NBS / Legal / Privacy Policy

Privacy Policy

NBS Privacy Policy

RIBA Enterprises Limited (trading as NBS) (“we” or “us” in this policy) respects your privacy and will do its best to safeguard your personal information.

We sometimes need to collect and hold personal information so that we can deliver our services and products to you and/or your employer. If we do not collect such personal information, then we may be unable to provide you with the services and products you have requested or need to use in the course of your work.

This privacy policy tells you about our use of any personal information you give to us including via phone, by email, in letters or by using our services, products or online content. This policy also tells you about personal information we may obtain from sources other than directly from you.

Any changes we may make to our privacy policy in the future will be posted on this page (and, where appropriate, notified to you by email). Please check back frequently to see any updates or changes to our privacy policy.

How to contact us about this policy

We hope that we can resolve any query or concern you may raise about our use of your information.

If you have any questions about how we may use your personal information data, have any concerns or wish to make a complaint about our handling of your personal information, please contact us by post at:

RIBA Enterprises Limited (trading as NBS)
The Old Post Office
St Nicholas Street
Newcastle upon Tyne
NE1 1RH

or by email to privacy@RIBAEnterprises.com.

We will investigate any complaints you notify to us and we will aim to ensure that any complaint and any queries you submit to us are resolved in a timely and appropriate manner.

The General Data Protection Regulation also gives you the right to lodge a complaint with the relevant supervisory authority at any time. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113. You can contact the ICO at any time if you have any concerns about how we collect or process your personal information, but we hope that you will contact us first to discuss your concerns and give us an opportunity to resolve the issue as quickly as possible.

1. Who we are

NBS is leading the built environment with powerfully connected knowledge, products and services around the world. Please see “How to contact us” above for our full company details and who to contact if you have any concerns about how we collect and process your personal information.

2. What personal information we collect

Personal information means any information that identifies or can be used to identify you directly or indirectly.

When you use any of our services, products or online content, whether on your own behalf or your employer’s behalf, we may receive personal information about you.

The kind of information we collect and hold includes, but is not limited to:

Your name (first and last name)
Email address
Telephone number and
Company name
Your profession
CV (if applying for a vacancy with NBS or its subsidiary companies).

We may also keep information about your use and payment for our services, products and online.

3. Information about other people

Should you provide information to us about any person other than yourself, such as your employees, your suppliers, or your counter parties you must ensure that such third parties have been informed and understand how their personal information will be used and that they have given their permission or you have other lawful grounds under the data protection legislation justifying you disclosing it to us and for you to allow us to use it lawfully and in the ways outlined in this privacy policy.

4. How we obtain personal information

Directly by you
Most personal information we hold will be collected by us directly from you. For example you may provide personal information to us when you:

Set up an NBS ID account
Provide personal information on a subscription order form
Provide personal information to us via telephone, email, letter or your CV.

Not directly by you
There are certain circumstances where we may obtain your personal information without you providing that information to us direct. For example, if a recruiter provides your CV to us for consideration as part of a job application. Or where your employer provides your email address to us in order to obtain user access for you to one of our subscription products, services or content.

5. How we protect your personal information

We take appropriate and reasonable technical and organisational measures to protect personal information from loss, misuse, unauthorised access, disclosure, alteration, and destruction and to comply with our obligations under the data protection legislation.

We provide services to you from data centres with 24/7 physical security. Our data centres have international security accreditation including ISO 27001:2013 and ISO 9001:2015. All our data centres are based within the EEA. We secure your connections to our services with TLS encryption.

Your personal information is logically separated from other’s to ensure data segregation.

NBS ID accounts need a username and password to log in. You must keep your username and password secure, and never disclose it to a third party. NBS ID passwords are hashed, which means we cannot see your password. We cannot resend forgotten passwords; we will only provide instructions on how to reset them.

We restrict our access to your personal information by job role and limit staff access to your personal information to those individuals who have a genuine business need to access it. All employees receive regular security training and sign our information security policy annually. We have an ongoing programme to raise security awareness.

