Your privacy is important to us
This privacy notice explains how BikeSafe and its contracted agents, will collect, store, use, disclose, retain and destroy personal data1, along with the steps we take to ensure that it is protected and the rights individuals have in regard to their personal data being handled by BikeSafe2.
The use and disclosure of personal data is governed in the United Kingdom by the Data Protection Act 2018 and is supplemented by the General Data Protection Regulation (GDPR), plus incorporates the Law Enforcement Directive (LED). BikeSafe is registered with the Information Commissioner and as such, has a dedicated data controller. The BikeSafe data controller is obliged to ensure that BikeSafe contracted agents will handle all personal data on their behalf in accordance with the Data Protection Act and the GDPR.
BikeSafe, their national co-ordination body, data controller and BikeSafe contracted agents take their responsibility very seriously to ensure that personal data is handled appropriately in order to secure and maintain individuals’ trust and confidence in the BikeSafe scheme. References to BikeSafe include BikeSafe contracted agents in their partnership under GDPR regulations.
1. Why do BikeSafe collect and use personal information?
BikeSafe collects, stores, uses, discloses and retains personal data for the following broad purposes:
- Population of the Customer Relations Management (CRM) aspect of the website for the purpose of booking places on a BikeSafe workshop.
- Facilitate completion of a pre-workshop survey.
- Implementation of customer experience survey at the end of BikeSafe workshops.
- Distribution and evaluation of the two post workshop follow-up surveys – at 12 months and at 24 months.
- Provision of services supplied by BikeSafe contracted agents to support the monitoring of the BikeSafe project’s key performance indicators, based around rider behaviour both prior to and post workshop attendance.
- Sending other relevant motorcycle and rider safety information, including sign-posting to post-test training providers.
2. Whose personal data do BikeSafe handle?
In order to carry out the purposes described under section 1 above – BikeSafe may collect, store, and use (see section 8 below) and retain personal data relating to an individual booking on to a BikeSafe workshop.
BikeSafe will only use appropriate personal information necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record such as a file, as images, but can also include other types of electronically held information.
1 ‘Personal Data’ is defined in Article 4 of the General Data Protection Regulation (GDPR). In practical terms it means any information handled by BikeSafe that relates to an identified or identifiable natural person; an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3. What types of personal data do BikeSafe handle?
In order to carry out the purposes described under section 1 above BikeSafe may collect, store and use (see section 8 below) and retain personal data relating to or including the following:
- Email address
- Address including post code
- date of birth
- telephone number(s)
- Where users heard about BikeSafe
- Motorcycle make, model and engine size
- Post-test training experience
- Information pertaining to rider habits, attitudes and riding style
- Card details (Number, expiry and CVC number)
- Any other information required to efficiently administer BikeSafe
BikeSafe will only use appropriate personal data necessary to fulfil a particular purpose or purposes. Personal data could be information which is held on a computer, in a paper record such as a file, as images, but can also include other types of electronically held information.
4. Where do BikeSafe obtain personal data from?
In order to carry out the purposes described under section 1 above BikeSafe may collect personal data from the BikeSafe website and any paper record completed by a potential BikeSafe attendee or by a person on their behalf, completed with a view to using the data for an application for a workshop only.
5. Which lawful basis do we use to process this information?
BikeSafe collect and use information in relation to the BikeSafe scheme. The lawful bases that they rely on are detailed below:
Consent: the individual has given clear consent for BikeSafe to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract of services BikeSafe has with the individual.
Legitimate interests: the processing is necessary for BikeSafe’s legitimate interests or the legitimate interests of a third party i.e. BikeSafe contracted agents.
6. How do BikeSafe handle personal data?
In order to achieve the purposes described in section 1 BikeSafe will handle personal data in accordance with the Data Protection Act 2018, the GDPR and LED. For personal data processed under Part 2 which applies to general processing under the GDPR, BikeSafe will ensure that any personal data is:
- Processed lawfully, fairly, and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
- Accurate and, where necessary, kept up to date;
- Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
BikeSafe will strive to ensure that any personal data used by us or on our behalf is not excessive, reviewed appropriately and securely destroyed when no longer required. BikeSafe will also respect individuals’ rights as detailed in section 9 below.
7. How do BikeSafe ensure the security of personal data?
BikeSafe takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the Data Protection Act 2018, the GDPR and LED relating to security. We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.
