We apply the UK Data Protection Act (incorporating the EU General Data Protection Regulation (GDPR)) to all our global operations unless the local equivalent law is stronger.
The UK Data Protection Act (and GDPR) works in two main ways. It gives individuals rights over how their personal information is used and sets out rules for organisations that process personal information.
Our Cookies policy describes what cookies we use on our website and their purpose.
Exercising your rights concerning the processing of your personal information
When exercising your rights, you must give us a request in writing, by post or by email. Although you should submit a request in writing, if you would like to speak to someone in person, you may contact us by telephone.
Protección de Datos
Pº General Martínez Campos, 31
28010 - Madrid
Telephone: +34 91 337 35 00
In the UK:
Information Governance Advisor (Disclosures)
58 Whitworth Street
Phone: +44(0) 161 957 7624
We may need to ask you to provide:
- proof of your identity
- proof of your home address
- any information that we reasonably need to locate the information you have requested (for example details of the British Council offices or staff that you have had contact with and when)
We will not start looking for your information until we confirm your identity.
Right to access personal information
Any individual has a right to ask for a copy of the personal information held about them. This means that you can ask for the information that the British Council holds about you. This is known as the right of ‘subject access’.
Right to restrict processing of personal information
In some situations, you have the right to require us to restrict the processing of your personal information. We may restrict your personal information by temporarily moving the information to another processing system, making the information unavailable to users, or temporarily removing published information from a website. We may also use technical methods to ensure the personal information is not subject to further processing and cannot be changed. When we have restricted processing of personal information, this will be clearly indicated on our systems.
You can require us to restrict processing in the following circumstances:
- We are processing your personal data unlawfully and you do not want us to delete the information but restrict it instead.
- You are concerned that the information we hold about you is inaccurate. You can ask us to restrict the information until we are able to determine whether the information is accurate or inaccurate.
- We no longer need the information for the purposes for which we collected it, but they are needed by you for the establishment, exercise or defence of legal claims.
- You have objected to the processing (see below) and we need to decide whether the legitimate interests we have to process the information override your fundamental rights.
Processing you think is unlawful
If you tell us that you think we are processing your personal information unlawfully, but you do not want the information to be erased, you have the right to require us to restrict the processing of that information.
We will ask you for an explanation about why you think the processing is unlawful and may also ask that you provide evidence to support this view.
Processing of personal information you think is inaccurate
You can tell us if you think the personal information, we are processing about you, is factually inaccurate. You can require us to restrict how we use your personal information until we can verify the accuracy of the information. We will ask you for an explanation about why you think the information is inaccurate and may also ask that you provide some supporting evidence of the alleged inaccuracy.
If we find that personal information, we are processing about you, is inaccurate we will take appropriate steps to correct the information.
Personal information no longer needed by the British Council, but needed by you in connection with a legal claim
In most circumstances, we will securely delete or dispose of personal information when we no longer need it for our legitimate business purposes. Our approach to retention is outlined in our corporate retention schedules.
However, if personal information we no longer need would assist you in establishing, exercising or defending a legal claim, you can require us to keep the information for as long as necessary. We may ask you to provide an explanation and any available supporting evidence that a legal claim is on-going or contemplated.
Right to object to processing
You have the right to object to the British Council processing your personal data in the following circumstances:
Personal information used for direct marketing
If we are using your personal information to send you direct marketing, you have the right to object at any time. If you exercise this right, we will stop processing your personal information for direct marketing purposes. However, we may keep your information on a “suppression list” to ensure your information is not added to any marketing lists at some point in the future.
Automated decision making and profiling
‘Profiling’ is automated use of personal data held on computer to analyse or predict things which have a legal effect, or other similarly significant effect, on the individual. Examples would include economic situation, health, personal preferences or interests and location. You have the right not to be subject to a solely automated decision (that is, a decision made electronically, with no human intervention), and this may include profiling (although there is no general right to object to profiling). If you are concerned the British Council has made a solely automated decision about you, you can object.
Please note, British Council is allowed to carry out automated decisions with no human intervention where you have given your explicit consent to this processing (although you have the right to withdraw your consent).
We are also permitted to make automated decisions with no human intervention in the following circumstances:
- The automated decision is necessary to enter into, or perform a contract, or complete a contract involving you and the British Council, e.g making an electronic purchase.
- The automated decision is allowed under a law passed at European Union level, or at the level of European Union or EEA member state level (i.e., is allowed under a national law) or UK level. The law will provide safeguards to protect your rights and freedoms.
However, you still have a general right to object in both of the above circumstances, providing reasons why you think the processing is having a negative effect on you. If you do object, we will carefully consider your reasons, and decide whether to review the decision-making process in your specific case.
Right to erasure of personal data (“the right to be forgotten”)
In the following circumstances, you have the right to require that British Council securely deletes or destroys your personal information:
- If the personal information we hold about you is no longer necessary for the purposes for which we originally collected it.
- The processing is based on consent - if you have previously given your consent to British Council collecting and processing your personal information, and you notify us that you withdraw your consent. Please note: withdrawing your consent does not mean the processing of your personal data which occurred before the withdrawal was unlawful.
- We are processing your personal information for direct marketing purposes, and you want us to stop.
- If you think British Council has processed your personal information unlawfully.
If you think any of the above situations apply, we may ask you for an explanation and further information to verify this.
Right to data portability
If you have provided your information to British Council, you have the right to request and receive a copy of that information in a structured, commonly-used and machine-readable format.
