Date post: 14-Mar-2020
Data Protection and Privacy for BNI.com
Contents

1: Overview
1.1: What is Personal Data?
1.2: How does BNI use Personal Data?
1.3: What steps does BNI take to secure Service Data?
1.4: Where will Personal Data be stored?
1.5: How does BNI Respond to Information Requests?
1.6: How does BNI respond to legal requests for Personal Data?
2: What is GDPR?
3: Principles
4: Individuals' rights
4.1: The right to be informed
4.1.1: What information must be provided to you at the time your data is obtained by us?
4.2: The right of access
4.2.2: How do I make a Subject Access Request?
4.2.3: What will happen if the request is manifestly unfounded or excessive?
4.2.4: When will I receive the information requested?
4.2.5: In what format will information be provided?
4.3: The right to rectification
4.3.1: Can we refuse to comply with the request for rectification for other reasons?
4.3.2: What will we do if we refuse to comply with a request for rectification?
4.4: The right to erasure
4.4.1: Do we have to tell other organisations about the erasure of personal data?
4.4.1: Will we erase personal data from backup systems?
4.4.2: When does the right to erasure not apply?
4.5: The right to restrict processing
4.6: The right to data portability
4.7: The right to object
4.8: Rights in relation to automated decision making and profiling
5: Your Information
5.1: Franchisees
5.1.1: Where do we get your data from?
5.1.2: What data do we have?
5.1.3: What is our legal basis for processing your data?
5.1.4: How do we use your data?
5.1.5: Who do we share your data with?
5.1.6: How do we keep your data secure?
5.1.7: How do we transfer your data safely internationally?
5.1.8: How long will we keep your data?
5.1.9: What rights do you have in relation to your data?
5.1.10: Questions or concerns
5.1.11: Right to complain
5.2: Members
5.2.1: Where do we get your data from?
5.2.2: What data do we have?
5.2.3: What is our legal basis for processing your data?
5.2.4: How do we use your data?
5.2.5: Who do we share your data with?
5.2.6: How do we keep your data secure?
5.2.7: How do we transfer your data safely internationally?
5.2.8: How long will we keep your data?
5.2.9: What rights do you have in relation to your data?
5.2.10: Questions or concerns
5.2.11: Right to complain
5.3: Non-Members
5.3.1: Where do we get your data from?
5.3.2: What data do we have?
5.3.3: What is our legal basis for processing your data?
5.3.4: How do we use your data?
5.3.5: Who do we share your data with?
5.3.6: How do we keep your data secure?
5.3.7: How do we transfer your data safely internationally?
5.3.8: How long will we keep your data?
5.3.9: What rights do you have in relation to your data?
5.3.10: Questions or concerns
5.3.11: Right to complain
6: Retention periods
7: Glossary
7.1: Key terminology
7.1.1: Biometric data
7.1.2: Consent
7.1.3: Data concerning health
7.1.4: Data controller
7.1.5: Data Protection Bill
7.1.6: Data processor
7.1.7: Data subject
7.1.9: Genetic data
7.1.10: Personal data
7.1.11: Personal data breach
7.1.12: Processing
7.1.13: Profiling
7.1.14: Privacy by design
7.1.15: Pseudonymisation
7.1.16: Restriction on processing
7.1.17: Right of access
7.1.18: Special categories of personal data
8: External resources

1: Overview

BNI supports over 200 Franchisees and 240,000 members in over 70 countries and territories. Our members entrust us with large amounts of sensitive information.

BNI helps members maintain control of their privacy and data security in a myriad of ways:

• Data Security: Web server and browser security of BNI Connect (SSL & TLS Certificates)
• Disclosure of Member Data: BNI only discloses Personal Data to third parties where disclosure is necessary to provide the services or as required to respond to lawful requests from public authorities.
• Access Management: We do not access or use member content for any purpose other than providing, maintaining and improving BNI personals and as otherwise required by law.

1.1: What is Personal Data?

The GDPR definition of ‘personal data’ is ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

BNI Worldwide Development Limited and our Franchisees are the controllers of our members’ data and non-members’ data.

