1.1 BR Special Tuning may collect, keep and use personal data or information about individuals for specific and lawful purposes. Individuals could include customers and suppliers.
This privacy notice sets out how we, the company, comply with our data protection obligations and seek to protect personal information relating to you. It outlines how we gather, use and (ultimately) delete personal information and sensitive personal information in accordance with the data protection principles.
1.2 We are committed to complying with our data protection obligations. We understand that your personal data is important to you, and we have a responsibility to you to ensure that the information we collect and use is done so proportionately, correctly and safely.
1.3 We also have an obligation to be concise, clear and transparent about how we obtain and use personal information relating to you and what we do with the information when it is no longer required. Being transparent with you and providing accessible information about how we use your information builds trust and demonstrates our commitment to the General Data Protection Regulations, hereafter referred to as ‘GDPR’ (Regulation (EU) 2016/679).
2. Our Details
2.1 BR Special Tuning is registered as a ‘data controller’ with the Information Commissioner’s Office (ICO). Our registration number is 8014433.
Head Office Address
BR Special Tuning, Unit 7 Stoney Hill Industrial Estate, Whitchurch, Ross-On-Wye, HR9 6BX, UK
3. Purpose of processing
3.1 We collect, hold and use personal data received by you to enable us to provide our services to you. The amount and type of information we hold about you depends on the services we are providing for you. We will not ask you for any information which is not necessary for the particular service we are providing to you.
4.1 “Personal data” means any information relating to a person who can be identified, directly or indirectly, from that information. This could include your name, your identification number, location data, online identifier (such as IP address) or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that person.
4.2 Some of the services we provide may require us to process your ‘special categories of personal data’. These special categories of personal data are of a sensitive nature, and might include health data or financial data. The definition ‘special categories’ of personal data has been extended to now include biometrics data (such as facial images) and genetic data (such as the analysis of a biological sample).
4.3 “Processing” means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.
4.4 “Data Subject” means the data subject to whom the personal data relates.
4.5 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679).
4.6 “ICO” means the Information Commissioner’s Office, the governing body for Data Protection in the UK.
5. Conditions of Processing
5.1 When we process your personal data we will do so in accordance with the six data protection principles. These principles are designed to protect you, and ensure that we:
a). Process your information lawfully, fairly and in a transparent manner;
b). Use your information for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with that purpose;
c). Only obtain adequate, relevant and limited information to allow us to carry out the purpose for which it was obtained;
d). Ensure the information we hold about you is accurate and, where necessary, kept up to date;
e). Keep any information for no longer than necessary for the purposes for which it was collected; and
f). Process your information in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6. Lawfulness of processing
6.1 Paragraph 5.1a) above stipulates that the processing of personal data shall be undertaken ‘lawfully’. To show the processing is being undertaken lawfully one of the following conditions should apply (unless an exemption applies):
a) You have given consent to the processing of your personal data for one or more specific purposes. (For example a university retaining personal data for alumni purposes);
b) Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. (For example if you purchase goods from an online shop to be delivered then the shop will need to process your personal details to allow them to perform the contract and deliver the goods to you);
c) Processing is necessary for compliance with a legal obligation which BR Special Tuning is subject to. (For example processing staff personal data to comply with our legal obligation to disclose employee salary details to HMRC);
d) Processing is necessary to protect your vital interests or the vital interests of another natural person. (For example if a data subject is admitted to A & E following a road accident, then the disclosure to the hospital of the data subject’s medical history may be necessary in order to protect his/her vital interests);
e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company (this would include most of a Local Authority’s functions); and
f) Processing is necessary for the purposes of the legitimate interests. (For example a university using personal data for fundraising purposes).
6.2 When considering which lawful basis applies, we will:
6.2.1 except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (ie that there is no other reasonable way to achieve that purpose);
6.2.2 document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;
6.2.3 include information about both the purposes of the processing and the lawful basis for it in our privacy notice; and
6.2.4 where sensitive personal information is processed, also identify a lawful special condition for processing that information and document it.
