The privacy and security of your personal information is extremely important to us. Please read this privacy notice carefully, as it explains how and why we use your personal data, to make sure you stay informed, so you can be confident when you share your information with us.

The purpose of this privacy notice is to inform you on how your personal data is used by us here at Parliament Hill when you visit or use our website parliament-hill.co.uk, when you make an online enquiry, engage with us on behalf of your employer or business, or when we engage with you about working together on a business to business basis or engage with us or express an interest in our services.

1. Who we are

In this notice whenever you see the words ‘we’, ‘us’, or ‘our’, it refers to Parliament Hill Ltd, a subsidiary of the Civil Service Motoring Association Limited and we are authorised and regulated by the Financial Conduct Authority (308448) and registered with the Information Commissioners Office under registration number Z8868557.

If you have any questions in relation to this privacy policy or how we use your personal data, you can contact us in any of the following ways:

Email:  info@parliament-hill.co.uk

Post: Parliament Hill, Britannia House, 21 Station Street, Brighton BN1 4DE

Telephone: 0207 710 9494 

We also have a Group Data Protection Officer who will be happy to answer any questions or concerns you might have. You can contact him directly at  dpo@boundless.co.uk.

2. Our services and products

Our services and products are intended for UK residents only and we do not knowingly collect personally identifiable information from anyone under the age of 13. This website is not intended for use by children and we do not knowingly collect data relating to children. If we become aware that we are holding any information about children under the age of 13, we will take any actions necessary to comply with data protection legislation, including, if appropriate, deleting the information. If you become aware that your child (under 13) has provided their personal information to us without your consent, please let us know as soon as possible so that we can take appropriate action.

Our online service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

3. What personal data do we collect?

Personal data is any information that can be used to identify an individual personally, that is collected, stored and used by us. We’ll only collect the personal data that we need, and when we do we are subject to UK legislations such as the Data Protection Act 2018 and UK General Data Protection Regulations and The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. We are responsible for your data as a ‘controller’ of any personal data we collect for the purposes of those laws.

3a) Personal Data Provided by you

We will collect information directly from you - this includes information you give when interacting with us, for example when you complete our online form to request information from us or to make an enquiry and may include:

• Name, email address, telephone number
• Details of your business, your role or position, job title, company details such as sector, company size etc

If using our website, we may collect technical information such as including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform and, if you access our website via your mobile device, we will collect your unique phone identifier

Personal data you may pass may also include the names, contact details and their position within or to your organisation. We would expect that in passing us those personal details, that you have the data subject’s permission to do so. When we pass your personal data, regarding people within our organisation or who we deal with, then we will have obtained their permission to do so. Such exchange of personal data will only be used for the purposes of setting up and evaluating the viability of the benefit scheme including all pre-contract negotiation.

3b) Personal Data Automatically collected

We may automatically collect the following information from your use of our website:

• Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform and, if you access our website via your mobile device, we will collect your unique phone identifier
• Usage data, meaning information about how you use our website, products and services, including, but not limited to, the full Uniform Resource Locators (URL) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as but not limited to, scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.
• The terms that you use to search our website.

4. How we use your personal data

Our primary goal in collecting personal information from you is to either respond to your enquiry, to provide you with information about Parliament Hill and how we can support you as an employer or Membership Group and what we can offer your employees or Members. We’ll only use your personal data on relevant lawful grounds as permitted by UK Data Privacy Legislation.

Under these data-protection laws, we can only use your personal data if we have a proper reason for doing so, such as:

• to comply with our legal and regulatory obligations
• for the performance of our contract with you or to take steps at your request before entering into a contract
• for our legitimate interests or those of a third party, or
• where you have given consent

If we are asked by the police, law-enforcement agency or any other regulatory or government authority investigating suspected illegal activities, we may need to disclose and exchange information with that authority to comply with our legal and regulatory obligations.

Below are the key times and purposes we will process your data and under what lawful basis:

Ref	Personal data processed	Purpose of processing	Lawful basis for processing
i	Name, email address, contact number	When completing an online form or contacting us.	Legitimate interest – responding to your request for information
ii	Name, contact details	When collected from a public place, to offer further information about working together.	Legitimate business interest – business interest in providing a service to your business
iii	Name, email address	Sending emails to provide information about us.	Consent – you can change your consent at any time
iv	Technical and usage data	To use data analytics to improve our website, marketing and experience.	Legitimate interest

We would also be handling some of that data for our legitimate business interests. That could include, but is not limited to, the maintenance of legal records, task management, staff training and monitoring, record keeping and reporting back to give us your contact details, seeking advice from others and or contacting some specific benefit providers in the hope that a specific benefit/deal might be arranged for your organisation and your members. We may use suppliers who provide basic services to us as a commercial business and in providing their services they may have access to certain data either held by us, which they require in providing their service to us or that might pass through them.

If we discuss setting up benefit web pages, then we may involve the person we use to set up parts of the benefit web sites who will be acting as our processor when working under our instructions.

We may use IT services to design and set up a log in process or help us with the design of the benefit web site. We may use copy write services for the production of marketing material and financial promotions. We may obtain sign off of financial promotions and benefit pages from benefit providers. In doing these items we may convey, instructions, comments or opinions given by you to us with an identifier as to the source of such instructions, comments or opinions. We may need to contact Benefit Providers in the management and negotiation of Benefits.

We do not use any personal data of, nor use, any automated decision making or profiling decisions.

