Business Comply Website Privacy Policy

BREXIT Temporary conditions (May 2020)

The UK Parliament has approved an ‘in principles’ agreement based on the UK Government’s negotiated agreement with the European Union.  This does not validate the UK’s legal equivalency with EU GDPR laws or the source directive.  With this in mind we are for the time being retaining all data relating to this marketing website and our membership portal entirely under UK law.  This policy is separate to the members portal.

Regardless, we continue to adhere to the UK Data Protection Act and the principles of the EU legislation until such time as the British Government reaches an equivalency agreement with the EU, by December 2020 at the latest.  If you have any questions on this please contact us direct.

The EU Courts of Justice overturned in mid-July the existing EU-USA Privacy Shield agreement (Schrems II judgement), not for the agreement itself because the USA maintains considerable surveillance of the general population. Once EU data went to the USA the American Government could what it liked with it and no comeback. We intend once both these situations are clarified to store individual’s data sourced regionally, within that region. We will continue to protect individual’s data using the EU GDPR as the over-riding principles when we see conflicts between national legislation occurring.

In Summary

This policy applies exclusively to this marketing Website, a separate policy applies to signed-up members of the services provided through our members portal.

For clarity;

  • your personal details provided through this web site are captured and processed entirely in the UK or the European Union.
  • for members, your personal details are collected through local portals processing in-country, then passed to a central UK membership database located in the South of England.

Business Comply Limited (BusinessComply) understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits this website, (“Our Site”) and as described in Parts 5 and 6, below, we do not collect personal data about you unless you contact us.

BusinessComply holds personal data for purposes incidental to marketing and meeting customer contractual commitments, for the purpose of employment and business associates, for the purpose of limited business-to-business marketing and, online discussion using our LiveChat service.

We do not trade in, or exchange, personal data in any form with third parties.

We do not scan communications for opinions or trends analysis, nor the promotion of advertising in anyway. 

Please read this Privacy Policy carefully and ensure that you understand it. It relates solely to our public Web Sites; membership work is carried out under specific terms and conditions which are different to this public facing policy.

Your acceptance of this Privacy Policy is deemed to occur by action upon first using of Our Site.

If you do not accept and agree with this Privacy Policy you must stop using Our Site immediately.

  1. Information About Us
    Our Site is owned and operated by Business Comply Limited registered in England under company number 12027682
    Data Protection Officer: Kenneth Tombs.
    Email address:
    Registered address: Manor House Cottage, Mill Lane, Pirbright, Surrey, GU24 0BN, United Kingdom.
    Telephone number: Number being replaced.
    We are regulated by the UK ICO and the French CNIL.
  2. What Does This Policy Cover?
    This Privacy Policy applies only to your use of Our public facing Site(s), which may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.
  3. What is Personal Data?
    Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) and the UK DPA 2018 Act, as ‘any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier’. Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
  4. We also anticipate the United States Safe-Harbor agreements and forthcoming state legislation in California.
  5. What are my rights?
    Under the GDPR, you have the following rights, which we will always uphold:
    a) The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 10.
    b) The right to access the personal data we hold about you. Part 9 will tell you how to do this.
    c) The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 10 to find out more.
    d) The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Part 10 to find out more.
    e) The right to restrict (i.e. prevent) the processing of your personal data).
    f) The right to object to us using your personal data for any particular purposes.
    g) The right to data portability. This means that, if you have provided personal data to us directly, and we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
    h) Rights relating to automated decision-making and profiling. We do not use automated profiling of personal data in this way.
    For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 10.
    Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
    If you have any cause for complaint about our use of your personal data, after you have spoken with us about it, you have the right to lodge a complaint with the Information Commissioner’s Office.
  6. What Personal Data Do You Collect?
    Subject to the following, we do not collect any personal data from you. We do not place cookies on your computer or device, nor do we use any other means of hidden data collection.
    If you send us an email, we may collect your name, your email address, and any other information which you choose to give us.
    This Website uses Google Analytics in an anonymous manner retaining such data for twelve months.
    This website does not use cookies for browsing or tracking purposes.
    The LiveChat online panel uses programmatic code to forward and track the viewing of content and requests for online discussion. Such records are held for twelve calendar months with the details of the correspondent.
  7. How Do You Use My Personal Data?
    If we do collect any personal data, it will be processed and stored securely, for no longer than is necessary considering the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the GDPR always. For more details on security see Part 8, below.
    As stated above, we do not generally collect any personal data. If you contact us and we obtain your personal details from your email, we may use them to respond to your email.
    All emails containing your personal data will be deleted no later than thirty working days after any subject access request has been resolved.
    You have the right to withdraw your consent to us using your personal data at any time, and to request that we delete it – subject to any statutory constraints.
    We will not share any of your data with any third parties for any purposes other than storage on an information or email service.
  8. How and Where Do You Store My Data?
    We primarily store your personal data within the European Economic Area (the “EEA”), primarily in Switzerland and France.
    We do not transfer your data to any 3rd party organisation for their use.
    All classes of data security are essential to us and to protect those data, we take the following measures:
    • Operate an ISO 27001 Information Systems Management System.
    • Have adopted industry best practices for ICT and operational security.
    • Use encryption and encrypted networks.
    • According to Business Impact Level requirements (BIL2xx), undertake technical penetration testing.
    • Operate using a high security client-to-client fully encrypted email system (ProtonMail) at BIL4xx plus.
  9. Do You Share My Personal Data?
    We do not share any of your personal data with any third parties for any purposes, subject to one important exception.
    In some limited circumstances we are legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a valid government authority.
    If any of your personal data is transferred to such a third party as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above in Part 7.
  10. How Can I Access My Personal Data?
    If you want to know what personal data, we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is located). This is known as a “subject access request”.
    All subject access requests should be documented and sent either by email or to the postal address shown in Part 10. We will need to verify your identity and location through an agreed mechanism to prevent identity theft or fraud.
    There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive vexatious requests) a fee may be charged to cover our administrative costs in responding.
    We expect to respond to your subject access request within ten working days and, in any case, not more than one month of receiving it. In some cases, however, particularly if your request is more complex, a maximum of three months may be required from the date we receive your request. You will be kept informed of our progress.
  11. How Do I Contact You?
    To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
    Email address:
    Postal Address: Manor House Cottage, Mill Lane, Pirbright, Surrey, GU24 0BN, United Kingdom.
  12. Changes to this Privacy Policy
    We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
    Any changes will be immediately posted on Our Site and you have accepted these terms of the Privacy Policy on your first use of Our Site following the alterations.
    We recommend that you check this page regularly to keep up-to-date.
    It is current at September 2020.

