Our Privacy Notice
Black Mountain (Europe) Ltd and Subsidiaries is committed to protecting the privacy and security of your personal information.
This Privacy Notice describes how we collect and use the personal information about you during and after your working relationship with us and to provide a service to you in accordance with the General Data Protection Regulation (GDPR). ‘Personal information’ means all information that relates to an identified or identifiable individual.
This notice does not form part of a contract to provide services or any other contract. We reserve the right to update this notice at any time.
Who this notice applies to
This notice applies to all clients and potential clients of Black Mountain (Europe) Ltd and Subsidiaries of whom we hold personal data.
The Principles of GDPR
Under the principles, organisations must be able to demonstrate that any personal data they handle is:
• Processed lawfully, fairly and transparently
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary
• Accurate and, where necessary, kept up to date
• Kept for no longer than is necessary where data subjects are identifiable
• Processed securely and protected against accidental loss, destruction or damage
Definitions under GDPR
• Data Subject – means an individual who is the subject of personal data.
• Data Controller – A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is, or is to be, processed.
• Data Processor – In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Information we collect
We collect personal information about you when you visit our website, contact us and / or enquire about or enrol to services offered by Black Mountain Group. We may use this personal information along with other information collected during our relationship with you.
We collect personal information from you such as your contact details, payment information, information relating to your use of our products and services and your marketing choices.
In addition to this, we collect personal information from you in the following ways:
• Through online forms, and online services that we offer (some of which may be managed by third parties on our behalf)
• Whilst providing customer support through email or via the telephone
• Through the process of maintaining and upgrading our services
• Through means such as communications protocols, e-mail communications and cookies
• Through your interest in the Black Mountain Group services advertisements placed on third part sites
Personal and sensitive data
Personal data is any information relating to any person who can be identified either directly or indirectly, such as their name, or an identification number, a location, online data or through factors specific to physical, psychological, genetic, mental, economic, cultural or social identity of that person.
Under GDPR, it is legitimate to process sensitive personal data where necessary. For example – to carry out an employment contract or collective agreement obligation. What counts as sensitive personal data is information on racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, and genetic or biometric data.
Using your personal data: the legal basis and purposes
To provide a service to you:
We’ll process your personal data:
• To take steps at your request before entering into any contract or service with us
• To update our records
Legitimate business purposes:
• For good governance, accounting and managing and auditing our business operations
• To provide excellent customer service, and conduct other administrative tasks necessary to provide our services
• To help manage risk
• To build a relationship and better understand our customers and their requirements
Legal and Compliance obligations:
• When you exercise your rights under data protection law and make requests
• For compliance with legal and regulatory requirements and related disclosures
• To protect our legal position in the event of any legal proceedings
• Retaining records containing your personal information as required under applicable law
Lawful grounds for processing:
We as a Company may process personal information lawfully for a number of reasons, including in order to:
• Perform a contract
• Comply with a legal obligation
• Protect the clients or another individual’s vital interests
• Carry out a task in the public interest, or in exercising official authority vested in the employer
• Protect the legitimate interests of the Company or a third party, except where this is overridden by the interests or rights of the employee.
Under the General Data Protection Regulation (GDPR) you have a number of rights with regards to your personal data. You have the right to request from us access to and rectification of your data as well as for it to be erased and to restrict processing of your data in certain circumstances.
If you have provided consent for the processing of your data you have the right to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent has been withdrawn.
You also have the right to lodge a complaint with the information Commissioners Office (ICO) if you feel that we have not complied with GDPR requirements regarding your personal data.
In summary, data subjects have the:
• Right to be informed about the processing of your personal data
• Right to rectification if your personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within 1 month)
• Right of access to your personal data and supplementary information, and the right to confirmation that your personal data is being processed
• Right to be forgotten by having your personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it again (employers will have to respond without undue delay or and within 1 month of the request)
• Right to restrict processing of your personal data, for example, if you consider that processing is unlawful or the data is inaccurate
• Right to data portability of your own personal data for your own purposes (you will be allowed to obtain and reuse your data)
• Right to object to the processing of your personal data for direct marketing, scientific or historical research, or statistical purposes
Sharing and transferring personal data
We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you. Subject to applicable data protection law, we may share your personal data with:
• Subcontractors and other persons who help us to provide our products and services
• Companies and other persons providing services to us
• Our legal and professional advisors, including auditors
• Government bodies and agencies in the UK and overseas (e.g. HMRC), who may in turn share it with relevant overseas tax authorities and regulators
• In an emergency or to otherwise protect your vital interests
• To protect the security or integrity of our business operations
• To other parties connected with your account
• Anyone else where we have your explicit consent or where it is required by law.
In certain circumstances your information may be transferred outside of the EEA or to an international organisation to comply with our legal or contractual requirements. Safeguards are in place to ensure the security of your data.
If there is a requirement in the future to process your data for a purpose other than for which it was collected, we will always provide you with notice and the information on that purpose and any other relevant information.
Record keeping and Data retention periods
We will maintain clear and accessible records of all data processing activities.
Data will only be kept for as long as is necessary to fulfil the purpose identified or as required by law. Where there is a legal requirement to keep the data, we will comply with the statutory retention periods.
Automated decision making and processing and consent
Under GDPR, the current methods of requesting consent to collect and process your data have been reviewed. In some situations, consent is not required – for example to fulfil legal or contractual obligations. However, we may approach you for written consent to allow us to process particularly sensitive data. If we do so , we will provide you with the full details of the information required and the reasons why, so that you can carefully consider whether to provide consent.
Automated decision making involves processing your personal data without human intervention. We may do this to decide which marketing communications are suitable for you. All this activity is on the basis of our legitimate interests, to protect our business and to improve and develop our products and services.
Subject to your choices and based upon the information you provide to us, we may send you communications by email and post. You can withdraw your consent at any time by contacting us.
Should you have any queries regarding this notice or data protection in general, the Company’s Data Protection Officer is Steven Fedor and they can be contacted by telephone +44 (0) 203 968 5835 or by email firstname.lastname@example.org