Although we make all reasonable efforts to prevent the loss or misuse of your personal information, we cannot guarantee your personal information will not be intercepted while being transmitted over the internet. Therefore, you acknowledge and agree that we assume no liability regarding the theft, loss, alteration, or misuse of your personal information during transmission.

6. How long your personal information will be kept

We will keep your personal information while you have an account with us or we are providing products and services to you.
Thereafter, we will keep your personal information for as long as is reasonable in the circumstances to ensure we can:

respond to any questions, complaints or claims made by you or on your behalf;
show that we treated you fairly; and
keep records required by applicable laws or regulations.

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information and we can make available more detailed information on our retention and deletion policies upon request.

When it is no longer necessary to retain your personal information, we will securely delete or anonymise it.

Personal information from a CV or employment application
We will process such information on the basis of preparation to perform a contract with the candidate and/or legitimate interests in recruiting and vetting potential employees of the business.

We will hold such data for a maximum of 6 months for unsuccessful candidates but for successful candidates we will hold such data for at least the duration of employment and usually for a period of 7 years thereafter (the length of time being determined by our regulatory and legal obligations, and any potential for legal claims).

7. How we use your personal information

Under data protection law, we can only use your personal information if we have a lawful reason for doing so. We may process your personal information in connection with any of the purposes set out in this policy or more on the following legal grounds:

for the performance of our contract with you or to take steps at your request before entering into a contract, relevant where we are providing you with services and/or products or you have expressed an interest in obtaining our services and/or products.

to comply with our legal and regulatory obligations. For example in relation to record keeping for tax purposes;

because our legitimate interests, or those of a third party recipient of your personal information, make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms; or

where you have given consent.

Please note a legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We set out in the table below further information on the lawful grounds we typically rely on n processing your personal information.

We use your personal information in the following ways and with the following legal grounds

The ways we use personal information:	Lawful grounds for processing this information
To provide you with our services and products and online content	For the performance of our contract with you; If you do not have a contract with us directly, we may rely on our legitimate interests in performing our contract with your employer or other entity through whom you obtain access to our services, products and content
To deal with your requests and enquiries	For the performance of our contract with you, or in preparation to enter into and perform a contract with you
To provide you with information about our services, activities or online content.	To take steps at your request before entering into a contract, relevant where we you have expressed an interest in obtaining our services and/or products
To provide essential updates to you e.g. terms and conditions change	For the performance of our contract with you; If you do not have a contract with us directly, we may rely on our legitimate interests in performing our contract with your employer or other entity through whom you obtain access to our services, products and content
To personalise the way our content is presented to you.	For the performance of our contract with you
To assess your use of our services and products and content (Analytics Data).	For the performance of our contract with you and /or, Our legitimate interests make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms
To block malicious users and prevent software piracy and fraud	For the performance of our contract with you and /or, Our legitimate interests make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms
Sending questionnaires and surveys to gather customer feedback. We may use two third party software providers to send these out, for more information please see section 8 of this privacy policy.	Our legitimate interests make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms
For insurance and accounting purposes. We may need to share certain of your information with professional advisers, accountants, auditors and insurers who provide consultancy, banking, insurance and accounting services	For the performance of our contract with you and /or, Our legitimate interests make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms and/or Pursuant to our legal or regulatory obligations
To exercise or defend our legal rights. We may need to share this information with third party professional advisers including lawyers who provide legal services.	For the performance of our contract with you and /or, Our legitimate interests make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms
Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies including external audits. We may also need to share this information with professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.	To comply with our legal and regulatory obligations and /or, Our legitimate interests make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms Pursuant to our legal or regulatory obligations
A potential buyer (and its agents and advisors) in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition. In this type of event, any acquirer will be subject to this privacy policy. Usually information will be anonymized so you can no longer be personally identified from the data being shared but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.	Our legitimate interests make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms

Emails sent on behalf of The Royal Institute of British Architecture (RIBA)

