British Association for Chemical Specialities (BACS or the Association) produced this privacy notice as required by the General Data Protection Regulation (GDPR), which applied from 25 May 2018, changing data protection law in the UK.
This privacy notice aims to give you information on how BACS collects and processes your personal data in compliance with the GDPR.
- About BACS
- What is personal data?
- What personal data does BACS collect?
- How is personal data collected by BACS?
- How is personal data used by BACS?
- Lawful basis for processing personal data
- Data controller and data processors
- Data retention
- BACS website cookies
- Individuals’ rights
BACS is a not-for-profit trade association whose members, currently totalling around 130, operate in the speciality chemicals sector of the chemicals supply chain. BACS provides members with access to timely, targeted and relevant information on industry and regulatory developments and aims to provide a collective voice for members to represent their interests at the UK and international levels by working to shape and mitigate the impact of legislation on their businesses. BACS also runs seminars, conferences and training courses which are open to non-members as well as to members.
What is personal data?
Personal data, or personal information, means any information about an individual from which that person can be identified.
What personal data does BACS collect?
BACS collects personal data relating to contacts within its member companies, as well as data relating to those individuals who are members in their own right. Personal data which BACS collects includes first name(s) and surnames, telephone numbers, job titles, email addresses, membership of BACS sector groups, special dietary requirements, whether a contact is the main contact for the BACS member or not, and, occasionally, home and website addresses. BACS also generates and holds BACS website members’ area access user names and passwords.
In addition, BACS collects personal data when that data is necessary for compliance with legal obligations, such as the data required by Companies House relating to the appointment of directors of the Association.
Personal data which BACS collects relating to non-members includes first name(s) and surnames, telephone numbers, job titles, email addresses, special dietary requirements and whether contacts are members of BACS sector groups on a guest basis.
BACS does not collect any sensitive “special category”, children’s or criminal offences or convictions data.
How is personal data collected by BACS?
Personal data is generally collected directly in a variety of ways, including from membership application forms, booking and feedback forms for BACS members’ meetings, seminars, conferences and training courses and through contact via telephone and email. However, when website cookies are used data is collected automatically.
How is personal data used by BACS?
Personal data is used by BACS for the general administration of the Association; to provide information, predominantly by email, on industry and regulatory developments and on members’ meetings, seminars, conferences and training courses; for work with contacts in Government, other trade associations and other organisations; and for reviews of the use of its services.
In addition to sharing data when necessary for compliance with legal obligations, BACS may share personal data with service providers such as those who provide IT and system administration services and with professional advisors such as its lawyers and accountants.
BACS may share personal data with other third parties in the course of organising events such as members’ meetings, seminars, conferences and training courses insofar as the names and affiliation of those who have registered to attend events may be shared with other delegates and speakers and with event organisers at event venues. Event venue event organisers are also notified of special dietary requirements.
BACS asks all third parties to maintain the security of personal data shared with them and authorises them to use the data only for the purposes for which it has been provided.
Personal data may also be shared with Government, other trade associations and other organisations to facilitate input on the basis of consent by representatives from BACS members to the development of policy or other project work.
BACS does not make available to any other third parties, nor does it sell, nor does it transfer outside the EU, any personal data it holds.
Lawful basis for processing personal data
The GDPR requires organisations to identify the lawful basis for their processing of personal data. Six lawful bases are available for processing, namely “consent”, “contract”, “legal obligation”, “vital interests”, “public task” and “legitimate interests”.
“Legitimate interests” applies when processing is necessary for the legitimate interests of an organisation or the legitimate interests of a third party, unless there is a good reason to protect an individual’s personal data which overrides those legitimate interests.
BACS considers that, of the various lawful bases available, “legitimate interests” is the appropriate legal basis for its processing of personal data for the administration of the Association and for the provision of its services, except when the processing is necessary for compliance with legal obligations when the lawful basis is “legal obligation”, and except in specific cases where consent is sought when the lawful basis is “consent”. BACS has reviewed whether the processing it carries out is necessary for these purposes and is satisfied that there is no other reasonable alternative.
Data controller and data processors
The GDPR applies to data “controllers” and to data “processors”.
For the purposes of the GDPR, the Association is the data controller in that it determines the purposes and means of processing personal data. The Association’s contact details may be found at the foot of this page.
The data processors for the purposes of the GDPR are members of the BACS secretariat, including the Company Secretary and the BACS office administrator and accountant, who are responsible for processing personal data on behalf of the controller. Data is held securely on the BACS database and on the BACS website.
In the event that contacts cease to be employed by BACS members or cease to be contacts, their personal data is removed by the BACS office administrator from the BACS database and BACS website. In addition, their email addresses are removed from any relevant email lists.
BACS website cookies
Cookies are small files that with user consent, unless they are “essential” to the website when they do not need user consent, are downloaded to a user’s computer on accessing a website. They are used to store information that may be read and used by that website on that and on subsequent occasions.
The BACS website uses three cookies. The first of these is known as a “session” cookie. This cookie does not hold any personal or company details and is removed when the user closes his or her browser. This cookie is “essential” for use of the website.
The other two cookies are only downloaded when users, BACS members only, successfully login to the members’ area of the website with the “Remember me on this computer” option selected. These cookies are required for the operation of this function, which is activated on the basis of consent.
More detailed information on these cookies, including the deletion and inactivation of the members’ area cookies, may be found on the BACS website.
Under the GDPR, individuals have the right to be informed about the collection and use of their personal data, a key transparency requirement of the Regulation, as well as the purposes for which their personal data is processed, retention periods for that personal data and with whom it will be shared, this “privacy information” being communicated via a privacy notice.
Under the GDPR, in the context of the collection and processing of personal data by BACS, individuals have additional rights, namely the right to have access to their personal information; the right to the rectification of inaccurate information; the right to have it deleted; and the right in some circumstances to object to or restrict processing, all of which may be exercised by contacting the BACS office administrator.
Equally BACS contacts who do not wish to continue to be included in emailing lists can ask the BACS office administrator to remove their email addresses from such lists. Similarly, BACS members who no longer wish to receive information via the website information menu system may themselves de-select the information they no longer wish to receive or can ask the BACS office administrator to do this for them.
If you would like more information regarding this privacy notice and the GDPR, please contact the BACS office administrator at firstname.lastname@example.org More information on the GDPR may be found on the Information Commissioner’s Office (ICO) website.