1.2: How does BNI use Personal Data?

We use Personal Data to operate and improve our services, help members access and use the services, respond to member inquiries, and send communication related to the services.

1.3: What steps does BNI take to secure Service Data?

BNI prioritizes data security and combines enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure member and business data is always protected.

1.4: Where will Personal Data be stored?

BNI has data centres in the UK and this processor will be signing European Commission approved Standard Contractual Clauses giving commitments to continue to protect personal data in accordance with EU data protection principles once the UK leaves the EU.

1.5: How does BNI Respond to Information Requests?

BNI recognizes that privacy and data security issues are top priorities for members.

BNI does not disclose Personal Data except as necessary to provide its services to its members and comply with the law as detailed in our Privacy Policy found here.

1.6: How does BNI respond to legal requests for Personal Data?

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe it to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law.

2: What is GDPR?

The General Data Protection Regulation (GDPR) and Ireland’s Data Protection Act 2018 came into effect on 25 May 2018, replacing Ireland’s Data Protection Act 1988 and the amended act of 2003.

GDPR addresses the processing of personal data and the free movement of such data. It aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Broadly, it sets out a number of data protection principles and requirements that must be adhered to when personal data is processed.

GDPR also established the European Data Protection Board (“EDPB”), which ensures that the data protection law is applied consistently across the EU and works to ensure effective cooperation amongst data protection authorities.

3: Principles

The General Data Protection Regulation (GDPR) introduces six principles. These are that personal data must be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In addition, Article 5 (2) states, ‘The controller [i.e., BNI] shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

4: Individuals' rights

4.1: The right to be informed

The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing individuals with clear and concise information about what you do with their personal data.

Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘transparency information’.

4.1.1: What information must be provided to you at the time your data is obtained by us?

Under the GDPR, you can obtain:

• The identity and contact details of the controller [BNI];
• The contact details of the data protection officer:
  o [email protected]
  o +353 94903 5202
  o KOG Logistics Building, Ballinrobe Rd, Castlebar, Co. Mayo
• confirmation that personal data is being processed;
• a copy of that information;
• supplementary information about the processing, i.e. information outlining:
  o the purpose of the processing;
  o the categories of personal data concerned;
  o the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  o where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
  o the existence of the right to request from BNI rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  o the right to lodge a complaint with BNI’s supervisory authority, Ireland’s Data Protection Commission;
  o where the personal data are not collected from the data subject, any available information as to their source;
  o the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

In addition, where personal data is transferred to a third country or international organisation, you have the right to be informed of the appropriate safeguards in place.

4.2: The right of access

4.2.2: How do I make a Subject Access Request?

Requests can be made by email, telephone or postal mail and should include reasonable information to enable BNI to identify and locate the information sought. They must also be accompanied by sufficient proof of identity (to ensure that your information is only disclosed to you).

Requests should be sent to:

BNI Worldwide Development Ltd
Ballinrobe Road
Castlebar
Co. Mayo
F23 FT28
IRELAND
Phone: +353 94 902 1553
Email: [email protected]

4.2.3: What will happen if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded, excessive or repetitive, BNI may refuse the request, in which case BNI will explain to the individual why it was refused and will inform them of their rights to complain to the supervisory authority and to a judicial remedy, without undue delay and at the latest within one month.

4.2.3.1: Do I have to pay a fee?

No. BNI will not charge a fee for routine subject access requests. However, in line with the GDPR, BNI may charge a ‘reasonable fee’ where requests are manifestly unfounded, excessive or repetitive. An administrative fee may also be charged where further copies of the same information are requested.

4.2.4: When will I receive the information requested?

Information will be provided as soon as possible and within one month of receipt of your Subject Access Request. In certain circumstances, BNI may extend the timeframe for compliance by a further two months where requests are complex or numerous. Where this is done, BNI will inform you of the intended extension within one month of receipt of the request and explain why the extension is necessary.

4.2.5: In what format will information be provided?

Where requests are made electronically, information will be provided in a commonly used electronic format. Requests received by post will be responded to in paper form unless an alternative means of communication is specified by the applicant.