We also carry out certain marketing activities on behalf of our shareholder, The Royal Institute of British Architects, a charity (“RIBA”). If you are an RIBA member registered with the RIBA you may also have consented to receive marketing information relating to Continuing Professional Development (CPD), including RIBA CPD Providers Network and RIBA CPD Roadshow events, CPD e-Bulletin newsletters and other related events from our organisation. In this scenario, we are acting purely as a processor on behalf of RIBA and they are the controller of your personal information; they are also responsible for ensuring your personal information is collected lawfully, kept up to date and they would make any decisions about your requests to exercise your rights in relation to that personal information. Individuals may also opt out of these communications at any time by clicking the ‘opt out link’ within one of these emails. To view the RIBA's privacy policy and for more information please click here https://www.architecture.com/about/privacy-policy. We will only process your personal information obtained in this way in accordance with yours and RIBA’s instructions, and the applicable data protection legislation. We will also always include information on how to unsubscribe from our mailing list when we contact you with this marketing information.

8. How We Share Information

In certain circumstances, as detailed below, we may use third parties to process your personal information on our behalf.

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information.

We also ensure there are written contractual obligations with such parties to ensure they can only use your personal information to provide services to us and to you, and to comply with the requirements of the data protection legislation for written processing agreements.

Third parties providing email sending services

We currently use third party software and/or service providers, such as Mailchimp and Adestra, to provide email sending and email list management services. We do this to ensure data is up to date and to send you emails about our products, services, events, training, surveys and notifications from time to time.

Third Party Processor	Activity undertaken by third party processor	How information is shared	Types of data processed
Mailchimp Mailchimp privacy policy	Email sending services and data list management services; to send you emails about our products, services, events, training and notifications.	Within Mailchimp’s online systems to manage the sending of emails and managing an individual’s privacy preferences	Email address
Adestra Adestra privacy policy	Email sending services and data list management services; send you emails about our products, services, events, training and notifications.	Within Adestra’s online systems to manage the sending of emails and managing an individual’s privacy preferences	Email address

Third parties providing supplemental services

We currently use third parties to offer services to supplement NBS products and services that we offer to you, you will typically access these services via a link which will take you away from our website and to the third party providers website or portal. For example:

Third Party Processor	Activity undertaken by third party processor	How information is shared	Types of data processed
Day One	Online training software (link to third party provided within NBS Chorus)	A link to third party is provided within NBS Chorus and users input their NBS ID to access the training portal which is hosted by the third party	Email address Name (first and surname) Company Name
Freshdesk (Freshworks)	Online support software portal (used with NBS Chorus) support.theNBS.com	Within NBS Chorus users will be able to access a support portal which is hosted by the third party.	Email address Name (first and surname) Company (all passed from NBS ID) Support tickets, chats, support emails and telephone calls.
Premium Credit Limited (PCL)	Credit facility to assist customers spread the cost of NBS products and services	Within PCL’s online systems used to manage borrower’s data and enable borrowers and service providers (where permitted by PCL to do so) to submit requests for transactions to PCL and view management information	Email address Name (first and surname) Address Telephone Number Company Name

The RIBA

In relation to RIBA CPD Providers Network matters, we also share personal information with the Royal Institute of British Architects (“RIBA”), by providing RIBA with some limited access to our CRM database system. RIBA’s access and permissions in respect of this database are strictly limited to the RIBA CPD Providers Network company records, and purely for the purposes of RIBAE and RIBA providing te RIBA CPD Providers Network services and/or managing your CPD material assessment and approvals records for the performance of a contract with you.

Manufacturers

We do not share any personal information (including email addresses) with manufacturers for any reason whatsoever. Instead, we provide the following statistical aggregate information to manufacturers about how their products are used to improve the performance of our products and services:

Project name / project ID
Your company name
Usage analytics e.g. number of downloads of a manufacturer’s products

Analytics

We may collect data about your use of our products and services to help improve the quality and performance of products and services (‘Analytics Data’).

