GBG use and secure your personal data whilst you are using the GBG website www.gbgplc.com or www.loqate.com, when you enter into a contract with GBG to provide services to your organisation, you visit one of our offices, or you apply for a job at GBG. If you are interested in how we collect and process personal information about you through our products and services, please see our Products & Services Privacy Notice.
GBG take the protection and security of your personal data very seriously and this policy sets out our responsibilities under the General Data Protection Regulation 2016 (‘GDPR’) and other applicable laws in England and Wales relating to the processing and security of personal data.
We have offices in 19 locations, and our registered head office is located within the United Kingdom.
GB Group Plc
Chester Business Park
Company Registration Number: 02415211
If you have any questions about how your personal data is used by GBG, please contact our Data Protection Officer by email at DPO@gbgplc.com or call +44 (0)1244 657277.
This policy was last updated on 6th August 2020.
Browsing our website: When you browse our website www.gbgplc.com or www.loqate.com, we will collect the Internet Protocol (IP) address of the device you are using, but will be unable to identify you at this point. We collect this data so that we can identify where customers are dropping out of the website and identify areas of improvement to make the experience more engaging for our customers.
Requesting a brochure: When you request a brochure from us, we will collect the following information from you:
Requesting a call back: when you request a call back from us, we will collect the following information from you:
Subscribing to our marketing lists: Where you have consented to receive marketing from GBG, we will collect the following information from you:
Requesting further information from us: Where you request further information from us by completing a form on our website in relation to our products and services, your details will be added to our marketing database to receive marketing from GBG relevant to the products and services you have an interest in. We will collect the following data from you:
Conferences and events: As a global organisation, GBG attends worldwide events and have marketing team members located around the world. GBG will obtain from the event organiser a delegate list of all attendees who have consented to their personal data being shared with GBG.
Entering into an agreement with GBG: When your organisation enters into an agreement with GBG to provide products and services, we will collect additional information, which is necessary for:
All personal data we collect is held electronically within our Customer Relationship Management systems (CRM) which are hosted in the United Kingdom.
GBG will share your information with third-party service partners who are acting on behalf of GBG as our data processor. Below are the details of whom GBG will share your personal data with and why:
HubSpot Inc.: provides GBG with an email marketing solution, which delivers marketing emails on our behalf. HubSpot is headquartered in the US and their product infrastructure is hosted on Amazon Web Services in the United States, with some services being routed through the Google Cloud Platform in Germany. We share the following personal data with HubSpot:
Price Waterhouse Coopers: supports GBG with our CRM systems and, as a result, their teams located in Poland may access the live system for technical support.
Microsoft: our Dynamics 365 CRM system is cloud-based and hosted by Microsoft in the UK. In addition, when you visit our website you will be directed to the Microsoft Azure instance in the region nearest to you (Ireland, Hong Kong, California, or London) and the data will be stored in Ireland.
CustomerSure: carries out our Voice of the Customer surveys and is based in the UK. In order to determine customers’ level of satisfaction following their interaction with GBG at various pre-defined trigger points, CustomerSure will receive personal information from GBG's CRM systems. This is used to facilitate the sending of an email requesting completion of a survey and, following that, analysis of and appropriate reaction to the feedback received. The data is processed by CustomerSure in the UK with the exception of the disaster recovery backups, which are hosted in Ireland.
Brace Digital: provides development and technical support of our website and is located in the UK.
GBG can assure you that we have taken all reasonable technical and organisational measures necessary to protect the personal information that our third-party service partners may access.
Where you have consented to receive marketing from GBG we will only market to you via the channel you have consented to (such as email, telephone etc.). As stated above, we use a third party service provider, HubSpot, to manage our email marketing solution. When you receive an email from GBG it will include an unsubscribe link, which you can click on if you wish to unsubscribe from our marketing lists. We will then add your email address to our suppression list, which will ensure you do not receive any further marketing from GBG.
Please be assured we do not sell your personal data to third parties for marketing purposes.