4.3: The right to rectification

Under the GDPR, individuals are entitled to have inaccurate or incomplete personal data corrected or a supplementary statement included.

Where personal data has been disclosed to other parties, it is BNI’s responsibility to contact each recipient and inform them of the need for correction unless this would be impossible to do or involve disproportionate effort.

If you believe BNI holds inaccurate or incomplete personal data relating to you, please notify [email protected].

In line with our legal obligations, we will respond to requests for rectification within one month of the request.

4.3.1: Can we refuse to comply with the request for rectification for other reasons?

We can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If we consider that a request is manifestly unfounded or excessive, we can:

1. request a ‘reasonable fee’ to deal with the request; or
2. refuse to deal with the request.

In either case, we will inform you of our decision and the reasons for it.

4.3.2: What will we do if we refuse to comply with a request for rectification?

We will inform the individual without undue delay and within one month of receipt of the request about:

1. the reasons we are not taking action;
2. your right to make a complaint to the DPC or another supervisory authority; and
3. your ability to seek to enforce this right through a judicial remedy.

We will also provide this information if we request a reasonable fee or need additional information to identify the individual.

4.4: The right to erasure

Under Article 17 of the GDPR, individuals have a right to erasure, also known as a ‘right to be forgotten’. This right can be exercised in the following circumstances:

1. Where the personal data held are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. Where the individual withdraws consent;
3. Where the individual objects to the processing and there are no overriding legitimate grounds for continued processing;
4. Where the personal data have been unlawfully processed;
5. Where the personal data have to be erased to comply with a legal obligation.

4.4.1: Do we have to tell other organisations about the erasure of personal data?

The GDPR specifies two circumstances where we should tell other organisations about the erasure of personal data:

1. the personal data has been disclosed to others; or
2. the personal data has been made public in an online environment (for example on social networks, forums or websites).

If we have disclosed the personal data to others, we must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the individuals about these recipients.

The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Where personal data has been made public in an online environment, we should take reasonable steps to inform other controllers who are processing the personal data to erase links to, copies or replication of that data. When deciding what steps are reasonable, we take into account available technology and the cost of implementation.

4.4.1: Will we erase personal data from backup systems?

If a valid erasure request is received and no exemption applies, we will have to take steps to ensure erasure from backup systems as well as live systems. Those steps will depend on the particular circumstances, our retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to us.

We will be absolutely clear with individuals as to what will happen to their data when their erasure request is fulfilled, including in respect of backup systems.

It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten.

If it cannot be immediately overwritten, the backup data is put ‘beyond use’. We will ensure that we do not use the data within the backup for any other purpose, i.e. that the backup is simply held on our systems until it is replaced in line with an established schedule.

4.4.2: When does the right to erasure not apply?

The right to erasure does not apply if processing is necessary for one of the following reasons:

1. to exercise the right of freedom of expression and information;
2. to comply with a legal obligation;
3. for the performance of a task carried out in the public interest or in the exercise of official authority;
4. for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
5. for the establishment, exercise or defence of legal claims.

The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:

1. if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
2. if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).

4.5: The right to restrict processing

Under the GDPR, individuals have a right to ‘block’ or suppress processing of personal data. Personal data can be ‘blocked’ or suppressed in the following situations:

1. Where an individual contests the accuracy of the personal data. Processing of this data will be restricted until the accuracy of the personal data has been verified.
2. Where an individual has objected to the processing of their personal data (where processing was necessary for the performance of a public task or the purpose of legitimate interests). Processing of this data will be restricted for the duration of the investigation into whether our legitimate grounds override those of the individual.
3. Where processing is unlawful and the data subject requests restriction instead of erasure.
4. Where BNI no longer requires the data but the data subject requires it to establish, exercise or defend a legal claim.

Where personal data has been disclosed to other parties, it is BNI’s responsibility to contact each recipient and inform them of the need for correction unless this would be impossible to do or involve disproportionate effort.