5. Updating your personal data

We want you to remain in control of your personal data. If at any time, you want to update or amend your personal data you can use the following methods to contact us:

• Email: info@parliament-hill.co.uk
• Post: Parliament Hill, Britannia House, 21 Station Street, Brighton BN1 4DE
• Telephone: 0207 710 9494

You can also submit a request to our Group Data Protection Officer if required.

6. Cookies & our website

Cookies are small text files stored on your computer when you visit certain websites. We use first-party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third-party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising.

In order to comply with the rules around cookies and other related tracking, our websites have a cookie management tool through Cookie Script, which places the control of data collection in your hands. Further information can be found in our cookie policy.

We use  Hotjar  on our website in order to better understand a user’s needs and to optimise the service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback should you choose to provide it. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices (in particular device's IP address (captured and stored only in anonymised form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website).

Hotjar stores this information in a pseudonymised user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s  privacy  You can opt-in to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites through our cookie management tool.

7. Keeping your personal data

We will retain your personal information only for as long as is reasonably necessary to satisfy the purposes for which it was collected, and for the purposes of satisfying any legal, accounting or reporting and regulatory requirements. These legal and other requirements require us to retain certain records for a set period of time.  In addition, we retain certain records in order to resolve queries and disputes that may arise from time to time. The retention of employee records is further subject to other laws which require us to keep records for specific time periods, namely:

• Retention of general enquiries – we will retain it for a reasonable period (up to 5 years) in case of further queries from you.
• Record of discussions and negotiations – This data will be stored by us for up to a period of 12 months after discussions have concluded if no agreement is reached, or such other times as may be required by law, or regulatory rules. If the benefit agreement goes ahead then that storage period would normally be for the length of the benefit period plus up to a further seven years or such other times as may be required by law, or regulatory rules if longer. Data stored and processed by other data controllers will be stored and processed at their discretion.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

8. How we secure your data

Information system and data security is imperative to us to ensure that we are keeping our members safe. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information. We have taken technical and organisational measures to secure your data, including:

• This website has a secure https:// address (URL). This means that a SSL certificate is in place so that if you submit any data via the website, then your information is encrypted whilst it is being transmitted to the applicable database or email server
• We limit access to your personal data to those who have a genuine business need to access it. Only employees who need the information to perform a specific job are provided with access to your data. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. Contracts will be in place to protect any personal data
• All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies.
• We conduct privacy impact assessments in accordance with data-privacy guidelines
• We implement appropriate measures and controls, including monitoring and physical measures, to the processing and storage of data
• We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so
• We require, through the use of contract and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our own policies and procedures
• We invite third-party auditors to measure our compliance with a variety of regulations, including data privacy and for accounting purposes
• When we use Legitimate Interest as a legal basis for processing personal data, we conduct a Legitimate Interest Assessment in line with recommendations from the ICO. This balance test looks at the protection of your rights and data with our use of such data. These assessments are reviewed by our Data Protection Officer to ensure the rights of members is maintained.

The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

9. Disclosing your information to third parties

When we allow third parties acting on behalf of Parliament Hill to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them such as data-sharing agreements. We do not sell or share your personal information for other organisations to use.

We use a number of third parties, whom provide their services to us for various reasons, such as IT Support providers. In these circumstances, we will remain the controller of any personal data and they act as a data processor and suitable contracts, data processing agreements and terms will be agreed between both parties.

Personal data collected and processed by us may be shared with the following groups where necessary:

• Employees
• Third-party cloud hosting and IT infrastructure providers who host our website and provide IT support in respect of the website

Also, under strict contractually controlled conditions:

• Contractors
• Service providers providing services to us
• Advisors
• Agents
• Auditors

We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of Parliament Hill, our members, clients and employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

10. Where your personal data is held

Information system and data security is imperative to us to ensure that we are keeping our members safe.

Your data may be held at our offices, third-party agencies, services providers, representatives and agents as described earlier.

If we transfer data outside the UK into the European Economic Area (EEA), we will implement appropriate suitable safeguards to ensure that such personal data will be protected as required by applicable data protection law and for the subsequent transfer from the EEA back to the UK.

11. Your rights

You have the following rights, which you can exercise free of charge:

Access	The right to be provided with a copy of your personal information (the right of access)
Rectification	The right to require us to correct any mistakes in your personal information
To be forgotten	The right to require us to delete your personal information—in certain situations
Restriction of processing	The right to require us to restrict processing of your personal information—in certain circumstances, for example, if you contest the accuracy of the data
Data portability	The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object	The right to object: —at any time to your personal information being processed for direct marketing (including profiling); —in certain other situations to our continued processing of your personal information, for example, processing carried out for the purpose of our legitimate interests.
Not to be subject to automated individual decision-making	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you
Right to withdraw consent	If you have given us your consent to use your personal information, you can withdraw your consent at any time. This might impact our ability to provide goods and services to you

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the  Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

• Send a written request by either email or letter to our Data Protection Officer (please see ‘Who We Are’)
• email, call or write to our Data Protection Officer (please see ‘Who We Are’)
• let us have enough information to identify you
• let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
• let us know what right you want to exercise and the information to which your request relates

12. How to complain

If you have any queries, concerns or wish to make a complaint you should contact our Data Protection Officer with any query or concern about the use of your information.

The Data Protection Act 2018 gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at  ico.org.uk/concerns/  or telephone:  0303 123 1113 .

13. Changes to this privacy notice

Because of these ongoing changes, changes or amendments in the law we will need to update this notice from time to time. If and when our data practices change, we will notify you of the changes via this page where the current version of the Privacy Policy will be published.

Where appropriate, we will notify you of any significant changes usually by email, but occasionally in another more appropriate format such as letter. We encourage you to check this page frequently also.