As part of the account management process, GBG will on a regular basis enquire if the personal data we hold about you is correct. You can also ensure your personal data is correct by:
Where we have collected your personal data for marketing purposes, we will retain your personal data for 6 months following our last engagement or contact or until you inform us that you no longer wish to receive marketing from us.
For account management purposes, we will retain the personal data for as long as we have the relationship with your organisation. If GBG no longer have a relationship with your organisation, then we will only keep the relevant information, such as invoices, for audit purposes for 6 years after the relationship with GBG has ended.
For GBG Data Supplier prospects, we will retain your personal data for 12 months following our last engagement or contact. Once GBG are informed you are no longer the contact we need to liaise with or you leave your organisation, we will remove your details from our system.
GBG is able to transfer data to our processors located in the United States (i.e. HubSpot and Microsoft) as they are Privacy Shield certified.
In addition, as a global organisation, we have sales teams located all over the world. It will be necessary for your personal data to be transferred to them for account management activities and, where you have provided consent, for marketing purposes. GBG will ensure the transfer of any personal data outside of the EEA is subject to appropriate safeguards.
Social media: If you contact us through one of our GBG social media accounts by either a publicly visible message or a private direct message, this will be handled by our Communications Team. You will be asked to send your enquiry to the relevant team and provided with their email address. Messages received on social media containing personal data are deleted within one week.
We do not track individuals and the analytics data we receive is not at a granular level. We do not scrape data from LinkedIn. GBG uses Sales Navigator to process personal data within LinkedIn. Obtaining personal data from LinkedIn by any other method is against the terms and conditions of LinkedIn and against GBG policy.
Emails: We use Office 365 encryption (TLS/SSL, IPSec, AES) and Mimecast to encrypt and protect email traffic. In addition, email filtering software is currently in place to monitor all incoming and outgoing emails for inappropriate or malicious content, spam, and unencrypted proprietary and/or personal data.
Purpose and legal basis for processing: We process the information mentioned in this section in order to be able to reply to any queries we receive and enhance the services we provide, which we believe also benefits our customers. The legal basis we rely on to process your personal data is Article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests, subject to a balancing test to ensure our interests are not overridden by yours.
Analytics: We use Google Analytics to measure how users interact with our website in order to understand which parts of our sites are doing well, how people arrive at our site and so on. We use this information to improve our website. Google will not associate your IP address with any other data held by it. You can learn more about Google Analytics here or opt-out if you wish here.
Search facility: The search facility on our website does not collect any personal data. Search queries and results are logged anonymously to help us improve the website and search functionality, but we do not have the ability to identify any individuals.
Security and performance: We keep a record of traffic data, which is logged automatically by our server, such as your IP address and any error messages visitors may encounter. Any traffic data we process in order to monitor our website is anonymized when required for analytics.
Purpose and legal basis for processing: We process the information mentioned above for carefully considered and specific purposes mentioned in each section, which are in our legitimate interests to enable us to enhance the services we provide, which we believe also benefits our customers. This is in accordance with Article 6(1)(f) of the GDPR subject to a balancing test to ensure our interests are not overridden by yours.
Visitor book: We meet visitors at our offices, including:
Our visitors are asked to sign in and out at reception. The information collected will be; name, company, who you’re visiting, time in/time out, vehicle license plate number (if applicable), and date. This information will be contained in the visitor’s badge, which you will be required to wear throughout your visit.
At the end of each working week, the visitor forms are securely destroyed.
If your visit is planned, we will send your name and visit information to reception prior to your visit so they are expecting you.
Purpose and legal basis for processing: It is important GBG capture the details of visitors to our offices for various reasons, including but not limited to health and safety, fire safety, building security, and safety of our team members. To process visitor information, we rely on Article 6(1)(f) of the GDPR, which allows for processing on the basis of legitimate interests, subject to a balancing test to ensure our interests are not overridden by yours.
Digital sign-in system: If you visit our London office, you will be asked to use our digital sign-in system. We will require your full name, the company you are coming from, and date of visit. Visitor data is kept for 3 months.
