Privacy notice & Data Protection 

Privacy notice

We are BODY ETHOS LTD. We’re a company registered in England and Wales with company number 11637905, whose registered address is at 61 Bridge Street, Kington, England, HR5 3DJ. In this privacy notice, we will refer to ourselves as ‘we’, ‘us’ or ‘our’. We are the Data Controller of the personal information we collect, hold and use about you, as explained in this notice.

You can get hold of us in any of the following ways:

  1. by emailing us at admin@bodyethos.co.uk; or

  2. by writing to us at 61 Bridge Street, Kington, England, HR5 3DJ.

We take the privacy, including the security, of personal information we hold about you seriously. This privacy notice is designed to inform you about how we collect personal information about you and how we use that personal information. You should read this privacy notice carefully so that you know and can understand why and how we use the personal information we collect and hold about you.

We do not have a data protection officer, but if you have any questions about this privacy notice or issues arising from it, you should contact data@bodyethos.co.uk, who is responsible for matters relating to data protection at our organisation, including any matters in this privacy notice. You can contact them using the details set out above.

We may issue you with other privacy notices from time to time, including when we collect personal information from you. This privacy notice is intended to supplement these and does not override them.

We may update this privacy notice from time to time. This version was last updated on 02 January 2021.

1. Key definitions

1.1. The key terms that we use throughout this privacy notice are defined below, for ease:

1.2. Data Controller: under UK data protection law, this is the organisation or person responsible for deciding how personal information is collected and stored and how it is used.

1.3. Data Processor: a Data Controller may appoint another organisation or person to carry out certain tasks in relation to the personal information on behalf of, and on the written instructions of, the Data Controller. (This might be the hosting of a site containing personal data, for example, or providing an email-marketing service that facilitates mass distribution of marketing material to a Data Controller’s customer base.)

1.4. Personal Information: in this privacy notice, we refer to your personal data as ‘personal information’. ‘Personal information’ means any information from which a living individual can be identified. It does not apply to information that has been anonymised.

1.5. Special Information: certain very sensitive personal information requires extra protection under data protection law. Sensitive data includes information relating to health, racial and ethnic origin, political opinions, religious and similar beliefs, trade union membership, sex life and sexual orientation, and also includes genetic information and biometric information.

2. Details of personal information that we collect and hold about you

2.1. Set out below are the general categories and details of retention periods in relation to those categories (see section 8 below for more details about retention) and in each case the types of personal information that we collect, use and hold about you:

Identity information
  Types of personal data: information relating to your identity such as your name (including any previous names and any titles that you use).
  Retention period: as long as you have subscribed to our services, and for legal and accounting reasons.

Contact information
  Types of personal data: information relating to your contact details such as email address, addresses and telephone numbers.
  Retention period: as long as legally required for accounting and legal reasons.

Account information
  Types of personal data: information relating to your account with us (including username and password).
  Retention period: as long as you have subscribed to our services, and for legal and accounting reasons.

Payment information
  Types of personal data: information relating to the methods by which you provide payment to us, such as bank transfer, credit or debit card, and details of any payments (including amounts and dates) that are made between us.
  Retention period: as long as you have subscribed to our services, and for legal and accounting reasons.

Transaction information
  Types of personal data: information relating to transactions between us such as details of the goods, services and/or digital content provided to you and any returns details.
  Retention period: 7 years for accounting and legal reasons.

Survey information
  Types of personal data: information that we have collected from you or that you have provided to us in respect of surveys and feedback.
  Retention period: 12 months.

Marketing information
  Types of personal data: information relating to your marketing and communications preferences.

Website, device and technical information
  Types of personal data: information about your use of our website and technical data which we collect (including your IP address, the type and version of the browser you are using, the operating system you are using, details about the time zone and location settings on the device and other information we receive about your device).
  Retention period: 180 days.

2.2. The types of personal data we collect about you may differ from person to person, depending on who you are and the relationship between us.

3. Details of special information that we collect and hold about you

3.1. Special information is explained in section 1 above. We do not collect or hold any special information about you.

3.2. We do not collect information from you relating to criminal convictions or offences.

4. Details of how and why we use personal information

4.1. We are only able to use your personal information for certain legal reasons set out in data protection law. There are legal reasons under data protection law other than those listed below; but, in most cases, we will use your personal information for the following legal reasons:

  1. Contract Reason: this is in order to perform our obligations to you under a contract we have entered into with you;

  2. Legitimate Interests Reason: this is where the use of your personal information is necessary for our (or a third party’s) legitimate interests, so long as that legitimate interest does not override your fundamental rights, freedoms or interests;

  3. Legal Obligation Reason: this is where we have to use your personal information in order to perform a legal obligation by which we are bound; and

  4. Consent Reason: this is where you have given us your consent to use your personal information for a specific reason or specific reasons.

