Last updated: 2 May 2023

Privacy Policy

Business and Human Rights Lawyers Association Limited – Privacy Notice

Business and Human Rights Lawyers Association Limited (Company number: 14489585) ("BHRLA", "we", "our" or "us") respects the privacy of the individuals whose personal data we collect ("you" or "your").

This privacy notice (the "Privacy Notice") provides information, for the purposes of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as it forms part of domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the UK Data Protection Act 2018 ("DPA") and other applicable national data protection laws, concerning how BHRLA processes and protects your personal data that we may receive as part of your registering and interactions with BHRLA.

The terms "controller", "processor", "data subject", "personal data", "process", "processes", and "processing" used in this Privacy Notice have the meanings given to them in the UK GDPR.

Controllership

BHRLA is an independent 'controller' in respect of its processing of your personal data. We are responsible for ensuring that we hold and use your personal data in compliance with the UK GDPR and the DPA and other applicable national data protection laws.

The personal data that we collect about you

We collect a certain amount of personal data about you, which may include your name, email address, telephone number, app and website tracking information, information you or your representative organisation provide us by becoming a member, partnering with us, subscribing to our mailing list or by emailing us.

We do not collect or process any special categories of personal data (such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data), nor do we collect any information about criminal convictions and offences.

The purpose for processing your personal data

We may process your personal data for the purposes of providing you with access to bhrla.org, membership and partnership opportunities, BHRLA activities and related services. We may also process your personal data as follows:

  • communicate with you and respond to your enquiries, including responding to complaints and attempting to resolve them;
  • send you promotional and marketing materials, newsletters or other related communications (including making suggestions and recommendations to you about activities and services that may be of interest to you);
  • conduct research, analysis and app and website tracking to improve the quality of our marketing and the experience of and relationships with our members and others who have expressed an interest in our activities;
  • communicate with you about operational changes to our services and website: for example, if we were to change our membership or participation structure or change this Privacy Notice;
  • comply with our legal and regulatory obligations (including verifying your identity and conducting identity and background checks for anti-money laundering, fraud, credit and security purposes) and to exercise our legal rights;
  • administer auditing, billing, account statement and reconciliation activities and other internal and payment-related functions;
  • administer and protect BHRLA and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
  • develop, manage and improve our services and the website (including conducting research and analysis) and to test new services and features of the website;
  • run BHRLA in an efficient and proper way, including in respect of our financial position, business and operational capability, corporate governance, audit, strategic planning and communications;
  • monitor and/or record your communications with us for quality control, training, security and regulatory purposes; and
  • exercise our rights in agreements and contracts to which we are a party.

What is the legal basis of the processing?

When we process your personal data, we may rely on:

  • Article 6(1)(b) UK GDPR to the extent such processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into any such contract, including processing and conducting enquiries in relation to applications for membership and engaging with us through membership, partnership and other similar arrangements relating to our services and activities;
  • Article 6(1)(f) UK GDPR to the extent such processing is necessary for the purposes of the legitimate interests we pursue to the extent we have concluded that our processing is not overridden by your interests or fundamental rights or freedoms that require the protection of personal data. Examples of this might include website tracking, marketing or advertising and processing for the purposes of compliance with our internal policies and procedures; and
  • Article 6(1)(a) UK GDPR where we have obtained your consent to the relevant processing activity (NB – we will not generally rely on this processing ground where we are able to rely on another processing ground instead). To the extent we rely on your consent for any processing activity, you are free to withdraw it at any time by emailing us (see "Contacting Us" below).

Who will your personal data be shared with? / Who are the recipients of your personal data?

We may share your personal data with any third parties that help us provide services, with legal or other professional advisors and with regulators, prosecutors and law enforcement authorities which regulate us. We may also share your personal data with our affiliates in order to provide these services.

Any such transfers will be in compliance with our obligations as a controller under the UK GDPR, the DPA and other applicable national data protection laws. Some of these persons may process your personal data in accordance with our instructions and others will themselves be responsible for their use of your personal data.

The disclosures described in this Privacy Notice may involve transferring your personal data to countries outside the UK and EEA which may not have similarly strict data privacy laws. When this occurs, we will ensure that any such transfers are carried out in compliance with applicable law, including, where necessary, being governed by data transfer agreements designed to ensure that your personal data is protected, on terms approved for this purpose by the UK or EU.

We will never sell your personal data and in all cases, BHRLA will ensure that your personal data is only disclosed for the purposes set out above and in compliance with applicable data protection laws.

Marketing preferences

You can change your marketing preferences by clicking on the unsubscribe option at the bottom of our marketing emails. We will endeavour to give effect to your preference changes as soon as possible but please note that it can sometimes take up to 7 days for a change to become effective due to the way in which our systems are configured.

Retention and deletion of your personal data

We intend to keep your personal data accurate and up to date and, as a general principle, we do not retain your personal data for longer than we need it (except in anonymised / statistical form). We will delete or anonymise any information that we hold about you when it is no longer required for the purposes set out above, or where longer, such period as is required or permitted by law or regulatory obligations which apply to us. Specific information about our record retention policies is available on request. Please contact us (see "Contacting Us" below).

Automated decision-making techniques (including profiling)

We do not envisage your personal data will undergo any automated decision making.

Your rights in relation to your personal data

The GDPR and other applicable laws provide you (as the data subject) a number of absolute or qualified legal rights in relation to the processing of your personal data. These rights include (with some exceptions):

  • the right to know what personal data we process and a right of access to such personal data;
  • the right to request any incomplete or inaccurate personal data to be corrected;
  • the right to object to our processing of your personal data;
  • the right to require us to delete your personal data in some limited circumstances;
  • the right to object to our processing of some or all of your personal data on grounds relating to your particular situation which are based on legitimate interests, at any time (and require such personal data to be deleted). If you object, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for such processing which override your interests, rights and freedoms or where it is necessary for the establishment, exercise or defence of legal claims; and
  • a "data portability" right to require us to transfer your personal data to you or to a new service provider in a structured, commonly used and machine-readable format.

If you wish to exercise any of the rights referred to above, please contact us using the details set out under "Contacting us" below.

We review and verify data protection rights requests. We apply non-discriminatory principles when we action requests relating to your data, in accordance with applicable data protection laws and principles.

We exercise particular care when receiving a request to exercise these rights on your behalf by a third party. We will ensure that the third party is correctly authorised by you to receive the requested information on your behalf.

If you wish to exercise any of these rights, please contact us (see "Contacting Us" below). You can also lodge a complaint about our processing of your personal information with the office of the UK Information Commissioner (http://www.ico.gov.uk/).

When exercising any of these rights, we may request specific information from you to prove your identity to our satisfaction so that we can safeguard your personal data from unauthorised access by someone impersonating you.

Contacting us

If you would like further information on the collection, use, disclosure, transfer or processing of your personal data, or to exercise any of the rights listed above, please address questions, comments and requests to engage@bhrla.org.

Changes to this policy

Any changes we make to this Privacy Notice in the future will be posted to our website.

Effective from 2 May 2023