Let’s start with introductions
Your personal information is collected and processed by bestsurveying.com. The protection and integrity of your personal data is very important to us.
Our company registration details are:
bestsurveying.com is a company incorporated in Indonesia and Wales.
Registration number 12431937
Registered office: Hayam Wuruk St No.127, RW.6, Mangga Besar, Taman Sari, West Jakarta City, Jakarta 11180
Our ICO registration details are:
Registration number: Z8882159
Date registered: 02 February 2005
Registration expires: 01 February 2025
Data controller: PT. CITRA GEMILANG NUSANTARA
Data Protection Officer
URM Consulting Services Limited
Manor Farm Road
Telephone: 0118 206 5410
We’re protecting your data
This Policy has been adopted by bestsurveying.com (“bestsurveying.com”).
In this Policy, “we”, “us”, “our” or “Controller” refers to bestsurveying.com, or any organisation belonging to bestsurveying.com, as appropriate.
We are committed to safeguarding your personal data. This Policy describes how we collect, use, disclose and process your personal data, and applies to personal data we collect about you.
This Policy supplements but does not supersede or replace any other consents you may have provided to us, or any other agreements or arrangements that you may have with us, in respect of your personal data.
A culture of privacy and data security
Data protection and privacy is ever changing and enhancing the rights of our customers. As such, we review our uses of personal data and may amend this Policy from time to time to reflect changes in applicable laws or the way we handle personal data. Any updated Policy will supersede earlier versions and will apply to personal data provided to us previously.
You are encouraged to re-visit our Policy from time to time so that you are aware of our culture of privacy and relevant updates we have made to our Policy.
Personal data provided by you and others
What is personal data?
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
You can voluntarily provide personal data
We collect personal data that you voluntarily provide to us. The personal data we collect will often depend on the purposes for which the personal data are collected and what you have chosen to provide.
You always have the choice not to provide us with personal data. If you have provided your consent for us to process your personal data, you also have the right to withdraw your consent by contacting our Data Protection Officer. However, if you do so, it may not be possible for us to fulfill the specific purposes for which we were given consent, which could include the provision of products and services you have requested.
Accuracy and completeness of personal data
It is important that the personal data we hold about you is accurate and up to date. We would ask you to inform us if there are any inaccuracies with the personal data that we have recorded about you and we will act to update your personal data as required.
In some situations, you will have the ability to update your own information, for example, if you were to create an account on our website. We see it as your responsibility to ensure that all personal data that you provide is accurate and complete, and to inform us of relevant changes to your personal data.
Personal data belonging to children
Our website and our services are not intended for children and we do not knowingly collect data relating to children. If you are under the age of 13, please obtain consent from your parent or guardian before you submit any personal data to us. If you are a parent or guardian of a minor and you have reason to believe your child or ward has provided us with their personal data without your prior consent, please contact us to request erasure of their personal data or for the minor to be unsubscribed from our mailing lists.
Categories of personal data we may collect
We may collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:
Data specifically related to identity may include first name, maiden name, last name, marital status, title, date of birth, national insurance details and other recognised official identity documents.
The contact information for you and others could include email addresses and telephone numbers, postal address details and social media handles.
To fulfill our services to you we may process financial data including bank account information, direct debit information and payment card details, and there may be a requirement for us to collect, process and make a decision on other financial information, for example, when assessing credit account applications.
In this technical age there’s quite a bit of technical data around, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. Our website also gives us information about how you use our website.
Marketing and Communications Data
We make it our business to develop lasting relationships and to help with this we will be processing data about your preferences in receiving marketing from us and your communication preferences. But don’t worry, we’re not interested in bombarding you with marketing content, just timely and relevant information about services and products we care about and that we think are relevant to you. We put you in control, so you always have the option to decline this or opt out at any point.
Special Categories of Personal Data
There may be instances where special categories of personal data are disclosed to us, but this is incidental and not part of an organised processing activity.
Data requiring special protection
There may be instances where we process special category data for the specific purpose of safeguarding and our legal obligations to undertake criminal record checks through the Disclosure & Barring Service.