7. Processing ‘special categories’ of personal data
7.1 All personal data is not the same, and some information is more sensitive than others. As such, special rules apply when processing these ‘special categories’ of personal data. ‘Special categories’ of personal data include:
- Racial or ethnic origin;
- Political opinions;
- Religious and philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person; and
- Sex life/sexual orientation.
7.2 Processing of these types of personal data is prohibited unless one of the conditions below applies (in addition to a condition from paragraph 6):
a). The data subject has given explicit consent to the processing;
b). It is necessary for the purposes of carrying out the obligations and exercising specific rights of the Company or of the data subject in the field of employment and social security and social protection law. (For example employee equal opportunities data);
c). Processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent. (For example a life or death situation);
d). Processing is carried out by a not-for-profit entity with a political, philosophical, and religious or trade union aim in the course of its legitimate activities;
e). Processing relates to personal data which is manifestly made public by the data subject. (The personal data is already in the public domain);
f). Processing is necessary for the establishment, exercise or defence of legal claims;
g). Processing is permitted where it is necessary for reasons of substantial public interest. (For example a natural disaster);
h). Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment. (Medical treatment);
i). Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (such as foot and mouth disease); and
j). Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
7.3 Before processing any sensitive personal information, staff must notify the data protection officer of the proposed processing.
7.4 Sensitive personal information will not be processed until:
7.4.1 the assessment of the processing referred to in paragraph 6.2 has taken place; and
7.4.2 the data subject has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
8.1 Consent for processing personal data
The Company may also provide services which will require your consent to process your personal data.
(for example – Payments via Sagepay, Worldpay and Paypal)
In circumstances as described above your consent to process your personal data must be ‘specific, informed, active and affirmative’, meaning it must be clear and freely given by you after we explain what further processing we would like to do with your personal data. You can therefore make an informed decision about whether you consent to the processing or not. You are in control and you can withdraw your consent at any stage by contacting the data protection officer at firstname.lastname@example.org. (Please note however that any processing that has taken place up to the time that you withdraw consent will be considered lawful).
8.2 Consent for processing special categories of personal data
In respect of ‘special categories’ of personal data we will require your ‘explicit consent’ to further process this type of personal data under Sub Section 7a). above. This means your consent must be very clear and specific, and again you can withdraw your consent at any stage by contacting the data protection officer at email@example.com.
Where BR Special Tuning seeks to disclose sensitive personal data such as medical details to third parties, we will do so only with your prior explicit consent. There may be occasions where we may have to disclose your personal data if it is required or permitted by law, for example in relation to crime prevention/detection. In these cases, we do not require your specific consent or explicit consent for the disclosure of your personal data.
8.3 Recording/managing consent
Once your consent is obtained we will keep a record of when you consented, the information you were provided with prior to consent and how you consented. Consent is part of your ongoing relationship with our company, and will therefore be managed appropriately and reviewed at least every two years. As previously stated, you have the right to withdraw your consent at any stage.
9. Data protection impact assessments (DPIAs)
9.1 Where processing is likely to result in a ‘high risk’ to a data subject’s rights (eg where BR Special Tuning is planning to use a new form of technology), we will, before commencing the processing, carry out a DPIA to assess:
9.1.1 whether the processing is necessary and proportionate in relation to its purpose;
9.1.2 the risks to data subjects; and
9.1.3 what measures can be put in place to address those risks and protect personal information.
10.1 Personal information (and sensitive personal information) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained. The Company will keep the personal information for a period of the time necessary to provide our services to you or as legally required in accordance with the GDPR (See clause 4.5).
11.1 The Company will use appropriate technical and organisational measures to keep personal information secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include:
11.1.1 making sure that, where possible, personal information is pseudonymised or encrypted;
11.1.2 ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
11.1.3 ensuring that, in the event of a physical or technical incident, availability and access to personal information can be restored in a timely manner; and
11.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
12. International transfers of your personal data
BR Special Tuning does not transfer personal data outside of the European Economic Area (EEA). The EEA includes all European Union countries and the following three non-European Union countries Iceland, Liechtenstein and Norway.
