Legal
Data Policy
Beauhurst’s Data Policy falls into three parts:
1. GDPR
2. Use of email addresses obtained from the Beauhurst platform
3. Data usage rights
PART 1
1. GDPR
We need to make sure that your and our processing of the Beauhurst Data complies with the requirements of the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR“), the EU GDPR as incorporated into UK national law by virtue of the European (Withdrawal) Act 2018 (the “UK GDPR“) and the Data Protection Act 2018.
This Policy, together with our Terms, forms part of your Subscription Order. It comprises a balanced set of terms to support the assessment that our sharing of Beauhurst Data with you is in your and our legitimate interests and does not unduly prejudice the rights and freedoms of individuals to whom the Platform Personal Data relates. If you have any questions about it, please email our Data Protection Officer.
1.1. Definitions: In this Data Policy, the following terms shall have the following meanings (any definitions not found here will be in the main Terms):
(a) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, UK Data Protection Law, the EU GDPR and the EU e-Privacy Directive (Directive 2002/58/EC).
(b) “clause” means a clause of this Data Policy.
(c) “controller“, “processor“, “data subject“, “processing” (and “process”) and “special categories of data” shall have the meanings given in UK Data Protection Law.
(d) “Data Usage Tier” means one of the four tiers outlined in Part 3 of this Data Policy which determines the extent of your usage rights in relation to Beauhurst Data, including Platform Personal Data.
(e) “GDPR” means the EU GDPR and the UK GDPR.
(f) “Party” means you or Beauhurst, as party to a Subscription Order comprising the Beauhurst Terms and this Data Policy.
(g) “Permitted Purpose” is as defined in clause 1.2 below.
(h) “personal data” means any information relating to an identified or identifiable natural person (a data subject). This is one who can be identified, directly or indirectly, in particular by reference to an identifier.
(i) “Platform Personal Data” is any personal data made available to you via the Beauhurst Platform, as further described in Annex I below.
(j) “UK Data Protection Law” means:
(i) the UK GDPR;
(ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003); and
(iii) the Data Protection Act 2018.
1.2. Disclosure of data: Beauhurst will make available to you via the Beauhurst Platform certain personal data as further described in Annex I (the Platform Personal Data) to process strictly in accordance with the Data Usage Tier outlined in your Subscription (and subject to any restrictions outlined in Part 3) or as otherwise agreed in writing between Beauhurst and you (the “Permitted Purpose“).
1.3. Relationship of the parties: You acknowledge that Beauhurst is a controller of the Platform Personal Data made available via the Beauhurst Platform, and that you will process the Platform Personal Data as a separate and independent controller strictly for the Permitted Purpose. In no event will Beauhurst and You process the Platform Personal Data as joint controllers.
1.4. Legitimate Interests: The Parties acknowledge that for the purposes of UK Data Protection Law, the legal basis on which Beauhurst will facilitate access by you to the Platform Personal Data is the legitimate interests pursued by Beauhurst in building and operating its business of providing insights into UK companies and the surrounding ecosystem as well as those pursued by the Subscribing Organisation which may wish to invest in, or offer professional services or funding opportunities to such companies.
1.5. Compliance with law: Each of Beauhurst and you shall be separately responsible for complying with the obligations that apply to it as a controller under Applicable Data Protection Law.
1.6. Prohibited data: We shall not disclose any special categories of personal data to you for processing.
1.7. International transfers: Transfer of Platform Personal Data occurs whenever a User accesses the Beauhurst Platform.
Subscribing Organisation based in the EEA/UK: you shall not transfer the Platform Personal Data (nor permit the Platform Personal Data to be transferred) outside of the European Economic Area (“EEA“) and/or the United Kingdom (“UK“) unless you take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
Subscribing Organisation based outside the EEA/UK: If you are based outside the EEA/UK in a country that has not been deemed as ensuring adequate data protection within the meaning of Article 45 of the GDPR, you agree that the Standard Contractual Clauses (2021/914/EC) Module 1 (“Standard Contractual Clauses“) and the ICO’s UK Addendum to the Standard Contractual Clauses (“UK Addendum“) shall be incorporated by reference into your Subscription Order. For the purposes of populating the Appendices to the Standard Contractual Clauses and UK Addendum, the required information will be as set out in the Annexes to this Data Policy. In the event of any conflict between the Data Policy and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of any conflict between the Data Policy and the UK Addendum, the UK Addendum shall prevail.