4.2. So that we are able to provide you with goods, we will need your personal information. If you do not provide us with the required personal information, we may be prevented from supplying the goods to you.

4.3. It is important that you keep your personal information up to date. If any of your personal information changes, please contact us as soon as possible to let us know. If you do not do this, then we may be prevented from supplying the goods to you (for example, if you move address and do not tell us, then your goods may be delivered to the wrong address).

4.4. Where we rely on consent for a specific purpose as the legal reason for processing your personal information, you have the right under data protection law to withdraw your consent at any time. If you do wish to withdraw your consent, please contact us using the details set out at the beginning of this notice. If we receive a request from you withdrawing your consent to a specific purpose, we will stop processing your personal information for that purpose, unless we have another legal reason for processing your personal information – in which case, we will confirm that reason to you.

4.5. We have explained below the different purposes for which we use your personal information and, in each case, the legal reason(s) allowing us to use your personal information. Please also note the following:

  1. if we use the Legitimate Interests Reason as the legal reason for which we can use your personal information, we have also explained what that legitimate interest is; and

  2. for some of the purposes, we may have listed more than one legal reason on which we can use your personal information, because the legal reason may be different in different circumstances. If you need confirmation of the specific legal reason that we are relying on to use your personal data for that purpose, please contact us using the contact details set out at the start of this privacy notice.

To enrol you as a customer
  Legal reason(s): Contract Reason; Legitimate Interests Reason (in order to offer you other goods, services and/or digital content, which helps us to develop our business).

To process your order, which includes taking payment from you, advising you of any updates in relation to your order or any enforcement action against you to recover payment
  Legal reason(s): Contract Reason; Legitimate Interests Reason (in order to recover money that you owe us).

To manage our contract with you and to notify you of any changes
  Legal reason(s): Contract Reason; Legal Obligation Reason.

To comply with audit and accounting matters
  Legal reason(s): Legal Obligation Reason.

For record keeping, including in relation to any guarantees or warranties provided as part of the sale of goods, services and/or digital content
  Legal reason(s): Contract Reason; Legal Obligation Reason.

To improve the goods, services and/or digital content that we supply
  Legal reason(s): Legitimate Interests Reason (in order to improve the goods, services and/or digital content for future customers and to grow our business).

To recommend and send communications to you about goods, services and/or digital content that you may be interested in (more details about marketing are set out in section 11 below)
  Legal reason(s): Legitimate Interests Reason (in order to grow our business); Consent Reason.

To ensure the smooth running and correct operation of our website
  Legal reason(s): Legitimate Interests Reason (to ensure our website runs correctly).

To understand how customers and visitors to our website use the website and interact with it via data analysis
  Legal reason(s): Legitimate Interests Reason (to improve and grow our business, including our website, and to understand our customers’ needs, desires and requirements).

4.6. Sometimes we may anonymise personal information so that you can no longer be identified from it and use this for our own purposes. In addition, sometimes we may use some of your personal information together with other people’s personal information to give us statistical information for our own purposes. Because this is grouped together with other personal information and you are not identifiable from that combined data we are able to use this.

4.7. Under data protection laws, we can only use your personal information for the purposes we have told you about, unless we consider that the new purpose is compatible with the purpose(s) we told you about. If we want to use your personal information for a different purpose that we do not think is compatible with the purpose(s) we told you about, then we will contact you to explain this and what legal reason is in place to allow us to do this.

5. Details of how we collect personal information and special information

5.1. We usually collect Identity Information, Contact Information, Payment Information, Transaction Information, Survey Information and Marketing Information directly from you when you fill out a form, survey or questionnaire, purchase goods, services and/or digital content from us, or contact us by email, in writing or otherwise. This includes the personal information that you provide to us when you subscribe to our mailing list, enter a competition or complete a survey.

5.2. We may also receive Website, Device and Technical Information automatically from technologies such as cookies that are installed on our website. To find out more about these, please see our cookie policy, which is available at www.bodyethos.co.uk/privacy-policy.

6. Details about who personal Information may be shared with

6.1. We may need to share your personal information with other organisations or people. These organisations include:

  1. Third parties who are not part of our group. These may include:

    1. Suppliers: such as IT support services, payment providers, administration providers, marketing agencies;

    2. Government bodies and regulatory bodies: such as HMRC and fraud prevention agencies;

    3. Our advisors: such as lawyers, accountants, auditors, insurance companies;

    4. Mail platforms;

  2. any organisations that propose to purchase our business and assets, in which case we may disclose your personal information to the potential purchaser.