How we may collect personal data
Personal data you voluntarily provide to us
We collect personal data that is relevant to our relationship with you. Your personal data may be collected by us, directly or indirectly, for instance:
- if you subscribe to our mailing lists;
- if you attend events or meetings organised by us, or conducted at our offices, for example, sales events, promotional and marketing events, training sessions and social events;
- when your images are captured by us via CCTV cameras while you are within the properties we operate and use, or when photographs or videos of you are taken when you attend events, meetings or training sessions organised by us;
- when you use our services or enter into transactions with us, or express an interest in doing so, including services, products and transactions which you utilise in-person or electronically;
- when you communicate with us by telephone, email, via our website or through other communication channels, for example, through social media platforms;
- when you voluntarily provide documents or information including your; and/or
- when you submit your personal data to us for any other reason.
Personal data that has been provided by others
Depending on your relationship with us, we may also collect your personal data from third party sources, for example:
- from your family members, friends or colleagues who provide your personal data to us on your behalf;
- from credit referencing agencies that we engage with to assess our credit account decisions on an ongoing basis; or
- from public agencies or other public sources, for example, the Electoral Register, Companies House.
Personal data that can be collected automatically
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Because we value your privacy and data rights, we’ve structured our website in a way that asks for your consent for certain cookies.
External links on our website
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notices applicable to the website in question.
Specific purposes and legal basis for processing your information
We will always have a legal basis for processing personal data, and we have methodically assessed our purposes and legal bases. Here is a breakdown of our purposes and legal bases:
Our legal basis
Specific purpose, safeguarding and the respect of individual’s data rights
Individual communication via email, post or telephone
Performance of a contract
In order to fulfill the service or product that you have enquired about, where we have been contracted to fulfill a service or product and to facilitate our relationship with you, your business or colleagues. You can of course ask us not to contact you, but it’s likely to affect our ability to fulfill our obligations to you.
CRM system data capture, storage and analysis.
Identity, Contact & Financial data
We collect and store information about our engagements with customers, which may include personal data belonging to staff, customers and other third parties. It is in our legitimate interest to process data in our CRM systems to ensure the smooth operation of our business, effective planning and an efficient customer experience. You may request access to, rectification of or erasure of details we have stored on you.
Customer service tickets
Identity, Contact, Technical data
Performance of a contract
We collect, process and store information for the specific purpose of fulfilling our services, which may include personal data belonging to staff, customers and other third parties. We process data in this way to ensure the smooth operation of our business, effective planning and to deliver a great customer experience. You may request access to, rectification of or erasure of details we have stored on you, where appropriate.
Training and other corporate events
Identity, Contact, Special category health data
Performance of a contract / Consent
The information you provide will be used to communicate with you about your attendance at the event and to follow-up on your experience post-event. The personal information we may process could include your name, job title and employer, address and phone number, email address, dietary requirements, access requirements. We will ask for your consent to process health related data.
Email marketing to other businesses
Identity & Contact data
Where we are looking to have, or we already have a business to business relationship with you or your organisation, we will look to provide you with interesting and relevant services, products and projects. You are more than welcome to opt out of receiving our marketing information by using the Unsubscribe feature in our emails or by contacting us.
Email marketing to consumers
Identity & Contact data
Where we would like to let our customers know about our services, products or projects we will obtain the consent of those individuals. It’s important to make clear that consumers have the right to withdraw consent at any time or to opt out of direct marketing.
Postal marketing to businesses and consumers
Identity & Contact data
We only ever aim to provide customer or potential customers with well designed, relevant and interesting products and so our marketing material should be the same. We’re not fans of spam, so we won’t be spamming anyone with lots of unnecessary postal marketing material. Recipients may ‘opt-out’ of postal marketing via contact details provided. In any case we will make it our business to check the Mail Preference Services before undertaking marketing materials.
Telephone marketing to other businesses
Identity & Contact data
We’re not fans of nuisance phone calls, so we won’t be spamming anyone with lots of unnecessary calls. Recipients may ‘opt-out’ of telephone marketing by either letting our team members know or by contacting us at any point. In any case we will make it our business to check the Telephone Preference Services before undertaking marketing activities.
