Our commitment to you
The security of personal information is extremely important to us and we are committed to protecting and respecting your privacy. We aim to be honest and clear about how we handle the information we collect from you or create about you. We’ll never sell your personal data and will only share it with organisations we work with when necessary and the privacy and security of your data is assured.
Welcome to our Data Centre
Here at Boundless we strongly believe in the principles of data privacy and protection and don’t aim to just meet our regulatory requirements but exceed them. Details of how we collect, use and treat personal data are provided through Privacy Notices – we understand though that these can be lengthy and confusing and at times irrelevant to some people, so we have provided several clearer shorter notices to try and make them meaningful and relevant to the circumstances. We will detail how we collect, use, process and safeguard your personal information and any conditions under which we may need to share personal information through Privacy Notices, as required under the DPA 2018 and GDPR. We will also cover how information may be used for marketing and communication activities, your choices in this regard, your privacy rights and how the law protects you.
In addition to the information provided in our Privacy Notices, below we have set out some of the steps we have taken in regard to handling your personal data at Boundless.
Governance & Oversight – We use the Accountability Framework provided by the ICO in 2020 to ensure we meet their expectations in terms of the 7 Data Protection Principles. We have appointed a Data Protection Officer to provide a centralised contact for all thing’s privacy related. We invite independent 3rd parties to audit our compliance to Data Privacy and GDPR – in our last audit we were rated as ‘Excellent’.
Collection of Data – We collect data directly from individuals in most cases – when we do you will be provided with information on how this data will be used along with other information through a Privacy Notice. The main purpose of collecting data and processing it is for the management of membership accounts. We will only obtain personal data by lawful and fair means.
When we make any changes to the collection or use of personal data, we conduct a Data Protection Impact Assessment. A DPIA is a process designed to help to systematically analyse, identify and minimise the data protection risks and is generally a requirement if a potential high risk is identified. At boundless we go further and conduct such an assessment whenever we make a change to any process, system or new initiative to ensure we consider in a fair and transparent manner and implications.Data Processing – We will typically be the Data Controller of personal data and key reasons for processing data will be for the provision of a service to you. When personal data is processed, we establish a lawful basis for this activity. In almost all occasions this will be either with your consent, for a contractual reason (Membership Terms and Conditions), a legal obligation or due to a legitimate interest to either you or us. When using legitimate interest is the lawful basis, we conduct a Legitimate Interest Assessment based on the ICO’s guidance.
Data Protection – We adopt physical, technical and organisational measures to ensure the security of personal data. We have a Privacy Team led by our Data Protection Officer who ensure a continual awareness and training programme is carried out for all employees in regard to the importance of personal data and their obligations to protect it. We have a policy framework in place to address how data is used and protected from point of collection to deletion.
Data Sharing & Third Parties – We use a number of third parties for various services, from website hosting to mailing houses. We have a due diligence onboarding process that is used to ensure we only work with trusted partners and service providers. When data is shared with a third party we follow the ICO’s Data Sharing Code of Practice and ensure the appropriate contracts and data sharing agreements are in place.
Marketing – Boundless is a member of the Data & Marketing Association and follows their code, which is overseen by the Data & Marketing Commission. We also adhere to the ICO’s Direct Marketing Code of Conduct when processing data for Marketing purposes and follow the Privacy & Electronic Communications Regulations (2003). In most cases we use your consent for the provision of marketing to you which you can withdraw at any time.
Payment Card Handling – We have an active PCI-DSS (Payment Card Industry Data Security Standard) compliance programme and have been certified as PCI Compliant by Worldpay, our payment processor and acquirer. Card payment data is not
How to contact us – If you have any questions in relation to how we use your personal data or want to know more information that you can not find here, you can contact us in any of the following ways:
Web Chat – when available just click on the web chat function to be put in touch with one of our friendly Member Service Advisors.
Email – membership@boundless.co.uk
Post – Member Services, Boundless, 21 Station Street, Brighton, BN1 4DE
Telephone – call 03301 230374 (Lines open Mon - Sat 9am - 5pm)
Alternatively, you can contact our Data Protection Officer who will be happy to answer any questions or concerns you might have. You can contact him directly at dpo@boundless.co.uk.