6.2. Depending on the circumstances, the organisations or people who we share your personal information with will be acting as either Data Processors or Data Controllers. Where we share your personal information with a Data Processor, we will ensure that we have in place contracts that set out the responsibilities and obligations of us and them, including in respect of security of personal information.

6.3. We do not sell or trade any of the personal information that you have provided to us.

7. Details about transfers to countries outside of the EEA

7.1. We do not transfer your personal information outside of the EEA.

8. Details about how long we will hold your personal information

8.1. We will only hold your personal data for as long as is necessary. How long is necessary will depend upon the purposes for which we collected the personal information (see section 4 above) and whether we are under any legal obligation to keep the personal information (such as in relation to accounting or auditing records or for tax reasons). We may also need to keep personal information in case of any legal claims.

8.2. You can contact us (using the details at the beginning of this notice) to request a copy of our retention policy, which sets out how long different types of personal data will be kept for.

9. Automated decision making

9.1. ‘Automated decision making’ is where a decision is automatically made without any human involvement. Under data protection laws, this includes profiling. ‘Profiling’ is the automated processing of personal data to evaluate or analyse certain personal aspects of a person (such as their behaviour, characteristics, interests and preferences).

9.2. Data protection laws place restrictions upon us if we carry out any automated decision making (including profiling) that produces a legal effect or similarly significant effect on you.

9.3. We do not carry out any automated decision making (including profiling) that produces a legal effect or similarly significant effect on you. If we do decide to do this then we will notify you and we will inform you of the legal reason we are able to do this.

10. Your rights under data protection law

10.1. Under data protection laws, you have certain rights in relation to your personal information, as follows:

  1. Right to request access: (this is often called ‘subject access’). This is the right to obtain from us a copy of the personal information that we hold about you. We must also provide you with certain other information in response to these requests to help you understand how your personal information is being used.

  2. Right to correction: this is the right to request that any incorrect personal data is corrected and that any incomplete personal data is completed.

  3. Right to erasure: (this is often called the ‘right to be forgotten’). This right only applies in certain circumstances. Where it does apply, you have the right to request us to erase all of your personal information.

  4. Right to restrict processing: this right only applies in certain circumstances. Where it does apply, you have the right to request us to restrict the processing of your personal information.

  5. Right to data portability: this right allows you to request us to transfer your personal information to someone else.

  6. Right to object: you have the right to object to us processing your personal information for direct marketing purposes. You also have the right to object to us processing personal information where our legal reason for doing so is the Legitimate Interests Reason (see section 4 above) and there is something about your particular situation that means that you want to object to us processing your personal information. In certain circumstances, you have the right to object to processing where such processing consists of profiling (including profiling for direct marketing).

10.2. In addition to the rights set out in section 10.1, where we rely on consent as the legal reason for using your personal information, you have the right to withdraw your consent. Further details about this are set out in section 4.5.

10.3. If you want to exercise any of the above rights in relation to your personal information, please contact us using the details set out at the beginning of this notice. If you do make a request, then please note:

  1. we may need certain information from you so that we can verify your identity;

  2. we do not charge a fee for exercising your rights unless your request is unfounded or excessive; and

  3. if your request is unfounded or excessive, then we may refuse to deal with your request.

11. Marketing

11.1. You may receive marketing from us about similar goods and services, where either you have consented to this, or we have another legal reason by which we can contact you for marketing purposes.

11.2. However, we will give you the opportunity to manage how or if we market to you. In any email that we send to you, we provide a link to either unsubscribe or opt out, or to change your marketing preferences. If you have an account with us, you can log in to your account and manage your preferences there too. To change your marketing preferences, and/or to request that we stop processing your personal information for marketing purposes, you can always contact us on the details set out at the beginning of this notice.

11.3. If you do request that we stop marketing to you, this will not prevent us from sending communications to you that are not to do with marketing (for example in relation to goods that you have purchased from us).

11.4. We do not pass your personal information on to any third parties for marketing purposes.

12. Complaints

12.1. If you are unhappy about the way that we have handled or used your personal information, you have the right to complain to the UK supervisory authority for data protection, which is the Information Commissioner’s Office (ICO). Please do contact us in the first instance if you wish to raise any queries or make a complaint in respect of our handling or use of your personal information, so that we have the opportunity to discuss this with you and to take steps to resolve the position. You can contact us using the details set out at the beginning of this privacy notice.