Images and film footage
Consent & Legitimate interest
We may take photographs and / or video footage at our offices, an event we host or as part of our mobile job completion processes, which could capture personal data of staff, customers, visitors and other third parties. We will always notify participants when a photographer or filmmaker is present at our offices or events. There is a legitimate interest in processing personal data in a crowd setting, but we may also ask for consent when an individual is clearly identifiable from the photograph or video footage and where photos are to be published alongside a name or other personal identifier. You have the right to withdraw consent at any time or to opt out of this processing activity. We will respect the wishes of anyone who signals their desire not to have their image taken. Images or footage recorded as part of our mobile job processing are not intended to capture personal data.
Collection/analysis of statistical information about website usage
Technical & Usage data
To manage and improve how people engage with our public-facing channels. The information we collect tells us about how you use our website, what links you follow and tells us what you’re most interested in.
Sharing information with Companies House, Accountants, legal advisors, HMRC and Statutory authorities
Identity, Contact, Financial & Special category data
Legitimate Interest & Legal Obligation
As a registered UK business, we are subject to UK company law and therefore have specific legal obligations. We process our accounts in accordance with UK law and therefore use external accountants, which is our legitimate interest, to submit our statutory accounting records. We are subject to audits and assessments from industry standard bodies and in the protection of our interests and to comply with UK law, we may be obligated to share information with the statutory authorities.
Undertaking DBS checks
Identity, Contact data & data deserving special protection data
Legal Obligation & Consent
Where a member of staff is to be placed within a customer that works with either children or adults at risk, we will undertake checks with the Disclosure & Barring Service as is our legal obligation. There may also be a balanced and reasonable legitimate interest to conduct DBS checks on our wider team.
Credit facilitation purposes
Identity, Contact & Financial data
Legal Obligation, Performance of a Contract & Legitimate Interest
In compliance with legal obligation and our own business interests, we may collect data from Credit Referencing Agencies (CRAs). We may also share your personal information with CRAs to help us make decisions on and manage our relationship with you. Specifically this may include: name, address and date of birth, credit account details, shared credit information, credit history, fraud prevention information and public information, from sources such as the Electoral Register and Companies House. We’ll use this data to assess whether a credit account can be offered, to verify the information that we’ve been given, to detect and prevent financial crime, to trace and recover debts and to undertake litigation proceedings where necessary. In which case we may share your personal data with our consultants and professional advisors (such as accountants, compliance, lawyers, auditors). We will be continually accessing and sharing data with We will go on sharing your personal information with CRAs for as long as you are a customer.
Identity, Contact & Financial data
Performance of a Contract
We may disclose your personal data to third parties who provide services to us, including our service providers and data processors (providing services such as hosting and maintenance services, analysis services, e-mail messaging services, delivery services, handling of payment transactions, marketing, and professional services).
Security and Safety
Identity, Contact, Technical & Usage data
Legal Obligation & Legitimate Interest
We may process personal data for the specific purposes of security and safety. This is in connection with the buildings that we own and/or rent, or events organised by us or conducted at the buildings we own and/or use; and through the systems that we operate throughout the organisation. Personal data may include door access logs or visitor’s logs.
Customer engagement metrics
Identity, Contact, Technical & Usage data
Performance of a contract & Legitimate interest
We may contact you during and after the fulfillment of the services you request from us. Communication will be a combination of service updates to let you know that an order or delivery is on the way, and we may engage with you to understand how well we’ve done or if there are areas we could improve on. We have a team of Customer Service staff that will review the feedback requests, and we also use some technical methods to automatically assess the nature of feedback we receive.
When you provide consent to processing
Where you have given your consent for us or a 3rd party of ours to process your data, you can withdraw your consent at any time. Where consent has been used as the lawful basis for processing data, the information we provide about our processing activities will be fair, transparent, and unambiguous and you will have the power to decide whether you give consent.
Where legitimate interest is the most appropriate lawful basis
When processing your personal information is a legitimate interest of ours, or a third-party, we undertake legitimate interest assessments to ensure that our processing is not overridden by the interests, rights and freedoms that you have been afforded by data protection legislation.