13. Staff administration
13.1 BR Special Tuning will process personal information relating to its current and former staff and data subjects (who have applied for permanent or temporary jobs at BR Special Tuning) for the purposes of managing their contract of employment, the work of BR Special Tuning, pay and/or pensions, discipline and other personnel matters.
14. Information Sharing
14.1 To ensure that we can provide you with the best possible service we may have to share your personal data between our internal teams or external partners. Our external partners include:
14.2 We may also share your information with third parties, other than those who either process information on our behalf or because of a legal requirement/entitlement, and it will only do so if necessary or where permitted under the GDPR.
15. Statistical Data/Research
15.1 We may also process your personal data (including special categories of personal data) for the purpose of research or compiling statistical data using Google Analytics (See Clause 18.4).
15.2 Statistical data/Research
Statistical data or statistical analysis will not allow the identification of any specific data subject nor will it have any impact on any data subject’s entitlement to our services and/or facilities. We may use your personal information to administer our site and internal operations including data analysis, statistical and survey purposes (see also cookies). If we require your specific or explicit consent to do this then we shall seek your consent in advance and only after outlining to you the purpose of the proposed processing. You will have the option to withdraw your consent at any stage.
16. Your rights
16.1 You have certain rights in relation to the personal information we hold about you. These rights are as follows:
- Right to be informed – you have a right to be told how BR Special Tuning use your personal data. BR Special Tuning communicate the right to be informed via this privacy notice.
- Right of access – you have the right to request a copy of the information that we hold about you. (This right is similar to a subject access request).
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to erasure (right to be forgotten) – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restrict processing – where certain conditions apply you have a right to restrict the processing.
- Right of data portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing, the performance of a legal task and scientific or historical research.
- Right to object to automated processing, including profiling.
- The right to withdraw consent - If the legal basis for our processing of your personal information is consent then you have the right to withdraw that consent at any time.
16.2 Some of the rights are complex, and there are circumstances where your rights will not apply, for example the right to erasure will not apply if your personal data is required for legal proceedings. It is recommended that you read the relevant guidance notes on BR Special Tuning’s website, or on the ICO’s website for further information.
17. How to exercise your rights
17.1 You may exercise any of your rights in relation to your personal data by writing to us at the address above. To avoid delay in dealing with your request please ensure that you confirm in your request which right you wish to exercise along with the reasons why.
17.2 The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
17.3 We will respond to your request within 30 days, by either providing you with the information requested, requesting further information from you, or requesting further time to complete your request, if for example the request is substantial or we need to obtain information from various departments within BR Special Tuning.
17.4 BR Special Tuning can also refuse your request. In the event that BR Special Tuning refuses your request we will provide you with reasons why, as well as provide you with details of how you can challenge or appeal our decision. You will also be informed of your right to legally challenge our decision with the ICO.
18. Links to other websites
18.1 BR Special Tuning’s website may contain links to other websites run by other organisations. This privacy notice applies only to BR Special Tuning’s website, so we encourage you to read the privacy notices on the other websites you visit. We cannot be responsible for the privacy notices and practices of other sites even if you access them using links from our website.
19.1 We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the "last updated" date at the top of this notice. We will also inform you of any amendments to this privacy notice.
19.2 BR Special Tuning encourages you to periodically visit BR Special Tuning’s web site to review this notice and to be informed of how BR Special Tuning is protecting your information.
19.3 If you require general information about the Data Protection Act or General Data Protection Regulations (Regulation (EU) 2016/679), information is available on the Information Commissioner’s website.
20.1 If you wish to make a complaint about how BR Special Tuning are processing your personal data, then in the first instance please contact the data protection officer at firstname.lastname@example.org.
20.2 If you are still dissatisfied with how BR Special Tuning have handled your complaint then you have the right to complain to the Information Commissioner’s Office (ICO). The ICO can be contacted as follows:
The Information Commissioner
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 08456 30 60 60