Campus Tenant and Visitor Privacy Notice

Date Notice Last Updated: 04/11/2024

What is the purpose of this document?

Babraham Research Campus is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are providing this privacy notice to you as you fall into one of two categories: (1) a tenant (encompassing employees, partners, affiliates, contractors, and third parties collaborating with or under the direction of a campus tenant) or (2) a visitor to our campus or one of our tenants.

The purpose of this document is to inform you about the use of your personal data, both now and in the future. It is focused on ensuring the appropriate use of your data whilst highlighting our responsibility to the privacy and security of your personal information during your association with Babraham Research Campus. This includes the duration for which we may retain your data. This information is provided in compliance with the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Please note the effective date at the top of this notice. We may amend this Notice from time to time and will inform you in advance of the effective date of any material changes that we intend to implement.

Identity of the Data Controller

Babraham Research Campus is responsible for processing your personal data and is the data controller. 

Our main address is Babraham Hall, Babraham, Cambridge CB22 3AT, UK, Babraham CB22 3AT. 

How is your personal information sourced?

Most of the personal data that we process about you has been provided by you directly to us. We may also collect personal data about tenants and visitors from other third parties and services, including:

  1. your employer (if you are working on behalf of a tenant within the Campus);
  2. a partner organisation you are working with that has a site on the Campus;
  3. the organisation you are visiting.

Information we hold about you

In connection with your status as a tenant or visitor, we may collect, store, and use the following categories of personal information about you as set out in the table below. This also identifies our lawful basis for the specified purposes and conditions for any special category data.

*Except as described in this Privacy Notice, we do not generally ask you to disclose any sensitive information (e.g., medical information, details of race, religious or political beliefs, data concerning sexual orientation or sex life or membership of a trade union, or genetic or biometric data) to us. If we do ask you to provide us with any sensitive information, we will normally explain the requirements and situations where and why this data is required.

N.B. We may need to process data as necessary in connection with any legal claims or prospective legal claims. (Schedule 1, Part 3, paragraph 33 of DPA.)

Please note – failure to provide any necessary information (either as a Tenant or a Visitor) will restrict your access to the site.

Data Sharing: Partners /Third-Party Recipients

Why might you share my personal information with third parties?

The purposes for which we may share personal data relating to our tenants and visitors with trusted third-party vendors and business partners are set out below.

Third Party Suppliers

Babraham Research Campus may share personal data with trusted service providers and business partners pursuant to contractual agreements with them. These agreements will, as necessary, include appropriate safeguards to protect any personal data that we share with them. We may share personal data with third parties that perform services and carry out functions on our behalf and under our instruction as data processors. These third parties include:

  1. Security service providers;
  2. IT service and platform providers;
  3. Facilities management service providers;
  4. Campus Connected Application provider;
  5. Training Providers;

We may also share your information with third parties such as Police, local authorities, and other similar bodies where this is necessary for us to investigate, prevent or take action regarding illegal or suspected illegal activities; or where disclosure is required by law. We will only do this where necessary to comply with legal obligations to which we are subject.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information only to those employees, agents, contractors, and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator(s) of a suspected breach where we are legally required to do so.

International Transfer

The data we collect from you may be processed from or transferred and stored outside the UK in countries with less protective Data Protection laws. To address this, we ensure additional safeguards are in place to with our processors. If we transfer your data from the UK to a country that does not meet UK GDPR adequacy standards, we will use the following legal mechanism(s) to enable the transfer and protect your data, rights and freedoms;

Data Retention

How long will you use my information for?

Tenant Information: We will retain your personal information for the duration of your tenancy and for a period of six months after its termination.

Visitor Information: We will retain your personal information for the duration of your visit and for a period of six months thereafter. (Unless necessary for auditing purposes if visiting restricted campus locations).

After these periods, we will securely destroy your personal information in accordance with our data retention schedule.

If we wish to retain your personal information on file for potential future opportunities, we will seek your explicit consent to retain it for a fixed period.

Rights of Access, Correction, Erasure, and Restriction

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal information to another party.

If you want to review, verify, correct, or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Protection Officer in writing (see below for contact details)

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO via dpo@babraham.co.uk

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.