If you wish to ‘block’ or suppress the processing of personal data relating to you, please notify

4.6: The right to data portability

Under the GDPR, an individual has the right to receive a copy of any personal data provided by him/her to BNI in a structured, commonly used and machine-readable format (e.g. CSV). The following categories of data are subject to the right to portability:

1. data processed on the basis of consent (Article 6 (1) (a)) or explicit consent (Article 9 (2));
2. data processed on a contract (Article 6 (1) (b));
3. data processed by automated means.

Where technically feasible, BNI will transfer the data directly to another controller on request of the data subject. Where BNI is unable to comply with this duty, the subject will need to arrange his/her own transfer.

Information will be provided free of charge.

If you would like to access your right to portability, please contact [email protected].

Once requested, BNI will respond to the request without undue delay and within one month. Where the request is complex or BNI has received a number of portability requests, the timeframe may be extended by a further .

4.7: The right to object

Under the GDPR, individuals have the right to object to:

1. processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including authority);

2. direct marketing (including profiling); and

3. processing for purposes of scientific/historical research and statistics.

Once requested, processing must stop unless:

1. BNI can demonstrate there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or

2. the processing is for the establishment, exercise or defence of a legal claim.

Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.

If you are conducting research where the processing of personal data is necessary for the performance of a public interest task, you are not required to comply with an objection to the processing.

4.8: Rights in relation to automated decision making and profiling.

Under the GDPR, individuals have the right not to be subject to a decision based purely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her. This right does not apply if the automated decision making:


1. is necessary for entering into or performing a contract between the data subject and controller (e.g. the use of automated decision making to assign student college accommodation);

2. is authorised by Union or Member State Law applicable to the controller;

3. is based on the data subject’s explicit consent.

For any non-exempt automated decision making, BNI will:

1. provide individuals with information about the processing;

2. introduce a simple process for individuals to request human intervention and/or challenge a decision;

3. regularly review the process and system to ensure it works as intended.

For questions and concerns please email [email protected].


5: Your Information

5.1: Franchisees

5.1.1: Where do we get your data from?

Much of the data we hold on you comes from the information that you supplied on your membership application form as well as the information on BNI Connect. Additional information may also have been provided by you as part of your interactions with us before applying or once becoming a franchisee.

5.1.2: What data do we have?

Personal data including name, date of birth, postal address, email address, telephone number and financial records.

5.1.3: What is our legal basis for processing your data?

• On the grounds of contractual requirement or to take steps to enter into a contract with you, e.g. to provide you with a Master Franchise Agreement;

• Because it is necessary for our or a third party’s legitimate interests;

• To allow us to comply with our legal obligations;

5.1.4: How do we use your data?

BNI may process your personal data for the following purposes:

• BNI uses the information collected from you to perform the contract we have entered into with you to provide you with the benefits of being a BNI Franchisee.

• BNI also acts on behalf of its clients in the capacity of data processor. When working exclusively as a data processor, BNI will be acting on the instruction of its client and will work hard to ensure that the client is fully GDPR compliant.

5.1.5: Who do we share your data with?

BNI may share your data with:

• Employees and of BNI;

• Third parties that process data on behalf of BNI to support it in fulfilling its obligations and responsibilities to and relationship with you (e.g. software and system providers);

• Government departments/agencies to whom we have a statutory obligation to release information;

• Law enforcement agencies such as the police or relevant authorities dealing with emergency situations (only as required or appropriate and in line with Data Protection legislation).

• The BNI-case basis. Disclosures will be made in full accordance with the data protection legislation and only where necessary. Consent will be sought from you where appropriate and you will be told about such disclosures unless exceptional circumstances apply.


5.1.6: How do we keep your data secure?

BNI takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data, including the upgrade of SSL & TLS certificates. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability.

5.1.7: How do we transfer your data safely internationally?

In certain circumstances, it is necessary to transfer your Personal Data outside the European Economic Area (EEA). For transfers out of the EU and Switzerland and to the United States of America, BNI Global, LLC has self-certified that it complies with the EU-US and Swiss-US Privacy Shield Framework as prescribed by the US Department of Commerce regarding the retention, use, collection, and notice principles. BNI additionally adheres to the Privacy Shield Framework recommendations pertaining to the transfer of information to third parties, access, security, data integrity and purpose limitation and enforcement.

