The British Aerosol Manufacturers' Association (BAMA or the Association) produced this privacy notice as required by the General Data Protection Regulation (GDPR), which applied from 25th May 2018, changing data protection law in the UK.
This privacy notice aims at giving you information on how BAMA collects and processes your personal data in compliance with GDPR.
- About BAMA
- What is personal data?
- What personal data does BAMA collect?
- How is personal data collected by BAMA?
- How is personal data used by BAMA?
- Lawful basis for processing personal data
- Data controller, data processors and data protection officer
- Data retention
- BAMA website and cookies
- Individuals’ rights
BAMA is a trade association which represents the UK aerosol industry. BAMA’s membership covers every aspect of the aerosol sector ranging from component and ingredient suppliers, to fillers, can makers and marketers. The Association offers a range of business support and technical advice as well as lobbying industry views to legislators and regulators. BAMA also organises courses and events, some of which are open to non-members, and produces a variety of publications and guides, which are made available to members free of charge and which non‑members may purchase.
What is personal data?
Personal data, or personal information, means any information about an individual from which that person can be identified.
What personal data does BAMA collect?
BAMA collects personal data relating to contacts within its member companies. Personal data which BAMA collects includes forename(s) and surnames, job titles, telephone numbers, email addresses, membership of BAMA committees and working groups, attendance at BAMA courses and events, special dietary requirements and whether a contact is the main contact for the BAMA member, the Company Representative, or not. In certain circumstances, such as to meet the information requirements of the Association’s bankers and for the operation of BAMA’s crisis management plan, BAMA collects additional personal data, such as board members’ home telephone numbers and addresses and personal mobile telephone numbers and email addresses. BAMA also generates and holds log-in details for the members’ area of the BAMA website.
In addition, BAMA collects personal data when that data is necessary for compliance with legal obligations, such as the data required by Companies House relating to the appointment of directors of the Association.
BAMA collects personal data relating to individuals who are not employees of, or linked to, its member companies. Personal data which BAMA collects relating to such “non-members” includes forename(s) and surnames, job titles, telephone numbers, email addresses, membership of BAMA committees and working groups open to “non-members”, attendance at BAMA courses and events and special dietary requirements.
BAMA does not collect any sensitive “special category”, children’s or criminal offences or convictions data.
How is personal data collected by BAMA?
Personal data is generally collected directly, in a variety of ways, including from membership application forms and via the annual membership renewal process; from courses and events booking forms; from forms for the purchase of publications and guides; and through contact via telephone and email. However, BAMA website visitor data is collected automatically. BAMA also takes photographs at events for use in the production of promotional materials, such as its quarterly newsletters. Although not collected by BAMA, personal data is also available from social media platforms.
How is personal data used by BAMA?
Personal data is used by BAMA for the general administration of the Association; to provide information relating to committees and working groups; to provide technical support and business advice to members; to provide information on courses and events; to provide publications and guides; in the production of promotional materials; for work with contacts in Government, other trade associations and other organisations; and for reviews of the use of its services.
In addition to sharing data when necessary for compliance with legal obligations, BAMA may share personal data with service providers, such as those who provide IT system, website and public relations services, and with professional advisors, such as its lawyers, bankers and accountants.
BAMA may share personal data with other third parties in the course of organising courses and events insofar as the names and affiliation of those who have registered to attend events may be shared with other delegates and speakers and with event organisers at event venues. Event organisers at event venues are also notified of special dietary requirements.
BAMA asks all third parties to maintain the security of personal data shared with them and authorises them to use the data only for the purposes for which it has been provided.
Personal data may also be shared with Government, other trade associations and other organisations to facilitate input on the basis of consent by representatives from BAMA members to the development of policy or other project work.
BAMA does not make available to any other third parties, nor does it sell, nor does it transfer outside the EU except with individuals’ informed consent, any personal data it holds.
Lawful basis for processing personal data
The GDPR requires organisations to identify the lawful basis for their processing of personal data. Six lawful bases are available for processing, namely “consent”, “contract”, “legal obligation”, “vital interests”, “public task” and “legitimate interests”.
“Legitimate interests” applies when processing is necessary for the legitimate interests of an organisation or the legitimate interests of a third party, unless there is a good reason to protect an individual’s personal data which overrides those legitimate interests.
BAMA considers, regarding personal data relating to contacts within its member companies, that, of the various lawful bases available, “legitimate interests” is the appropriate legal basis for its processing of personal data for the administration of the Association and for the provision of its services; except when the processing is necessary for compliance with legal obligations when the lawful basis is “legal obligation”; and except in specific cases where consent is sought, such as the processing of personal data for the Association’s crisis management plan, the use of photographs and other personal data in the production of promotional materials, the sharing of personal data with Government, other trade associations and other organisations for the development of policy or other project work, and the activation of cookies on the website, when the lawful basis is “consent”.
BAMA considers, regarding personal data relating to individuals who are not employees of, or linked to, its member companies, that, of the various lawful bases available, “consent” is the appropriate legal basis for its processing of personal data for the administration of BAMA committees and working groups open to “non-members”, for the promotion of its courses and events and publications and guides and for use in the production of promotional materials.
BAMA has reviewed whether the processing it carries out is necessary for these purposes and is satisfied that there is no other reasonable alternative.
Data controller, data processors and data protection officer
The GDPR applies to data “controllers” and to data “processors”.
For the purposes of the GDPR, the Association is the data controller in that it determines the purposes and means of processing personal data. The Association’s contact details are as follows:
British Aerosol Manufacturers’ Association
1 Viewpoint, Office Village, Babbage Road, Stevenage, SG1 2EQ
Tel: 01438 583583
The data processors for the purposes of the GDPR are those employees of the Association who are responsible for processing personal data on behalf of the controller. Data is held securely on the BAMA secure server, which has secure data backup and access and virus protection, and on the BAMA website.
BAMA has appointed Mr Patrick Heskins, the Association’s Chief Executive, as its data protection officer, responsible for monitoring compliance with the GDPR. Mr Heskins may be contacted via the Association’s contact details above or at firstname.lastname@example.org
In line with the requirement of the GDPR that organisations must not keep personal data for longer than they need it, in the event that contacts cease to be employed by BAMA members or cease to be contacts, their personal data is removed from the BAMA secure server and the BAMA website. In addition, their email addresses are removed from any relevant email lists.
BAMA website and cookies
Under the GDPR, individuals have the right to be informed about the collection and use of their personal data, a key transparency requirement of the Regulation, as well as the purposes for which their personal data is processed, retention periods for that personal data and with whom it will be shared, this “privacy information” being communicated via a privacy notice.
Under the GDPR, in the context of the collection and processing of personal data by BAMA, individuals have additional rights, namely the right to have access to their personal information; the right to the rectification of inaccurate information; the right to have it deleted; and the right in some circumstances to object to or restrict processing, all of which may be exercised by contacting BAMA or the BAMA data protection officer.
Equally BAMA contacts who do not wish to continue to be included in emailing lists can ask BAMA to remove their email addresses from such lists.
If you would like more information regarding this privacy notice and the GDPR, please contact BAMA or the BAMA data protection officer. More information on the GDPR may be found on the Information Commissioner’s Office (ICO) website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
26 July 2018