Updated 22 Nov 2021
This privacy notice provides an overview on how we use your personal data collected through the B Lab UK websites
We are part of a global movement. There are B Labs across the globe including Australia, East Africa, mainland Europe and North and South America. The B Lab Inc (global) website is based in the US and is under US jurisdiction and data protection regulations (https://bcorporation.net/ including the UK regional pages https://bcorporation.uk/). These global websites are not covered by this policy.
We believe it is very important to respect the privacy of individuals, and to make only safe and ethical use of the information that you provide. This B Lab UK policy complies with UK GDPR and the Data Protection Act 2018 (as amended).
1. Who we are
B Lab UK is a registered charity (No. 1164694) that launched in 2015. Our purpose is to redefine success in business through building a community of engaged businesses, raising awareness of the B Corp movement and championing change in the UK economy.
This policy covers how B Lab UK collects your information through its UK websites: http://bcorporation.uk https://bleaders.uk/, https://boardroom2030.co.uk , https://betterbusinessact.org/), and is referred to as “B Lab UK”, “we”, “us” and/or “our” in this policy.
We are the data controller in respect of all personal data collected via our website, email, telephone, or in person. We are registered as a data controller with the Information Commissioner’s Office ("ICO") the UK supervisory authority for data protection issues (www.ico.org.uk) and our registration number is ZA898211.
Whenever you submit your information to us, by these or any other means, we will collect and use such information in accordance with the terms of this policy, and we will ensure that all personal data we hold is treated properly and in accordance with applicable data protection legislation.
In accordance with data protection legislation, we are required to explain to you how we will treat any personal data which we collect from or about you. If you have any concerns about the way we have used, shared or processed your data you have the right to make a complaint to the ICO. However, we would always appreciate the opportunity to address your concerns before you approach the ICO so please do contact us in the first instance by email. Please see Section 11 on your rights.
Our contact details
Name: B Lab UK, registered charity, number 1164694
Registered Address: 20-30 Whitechapel Road, London E1 1EW
Postal Address: X+Why, 20-30 Whitechapel Road, London E1 1EW
Data Protection Officer: Eilish Kavanagh
The Commissioner’s contact details
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
2. When do we collect information about you?
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- when you contact us by any means (including via our websites, over the phone, by email or by post) with queries, complaints etc.
- when you create an account with us.
- when you use your account to request or buy products from us.
- when you engage with us on social media.
- when you choose to complete any surveys we send you.
- when you comment on or review any of our products or our services.
- when you opt in to receive our newsletter.
- when you take part in a prize draw, competition or survey.
- when you've given a third party permission to share with us the information they hold about you (for example, pursuant to a third party prize draw, competition or survey).
- When you are selected for re-engagement marketing campaigns, we check to ensure we are mailing you at your most up to date address where this data is available to us through third parties. We reflect any changes in your account to ensure we can continue to provide with information that you have consented to receiving.
Automated technologies or interactions:
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. You are asked to consent to non-essential cookies when you use our website -please see our Cookie Use Policy for further details.
Third parties or publicly available sources
We may receive personal data about you from various third parties and public sources as set out below:
Technical Data from the following parties:
- analytics providers such as Google based outside the UK;
- advertising networks; and
- search information providers.
Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
- Event providers, e.g. Eventbrite when you register for an event
- Identity and Contact Data from data brokers or aggregators.
- Identity and Contact Data from publicly available sources.
3. What information do we collect about you?
Personal data is defined as information which directly or indirectly identifies an individual. It does not include data where the identity has been removed (anonymous data).
The personal data we collect depends on how you interact with us. We may collect and process the following information:
- Personal identifiers, for example, your name, date of birth, gender
- Contact details such as email address, postal address for billing or delivery and telephone/mobile number
- Transaction data: purchases and orders made by you and your password (if you set up an account on our website)
- Financial data: bank account and credit/debit card details if you place an order with us
- Marketing data: your communication and marketing preferences
- Profile data: your interests, preferences, feedback and survey responses
- Usage data: your on-line browsing activities on our websites
- Technical data: We may also automatically collect data about you such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website. We collect Technical data by using cookies and other similar technologies. Please refer to Cookies Policy for further information regarding the cookies used on our website.
- other publicly available personal data, including any which you have shared via a public platform (such as Twitter, Instagram or Facebook).