For transfers to non-EEA countries other than the U.S.A., the normal safeguard used is standard contractual clauses approved by the European Commission. These clauses require the parties to them to apply EU data protection principles to the processing of the personal data transferred under the contracts.

5.1.8: How long will we keep your data?

BNI will retain your data in line with legal requirements or where there is a business need.

Retention timeframes will be determined in line with the BNI’s Records Retention Policy.

5.1.9: What rights do you have in relation to your data?

Under the General Data Protection Regulation, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. You can verify or correct information at any time by following the guidance here,

5.1.10: Questions or concerns

If you have any questions about this privacy notice or concerns about how your data is being processed, please contact [email protected].

5.1.11: Right to complain

If you are unhappy with the way in which BNI has handled your personal data, you have a right to complain to BNI Worldwide’s supervisory authority, Ireland’s Data Protection Commission (www.dataprotection.ie).


5.2: Members

5.2.1: Where do we get your data from?

Much of the data we hold on you comes from the information that you supplied on your membership application form as well as the information on BNI Connect. Additional information may also have been provided by you as part of your interactions with us before applying or once becoming a member.

5.2.2: What data do we have?

Personal data including name, date of birth, postal address, email address, telephone number, job type and attendance records.

5.2.3: What is our legal basis for processing your data?

Typically, data will be processed:

• On the grounds of contractual requirement or to take steps to enter into a contract with you, e.g. to provide you with the ability to join a BNI Chapter;

• because it is necessary for our or a third party’s legitimate interests;

• to allow us to comply with our legal obligations;

5.2.4: How do we use your data?

BNI may process your personal data for the following purposes:

• BNI uses the information collected from you to perform the contract we have entered into with you to provide you with the benefits of being a BNI Member.

• BNI also acts on behalf of its clients in the capacity of data processor. When working exclusively as a data processor, BNI will be acting on the instruction of its client and will work hard to ensure that the client is fully GDPR compliant.

5.2.5: Who do we share your data with?

BNI may share your data with:

• employees and of BNI;

• third parties that process data on behalf of BNI to support it in fulfilling its obligations and responsibilities to and relationship with you (e.g. software and system providers);

• government departments/agencies to whom we have a statutory obligation to release information;

• law enforcement agencies such as the police or relevant authorities dealing with emergency situations (only as required or appropriate and in line with Data Protection legislation).

• The BNI-case basis. Disclosures will be made in full accordance with the data protection legislation and only where necessary. Consent will be sought from you where appropriate and you will be told about such disclosures unless exceptional circumstances apply.


Where BNI, Government or their respective agents hold personal information provided by members, they may need to check the accuracy of this information against external data sources. Any such checks will be made in compliance with data protection law.

5.2.6: How do we keep your data secure?

BNI takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data, including the upgrade of SSL & TLS certificates. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability.

5.2.7: How do we transfer your data safely internationally?

In certain circumstances, it is necessary to transfer your Personal Data outside the European Economic Area. For transfers out of the EU and Switzerland and to the United States of America, BNI Global, LLC has self-certified that it complies with the EU-US and Swiss-US Privacy Shield Framework as prescribed by the US Department of Commerce regarding the retention, use, collection, and notice principles. BNI additionally adheres to the Privacy Shield Framework recommendations pertaining to the transfer of information to third parties, access, security, data integrity and purpose limitation and enforcement.

5.2.8: How long will we keep your data?

BNI will retain your data in line with legal requirements or where there is a business need.

Retention timeframes will be determined in line with the BNI’s Records Retention Policy.

5.2.9: What rights do you have in relation to your data?

Under the General Data Protection Regulation, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. You can verify or correct information at any time by following the guidance here,

5.2.10: Questions or concerns

If you have any questions about this privacy notice or concerns about how your data is being processed, please contact [email protected].

