Privacy Policy

Our Data protection acts and procedures

Our Data Protection Policy

We value the trust you place in us by giving us your data. We will always use your data in a way that is fair and worthy of that trust. That means letting you know what information we collect and why, how we use it and who to contact if you have any concerns. We will also do everything we can to protect the data we hold about you.

General principles

We adhere strictly to the Principles of Data Protection, as set out in the General Data Protection Regulation (GDPR). This includes the obtaining, holding, using or disclosing of such data and covers computerised records, as well as manual filing systems and card indexes.

  • We will hold the minimum data necessary. All such data is confidential and will be treated with due care.
  • We have proper safeguards to protect all data we hold. It will be kept safe from unauthorised access, accidental loss or destruction.
  • All data we hold will be obtained for a specified and lawful purpose, and processed fairly and lawfully in accordance with your rights.
  • We will hold your data for up to seven years for financial, legal and regulatory compliance.
  • We will not transfer your data to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

How we collect data

We will collect data through email, face-to-face contact and requests for contact details of HQ employees for retailers.

How we use your data

We will use your data on the grounds of Legitimate Interest ie where we believe there is benefit to both us and you.

Usage will include communicating with you via email, phone, post and SMS to provide:

  • updates and information in line with our Aims and objectives
  • events which will impact the city centre and potentially your business
  • any useful information relating to Nottingham BID
  • results of activity and events.

In order for our business to operate, we will use data we collect for clients and supplier companies for the following purposes:

  • financial and accounting procedures, including, but not limited to, quoting, raising purchase orders, sending statements, discussing payments and invoicing
  • credit checking
  • contractual matters
  • human resource matters.

Your right to be informed

We will email you to inform you that we hold information about you, with a link to our Data Protection Policy. We will inform you of any update to this policy via email.

How we store your data

We will only store data on our approved secure environments, which are GDPR compliant, including:

  • CRM Platform
  • Email service provider
  • Email software
  • Data stored on local PCs and other devices will be protected with a strong password and encrypted.
  • Data will be removed from local PCs and other devices, and any memory sticks or cloud storage platforms, as soon as it is no longer required.
  • All hard copies will be kept in a locked cabinet or drawer and put away when not in use.

How to access your data

You have the right to request access to the data we hold on you.

Please provide two forms of identification from the following to prove the data relates to you:

  • Passport
  • Driving licence
  • Birth certificate
  • Utility bill (from last 3 months)
  • Current vehicle registration document
  • Bank statement (from last 3 months)

Within one month of receiving your request, we will contact you with details of how you can access your data.

Please contact data@nottinghambid.com

Correcting your data

If you notice any errors in your data, you have the right to request that your record is updated. We will respond within one month.

Please contact data@nottinghambid.com

If you object to us holding your data or want to restrict its usage

You have the right to opt out of all data usage or to restrict what we can do with your data. We will respond within one month.

Please contact data@nottinghambid.com

Having your data erased

You have the right to request all information about you is erased from our systems.

Although we respect your wish to remove all data we hold, there is a level of data we may need to retain for legal, accounting and compliance reasons. We will review your request and tell you what data we can remove. We will do our best to respond within one month.

Please contact data@nottinghambid.com

Transferring your data

When transferring your data, either internally or externally to clients or partners, we will ensure that the recipient is authorised to receive the data.

If we are transferring the data via email, we will take the following steps:

  • If possible, we will de-personalise the information before transfer. This may not be possible with some items of data.
  • The data will be encrypted and protected with a strong password.
  • The password will be sent separately from the email, either by telephone or instant messaging platform.
  • The email will be deleted from the inbox/sent items folder and the deleted items folder as soon as the dataset has been exported.
  • We will log the date, time, recipient, filename, format, method of transfer and classification of the data in the transference log. We will also obtain a read receipt.

Operational procedures to protect your data

To ensure our employees are aware and comply with data policies we have:

  • Presented and communicated our policies to all employees
  • Updated the company handbook
  • Developed an induction procedure for all new employees
  • Updated employee contracts so any action leading to a breach of data policy will be considered ‘gross misconduct’.

Reporting a potential data breach

If we suspect a data breach of any kind, we will report it to the Information Commissioner’s Office immediately.

If you suspect a data breach, which you believe may have involved us and the information we hold on you, please email data@nottinghambid.com with the subject ‘Data Breach’ and we will respond within 72 hours.

Data accountability

Our appointed Data Controller (the individual within our organisation who ensures our data policies and processes are followed and enforced) is:

The GDPR in the UK is governed by the ICO – WWW.ICO.ORG.UK