Additional Information and Code Of Conduct

More on Our Privacy Policy
Part of  our business is in delivering advice and guidance on data privacy and protecting the information of individuals, combined with other compliance and governance functions.
We take this commitment seriously and have adopted ethics that reflect our business position.

Our Policy is straightforward and applied consistently to both online and managed services, if you have any questions about our approach please email us or use our Live Panel on this Web Site.

Our Policy is compliant with the new United Kingdom’s Data Protection Act 2018, that came into force on May 25th 2018, regarding data privacy and electronic commerce.
This Policy applies to both public information and customer agreements and supports our ISO27001 governance internally.

Our policies apply to all media methods be it printed, to desktop or mobile devices more widely, including Apps published on major App stores such as operated by Google Play, Microsoft, or Apple.

Important note:
This Website is for commercial users only.
You should assume that everything you see or read on Our Site is copyrighted unless otherwise noted and may not be used without the permission of ‘Business Comply.’
‘Business Comply’ does not warrant or represent that your use of materials provided through or on this website will not infringe rights of third parties.
We are not responsible for any 3rd party policies, conditions or practices enforced by App store providers when downloading our App products or from other third parties.
You agree to respect our Web Site and customer portals and not to use them for any immoral, criminal, or disruptive purposes in any manner.

Data Processor and Controller
Business Comply operates as a data controller for all internal functions such as staffing and statutory purposes. It also acts as a data controller for members personal details. Our hosting is provided by Microsoft on the Azure platform and we use no other third parties for data processing all processing is on our own cloud services.
We are not responsible for any other Data Controllers’ policies, practices, conditions, or statutory compliance, though we maintain legal agreements that set out our expectations in terms of cooperation and compliance.
There are customer projects that require the importation and exportation of personal data to organisations operating within national legal regimes that have no EU equivalence status. In such an event we operate with legal agreements or will put in place Binding agreements through the Information Commissioner’s Office in the United Kingdom.

Business Comply only collects information that is necessary for our governance, consulting and compliance services and to use it in a way you would reasonably expect. In collecting and using this information we are committed to protecting your personal privacy.

Who will see or have access to your personal information?
Unless required to provide your personal information to others by law, by court order or to investigate suspected fraud or other unlawful activity, your information will used solely by persons working in, or for, Business Comply.
These people may include our member service staff, country agents, sub-contractors, accountants, lawyers, financial planners, paralegals, underwriters, risk assessors, claims managers, investigators, statisticians, re-insurers, and professional advisers.
Our information systems and files are secured from un-authorised access and our staff and contracted agents and service providers have been informed contractually of the importance we place on protecting your privacy and their role in helping us to do this. Some information is retained for up to seven years to comply with legal requirements.