5.2.11: Right to complain

If you are unhappy with the way in which BNI has handled your personal data, you have a right to complain to BNI Worldwide’s supervisory authority, Ireland’s Data Protection Commission (www.dataprotection.ie).


5.3: Non-Members

5.3.1: Where do we get your data from?

Much of the data we hold on you comes from the information that you supplied on your visit to a BNI Chapter as well as the information on BNI Connect.

5.3.2: What data do we have?

Personal data including name, date of birth, postal address, email address, telephone number and job type.

5.3.3: What is our legal basis for processing your data?

Typically, data will be processed:

• On the grounds of contractual requirement or to take steps to enter into a contract with you, e.g. to provide you with the ability to join a BNI Chapter;

• because it is necessary for our or a third party’s legitimate interests;

• to allow us to comply with our legal obligations;

5.3.4: How do we use your data?

BNI may process your personal data for the following purposes:

• For the legitimate interests of members, franchisees and BNI to help manage visits to BNI Chapters.

• BNI uses the information collected from you to perform the contract we have entered into with you to provide you with the opportunity of being a BNI Member.

• BNI also acts on behalf of its clients in the capacity of data processor. When working exclusively as a data processor, BNI will be acting on the instruction of its client and will work hard to ensure that the client is fully GDPR compliant.

5.3.5: Who do we share your data with?

BNI may share your data with:

• employees and of BNI;

• third parties that process data on behalf of BNI to support it in fulfilling its obligations and responsibilities to and relationship with you (e.g. software and system providers);

• government departments/agencies to whom we have a statutory obligation to release information;

• law enforcement agencies such as the police or relevant authorities dealing with emergency situations (only as required or appropriate and in line with Data Protection legislation).

• The BNI-case basis. Disclosures will be made in full accordance with the data protection legislation and only where necessary. Consent will be sought from you where appropriate and you will be told about such disclosures unless exceptional circumstances apply.

Where BNI, Government or their respective agents hold personal information provided by members, they may need to check the accuracy of this information against external data sources. Any such checks will be made in compliance with data protection law.

5.3.6: How do we keep your data secure?

BNI takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data, including the upgrade of SSL & TLS certificates. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability.

5.3.7: How do we transfer your data safely internationally?

In certain circumstances, it is necessary to transfer your Personal Data outside the European Economic Area. For transfers out of the EU and Switzerland and to the United States of America, BNI Global, LLC has self-certified that it complies with the EU-US and Swiss-US Privacy Shield Framework as prescribed by the US Department of Commerce regarding the retention, use, collection, and notice principles. BNI additionally adheres to the Privacy Shield Framework recommendations pertaining to the transfer of information to third parties, access, security, data integrity and purpose limitation and enforcement.

5.3.8: How long will we keep your data?

BNI will retain your data in line with legal requirements or where there is a business need.

Retention timeframes will be determined in line with the BNI’s Records Retention Policy.

5.3.9: What rights do you have in relation to your data?

Under the General Data Protection Regulation, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent. You can verify or correct information at any time by following the guidance here,

5.3.10: Questions or concerns

If you have any questions about this privacy notice or concerns about how your data is being processed, please contact [email protected].

5.3.11: Right to complain

If you are unhappy with the way in which BNI has handled your personal data, you have a right to complain to BNI Worldwide’s supervisory authority, Ireland’s Data Protection Commission (www.dataprotection.ie).