13. Third-party websites

Our website may contain links to third-party websites. If you click and follow those links, then these will take you to the third-party website. Those third-party websites may collect personal information from you and you will need to check their privacy notices to understand how your personal information is collected and used by them.

 

Data Protection Policy

Part I: Policy details

1. What does this policy cover and who is covered?

1.1. BODY ETHOS LTD takes the protection of Personal Data seriously. Personal Data means any information from which a living individual (called a Data Subject) can be identified. It does not include information that has been anonymised. Personal Data can come in many forms: at its simplest, it may be a name, address and telephone number, but it can include a wide range of matters such as an individual’s opinion or their preferences. Under GDPR, an IP address is also considered to be Personal Data.

1.2. As a business, we are required to comply with the UK’s Data Protection Laws and we are fully committed to ensuring that compliance. The protection of Personal Data also has a big impact on our reputation as a business. As you are covered by this policy and your contract with us requires you to comply with it, you are also obliged to ensure that all Personal Data that you may handle, or to which you may have access as you carry out your contracted duties, is properly protected.

1.3. This is an internal policy that sets out how we handle the Personal Data of any individuals we deal with. It applies to all Personal Data held about our customers and potential customers, suppliers, business contacts and any other individuals who we deal with in the course of our business. It also applies to how we handle the Personal Data of our staff and other workers and to the Personal Data of our shareholders.

1.4. BODY ETHOS LTD keeps this data protection policy under regular review, so it may be updated from time to time. This version was last updated on 01 December 2020.

This policy is not part of your employment contract. BODY ETHOS LTD may amend it at any time.

2. Key terms and definitions

2.1. Data protection law contains a lot of technical terms. To make life easy, we’ve defined them upfront here so that you can get used to them.

Automated Decision Making: a decision made by automated means, without any human involvement.

Consent: the freely given, specific, informed and unambiguous consent of a living individual to whom the Personal Data relates (a Data Subject) to the Processing of their Personal Data. This consent must have been indicated by clear and affirmative action.

Data Controller: this is the organisation or person responsible for deciding how Personal Data is collected, stored and Processed.

Data Processor: a Data Controller may appoint another organisation or person to carry out certain tasks in relation to the Personal Data on behalf of, and on the written instructions of, the Data Controller. These tasks might include, for example, hosting of a website, running of marketing mailshots and providing payroll services.

Data Protection Laws: the Data Protection Act 2018 and the General Data Protection Regulation ((EU) 2016/679) (the GDPR) and such other laws as may be applicable from time to time, including any replacements.

Data Subject: a living individual to whom the Personal Data relates.

EEA: the European Economic Area (and the countries comprised in it).

GDPR: the General Data Protection Regulation ((EU) 2016/679).

ICO: the Information Commissioner’s Office.

Personal Data: any information from which a living individual (a Data Subject) can be identified. It does not apply to information that has been anonymised. Personal Data can come in many forms: at its simplest it may be a name, address and telephone number, but it can include a wide range of matters such as an individual’s opinion or their preferences. Under GDPR, an IP address is also considered to be Personal Data.

Process (or similar words): any activity (or series of activities) in relation to Personal Data, which can include collection, recording, retrieval, storage, consultation, use, alteration or amendment, transmission, disclosure or deletion or destruction of the Personal Data.

Profiling: automated Processing of Personal Data to evaluate certain things about a Data Subject (such as to analyse or predict aspects of that Data Subject’s personal preferences, behaviour or location).

Special Categories of Personal Data: under GDPR, these are certain more sensitive types of Personal Data. This is any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation or anything that is health, genetic or biometric information.

Part II: Data Protection Responsibility

1. Compliance and compliance officers

1.1. BODY ETHOS LTD is required to comply with Data Protection Laws. Our directors, employees, workers, contractors and others in similar capacities are also required to comply with these laws. You must ensure that you read and understand this policy so that you know what you must and must not do, and what is required from you in relation to the handling and use of any Personal Data, in order for you and BODY ETHOS LTD to comply with the Data Protection Laws.

1.2. If you do not comply with this policy, we may take disciplinary action against you.

1.3. We have appointed data@bodyethos.co.uk as our data protection officer (referred to in this policy as the DPO), who has overall responsibility for overseeing BODY ETHOS LTD’s compliance with Data Protection Laws. You can contact them in the following ways:

  1. data@bodyethos.co.uk

1.4. You should contact the DPO if you have any questions or concerns about data protection, Data Protection Laws, this policy and any breach of the laws or this policy.

1.5. This policy also indicates specific situations when you must contact the DPO, for example, when there is a Personal Data breach, before you use or handle data in a new way, or when you receive any request from an individual exercising any of their rights under the Data Protection Laws.

