Policy Statement
Business Matching UK is committed to protecting the personal data of individuals and ensuring compliance with the General Data Protection Regulation (GDPR) as applicable in the UK. This policy outlines our approach to data protection, ensuring transparency, accountability, and the safeguarding of data subjects' rights.
Policy Objectives
The objectives of this policy are:
- Embed a culture of data protection and accountability across all functions of Business Matching UK Ltd
- Ensure all staff understand their obligations in relation to handling personal data
- Minimise data protection risks through clear procedures and appropriate security measures
- Ensure timely and lawful handling of data subject rights requests
- Maintain transparency and trust with members, suppliers, and stakeholders
Scope
This policy applies to all employees, contractors, and stakeholders involved in the processing of personal data within Business Matching UK. It covers all personal data processed by the organisation, whether in electronic or physical formats.
Company Information
Company Name: Business Matching UK Limited
Company Number: 16147262
Registered Office: Town Hall Chambers, High Street East, Wallsend, Tyne and Wear, NE28 7AT, United Kingdom
Data Protection Officer (DPO): Carol Ann Pugh
Roles and Responsibilities
Senior Leadership:
Data Protection Officer (DPO):
Employees (includes volunteers):
IT Department:
Definitions
All Staff: All staff are those in full-time, part-time or casual worker employment, as well as any sub-contractor undertaking work for or on behalf of the organisation who has signed up to this Policy.
Contractor: An external individual or company engaged to perform work or services on behalf of the organisation.
Data Controller: The organisation or individual who determines the purposes and means of processing personal data.
Data Protection Officer (DPO): The designated individual within the organisation responsible for overseeing data protection strategy and implementation, ensuring compliance with UK GDPR, and serving as the point of contact for data subjects and regulatory authorities.
Data Processor: An entity or individual responsible for processing personal data on behalf of the Data Controller.
Data Subject: Any natural person whose personal data is processed.
Employee (includes Volunteers): Any individual employed by the organisation on a full-time, part-time, or voluntary basis.
IT Department: The designated team or personnel responsible for maintaining technical safeguards, system security, and monitoring IT infrastructure for vulnerabilities and threats.
Personal Data: Any information that relates to an identifiable individual, including but not limited to names, addresses, email addresses, and identification numbers.
Processing: Any activity or set of activities performed on personal data, including collection, recording, organisation, storage, retrieval, or destruction.
Senior Leadership: A leader in the organisation who holds a position of authority and responsibility for strategic planning, decision-making, and overall management of a specific department or the entire organisation, e.g. Director, Manager, Team Leader.
Special Categories of Personal Data: Sensitive data that includes racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data.
Third Party: Any individual or organisation, excluding the Data Subject, Data Controller, or Data Processor, who is authorised to process personal data under the direct authority of the Data Controller or Data Processor.
Data Protection Principles
Business Matching UK adheres to the UK GDPR's principles of data processing. We ensure personal data is processed in accordance with the following principles:
- Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and transparent to data subjects.
- Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimisation: Data collected must be adequate, relevant, and limited to what is necessary for the intended purpose.
- Accuracy: Data must be accurate and, where necessary, kept up to date.
- Storage Limitation: Data must be kept in a form that permits identification of data subjects for no longer than necessary.
- Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Lawful Basis for Processing
We process personal data under one or more of the following legal bases:
- Consent: For example, where individuals choose to receive networking bulletins, event updates, or allow non-essential cookies
- Contract: When we enter into a formal agreement with a member or service provider, such as for membership, sponsorship, or event participation
- Legal Obligation: Where we are required to retain records for tax, financial, or regulatory compliance
- Legitimate Interests: To operate, secure, and improve our platform and services, facilitate professional networking, and support our business objectives, provided these interests are not overridden by individual rights
Data Subject Rights
Business Matching UK respects the rights of individuals under the UK GDPR, including:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
Requests relating to these rights should be submitted in line with our Subject Access Request Policy and Procedure.
Third Parties and International Transfers
We only share personal data with third-party processors and service providers who meet our data protection and security standards. Contracts are in place to ensure these parties act only under our instructions and safeguard personal data. We do not currently transfer data outside the UK or EEA. If this changes, we will ensure that appropriate safeguards are implemented in line with UK GDPR.
Data Security
We implement technical and organisational measures to protect data:
- Secure systems and encrypted communications
- Access controls and user authentication
- Staff training and confidentiality agreements
- Secure disposal and data handling procedures
Records Management and Retention
Data is retained according to our Data Retention Policy, which outlines the duration data is held for legal, operational, and membership-related purposes. A summary of these periods is included in Appendix B of the internal Privacy Policy.
Data Breach Management
Any actual or suspected personal data breach must be reported to the DPO immediately.
In the event of a data breach, Business Matching UK will:
- Notify the Information Commissioner's Office (ICO) within 72 hours if the breach poses a risk to individuals' rights and freedoms
- Inform affected data subjects where necessary
- Document all breaches and mitigation actions taken
For more detailed information refer to our Data Breach Response Procedure.
Communication of the Policy
This policy will be communicated to all employees during induction and made available to stakeholders as required. Updates or critical alerts related to this policy will be shared via official communication channels such as emails, internal notices, or company bulletins.
Review and Update
This policy will be reviewed annually or following significant changes in operational activities or legislative requirements. Updates will be documented and communicated to all relevant stakeholders.