6: Retention periods

| Department | Records | Retention Period | Retention Period Justification |
|---|---|---|---|
| Human Resources | Job Applications | 1 year after notifying candidates of the outcome of the recruitment exercise. (If transitioning from candidate to employee, information will be maintained for life of employment and 8 years afterwards) | Business need as determined by Human Resources |
| Human Resources | Pre-Employment Assessments | | Business need as determined by Human Resources |
| Human Resources | Resumes | | Business need as determined by Human Resources |
| Human Resources | Interview Notes | | Business need as determined by Human Resources |
| Human Resources | Equal Opportunity Monitoring | | Business need as determined by Human Resources |
| Human Resources | Collective Work Agreement | | Business need as determined by Human Resources |
| Human Resources | Master Franchise Candidate Information | | Business need as determined by Human Resources |
| Human Resources | Offer Letter | life of employment and 8 years afterwards | Business need as determined by Human Resources |
| Human Resources | Employment Contract | | Business need as determined by Human Resources |
| Human Resources | Background Check | | Business need as determined by Human Resources |
| Human Resources | Form I-9 | | Business need as determined by Human Resources |
| Human Resources | Certificate of Education, Qualifications, IDs | | Business need as determined by Human Resources |
| Human Resources | Boot camp completion | | Business need as determined by Human Resources |
| Human Resources | Training Records | | Business need as determined by Human Resources |
| Human Resources | Signed Handbook | | Business need as determined by Human Resources |
| Human Resources | Payroll & Compensation Records | | Business need as determined by Human Resources |
| Human Resources | Time Keeping/Wage Earning Records | | Business need as determined by Human Resources |
| Human Resources | Employment Benefits | | Business need as determined by Human Resources |
| Human Resources | Performance Reviews/Assessments | | Business need as determined by Human Resources |
| Human Resources | Incentive Plans | | Business need as determined by Human Resources |
| Human Resources | Terminations | | Business need as determined by Human Resources |
| Human Resources | Healthcare Documentation | | Business need as determined by Human Resources |
| Human Resources | COBRA | | Business need as determined by Human Resources |
| Human Resources | Short/Long Term Disability Records | | Business need as determined by Human Resources |
| Human Resources | Maternity Records | | Business need as determined by Human Resources |
| Human Resources | Accident Records | | Business need as determined by Human Resources |
| Human Resources | Grievance Records | | Business need as determined by Human Resources |
| Accounting and Finance | Compensation | life of employment and 8 years afterwards | Regulatory/Litigation/Business Need |
| Accounting and Finance | Pension | | Regulatory/Litigation/Business Need |
| Accounting and Finance | Health Care | | Regulatory/Litigation/Business Need |
| Accounting and Finance | Invoices w/Payment | life of engagement and 10 years afterwards | Regulatory/Litigation/Business Need |
| Accounting and Finance | Electronic Payment Records | | Regulatory/Litigation/Business Need |
| Accounting and Finance | W-9 | life of engagement and 10 years afterwards | Regulatory/Litigation/Business Need |
| Accounting and Finance | W-8 | | Regulatory/Litigation/Business Need |
| Accounting and Finance | Invoices | | Regulatory/Litigation/Business Need |
| Accounting and Finance | Check Stubs | | Regulatory/Litigation/Business Need |
| Legal | Corporate Documents for various company-owned entities | life of engagement and 10 years afterwards, unless litigation hold required | Regulatory/Litigation/Business Need |
| Legal | Copies of identification documents of execs, e.g., passports, driver licenses, etc. | | Regulatory/Litigation/Business Need |
| Legal | Vendor Contracts | | Regulatory/Litigation/Business Need |
| Legal | Member complaints / demands for refund | | Regulatory/Litigation/Business Need |
| Legal | Franchise Disclosure Documents | | Regulatory/Litigation/Business Need |
| Legal | Audited Financial Statements | | Regulatory/Litigation/Business Need |
| Legal | Franchise Agreements; Sub franchise Agreement, Master Franchise Agreements (including all related supplements or exhibits) | | Regulatory/Litigation/Business Need |
| Legal | Incorporation documents for EDs’ entities | | Regulatory/Litigation/Business Need |
| Legal | Certificates of Insurance for EDs | | Regulatory/Litigation/Business Need |
| Legal | Purchase Sale Agreements and any associated supplements or exhibits; transfer/assignment agreements | | Regulatory/Litigation/Business Need |
| Legal | Litigation files | | Regulatory/Litigation/Business Need |
| Legal | Court Orders | | Regulatory/Litigation/Business Need |
| Legal | Requests for Departure from Records Retention Plan | | Regulatory/Litigation/Business Need |
| Legal | Requests to be forgotten | | Regulatory/Litigation/Business Need |
| Legal | Legal department notes (confidential & privileged work product) | | Regulatory/Litigation/Business Need |
| Legal | NDAs with vendors/potential contractors | | Regulatory/Litigation/Business Need |
| Legal | Privacy Policy and Terms of Service for various sites/apps | | Regulatory/Litigation/Business Need |
| Legal | Trademark and IP-related License/Transfer/Assignment Agreements | | Regulatory/Litigation/Business Need |
| Operations and Training | Podcasts | 3 yrs. | Business need as determined by Training |
| Operations and Training | Conference Audio | 3 yrs. | Business need as determined by Training |
| Operations and Training | Training Manuals | 3 yrs. | Business/Litigation Need |
| Operations and Training | Training Records/Training Events | life of membership and 10 years afterwards | Business/Litigation Need |
| Operations and Training | ND Operations Manual | 15 yr. | Business/Litigation Need |
| Operations and Training | ED Operations Manual | 10 yr. | Business/Litigation Need |
| Operations and Training | Online Training - MSP, LTT | 3 yrs. | Business/Litigation Need |
| Technology | Email (7 years) | life of employment and 8 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Online Documents (Permanent; business Need) | life of employment and 8 years afterwards | Regulatory/Litigation/Business Need |
| Technology | User | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Member | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Visitor | 2 Years | Business need |
| Technology | Prospect | 2 Years | Business need |
| Technology | Prospective Visitor | 2 Years | Business need |
| Technology | Event Attendee | 2 Years | Business need |
| Technology | Drop Member (Alumni) | life while membership active and 10 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Expired Member | life while membership active and 10 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Referral Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need |
| Technology | TYFCB Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need |
| Technology | CEU Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need |
| Technology | 1-1 Slips | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Invoice | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Letter of Credit | life of membership and 7 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Payment | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Membership application | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need |
| Technology | Audit Logs | life of membership and 10 years afterwards | Regulatory/Litigation/Business Need |
| Marketing | Web Forms | Non-Member; 2 yr. after last activity | Business need as determined by Marketing |
| Marketing | Web Forms | Member; 7 yrs. of last activity | Business need as determined by Marketing |

