Supplemental Data Protection Act and General Data Protection Regulation Notice (DPA/GDPR Notice)
Effective from: 1 July 2020
Last updated: 1 July 2020
We are disclosing information about our data processing practices as required by the United Kingdom’s Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR). This DPA/GDPR Notice supplements the information contained in the Bright Horizons Global Privacy Notice and applies exclusively to Customers using Services in the United Kingdom and the European Economic Area.
What legal basis do we rely on to process your personal information?
Bright Horizons relies on the following legal basis for processing your personal information.
- Performance under a Contract: For Customers, most of the personal information we process is necessary for us to perform our obligations under a contract we have with you, and, if applicable, your employer when you receive the Service as an employee benefit.
- Legal Obligations: For Customers, there are many laws that require us to process your personal information. Examples include law and regulations for child/adult care, safeguarding, health and safety, tax and government funding.
- Legitimate Interest: For Customers, we have a legitimate interest in processing some of your personal information in some circumstances. We will only process your personal information if our legitimate interests do not override your fundamental rights, freedoms and interests. For any questions regarding this legal basis, please contact our Global Privacy Officer at firstname.lastname@example.org. Some examples of our legitimate interests include:
- Use of your email address to send you newsletters, invitations to webinars, or information about your services or new/enhanced Service updates.You have the right to stop receiving these communications at any time.
- In some locations, we use Closed Circuit (CCTV) for security/safety of our customers, staff and premises; to help prevent and detect crime; to support learning and training; and to defend legal claims.
- Recording your contact center calls to assist us with monitoring our policies and procedures; identifying opportunities for training and development; and improving Services to you.
- Special Categories of Personal Information: Depending upon the Services you receive, we may need to process special categories of personal information as required under law/government regulation or with your consent. Special categories of personal information that we may process include information relating to:
- Health data:
- when receiving adult/child care services, in order for us to provide the Services safely and in compliance with applicable law, you may need to provide us with health data of the dependent we care for (for example to inform us of allergies, medicines, special physical or educational requirements, health conditions). In addition this type of information may be provided to us by a government body;
- when receiving personal or family coaching or special educational needs services, you may voluntarily provide us with health data about you / your dependents to enable us to provide the advice services.
- Religious beliefs: you may provide this information to us voluntarily when receiving child/adult care services (for example to inform us about dietary requirements or family celebrations, etc.);
- Race/ethnic origin: you may provide this information to us voluntarily when receiving College Coach services (for example to assist with identifying schools, scholarships, etc.);
- Trade union membership: your employer may provide this information to us to assist with determining levels of employee’s eligibility for our EdAssist services;
- Sexual orientation: you may provide this information to us voluntarily when receiving Services (for example when completing spouse/partner information on child care registration forms, to assist with identifying schools, to inform us of family celebrations, etc.)
- Health data:
We may process some of your personal information outside the European Economic Area (EEA). Whenever we transfer personal information out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards and protections are in place.
For transfers to the United States, we may rely on the Privacy Shield Framework, which requires the company receiving the data to provide similar protection to the personal information as provided in Europe. Bright Horizons Family Solutions LLC is certified to the Privacy Shield Framework and therefore all transfers to our US entity are protected by Privacy Shield. Please see below for more information on our continued adherence to the EU-US Privacy Shield Framework. For service providers, we may use the standard contractual clauses approved by the European Commission that afford personal information the same protections it has in Europe.
Please contact the Global Privacy Officer at email@example.com if you want further information on the specific mechanism used by us when transferring your personal information out of the EEA.
Adherence to the EU-US Privacy Shield Framework.Bright Horizons Family Solutions LLC complies with the EU-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information we transfer from the United Kingdom and European Union to the United States. Bright Horizons Family Solutions LLC certified to the Department of Commerce that it adheres to the Privacy Shield Principles. The Federal Trade Commission has jurisdiction over our compliance with the Privacy Shield.
If there is any conflict between the terms in our Global Privacy Notice, DPA/GDPR Notice and the Privacy Shield Principles, the Privacy Shield Principles shall apply. To learn more about the Privacy Shield program and view our certification, please visit https://www.privacyshield.gov/.
Under certain circumstances, you have the right to invoke binding arbitration for complaints regarding our Privacy Shield compliance that you have been unable to resolve through any of the other Privacy Shield mechanisms. To learn more about the binding arbitration mechanism, please visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
In compliance with the Privacy Shield Principles, Bright Horizons Family Solutions LLC commits to the following:
- Resolve complaints about our collection or use of your personal information. If you have questions or complaints regarding our adherence to the EU-US Privacy Shield Framework, please contact our Global Privacy Officer at firstname.lastname@example.org or 2 Crown Court, Rushden, Northamptonshire, NN10 6BS, United Kingdom.
- Cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to personal information transferred from the European Union.
- Remain responsible and liable for the processing of personal information we receive under the Privacy Shield and subsequently transfer to a third party acting as an agent on our behalf.
What rights do you have over your personal information?
You have the right to request:
- Access to the personal information we hold about you, free of charge in most cases.
- The rectification of your personal information to ensure that it’s up-to-date, accurate and complete.
- The erasure of your personal information (subject to certain exemptions).
- We stop processing your personal information for direct marketing purposes (either through specific channels or all channels).
- We and other third parties cease processing your personal information when this was previously undertaken on the basis of your consent and you’ve now withdrawn that consent.
To access your personal information, to request we erase your personal information or to exercise any of your other rights, please contact the Global Privacy Officer at email@example.com.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
In circumstances where we are processing your personal information on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal information that doesn’t infringe your rights and freedoms. You have the right to challenge our decision to the Supervisory Authority or seek legal redress through the courts.
If you feel that your personal information hasn’t been handled correctly, or you are unhappy with our response to any requests you have made regarding the use of your personal information, you have the right to lodge a complaint with the relevant Supervisory Authority.
- UK Supervisory Authority: Information Commissioner’s Office at
www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites.)
- Ireland Supervisory Authority: Data Protection Commissioner/An Coimisinéir Cosanta Sonraí at www.dataprotection.ie/docs/Home/4.htm (opens in a new window; please note we can't be responsible for the content of external websites.)
- Netherlands Supervisory Authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority – Dutch DPA) at https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us (opens in a new window; please note we can't be responsible for the content of external websites.)