The General Data Protection Regulation (GDPR)
Who is the Data Controller?
Hills Balfour Ltd
Data Controller contact details
Email: [email protected]
Tel: +44 (0)207 593 1700
What is personal data?
Personal data means any information which relates to a living individual who can be identified either directly or indirectly by reference to an identifier such as their name, email address and other personal details.
Why do we process your personal data?
We process your personal data for the following purposes:
- To respond to enquiries or requests that you send us
- To invite you to events related to your job, both where we are the Data Controller and where our client is the Data Controller and we are the Data Processor under contract
- To send you marketing information where we and/or our clients have lawful grounds
- Staff administration including payroll and payroll administration, tax calculations and payments
- Performance assessments
- The provision of employee benefits including healthcare and maternity benefits
- Sickness, parental, volunteering and other types of leave
- Promotion and succession planning
- To monitor compliance with our policies and procedures
- General administration
- Regulatory requirements
- Other processes related to the above
We do not knowingly process personal data of children under 16, except if you bring your family on one of the events or tours. We will retain the data only until the tour or event has finished and as described in our Data Retention Policy.
Improved rights under the General Data Protection Regulation
You have some improved rights under the GDPR.
- Data Subject Access Request: You have the right to access the personal information we may hold about you. On receipt of such a request we will endeavour to respond to you as soon as possible, but at least within one calendar month. You must provide us with 2 forms of personal identity to ensure that we only disclose to you information which is relevant to you personally. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
- Rectification: You have the right to request that we amend any personal information that may be incorrect or require updating.
- Erasure: You have the right to request that we delete any personal information pertaining to you. Any questions about these rights may be sent to [email protected]
- The right to restrict processing. Individuals have a right to ‘block’ or suppress processing of personal data. If you decide to do this, we will continue to store the data, but not further process it until we have agreed a solution to the issue you have raised.
Do we collect any special categories of personal data?
Sometimes we need to process special categories of personal data with information you supply in order to note any health information, such as disabled access, and your dietary requirements.
Do we collect data from third party or public domain sources?
We may collect your personal data from you, a member of staff, face to face, or from a public source where we believe that you will be interested in what we do. Where we collect personal data from a third party or public domain source, we provide a means to opt out or unsubscribe on every message we send you.
Information on our grounds for lawful processing?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where we need to comply with a legal or regulatory obligation.
- Where we have your consent.
Legitimate Interest means the interest of Hills Balfour Ltd or our clients
We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at [email protected].
As required under GDPR we have conducted a Legitimate Interest Assessment in relation to sending marketing information. We assessed the balance of your rights with ours and our clients'. We believe you will not be disadvantaged by receiving our communications and we can demonstrate under GDPR that we have a legitimate interest in using your data for marketing purposes. You always have the choice of opting out, unsubscribing or contacting us at [email protected]
How to stop receiving communications.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time at [email protected]
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a contract we may have with you.
We will not send marketing communications to individuals who have unsubscribed, opted-out or otherwise asked us to stop direct marketing. Where we collect contact information from you which may be used for marketing purposes, we will let you know how to stop receiving such information if that’s what you prefer.
Marketing research and surveys
We may contact you from time to time to seek your views via a short survey to inform our strategic direction, your thoughts about our work, and other matters. You always have the choice about whether to take part in our research.
Is data processed outside of the EEA?
Where our clients are located outside of the European Economic Area, they control the data and local or national rules apply. Data where Hills Balfour is the Data Controller is processed in the UK.
Is data shared with 3rd parties and if so, who?
We may have to share your personal data with the parties set out below for the purposes set out in the table below. External Third Parties are all based in the United Kingdom.
- Service providers acting as Data Processors who provide IT and system administration services.
  - IT services - Priority One
- Professional advisers acting as Data Processors including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
  - Pension Actuaries - NEST
  - Bankers - HSBC Bank Plc
  - HR - Law at Work
  - Lawyers - Osborne Clarke LLC
  - Data Protection Consultants - Opt-4
- HM Revenue & Customs, regulators and other authorities acting as Data Processors who require reporting of processing activities in certain circumstances.
- Marketing, communications.