Why do we need to collect this information?
We need this information to provide our governance and compliance products or services. If you have chosen, ‘opted in’ we will send you details of related products and services or their updates. At any time, if you no longer wish to receive this additional marketing material let us know, and we will remove your details from our direct marketing listings. We will respect any request ‘to be forgotten’ made, subject to any customer contractual arrangements in affect with you at the time.

Jurisdiction and applicable law
We have nominated for the time being the United Kingdom Information Commissioner’s Office as our General Data Protection Regulations Supervising Authority. We also report to other EU Supervisory Authorities from time to time on behalf of customers.
The English and Welsh Courts have exclusive jurisdiction over any claim arising from or related to a visits to this Web Site or our other services. English Law and practice will apply entirely to these terms and conditions.

What if I want to check what personal information you hold about me?
Subject to any legal restrictions, we are happy to meet your request for access to the personal information we hold about you. There is no cost to you in providing this information unless your request is complex. We reserve the right to refuse subject access request where we believe them to be vexatious or attempting to create a denial of service. We have processes to ensure that all information you disclose is kept accurately, is complete and up to date. You must promptly notify us if there are any changes to your personal information.
If you believe there are errors in our records about you, please let us know and we will be happy to investigate and correct any inaccuracies. In the unlikely event that we do not agree with you as to the need for a correction of your personal information, you may request a correction statement be associated with your information and we will take reasonable steps to do this. Our privacy policy has been formulated to appropriately address your privacy rights and obviate any need for you to make a complaint, however, you retain your right to make a complaint to the Information Commissioner’s Office.

Accessing our site and online services
Access to our Website is permitted on a temporary basis and we reserve the right to withdraw or amend the service without notice.
As a customer where you have access to one of our portals, you are responsible for making all arrangements necessary for you to have access to our site or portal. You are also responsible for ensuring that all persons accessing the site through your internet connection are aware of these terms and that they comply with them. Separate terms may apply for customers and will be set out in the specific service definition document.
Where you are provided with a user ID, password, federated sign-on or any other piece of information as part of our security procedures, you must treat this information as confidential and you must not disclose it to any third party.
You agree in using this Web Site or portals not to post or use for onward transmission any unlawful, threatening, defamatory, obscene, scandalous, inflammatory or profane material or any material that could constitute or encourage conduct that would be considered a criminal offence, give rise to civil liability, or otherwise violate any law.

Our Website changes regularly
We update our website regularly and so may change the content at any time. If the need arises, we have the option to suspend the site or to close it indefinitely.
We may at any time revise our policy by updating this page. You are automatically bound by any such revisions and should periodically visit this page to ensure familiarity with our policy.
Information about you and your visits to our site
We process information about you in accordance with our privacy policy. By using the Web Site you consent to such processing and you warrant that all data provided by you is accurate.

Linking to our site
You may link to our home page, provided you do so in a way that is fair and legal and which does not damage our reputation or take advantage of it. In particular, you must not establish a link in such a way as to suggest any form of association, approval, or endorsement on our part where none exists. Our site must not be framed on any other site, nor should you establish a link to any part of our site other than the home page. We reserve the right to withdraw and enforce this linkage permission without notice.

Further information
If you would like further information on our privacy policy or if you have any concerns over the privacy protection of the information you have given to us or that we have collected from others, please contact us at St Anne’s Lodge.
This Website(s) is the intellectual property and copyright © 2017-2020 Business Comply Limited and all its content, ideas and know-how provided

Our Code Of Conduct
Our legal duty-of-care is to the customer and none other.
We will be impartial, balanced, and independent in judgment and action, taking reasonable steps to be assured of our advice and recommendations.
Our analysts and staff will act transparently and in-good-faith on behalf of our customers and their data subjects, in the spirit of the GDPR.
We will promptly inform a customer of any conflicts of interest arising out of our duties.
We will treat as confidential all information which is obtained through our working with accreditation bodies and professionals.
We will not allow confidential information to be disclosed to third parties, unless required by law or local regulation.
In the event of a conflict or dispute, the matter will be referred to the Centre for Effective Dispute Resolution (CEDR) in the City of London for an appointed mediator to adjudicate.

©Business Comply Limited 2020 | Various images Getty, Unsplash and Dreamstimes

Updated May 2020