
BRITISH FRANCHISE ASSOCIATION – PRIVACY NOTICE

IMPORTANT NOTICE

This is the Privacy Notice of the British Franchise Association (company limited
by guarantee, registered number 01341267) whose registered office is at 85f
Park Drive, Milton Park, Milton, Abingdon, Oxfordshire, OX14 4RY (“BFA”, “we”,
“us” or “our”) and sets out how we collect and process your personal data. This
Privacy Notice also provides certain information that is legally required and lists
your rights in relation to your personal data.

This Privacy Notice relates to personal information that identifies “you”,
meaning:

  • individuals who are engaged by or otherwise involved with our
    franchisor members, franchisee members or affiliate members;
  • individuals who are engaged by or otherwise involved with
    exhibitors at our exhibitions or franchisees of franchisor members;
  • individuals involved with our Qualified Franchise Professional
    (“QFP”) scheme;
  • individuals involved with our online courses including our Prospect
    Franchisee Certificate or Prospect Franchisor Certificate;
  • individuals who browse our website;
  • individuals involved with our suppliers or professional advisers;
  • any other individuals outside our organisation with whom we
    interact.


If you are an employee, contractor or otherwise engaged in work for us, a
separate privacy notice applies to you instead.

We refer to personal information identifying you as “personal data” throughout
this Privacy Notice and paragraph 3 sets out further detail of what this includes.
Please read this Privacy Notice to understand how we may use your personal
data.

This Privacy Notice is not intended for children and we do not knowingly collect
personal data relating to children.

This Privacy Notice may vary from time to time so please check it regularly. This
version of this Privacy Notice was first published on 25th May 2018 and has not
been updated since.

HOW TO CONTACT US

For the purposes of relevant data protection legislation, we are a ‘controller’ of
your personal data in some situations. This means we determine the means and
purposes of processing your personal data. As a controller we use the personal
data we hold about you in accordance with this Privacy Notice.

If you wish to correct your personal data held by us or to opt out at any time
from receiving marketing correspondence from us or to alter your marketing
preferences please contact: communications@thebfa.org

If you have any questions about this privacy notice or how we process your
personal data, or if you would like to exercise your rights in relation to your
personal data, please contact us by:

  • sending an email to privacy@bfa.org
  • writing to us by post to: Compliance Department, British Franchise
    Association, 85f Park Drive, Milton Park, Milton, Abingdon,
    Oxfordshire, OX14 4RY
  • calling us on: 01235 820470

CATEGORIES OF PERSONAL DATA WE COLLECT

The categories of personal data about you that we may collect, use, store, share
and transfer are:

  • Individual Data. This includes personal data which relates to your
    identity, such as your first name, middle name, last name, prefix,
    username or similar identifier, job title, signature, date of birth and
    gender and your contact details such as your billing address,
    delivery address, email address and telephone numbers;
  • Account and Profile Data. This includes personal data which
    relates to your account or profile on our website, such as your
    username and password, purchases or orders made by you, your
    interests, preferences, feedback and survey responses;
  • Advertising Data. This includes personal data which relates to
    your advertising preferences, such as information about your
    preferences in receiving marketing materials from us and your
    communication preferences;
  • Information Technology Data. This includes personal data which
    relates to your use of our website, such as your internet protocol
    (IP) address, login data, traffic data, weblogs and other
    communication data, browser type and version, time zone setting
    and location, browser plug-in types and versions, operating system
    and platform and other technology on the devices you use to access
    our website;
  • Economic and Financial Data. This includes personal data which
    relates to your finances, such as your accounts where you are a
    sole trader or your bank account and payment card details where
    you are an individual purchasing a course or membership from us
    and information which we collect from you for the purposes of the
    prevention of fraud;
  • Sales Data. This includes personal data which relates to the
    transactions you have conducted with us, such as details about
    payments to and from you, details of membership subscriptions or
    purchases from our shop;
  • Audio and Visual Data. This includes personal data which is
    gathered using our CCTV or other recording systems in the form of
    images, video footage and sound recordings that is taken at any of
    our locations or otherwise by us for promotional purposes;
  • Health Data. This includes personal data which is gathered
    for health and safety purposes including any accident report
    or claim log or any information you provide about allergies or
    other medical conditions;
  • Market Research Data. This includes personal data which is
    gathered for the purposes of market research, such as the
    BFA/NatWest survey and our members’ survey.

