Privacy notice

Our commitment to your privacy

We’re serious about protecting your personal data. This note explains:

  • From where we secured your personal data;
  • The personal data that we collect;
  • Your personal data rights;
  • Your right to object to our processing your personal data and to withdraw consent;
  • How and when we use that personal data;
  • Whether we share your personal data with anyone else;
  • For how long will we keep your personal data;
  • How you can access your personal data;
  • Information about our use of cookies.

If you have any questions or queries about this notice please email us at nmbs@nmbs.co.uk

Personal data that we collect

The personal data that we collect includes your name, business email address and business telephone number. We collect your personal data from you directly. We always ensure that we have a lawful basis for processing the personal data that we collect.

Your rights in respect of your personal data

You have the right to request access to your personal data, amendments to it and for it to be deleted. Further information about those rights, along with your right to withdraw any consent you’ve given or object to our processing your data, can be found in our data protection policy.

That policy also includes who to speak with if you have any queries about our approach to processing your personal data.

How and when we use your personal data

We’re committed to using your personal data responsibly and lawfully. Here’s what we do with your personal data:

  • Send invoices, remittances and statements
  • Send marketing material relevant to you and your business

Your personal data is all stored within the UK.

To help us to maintain the accuracy of the personal data that we hold please let us know if we hold out of date or inaccurate information about you.

Sharing your personal data

There are only a few occasions where we will share your personal data with a third party. They are:

  • where we’re required to disclose it by law – to government bodies for example;
  • between ourselves – for example to deal with a query that you may have;
  • with our professional advisers (who are required to keep your data confidential).

The data controller collecting your personal data for the purpose of this policy is NMBS. We use accepted standards of technology and security to protect your personal data.

For how long will we keep your personal data

Our ‘retention policy’ lists the type of data we process and for how long it is kept. You can access that policy on our website. If you would like us to delete your data and we don’t have a lawful reason to retain it you can make a deletion request by writing to the Operations Manager, NMBS, 10 Merus Court, Meridian Business Park, Leicester, LE19 1RJ.

How you can access your personal data

You can ask us for a copy of the personal data that we hold on you by writing to the Operations Manager, NMBS, 10 Merus Court, Meridian Business Park, Leicester, LE19 1RJ. We’ll ask you for copies of two types of approved identity in order to process your request (such as a passport and driving licence). You can also ask us to make corrections to data you consider to be inaccurate by writing to the Operations Manager, NMBS, 10 Merus Court, Meridian Business Park, Leicester, LE19 1RJ.

Information about our use of cookies

A cookie is a small file (typically letters and numbers) which may be placed on your computer when you access our website. Through the cookie we can recognise your computer and browsing activity if you return to the website.

We use cookies to allow our website to recognise when you return to our site (which helps us to optimise your visits) and cookies to track the life of each visit.

The following Cookies are used on our website:

If you’d like more information on cookies click https://www.aboutcookies.org/

We use social buttons such as Twitter, Google, Facebook and LinkedIn to share or bookmark pages on our site or email updates. Those sites may collect information about your internet activity, including if you visit our site (even if you don’t click on the button if you’re logged on to their site). You should check the privacy and cookies policy of each of these sites to see how they use your information and find out how to opt out and delete such information. You are able to manage cookies. For more information click https://www.aboutcookies.org/. If you want to block all cookies all of the time you can set your computer preferences to do so.

Our website does not require you to input personal data to use it. You may however volunteer personal data such as your name and email address to request information, updates and our services. That information is required to deal with your query appropriately.

Protecting personal data

1.1 Protecting personal data is very important. Whether it belongs to you or individuals we work with we take our responsibilities very seriously.

1.2 Not only do we need to ensure that we protect your personal data but you also need to help us to protect other personal data that we hold.

1.3 We have appointed a Personal Data Manager to ensure that this policy is implemented appropriately. If you have any questions or concerns about this policy or the processing of personal data please speak with them first.

