Benefits Communication Limited (“Benefits Communication”) is dedicated to protecting the confidentiality and privacy of information entrusted to us. Please read this Privacy Notice to learn about what information we hold, how we use and protect it.
This notice applies to any personal data we hold about individuals. In this notice “you” refers to any individual whose personal data we hold or process. “Personal data” means information that relates to you as an identified or identifiable person.
This notice is governed by the EU General Data Protection Regulation (the “GDPR”).
Who we are
Benefits Communication (“we” or “us”) provide an online, cloud-based benefits portal for companies, and their employees, to manage their employee benefits. Benefits Communication is a “data processor” and processes data provided to us by third parties e.g., company employers or companies who may be appointed by an employer to administer the portal on your employer’s behalf.
Benefits Communication Limited is registered, and operates, in England & Wales: registered number 0911418.
Who can you contact for privacy questions or concerns?
You may contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/handling/ to report concerns you may have about our data handling practices.
Lawful basis for processing your personal data
We may rely on the following lawful reasons when we collect and process your personal data to operate our business and provide our products and services.
- To fulfil a contract we have with your employer;
- You have provided your consent for the processing of data. This may have been provided to your employer; or
- When it is in our legitimate interests – we may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced, including delivering the professional services your employer may have engaged us to provide; or
- To comply with legal and regulatory obligations.
What information do we collect about you?
We may collect and process the following categories of personal data about you.
|Financial||Your financial position, status and history.|
|Contact||Your name, where you live and how to contact you.|
|Socio-Demographic||This includes details about your work or profession, your gender, marital status, nationality.|
|Employee Benefits||Details about your employee benefits.|
|Communications||What we learn about you through any communications. This may be communications that we have with your employer.|
|Family and beneficiary||Marital status, dependants, and other relationships, including names and dates of birth|
|National Identifier||A number or code given to you by a government to identify who you are, such as a National Insurance or social security number, or Tax Identification Number (TIN).|
|Technical and Geographical||When you log onto our portal, we collect information which includes your Internet Protocol (IP) address, your log-in information, your geographical location, your browser and browser plug-in type and version, and your operating system and platform.|
How do we collect personal data?
Directly. This will include any information you provide when you talk to us on the phone, including recorded calls, and notes we may make, or any other communications; and Technical and Geographical data.
Indirectly. We obtain personal data indirectly about individuals from a variety of sources, including the following:
- Employers – the majority of the information that we process will be provided by your employer. Your employer will provide personal data about you to us in order for us to deliver our services to you;
- Other third-party providers – some employers may appoint a company to administer their employee benefit scheme. In such cases, your employer may pass information relating to you to the benefit administration company who will in turn process this information on our portal. You do not have to supply any personal information to us, but our services may not be operable in practice without providing data to us.
What we use your personal data for
We use personal information for the purpose for which it has been provided to us, or to fulfil legal or regulatory requirements if necessary. We have a legitimate interest in holding and processing information provided to us in order to provide our services, as well as manage our relationship with you or your employer, including providing you or your employer with notifications about any changes to the services we offer.
We use your IP address to diagnose problems with our server, report aggregate information, and determine the fastest route for your computer to use in connecting to our website and portal (collectively called “site”), and to administer and improve the site.
Sharing your information
We will share your personal information with companies where they have been appointed by your employer to administer your employer’s employee benefit schemes.
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We may share your information with certain suppliers who may assist us with the management of employee benefits or IT services.
Where we do supply your personal data to a third party, they will only be authorised to process it for specified purposes and not for use for their own purposes.
We have put in place appropriate measures to protect the security of your information.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will retain an individual’s personal data for so long as the purpose your employer has provided it for still exists, unless a longer retention period is required or permitted by law, including:
- To respond to a question or complaint, or to show whether we gave you fair treatment.
- To obey rules that apply to us about keeping records, generally 3-8 years.
We may also keep your data for longer than 8 years if we cannot delete it for other legal, regulatory or technical reasons. As an example, we are required to hold pension transfer information indefinitely.
For any category of personal data not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period for any personal data will be deemed to be 7 years from the date of receipt by us of that data.
We will only use your personal information for those purposes and will make sure that your privacy is protected at all times.
Your privacy rights
The GDPR gives you the following rights in respect of personal data we hold about you:
|The right of access||You have the right to see personal data that is held about you and a right to have a copy provided to you.|
|The right to correction||If at any point you believe that the personal data we hold about you in inaccurate, you can ask to have it corrected.|
|The right to erasure (the ‘right to be forgotten’)||You may ask us to delete or remove personal data if there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), if we may have processed your information unlawfully or if we are required to delete your personal data to comply with local law.
We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
|The right to object to processing||Unless we have overriding legitimate grounds for such processing, you may object to us using your personal data if you feel your fundamental rights and freedoms are impacted.|
|The right to restrict processing||You can request that we no longer process your personal data in certain ways, whilst not requiring us to delete the same data.|
|The right to data portability||You can request the transfer of your personal information to another party (where technically possible).|
|Right to withdraw consent||If we are relying on your consent as the basis on which we are processing your personal data, you have the right to withdraw your consent at any time.|
If you would like to exercise any of your above rights, please contact the Data Protection Manager in writing (or email) as detailed above.
We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).
If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO) and our Data Protection Manager.
If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.
Our websites may contain links and references to other websites. Please be aware that this notice does not apply to those websites. Please review the destination websites’ privacy policies before submitting personal data on those sites. In addition, if you came to us via a third-party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third-party site.
We use strictly necessary and functional cookies to enable you to move around the website and portal efficiently and to provide basic features e.g., cookies that enable a faster browsing experience. No tracking or performance cookies are used.
Transferring your information outside Europe
We store personal data on servers located in the European Economic Area (EEA) and transfer data to other parties within the EEA. There are certain cases where your employer may request we transfer your personal data to another company in contract with them or within their group of companies that is situated outside the EEA. We carry out these requests on the understanding that your employer, in their capacity as the “data controller”, can provide “sufficient guarantees” that the requirements of the GDPR will be met and that your rights will be protected.
Notification of changes to the contents of this notice
We will post details of any changes to our policy to our website, to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.
Policy towards children
Our services are not intended for and should not be accessed by individuals under 16. Our policy is not to intentionally or knowingly collect, process, maintain or use personal information from any individual under the age of 16.