2. The Accountability Principle

2.1. BODY ETHOS LTD is required to comply with the Data Protection Laws and to demonstrate its compliance with the Data Protection Laws (this is referred to in Data Protection Laws as the Accountability Principle).

Required measures

2.2. We are required to put in place measures to meet the requirements of the Accountability Principle and these measures include:

  1. adopting this Data Protection Policy;

  2. providing regular training to staff on Data Protection Laws and this Data Protection Policy (and other related policies, as relevant);

  3. implementing a ‘data protection by design and default’ approach (see Part VI, Section 1);

  4. having in place written contracts with any third parties who Process Personal Data on our behalf (see Part IV, Section 3.4);

  5. recording and maintaining documentation that sets out in full BODY ETHOS LTD’s Processing activities (see this Part (below));

  6. implementing appropriate security measures (see Part IV, Section 1);

  7. recording and, where necessary, reporting Personal Data breaches (see Part V, );

  8. conducting data protection impact assessments for uses of Personal Data that are likely to result in high risk to Data Subjects’ interests and where required by Data Protection Laws (see Part VI, Section 2);

  9. conducting regular reviews and, where necessary, implementing updates to the above measures.

Record Keeping

2.3. The DPO has in place a central written record that explains in full all of the Company’s Processing activities.

2.4. Where we are a Data Controller, these records must include (as a minimum):

  1. our name and contact details and those of any joint Controllers;

  2. (where applicable) the name and contact details of any data protection officer appointed;

  3. why the Personal Data is being Processed;

  4. a description of the categories of people covered (the Data Subjects);

  5. a description of the categories of Personal Data involved;

  6. a description of the categories of recipients to whom the Personal Data will be disclosed (including details of transfers of Personal Data outside of the EEA, the details of the third country or organisation and the safeguards in place);

  7. details of retention periods, i.e. for how long the data will be kept; and

  8. a description of the technical and organisational security measures that BODY ETHOS LTD has put in place to protect the Personal Data.

2.5. Where we also act as a Data Processor, these records must include (as a minimum):

  1. our name and contact details;

  2. (where applicable) the name and contact details of any data protection officer appointed;

  3. the name and contact details of each Data Controller (including details of any data protection officer appointed by the Data Controller);

  4. the categories of Processing carried out on behalf of each Data Controller;

  5. details of transfers of Personal Data outside of the EEA and the safeguards in place (including the name of the third countries or organisation); and

  6. a description of the technical and organisational security measures that BODY ETHOS LTD has put in place to protect the Personal Data.

2.6. These records can only be kept up to date if the DPO is kept fully informed about our Processing activities. So, where you or your team/department intend to carry out any new Processing, disclose Personal Data to a new third party, transfer Personal Data abroad, or do any of the other matters that may affect the records or other documentation that BODY ETHOS LTD has in place, then you should contact the DPO before carrying out these activities, to ensure that all documentation can be updated and to ensure that as a business, we remain compliant with Data Protection Laws.

Part III: Data protection principles

1. Overview

1.1. The GDPR has 6 main principles for the Processing of Personal Data. These are:

  1. Personal Data must be Processed lawfully, fairly and transparently (Principle 1);

  2. Personal Data must only be collected and Processed for specified, explicit and legitimate purposes (Principle 2);

  3. Personal Data must be adequate, relevant and limited to what is necessary for the purpose(s) for which it is Processed (Principle 3);

  4. Personal Data must be accurate and where necessary, kept up to date (Principle 4);

  5. Personal Data must not be kept for longer than is necessary for the purposes for which it is Processed (Principle 5);

  6. Personal Data must be Processed securely and appropriate measures must be taken to protect against unauthorised or unlawful Processing and against all accidental loss, destruction or damage to the Personal Data (Principle 6).

1.2. We have set out below more detail about each of the above principles and how they apply to you and BODY ETHOS LTD.

2. Lawfulness, fairness and transparency (Principle #1)

2.1. Personal Data must be Processed lawfully, fairly and transparently.

2.2. BODY ETHOS LTD must only collect and Process Personal Data where it has a lawful reason for doing so. Those lawful reasons are set out in the GDPR and include:

  1. BODY ETHOS LTD has the Consent of the Data Subject to Process their data for specific purpose(s);

  2. Processing is necessary in order for BODY ETHOS LTD to perform its obligations in relation to an existing contract or a contract it is about to enter into with the Data Subject;

  3. Processing is necessary for a legal obligation that BODY ETHOS LTD is subject to;

  4. Processing is necessary to protect the vital interests of the Data Subject or another person;

  5. Processing is necessary in BODY ETHOS LTD’s or a third party’s legitimate interests, but only so long as those legitimate interests do not override the fundamental rights and freedoms of the Data Subject.