We may share this analytics data with third parties but where we do so the analytics data will be anonymized so that it is not possible to identify you or any other individual from the data. We may share anonymized Analytics Data about use of our products and services with third parties such as manufacturers.

9. Content we show to you from third parties

We may also provide you with access to third party content and websites (not controlled by us), via our products, services and content e.g. Links to The Construction Information Service (CIS) to provide access to Standards, and links to manufacturer websites to provide access to supplementary technical information.

We are not responsible for such third party content. The user is responsible for ensuring the contents are suitable for the intended purpose. Please refer to our terms and conditions for more information on third party content.

10. Transferring your personal information out of the European Economic Area (EEA)

We use data servers based in the EEA to store and process your personal information. Where you are based in the EEA (including the UK), we may make transfers of personal information outside the EEA.

If you are based in the EEA (including the UK) we will only transfer your personal information to non-EEA countries where one of the following conditions applies under the GDPR:

the European Commission has issued a decision confirming that the country to which we transfer the personal information ensures an adequate level of protection for the data subjects' rights and freedoms;
appropriate safeguards are in place such as:

binding corporate rules (BCR),
standard contractual clauses approved by the European Commission,
an approved code of conduct or a certification mechanism (including the EU-US Privacy Shield or its replacement);

you have provided explicit consent to the proposed transfer after being informed of any potential risks.

To deliver some of our products and services we use third party providers who may transfer your personal information out of the EEA. For example:

Third Party Processor	Activity undertaken by third party processor	Location of processing and appropriate safeguards for your personal information	Types of data processed
Mailchimp Mailchimp privacy policy	Email sending services and data list management services; to send you emails about our products, services, events, training and notifications.	United States Mailchimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.	Email address
Freshdesk (Freshworks)	Online support software portal (used with NBS Chorus) support.theNBS.com	Frankfurt AWS Cloud Server Cluster	Email address Name (first and surname) Company (all passed from NBS ID) support tickets, chats, support emails and telephone calls.
Premium Credit Limited	Credit facility to assist customers spread the cost of NBS products and services	May be transferred outside of the EEA. Please refer to your credit agreement or contact Premium Credit directly.	Email address Name (first and surname) Address Telephone Number Company Name

11. Cookies

We use cookies on our websites and we collect IP addresses from visitors to our websites. Cookies are small amounts of information that we store on your computer. Our system issues these cookies to your computer when you log on to the site and have provided your consent to those cookies where appropriate. Cookies make it easier for you to log on to and use the site during future visits. They also allow us to monitor website traffic and to personalise the content of the site for you. You may set up your computer to reject cookies although, in that case, you may not be able to use certain features on our sites.

To view the NBS Cookie Policy https://www.theNBS.com/cookies.

12. Your rights

You have the following rights, which (provided we are acting as the controller of your personal information) you can usually exercise free of charge by writing to us at the details given below:

Access	The right to be provided with a copy of your personal information (the right of access)
Rectification	The right to require us to correct any mistakes in your personal information
To be forgotten	The right to require us to delete your personal information - in certain situations
Restriction of processing	The right to require us to restrict processing of your personal information - in certain circumstances
Data portability	The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party - in certain situations
To object The right to object:	at any time to your personal information being processed for direct marketing in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests
Not to be subject to automated individual decision-making.	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

If you would like to exercise any of those rights, please:

email or write to us - see above: ‘How to contact us about this policy’;
let us have enough information to identify you (e.g. your full name, address and subscriber or matter reference number);
let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
let us know what right you want to exercise and the information to which your request relates.

13. Right to withdraw consent

If we are processing your personal information on the basis of your consent, you have the right to withdraw your consent. If you wish to do so, please contact us at the postal address set out above: ‘How to contact us about this policy’ or email us at privacy@RIBAEnterprises.com.

Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there are compelling legitimate grounds for further processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If you are receiving marketing material you no longer wish to receive, you can click the “unsubscribe” link included on any marketing e-mail we send to you.

Withdrawal of consent to receive marketing communications will not affect the processing of personal information for the provision of our services.