GBB Coaching & Consultancy Privacy Notice
Information about us
This website is owned and operated by GT English Enterprise Ltd – Trades as GBB Coaching.
We are a private limited company incorporated in England and Wales (registered company number 07989073). Our registered office is at 3 Selworthy, Furzton, Buckinghamshire England MK4 1HA.
In this notice, "we", "us", "our" and "GBB" refer to GBB Coaching & Consultancy. We are the controller in respect of the processing of personal data described in this notice. Please contact firstname.lastname@example.org for more information.
Our Policy Notice Terms
This notice describes our processing of personal data relating to our website visitors in connection with our business activities. We are the controller in respect of this processing, meaning that we determine why and how to carry out this processing.
This notice does not describe our processing activities in connection with our GBB app which we provide to our clients as a service. Our processing in connection with our GBB app is set out in a separate notice available on the GBB app, addressed specifically to users of the app.
Types of personal data we collect
Learning Portal – Learning Portal Account Data: information relating to our clients’ staff that we obtain in connection with setting up accounts to enable client’s staff members to access and use the Learning Portal, including their business email addresses and access permissions. These details are provided to us by our clients.
Purposes of processing: Recognising and authenticating client users accessing our Learning Portal. Legal bias: Our legitimate interests in providing our services to clients.
Enquiry data: information relating to website visitors who complete and submit forms on our website (such as our ‘Get in touch’, ‘Book a demo’ and ‘Request a call back’ forms), including name, email address, phone number, company name and any personal data included in the
subject or message content and any metadata associated with the communication (such as time and date of submission). This information is provided to us by people who complete and submit forms on our website, and our website generates the communication metadata associated with the forms.
Purposes of processing: Communicating with people, e.g. in response to an enquiry made using contact details or a web contact form on this website. Legal bias: Our legitimate interests in communicating with individuals that contact us.
Business contact data:
information relating to our clients’ or prospects staff and representatives that we obtain in connection with entering into and performing contracts for the provision of our products and services to clients, such as names, business email addresses, postal addresses, telephone numbers and job titles. This may be provided by the individuals themselves, by colleagues or resellers. We may also collect similar categories of data of staff or representatives from potential clients or prospects indirectly from publicly available sources such as Linked-in, industry bodies and licence data sets from reputable third parties.
Purposes of processing: Sending marketing communications to staff representatives of our clients and potential clients (see ‘Processing personal data for marketing purposes’ section below for further detail). Providing our services to clients and communicating with clients in connection with providing those services. Legal bias: Our legitimate interests in keeping our Learning Portal secure and limiting access and use to authorised users. Promoting our business and services, maintaining relationships with our clients, driving sales and sustaining and growing our business.
Email tracking data: information about whether recipients of our marketing-related emails open or click on links within marketing-related emails we send to them. This is obtained automatically by our email services provider using various technologies including tracking pixels.
Social media plugin data: technical data about our website visitors’ devices such as its IP address, browser type and version and operating system. This is collected by the plugin buttons embedded in our website.
Purposes of processing: Enabling people to share content from our website via social media.
Legal bias: Our legitimate interests in promoting our business, services and expertise.
Purposes of processing: Analysing use of our website, e.g. finding out how many people visit various parts of the site, so that we can assess how successful our website is and how it could be improved or developed. Keeping our website secure and functional.
Legal bias: Our legitimate interests in monitoring, maintaining and improving our website. Protecting our website and ensuring it works effectively.
information contained in or relating to any communications we receive, including any personal data contained in the communication content, address and
contact details and any metadata associated with the communication such as the date and time of sending. We obtain this data when people contact us by email, phone, or via social media.
Purposes of processing: Client relationship management, including dealing with complaints, keeping records of our interactions with clients and other people and keeping in contact with clients and other people with whom we have interacted. Legal bias: Our legitimate interests in providing a good quality service to clients, dealing effectively with complaints and maintaining relationships with clients.
Webinar registration data: information relating to people who register to join one of our webinars, including name, email address, company name, job title, country, discussion points in/leave times and technical data about the registering person’s device such as IP address, geographical location, browser type and version and operating system. We obtain this information when people complete and submit a registration form and our website automatically collects the technical data.
Purposes of processing: Enabling people to participate in our webinars.
Legal bias: Our legitimate interests in demonstrating and promoting our expertise and engaging with clients and potential clients.
Processing personal data for marketing purposes
We send emails containing information about our business and services. We send these to individuals who are staff representatives of our clients and potential clients or who have previously enquired or corresponded with us about our services, for example by requesting to download promotional material on our website or receive our newsletter. If you do not wish to receive such communications from us, you can tell us by using the unsubscribe link in any email we send to you.
In addition to the purposes set out above, we may also process the personal data if and to the extent necessary for the following purposes:
Purpose: Establishing, exercising or defending legal claims
Legal bias: Our legitimate interests in defending legal claims
Purpose: Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice
Legal bias: Our legitimate interests in protecting our business against risks
Purpose: Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator
Legal bias: Compliance with a legal obligation
Purpose: Protecting a person’s vital interests
Legal bias: Protection of vital interests
Explanation of legal bases
It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.
Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate
Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law
Protection of vital interests: processing of personal data is necessary in order to protect the vital interests of any individual
Consent: the data subject has given consent to their personal data being processed for one or more specific purposes (a ‘data subject’ is an individual who can be identified from the data being processed).
Recipients of personal data
The personal data described in this notice may be shared with the following categories of recipients, where and to the extent necessary for the purposes described in this notice:
We use a number of service providers in connection with our website, services, communications and IT infrastructure, which involves those service providers processing some of the personal data described in this notice to the extent necessary to provide the relevant services. We currently use the following providers:
Nature of services: Office 365 business software services
Type of personal data processed: All categories of personal data described in this notice except usage data
Boss Media Ltd – (BuddyBoss)
Nature of services: Provision of web forms on our website and processing of data submitted via web forms. Enquiry data Provision/hosting of Learning Portal account data
Provision of comments submission and subscription functionality
Comment submission data Website analytics to analyse how our website is used
Usage data Marketing platform
Type of personal data processed: All categories of personal data described in this notice except usage data
Nature of services: Various marketing related software services:
Provision of web forms on our website and processing of data submitted via web forms
Provision/hosting of Learning Portal Provision of comments submission and subscription functionality
Website analytics to analyse how our website is used
Type of personal data processed:
Learning Portal account data
Comment submission data
All types of data described in this notice except usage data
Nature of Services: Registration and delivery of our webinars
Type of Personal Data Processed on: Webinar Registration Data
Nature of Services: Registration and delivery of our webinars
Type of Personal Data Processed on: Webinar Registration Data
Nature of services: Survey, via email, website, social media. For Market Research, customer satisfaction, employment engagement.
Type of personal data processed: Contact Information (for example name or email address). Usage data. Device and browser data. Information from page tags. Use first party and third party cookies and tracking services that employ cookies and page tags (also known as web beacons) to collect data about visitors to our websites. This data includes usage and user statistics. Log Data. Referral information.
Nature of services: Google calendar function for our webinars
Website analytics to analyse how our website is used (Google Analytics)
Type of personal data processed: Usage data
We have contracts with all our service providers to ensure that they treat the personal data they receive in compliance with applicable data protection laws, including that they only process the personal data described in this notice to the extent necessary to provide the services.
Insurers and professional advisers: such as lawyers, accountants and business and marketing consultants, but only if and to the extent necessary for them to carry out the work we engage them to assist us with, for example in relation to a legal claim made against us or obtaining insurance coverage.
Buyers/prospective buyers: if we propose to sell or do sell any of our business or assets, we may make personal data available to a prospective buyer for the purposes of pre-sale due diligence or to a buyer as information assets transferred as part of the sale – for example a prospective buyer may request details of any outstanding legal claim against us, or a buyer may acquire ownership of our business contacts/client databases.
There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above, including complying with legal obligations to disclose information.
In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.
International transfers of personal data
The personal data we process is hosted and stored on servers situated in the United Kingdom (UK. We transfer some personal data to the service providers described in the ‘Recipients of personal data’ section above that are based in countries outside the UK and European Economic Area (EEA). Below we describe these transfers and the safeguards in place to protect personal data once it has been transferred.
Our use of Microsoft services involves a transfer of all types of personal data described in this notice to the U.S.A. or any other country in which Microsoft or its sub-processors operate. These transfers are governed by Microsoft’s Standard Contractual Clauses which can be viewed here
Microsoft Corporation also participates in the EU-U.S. Privacy Shield and its registration can be viewed here
Adobe Inc. - Adobe Inc. (our US company) has certified to the EU-US and Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the transfer of personal information from the European Economic Area (EEA) and Switzerland to the United States. To learn more about the Privacy Shield programme or to view the certification for Adobe Inc., please seehttps://www.privacyshield.gov/.
Our use of Bluejeans services involves a transfer of webinar registration data to the U.S.A. Bluejeans Video Communications, Inc. participates in the Privacy Shield and its registration can be viewed here
SurveyMonkey is certified under and complies with both the EU-US and Swiss-US Privacy Shield programs, which legalised the collection, use, transfer, and retention of personal data from Europe to the US. This method for transfer of personal data has been invalidated by the European courts and so can direct customers to their Data Processing Agreements (DPA)with SCCs section below.
Our use of Google Analytics and calendar services involves a transfer of usage data outside the EEA–to Google LLC in the U.S.A. and to its sub-processors in the U.S.A. and elsewhere. Google LLC participates in the Privacy Shield and its registration can be viewed here
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the European Economic Area in connection with the purposes described in the ‘Other processing purposes’ section above, such as to comply with a legal obligation or defend or bring a legal claim. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
Explanation of international transfer terms referred to in this section:
Privacy Shield: this is an adequacy decision of the European Commission in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the Privacy Shield Framework Principles contained in Annex II to the European Commission Implementing Decision (EU) 2016/1250 of 12 July 2016. Further information can be found on the Privacy Shield website: and in the ICO guidance.
Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.
Standard contractual clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses.
See the Europa website for more information on, and links to, the standard contractual clauses: Binding corporate rules: these are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises, which must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers, be legally binding and enforced by every member of the group. See the Europa website for more information on, and links to, the standard contractual clauses here.
Binding corporate rules: these are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises, which must include all general data protection principles and enforceable rights to
ensure appropriate safeguards for data transfers, be legally binding and enforced by every member of the group. See the Europa website for more information on, and links to, the standard contractual clauses.
Security of personal data
We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.
Information submitted via our website is encrypted in transit using industry standard Secure Sockets Layer (SSL) with 256-bit AES encryption.
It is important that you keep your password for accessing the Learning Portal secret at all times.
Unfortunately, the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.
Retention and deletion of personal data
We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.
Our retention periods and criteria
We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:
Business contact data: We keep this for the duration of the relevant client contract and for a period of 6 years after termination or expiry of the contract. However, we may keep some of this data for marketing purposes for a different period.
Learning Portal account data: We keep this for 6 months after the client’s contract with GBB has ended or upon the client’s request if earlier.
Enquiry data: The submitted web forms are stored for one year. We receive the data in the form of emails, which we store in accordance with our usual email archiving processes. However, we may keep some of this data for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
Comment submission data: Comments are stored for 6 months and email addresses given for the purpose of subscribing to the comment thread will be stored in accordance with our standard archiving processes in place from time to time. However, we may keep email addresses for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
Webinar registration data: Registration forms are stored for one year. However, we may keep names and email addresses for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
Social media plugin data: we do not store this data.
Correspondence data: We store emails in accordance with our usual email archiving processes. Messages via social media are stored in accordance with the social media providers’ data storage policies. However, we may keep names and email addresses for marketing purposes for a different period – see ‘Retention and deletion of personal data for marketing purposes’ section below.
- Usage data: The statistical reports provided to us by InGear Media are retained by us for 90 days; the reports provided to us by InGear Media are retained by us for 365. However, these contain only aggregated data that do not enable us to identify individual users.
- Email tracking data: this is stored in our website database account for 30 days after the tracked event
Retention and deletion of personal data for marketing purposes
We keep data relating to our clients’ staff representatives that is useful for marketing purposes (such as names, business email addresses, job titles and company details) for the purposes of sending marketing emails unless/until we receive an ‘unsubscribe’ request (in which case we will retain the details on a suppression list to ensure no further emails are sent) or until we receive an ‘undeliverable’ response (in which case we will delete the details from our records).
Retention and deletion of personal data for other purposes
These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, protecting a person’s vital interests or the establishment, exercise or defence of legal claims
Cookies we use
What is a cookie?
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server.
Cookies are either "persistent" cookies or "session" cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.
Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.
Third party analytics service providers
We use Google Analytics, LinkedIn Tracking and Facebook Pixel to analyse the use of our website. These services gather information about use of our website, such as the number of unique interactions that take place on our website and overall patterns of usage. This information is gathered using cookies and used to create aggregate statistics about the use of our website.
Most computers and mobile devices automatically accept cookies by default, but you can change your browser settings to refuse to accept cookies, delete cookies or notify you when cookies are set. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
- Chrome: https://support.google.com/chrome/answer/95647?hl=en
- Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
- Opera: http://www.opera.com/help/tutorials/security/cookies/
- Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-deletemanage-cookies
- Safari: https://support.apple.com/en-gb/HT201265
- Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
You can learn more about cookies by visiting www.allaboutcookies.org which includes useful information on cookies and how to block them using different types of browser.
You can block Google Analytics by downloading and installing the Google opt-out browser add-on available here or by blocking third party cookies in your browser options.
Please note that if you block all cookies including those necessary to enable you to use and navigate the website, you may not be able to take full advantage of the functionality of the website.
You have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to:
- access your personal data
- obtain rectification or erasure of your personal data
- restrict and/or object to processing of your personal data • have your personal data ‘ported’ to you or another organisation
- complain to a supervisory authority about our processing of your personal data
- withdraw consent to our processing of your personal data (where you have given consent)
The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.
Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.
Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.
Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.
Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate
grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).
Data portability: where processing of your personal data is based on performance of a contract or your consent and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
Withdraw consent: where any processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to email@example.com, in addition to any other contact methods specified in this notice. Please be aware that if your request relates to any processing that we carry out as a processor on behalf of your employer, we will inform you this and advise you to make the request to your employer, because they will be the controller in relation to that processing who is responsible under data protection laws for responding to your request.
How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. Relevant contact details for the UK supervisory authority, the ICO, can be found here: https://ico.org.uk/concerns/.
We are registered as a fee payer with the UK Information Commissioner's Office. Our data protection registration number is ZA069844.
For enquiries relating to this notice or our processing of personal data, please contact us on 01908 526782 or email us at: firstname.lastname@example.org. You can also contact us using the web contact form.
Changes to this notice
We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.