Use permitted under applicable laws
We may also collect, use, disclose and process your personal data, without your knowledge or consent, where this is required or permitted by law.
Using your personal data to contact you
When we contact or send you information for the purposes described above, we may do so by post, email, SMS, telephone or such other means provided by you. If you do not wish to receive any communication or information from us or wish to restrict how we may contact or send you information, you can let us know by contacting our Data Protection Officer.
Data being transferred outside of the EEA
In the provision of our services to you we use data processors that are outside of the European Economic Area (EEA).
The General Data Protection Regulation has strict rules about data transfers to international organisations and we use approved data transfer mechanisms wherever we transfer personal information to a country that is outside the EEA, known as “third countries”. Approved transfer mechanisms that are utilised include adequacy based on the EU–US Privacy Shield, transfers safeguarded using contracts with model clauses and transfers based on an existing adequacy agreement between the EU and the receiving third country.
We take extra steps to ensure comprehensive due diligence of the data processing activities of our data processors.
If you would like any more information, please get in touch by contacting our Data Protection Officer, details can be found at the start of this Privacy Notice.
The security of your personal data
We have put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal data to those employees, agents, contractors and other third parties who have been authorised to access your personal data.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the appropriate supervisory authority of a breach where we are legally required to do so.
However, we cannot guarantee that our systems or applications are invulnerable to security breaches, nor do we make any warranty, guarantee, or representation that your use of our systems or applications is safe and protected from viruses, worms, Trojan horses, and other vulnerabilities.
We also cannot guarantee the security of data that you choose to send us electronically. Sending such data is entirely at your own risk.
How long we keep personal data
Our retention schedules
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available and you can request more details of that by contacting our Data Protection Officer.
By law we may have to keep certain information about our customers and this data will be held solely and securely for those legal purposes.
You have rights when it comes to your personal data
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
Right of access
You have the right to request a copy of the information that we hold about you. Access to a copy of your personal information is often known as a Subject Access Request. It is usually free of charge and we have a one-month time period within which to respond.
If requests for information are particularly complex or you have submitted multiple requests, the law permits an extension to the one-month timeline of up to two further months. It is also permitted to apply a fair administration fee for access requests that are deemed manifestly unfounded or excessive or if further copies of data are requested.
Finally, the law allows an organisation to refuse a Subject Access request where the request is deemed to be manifestly unfounded or excessive. Any such decision would need to be made on a case by case basis.
Right of rectification
You have a right to review and correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten
In certain circumstances you can ask for the data we hold about you to be erased from our records. As detailed within data protection law, a request to be forgotten is not an absolute right and will be assessed on its merits.
Right to restriction of processing
In certain conditions you can exercise a right to restrict the processing of personal data. In particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing.
Right of portability
You have the right to have the data that you have provided to us, for the fulfillment of a contract or where you have provided your consent, transferred in a structured and machine-readable format to another organisation.
Right to object
You have the right to object to certain types of processing, for example where we process your personal data for marketing purposes; this is an absolute right. You will be able to object to or opt out of any marketing message we send you.
Right to object to automated processing, including profiling
You also have the right to object to processing that is automated and involves decision making likely to have a legal effect on you.
Right to lodge a complaint
In the event that we refuse your request under these rights of access, we will provide you with a reason as to why. You have the right to complain and we have provided a specific section on this below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
You can request access to your personal data
At your request, and for the specific right of access that you have, we can confirm what information we hold about you and how it is processed. There are elements of the information below contained within this Privacy Notice and we would refer you to the relevant sections. Otherwise, you can request the following information:
- Identity and the contact details of the person or organisation that has determined how and why to process your data.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of our business or a third party, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- If we intend to transfer personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
- How long the data will be stored.
- Details of your rights to correct, erase, restrict or object to such processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
What forms of ID will I need to provide to access my data?
We will assess the information we process on your behalf, and if we are unable to verify your identity through existing security checks, we may request additional identification that could include:
Passport, driving licence, birth certificate, utility bill from last 3 months.
If you have any queries about this Policy, please feel free to get in touch with our Data Protection Officer and we will do our best to answer your questions.