8. Who do BikeSafe disclose personal information to?
In order to carry out the purposes described under section 1 above BikeSafe may disclose personal information to the named company responsible for the capture of data for the purpose of completing the aforementioned surveys. The company is currently Road Safety Analysis. It will be made only with the necessary controls in place and the data is de-personalised before sharing.
9. What are the rights of the individuals whose personal data is handled by BikeSafe?
The GDPR provides certain rights for individuals.
The right to be informed – this area is covered by this privacy notice
The right of access – A Subject Access request. The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by BikeSafe as detailed under Article 15 of the GDPR. Individuals have the right to access their personal data. This is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing. BikeSafe has one month to respond to a request and cannot charge a fee to deal with a request in most circumstances. Where a limitation is in place the individual must be given an explanation of the reasons, unless providing this information undermines the purpose of imposing the restriction.
The right to rectification – Under Article 16 of the GDPR, individuals have the right to have inaccurate or incomplete personal data rectified. An individual can make a request for rectification verbally or in writing. BikeSafe has one calendar month to respond to a request. In certain circumstances BikeSafe can refuse a request for rectification. This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)).
The right to erasure – Under Article 17 of the GDPR, individuals have the right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- When the individual withdraws consent;
- When the individual objects to the processing and there is no overriding legitimate interest for continuing with the processing;
- When the personal data was unlawfully processed;
- When the personal data has to be erased in order to comply with a legal obligation;
The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. BikeSafe has one month to respond to a request. The right is not absolute and only applies in certain circumstances. This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
The right to restrict processing – Under Article 18 of the GDPR, individuals have the right to restrict the processing of personal data, for example, if an individual believes that the data is incorrect, but it is not possible to confirm the accuracy of the data. This is an alternative to requesting the erasure of their data. Individuals will have the right to restrict the processing of their personal data by BikeSafe where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information BikeSafe holds or how BikeSafe has processed their data. In most cases BikeSafe will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time. Where a request is received the individual must be informed in writing as to whether BikeSafe has granted the request; and if BikeSafe has refused, the reasons why.
The right to data portability – Under Article 20 of the GDPR, individuals have the right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without hindrance to usability. The personal data must be provided in a structured, commonly used and machine-readable form. The information must be provided free of charge.
The right to object – Article 21 of the GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies BikeSafe may be able to continue processing if BikeSafe can show that they have a compelling reason for doing so. BikeSafe must tell individuals about their right to object and an individual can make an objection verbally or in writing. BikeSafe has one calendar month to respond to an objection.
Rights in relation to automated decision-making including profiling – The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. The GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if BikeSafe are carrying out solely automated decision-making that has legal or similarly significant effects on them. BikeSafe can only carry out this type of decision-making where the decision is necessary for the entry into or performance of a contract; or authorised by Union or Member state law applicable to the controller; or based on the individual’s explicit consent. BikeSafe must identify whether any of our processing falls under Article 22 and, if so, make sure that we give individuals information about the processing; introduce simple ways for them to request human intervention or challenge a decision and carry out regular checks to make sure that our systems are working as intended.
An individual has the right to withdraw their consent – An individual has the right to withdraw consent and this can be done in writing or by contacting ‘us‘.
click here to contact BikeSafe.
Individuals have the right to complain to the Information Commissioner’s Office if they believe that they are/have been adversely affected by the handling of personal data by BikeSafe or BikeSafe contracted partners or Northamptonshire Police. Such complaints should be made direct to the Information Commissioner.
click here to contact the Information Commissioner.
10. How long does BikeSafe retain personal data?
BikeSafe keeps personal data for as long as is necessary for the particular purpose or purposes for which it is held and in no case longer than a period of 2 years and 1 month from the date of the attended workshop.
BikeSafe will also retain data from a person or persons who have registered an interest on the website but have not yet taken a workshop. This data will be referred to as being on a waiting list and will be retained for a maximum period of 18 months giving the person or persons time to choose a suitable date or workshop. When the person or persons leave the waiting list, they will be under the terms of a booked person and this section will no longer be valid.
A person or persons who start the booking process but do not complete the process initially will be deemed not to be waiting for a workshop. BikeSafe will keep their data for a period not exceeding 1 month to be able to assist them in completing the booking.
11.Data Protection Officer
Any individual with concerns over the way that BikeSafe handles their personal data or for further details on any of the above may contact the Data Protection Officer (DPO). To contact the BikeSafe DPO, please click here.
12. Further information
Policy last updated: 17th March 2019.