Other Categories

We may also create Personal Data about you, for example, if you contact us by
telephone to make a complaint, for example about our services, then we may
make a written record of key details of the conversation so that we can take
steps to address the complaint.

Aggregated Data

We also obtain and use certain aggregated data such as statistical or
demographic data for any purpose (“Aggregated Data”). Aggregated Data may
be derived from your personal data but does not directly or indirectly reveal your
identity. For example, we may aggregate your Information Technology Data to
calculate the percentage of users accessing a specific feature on our website.
However, if we re-combine or re-connect Aggregated Data with your personal
data so that it can directly or indirectly identify you, we treat the combined data
as personal data which will be used in accordance with this Privacy Notice.

Special Categories of Data

In addition, we may obtain certain special categories of your data (“Special
Categories of Data”), and this Privacy Notice specifically sets out how we may
process these types of personal data. The Special Categories of Data are: (i)
personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership; and (ii) the processing of
genetic data, biometric data for the purposes of uniquely identifying a natural
person, data concerning health or data concerning a natural person’s sex life or
sexual orientation.

We also collect information about criminal convictions and offences as part of our
accreditation process.

WHERE WE GET YOUR PERSONAL DATA FROM

We obtain your personal data from the following sources:

Directly from you, including via our website, by email, by post, by
telephone or in person at one of our events or otherwise. This could
include personal data which you provide when you:

  • submit an application to become a member of the BFA;
  • send a dispute form or response to us or other information as
    part of our informal conciliation, mediation or arbitration
    processes;
  • send information in relation to your or someone else’s QFP
    qualification;
  • submit an entry for a BFA award;
  • submit a franchise case study for our website;
  • send an exhibition application form and supporting
    information;
  • create an account on our website;
  • subscribe to our newsletter;
  • place an order for a product in our online shop;
  • request information on our products or services or for other
    marketing to be sent to you;
  • enter into a competition or promotion;
  • complete a survey from us or give us feedback; and
  • email us, give us an engagement letter or otherwise provide
    us with your details in the course of business including as an
    employee of one of our suppliers or professional advisers.

From someone else who provides us with information containing
your personal information such as when they: 

  • submit an application to become a member of the BFA;
  • submit an application for an upgrade of membership with the
    BFA;
  • submit an application for a re-accreditation of membership
    with the BFA;
  • send a dispute form or response to us or other information as
    part of our conciliation, mediation or arbitration processes;
  • send an application to become a QFP;
  • send information in relation to your or someone else’s QFP
    qualification;
  • pass us your details where you are nominated as a referee of
    a prospective BFA affiliate or sponsor of a prospective BFA
    franchisor member or franchisee member;
  • complain to us about the actions of a BFA member;
  • submit an entry for a BFA award; and
  • complete a survey from us or give us feedback.

Automated technologies, such as CCTV or other recording
systems, cookies, server logs and other similar technologies. We
may automatically collect Information Technology Data about your
equipment, browsing actions and patterns by using cookies, server
logs and other similar technologies. We may also receive
Information Technology Data about you if you visit other websites
employing our cookies. Please see our cookie policy
www.thebfa.org/cookies-policy for further details.

Publicly available sources, such as:

  • Companies House;
  • HM Land Registry;
  • Industry magazines.


HOW WE USE YOUR PERSONAL DATA & OUR BASIS FOR USING IT

Where we are relying on a basis other than consent

We may rely on one or more of the following legal bases when processing your
personal data. We have set out below the purposes for which we may process
your personal data:

Purpose for which we process your personal data:

To assess applications for new franchisor members, exhibition applicants,
franchisee members or affiliates of the BFA or individuals working towards
obtaining the QFP or an online course certificate like our Prospect Franchisee
Certificate or Prospect Franchisor Certificate and where applicable, to register
that person for membership or to receive our services.

Categories of personal data processed:

  • Individual Data;
  • Economic and Financial Data;
  • Account and Profile Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary:

  • to perform a contract with you; and
  • for our legitimate interest in the provision of our services.


Purpose for which we process your personal data:

In order to perform our contractual obligations to you (whether you are a
BFA member, BFA affiliate, professional working towards QFP status, customer
of our online shop or engaged by one of our suppliers). This would include:

  • processing and performing any bookings on our events placed by you;
  • providing our services to you;
  • assessing information with respect to the grant of awards or
    qualifications;
  • processing in relation to orders placed by us where you are a supplier;
  • handling complaints about BFA members or affiliates;
  • making or receiving payments, fees and charges and reclaiming VAT
    where applicable;
  • audit purposes; and
  • collecting and recovering money owed.