Activity = opened emails, completed forms, visitation to a webpage.

7: Glossary

7.1: Key terminology

The General Data Protection Regulation (GDPR) includes a number of slightly revised definitions as well as new concepts and terminology. The definitions below are drawn directly from the Regulation and will be unpicked over the coming months to include BNI specific worked examples. In the meantime, if anything is unclear please contact for further guidance.

7.1.1: Biometric data:

Means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

7.1.2: Consent:

Means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

7.1.3: Data concerning health:

Means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

7.1.4: Data controller:

Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

7.1.5: Data Protection Bill:

A complete data protection framework that addresses derogations from the GDPR as well as general data, law enforcement data and national security data rules. The Bill will replace the Data Protection Act 1998 and sit alongside the GDPR.

7.1.6: Data processor:

Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

7.1.7: Data subject:

A natural person whose personal data is processed by a data controller or processor.


7.1.9: Genetic data:

Means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

7.1.10: Personal data:

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

7.1.11: Personal data breach:

Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

7.1.12: Processing:

Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

7.1.13: Profiling:

Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

7.1.14: Privacy by design:

An approach to project management that considers privacy issues at the initial design stage as well as throughout project delivery.

7.1.15: Pseudonymisation:

Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

7.1.16: Restriction on processing:

Means the marking of stored personal data with the aim of limiting their processing in the future.

7.1.17: Right of access:

i.e. a right for data subjects to obtain from the controller confirmation as to whether or not personal data is being processed and, where it is being processed, a right to be given access to that data and answers to various questions outlined in Article 15 of the Regulation. For further information, see BNI's guidance available here.


7.1.18: Special categories of personal data:

i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

8: External resources

DPO.ie

Data Protection.ie

Data Protection Act 1988

Data Protection (Amendment) Act 2003

http://www.eugdpr.orgw

European Commission, Article 29 Working Party, http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

European Commission, Data protection, http://ec.europa.eu/justice/data-protection/index_en.htm

JISC, Data Protection, https://www.jisc.ac.uk/guides/data-protection
