The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data.

It requires that all personal data shall be: • Processed lawfully, fairly and in a transparent manner • Collected for specific and legitimate purposes • Accurate and kept up to date, and erased when not up to date • Not stored for any longer than necessary • Processed in a manner that ensures appropriate security against personal data

In order to undertake the services highlighted above it is necessary for Beond to process personal data belonging, but not limited, to clients, prospective clients, energy suppliers, third party providers and strategic partners. Business related data is not applicable under GDPR – which has the intention of protecting personal data.

Personal Data which we hold about you

Under GDPR, usually Beond will only ever process necessary personal data. This is limited to first name, last name, email address and both landline and mobile telephone numbers. No sensitive personal data will be collected or processed in any way.

Purposes for Storing and Processing Data

We will process personal data for the purposes of:

• Performing our obligations under any potential contract of engagement with Beond or
• Sending market or industry intelligence reports or
• Sending marketing information

Lawful basis for storing and processing data

Under the EU General Data Protection Regulation (GDPR) there are six lawful basis for processing personal data. These are detailed as follows:

• Consent. The individual has given clear consent for you to process their personal data for a specific purpose
• Contract. The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
• Legal Obligation. The processing is necessary for you to comply with the law (not including contractual obligations)
• Vital Interests. The processing is necessary to protect someone’s life
• Public Task. The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
• Legitimate Interests. The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) (Source: ico.org.uk, February 2018.)

The information relating to the six lawful basis for processing personal data is taken from the ICO website and the GDPR regulation documentation. Further information regarding the lawful basis for processing personal data can be found at ico.org.uk.

Other than employees, Beond stores personal data for the following types of individuals or businesses:

• Strategic partners
• Third party intermediaries
• Energy suppliers
• Clients
• Prospective clients

Clients and prospective clients can also be split into the following categories:

• Sole traders/partnerships
• All other type of business including but not limited to limited companies and PLCs

For the purposes of the GDPR, the Information Commissioner’s Office (ICO) treats sole traders and partnerships as retail consumers and not businesses so we have a further duty of care towards these individuals.

As a result, our business has decided on the 2 lawful bases below:

• Storing and processing personal data on behalf of sole traders/partnerships
  • Both the GDPR and The Privacy and Electronic Communications Regulations (PECR) treat sole traders and partnerships as retail consumers. As such we will have a greater duty of care for such clients. We will only store and process data on behalf of sole traders and partnerships when they have provided their consent for us to do so
• Storing and processing personal data on behalf of all other individuals and businesses that are not sole traders/partnerships
  • For all other individuals and businesses we will use the “Legitimate Interest” lawful basis for the ability to store and process personal data.

The rationale for such a decision is detailed below:

• Beond has carried out a Legitimate Interest Assessment (LIA) as advised by the ICO
• Storing personal data is necessary for the legitimate interests of Beond or a third party under contract with Beond. Balanced with the interests and fundamental rights and freedoms of the individuals
  • The interest for Beond is that we have to store our clients’ personal data in order to provide the services to those clients
  • For all prospective clients, the prospects database may have been built up over many years and is crucial to the success or failure of our business and it is therefore in our legitimate interest to store and process this personal data
  • For suppliers and other individuals it is in the interest of those suppliers and other individuals for us to provide market intelligence and other marketing material as we believe it provides valuable market and industry information
  • The Privacy and Electronic Communications Regulations (PECR) allows businesses to continue to send direct marketing information by email to businesses whilst providing an option to opt-out.

Legitimate Interest Assessment

Beond has carried out a Legitimate Interest Assessment (LIA) as advised by the ICO. Based upon that assessment it is deemed that the rights and freedoms of the data subjects would not be overridden in our processing of the personal data. Additionally, in no way would a data subject be caused harm by the data processing carried out by Beond. It is deemed that any processing of data will be limited to business matters, and therefore any risk of personal compromise is extremely unlikely. It is also deemed that direct marketing and sales is necessary in the context of keeping our clients and prospective clients informed about our services and important energy industry market intelligence and to generate business sales.