Categories of personal data processed:

  • Individual Data;
  • Economic and Financial Data; and
  • Sales Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary:

  • to perform any contract entered into with you; and
  • for our legitimate interest in recovering debts owed to us and in the
    provision of our services and operation of our business.

Purpose for which we process your personal data:

In order to manage our relationship with you including:

  • to send you important notices such as communications about
    changes to our terms and conditions and policies (including this
    Privacy Notice);
  • to provide you with important real-time information about our
    events, services or products (e.g. a change of time or location due
    to unforeseen circumstances);
  • to send you information you have requested;
  • to deal with your enquiries; and
  • to ask you to leave a review or feedback on us.

Categories of personal data processed:

  • Individual Data;
  • Account and Profile Data;
  • Sales Data; and
  • Advertising and Marketing Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary:

  • to perform any contract entered into with you;
  • to comply with the law; and
  • for our legitimate interests in the management and operation of our
    business, to keep our records updated and to study how guests use our
    products/services.

Purpose for which we process your personal data:

In order to carry out surveys of our franchisor members’ franchisees as part of
the franchisor’s membership application.

Categories of personal data processed:

  • Individual Data

The basis on which we can do this (this is what the law allows):

The processing is necessary for our legitimate interests in the management
and operation of our business.

Purpose for which we process your personal data:

For our dispute resolution service:

  • where a franchisee makes a complaint about a BFA member franchisor,
    we will process the information provided including any personal data and
    we will notify the franchisor of the complaint including details of the
    complainant;
  • where a BFA member makes a complaint about another BFA member we will
    process the information provided including any personal data and we
    will notify the BFA member of the complaint including details of the
    complainant.

Categories of personal data processed:

  • Individual Data

The basis on which we can do this (this is what the law allows):

The processing is necessary:

  • to perform any contract entered into with you;
  • for our legitimate interests in the management and operation of
    our business, and
  • the complainant has given their consent to the processing.

Purpose for which we process your personal data:

In order to comply with our own legal obligations, e.g. health and safety
legislation, or to assist in an investigation (e.g. from the police).

Categories of personal data processed:

  • Individual Data;
  • Audio and Visual Data; and
  • Health Data

The basis on which we can do this (this is what the law allows):

The processing is necessary for us to comply with the law.

Purpose for which we process your personal data:

In order to use your personal data in life or death situations and there is no
time to gain your consent (e.g. in the event of an accident at one of our
locations or events and we have to give your personal details to medical
personnel).

Categories of personal data processed:

  • Individual Data; and
  • Health Data

The basis on which we can do this (this is what the law allows):

The processing is necessary in order to protect the vital interests of an
individual.

Purpose for which we process your personal data:

In order to administer and protect our organisation, deal with any misuse of
our website and to comply with our security policies at our locations.

Categories of personal data processed:

  • Individual Data;
  • Account and Profile Data;
  • Audio and Visual Data; and
  • Information Technology Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary:

  • for our legitimate interest in provision of administration and IT
    services, network security, to prevent fraud and in the context of a
    business reorganisation or group restructuring exercise; and
  • to comply with the law.

Purpose for which we process your personal data:

In order to make suggestions and recommendations to you about goods or
services that may be of interest to you, deliver relevant website content and
advertisements to you and to measure or understand the effectiveness of our
advertising.

Categories of personal data processed:

  • Individual Data;
  • Sales Data;
  • Information Technology Data; and
  • Advertising and Marketing Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary for our legitimate interests to study how guests
use our products/services, to develop our products and services and ensure our
marketing is relevant to you, to grow our business and to inform our marketing
strategy.

(We will only rely on legitimate interests to market to you where we are sending
marketing to your corporate email address or work number or you gave your
details when you purchased membership, products or services from us.
Otherwise, we will rely on consent.)

Purpose for which we process your personal data:

For internal purposes to use data analytics, to identify usage trends,
determine and measure the effectiveness of promotional campaigns and
advertising and to improve our website, products/services, marketing, customer
relationships and experiences.

Categories of personal data processed:

  • Information Technology Data;
  • Advertising and Marketing Data; and
  • Advertising and Market Research Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary for our legitimate interests in defining types of
customers for our products and services, to keep our website updated and
relevant, to develop our business and to inform our marketing strategy.

