Privacy Policy

In most instances when BioCity Group collects personal data, we are the Data Controller.  As Data Controller, we are responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the information we handle.

All our people must abide by this policy when handling personal data and take part in any required data protection training.

When we need to let you know about additional privacy information not contained in this policy we will let you know at the point that we collect the relevant personal data from you, or within a reasonable period of obtaining your personal data if we get it from someone other than you.

Our Data Protection Principles

BioCity Group takes your privacy very seriously and has therefore adopted the following principles to govern our use, collection and disclosure of your personal data.

Your personal data will:

• be processed fairly and lawfully and to the extent required under local law with valid and informed consent;
• be obtained for specific and lawful purposes;
• be kept accurate and up to date;
• be adequate, relevant and not excessive in relation to the purposes for which it is used;
• not be kept for longer than is necessary for the purposes for which it is used;
• be processed in accordance with the rights of individuals;
• be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; and
• not be transferred to, or accessed from, another jurisdiction where these core principles cannot be met unless it is adequately protected.

We are only allowed to use your personal data if we have a proper reason to do so.

Data protection law sets out a number of different reasons we may collect and process your personal data. The lawful basis will depend on the specific activity for which we are collecting your personal data, but will usually be one of the following:

• You have given us permission to do so: In specific situations, we can collect and process your data with your consent – e.g. when you sign up to receive email or postal communication from us. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with particular activities.

• We need to perform a contract for you: In some instances, we need to process your personal data to comply with our contractual obligations with you. For example, if you ask to attend an event and let us know about special dietary requirements, we need your contact details to update you about the event arrangements and to let you know of any changes, and we will also need to pass some of your personal data on to our caterer.

• We need to comply with a legal obligation: We may be legally bound to collect and process your data. For example, if someone is involved in any criminal activity or fraud affecting us, we need to pass details, which could include personal data, to law enforcement.

• It is in our legitimate interest: We require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we may use your event attendance history to offer more personalised event offers. We can only use this lawful basis if our legitimate interests do not override your individual interests, rights and freedoms.

You have rights over your personal data.  Under data protection law:

• we have to inform you about the collection and use of your personal data, including our purposes for processing your personal data, how long we will keep your data and who we will share your data with (known as the right to be informed);
• you can ask whether we are processing your personal data and if so, ask for a copy of your information (known as the right of access);
• you can ask for information to be corrected (known as the right to rectification);
• you can ask for information to be erased or deleted (known as the right of erasure);
• you can ask for us to limit or restrict processing (known as the right to restrict processing);
• you can ask us to send you a copy in a structured digital format or ask for us to send it to another party (known as the right to data portability);
• you can object to us processing your data, in particular where we use the data for direct marketing, including profiling for direct marketing purposes.  The right to object does not apply if we must process the data to meet a contractual or legal requirement (known as the right to object);
• you have the right not to be subject to a potentially damaging decision being taken without human intervention (known as rights related to automated decision making and profiling).

Some rights, however, may be limited. We may be obliged by law or regulation to keep information.  We must respect other people’s privacy as well, which means we may need to redact or remove information where it includes personal data about someone else, even if it is connected to your data.  On occasion there may be a compelling legitimate interest to keep processing data.

If you want a copy of your data, to object to how we use your data, or ask us to delete it or restrict how we use it or, please see ‘Getting in touch’ below.

You also have a right to complain to an EU data protection authority.  This can be where you live, work or where the matter occurred. In the UK, the authority is the Information Commissioner’s Office, please see ‘Contacting the regulator’ below

We only keep your data for as long as is necessary for the purpose it was collected. After that period, your data is deleted or anonymised.  We may also aggregate your personal data with other data to use for business planning and analysis.

At times we need to share your personal data with trusted third parties e.g. delivery couriers, IT companies, credit card processing services and so on. We only provide what they need and they cannot use your data for anything other than the purposes that they have your data for. Your data is deleted or rendered anonymous if we stop working with the third party.

Sharing your data with third parties for their own purposes

We will never sell or trade your contact details with any third parties without you giving us your express consent to do so e.g. if you ask to attend an event which is being run explicitly as a joint event with a third-party.

There are some instances where we may have to share your information based on our legal obligations, for instance:

• Legal, compliance, regulatory and investigative purposes, including for government agencies and law enforcement.
• When you exercise your rights under data protection legislation, including when you ask to subscribe or unsubscribe from our marketing communications.

Where practical, your personal data will be stored within the European Economic Area (the EU plus Iceland, Lichtenstein and Norway) (EEA).  This includes data stored in physical format at our sites and in digital format in our own and our service providers systems.

Sometimes we may need to send or store your data outside of the EEA.  For example, to follow your instructions, to comply with a legal duty or to work with or receive services from our service providers who we use to support the operation of our business. If we do transfer information outside of the EEA, we will make sure that it is protected by using one of these safeguards:

• Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Some non-EEA countries have been deemed to give adequate protection by the EU.
• Put in place a contract with the recipient that means they must protect it to the same standards as the EEA or use other mechanisms and measures to achieve adequate protection. We also may use the Standard Contractual Clauses published by the EU.
• Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.
• Binding corporate rules. These are internal rules adopted by group companies to allow international transfers of personal data to entities within the same corporate group located in countries which do not provide an adequate level of protection.

Our website, apps and marketing emails use cookies and similar technology. Full information is in our Cookie Notice.

Our Company Secretary is responsible for overseeing and monitoring our compliance with data protection laws and this policy.

If you want to make a request in line with your rights, you have any concerns regarding the way in which we are processing your personal data, or you just have a question relating to our processing of your personal data, please contact us by email at [email protected] or write to us at:  The Company Secretary, BioCity Head Office, Pennyfoot Street, Nottingham, NG1 1GF.

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try to put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office by calling 0303 123 1113 or going online to www.ico.org.uk/concerns.