For the purposes of Clause 11 of the Standard Contractual Clauses (“Redress”), the optional Clause (which reads as follows: “The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.”) is hereby deleted.
For the purposes of Clause 17 of the Standard Contractual Clauses (“Governing law”), the parties agree that this shall be the law of Ireland.
For the purposes of Clause 18 of the Standard Contractual Clauses (“Choice of forum and jurisdiction”), the parties agree that those shall be the courts of Ireland.
For the purposes of Clause 17 of the UK Addendum, the parties agree that the Approved Addendum (as defined in the UK Addendum) shall be populated by reference to this Data Policy and its Annexes and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) shall not adversely affect the validity of the Subscription Order or the compliance with Applicable Data Protection Law of any international transfers of personal data made thereunder. The parties hereby acknowledge and agree that any such formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided.
For the purposes of Clause 19 of the UK Addendum, the parties agree that the Exporter shall be entitled to terminate the Addendum by providing written notice of the same to the Importer.
1.8. Security: You shall implement appropriate technical and organisational measures to protect the Platform Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Platform Personal Data (a “Security Incident“). Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
1.9. Subcontracting: You shall not allow access to Platform Personal Data to any person outside the Subscribing Organisation without our prior written consent, unless you are on data Tiers 2 or 3 that allow you to share Platform Personal Data with Clients without our prior written consent, but restrictions must be adhered to (see Part 3).
1.10. Cooperation: In the event that either Party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence“) related to (a) the disclosure of the Platform Personal Data by Beauhurst to you for the Permitted Purpose; or (b) processing of the Platform Personal Data by the other Party or by a Client of a Subscribing Organisation, it shall promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Law.
1.11. Security incidents: Upon becoming aware of a Security Incident, you shall inform us without undue delay. You shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep us informed of all developments in connection with the Security Incident. Each Party agrees to provide reasonable assistance to the other to facilitate the handling of any Security Incident in an expeditious and compliant manner.
1.12. Deletion of Platform Personal Data: Further to paragraph 11.3 of the Terms, upon termination or expiry of this Agreement, you shall destroy all Platform Personal Data (including all copies of the Platform Personal Data) in your possession or control (including any Platform Personal Data disclosed to a third party outside the Subscribing Organisation, if your Data Tier permits such disclosure or we have consented to such disclosure). This requirement shall not apply to the extent that you are required by any EU (or any EU Member State) law or UK law to retain some or all of the Platform Personal Data, in which event you shall securely isolate and protect the Platform Personal Data from any further processing except to the extent required by such law. For the avoidance of doubt, this clause 1.12 shall not apply to Platform Personal Data which is processed by you in connection with you entering into a direct relationship with a company on the Beauhurst Platform for investment purposes or the provision of professional services (including in the context of any enquiries by the company in respect of such investment or services).
1.13. Audit: Should we have reasonable cause, you shall permit us (or our appointed third party auditors) to audit your compliance with this Data Policy, and shall make available to us all information, systems and staff necessary for us (or our third party auditors) to conduct such audit.
PART 2
2. USE OF EMAIL ADDRESSES OBTAINED FROM THE BEAUHURST PLATFORM
We provide business email addresses on the Beauhurst Platform so that you can directly approach the individuals to whom those business email addresses relate. Since the communication (by whatever means) of advertising or marketing material directed to particular individuals is defined as “direct marketing” (even if you are not explicitly selling something), you must be compliant with any applicable rules pertaining to email marketing, as well as Applicable Data Protection Law. Further, to enable us to support the assessment that the disclosure of such email addresses to you (and your subsequent use of those email address) is not unduly prejudicial to the rights and freedoms of the individuals to whom the email addresses relate, you must comply with each of the requirements below.
2.1. You are forbidden from using email addresses from the Beauhurst Platform to email more than 5 people in a single send (“Mailshots”). This is to ensure that any contact that you make is direct and deliberate, and you must ensure that this is the case. Further, if you have not received a response, you shall not contact an individual more than 4 times and you shall ensure that there is at least 4 days interval between one email to an individual and the next email to the same individual.
2.2. You must identify yourself in any email you send and include contact details, ideally a postal address, active email address, and a phone number.