Purpose for which we process your personal data:

To communicate with you about, and administer your participation in, special
events, programs, promotions, any prize draws or competitions.

Categories of personal data processed:

  • Individual Data;
  • Account and Profile Data;
  • Sales Data;
  • Information Technology Data; and
  • Advertising and Marketing Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary:

  • for performance of a contract with you; and
  • for our legitimate interests to promote our business.

Purpose for which we process your personal data:

In order to enforce or apply our terms of use, terms and conditions of supply
and other agreements with third parties.

Categories of personal data processed:

  • Individual Data;
  • Account and Profile Data;
  • Sales Data; and
  • Economic and Financial Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary for our legitimate interests in protecting our
business and property and recovering debts owed to us.

In addition, we may lawfully process Special Categories of Data in
certain ways. We set these out below along with the legal bases on
which we process these Special Categories of Data:

Purpose for which we process your personal data:

  • In order to use our knowledge of any health-related personal data
    you disclose to us in the event of illness or injury or some other
    related emergency; and
  • In order to use information about your health in providing our services
    to you, where you have published in a public forum that you are
    suffering from a particular health condition (e.g. a dietary condition
    when booking to attend a seminar or event with us).

Categories of personal data processed:

  • Health Data.

The basis on which we can do this (this is what the law allows):

The processing is necessary to comply with social protection law in the case of a
health and safety incident recorded at any of our locations or in order to protect
the vital interests of you or another individual where you or the individual is
physically or legally incapable of giving consent.

Where we may rely on consent

We would like to use your personal data for a variety of different purposes. For
certain of these purposes it is appropriate for us to obtain your prior consent.
These are as follows:

  • where we would like to use photos or images taken of you in promotional
    materials on our social media, website or other materials;
  • where you provide personal information that you agree may be published
    in the public domain including in a magazine, press release or on our
    website (in a franchise case study or otherwise);
  • where, in the provision of our services to you, we need to use the Special
    Categories of Data that you provide to us;
  • to send an exhibition application form to you;
  • in relation to the use of our dispute resolution process, where the
    complainant has given their consent (see table above);
  • where you are not a member and specifically ask us to send you
    marketing on our membership, upcoming events, courses or other
    services we think you may like to hear about.

The legal basis of consent is only used by us in relation to processing that is
entirely voluntary – it is not used for processing that is necessary or obligatory
in any way.

You may at any time withdraw the specific consent you give to our processing
your personal data. Please contact us using the contact details set out in
paragraph 2 or click on the unsubscribe link on our marketing email or (if you are
a member) you can also log onto your online account with us and manage your
preferences there.

Please note even if you withdraw consent for us to use your personal data for a
particular purpose we may continue to rely on other bases to process your
personal data for other purposes.

WHO RECEIVES YOUR PERSONAL DATA

We may disclose your personal data to:

  • our third party data processors who may process data on our behalf to
    enable us to carry out our usual business practices including WorkBuzz
    Analytics Ltd for the purpose of membership accreditation, upgrade, and
    re-accreditation surveys, businesses that provide our accountancy software,
    relationship management software, external archiving services, direct
    debit software, website, banking facilities etc. Any such disclosure will
    only be so that we can process your personal data for the purposes set
    out in this Privacy Notice;
  • hotels or venues that provide accommodation to you when you book an
    event with us that includes accommodation;
  • third parties operating plugins or content (such as Twitter, Facebook,
    Instagram) on our website which you choose to interact with;
  • fellow attendees at our events that you book onto;
  • HMRC, legal and other regulators or authorities, including those who
    request your personal data or to report any potential or actual breach of
    applicable law or regulation;
  • external professional advisers such as accountants, bankers, insurers,
    auditors and lawyers;
  • law enforcement agencies, courts or other relevant party, to the extent
    necessary for the establishment, exercise or defence of legal rights;
  • third parties where necessary for the purposes of prevention,
    investigation, detection or prosecution of criminal offences or the
    execution of criminal penalties;
  • third parties which are considering or have decided to acquire some or all
    of our assets or shares, merge with us or to whom we may transfer our
    business (including in the event of a reorganisation, dissolution or
    liquidation);
  • our PR agency and customer feedback;
  • our external judges who adjudicate our awards programmes and the QFP;
    and
  • our Board and Committee members.