2.3. Where the lawful reason BODY ETHOS LTD is relying on is Consent, there are specific requirements that must be complied with:

  1. the Consent itself must provide the Data Subject with sufficient information to ensure that they are informed and understand what they are being asked to consent to;

  2. the Consent must be by way of positive action – that is the Data Subject must positively agree. Silence and pre-ticked boxes do not count as Consent.

  3. any request for Consent must be separate to any other matters – for example, it should not be a condition of a contract or terms and conditions.

  4. records of Consent must be kept (for example, you must record when and how the Data Subject consented and what they were told).

2.4. The GDPR requires BODY ETHOS LTD to keep a record of the lawful reason(s) it relies on to Process Personal Data. If you plan on carrying out Processing for a new purpose, are not sure which lawful reason applies to the Processing, or need help with ensuring that any Consent is GDPR compliant, contact the DPO.

2.5. If BODY ETHOS LTD Processes any Special Categories of Personal Data, then it must identify the relevant lawful reason for Processing (as set out above) and it must also identify a separate condition for Processing those Special Categories of Personal Data. Those separate conditions include (amongst others):

  1. the Data Subject has provided their explicit Consent;

  2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of BODY ETHOS LTD, or of the Data Subject, under employment and social security and social protection law;

  3. Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;

  4. Processing relates to Personal Data that are manifestly made public by the Data Subject;

  5. Processing is necessary for the establishment, exercise or defence of legal claims; and

  6. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

2.6. If you are intending to collect any Special Categories of Personal Data, are not sure which of the separate conditions applies, or if you need help with ensuring that any Processing of Personal Data is GDPR compliant, contact the DPO.

2.7. As part of the fairness element of Principle 1, BODY ETHOS LTD should only Process Personal Data in ways that a Data Subject would reasonably expect.

2.8. As part of the transparency element of Principle 1, where BODY ETHOS LTD is acting as Data Controller, it must provide Data Subjects with certain information about its use of their Personal Data. This is usually done via a privacy notice. BODY ETHOS LTD is required to comply with the following:

  1. The privacy notice must be in writing and must be clear, concise, transparent and intelligible, using clear and plain language (i.e. no jargon).

  2. The privacy notice must cover all the matters required by the Data Protection Laws.

  3. Where we collect the Personal Data directly from the Data Subject, we must provide the privacy notice to the Data Subject at the point of first collection of the Personal Data.

  4. Where we receive Personal Data indirectly (for example, from a third party or from a public source), we must provide the privacy notice to the Data Subject within a reasonable time of receiving the Personal Data (and no later than one month after receiving it) or, if earlier than that month deadline, at the point of first communication with the Data Subject or before the Personal Data is disclosed to a third party.

2.9. BODY ETHOS LTD already has in place privacy notice(s) to cover its current activities. These are available from www.bodyethos.co.uk/privacy-policy. You should check these very carefully to see if they are suitable – and if they are not, or you are not sure if they are suitable, or if you have any questions in relation to them, then you should contact the DPO for assistance and advice.

3. Purpose Limitation (Principle #2)

3.1. Personal Data must only be collected and Processed for specified, explicit and legitimate purposes.

3.2. You must not Process any Personal Data for any purposes that are incompatible with the original purposes that were disclosed (via a privacy notice) to the Data Subject when the Personal Data was first collected.

3.3. If you do intend to Process the Personal Data for further purposes, you must first speak to the DPO prior to taking any action. The DPO will be able to advise you on whether it is possible and, if so, what steps need to be taken to comply with Data Protection Laws. The DPO will also need to update the documentation that BODY ETHOS LTD has in place relating to the Processing of Personal Data to cover the new purposes.

4. Data Minimisation (Principle #3)

4.1. Personal Data must be adequate, relevant and limited to what is necessary for the purpose(s) for which it is Processed.

4.2. You should only collect the Personal Data you actually require to carry out your work. You should not collect anything beyond this.

4.3. You must not Process Personal Data for any reason other than to carry out your work.

5. Accuracy (Principle #4)

5.1. Personal Data must be accurate and where necessary, kept up to date.

5.2. You must ensure that when Personal Data is collected that it is accurate. You should check the accuracy of the Personal Data on regular occasions. If Personal Data is not up to date or is inaccurate, you must update the Personal Data or erase it, without delay, after taking into consideration the purposes for which the Personal Data was collected.