2.3. You must include in each email a clear and simple way for anyone you email to opt out of your communications.
2.4. If someone objects to or opts out of your marketing, you must immediately add them to a ‘do not contact’ list and stop communications with them. You must screen all your marketing against this list to make sure you don’t contact anyone who has opted out.
2.5. You must ensure that you are fully compliant with any Applicable Data Protection Laws, including where applicable European Directive 2002/58/EC, also known as ‘the e-privacy Directive’ (and any and all applicable national data protection laws made under or pursuant to such Directive). It is your responsibility to keep up to date with any changes in the law, in particular following the introduction of the proposed new e-Privacy Regulation, which is due to replace European Directive 2002/58/EC.
PART 3
3. DATA USAGE RIGHTS
Access to the Beauhurst Platform is based on four Data Usage Tiers. Please only refer to the tier that pertains to your Subscription, as outlined in the Subscription Summary. You may not access or use the Beauhurst Platform and / or the Beauhurst Data or permit any Data User to access or use the Beauhurst Platform or the Beauhurst Data in breach of the Data Usage Tier applicable to your Subscription.
Tier Zero: User Use Only
Tier One: Internal Use
Tier Two: Client Use
Tier Three: Marketing Use
3.1. Definitions: In this Part 3, the following terms shall have the following meanings (any definitions not found here are in the main Terms):
(a) Accelerator means any organisation that runs an accelerator programme profiled on the Beauhurst Platform;
(b) Activity means any notable action or event performed by or in respect of an Entity, as included on the Beauhurst Platform, including, but not limited to, a transaction, the publication of a news article, an accelerator attendance, and / or the appointment of a new key Person;
(c) Client means any of your customers or bona fide prospective customers;
(d) Company means a commercial business profiled on the Beauhurst Platform;
(e) Entity means an organisation profiled on the Beauhurst Platform including, but not limited to, a Company, Fund or Accelerator.
(f) Fund means an investment organisation, including (but not limited to) private equity firms, venture capital firms, and hedge funds, that is profiled on the Beauhurst Platform;
(g) Person means any named individual on the Beauhurst platform, including but not limited to any director, shareholder, or Company employee;
3.2. Tier Zero: User Use Only
Individual Users may use Beauhurst Data, including any Platform Personal Data, subject to the following restrictions:
(a) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(b) Only a User may access Beauhurst Data on the Beauhurst Platform and each User may only share or make available Beauhurst Data with other active Users on Your Subscription. These rights are subject to paragraph 9.7 of the Terms, so where any Subscribed Teams are identified in the Subscription Summary, Beauhurst Data may not be accessed, used, shared or made available by or with anyone outside of such Subscribed Teams.
3.3. Tier One: Internal Use
You have rights to use Beauhurst Data, including any Platform Personal Data, within your Subscribing Organisation, subject to the following restrictions:
(a) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(b) Anyone to whom you make Beauhurst Data available (including Data Users) or with whom you share it must be explicitly made aware of (and adhere to) the restrictions in place in respect of your rights to use that information and is strictly forbidden from making it available or sharing it with anyone outside of the Subscribing Organisation. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule and/or Applicable Data Protection Law by any person who has been provided with Beauhurst Data as if such breach had been committed by you or your Data Users directly. These rights are subject to paragraph 9.7 of the Terms, so where any Subscribed Teams are identified in the Subscription Summary, Beauhurst Data may not be accessed, used, shared or made available by or with anyone outside of such Subscribed Teams.
3.4. Tier Two: Client Use
(a) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(b) You have rights to use Beauhurst Data, including any Platform Personal Data, within your Subscribing Organisation subject to the following restrictions:
(i) Anyone to whom you make Beauhurst Data available (including Data Users) or with whom you share it must be explicitly made aware of (and adhere to) the restrictions in place in respect of your rights to use that information and is strictly forbidden from making it available or sharing it with anyone outside of the Subscribing Organisation. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule and/or Applicable Data Protection Law by any person who has been provided with Beauhurst Data as if such breach had been committed by you or your Data Users directly. These rights are subject to paragraph 9.7 of the Terms, so where any Subscribed Teams are identified in the Subscription Summary, Beauhurst Data may not be accessed, used, shared or made available by or with anyone within your Subscribing Organisation but outside of such Subscribed Teams.