Purpose and legal basis for processing: We use this system to make signing in visitors more efficient and as a way of recording any invoice data necessary to handle our payments to suppliers related to use of our facilities. We rely on legitimate interests as the lawful basis for processing such data under Article 6(1)(f) of the GDPR, subject to a balancing test to ensure our interests are not overridden by yours.
Wi-Fi: In order to access our on-site guest Wi-Fi, you will need to be on the list of authorised users to access the network. When connecting to the GBG GUEST WI-FI network, you will be asked to enter in the email address of a GBG nominee, who will authorise your request for internet access. Once the GBG nominee has granted you permission, you will have access to the network. We monitor access to our internet, and log traffic information such as the IP address, sites visited, times and dates, log on times and log off times. This data is held for 12 months.
Our purpose for processing this information is to provide you with access to the internet while visiting our office and ensuring it is accessed in accordance with our policies. We are able to process this data on the basis of our legitimate interests in accordance with Article 6(1)(f) of the GDPR, subject to a balancing test to ensure our interests are not overridden by yours.
Purpose and legal basis for processing: The purpose for processing this information is to provide you with access to the internet while visiting our office. We are able to process this data on the basis of our legitimate interests in accordance with Article 6(1)(f) of the GDPR, subject to a balancing test to ensure our interests are not overridden by yours.
CCTV: Closed-circuit television (CCTV) operates both inside and outside our Chester, Kuala Lumpur, London, Melbourne, Nottingham, Turkey, and Worcester offices.
Generally, recordings will be retained for up to 30 calendar days, after which they will be deleted. Imagery required for investigative or evidential purposes may be retained beyond 30 days and is securely disposed of upon completion/conclusion of the purpose for which it was retained. Our Chester, Kuala Lumpur and Nottingham offices must retain the images for 90 days in order to comply with PCI-DSS requirements.
Recordings are retained in a secure environment and are only accessible by authorised personnel who have a legitimate reason to do so.
Any CCTV used in our Edinburgh, Liverpool or New York offices is not operated by us, so we are not the data controller. It will be under the control of the relevant building landlord.
Purpose and legal basis for processing: GBG uses CCTV imagery for the purposes of maintaining the safety and security of our building and team members, and for investigative purposes as evidence to support the effective management of any incidents. We rely on legitimate interests as the lawful basis for processing such data under Article 6(1)(f) of the GDPR, subject to a balancing test to ensure our interests are not overridden by yours.
What personal data GBG collect and why: When you apply online for a position with GBG we will use the information you provide to assist in the recruitment and selection process. There is information we require in order to process your application, which within the software is depicted as mandatory fields. GBG may also seek additional information from other sources, for example, by using your references in the final stages of the recruitment process.
You have the opportunity to provide information in relation to additional adjustments required for the recruitment process to assist you. This is to ensure we enable all individuals to compete on equal terms. You may choose to provide some special category data here, such as ethnicity, religious beliefs or medical conditions, but it is not required and can be provided at a later date.
Purpose and legal basis for processing: Our purpose for processing your data in the event of a job application is to assess your suitability for the role. We rely on Article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request before entering into a contract.
With regard to any special category data you provide, we collect this information to monitor equality and diversity to ensure we comply with legislation such as the Equality Act 2010. We therefore rely on compliance with a legal obligation under Article 6(1)(c) of the GDPR as the lawful basis for processing and Article 9(2)(a) of the GDPR, since we collect such special category data for the purposes of carrying out our obligations in the field of employment.
Data retention: Information provided on the application form and any information obtained from other sources will be retained in all cases in hard copy format and/or electronically only for as long as is required for the purposes of:
Your data is retained for 3 months within be/hired, our internal HR platform, then it is automatically deleted. If you would like your data deleted sooner, please contact firstname.lastname@example.org so we can raise this as a request for Access UK Ltd to complete on our behalf.
If your recruitment process goes beyond 3 months, you will be aware of this, with your personal data then held by GBG for the duration of the recruitment process.
If you are successful with your application, the personal data you have supplied to us will form part of your employment record.