6. Storage Limitation (Principle #5)

6.1. Personal Data must not be kept for longer than is necessary for the purposes for which it is Processed.

6.2. You must not keep Personal Data from which a Data Subject is identifiable for longer than is necessary for the purpose(s) for which we originally collected the Personal Data. Those purposes would also include any legal, accounting, regulatory or similar obligations we have to retain the Personal Data.

6.3. BODY ETHOS LTD has in place retention policies that set out retention periods for different types of data and information (including Personal Data) with which you must comply. These retention policies are available from www.bodyethos.co.uk/privacy-policy.

7. Security, integrity and confidentiality (Principle #6)

7.1. See Part IV, Section 1 immediately below for more details about this Principle 6.

Part IV: Rights and obligations

1. Security

1.1. Principle 6 requires that Personal Data must be Processed securely and appropriate measures must be taken to protect against unauthorised or unlawful Processing and against all accidental loss, destruction or damage to the Personal Data.

1.2. Security, integrity and confidentiality of Personal Data is of paramount importance. BODY ETHOS LTD has implemented, and keeps under review, technical and organisational measures and safeguards to ensure the security of Personal Data. Security of Personal Data involves protecting the Personal Data against unauthorised or unlawful Processing and against all accidental loss, destruction or damage to the Personal Data. BODY ETHOS LTD regularly tests the effectiveness of the measures and safeguards it has in place and implements updates where necessary.

1.3. Although measures must be implemented and adhered to in relation to all Personal Data, extra measures and precautions must be considered in order to protect Special Categories of Personal Data and Personal Data that relates to criminal allegations, proceedings, convictions and offences, given the highly sensitive nature of such data.

2. The Data Subject’s rights

2.1. The GDPR provides individuals with a number of rights in relation to their Personal Data. All staff should familiarise themselves with these rights so that they can recognise any requests that may be sent to them by Data Subjects. Those rights include:

  1. the right for the Data Subject to have access to their Personal Data (also known as subject access requests, and sometimes incorrectly referred to as freedom of information requests);

  2. the right for the Data Subject to have inaccurate personal data rectified, or completed if it is incomplete;

  3. the right for the Data Subject to have their Personal Data erased (also known as the right to be forgotten) (only in certain circumstances);

  4. the right for the Data Subject to request the restriction or suppression of their Personal Data (only in certain circumstances);

  5. the right for the Data Subject to receive or ask for the Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format (only in certain circumstances);

  6. the right for the Data Subject to object to Processing of their Personal Data for direct marketing purposes;

  7. the right for the Data Subject to object to Processing of their Personal Data (in certain circumstances);

  8. the right for the Data Subject to object to decisions based solely on Automated Decision Making, including Profiling;

  9. the right for the Data Subject to withdraw their Consent to Processing of Personal Data;

  10. the right for the Data Subject to be informed about the Processing of their Personal Data; and

  11. the right to complain to the ICO.

2.2. If you receive any of the above requests from a Data Subject, you should immediately contact the DPO. The DPO will either take responsibility for the request and respond to it accordingly or will advise you on what to do.

2.3. It is extremely important that, before responding to any request or taking any action in respect of it, the identity of the person making the request is verified as the Data Subject, in order to ensure that Personal Data is not disclosed to any third party or in any way altered, and that rights are not exercised by someone other than the Data Subject.

3. Disclosure of/sharing Personal Data

3.1. BODY ETHOS LTD must only disclose or share Personal Data where it is permitted to do so by Data Protection Laws. As a general rule, this means we must not share or disclose Personal Data to third parties.

3.2. Sharing/disclosing Personal Data can cover many scenarios. In its simplest form, it could be sending Personal Data to a third party by email. However, it can also cover upload (and therefore disclosure) of Personal Data on to systems that BODY ETHOS LTD uses but that are run by third parties (e.g. our suppliers and service providers).

3.3. In addition to the above, there are specific rules around the transfer of Personal Data outside of the EEA. The transfer of Personal Data to a country outside of the EEA occurs when that Personal Data is sent or transferred to or viewed or accessed in a country outside of the EEA.