(c) You have rights to make available and share (“share“) Beauhurst Data, which includes Platform Personal Data, with your Clients subject to the following restrictions:
(i) Sharing of Beauhurst Data is done on a one-to-one basis with each Client and is not Published, shared or otherwise made available in any fashion whatsoever (for example through a marketing email or used in a seminar or conference);
(ii) The information being shared is directly relevant to the Client in question and to your particular engagement with them;
(iii) You cannot, unless agreed otherwise with Beauhurst in writing, sell any Beauhurst Data to a Client – no transaction may take place in exchange for any Beauhurst Data, and (as outlined in paragraph 9.8 of the Terms) you must not grant or allow any Client to have access to the Beauhurst Platform;
(iv) You may not provide Beauhurst Data, which includes Platform Personal Data, to a Client for their own marketing or lead-generation purposes, or permit any Client to use Beauhurst Data for such purposes;
(v) Clients must not themselves or through any other party use or permit the use of email addresses from the Platform to contact any Persons;
(vi) You shall procure that, in respect of any processing of Beauhurst Data by a Client, the Client shall comply with all Applicable Data Protection Laws;
(vii) You shall procure that, in respect of any processing of Beauhurst Data by a Client, the Client shall delete all Beauhurst Data either at the termination of your Subscription to Beauhurst or at the end of your relationship with the Client, whichever is soonest;
(viii) Anyone to whom you make Beauhurst Data available (including Data Users) or with whom you share it must be explicitly made aware of (and you must require them in writing to adhere to) the restrictions set out in this Data Policy. This must include a strict prohibition on sharing Beauhurst Data with anyone else, including within the Client’s own organisation. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule and/or Applicable Data Protection Law by any person who has been provided with Beauhurst Data as if such breach had been committed by you or your Data Users directly.
3.5. Tier Three: Marketing Use
(a) You have rights to use Beauhurst Data, including any Platform Personal Data, within your Subscribing Organisation subject to the following restrictions:
(i) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(ii) Anyone to whom you make Beauhurst Data available (including Data Users) or with whom you share it must be explicitly made aware of (and adhere to) the restrictions in place in respect of your rights to use that information and is strictly forbidden from making it available or sharing it with anyone outside of the Subscribing Organisation. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule and/or Applicable Data Protection Law by any person who has been provided with Beauhurst Data as if such breach had been committed by you or your Data Users directly. These rights are subject to paragraph 9.7 of the Terms, so where any Subscribed Teams are identified in the Subscription Summary, Beauhurst Data may not be accessed, used, shared or made available by or with anyone within your Subscribing Organisation but outside of such Subscribed Teams.
(b) You have rights to make available and share (“share”) Beauhurst Data, which includes Platform Personal Data, with your Clients subject to the following restrictions:
(i) Sharing of Beauhurst Data is done on a one-to-one basis with each Client and is not broadcast in any fashion whatsoever (for example through a marketing email or used in a seminar or conference);
(ii) The information being shared is directly relevant to the Client in question and to your particular engagement with them;
(iii) You cannot, unless agreed otherwise with Beauhurst in writing, sell any Beauhurst Data to a Client – no transaction may take place in exchange for any Beauhurst Data, and (as outlined in paragraph 9.8 of the Terms) you must not grant or allow any Client to have access to the Beauhurst Platform;
(iv) You may not provide Beauhurst Data, which includes Platform Personal Data, to a Client for their own marketing or lead-generation purposes, or permit any Client to use Beauhurst Data for such purposes;
(v) Clients must not themselves or through any other party use or permit the use of email addresses from the Platform to contact any Persons;
(vi) You shall procure that, in respect of any processing of Beauhurst Data by a Client, the Client shall comply with all Applicable Data Protection Laws;
(vii) You shall procure that, in respect of any processing of Beauhurst Data by a Client, the Client shall delete all Beauhurst Data either at the termination of your Subscription to Beauhurst or at the end of your relationship with the Client, whichever is soonest;
(viii) Anyone to whom you make Beauhurst Data available (including Data Users) or with whom you share it must be explicitly made aware of (and you must require them in writing to adhere to) the restrictions set out in this Data Policy. This must include a strict prohibition on sharing Beauhurst Data with anyone else, including within the Client’s own organisation. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule and/or Applicable Data Protection Law by any person who has been provided with Beauhurst Data as if such breach had been committed by you or your Data Users directly.