As a result, Beond will rely on the Legitimate Interest lawful basis for storing and processing personal data on behalf of all individuals that are not sole traders or partnerships.

Per the ICO guidance, Beond can confirm:

• We have checked that legitimate interests is the most appropriate basis
• We understand our responsibility to protect the individual’s interests
• We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision
• We have identified the relevant legitimate interests
• We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
• We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests
• We only use individuals’ data in ways they would reasonably expect
• We are not using people’s data in ways they would find intrusive or which could cause them harm
• We do not process the data of children
• We have considered safeguards to reduce the impact where possible
• We will always ensure there is an opt-out / ability to object
• Our LIA did not identify a significant privacy impact, and therefore we do not require a DPIA
• We keep our LIA under review every six months, and will repeat it if circumstances change
• We include information about our legitimate interests in our privacy notice

How we Procure Personal Data

At Beond we procure data in a variety of ways, collected in line with the lawful basis of ‘Legitimate Interests’. We collect and process personal data in the following ways.

• Primary research – Beond has a small UK based in-house team who gather data relating to key decision makers at organisations from publicly available sources including the website of each business
• Secondary research – Beond has a small UK based in-house team who use existing publicly available sources to gather the information relating to key decision makers including but not limited to the Directors’ Register at Companies House, Dun & Bradstreet and LinkedIN
• Purchase – Beond has not, to this date, procured personal data from third party data vendors but we reserve the right to do so in the future. If we do decide to procure personal data then all third party data vendors will be checked for GDPR compliance and to ensure the validity and accuracy of data

How we Ensure Data Validity Beond ensure the validity of the personal data contained within their client management software. The team continually cleanse the data, completing a full cleanse cycle of both business and personal data at least once every 12 months. Any records found to be out of date are placed into a deletion queue which is securely purged four times in a 12 month period. Beond takes data cleansing extremely seriously as this ensures a highly compliant solution as well as a high calibre solution for all Beond’s clients.

Data Storage and Retention

The personal data held is processed and stored in the UK within a secure environment. Beond has a continual cycle of cleansing and refreshing data, all data is verified at least once in a 12 month cycle. Any invalid records are labelled invalid.

Sharing personal data with third parties

It is sometimes necessary for Beond to outsource certain services to third party providers. As a result, personal data will be passed to these third party providers by Beond. Beond will only pass personal data to a third party provider when there is an agreement in place between Beond and that third party provider, which addresses GDPR compliance by both parties.

Request to Object

Any individual has the right to object to receiving correspondence from Beond. All emailed correspondence provided to individuals will have an “unsubscribe” link. Individuals can unsubscribe by clicking on this link or by writing to Beond at the following address:

Data Compliance Beond Group Ltd Building 11 Chiswick Business Park 566 Chiswick High Road London W4 5YS

All requests will be processed within 30 days. Please note that this applies only to the processing of your personally identifiable data, not that of the business data which does not fall under the remit of GDPR.

Request for Deletion

Any individual has the right for their personal data to be deleted by Beond. If you request deletion, we will remove any data we hold about you from our client management software.

We will process your request within 30 days.

Please make your request in writing by emailing: data-compliance@beondgroup.com or by writing to: Data Compliance, Beond Group Ltd, Building 11, Chiswick Business Park, 566 Chiswick High Road, London, W4 5YS.

Request for Data Held

You may request that we send you all of the data we hold that relates to you. Please make your request in writing; By emailing: data-compliance@beondgroup.com or by writing to: Data Compliance, Beond Group Ltd, Building 11, Chiswick Business Park, 566 Chiswick High Road, London, W4 5YS.

We will process and respond to your request within 30 days, this service will be free of charge.

Policy review

This policy was last reviewed and updated on the 5th April 2018. Policies are periodically reviewed to ensure compliance with the current compliance environment.