- UKISUG Members, Members’ employees and senior employees/officers (“Users”) (including trial Members, UKISUG Directors and Volunteers, prospective Members and persons using or visiting our website or downloading any of our on-line resources)
- Service providers, VARS, vendors, suppliers, licensors, exhibitors, sponsors, professional advisors, speakers, facilitators, auditors, and lawyers (e.g. SAP Group) (“Partners”)
- Other sector-wide representative bodies, governmental, statutory, public and regulatory bodies or authorities (including, for example, SUGEN, (“Outside Bodies”)
This Policy applies to all personal data we process regardless of the media on which that data is stored or whether it relates to past or present data subjects. It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them. The business of UKISUG is as a trade organisation to support those who use SAP systems and to represent the interests of its Users and UKISUG considers that all personal data is collected and processed for the purpose of promoting that business and that therefore it has a legitimate interest to collect and process such personal data.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
2. SCOPE AND CATEGORIES OF PERSONAL DATA COLLECTED
Protecting the confidentiality and integrity of personal data is a critical responsibility that we take seriously at all times.
- Identity Data includes first name, last name, title, username or similar identifier, employer, department, job title, date of birth, contact details, biographies, memberships of Outside Bodies, declared conflicts of interest.
- Contact Data includes billing address, delivery address, email address, residential address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us, User activity details and professional preferences/interest, events/meetings booked/attended and items purchased/licensed from us or via SAP, minutes of meetings attended and reports made by Users
- Technical Data includes information collected through cookies, internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses,
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
b. Personal Data on Representatives of Outside Bodies is limited to Identity Data and Contact Data.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. This website is not intended for children and we do not knowingly collect data relating to children.
3. CONTACT DETAILS
UKISUG is the controller and responsible for your personal data. We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, please contact the data privacy manager using the details set out below.
Our full details are:
Full name of legal entity: UNITED KINGDOM & IRELAND SAP USER GROUP LIMITED
Name or title of data privacy manager: Helen Borland, General Manager
Email address: Helen.firstname.lastname@example.org
Postal address: UK & Ireland SAP User Group, Lockheed Court, Preston Farm, Stockton on Tees, TS18 3SH
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
4. PERSONAL DATA PROTECTION PRINCIPLES
We adhere to the principles relating to processing of personal data set out in applicable law (particularly GDPR) which requires personal data to be:
(a) Processed lawfully, fairly and in a transparent manner.
(b) Collected only for specified, explicit and legitimate purposes.
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
(d) Accurate and where necessary kept up to date.
(e) Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
(g) Not transferred to another country without appropriate safeguards being in place.
(h) Made available to data subjects and data subjects allowed to exercise certain rights in relation to their personal data.
(i) We are responsible for and must be able to demonstrate compliance with the data protection principles listed above.
5. PURPOSE LIMITATION
The business of UKISUG is as a trade organisation to support those who use SAP systems and to represent the interests of its Users and UKISUG considers that all personal data is collected and processed for the purpose of promoting that business and that therefore it has a legitimate interest to collect and process such personal data.
a. UKISUG collects and processes personal data about Users for the following purposes:
- Maintaining and enhancing UKISUG’s products/services and the Users’ experiences
- Keeping Members up to date with information on products/services, which may be of interest to them
- Providing products/services and User management and administration
- SIG and other event management, administration, minuting and reporting
- Account management
- Direct marketing
- Supporting network and security system
- Detecting and preventing fraud
- Complying with legal obligations
- Conducting web analytics
b. UKISUG collects and processes personal data about ex-Users who still use SAP systems, and prospects who may use SAP systems, for the purpose of special marketing offers and for complying with legal obligations.
c. UKISUG collects and processes personal data about Partners for the purposes of:
- Contract management, commercial relationship and administration purposes
- Providing products/services and user management and administration
- Account management
- Direct Marketing
- Supporting network and security system
- Detecting and preventing fraud
- Complying with legal and auditing obligations
- Conducting web analytics
d. UKISUG collects and processes personal data about Outside Bodies for the purpose of complying with legal obligations, relationship and network management, representing Member Organisations and administration purposes and responding to requests or consultations from or providing information to Outside Bodies.
6. IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
7. HOW WE USE YOUR DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by Contacting us. We will get your express opt-in consent before we share your personal data with any third party company for marketing purposes.
9. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. DATA SUBJECT’S RIGHTS AND REQUESTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data. If you wish to exercise any of the rights set out this notice, please Contact us. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
11. SHARING PERSONAL DATA
Generally we will not share personal data with third parties unless certain safeguards and/or contractual arrangements have been put in place. UKISUG will only disclose personal data to the following categories of recipients and for its legitimate business purposes:
- Other Users
- Member Organisations and UKISUG Board
- Outside Bodies
- HMRC or other governmental or legal authority (where applicable)
Where the User or a Partner (such as an Exhibitor) books an event (such as attendance at the UKISUG annual conference), UKISUG may from time to time transfer limited personal data to international Partners as service providers (such as Cvent, established in the USA, which collects payment and administers the bookings for UKISUG’s annual conference). UKISUG will not transfer personal data outside the EEA unless one of the following conditions applies:
UKISUG will not transfer personal data outside the EEA unless one of the following conditions applies:
(a) the European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
(b) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism;
(c) the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or
(d) the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the data subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent and, in some limited cases, for our legitimate interest.
We may have to share your personal data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our Users and Partners (including Contact, Identity, Financial and Transaction Data) for 7 years after they cease being Users or Partners for tax purposes.
13. CHANGES TO THIS POLICY
We reserve the right to change this Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Policy. This Policy does not override any applicable laws.