Data Protection & GDPR Compliance

1

Introduction & Identity of the Data Controller

The Business Development Association (BDA) is fully committed to protecting personal data and ensuring compliance with UK GDPR and the Data Protection Act 2018. As a global authority in business development, headquartered in London, we apply the highest standards of transparency, accountability, and security in managing the data of our members, certified professionals, partners, and website users.

2

Core Data Protection Principles

In line with UK GDPR, we ensure that all data processing is based on the following seven principles:

3

Legal Bases for Processing

We do not process any personal data without a clear legal basis. The six possible grounds under Article 6 of the UK GDPR are: Consent, Contract, Legal Obligation, Vital Interests, Public Interest / Official Function, and Legitimate Interest. Each processing activity is mapped to one or more of these legal bases.

4

What We Collect & How

We may collect the following categories of personal data:

• Identification and contact information: Name, title, email address, phone number.
• Professional data: Experience, qualifications, and professional history relevant to BDA certifications or accreditations.
• Technical data: IP address, browser/device type, and cookie identifiers.
• Transaction data: Fee payments processed via secure payment providers.
• Interaction data: Exam registrations, downloads, seminar and event attendance.

5

Processing Purposes

We use your data to:

1. Management of Certification Applications (BDA-CP™/BDA-SCP™) and Examinations.
2. Managing memberships, accreditations, and partner relationships.
3. Providing content and resources (such as the BDA BoCK® Guide) and improving our platforms.
4. Organisational and service communication (exam dates, policies, updates).
5. Fulfilling legal and regulatory obligations in the UK.

6

Cookies & Electronic Communications

We use cookies and similar technologies to improve your experience and measure performance. We obtain your prior consent where required under the PECR, except for "strictly necessary cookies" required to provide the service. You may manage your cookie preferences at any time through our cookie settings.

7

Protection & Security

We implement appropriate technical and organisational measures, including:

• Encryption in transit and at rest
• Access controls and role-based permissions
• Regular staff training on data protection
• Periodic security testing and audits

In the event of a personal data breach, we assess whether to report it to the ICO within 72 hours of becoming aware of it.

8

Data Sharing & Third-Party Processors

We may share your data as needed with hosting, operation, e-payment, and e-learning service providers; BDA partners certified under strict data protection agreements; and regulatory bodies or competent authorities when there is a legal obligation. We do not sell personal data to third parties.

9

International Data Transfers

When transferring data outside the UK, we comply with UK GDPR requirements using safeguards such as the International Data Transfer Agreement (IDTA) or the British Addendum to the EU Standard Contractual Clauses (SCCs).

10

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

We respond within one month, extendable by up to two months for complex cases. Contact: privacy@bda-global.org

11

Automated Decision-Making

We do not make decisions that produce legal effects purely automatically without human intervention. All significant decisions involving personal data are subject to human review.

12

Complaints & Regulatory Authority

For inquiries or complaints regarding data protection, contact: privacy@bda-global.org. Complaints can also be lodged with the Information Commissioner's Office (ICO) in the UK at ico.org.uk.