Data Protection and Privacy for BNI.com
Contents
1: Overview
1.1: What is Personal Data?
1.2: How does BNI use Personal Data?
1.3: What steps does BNI take to secure Service Data?
1.4: Where will Personal Data be stored?
1.5: How does BNI Respond to Information Requests?
1.6: How does BNI respond to legal requests for Personal Data?
2: What is GDPR?
3: Principles
4: Individuals' rights
4.1: The right to be informed
4.1.1: What information must be provided to you at the time your data is obtained by us?
4.2: The right of access
4.2.2: How do I make a Subject Access Request?
4.2.3: What will happen if the request is manifestly unfounded or excessive?
4.2.4: When will I receive the information requested?
4.2.5: In what format will information be provided?
4.3: The right to rectification
4.3.1: Can we refuse to comply with the request for rectification for other reasons?
4.3.2: What will we do if we refuse to comply with a request for rectification?
4.4: The right to erasure
4.4.1: Do we have to tell other organisations about the erasure of personal data?
4.4.2: Will we erase personal data from backup systems?
4.4.3: When does the right to erasure not apply?
4.5: The right to restrict processing
4.6: The right to data portability
4.7: The right to object
4.8: Rights in relation to automated decision making and profiling
5: Your Information
5.1: Franchisees
5.1.1: Where do we get your data from?
5.1.2: What data do we have?
5.1.3: What is our legal basis for processing your data?
5.1.4: How do we use your data?
5.1.5: Who do we share your data with?
5.1.6: How do we keep your data secure?
5.1.7: How do we transfer your data safely internationally?
5.1.8: How long will we keep your data?
5.1.9: What rights do you have in relation to your data?
5.1.10: Questions or concerns
5.1.11: Right to complain
5.2: Members
5.2.1: Where do we get your data from?
5.2.2: What data do we have?
5.2.3: What is our legal basis for processing your data?
5.2.4: How do we use your data?
5.2.5: Who do we share your data with?
5.2.6: How do we keep your data secure?
5.2.7: How do we transfer your data safely internationally?
5.2.8: How long will we keep your data?
5.2.9: What rights do you have in relation to your data?
5.2.10: Questions or concerns
5.2.11: Right to complain
5.3: Non-Members
5.3.1: Where do we get your data from?
5.3.2: What data do we have?
5.3.3: What is our legal basis for processing your data?
5.3.4: How do we use your data?
5.3.5: Who do we share your data with?
5.3.6: How do we keep your data secure?
5.3.7: How do we transfer your data safely internationally?
5.3.8: How long will we keep your data?
5.3.9: What rights do you have in relation to your data?
5.3.10: Questions or concerns
5.3.11: Right to complain
6: Retention periods
7: Glossary
7.1: Key terminology
7.1.1: Biometric data
7.1.2: Consent
7.1.3: Data concerning health
7.1.4: Data controller
7.1.5: Data Protection Bill
7.1.6: Data processor
7.1.7: Data subject
7.1.9: Genetic data
7.1.10: Personal data
7.1.11: Personal data breach
7.1.12: Processing
7.1.13: Profiling
7.1.14: Privacy by design
7.1.15: Pseudonymisation
7.1.16: Restriction on processing
7.1.17: Right of access
7.1.18: Special categories of personal data
8: External resources
1: Overview
BNI supports over 200 Franchisees and 240,000 members in over 70 countries and
territories. Our members entrust us with large amounts of sensitive information.
BNI helps members maintain control of their privacy and data security in a number of ways:
• Data Security: web server and browser security for BNI Connect (TLS certificates, so that
traffic between the member's browser and the BNI Connect web server is encrypted and the
server's identity can be verified).
• Disclosure of Member Data: BNI only discloses Personal Data to third parties where
disclosure is necessary to provide the services or as required to respond to lawful
requests from public authorities.
• Access Management: we do not access or use member content for any purpose
other than providing, maintaining and improving BNI services, and as otherwise
required by law.
1.1: What is Personal Data?
The GDPR definition of ‘personal data’ is ‘any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.’
BNI Worldwide Development Limited and our Franchisees are the controllers of our
members' data and of non-members' data.
1.2: How does BNI use Personal Data?
We use Personal Data to operate and improve our services, help members access and use
the services, respond to member inquiries, and send communication related to the services.
1.3: What steps does BNI take to secure Service Data?
BNI prioritizes data security and combines enterprise-class security features with
comprehensive audits of our applications, systems, and networks to ensure member and
business data is always protected.
1.4: Where will Personal Data be stored?
BNI has data centres in the UK. The UK data-centre provider, acting as our processor, will be
signing European Commission approved Standard Contractual Clauses, committing it to continue
to protect personal data in accordance with EU data protection principles once the UK leaves
the EU.
1.5: How does BNI Respond to Information Requests?
BNI recognizes that privacy and data security issues are top priorities for members.
BNI does not disclose Personal Data except as necessary to provide its services to its
members and comply with the law as detailed in our Privacy Policy found here.
1.6: How does BNI respond to legal requests for Personal Data?
In certain situations, we may be required to disclose personal data in response to lawful
requests by public authorities, including to meet national security or law enforcement
requirements. We may disclose personal data to respond to subpoenas, court orders or other
legal process, or to establish or exercise our legal rights or defend against legal claims. We
may also share such information with relevant law enforcement agencies or public
authorities if we believe it to be necessary in order to investigate, prevent or take action
regarding illegal activities, suspected fraud or situations involving potential threats to the
physical safety of any person, or as otherwise required by law.
2: What is GDPR?
The General Data Protection Regulation (GDPR) and Ireland's Data Protection Act 2018
came into effect on 25 May 2018, replacing Ireland's Data Protection Act 1988 and the
amending Act of 2003.
GDPR addresses the processing of personal data and the free movement of such data. It
aims to strengthen the security and protection of personal data in the EU and harmonize EU
data protection law. Broadly, it sets out a number of data protection principles and
requirements that must be adhered to when personal data is processed.
GDPR also established the European Data Protection Board ("EDPB"), which ensures that
data protection law is applied consistently across the EU and works to ensure effective
cooperation amongst data protection authorities.
3: Principles
The General Data Protection Regulation (GDPR) introduces six principles. These are that
personal data must be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
2. Collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall not be considered to be incompatible with the initial purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed;
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken
to ensure that personal data that are inaccurate, having regard to the purposes for
which they are processed, are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes subject to implementation of the appropriate
technical and organisational measures required by the GDPR in order to safeguard
the rights and freedoms of individuals;
6. Processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organisational
measures.
In addition, Article 5(2) states: 'The controller [i.e. BNI] shall be responsible for, and be
able to demonstrate compliance with, paragraph 1 ("accountability").'
4: Individuals' rights
4.1: The right to be informed
The right to be informed covers some of the key transparency requirements of the GDPR. It
is about providing individuals with clear and concise information about what you do with their
personal data.
Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about.
We call this ‘transparency information’.
4.1.1: What information must be provided to you at the time your data is obtained by us?
Under the GDPR, you can obtain:
• the identity and contact details of the controller [BNI];
• the contact details of the data protection officer:
o +353 94903 5202
o KOG Logistics Building, Ballinrobe Rd, Castlebar, Co. Mayo
• confirmation that personal data is being processed;
• a copy of that information;
• supplementary information about the processing, i.e. information outlining:
o the purpose of the processing;
o the categories of personal data concerned;
o the recipients or categories of recipient to whom the personal data have been or
will be disclosed, in particular recipients in third countries or international
organisations;
o where possible, the envisaged period for which the personal data will be stored or,
if not possible, the criteria used to determine that period;
o the existence of the right to request from BNI rectification or erasure of personal
data or restriction of processing of personal data concerning the data subject, or to
object to such processing;
o the right to lodge a complaint with BNI's supervisory authority, Ireland's Data
Protection Commission;
o where the personal data are not collected from the data subject, any available
information as to their source;
o the existence of automated decision-making, including profiling, and meaningful
information about the logic involved, as well as the significance and the envisaged
consequences of such processing for you.
In addition, where personal data is transferred to a third country or international organisation,
you have the right to be informed of the appropriate safeguards in place.
4.2: The right of access
4.2.2: How do I make a Subject Access Request?
Requests can be made by email, telephone or postal mail and should include reasonable
information to enable BNI to identify and locate the information sought. They must also be
accompanied by sufficient proof of identity (so that your information is only disclosed
to you and not to someone impersonating you).
• Requests should be sent to:
• BNI Worldwide Development Ltd
Ballinrobe Road
Castlebar
Co. Mayo
F23 FT28
IRELAND
Phone: +353 94 902 1553
Email: [email protected]
4.2.3: What will happen if the request is manifestly unfounded or excessive?
Where a request is manifestly unfounded, excessive or repetitive, BNI may charge a
reasonable fee or refuse the request. Where BNI refuses, it will explain to the individual
why the request was refused and will inform them of their right to complain to the
supervisory authority and to seek a judicial remedy. This will be done without undue
delay and at the latest within one month.
4.2.3.1: Do I have to pay a fee?
No. BNI will not charge a fee for routine subject access requests. However, in line with the
GDPR, BNI may charge a 'reasonable fee' where requests are manifestly unfounded,
excessive or repetitive. An administrative fee may also be charged where further copies of
the same information are requested.
4.2.4: When will I receive the information requested?
Information will be provided as soon as possible and within one month of receipt of your
Subject Access Request. In certain circumstances, BNI may extend the timeframe for
compliance by a further two months where requests are complex or numerous. Where this is
done, BNI will inform you of the intended extension within one month of receipt of the
request and explain why the extension is necessary.
4.2.5: In what format will information be provided?
Where requests are made electronically, information will be provided in a commonly used
electronic format. Requests received by post will be responded to in paper form unless an
alternative means of communication is specified by the applicant.
4.3: The right to rectification
Under the GDPR, individuals are entitled to have inaccurate or incomplete personal data
corrected or a supplementary statement included.
Where personal data has been disclosed to other parties, it is BNI’s responsibility to contact
each recipient and inform them of the need for correction unless this would be impossible to
do or involve disproportionate effort.
If you believe BNI holds inaccurate or incomplete personal data relating to you, please notify
us (contact details are given in section 4.2.2). In line with our legal obligations, we will
respond to requests for rectification within one month of the request.
4.3.1: Can we refuse to comply with the request for rectification for other reasons?
We can refuse to comply with a request for rectification if the request is manifestly
unfounded or excessive, taking into account whether the request is repetitive in nature.
If we consider that a request is manifestly unfounded or excessive we can:
1. request a "reasonable fee" to deal with the request; or
2. refuse to deal with the request.
In either case we will inform you of our decision and the reasons for it.
4.3.2: What will we do if we refuse to comply with a request for rectification?
We will inform you without undue delay, and within one month of receipt of the request, about:
1. the reasons we are not taking action;
2. your right to make a complaint to the DPC or another supervisory authority; and
3. your ability to seek to enforce this right through a judicial remedy.
We will also provide this information if we request a reasonable fee or need additional
information to confirm your identity.
4.4: The right to erasure
Under Article 17 of the GDPR, individuals have a right to erasure, also known as a ‘right to
be forgotten’. This right can be exercised in the following circumstances:
1. Where the personal data held are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. Where the individual withdraws consent;
3. Where the individual objects to the processing and there are no overriding legitimate grounds for continued processing;
4. Where the personal data have been unlawfully processed;
5. Where the personal data have to be erased to comply with a legal obligation.
4.4.1: Do we have to tell other organisations about the erasure of personal data?
The GDPR specifies two circumstances where we must tell other organisations about the
erasure of personal data:
1. the personal data has been disclosed to others; or
2. the personal data has been made public in an online environment (for example on
social networks, forums or websites).
If we have disclosed the personal data to others, we must contact each recipient and inform
them of the erasure, unless this proves impossible or involves disproportionate effort. If
asked to, we must also inform the individual about these recipients.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other
body to which the personal data are disclosed. The definition includes controllers,
processors and persons who, under the direct authority of the controller or processor, are
authorised to process personal data.
Where personal data has been made public in an online environment, we will take reasonable
steps to inform other controllers who are processing the personal data to erase links to,
copies of or replications of that data. When deciding what steps are reasonable we take into
account the available technology and the cost of implementation.
4.4.2: Will we erase personal data from backup systems?
If a valid erasure request is received and no exemption applies, we will take steps to ensure
erasure from backup systems as well as live systems. Those steps will depend on the
particular circumstances, our retention schedule (particularly in the context of backups)
and the technical mechanisms available to us.
We will be absolutely clear with individuals as to what will happen to their data when their
erasure request is fulfilled, including in respect of backup systems.
It may be that the erasure request can be fulfilled immediately in respect of live systems,
but that the data will remain within the backup environment for a certain period of time
until it is overwritten.
If the backup data cannot be immediately overwritten, we will put it 'beyond use': we will
ensure that we do not use the data within the backup for any other purpose, i.e. the backup
is simply held on our systems until it is replaced in line with an established schedule, and
it is not restored back into live use.
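The two-stage erasure described above (delete from the live system now, keep the copy in the backup environment 'beyond use' until the retention schedule overwrites it) needs one control to work in practice: a record of which subjects have been erased, consulted whenever a backup is restored, so that a restore cannot silently bring erased data back into use. The following is an added example of that control and is not BNI's own code; the in-memory record store, the `Backup` and `ErasureRegistry` types, the retention schedule and the sample member records are all hypothetical and constructed for the example.

```python
"""Right-to-erasure handling across live and backup systems.

Added example, not BNI code. Assumed (hypothetical) model: personal data
lives in a dict keyed by subject id; a backup is a point-in-time copy of
that dict; an erasure registry (the 'beyond use' suppression list) records
every subject id whose erasure request has been fulfilled, so that a later
restore filters those records out instead of resurrecting them.
"""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Backup:
    taken_at: datetime
    records: dict


@dataclass
class ErasureRegistry:
    """Suppression list: subject id -> time the erasure was fulfilled."""
    suppressed: dict = field(default_factory=dict)

    def mark(self, subject_id: str, when: datetime) -> None:
        self.suppressed[subject_id] = when

    def is_suppressed(self, subject_id: str) -> bool:
        return subject_id in self.suppressed


def take_backup(live: dict, now: datetime) -> Backup:
    """Point-in-time copy of the live store, as a scheduled backup job would make."""
    return Backup(taken_at=now, records=copy.deepcopy(live))


def erase_subject(live: dict, registry: ErasureRegistry,
                  subject_id: str, now: datetime) -> bool:
    """Fulfil an erasure request against the live system.

    The record is deleted immediately and the id is written to the registry,
    because copies may still exist in backups taken before 'now'.
    Returns False when nothing was held for that subject id.
    """
    if subject_id not in live:
        return False
    del live[subject_id]
    registry.mark(subject_id, now)
    return True


def restore_backup(backup: Backup, registry: ErasureRegistry) -> tuple:
    """Rebuild a live store from a backup, keeping erased subjects beyond use.

    Returns (restored_records, dropped_ids): every subject erased after the
    backup was taken is filtered out rather than put back into live use.
    """
    restored, dropped = {}, []
    for subject_id, record in backup.records.items():
        if registry.is_suppressed(subject_id):
            dropped.append(subject_id)
        else:
            restored[subject_id] = copy.deepcopy(record)
    return restored, sorted(dropped)


def expire_backups(backups: list, retention: timedelta, now: datetime) -> list:
    """Apply the retention schedule: keep only backups younger than 'retention'.

    Once the last backup holding an erased record falls out of retention,
    that record is gone from the backup environment as well.
    """
    return [b for b in backups if now - b.taken_at < retention]


def erased_ids_still_in_backups(backups: list, registry: ErasureRegistry) -> dict:
    """For each erased subject, how many retained backups still contain it.

    This is the figure needed to be clear with the individual about what
    remains in the backup environment after their request is fulfilled.
    """
    return {sid: sum(1 for b in backups if sid in b.records)
            for sid in registry.suppressed}


if __name__ == "__main__":
    # Constructed sample data; not real member records.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    live = {"m1": {"name": "A. Member", "email": "a@example.test"},
            "m2": {"name": "B. Member", "email": "b@example.test"}}
    registry = ErasureRegistry()
    backups = [take_backup(live, t0)]
    erase_subject(live, registry, "m1", t0 + timedelta(days=1))
    backups.append(take_backup(live, t0 + timedelta(days=2)))
    print("still in backups:", erased_ids_still_in_backups(backups, registry))
    print("restore drops:", restore_backup(backups[0], registry)[1])
    kept = expire_backups(backups, timedelta(days=30), t0 + timedelta(days=31))
    print("after schedule:", erased_ids_still_in_backups(kept, registry))
```

The registry is the piece that makes 'beyond use' enforceable rather than a promise: a restore that does not consult it would quietly re-create the erased record, which is the failure mode the section above is describing. In a real deployment the registry itself must survive the backup cycle (it is not personal data in the same sense, but it must be backed up and restored with higher priority than the data it suppresses).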
4.4.3: When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
1. to exercise the right of freedom of expression and information;
2. to comply with a legal obligation;
3. for the performance of a task carried out in the public interest or in the exercise of
official authority;
4. for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes, where erasure is likely to render impossible or seriously impair
the achievement of that processing; or
5. for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
1. if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
2. if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
4.5: The right to restrict processing
Under the GDPR, individuals have a right to ‘block’ or suppress processing of personal data.
Personal data can be ‘blocked’ or suppressed in the following situations:
1. Where an individual contests the accuracy of the personal data. Processing of this data will be restricted until the accuracy of the personal data has been verified.
2. Where an individual has objected to the processing of their personal data (where processing was necessary for the performance of a public task or for the purposes of legitimate interests). Processing of this data will be restricted for the duration of the investigation into whether our legitimate grounds override those of the individual.
3. Where processing is unlawful and data subject requests restriction instead of erasure
4. Where BNI no longer requires the data but the data subject requires it to establish, exercise or defend a legal claim.
Where personal data has been disclosed to other parties, it is BNI's responsibility to contact
each recipient and inform them of the restriction, unless this would be impossible to do or
involve disproportionate effort.
If you wish to 'block' or suppress the processing of personal data relating to you, please
notify us (contact details are given in section 4.2.2).
4.6: The right to data portability
Under the GDPR, an individual has the right to receive a copy of any personal data provided
by him/her to BNI in a structured, commonly used and machine-readable format (e.g. CSV).
The right to portability applies to personal data that you have provided to BNI where both of
the following are true:
1. the data is processed on the basis of consent (Article 6(1)(a)) or explicit consent
(Article 9(2)(a)), or on the basis of a contract (Article 6(1)(b)); and
2. the processing is carried out by automated means.
Where technically feasible, BNI will transfer the data directly to another controller on request
of the data subject. Where BNI is unable to comply with this duty, the subject will need to
arrange his/her own transfer.
Information will be provided free of charge.
If you would like to access your right to portability, please contact [email protected].
Once requested, BNI will respond to the request without undue delay and within one month.
Where the request is complex or BNI has received a number of portability requests, the
timeframe may be extended by a further two months, as for subject access requests (see
section 4.2.4).
4.7: The right to object
Under the GDPR, individuals have the right to object to:
1. processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling based on those grounds);
2. direct marketing (including profiling); and
3. processing for purposes of scientific/historical research and statistics.
Once requested, processing must stop unless:
1. BNI can demonstrate there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
2. the processing is for the establishment, exercise or defence of a legal claim.
Individuals must have "grounds relating to his or her particular situation" in order to exercise
their right to object to processing for research purposes.
Where BNI conducts research in which the processing of personal data is necessary for the
performance of a public interest task, BNI is not required to comply with an objection to that
processing.
4.8: Rights in relation to automated decision making and profiling
Under the GDPR, individuals have the right not to be subject to a decision based purely on
automated processing, including profiling, which produces legal effects concerning him/ her
or similarly significantly affects him/ her. This right does not apply if the automated decision
making:
1. is necessary for entering into or performing a contract between the data subject and controller (e.g. the use of automated decision making to assign student college accommodation);
2. is authorised by Union or Member State Law applicable to the controller;
3. is based on the data subject’s explicit consent.
For any non-exempt automated decision making, BNI will:
1. provide individuals with information about the processing;
2. introduce a simple process for individuals to request human intervention and/or challenge a decision;
3. regularly review the process and system to ensure it works as intended.
For questions and concerns please email [email protected].
5: Your Information
5.1: Franchisees
5.1.1: Where do we get your data from?
Much of the data we hold on you comes from the information that you supplied on your
membership application form as well the information on BNI Connect. Additional information
may also have been provided by you as part of your interactions with us before applying or
once becoming a franchisee.
5.1.2: What data do we have?
Personal data including name, date of birth, postal address, email address, telephone
number and financial records.
5.1.3: What is our legal basis for processing your data?
• On the grounds of contractual requirement or to take steps to enter into a contract
with you e.g. to provide you with a Master Franchise Agreement;
• Because it is necessary for our or a third party’s legitimate interests;
• To allow us to comply with our legal obligations;
5.1.4: How do we use your data?
BNI may process your personal data for the following purposes:
• BNI uses the information collected from you to perform the contract we have entered
into with you to provide you with the benefits of being a BNI Franchisee.
• BNI also acts on behalf of its clients in the capacity of data processor. When working
exclusively as a data processor, BNI will be acting on the instruction of its client and
will work hard to ensure that the client is fully GDPR compliant.
5.1.5: Who do we share your data with?
BNI may share your data with:
• Employees of BNI;
• Third parties that process data on behalf of BNI to support it in fulfilling its obligations
and responsibilities to, and relationship with, you (e.g. software and system providers);
• Government departments/agencies to whom we have a statutory obligation to
release information;
• Law enforcement agencies such as the police or relevant authorities dealing with
emergency situations (only as required or appropriate and in line with Data Protection
legislation);
• Other parties, on a case-by-case basis. Disclosures will be made in full accordance with the data
protection legislation and only where necessary. Consent will be sought from you
where appropriate and you will be told about such disclosures unless exceptional
circumstances apply.
5.1.6: How do we keep your data secure?
BNI takes information security extremely seriously and has implemented appropriate
technical and organisational measures to protect personal data, including the upgrade of
SSL and TLS certificates. Access to information is restricted on a need-to-know basis and
security arrangements are regularly reviewed to ensure their continued suitability.
5.1.7: How do we transfer your data safely internationally?
In certain circumstances, it is necessary to transfer your Personal Data outside the
European Economic Area (EEA). For transfers out of the EU and Switzerland and to the
United States of America, BNI Global, LLC has self-certified that it complies with the EU-US
and Swiss-US Privacy Shield Framework as prescribed by the US Department of Commerce
regarding the retention, use, collection, and notice principles. BNI additionally adheres to the
Privacy Shield Framework recommendations pertaining to the transfer of information to third
parties, access, security, data integrity and purpose limitation and enforcement.
For transfers to non-EEA countries other than the U.S.A., the normal safeguard used is
standard contractual clauses approved by the European Commission. These clauses require
the parties to them to apply EU data protection principles to the processing of the personal
data transferred under the contracts.
5.1.8: How long will we keep your data?
BNI will retain your data in line with legal requirements or where there is a business need.
Retention timeframes will be determined in line with BNI’s Records Retention Policy.
5.1.9: What rights do you have in relation to your data?
Under the General Data Protection Regulation, you have a right of access to your data, a
right to rectification, erasure (in certain circumstances), restriction, objection or portability (in
certain circumstances). You also have a right to withdraw consent. You can verify or correct
information at any time by following the guidance here.
5.1.10: Questions or concerns
If you have any questions about this privacy notice or concerns about how your data is being
processed, please contact [email protected].
5.1.11: Right to complain
If you are unhappy with the way in which BNI has handled your personal data, you have
a right to complain to BNI Worldwide’s supervisory authority, Ireland’s Data Protection
Commission (www.dataprotection.ie).
5.2: Members
5.2.1: Where do we get your data from?
Much of the data we hold on you comes from the information that you supplied on your
membership application form as well as the information on BNI Connect. Additional information
may also have been provided by you as part of your interactions with us before applying or
once becoming a member.
5.2.2: What data do we have?
Personal data including name, date of birth, postal address, email address, telephone
number, job type and attendance records.
5.2.3: What is our legal basis for processing your data?
Typically, data will be processed:
• On the grounds of contractual requirement or to take steps to enter into a contract
with you, e.g. to provide you with the ability to join a BNI Chapter;
• because it is necessary for our or a third party’s legitimate interests;
• to allow us to comply with our legal obligations.
5.2.4: How do we use your data?
BNI may process your personal data for the following purposes:
• BNI uses the information collected from you to perform the contract we have entered
into with you to provide you with the benefits of being a BNI Member.
• BNI also acts on behalf of its clients in the capacity of data processor. When working
exclusively as a data processor, BNI will be acting on the instruction of its client and
will work hard to ensure that the client is fully GDPR compliant.
5.2.5: Who do we share your data with?
BNI may share your data with:
• employees of BNI;
• third parties that process data on behalf of BNI to support it in fulfilling its obligations
and responsibilities to, and relationship with, you (e.g. software and system providers);
• government departments/agencies to whom we have a statutory obligation to release
information;
• law enforcement agencies such as the police or relevant authorities dealing with
emergency situations (only as required or appropriate and in line with Data Protection
legislation);
• other parties, on a case-by-case basis. Disclosures will be made in full accordance with the data
protection legislation and only where necessary. Consent will be sought from you
where appropriate and you will be told about such disclosures unless exceptional
circumstances apply.
Where BNI, Government or their respective agents hold personal information provided by
members, they may need to check the accuracy of this information against external data
sources. Any such checks will be made in compliance with data protection law.
5.2.6: How do we keep your data secure?
BNI takes information security extremely seriously and has implemented appropriate
technical and organisational measures to protect personal data, including the upgrade of
SSL and TLS certificates. Access to information is restricted on a need-to-know basis and
security arrangements are regularly reviewed to ensure their continued suitability.
5.2.7: How do we transfer your data safely internationally?
In certain circumstances, it is necessary to transfer your Personal Data outside the
European Economic Area. For transfers out of the EU and Switzerland and to the United
States of America, BNI Global, LLC has self-certified that it complies with the EU-US and
Swiss-US Privacy Shield Framework as prescribed by the US Department of Commerce
regarding the retention, use, collection, and notice principles. BNI additionally adheres to the
Privacy Shield Framework recommendations pertaining to the transfer of information to third
parties, access, security, data integrity and purpose limitation and enforcement.
5.2.8: How long will we keep your data?
BNI will retain your data in line with legal requirements or where there is a business need.
Retention timeframes will be determined in line with BNI’s Records Retention Policy.
5.2.9: What rights do you have in relation to your data?
Under the General Data Protection Regulation, you have a right of access to your data, a
right to rectification, erasure (in certain circumstances), restriction, objection or portability (in
certain circumstances). You also have a right to withdraw consent. You can verify or correct
information at any time by following the guidance here.
5.2.10: Questions or concerns
If you have any questions about this privacy notice or concerns about how your data is being
processed, please contact [email protected].
5.2.11: Right to complain
If you are unhappy with the way in which BNI has handled your personal data, you have
a right to complain to BNI Worldwide’s supervisory authority, Ireland’s Data Protection
Commission (www.dataprotection.ie).
5.3: Non-Members
5.3.1: Where do we get your data from?
Much of the data we hold on you comes from the information that you supplied on your visit
to a BNI Chapter as well as the information on BNI Connect.
5.3.2: What data do we have?
Personal data including name, date of birth, postal address, email address, telephone
number and job type.
5.3.3: What is our legal basis for processing your data?
Typically, data will be processed:
• On the grounds of contractual requirement or to take steps to enter into a contract
with you, e.g. to provide you with the ability to join a BNI Chapter;
• because it is necessary for our or a third party’s legitimate interests;
• to allow us to comply with our legal obligations.
5.3.4: How do we use your data?
BNI may process your personal data for the following purposes:
• For the legitimate interests of members, franchisees and BNI to help manage visits to
BNI Chapters.
• BNI uses the information collected from you to perform the contract we have entered
into with you to provide you with the opportunity of being a BNI Member.
• BNI also acts on behalf of its clients in the capacity of data processor. When working
exclusively as a data processor, BNI will be acting on the instruction of its client and
will work hard to ensure that the client is fully GDPR compliant.
5.3.5: Who do we share your data with?
BNI may share your data with:
• employees of BNI;
• third parties that process data on behalf of BNI to support it in fulfilling its obligations
and responsibilities to, and relationship with, you (e.g. software and system providers);
• government departments/agencies to whom we have a statutory obligation to release
information;
• law enforcement agencies such as the police or relevant authorities dealing with
emergency situations (only as required or appropriate and in line with Data Protection
legislation);
• other parties, on a case-by-case basis. Disclosures will be made in full accordance with the data
protection legislation and only where necessary. Consent will be sought from you
where appropriate and you will be told about such disclosures unless exceptional
circumstances apply.
Where BNI, Government or their respective agents hold personal information provided by
members, they may need to check the accuracy of this information against external data
sources. Any such checks will be made in compliance with data protection law.
5.3.6: How do we keep your data secure?
BNI takes information security extremely seriously and has implemented appropriate
technical and organisational measures to protect personal data, including the upgrade of
SSL and TLS certificates. Access to information is restricted on a need-to-know basis and
security arrangements are regularly reviewed to ensure their continued suitability.
5.3.7: How do we transfer your data safely internationally?
In certain circumstances, it is necessary to transfer your Personal Data outside the
European Economic Area. For transfers out of the EU and Switzerland and to the United
States of America, BNI Global, LLC has self-certified that it complies with the EU-US and
Swiss-US Privacy Shield Framework as prescribed by the US Department of Commerce
regarding the retention, use, collection, and notice principles. BNI additionally adheres to the
Privacy Shield Framework recommendations pertaining to the transfer of information to third
parties, access, security, data integrity and purpose limitation and enforcement.
5.3.8: How long will we keep your data?
BNI will retain your data in line with legal requirements or where there is a business need.
Retention timeframes will be determined in line with BNI’s Records Retention Policy.
5.3.9: What rights do you have in relation to your data?
Under the General Data Protection Regulation, you have a right of access to your data, a
right to rectification, erasure (in certain circumstances), restriction, objection or portability (in
certain circumstances). You also have a right to withdraw consent. You can verify or correct
information at any time by following the guidance here.
5.3.10: Questions or concerns
If you have any questions about this privacy notice or concerns about how your data is being
processed, please contact [email protected].
5.3.11: Right to complain
If you are unhappy with the way in which BNI has handled your personal data, you have
a right to complain to BNI Worldwide’s supervisory authority, Ireland’s Data Protection
Commission (www.dataprotection.ie).
6: Retention periods
Department | Records | Retention Period | Retention Period Justification
---------- | ------- | ---------------- | -----------------------------
Human Resources | Job Applications | 1 year after notifying candidates of the outcome of the recruitment exercise (if transitioning from candidate to employee, information will be maintained for life of employment and 8 years afterwards) | Business need as determined by Human Resources
Human Resources | Pre-Employment Assessments | | Business need as determined by Human Resources
Human Resources | Resumes | | Business need as determined by Human Resources
Human Resources | Interview Notes | | Business need as determined by Human Resources
Human Resources | Equal Opportunity Monitoring | | Business need as determined by Human Resources
Human Resources | Collective Work Agreement | | Business need as determined by Human Resources
Human Resources | Master Franchise Candidate Information | | Business need as determined by Human Resources
Human Resources | Offer Letter | life of employment and 8 years afterwards | Business need as determined by Human Resources
Human Resources | Employment Contract | | Business need as determined by Human Resources
Human Resources | Background Check | | Business need as determined by Human Resources
Human Resources | Form I-9 | | Business need as determined by Human Resources
Human Resources | Certificate of Education, Qualifications, IDs | | Business need as determined by Human Resources
Human Resources | Boot camp completion | | Business need as determined by Human Resources
Human Resources | Training Records | | Business need as determined by Human Resources
Human Resources | Signed Handbook | | Business need as determined by Human Resources
Human Resources | Payroll & Compensation Records | | Business need as determined by Human Resources
Human Resources | Time Keeping/Wage Earning Records | | Business need as determined by Human Resources
Human Resources | Employment Benefits | | Business need as determined by Human Resources
Human Resources | Performance Reviews/Assessments | | Business need as determined by Human Resources
Human Resources | Incentive Plans | | Business need as determined by Human Resources
Human Resources | Terminations | | Business need as determined by Human Resources
Human Resources | Healthcare Documentation | | Business need as determined by Human Resources
Human Resources | COBRA | | Business need as determined by Human Resources
Human Resources | Short/Long Term Disability Records | | Business need as determined by Human Resources
Human Resources | Maternity Records | | Business need as determined by Human Resources
Human Resources | Accident Records | | Business need as determined by Human Resources
Human Resources | Grievance Records | | Business need as determined by Human Resources
Accounting and Finance | Compensation | life of employment and 8 years afterwards | Regulatory/Litigation/Business Need
Accounting and Finance | Pension | | Regulatory/Litigation/Business Need
Accounting and Finance | Health Care | | Regulatory/Litigation/Business Need
Accounting and Finance | Invoices w/Payment | life of engagement and 10 years afterwards | Regulatory/Litigation/Business Need
Accounting and Finance | Electronic Payment Records | | Regulatory/Litigation/Business Need
Accounting and Finance | W-9 | life of engagement and 10 years afterwards | Regulatory/Litigation/Business Need
Accounting and Finance | W-8 | | Regulatory/Litigation/Business Need
Accounting and Finance | Invoices | | Regulatory/Litigation/Business Need
Accounting and Finance | Check Stubs | | Regulatory/Litigation/Business Need
Legal | Corporate Documents for various company-owned entities | life of engagement and 10 years afterwards, unless litigation hold required | Regulatory/Litigation/Business Need
Legal | Copies of identification documents of execs, e.g., passports, driver licenses, etc. | | Regulatory/Litigation/Business Need
Legal | Vendor Contracts | | Regulatory/Litigation/Business Need
Legal | Member complaints / demands for refund | | Regulatory/Litigation/Business Need
Legal | Franchise Disclosure Documents | | Regulatory/Litigation/Business Need
Legal | Audited Financial Statements | | Regulatory/Litigation/Business Need
Legal | Franchise Agreements; Sub-franchise Agreements; Master Franchise Agreements (including all related supplements or exhibits) | | Regulatory/Litigation/Business Need
Legal | Incorporation documents for EDs’ entities | | Regulatory/Litigation/Business Need
Legal | Certificates of Insurance for EDs | | Regulatory/Litigation/Business Need
Legal | Purchase Sale Agreements and any associated supplements or exhibits; transfer/assignment agreements | | Regulatory/Litigation/Business Need
Legal | Litigation files | | Regulatory/Litigation/Business Need
Legal | Court Orders | | Regulatory/Litigation/Business Need
Legal | Requests for Departure from Records Retention Plan | | Regulatory/Litigation/Business Need
Legal | Requests to be forgotten | | Regulatory/Litigation/Business Need
Legal | Legal department notes (confidential & privileged work product) | | Regulatory/Litigation/Business Need
Legal | NDAs with vendors/potential contractors | | Regulatory/Litigation/Business Need
Legal | Privacy Policy and Terms of Service for various sites/apps | | Regulatory/Litigation/Business Need
Legal | Trademark and IP-related License/Transfer/Assignment Agreements | | Regulatory/Litigation/Business Need
Operations and Training | Podcasts | 3 yrs. | Business need as determined by Training
Operations and Training | Conference Audio | 3 yrs. | Business need as determined by Training
Operations and Training | Training Manuals | 3 yrs. | Business/Litigation Need
Operations and Training | Training Records/Training Events | life of membership and 10 years afterwards | Business/Litigation Need
Operations and Training | ND Operations Manual | 15 yr. | Business/Litigation Need
Operations and Training | ED Operations Manual | 10 yr. | Business/Litigation Need
Operations and Training | Online Training - MSP, LTT | 3 yrs. | Business/Litigation Need
Technology | Email (7 years) | life of employment and 8 years afterwards | Regulatory/Litigation/Business Need
Technology | Online Documents (Permanent; business need) | life of employment and 8 years afterwards | Regulatory/Litigation/Business Need
Technology | User | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need
Technology | Member | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need
Technology | Visitor | 2 years | Business need
Technology | Prospect | 2 years | Business need
Technology | Prospective Visitor | 2 years | Business need
Technology | Event Attendee | 2 years | Business need
Technology | Drop Member (Alumni) | life while membership active and 10 years afterwards | Regulatory/Litigation/Business Need
Technology | Expired Member | life while membership active and 10 years afterwards | Regulatory/Litigation/Business Need
Technology | Referral Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need
Technology | TYFCB Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need
Technology | CEU Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need
Technology | 1-1 Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need
Technology | Invoice | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need
Technology | Letter of Credit | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need
Technology | Payment | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need
Technology | Membership application | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need
Technology | Audit Logs | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need
Marketing | Web Forms (Non-Member) | 2 yr. after last activity | Business need as determined by Marketing
Marketing | Web Forms (Member) | 7 yrs. after last activity | Business need as determined by Marketing

Activity = opened emails, completed forms, visits to a webpage.
7: Glossary
7.1: Key terminology
The General Data Protection Regulation (GDPR) includes a number of slightly revised
definitions as well as new concepts and terminology. The definitions below are drawn
directly from the Regulation and will be unpicked over the coming months to include BNI-
specific worked examples. In the meantime, if anything is unclear please contact us for further
guidance.
7.1.1: Biometric data:
Means personal data resulting from specific technical processing relating to the
physical, physiological or behavioural characteristics of a natural person, which allow or
confirm the unique identification of that natural person, such as facial images or
dactyloscopic data.
7.1.2: Consent:
Means any freely given, specific, informed and unambiguous indication of the data
subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her.
7.1.3: Data concerning health:
Means personal data related to the physical or mental health of a natural person,
including the provision of health care services, which reveal information about his or her
health status.
7.1.4: Data controller:
Means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of
personal data; where the purposes and means of such processing are determined by the
Union or Member State law, the controller or the specific criteria for its nomination may be
provided for by Union or Member State law.
7.1.5: Data Protection Bill:
A complete data protection framework that addresses derogations from the GDPR as
well general data, law enforcement data and national security data rules. The Bill will replace
the Data Protection Act, 1998 and sit alongside the GDPR.
7.1.6: Data processor:
Means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller.
7.1.7: Data subject:
A natural person whose personal data is processed by a data controller or processor.
7.1.9: Genetic data:
Means personal data relating to the inherited or acquired genetic characteristics of a
natural person which give unique information about the physiology or the health of that
natural person and which result, in particular, from an analysis of a biological sample from
the natural person in question.
7.1.10: Personal data:
Any information relating to an identified or identifiable natural person ('data subject');
an identifiable natural person is one who can be identified directly or indirectly, in particular
by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person.
7.1.11: Personal data breach:
Means a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
otherwise processed.
7.1.12: Processing:
Means any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
7.1.13: Profiling:
Means any form of automated processing of personal data consisting of the use of
personal data to evaluate certain personal aspects relating to a natural person, in particular
to analyse or predict aspects concerning that natural person's performance at work,
economic situation, health, personal preferences, interests, reliability, behaviour, location or
movements.
7.1.14: Privacy by design:
An approach to project management that considers privacy issues at the initial
design stage as well as throughout project delivery.
7.1.15: Pseudonymisation:
Means the processing of personal data in such a manner that the personal data can
no longer be attributed to a specific data subject without the use of additional information,
provided that such additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are not attributed to an identified
or identifiable natural person.
7.1.16: Restriction on processing:
Means the marking of stored personal data with the aim of limiting their processing in
the future.
7.1.17: Right of access:
i.e. a right for data subjects to obtain from the controller confirmation as to whether or
not personal data is being processed and, where it is being processed, a right to be given
access to that data and answers to various questions outlined in Article 15 of the Regulation.
For further information, see BNI's guidance available here.
7.1.18: Special categories of personal data:
i.e. personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs or trade union membership or the processing of genetic data, biometric
data for the purposes of uniquely identifying a natural person, data concerning health or data
concerning a natural person's sex life or sexual orientation.
8: External resources
DPO.ie
Data Protection.ie
Data Protection Act 1988
Data Protection (Amendment) Act 2003
http://www.eugdpr.org
European Commission, Article 29 Working Party, http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
European Commission, Data protection, http://ec.europa.eu/justice/data-protection/index_en.htm
JISC, Data Protection, https://www.jisc.ac.uk/guides/data-protection