Protecting personal data

1.4 When dealing with personal data there are eight principles that you and we need to follow. The personal data needs to be:

(a) Processed fairly and lawfully;

(b) Relevant and not excessive;

(c) Processed for limited purposes and in an appropriate way;

(d) Accurate;

(e) Not kept longer than necessary;

(f) Processed in accordance with the laws dealing with personal data;

(g) Kept secure;

(h) Not transferred to people or organisations in countries without adequate protection.

There is a lot to understand in respect of these principles. This policy should help you to ensure that your and our treatment of personal data is appropriate and lawful. If you have any questions please direct them to the Personal Data Manager.

A lawful purpose for processing your personal data

1.5 We process personal data fairly and lawfully. Grounds for processing personal data include: with your consent, to comply with a legal obligation, in your vital interests, in the performance of a contract with you or in our legitimate interests (or a third party processing your personal data). If the personal data is sensitive additional conditions will be met.

1.6 At the end of this policy we identify the categories of personal data that we collect and the reasons for processing it along with a privacy notice explaining more about what we do with your personal data.

Requests to see your personal data

1.7 If you want us to show you personal data that we hold on you then you need to make a request in writing to the Personal Data Manager. We might ask you for more details about the request or give you a template letter to help with your request. Where the request isn’t made in person we will always ask for two forms of identity to confirm that it is you making the request.

1.8 We’ll always try and acknowledge your request when we receive it. We’ve got between 30 days and three months to respond in full to your request.

1.9 We may ask you to contribute towards the administration fee in processing your request.

Your rights to deletion, freezing data processing and corrections

1.10 You can ask us to delete your personal data where:

(a) Processing it is no longer necessary bearing in mind the reason it was collected;

(b) It is being processed unlawfully;

(c) You object to us processing your personal data (unless we have an overriding legitimate interest for continuing to process it in which case we may continue to do so).

1.11 Where information we hold on you is inaccurate or incomplete you can ask us to rectify the data.

1.12 You can ask us to stop processing your data where:

(a) Processing is unlawful;

(b) You say that the information that we hold is inaccurate;

(c) You don’t consider we have a ‘legitimate interest’ for processing the data (unless we have an over-riding legitimate interest for continuing to process it in which case we will continue to do so).

1.13 If we think that you’re abusing these rights and making unfounded or excessive requests we may refuse your request or may charge a reasonable administration fee for processing the request.

Limitations and obligations

1.14 We have processes in place to ensure that the accuracy of the personal data that we hold is up to date. Obviously, if personal data that we hold on you is out of date or inaccurate please notify the Personal Data Manager. We will talk to you at least once a year and at the point that you leave our employment about the personal data that we hold on you, whether it is still necessary to hold that data and whether any of it is inaccurate or out of date.

1.15 Wherever possible you should always encrypt personal data so that it is not easily accessible to others. Equally, you and we should not capture more personal data than is needed for the purpose identified. Where you are able to anonymise personal data you are encouraged to do so.

1.16 We will retain your personal data in accordance with our ‘policy on retaining your personal data’. We have processes in place to ensure that personal data isn’t kept for longer than necessary. Once it’s no longer necessary for processing purposes we will delete it.

1.17 We have put appropriate security measures in place to stop accidental loss of, or damage to personal data. Where we have shared with you those measures you must comply with them. Where we ask third parties to process your personal data we will ensure that they have appropriate security measures in place too and that they comply with data protection legislation.

1.18 A data breach is a breach of data security that leads to accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. It includes sending emails to the wrong person, carelessness with passwords and leaving personal data on desks. If you become aware of a data breach you should immediately notify the Personal Data Manager.

1.19 Usually, we will only process or share your personal data for the purpose it was collected.

1.20 If you become aware that personal data has become lost, stolen or otherwise transferred outside of NMBS accidentally or without authorisation, you need to report this immediately to the Personal Data Manager.

1.21 This policy may be changed from time to time. We will notify you of any changes.