We may also collect, use and share Aggregated Data such as statistical or demographic data with our global network to monitor the growth of the movement. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
4. How and why we will use the information that you have given us
We have set out in table format a description of all the ways we plan to use your personal data, and which of the legal bases under the UK General Data Protection Regulation (UK GDPR) we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
(a) Your consent. You can remove your consent at any time. You can do this by contacting us at firstname.lastname@example.org
(b) We have a contractual obligation.
(c) We have a legal obligation.
(d) We have a legitimate interest.
5. Legitimate Interests
As noted in the ‘How and why we will use information about you’ section above, we occasionally process your personal information under the ‘legitimate interests’ legal basis. Where this is the case, we have carried out a Legitimate Interests’ Assessment (LIA) to ensure that we have weighed your interests and any risk posed to you against our own interests; ensuring that they are proportionate and appropriate.
Processing for our legitimate interests may include (i) fraud prevention and compliance; (ii) certain marketing and promotional activities; (iii) the provision and operation of referral marketing programmes; (iv) network and information systems security; (v) data analytics; (vi) enhancing, modifying or improving our service; (vii) identifying usage trends; or (viii) determining the effectiveness of campaigns or advertising.
How do you get my consent?
When you provide us with personal information to register on our website, send us an email that requires a response, sign up for training or a newsletter, or participate in a survey, where you provide us with your email address, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, such as to send you updates, information or marketing material, we will ask you directly for your expressed consent, or by asking you to update your preferences.
How do I withdraw my consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at email@example.com
7. Third Parties
We will never sell or give your personally identifiable information to third parties.
The internet works as a global environment. This means that using it to collect and process personal data often involves the international transmission of data, and on occasions processing of personal data by third parties (including social media companies) outside the European Economic Area.
Although this may happen, we can reassure you that the data will always be held securely and in line with the requirements of UK data protection legislation. However, we want you to be aware that by communicating electronically with us, you understand and agree to our processing of personal data in this way
We may store personal information in locations outside the direct control of B Lab UK (for instance, on servers or databases co-located with hosting providers such as Google – we use Google EMEA Ltd which is based in the Republic of Ireland, within the EEA).
8. International Transfers
Our websites covered by this policy (see Section 1 above) are hosted in the UK and all data provided to us is stored within servers located in the UK or the European Economic Area (“EEA”). Sometimes we may need to transfer personal data we collect from you to third-party data processors in countries that are outside the EEA - for example, this might be required in order to fulfil your order, process your payment details or provide support services. If we do this, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- The transfer is to a third party located in a country that has been deemed to provide an adequate level of protection for personal data by the European Commission.
- The transfer is subject to use of a contract approved by the European Commission which gives personal data the same protection it has in Europe.
- The transfer is to a third party based in the US which is part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
In the absence of an adequacy decision in respect of the relevant country, or appropriate safeguards as detailed above, we will not transfer your personal data outside of the EEA unless we have a lawful basis for doing so (for example, because you have explicitly consented to the proposed transfer).
9. How we store your personal information
Your information is securely stored on Google Cloud EMEA Ltd servers based in the EEA, specifically the Republic of Ireland.
We only retain your personal data for as long as we need it for the purpose for which it was collected. Whilst taking into consideration our legal obligations, we will on an ongoing basis:
- review the length of time we retain your personal data
- consider the purpose or purposes for which we hold your personal data for in deciding whether (and for how long) to retain it
- securely delete your personal data if it is no longer needed for such purpose or purposes, and
- update, archive or securely delete your personal data if it goes out of date.
For further information on how long we retain your personal data please contact us using the contact details set out in section 1 above.
10. Children's policy
B Lab UK does not knowingly collect or solicit personal information from anyone under the age of 18 or knowingly allow such persons to register on our websites. If you are under 18, please do not send any information about yourself to us, including your name, address, telephone number, or email address. In the event that we learn that we have collected personal information from a child under age 18 without verification of parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 18, please contact us at firstname.lastname@example.org
11. Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
We may need to ask you for evidence to verify the information you wish to amend or delete, in order to prevent fraud.
Please contact us by email or our postal address above [Section 1] if you wish to make a request.
12. How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at:
B Lab UK, X+Why, 20-30 Whitechapel Road, London E1 1EW
You can also complain to the ICO if you are unhappy with how we have used your data, or dealt with your complaint.
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk