Data Privacy Notice

Bibra is committed to protecting the privacy and security of your Personal Data, and we want to ensure you understand your rights and our responsibilities when it comes to your Personal Data.

This data privacy notice describes how we handle your Personal Data throughout our relationship, whether you are a client or prospect, a potential business partner, or just a member of the public hoping to get to know us better or access educational content by exploring our website or getting in touch.

If you are an employee, consultant, agency worker or candidate, please refer our Data Privacy Notice for Employees, Consultants, and Workers (available upon request to the Privacy Lead). This website and our services are not intended for children and we do not knowingly collect data relating to children.

Our Privacy Lead is responsible for overseeing our privacy program. If you ever have any questions or concerns about how we handle your Personal Data, please contact:

Ashleigh Ace, Commercial Director

Bibra toxicology advice & consulting
Cantium House
Railway Approach
Wallington
Surrey SM6 0DZ
UK

Tel: +44 (0)20 8619 0770

E-mail: [email protected] (FAO Ashleigh Ace)

Regardless of where, why or how we obtain or Process your Personal Data, we comply with Data Protection Law (DP Law). DP Law protects ‘data subjects’ in the UK and EU (that’s you) by imposing stricter obligations on ‘data controllers’ (that’s us) and ‘data processors’ (those that help us) when we ‘process’ ‘personal data’. Click here to see our glossary below under ‘Personal Data’, ‘Processing’, ‘Controller’, ‘Processor’.

In a nutshell, DP Law applies to any data that might identify you, wherever or however we got it, whatever we do with it and wherever we Process it, even if someone else Processes it on our behalf, and even if we send it outside the EEA.

This means that whenever we Process your Personal Data we do so:

• Lawfully: Only if we can justify it on one of the following Lawful Bases:
  • Consent – this means you have given us permission, which you can withdraw at any time. We need your explicit consent to process sensitive data like health-related data (Special Data) or to transfer your Personal Data outside the EEA where we don’t have another basis for doing so
  • Legitimate Interest – to help fulfil a legitimate business objective (see the ‘Why’ column of our At-a-Glance table) after confirming we’ve only used what’s reasonably necessary and proportionate to meet that objective and struck the right balance between our interests and yours (Legitimate Interests Assessment (LIA)).  Generally speaking, we need this it to operate our business, generate leads and sales, make sure our relationship with you runs smoothly, and protect the Personal Data and commercial data we hold by securing our network and information systems
  • Contractual necessity – to enter into or fulfil our contract, including to generate a quote
  • Legal obligation – to comply with the law (e.g. tax reporting, Anti-Corruption)
  • Vital interests – in rare instances where one of the others don’t apply but we need your Personal Data to protect your vital interests or those of another person
• Fairly and transparently: we strike the right balance between our interests and yours and we tell you what we do with your Personal Data
• For a specific purpose: we won’t use your Personal Data for another incompatible purpose unless the law permits or requires us to
• Using the least amount reasonably necessary
• Ensuring it is accurate, complete and up-to-date
• For a limited time: Only for as long as reasonably necessary, and then we either destroy it or de-identify it so it can’t be linked back to you
• Securely: managing our people and designing our processes and technology to ensure end-to-end confidentiality, integrity and availability
• Within the UK/EEA: we don’t transfer your Personal Data outside the EEA except as permitted under DP Law. We use appropriate safeguards for consistent protection and ensure third parties we rely on do so as well
• With your rights in mind: We make it easy for you to exercise your rights (see Your Rights)

The types of Personal Data we Process about you are grouped under the following categories:

• Identity Data: first name, last name, company name, title
• Contact Data: billing address, trading/physical address (if different from billing address), email address and telephone numbers, contact name(s)
• Financial Data: bank details (if you are a supplier of ours), invoices we send (if you are a client of ours)
• Transaction Data: details about payments to and from you and other details of products and services you have purchased from us (e.g. Membership, TRN subscription) or for which you have sought a quote or additional information through our Contact Us form or via email
• Profile Data: purchases or orders made by you, your company ‘category’/SIC code, preferences, feedback on work
• Marketing and Communications Data: your preferences in receiving marketing and newsletters from us – including do-not-call and unsubscribe requests (suppression lists), cookie preferences, and your preferred communication methods
• Client Data refers to Personal Data we receive or generate in connection with matters for which you’ve sought our expertise: director or employee names or details, emails, text messages, internal or external documents you’ve shared

We conduct Legitimate Interests Assessments (LIA’s) whenever we rely on Legitimate Interests and, where appropriate, Data Protection Impact Assessments (DPIAs). You can find more detailed information by contacting our Privacy Lead.

For example, we do some limited profiling based on your past purchasing behaviours or requests, to target products, services, educational content, and conferences to you that we’re quite confident you’ll like, and avoid bombarding you with those you won’t. To do this, we need to learn more about you and your preferences, but we ensure we have appropriate safeguards to prevent this information from being misused and ensure we strike the right balance:

• Only what we need: Our Commercial Team, Managing Director and the Toxicologists you work with do things the old-fashioned way. They get to really know their clients and their interests, and they stay up-to-date on industry developments and advances in research so they can alert you to changes that might impact your business and require attention. They know your business and what your concerns are because they’ve worked closely with you in the past. This personal touch, and the relationship they maintain with you, helps them tailor their communications to you.
• When we need it, and only by those who need it:
  • Our Commercial Team and Toxicologists. Only our Commercial Director can view your account history information, and we have implemented additional safeguards
  • We never let third parties use your information for their own purposes, and we prevent this by giving them only what they need and as little Personal Data as possible, for example by pseudonymising our project numbers (for project monitoring) to protect your company name and contact information, securely transmitting it to protect your identity
  • We don’t disclose identifiable information about your company or individuals within it. Even when we describe our achievements, we take care to sanitise the information to avoid revealing who our customers are (see our Recent Projects for an example of this), unless you expressly choose to provide a testimonial
• We’ve struck the right balance: we’ve conducted Legitimate Interest Assessments (LIA) where appropriate, to confirm our use of any Personal Data you provide is fair
• Even so…it’s optional: You can object to this activity by opting out at any time. Simply contact our Privacy Lead (Ashleigh Ace) or disable our marketing cookies on your cookie dashboard

If we can’t process this Personal Data, or if it’s inaccurate, we may not be able to perform the contract we have entered into with you (e.g. provide you with the TRN subscription you’ve requested and paid for), or we may be prevented from complying with our legal obligations (e.g. doing our due diligence under Anti-Money Laundering rules) or Legitimate Interests (managing credit risk by vetting prospects). If we aren’t able to get profile, technical, usage and marketing and communications data (e.g. ad clicks, customer feedback, page visits) it will be difficult for us to optimise our services or website or meet consumer demands and serve up content we think you’ll like, which means you might either receive communications that aren’t suited to you, or you may miss out ones tailored to you, like alerts for certain educational content or regarding major regulatory developments.

Special Data requires higher levels of protection. We don’t collect Special Data or Criminal Records Data related to our customers or prospects.

If you click on a link to third-party content, like an ad, this will either take you to those third-party sites or applications or send your Personal Data to that third party related to your click. We have no control over their use of your Personal Data in this regard.  We encourage you to read the Data Privacy Notice of websites you visit. Where there are Third Party Cookies and trackers on our website, our Cookie Notice provides links.

Need-to-know is the default…

• Within the company: only those individuals within our company or the third parties listed under the ‘With Whom’ column of the At-a-Glance table can see or access your Personal Data, and they only Process the specific data they need to fulfil their tasks. We have implemented internal measures to enforce this need-to-know access and to ensure those who do Process it do so on our instructions and under a duty of confidentiality
• With our service providers and vendors: we do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit Processors to Process your Personal Data for specified purposes and in accordance with our instructions. We minimise how much of your Personal Data needs to be transferred to ensure this objective is met

Wherever we Process your Personal Data jointly with another Controller (Joint Controller), we establish clear lines of accountability to ensure your rights are respected and our obligations are met, and we adhere to the principles and approach we mentioned earlier to minimise how much Personal Data we use.

In all cases, we require third parties to respect the security of your Personal Data and to treat it in accordance with DP Law through binding contracts.

We also share your Personal Data with other third parties in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your Personal Data with the other parties if and to the extent required under the terms of the transaction and on the basis of Legitimate Interests. This ensures seamless service for you, regardless of who owns the business. Still, we will notify you if this is the case and you will have the right to object to this transfer.

We may also need to share your Personal Data with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to financial services regulators  and disclosures to shareholders such as directors’ remuneration reporting requirements.

We primarily Process your Personal Data – including back-ups and archives – in the EEA and in countries the European Commission has recognised as providing adequate levels of protection (Adequate countries): (full list tbc)

Certain systems or databases we use are partially or entirely hosted outside the EEA in third countries that haven’t been listed as Adequate (our accounting system; Xero). However, we have put in place the following appropriate measures to ensure that it is treated by those third parties in a way that is consistent with and which respects the EU and UK Data Protection Laws: (e.g. standard contractual clauses with Cloudflare, our website hosts).  Contact our Privacy Lead to find out more.

We’ve implemented measures to prevent your Personal Data from accidental loss, unauthorised use, access, alteration or disclosure. We’ve implemented procedures and safeguards to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are available upon request.

We will only retain your Personal Data for as long as necessary to fulfil the purposes we mentioned in our At-a-Glance table, including to satisfy any legal, accounting, or reporting requirements.  This will vary according to the Personal Data involved and the purpose.

We consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we use it, whether we can achieve those purposes through other means, and the applicable legal requirements. To illustrate:

• We generally hold onto Financial Data for 7 years to satisfy tax and corporate reporting requirements
• We hold onto identifiable Marketing Data for 1 year post-campaign
• We retain our suppression lists (do-not-call/unsubscribe) because we have an ongoing legal obligation under Direct Marketing rules

In some circumstances we may aggregate or anonymise your Personal Data so that it can no longer be associated with you, in which case we may use it without further notice to you. We do this for purchasing statistics, historical operations data, or to analyse sales and marketing trends.

You have various rights with respect to your Personal Data:

We will need to confirm your identity to confirm your right to access the information or exercise any of your other rights. This is to prevent Personal Data being disclosed to anyone who has no right to receive it.

You can find out more about your rights by visiting the Information Commissioner’s Office website.

If you are unhappy with the way we handle your personal data, we encourage you to contact our Privacy Lead first so we can try to address your concerns. You may complain to the Information Commissioner’s Office. You can find details here.