Use of data processors: GBG will share your information with third party service partners, who are acting on behalf of GBG as our data processor:
Access UK Ltd: provides GBG with the software which controls the be/hired process. This is hosted in the UK. GBG is unable to change the questions which have been asked or the process within the system you are taken through. Whilst Access UK controls the “how” from a software perspective and hosts this platform, your personal data is gathered by GBG as the data controller, so we decide on why this is processed, who it is shared with, etc. The aCloud Recruitment Team at Access UK (Deployment/Development & support) appoints one individual in the hosting team with access to the server for support and maintenance purposes only.
CEB Inc: provides GBG with a global talent assessment platform which is hosted in the US. As part of your application, you may be requested to complete this assessment via a separate link. To generate this link, GBG will need to have shared your name and email address. The data entered is then determined by you.
Other third parties: Where you have engaged with an external recruitment agency they will have shared your details with GBG for a role they have notified you about. The recruitment agency also acts as a data controller.
We are unable to be more explicit in this statement as to who they are as we work with a large number of agencies globally. If you would like more information regarding your personal data, please contact us by email at email@example.com or by writing to: Privacy and Data Compliance, GBG, The Foundation, Chester Business Park, Chester, CH4 9GB.
We may also contact the named referee(s) you have supplied in order to provide a reference on you. Or once your application has been successful, your details may be shared with other third parties, such as a payroll provider. You will be notified of any further processing at the appropriate time.
Accuracy of your personal data: You enter your own information, so please ensure it is correct. If this needs to be updated, please contact firstname.lastname@example.org who will be able to facilitate your request.
International data transfers: As a global organisation, a transfer taking place will depend on where in the world you are based and the role you have applied for.
The platform on which be/hired is hosted by Access UK is in the United Kingdom, so if you only apply for a role in the European Economic Area (EEA) and do not complete a talent assessment, no international data transfer will have taken place. If you are in the EEA, and you do complete a talent assessment, your name and email address will have been transferred to CEB Inc., which is based in the US and is Privacy Shield certified.
Depending on the role you have applied for, we may need to transfer your personal data to other companies within GBG for administrative purposes. For example if you are based within the EEA, we may need to transfer your personal data outside of the EEA if you have applied for a role in a non-EEA country/territory.
IS0 27001 Certification: GBG are a global specialist in identity data intelligence for some of the largest organisations in the world, which is why GBG aim to set the highest standards of information security and in doing so, have developed an Information Security Management System (ISMS) to meet the requirements of the ISO 27001:2013 standard. Its aim is to protect the confidentiality, integrity and availability of GBG and client held information resources and assets, thus safeguarding GBG and its clients from unauthorised access, compromise and/or disclosure of data.
PCI-DSS Certification: Some of the services we provide are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Being compliant with PCI DSS means that we are doing our very best to keep our customers’ valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. PCI ensure technical and operational strengths to raise the bar on our security.
Cyber Essentials Certification: In addition to the above, we have services that are Cyber Essentials accredited, this helps prevent the vast majority of cyber-attacks. Having a Cyber Essentials badge enables us to:
As an individual, you have rights under the GDPR regarding the use of your personal data, these are:
Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds under the GDPR is satisfied.
You can send these requests to email@example.com or by post to:
Privacy & Data Compliance Team
GB Group Plc
Chester Business Park
Or you can make a request in person or call +44 (0)1244 657277.
You are not required to pay any charge for exercising your rights. We have one calendar month to respond to you. If GBG are unable to comply with your request, we will provide you with an explanation.
We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by GBG then please write to us at:
Privacy & Data Compliance Team
GB Group Plc
Chester Business Park
Alternatively, you can email us at firstname.lastname@example.org.
GBG will investigate and respond within 10 working days. This allows us time to investigate your complaint thoroughly.
Where you believe that GBG have not taken our responsibilities with your personal data seriously, you have the right to complain to the UK Supervisory Authority. Its details are:
Information Commissioner’s Office
Telephone number: +44 (0)303 123 113 or +44 (0)1625 545 745
If you are a U.S. resident, please refer to our U.S. Privacy Statement, which also contains specific information that is relevant to Californian resident’s rights under the California Consumer Privacy Act.