BikeSafe Privacy Notice

Your privacy is important to us.  This Privacy Notice explains how BikeSafe and its partner the Motorcycle Industry Association collects, stores, uses, discloses, retains and destroys personal data[1], the steps we take to ensure that it is protected and also describes the rights individuals have in regard to their personal data handled by BikeSafe[2].

The use and disclosure of personal data is governed in the United Kingdom by the Data Protection Act 2018 it is supplemented by the General Data Protection Regulation (GDPR) and incorporates the Law Enforcement Directive (LED).  Nick Adderley, The Assistant Chief Constable of Staffordshire Police, is registered with the Information Commissioner as the Data Controller for BikeSafe and is obliged to ensure that the Motorcycle Industry Association (MCIA) handles all personal data on their behalf in accordance with the Data Protection Act and the GDPR. The Data Processor for BikeSafe is Karen Cole of the Motorcycle Industry Association

Staffordshire Police and the BikeSafe takes its responsibility very seriously and ensures that personal data is handled appropriately in order to secure and maintain individuals’ trust and confidence in the BikeSafe scheme. References to BikeSafe include references to the Motorcycle Industry Association in their partnership under GDPR regulations.

  1. Why do BikeSafe collect and use personal information

BikeSafe collects, stores, uses, discloses and retains personal data for the following broad purposes:

  1. The population of the Customer Relations Management side of the website for the purpose of booking a person on a BikeSafe workshop.
  2. The completion of a pre-workshop survey.
  3. The completion of an ‘on day’ survey monitoring customer experience.
  4. The distribution and evaluation of the two follow up surveys post workshop, one at 12 months and one at 24 months.

The provision of services supplied by the Motorcycle Industry Association support the monitoring of the BikeSafe project’s key performance indicators and are based around rider behaviour both prior to and post workshop attendance.

  1. Whose personal data do BikeSafe handle?

In order to carry out the purposes described under section 1 above BikeSafe may collect, store, and use (see section 8 below) and retain personal data relating to an individual booking on to a BikeSafe workshop.

BikeSafe will only use appropriate personal information necessary to fulfil a particular purpose or purposes.  Personal data could be information which is held on a computer, in a paper record such as a file, as images, but can also include other types of electronically held information.

[1] ‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR).  In practical terms it means any information handled by BikeSafe that relates to an identified or identifiable natural person; an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

[2] This document is designed to help satisfy the rules on giving privacy information to data subjects in Articles 12, 13 and 14 of the GDPR.

[1] ‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR).  In practical terms it means any information handled by BikeSafe that relates to an identified or identifiable natural person; an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

[1] This document is designed to help satisfy the rules on giving privacy information to data subjects in Articles 12, 13 and 14 of the GDPR.

  1. What types of personal data do BikeSafe handle?

 In order to carry out the purposes described under section 1 above BikeSafe may collect, store and use (see section 8 below) and retain personal data relating to or consisting of the following:

  • Personal details such as
  • Name
  • Address including post code
  • date of birth
  • gender
  • telephone number
  • Where did you hear about us
  • Motorcycle make and model
  • Customer type
  • Card details (Number, expiry and CVC number)

BikeSafe will only use appropriate personal data necessary to fulfil a particular purpose or purposes.  Personal data could be information which is held on a computer, in a paper record such as a file, as images, but can also include other types of electronically held information.

  1. Where do BikeSafe obtain personal data from?

 In order to carry out the purposes described under section 1 above BikeSafe may collect personal data from the BikeSafe website and any paper record completed by a potential BikeSafe attendee or by a person on their behalf, completed with a view to using the data for an application for a workshop only.

  1. Which lawful basis do we use to process this information?

BikeSafe collect and use information in relation to the BikeSafe scheme. The lawful bases that they rely on are detailed below:

Consent: the individual has given clear consent for BikeSafe to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract of services BikeSafe has with the individual.

Legitimate interests: the processing is necessary for BikeSafe’s legitimate interests or the legitimate interests of a third party (the MCIA).

  1. How do BikeSafe handle personal data?

 In order to achieve the purposes described in section 1 BikeSafe will handle personal data in accordance with the Data Protection Act 2018, the GDPR and LED.  For personal data processed under Part 2 which applies to general processing under the GDPR, BikeSafe will ensure that any personal data is:

  • Processed lawfully, fairly, and in a transparent manner in relation to individuals;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
  • Accurate and, where necessary, kept up to date;
  • Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

BikeSafe will strive to ensure that any personal data used by us or on our behalf is not excessive, reviewed appropriately and securely destroyed when no longer required.  BikeSafe will also respect individuals’ rights as detailed in section 9 below.

  1. How do BikeSafe ensure the security of personal data?

 BikeSafe takes the security of all personal data under our control very seriously.  We will comply with the relevant parts of the Data Protection Act 2018, the GDPR and LED relating to security. We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them.  These procedures are continuously managed and enhanced to ensure up-to-date security.

