1 Who we are
1.1 British Telecommunications plc, a company registered in England and Wales (company number 01800000), with registered office at 81 Newgate Street, London EC1A 7AJ (“BT”).
1.2 In respect of any data collected by BT pursuant to this Notice, BT will act as a Controller of such data.
2 Why are we providing this Notice
2.1 As a visitor to a BT site, BT may need to hold certain information about you and your visit, at times this will include Personal Data, or occasionally Special Category Data.
2.2 This visitor privacy notice (the “Notice”) sets out what data may be captured by BT and how such data will be used by BT.
2.3 This Notice has been prepared in accordance with the GDPR and DPA 2018.
3 What data we collect
3.1 As part of your visit to a BT site, BT may store and use your personal details and information about your visit for the purposes of managing and operating the BT site.
3.2 The Personal Data BT may collect for the purposes of your visit include (but are not limited to):
3.2.1 Contact details and contact preferences
3.2.2 Date of birth and gender
3.2.3 Employer details
3.2.4 Photographic ID
3.3 Additionally, CCTV is in operation at BT sites for the purposes of crime prevention, security and health and safety and, accordingly, will capture imagery of visitors to BT sites
4 Our lawful basis for using your data
4.1 BT processes data collected pursuant to this Notice on the basis of its legitimate interests, this includes (but is not limited to):
4.1.1 for purposes of site security; and
4.1.2 in order to maintain details of any guests present at BT sites, and be able to contact them in the event of an emergency.
4.2 When processing Special Category Data, BT will only do this where it has obtained your explicit consent to do so.
4.3 Where required by Applicable Law to hold certain records, BT will collect and hold such records to comply with that legal obligation.
5 Transferring your data
5.1 Subject to clause 12 of this Notice, other than companies within the BT Group, BT will not share you data with any other organisation or third party.
5.2 BT may share your data with other companies within the BT Group. BT have entered into group-wide binding corporate rules to ensure that any data shared continues to be subject to an adequate level of protection, regardless of which BT Group company holds the data.
6 Retaining your data
6.1 Any data collected by BT pursuant to this Notice will be retained only for as long as is necessary for the purposes of this Notice.
7 Automated decision making
7.1 Any data collected by BT pursuant to this Notice will not be used in any automated decision making process or profiling.
8 If you choose not to provide your data
8.1 If you inform BT that you do not wish for your data to be collected pursuant to this Notice then BT reserves the right to refuse you access to BT sites.
9 Rights regarding your data
9.1 In respect of any data collected by BT pursuant to this Notice, you have the following rights:
9.1.1 the right to request access to this data;
9.1.2 the right to correct your data if it is incorrect.
9.2 If you wish to exercise these rights please contact BT at one of he addresses listed in clause 10.1 of this Notice.
10 Who to contact
10.1 If you have any questions about your data or anything contained in this Notice, please contact:
10.1.1 via email: firstname.lastname@example.org; or
10.1.2 by post:
S. Yorkshire, S1 3EF
11 Updates to this Notice
11.1 BT keep this Notice under regular review and will update it from time to time to make sure it remains up-to-date and accurate.
11.2 The most up to date version can be found at www.bt.com/visitorprivacypolicy
12 COVID-19 and your data
12.1 In light of current coronavirus concerns BT will be following government-issued guidance on contact tracing.
12.2 This includes collecting and sharing relevant visitor data in order to comply with government contact tracing schemes such as NHS Test and Trace (the “COVID Purpose”).
12.3 In order to do this BT will collect the following data from you each time you visit a BT site:
12.3.1 your name;
12.3.2 your contact phone number; and
12.3.3 the date of your visit (including, where possible, arrival time and departure time),
(collectively data collected by BT pursuant to clauses 12.3.1 to 12.3.3 being “Contact Tracing Data”).
12.4 BT will process Contact Tracing Data on the basis of its legitimate interests, this includes (but is not limited to):
12.4.1 complying with the COVID Purpose; and
12.4.2 for the purpose of health and safety at BT sites.
12.5 Contact Tracing Data collected by BT may be shared only with legitimate public health authorities (such as the NHS or the Department of Health & Social Care) in order to satisfy the COVID Purpose.
12.6 Contact Tracing Data will be held for a maximum period of twenty-one (21) days.
12.8 BT will regularly review the suitability of these measures in line with government-issued guidance, and will update this section of the Notice accordingly.
“Affiliate” means any entity that directly or indirectly controls or is controlled by BT, or is jointly controlled with BT.
“Applicable Law” means the laws of England and Wales and any laws and regulations, as may be amended from time to time, including:
(a) anti-corruption laws set out in the Bribery Act 2010 and the Foreign Corrupt Practices Act of 1977 of the United States of America; and
(b) all applicable export laws and regulations, including those of the United States of America.
“BT” has the meaning given to it in clause 1.1.
“BT Group” means BT Group plc and its Affiliates.
"Contract Tracing Data” has the meaning given to it in clause 12.3.
“Controller” has the meaning given to it in the GDPR.
“COVID Purpose” has the meaning given to it in clause 12.2.
“DPA 2018” means the Data Protection Act 2018, and any amendment or replacement to it.
“Data Protection Legislation” means collectively (i) any applicable laws of the European Union, (ii) any applicable local laws relating to the Processing of Personal Data and the protection of an individual’s privacy, (iii) the GDPR, and (iv) any binding guidance or code of practice issued by a Supervisory Authority.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 and any amendment or replacement to it, (including any corresponding or equivalent national law or regulation that implements the GDPR).
“Notice” has the meaning set out in clause 2.2.
“Personal Data” has the meaning ascribed to it in the GDPR.
“Special Category Data” has the meaning given to it in Art 9(1) GDPR.