External Stakeholders Privacy Statement

BMS Section 1 : Business Management/ BM194/01


Bennett Hay Ltd is strongly committed to protecting personal data.  This privacy statement outlines why and how we collect and use personal data pertaining to our external stakeholders within the requirements of the General Data Protection Requirements (GDPR) 2018.


Data Sources

Our policy is to collect only the personal data necessary for agreed purposes

  1. Bennett Hay processes personal data about existing and potential clients and/or individuals associated with them using a customer relationship management system, Sales Force.
    1. The collection of personal data about contacts and the addition of that personal data to the Sales Force is initiated by Bennett Hay colleagues and will include name, employer name, contact title, phone, email and other business contact details.
    2. Data regarding potential clients may be collected from other sources such as business directories or other publicly available sources.
    3. Data for prospective clients is sometimes obtained from a reputable GDPR compliant data list company based on client company details that have already provided the necessary consent
  2. We collect and process personal data about our clients in order to manage the relationship, and meet our contractual obligations.  Where we need to process personal data to provide our services, we ask our clients to provide the necessary information and provide consent.
  1. We collect and process personal data about our suppliers (including subcontractors and individuals associated with our suppliers and subcontractors) in order to manage the relationship, contract, to receive products and services from our suppliers and, where relevant, to provide professional products and services to our clients.
    1. The personal data about our suppliers is provided by them directly, with their consent.


Types of Data

We collect and use the personal data of our external stakeholders in order to manage and maintain our relationship with those individuals and their associated businesses, including:

  • Contact details;
  • Business activities;
  • Information related to the services we provide
  • Information about management and employees.



What is the legal basis for processing the information?

We process personal data in order to run our business, and meet our contractual obligations, including:

  • to administer and manage our relationship with clients;
  • to administer and manage our relationship with suppliers
  • developing our businesses and services (such as identifying potential new clients)
  • processing of financial transactions, including payment for good and services



Sharing and Storing Personal Data

  1. We will only disclose personal data about external stakeholders to third parties if we are legally obliged to do so;
    1. HMRC – for tax purposes
    2. Regulators associated with our services – for example the Environmental Health Organisation.
  • Law enforcement upon request.

or where we need to comply with our contractual duties and have appropriate consent;

  1. All personal data is stored centrally on the secure, cloud based storage system ‘Dropbox’, and on our Information Management System ‘Indicater’
  2. Details of how long we will keep personal data can be found in our Data Management Procedure BM126, and will vary dependent on the type of data and legitimate business interest.
  3. We have security measures in place to protect our and external stakeholders information (including personal data), further details of which can be found in our Data Management Procedure BM126 or by emailing our Data Protection Officer, Claire Huish as below



Individual rights

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) individuals have a number of rights with regards to their personal data, which we recognise;

  1. Individuals have the right to request from us access to and rectification or erasure of their personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
  2. If an individual has provided consent for the processing of personal data they have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before the consent was withdrawn.
  3. Individuals have the right to lodge a complaint to the Information Commissioners’ Office if they believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to their personal data.



Identity and contact details data protection officer

Any concerns regarding how personal data is processed can be addressed as follows:

Claire Huish, Data Protection Officer at

or at the company registered office;

One Friar Street,





Related Documents 

Data Management Procedure BM126

tempus vulputate, at eget velit, fringilla