website from which a person has come which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and in order to carry out a cost-benefit analysis of Internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
- Linked In.
Components of the LinkedIn Corporation have been integrated on this website. LinkedIn is a web-based social network that enables users with existing business contacts to connect and to make new business contacts
LinkedIn receives information via the LinkedIn component that the data subject has visited our website, provided that the data subject is logged in at LinkedIn at the time of the call-up to our website. This occurs regardless of whether the person clicks on the LinkedIn button or not. If such a transmission of information to LinkedIn is not desirable for the data subject, then he or she may prevent this by logging off from their LinkedIn account before a call-up to our website is made.
Components of Twitter have been integrated on our website. Twitter is a multilingual, publicly-accessible microblogging service on which users may publish and spread ‘tweets’
The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, UNITED STATES.
Twitter receives information via the Twitter component that the data subject has visited our website, provided that the data subject is logged in on Twitter at the time of the call-up to our website. This occurs regardless of whether the person clicks on the Twitter component or not. If such a transmission of information to Twitter is not desirable for the data subject, then he or she may prevent this by logging off from their Twitter account before a call-up to our website is made.
Components of, YouTube have been integrated on this website. YouTube is an Internet video portal that enables video publishers to set video clips and other users free of charge, which also provides free viewing, review and commenting on them.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, UNITED STATES. The YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, UNITED STATES.
YouTube and Google will receive information through the YouTube component that the data subject has visited our website, if the data subject at the time of the call to our website is logged in on YouTube; this occurs regardless of whether the person clicks on a YouTube video or not. If such a transmission of this information to YouTube and Google is not desirable for the data subject, the delivery may be prevented if the data subject logs off from their own YouTube account before a call-up to our website is made.
- Facebook , Whats App and Instagram
Components of the enterprise Facebook have been integrated onto our website. Facebook is a social network. Whats App and Instagram are owned by Facebook.
The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is the Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Facebook always receives, through the Facebook component, information about a visit to our website by the data subject, whenever the data subject is logged in at the same time on Facebook during the time of the call-up to our website. This occurs regardless of whether the data subject clicks on the Facebook component or not. If such a transmission of information to Facebook is not desirable for the data subject, then he or she may prevent this by logging off from their Facebook account before a call-up to our website is made.
We do not transfer your personal data outside the European Economic Area (EEA).
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will comply with this in line with our internal Data Breach Policy
PERIOD OF TIME THAT DATA WILL BE KEPT /DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
- Data relating to clients and suppliers will be maintained for such periods as are laid down by the professional bodies responsible for the conduct of the Company and/or statutory and regulatory requirements.
- Data relating to BID Levy payers will be maintained for 7 years after BID Delivery is completed.
- Data relating to project delivery will be retained for 7 years after the end of the BID Development or 7 years after BID Delivery is completed.
Where data has been collected from individuals who have undertaken the following activities for a BID, the retention period for this data will be for 7 years after BID Delivery is completed.
- Create an account on our website;
- Subscribe to our service or publications;
- Request marketing to be sent to you;
- Enter a competition, promotion or survey;
- Give us some feedback
- Data relating to BID Levy payers
In the event of a BID not being renewed, other data will be kept by a nominated authority for a period of 7 years.
YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data. To exercise these rights, please contact us.
You have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. Please note that we do not handle data that is applicable for data portability.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
SUBJECT ACCESS REQUESTS
You may request details of personal information which we hold about you under the Data Protection Legislation. Subject Access Requests will be dealt with in line with Data Protection Legislation
If you would like a copy of the information held on you, or to exercise any of the rights set out above, please contact us to request a BID Subject Access Request Form
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you respond to our request within 7 days, we can comply with the 30 day response time. If you take longer than 7 days we will require additional days to respond (this will relate to the number of additional days over 7 days that you have taken to respond)
When we may not comply with a Subject Access Request
If we feel that your request is vexatious, or complying with it would involve disproportionate effort on our part, breach the confidence of someone else or breach the law then we will not comply with it and we may not inform you of the reason for non-compliance (depending on what that reason is)
Given that the Internet is a global environment, using it to collect and process personal data necessarily involves the transmission of data on an international basis. This means for instance that data you pass to us may be processed outside the European Economic Area, although the data will always be held securely and in line with the requirements of UK data protection legislation. By communicating electronically with us, you acknowledge and agree to our processing of personal data in this way.
REFERENCES TO BID POLICIES
The following BID Policies are available upon request in writing to us (See Section How to Contact us)
BID Lawful basis for processing data
BID Host Specific Activity (Including Body Worn Video Equipment) Policy And Procedure
BID Subject Access Request Form Template
We will keep our policy under review.
This policy was last updated on 26th February 2019
Historic versions can be obtained by contacting us.