PERSONAL DATA ABOUT OTHER PEOPLE WHICH YOU PROVIDE TO US

If you provide personal data to us about someone else (such as one of your
directors or employees, or any of your franchisees (where you are a franchisor), or
someone with whom you have business dealings) you must ensure that you are
entitled to disclose that personal data to us and that, without our taking any
further steps, we may collect, use and disclose that personal data as described
in this Privacy Notice.

You must ensure the individual concerned is aware of the various matters
detailed in this Privacy Notice, as those matters relate to that individual,
including our identity, how to contact us, the way in which we collect and use
personal data and our personal data disclosure practices, that individual’s right
to obtain access to the personal data and make complaints about the handling of
the personal data, and the consequences if the personal data is not provided.

ACCURACY OF YOUR PERSONAL INFORMATION

It is important that the personal data we hold about you is accurate and current
and we take all reasonable precautions to ensure that this is the case but we do
not undertake to check or verify the accuracy of personal data provided by you.
Please keep us informed if your personal data changes during your relationship
with us either by logging onto your account on the website or by contacting us.

We will not be responsible for any losses arising from any inaccurate,
inauthentic, deficient or incomplete personal data that you provide to us.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

It is possible that personal data we collect from you may be transferred, stored
and/or processed outside the European Economic Area.

In connection with such transfers:

  • the relevant safeguard in place is the standard data protection contractual
    clauses between us and the recipient and a copy can be obtained by
    contacting us using the contact details set out in paragraph 2; or
  • this is made on the basis of an adequacy decision, namely:
      o the Privacy Shield for transfers to the US; or
      o the European Commission has decided that the relevant non-EU
        country ensures an adequate level of protection.

Our website server is hosted in the United States of America and transfers are made
on the basis of the Privacy Shield.

HOW LONG WE WILL STORE YOUR PERSONAL DATA FOR

We will store your personal data for the time period which is appropriate in
accordance with our data retention policy, a copy of which can be obtained by contacting
us using the contact details set out in paragraph 2.

WITHHOLDING NECESSARY PERSONAL DATA

In certain circumstances the provision of personal data by you is a requirement
to comply with the law or a contract, or necessary to enter into a contract.

It is your choice as to whether you provide us with your personal data necessary
to enter into a contract or as part of a contractual requirement. If you do not
provide your personal data then the consequences of failing to do so may mean
that we are unable to provide services to you. For example if you do not provide
your bank account details when applying for an event, membership or purchase
that required payment then we will not be able to provide that service.

YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA

Subject to applicable law including relevant data protection laws, in addition to
your ability to withdraw any consent you have given to our processing your
personal data (see paragraph
), you may have a number of rights in connection with the processing of your
personal data, including:

  • the right to request access to your personal data that we process or
    control;
  • the right to request rectification of any inaccuracies in your personal data
    or, taking into account the purposes of our processing, to request that
    incomplete data is completed;
  • the right to request, on legitimate grounds as specified in law:
      o erasure of your personal data that we process or control; or
      o restriction of processing of your personal data that we process or
        control;
  • the right to object, on legitimate grounds as specified in law, to the
    processing of your personal data;
  • the right to receive your personal data in a structured, commonly used
    and machine-readable format and to have your personal data transferred
    to another controller, to the extent applicable in law; and

If you would like to exercise any of the rights set out above, please contact us
using the contact details set out in paragraph 2.

You may also have the right to lodge complaints regarding the processing of
your personal data with the Information Commissioner’s Office or other relevant
supervisory body. Please see https://ico.org.uk/concerns/ for how to do this.

TECHNICAL AND SECURITY MEASURES

We take the security of your personal data seriously and have technical and
organisational measures to ensure a level of security appropriate to the risk.

We use a mixture of measures including utilising technology to combat
cybersecurity threats, data management techniques, user access and management
procedures, physical security and guidelines for personnel.

Our measures are aimed at having the ability to:

  • ensure the ongoing confidentiality, integrity, availability and
    resilience of processing systems and services; and
  • restore the availability and access to personal data in a timely
    manner in the event of a physical or technical incident.

LINKS TO OTHER WEBSITES

This Privacy Notice only applies to us. If you link to another website from our
website, you should remember to read and understand that website’s privacy
notice as well. We do not control unconnected third-party websites and are not
responsible for any use of your personal data that is made by unconnected third
party websites.
