Mapping the herd: the UK's unicorn companies in numbers. Download the full report

Legal

Data Policy July 2018

Beauhurst’s Data Policy falls into three parts –

1. GDPR
2. Use of email addresses derived from the Beauhurst platform
3. Data sharing rights

1. GDPR

In light of the new General Data Protection Regulation, we need to make sure that any Beauhurst Data you process is suitably protected and compliant with the legislation. This clause comprises a balanced set of terms to put in place those protections. If you have any questions about it, please write to Joseph Saxby.

1.1 Definitions:  In this clause, the following terms shall have the following meanings:

(a) “controller“, “processor“, “data subject“, and “processing” (and “process“) shall have the meanings given in EU Data Protection Law; and

(b) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, EU Data Protection Law.

(c) “EU Data Protection Law” means:

(i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (the “Directive“);

(ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR“);

(iii) the EU e-Privacy Directive (Directive 2002/58/EC); and

(iv) any and all applicable national data protection laws made under or pursuant to (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

1.2 Relationship of the parties:  We (the controller) appoint you as a processor to process the personal data that is the subject of this Agreement (the “Personal Data“) as defined in EU Data Protection Law. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.

1.3 Prohibited data:  We shall not disclose (and shall not permit any data subject to disclose) any special categories of Personal Data to You for processing.

1.4 Purpose limitation:  You shall process the Personal Data as a processor as necessary to perform your obligations under this Agreement and strictly in accordance with our documented instructions (the “Permitted Purpose“), except where otherwise required by any EU (or any EU Member State) law.  You shall immediately inform us if you become aware that our processing instructions infringe Applicable Data Protection Law.

1.5 International transfers:  You shall not transfer the Personal Data (nor permit the Personal Data to be transferred) outside of the European Economic Area (“EEA“) unless

(a) you have first obtained our prior written consent; and

(b) you take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, to a recipient based in the United States of America that maintains a valid and up-to-date EU-US Privacy Shield certification, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission. It also includes any of your Users accessing the Beauhurst Platform while outside the EEA.

1.6 Security:  You shall implement appropriate technical and organisational measures to protect the Data

(a) from accidental or unlawful destruction, and

(b) loss, alteration, unauthorised disclosure of, or access to the Personal Data (a “Security Incident“).  Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.  Such measures shall include, as appropriate:

(i) the pseudonymisation and encryption of personal data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

1.7 Subprocessing:  You shall not subcontract any processing of the Personal Data to a third party subprocessor without our prior written consent.

1.8 Cooperation and data subjects’ rights:  You shall provide all reasonable and timely assistance to enable us to respond to:

(a) any request from a data subject to exercise any of our rights under Applicable Data Protection Law (including our rights of access, correction, objection, erasure and data portability, as applicable); and

(b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data.   In the event that any such request, correspondence, enquiry or complaint is made directly to you, you shall promptly inform us providing full details of the same.

1.9 Data Protection Impact Assessment:  You shall provide us with all such reasonable and timely assistance as we may require in order to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist us in consulting with our relevant data protection authority.

1.10 Security incidents:  Upon becoming aware of a Security Incident, you shall inform us without undue delay and shall provide all such timely information and cooperation as we may require in order for us to fulfil our data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.  You shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep us informed of all developments in connection with the Security Incident.

1.11 Deletion or return of Personal Data:  Upon termination or expiry of this Agreement, you shall destroy or return to us all Personal Data (including all copies of the Personal Data) in your possession or control (including any Personal Data subcontracted to a third party for processing).  This requirement shall not apply to the extent that you are required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event you shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

1.12 Audit:  You shall permit us (or our appointed third party auditors) to audit your compliance with this Clause, and shall make available to us all information, systems and staff necessary for us (or our third party auditors) to conduct such audit. You acknowledge that we (or our third party auditors) may enter your premises for the purposes of conducting this audit, provided that we give you reasonable prior notice of our intention to audit, conducts our audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to your operations.  We will not exercise our audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) we believe a further audit is necessary due to a Security Incident suffered by you.

2. Use of email addresses derived from the Beauhurst platform

We provide business email addresses on the Beauhurst Platform so that you can directly approach the individuals concerned. Since any unsolicited direct contact is defined as “marketing” (even if you are not explicitly selling something), you need be compliant with the relevant rules pertaining to email marketing, as well as the GDPR.

2.1 You are forbidden from using email addresses from the Beauhurst platform to email more than 5 people in a single send (“Mailshots”). This is to ensure that any contact that you make is direct and deliberate and the data subject’s rights are suitably protected in line with Article 14 of the GDPR.

2.2 You must identify yourself and your Organisation in any email you send and include contact details, ideally a postal address, active email address, and a phone number.

2.3 You must have a clear and simple way for anyone you email to opt out of your communications.

2.4 If someone objects to or opts out of your marketing, you should immediately add them to a ‘do not contact’ list and stop communications with them (excepting perhaps a brief note to acknowledge that you are acquiescing to their request). You should screen all your marketing against this list to make sure you don’t contact anyone who has opted out.