  - Website - Hills Balfour International DMCC (Dubai)
  - Email broadcasting - MDSG; Swiftpage; Mail Chimp
  - Database - Database Vision
  - Digital Marketing - Digital Spring
  - Social Media Content - Chute
- Our clients in the travel industry who represent travel destinations, hotel groups, cruise lines, convention centres, travel technology, airlines, government offices, sports organisations, insurance companies, shopping outlets, tour operators and attraction venues.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where we disclose personal data to our suppliers in order for them to process personal data on our behalf, we have a contract in place compliant with the GDPR to ensure the security of any personal data that each Data Processor or sub-processor processes.
Cookies and Similar Technologies
What are cookies?
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. There are different types of cookies: some are essential for the site to operate properly, whereas others are aimed at enhancing and personalising your user experience. Cookies can help us to understand how consumers are interacting with our website, which helps us to improve our site and deliver a better service to you.
What types of cookies are there?
Strictly necessary cookies.
Generally, these cookies will be essential first-party session cookies. Not all first-party session cookies will fall into the strictly necessary category for the purposes of the Cookie legislation. Strictly necessary cookies will generally be used to store a unique identifier to manage and identify the user as unique to other users currently viewing the website, in order to provide a consistent and accurate service to the user.
These cookies are essential in order to enable you to move around the website and use its features, such as signing-up to receive emails from us.
These cookies generally collect information about how visitors use our website, for instance which pages visitors go to most often, and the pages that they don’t. This helps us to understand and improve the site so it is easy to use and includes helpful content. They allow us to fix bugs or glitches on the website. These cookies don’t collect information that identifies visitors, so we can’t identify you. For example, we use "Google Analytics" cookies (a web analytics service provided by Google, Inc).
These cookies allow our website to remember the choices you make as you browse the site. They provide more enhanced and personal features. The information collected is anonymised and they cannot track your browsing activity on other sites once you leave our site.
Type of cookie
These cookies allow websites to remember information and settings for the next user visit, making browsing more practical and rapid, because, for example, it is no longer necessary to make a login.
Google Analytics Cookies
We use Google Analytics to monitor traffic levels, search queries and visits to this website. These cookies enable Google to determine whether you are a return visitor to the site, and to track the pages that you visit during your session.
Used to distinguish users
Used to distinguish users
Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>
How to turn off cookies
For more information go to http://www.allaboutcookies.org/
Data security – how we protect your data
We follow appropriate security procedures in the collection, storage and use of your Information so as to prevent unauthorised access by third parties.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We process data at our offices at Cornwall House, 58 Southwark Bridge House, London, SE1 0AS with access restrictions in place and at the sites of our Data Processors within the UK. Our IT specialist retains our data at a different location equally protected behind the appropriate firewalls and other security devices.
However, unfortunately, the transmission of Information via the Internet is not completely secure. We cannot ensure the security of your Information transmitted by you to us via the internet. Any such transmission is at your own risk and you acknowledge and agree that we shall not be responsible for any unauthorised use, distribution, damage or destruction of your Information, except to the extent we are required to accept such responsibility by the GDPR, the Privacy and Electronic Communications Regulations or the Data Protection Act. Once we have received your Information we will use security procedures and features to prevent unauthorised access to it.
External links not covered by this policy
Please remember that when you use a link to go from our website to another website or you request a service from a third party, our Policy no longer applies. Your browsing and interaction on any other website or your dealings with any other third party service provider, is subject to that website’s or third party service provider’s own rules and policies. We do not monitor, control, or endorse the Information collection or privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you deal with and to contact them if you have any questions about their respective privacy policies and practices. This Policy applies solely to Information collected by us through our website or services and does not apply to these third party websites and third party service providers.
How long do we keep your data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us at [email protected]
Please be advised that if you visit our premises CCTV is in operation for security purposes in the main entrance hall and on each floor of the office.
What to do if you have a concern.
Please contact us first on [email protected] and we will do our best to help you. If you are not satisfied, you may contact the Regulator. The Regulator of GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (updated 2004 and 2011) is the Information Commissioner’s Office. If you feel you wish to draw the Regulator’s attention to the way and the purposes for which we are processing personal data, you may contact the ICO.
Content and copyright.
All content included on this site, including text, images, software, motion videos and graphics, is the property of Hills Balfour or our clients and is protected by UK copyright laws. The material on this website is for personal and information use only. Unauthorised reproduction, distribution, display or transmission is strictly prohibited. All Hills Balfour and GTI logos, names and graphics are trademarks of Hills Balfour and may not be reproduced or used for any product or purpose unrelated to Hills Balfour without express permission.
May 25th 2018