3.4. Where you do need to share or disclose Personal Data to a third party, BODY ETHOS LTD must ensure that the following conditions have first been met/are in place:

  1. that third party has a business need to have access to that Personal Data (for example, if they can carry out the services required without the Personal Data, or with information that has been anonymised, then the Personal Data should not be disclosed to them);

  2. that the disclosure of the Personal Data was explained in the privacy notice given to the relevant Data Subject and if their Consent is required, this has been obtained;

  3. the third party has entered into a contract with BODY ETHOS LTD that contains GDPR-compliant clauses in relation to the sharing/disclosure of Personal Data;

  4. to the extent not covered in a written contract with the third party, BODY ETHOS LTD must have received assurances from the third party surrounding the security measures it has in place to protect the Personal Data shared with/disclosed to it; and

  5. where the sharing/disclosure will result in a transfer of Personal Data outside of the EEA, then this complies with such safeguards and measures as are required by GDPR.

3.5. If you have any questions relating to the sharing or disclosure of Personal Data, including whether the sharing/disclosure complies with the above requirements, then please contact the DPO. Before disclosing Personal Data to a new third party, or entering into a contract with a new supplier/service provider that involves the disclosure of Personal Data, contact the DPO, so that they can assist with ensuring compliance with Data Protection Laws and can ensure that all internal policies, procedures, documents and records are updated (where required).

Part V: Personal Data breaches

1. A personal data breach is where a breach of security occurs that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

2. Although it is impossible to provide an exhaustive list of what constitutes a personal data breach, examples include:

  1. an email containing Personal Data being sent to the wrong person

  2. papers or records containing Personal Data being stolen or left in a public place

  3. access to Personal Data by an unauthorised staff member or by a third party

  4. access to our systems by a hacker or similar unauthorised access

3. A personal data breach can be accidental or deliberate.

4. If you become aware of a personal data breach, or if you suspect a personal data breach has occurred or is occurring, then you must immediately inform the DPO as a matter of urgency. This is especially important because BODY ETHOS LTD has limited timescales to investigate the personal data breach and, if required, report it to the ICO. If you have any records, information or documentation relating to the personal data breach, then you should also provide these to the DPO.

5. The DPO will be responsible for investigating and dealing with the personal data breach. The DPO will decide whether the personal data breach needs to be reported to the ICO and/or relevant Data Subjects. If the DPO does decide that the personal data breach needs to be reported to the ICO, then they will do so within 72 hours after BODY ETHOS LTD became aware of the breach.

6. The DPO will maintain a register of all data protection breaches (whether or not such breaches are reported to the ICO).

Part VI: Data-protection-related matters

1. Data protection by design and default

1.1. Data Protection Laws require BODY ETHOS LTD to ensure that data protection is integrated into all of our Processing activities and practices.

1.2. This means that BODY ETHOS LTD must implement technical and organisational measures at the very beginning of a project and throughout the lifecycle of its Processing activities, systems, programmes and practices. For example, data protection should be at the heart of any new IT systems, services, practices or policies that involve Personal Data.

1.3. It also means that BODY ETHOS LTD must have a data-protection-first approach, such as ensuring that Personal Data is automatically protected by our systems, only those staff with a business need-to-know have access to the Personal Data and by ensuring that we only Process Personal Data that is necessary to the purposes for which it is Processed. It is linked to Principle 2 (Purpose Limitation) and Principle 3 (Data Minimisation).

2. Data protection impact assessments

2.1. It is also good practice for DPIAs to be carried out for any major projects that involve the Processing of Personal Data or where Processing is large scale, involves Profiling or monitoring, involves Special Categories of Personal Data or relates to vulnerable individuals.

2.2. If you think that a DPIA is required, or if you are not sure if one is required, you should contact the DPO who will be able to assist you.

2.3. A DPIA must:

  1. describe the nature, scope, context and purposes of Processing;

  2. assess necessity, proportionality and compliance measures;

  3. identify and assess the risks to Data Subjects; and

  4. identify any additional measures that may reduce those risks.

3. Direct Marketing

3.1. Any marketing to customers and other business contacts must be carried out strictly in compliance with Data Protection Laws and laws relating to marketing.

3.2. The marketing laws are complex and depend on how the marketing is to be conducted (e.g. letter, telephone or email) and who the intended recipients are (e.g. individuals (including sole traders and partners of partnerships) or companies).

3.3. Before undertaking any direct marketing, you must contact the DPO who will be able to assist you in ensuring compliance with the marketing laws and the Data Protection Laws.

3.4. Data Subjects have the right to opt out of receiving direct marketing at any time. If you receive a request objecting to direct marketing, or a Data Subject opts out of/unsubscribes from receiving it, then you should promptly ensure that this is noted on our database. Under Data Protection Laws, rather than deleting their details from our database, we are allowed to retain just enough information to record their marketing preferences so that we can ensure that no further marketing is sent to them in the future.

If you have any questions about this data protection policy or other matters relating to data protection, please contact the DPO on the contact details set out in this policy (Part II, Section 1.3).