1. Controller
BUSINESS CERTIFICATION BUREAU LTD, company number 17254091, is the controller for personal data described in this notice. Contact: contact@bcbgb.com; 1 Schrier Ropeworks, Arboretum Place, London, United Kingdom, IG11 7FL.
2. Scope
This notice covers website visitors, enquirers, applicants, client representatives, business owners and officers, certificate users, professional partners, suppliers and other contacts. A service-specific privacy statement may supplement this notice.
3. Personal data we may collect
- identity and contact information;
- job title, employer, authority and professional details;
- company, officer, ownership and control information;
- enquiry, service, payment and correspondence records;
- identity and verification evidence provided through approved secure channels;
- public-register and due-diligence information relevant to the agreed service;
- website technical, security and preference data; and
- complaint, rights-request and audit records.
4. Sources
We may obtain data directly from you, your organisation, an authorised professional partner, public registers, identity-verification providers, screening sources, service providers and other lawful sources relevant to the agreed purpose.
5. Purposes and lawful bases
- Enquiries and contracting: steps before contract and legitimate interests in responding and administering business relationships.
- Certification and verification: contract, legitimate interests in operating a trustworthy credential system and, where applicable, legal obligation.
- Corporate services and onboarding: contract, legal obligation and legitimate interests in fraud and risk prevention.
- Monitoring and status management: contract and legitimate interests in preserving certification integrity.
- Security, complaints and legal claims: legal obligation and legitimate interests in protecting rights, systems and users.
- Marketing: consent where required, or legitimate interests for proportionate business-to-business communications with an opt-out.
6. Special-category and criminal-offence data
We do not request sensitive data through the public enquiry form. Where a regulated onboarding or verification process lawfully requires special-category or criminal-offence information, BCB will identify an appropriate condition, apply additional safeguards and use a secure channel.
7. Sharing and public enquiry delivery
We may share data with authorised personnel, professional advisers, identity and verification providers, secure technology and hosting providers, payment providers, public authorities where required, professional partners acting under documented roles, and a recipient you authorise to access a credential. We do not sell personal data.
The public enquiry form is submitted through the FormSubmit form-delivery service and forwarded to contact@bcbgb.com. FormSubmit and the relevant hosting or email providers process the submitted fields to transmit the enquiry. Do not use this route for passports, bank statements, payment credentials, special-category data or other sensitive evidence. BCB will provide an approved secure route if such evidence is required after initial triage.
8. Public certificate information
A live certificate record should publish only the information necessary to verify the credential, such as legal entity details, certificate ID, trust level, scope summary, dates and status. Personal data will be minimised and access may be controlled by a PIN or other security measure.
9. International transfers
Where data is transferred outside the United Kingdom, we use an available adequacy decision, appropriate contractual safeguards or another lawful transfer mechanism, together with supplementary measures where required.
10. Retention
We retain data only as long as reasonably necessary for the purpose, applicable legal and regulatory requirements, certification history, dispute handling and security. Retention periods vary by record type and service. Unaccepted enquiries should be reviewed for deletion sooner than active client and legally required records.
11. Security
We use organisational and technical measures appropriate to the risk, including access control, secure transfer, data minimisation, supplier controls, record keeping and incident procedures. No online system is completely secure.
12. Your rights
Depending on the circumstances, you may have rights of access, correction, erasure, restriction, objection, portability and withdrawal of consent. You may also challenge solely automated decisions where the legal right applies. We may need to verify identity before acting.
13. Complaints
Contact us first so we can investigate. You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk.
14. Changes
We may update this notice. Material changes will be highlighted where appropriate and the effective date will be revised.