  1. Who do BikeSafe disclose personal information to?

In order to carry out the purposes described under section 1 above BikeSafe may disclose personal information to the named company responsible for the capture of data for the purpose of completing the aforementioned surveys. The company is currently Road Safety Analysis. It will be made only with the necessary controls in place and the data is de-personalised before sharing.

  1. What are the rights of the individuals whose personal data is handled by BikeSafe?

The GDPR provides certain rights for individuals.

The right to be informed – this area is covered by this privacy notice

The right of access – A Subject Access request.  The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by BikeSafe as detailed under Article 15 of the GDPR. Individuals have the right to access their personal data. This is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing. BikeSafe has one month to respond to a request and cannot charge a fee to deal with a request in most circumstances. Where a limitation is in place the individual must be given an explanation of the reasons, unless providing this information undermines the purpose of imposing the restriction.

The right to rectification – Under Article 16 of the GDPR, individuals have the right to have inaccurate or incomplete personal data rectified. An individual can make a request for rectification verbally or in writing. BikeSafe has one calendar month to respond to a request. In certain circumstances BikeSafe can refuse a request for rectification. This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)).

The right to erasure – Under Article 17 of the GDPR, individuals have the right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • When the individual withdraws consent;
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing with the processing;
  • When the personal data was unlawfully processed;
  • When the personal data has to be erased in order to comply with a legal obligation;

The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. BikeSafe has one month to respond to a request. The right is not absolute and only applies in certain circumstances. This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.

The right to restrict processing – Under Article 18 of the GDPR, individuals have the right to restrict the processing of personal data, for example, if an individual believes that the data is incorrect but it is not possible to confirm the accuracy of the data.  This is an alternative to requesting the erasure of their data. Individuals will have the right to restrict the processing of their personal data by BikeSafe where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information BikeSafe holds or how BikeSafe has processed their data. In most cases BikeSafe will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time. Where a request is received the individual must be informed in writing as to whether BikeSafe has granted the request; and if BikeSafe has refused, the reasons why.

The right to data portability – Under Article 20 of the GDPR, individuals have the right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different service.  It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without hindrance to usability. The personal data must be provided in a structured, commonly used and machine readable form. The information must be provided free of charge.

The right to object – Article 21 of the GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies BikeSafe may be able to continue processing if BikeSafe can show that they have a compelling reason for doing so. BikeSafe must tell individuals about their right to object and an individual can make an objection verbally or in writing. BikeSafe has one calendar month to respond to an objection.

Rights in relation to automated decision making including profiling – The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. The GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if BikeSafe are carrying out solely automated decision-making that has legal or similarly significant effects on them. BikeSafe can only carry out this type of decision-making where the decision is necessary for the entry into or performance of a contract; or authorised by Union or Member state law applicable to the controller; or based on the individual’s explicit consent. BikeSafe must identify whether any of our processing falls under Article 22 and, if so, make sure that we give individuals information about the processing; introduce simple ways for them to request human intervention or challenge a decision and carry out regular checks to make sure that our systems are working as intended.

An individual has the right to withdraw their consent – An individual has the right to withdraw consent and this can be done in writing or by contacting the BikeSafe office at;

info@bikesafeadmin.co.uk

or by calling 02476 408034

or in writing to

BikeSafe c/o The Motorcycle Industry Association

1 Rye Hill Office Park,

Birmingham Rd,

Coventry

CV5 9AB                                   

Individuals have the right to complain to the Information Commissioner’s Office if they believe that they are/have been adversely affected by the handling of personal data by BikeSafe or its partners the MCIA or Staffordshire Police.  Such complaints should be made direct to the Information Commissioner:

www.ico.org.uk

The Information Commissioner’s Office,

Wycliffe House,

Water Lane,

Wilmslow,

Cheshire,

SK9 5AF

Telephone: 0303 123 1113

  1. How long does BikeSafe retain personal data?

 BikeSafe keeps personal data for as long as is necessary for the particular purpose or purposes for which it is held and in no case longer than a period of 2 years and 1 month from the date of the attended workshop.

BikeSafe will also retain data from a person or persons who have registered an interest on the website but have not yet taken a workshop. This data will be referred to as being on a waiting list and will be retained for a maximum period of 18 months giving the person or persons time to choose a suitable date or workshop. When the person or persons leave the waiting list, they will be under the terms of a booked person and this section will no longer be valid.

A person or persons who start the booking process but do not complete the process initially will be deemed not to be waiting for a workshop. BikeSafe will keep their data for a period not exceeding 1 month to be able to assist them in completing the booking.

  1. Contact Us

 Any individual with concerns over the way that BikeSafe handles their personal data or for further details on any of the above may contact the Data Protection Officer (DPO) via the email address info@bikesafeadmin.co.uk or via the telephone number 02476 408034.