You also have the right to ask us to send the information we hold about you to another organisation.
There are some situations in which the right to data portability does not apply. For further information, please contact: IGDisclosures@britishcouncil.org.
Your right to complain to a national data protection regulator (data protection supervisory authority)
If you think we have processed your personal information unfairly or unlawfully, or we have not complied with your rights under GDPR, you have the right to complain to a national data protection regulator.
Complaints about how we process your personal information can be considered by the UK data protection regulator, the Information Commissioner’s Office (ICO). The ICO can be contacted using the following details:
Information Commissioner’s Office
If you live in a country or territory located in the European Union (EU) or European Economic Area (EEA), and you think that some, or all, of the issues you are concerned about have taken place in your country of residence, you can complain to your national data protection regulator. For contact details of national data protection regulators in the EU and EEA, please refer to the European Data Protection Board website .
You should be aware that the EU or EEA regulator you first contact may not be the regulator that deals with your complaint. They may refer your complaint to another data protection regulator, and a number of regulators may work together to determine the outcome of your complaint. The overall handling of your complaint will be dealt with by a “lead supervisory authority”, which will be allocated during the complaint handling process.
If you live outside the EU or EEA, and the data protection issue you are concerned about relates to the processing of personal data in the country you live in, you may be able to complain to your national data protection or privacy regulator. Details of some national data protection or privacy regulators are detailed in the above link. Alternatively, you may be able to find details of your national privacy or data protection regulator by searching the internet.
If you have a concern about how we have processed your personal data, many data protection/privacy regulators will ask that you contact us first, outlining your concerns, allowing us to try and put the issue right, prior to contacting them with your complaint or concern.
British Council processing of personal information
British Council shares personal information within the wider British Council group of entities situated both within and outside the EU. We do this under a data sharing agreement that includes the appropriate EU model international data transfer clauses to make sure your personal information is protected, no matter which entity in the British Council group holds that information.
Where British Council makes transfers of personal information outside the British Council Group to another organisation, we rely on the use of the EU model international data transfer clauses where the country the organisation is situated in is not listed as ‘adequate’ by the European Commission.
We also use other organisations to process your personal information in order to carry out services on our behalf. We use them to:
- Provide customer service, surveys and marketing
- Personalise our services
- Process payments
- Carry out fraud and other legal investigations
Where we use another organisation, we make sure that your personal information is protected and remains in our control.
We also, in certain situations, share personal information to government bodies and law enforcement bodies. Where we do share personal information with these types of organisations, we’ll make sure it’s protected, as far as it is reasonably possible.
With your consent we’ll use your personal information to send you direct marketing and to better identify products and services that interest you. We do that if you’re one of our customers or if you’ve been in touch with us another way (such as registering to attend a British Council event or entering a competition).
This means we’ll:
- better understand you as a customer and tailor the marketing communications we send you,
- tell you about other products and services you might be interested in,
- try to identify products and services you’re interested in.
The information processed consists of:
- Your contact details. This includes your name, gender, address, phone number, date of birth and email address.
- Information from cookies and tags placed on your connected devices.
- Information from other organisations such as aggregated demographic data and publicly available sources like the electoral roll and business directories.
- Details of the products and services you’ve bought and how you use them.
We’ll send you information about the products and services we provide by phone, post, email, text message, online banner advertising according to the communications channels you prefer. We also use the information we have about you to personalise these messages wherever we can as we believe it is important to make them relevant to you. We do this because we have a legitimate business interest in keeping you up to date with our products and services. We also check that you are happy for us to send you marketing messages before we do so. In each message we send, you also have the option to opt out.
We’ll only market other organisations’ products and services if you have said it is OK for us to do so.
You can ask us to stop sending you marketing information or withdraw your permission at any time.
British Council retains personal information in line with our corporate retention requirements. Further details of our corporate retention schedule are available on request via the contact details, please contact: IGDisclosures@britishcouncil.org.
We undertake fraud checks on all customers because this is necessary for us to perform our contracted services to customers, by ensuring that the services we provide are duly paid for, and so that individuals themselves are protected from fraudulent transactions on their cards. Where we believe we may detect fraudulent activity we may block you from purchasing a product.
Given the volumes of transactions we deal with, we use automated systems including third-party systems for fraud detection purposes which analyses each sale in order to make automated decisions as to whether or not we will accept a sale. We find this is a fairer, more accurate and more efficient way of conducting fraud checks since human checks would simply not be possible in the timeframes and given the volumes of customers that we deal with.
The checks and decisions that are made look at various components including known industry indicators of fraud which our expert fraud detection provider makes available to us, as well as fraud patterns we have detected on our Sites. When combined, these generate an automated score indicating the likelihood of a fraudulent transaction. If our systems indicate a high score for you, then we may decline an order or even block you from our services. The specific fraud indicators are dynamic so will change depending on what types of fraud are being detected in the wider world, country and our sites at any time.
You have certain rights in respect of this activity. Our fraud detection is in place to protect all our customers as well as the British Council. You have the right to contest any fraud decision made about you and to be given more information about why any such decision was made by exercising your rights as noted above, please contact: IGDisclosures@britishcouncil.org.
General Data Protection Queries
If you wish to communicate with us about this privacy notice, or any issue relating to information governance or data protection, please contact the British Council’s Data Protection Officer, using the following channels:
Information Governance & Risk Management Team
10 Spring Gardens
Telephone: (0)20 7389 4385
Notice Revised: 1 February 2019