(c) You have additional rights to Publish Beauhurst Data subject to the following limitations:
(i) You may not Publish any Platform Personal Data under any circumstances;
(ii) You will not Publish more frequently than once per week on average over any three-month period;
(iii) Each time you Publish, you may not individually identify more than ten Entities or Activities;
(iv) Each time you Publish, you may not use more than five pieces of aggregate data or statistics derived from the Beauhurst Platform;
(v) Anything that is Published must be clearly attributed to Beauhurst (including a link back to beauhurst.com);
(vi) Anything that you Publish must strictly be for your own activities – you are forbidden from using Beauhurst to undertake any marketing/PR/associated activities for another brand or business.
If you’re ever unsure about what you can share or Publish, or if you want to exceed the limits detailed above, please do get in touch with us to discuss.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: Business Funding Research Ltd
Address: Fourth Floor, Brixton House, 385 Coldharbour Lane, London, SW9 8GL
Official registration number: 07312969
Contact person’s name, position and contact details: Nina Coldham, Data Protection Officer, dataprotection@beauhurst.com
Activities relevant to the data transferred under these Clauses: Provision of Beauhurst Data via the Beauhurst Platform
Signature and date: Set out in signature block below
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
2. Name: As set out in the Subscription Summary
Address: As set out in the Subscription Summary
Contact person’s name, position and contact details: As set out in the Subscription Summary
Activities relevant to the data transferred under these Clauses: Provision of Beauhurst Data via the Beauhurst Platform
Signature and date: Set out in signature block below
Role (controller/processor): Controller
B. DESCRIPTION OF DATA ACCESSED VIA THE BEAUHURST PLATFORM
Data subjects
The Platform Personal Data accessed concern the following categories of data subjects:
● Directors, shareholders and employees of companies on the platform, and individuals involved in the ecosystem (funds, accelerators, universities) included within the Beauhurst Platform.
Categories of data
The Platform Personal Data accessed concern the following categories of data:
● Details pertaining to businesses on the Beauhurst Platform, including but not limited to: names, business contact details (business email address, business telephone number), job title, details of shareholdings, and details of company directorships.
Sensitive data (if appropriate)
The Platform Personal Data accessed do not concern any categories of sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous basis.
Nature of the processing
Collection, recording, structuring, organisation, retrieval and access.
Purposes of the transfer(s)
Access is for the following purpose:
● To facilitate usage by the Subscribing Organisation in accordance with the Data Usage Tier identified in its Subscription Summary and further described in Part 3 of the Data Policy.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
For the duration of this Subscription Order.
Recipients
Subject always to the provisions of this Subscription Order, the Platform Personal Data accessed may be disclosed only to the following recipients or categories of recipients:
● Subscribing Organisation: Users (as defined in the Subscription Order) duly authorised by the Subscribing Organisation to have access to Beauhurst Data for the Permitted Purpose and employees at a Subscribing Organisation if the Subscribing Organisation is on Data Tiers 1, 2 or 3
● Public bodies and law enforcement authorities: Duly authorized staff at public bodies and law enforcement authorities who make enquiries of the Subscribing Organisation in accordance with applicable law.
● Clients of Subscribing Organisation If a Subscribing Organisation is on Data Tier 2 or 3 it may share Platform Personal Data with its Clients. This can only be done on a one to one basis subject to certain restrictions being imposed on the Client in accordance with Part 3 of this Data Policy.
C. COMPETENT SUPERVISORY AUTHORITY
As set out in Clause 13 of the Standard Contractual Clauses.
Data protection registration information of Beauhurst (where applicable)
● Information Commissioner Registration Number for Business Funding Research Limited (trading as Beauhurst): Z291194X
Contact points for data protection enquiries
Nina Coldham
Email: dataprotection@beauhurst.com
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
● Measures of pseudonymisation and encryption of personal data
● Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
● Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
● Measures for user identification and authorisation
● Measures for the protection of data during storage
● Measures for ensuring physical security of locations at which personal data are processed
● Measures for ensuring events logging
● Measures for internal IT and IT security governance and management
● Measures for ensuring limited data retention
● Measures for ensuring accountability
● Measures for ensure appropriate data security & protection training for relevant individua