2.5 You must ensure that you are fully compliant with the relevant legislation pertaining to email marketing. At the time of writing this is European Directive 2002/58/EC, also known as ‘the e-privacy Directive’. It is your responsibility to keep up to date with any changes in the law.

3. Data Sharing Rights

Beauhurst’s data sharing rights are based on four tiers. Please only refer to the tier that pertains to your Subscription, as outlined in the Subscription Summary.

Tier Zero: User Use Only
Tier One: Internal Use
Tier Two: Client Use
Tier Three: Marketing Use

3.1 Definitions: In this clause, the following terms shall have the following meanings (any definitions not found here will be in the main Terms):

(a) Client means any of your customers or bona fide prospective customers;

(b) Company means a commercial business included on the Beauhurst Platform;

(c) Fund means an investment organisation, including (but not limited to) private equity firms, venture capital firms, and hedge funds, that appears on the Beauhurst Platform;

(d) Organisation means the employer of the party being referenced in any given instance in this policy;

(e) Person means any named individual on the Beauhurst platform, including but not limited to any director, shareholder, or Company employee;

(f) Transaction means any commercial arrangement that a Company, Fund or other entity is engaged in, and which is tracked on the Beauhurst Platform (for example, an equity fundraising);

3.2 Tier Zero: User Use Only

(a) You may not share any Beauhurst Data.

3.3 Tier One: Internal Use

(a) You have rights to use Beauhurst Data within your Organisation

(b) You may not share any Beauhurst Data with anyone except that:

(i) You may share Beauhurst Data within your Organisation.

(ii) Anyone you share Beauhurst Data with must be aware of (and adhere to) the restrictions in place on that information and is strictly forbidden from passing it on to anyone else. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule by any person who has been provided with Beauhurst Data as if such breach had been committed by you or your User directly.

3.4 Tier Two: Client Use

(a) You have rights to share Beauhurst Data with your Clients

(b) You may not share any information on the Beauhurst Platform with anyone except that:

(i) You may share Beauhurst Data within your Organisation.

(ii) You may share Beauhurst Data with a Client, provided in all cases that:

(A) This is done on a one-to-one basis with each Client and is not broadcast in any fashion whatsoever (for example through a marketing email or used in a seminar or conference);

(B) The information being shared is directly relevant to the Client in question and to that particular engagement with them;

(C) You cannot, unless agreed otherwise with Beauhurst in writing, sell any Beauhurst Data to a Client – no transaction may take place in exchange for any Beauhurst Data, and (as outlined in Clause 9.6 of the Terms) you must not grant any Client access to the Beauhurst Platform;

(D) You cannot give Beauhurst Data to a Client for their own marketing or lead-generation purposes.

(c) Anyone you share Beauhurst Data with must be aware of (and adhere to) the restrictions in place on that information and is strictly forbidden from passing it on to anyone else. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule by any person who has been provided with Beauhurst Data as if such breach had been committed by you or your User directly.

3.5 Tier Three: Marketing Use

(a) You have additional rights to use Beauhurst Data for marketing purposes

(b) We encourage you to share and Publish information from the Beauhurst Platform; however anything that you share must adhere to the terms of this Tier Three of the Data Policy. If you’re ever unsure about what you can share or Publish, or if you want to exceed the limits detailed below, you must discuss with us and get our agreement to do so in writing.

(c) You may share Beauhurst Data within your Organisation.

(d) You may share Beauhurst Data with a Client, provided in all cases that:

(i) This is done on a one-to-one basis with each Client and is not broadcast (for example through a marketing email or used in a seminar or conference);

(ii) The information being shared is directly relevant to the Client in question and to that particular engagement with them;

(iii) You cannot, unless agreed otherwise in writing, sell any Beauhurst Data to a Client – no transaction may take place in exchange for any Beauhurst Data, and (as outlined in Clause 9.6 of the Terms) you must not grant any Client access to the Beauhurst Platform;

(iv) You cannot give Beauhurst Data to a Client for their own marketing or lead-generation purposes.

(e) NB. Anyone you share Beauhurst Data with must be aware of (and adhere to) the restrictions in place on that information and is strictly forbidden from passing it on to anyone else. It is your responsibility to ensure this is the case, and Beauhurst shall treat any breach of this rule by any person who has been provided with Beauhurst Data as if such breach had been committed by you directly.

(f) You are entitled to Publish Beauhurst Data without prior permission subject to the following limitations:

(i) That you will not Publish more frequently than once per week on average over any three month period;

(ii) That each time you Publish, you may not individually identify more than ten Companies, People, Transactions, or Funds;

(iii) That each time you Publish, you may not use more than five pieces of aggregate data or statistics derived from the Beauhurst Platform;

(iv) Anything that is Published needs to be clearly attributed to Beauhurst (including a link back to beauhurst.com);

(v) Anything that you Publish must strictly be for your own activities – you are forbidden from using Beauhurst to do any marketing/PR/associated activities for another brand or business.

(vi) You may not share any email addresses derived from the Beauhurst Platform with anyone outside your Organisation

(g) Aside from the explicit permissions detailed above, you may not share Beauhurst Data with anyone. Please do get in touch with us if you would like to clarify what you can or can’t do with Beauhurst Data.