Who we are
Exceed Group gathers and processes your personal information in accordance with the relevant data protection regulations and laws. This notice provides you with important information regarding your rights and our obligations and explains how, why and when we process your personal data.
We are a company registered in England & Wales under company number 09802671. We are registered on the Information Commissioner's Office Register, registration number ZB041986 and we act as data processor, data controller and co-controller depending on the circumstances.
Our Data Protection Officer for the organisation is Kam Tirmizey, who can be contacted at email@example.com
Where we are the data processor or co-controller the other controller is normally the Charity / Client running the event and we will share your data with that Charity / Client.
Information that we collect
Exceed Group processes your personal information to provide you with our products and services. We will never collect any unnecessary personal data from you and we do not process your information in any way, other than as specified in this notice.
The personal data that we collect from you includes:
First and Last Name
We collect information from online forms through the Exceed Group site.
How we use your personal data
We take your privacy very seriously and other than to provide our services and as described in this notice, we will never disclose or share your data without your consent; unless we are required to do so by law.
We only retain your data for as long as is necessary and for the purposes specified in this notice. Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw this consent at any time.
The purposes and reasons for processing your personal data are detailed below:
We collect your personal data to provide the auction and other services you are experiencing and to ensure that any funds you give to our Charity / Corporate partners are collected and any items you purchase are sent out to your preferred address by our suppliers.
Our email and SMS providers use your personal data to keep you updated on the progress of the event, auction or campaign in which you are taking part.
We and our payment provider store your personal data as part of our legal obligation for business accounting and tax purposes.
Where you consent, we will occasionally contact you for specific promotional purposes that we genuinely think you will be interested in, such as other auction prizes similar to those that you have shown interest in and other similar charities too.
Very occasionally we may send you information without your consent, but where we have assessed that it is beneficial to you as a customer and in our interests. Such information will be non-intrusive.
You have the right to access any personal information that we process about you and to request information about:
What personal data we hold about you and the purposes of the processing
The categories of personal data concerned
The recipients to whom the personal data has/will be disclosed
How long we intend to store your personal data for
If we did not collect the data directly from you, information about the source
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to correct it as quickly as possible.
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; to exercise your data portability rights, and to be informed about any automated decision making we may use.
If we receive a request from you to exercise any of the above rights, we will ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.
Sharing and Disclosing Your Personal Information
We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement. As well as sharing your data with our Charity / Corporate partner for each event, we use some third parties to provide the services and business functions below; all our processors acting on our behalf process your data in accordance with our instructions and they comply fully with this privacy notice and the data protection laws.
Where we are processing your data for these purposes, we will share it with:
Stripe Payments UK Ltd: We use Stripe for taking payment; they are PCI Compliant payment experts and they will process your payment seamlessly and securely.
Where you have successfully bid for a lot, we will share your details with our lot supplier in order that you may redeem your winning item. Our suppliers for lot items process your data so that they can provide you with the item. Our suppliers change on a regular basis.
We take every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have security measures in place, including:
Encryption in the case of physical theft or loss
Encryption when sending over public networks to prevent interception or tampering
Up to date security software to prevent malware and external threats
Strict permission controls to ensure access only by authorised persons
Transfers outside the EU
Personal data in the UK and European Union is protected by the General Data Protection Regulation (GDPR) but some other countries may not necessarily have the same high standard of protection for your personal data. Wherever possible, we do not transfer or store any personal data outside the EU.
Where this is the case, we are taking steps to ensure that these providers use the necessary level of protection for your information and abide by strict agreements and measures to protect your data and comply with the relevant data protection laws.
How long we keep your data
We only ever retain personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations.
Where you have taken part in an auction or another one of our services, we will keep your data for a period of 3 years for accounting purposes and in order that we can reference the event for you, for the Charity / Corporate involved or for ourselves. Where you have purchased an item, we are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.
Occasionally, we would like to contact you about other events, auction items, charities or new services that we are providing and we think will be of genuine interest to you. If you consent to us using your contact details for these purposes, you have the right to modify or withdraw your consent at any time by using the opt-out/unsubscribe options or by contacting us directly.
We process your personal information in order to enable us to provide you with our products and services in a workable, proper and professional manner.
We will very occasionally send you product or service updates by email that have been identified as being beneficial to our customers and in our interests. Such information will be relevant to you as a customer and is non-intrusive and you will always have the option to opt-out/unsubscribe at any time.
Lodging a Complaint
We only process your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.
Exceed Group Ltd
A cookie is a small information file that is sent to your computer, mobile or other device when you visit a website and it will recognise your device on future visits. These types of files do a number of different jobs such as remembering your preferences and chosen items, assisting you to improve your site experience as well as trying to ensure that the adverts or offers you see online are more relevant to you. These "cookies" can be divided into 4 types each of which is outlined below.
We use the following cookies:
Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
GDPR COMPLIANT DATA PROCESSING
DATA PROCESSOR AGREEMENT
This data processing agreement forms part of the booking form(s) (“Principal Contract”) agreed and to be agreed between the below parties and is made effective from the date of signing of the booking form between the below parties: -
(i) The Client(s) as the “Controller(s)”
(ii) Exceed Group Ltd, whose trading address is Solutions House, 72 Staines Road East, Sunbury, TW16 5BB as the “Processor”
1. Terms of Agreement
1.1 This agreement supplements the Principal Contract and makes legally binding provisions for compliance with the Data Protection Laws as set forth in this agreement. As per the requirements of the Data Protection Laws and GDPR in particular, all processing of personal data by a processor on behalf of a data controller, shall be governed by a contract. The terms, obligations and rights set forth in this agreement relate directly to the processing and co-controller activities and conditions laid out in Schedule 1.
1.2 The terms used in this agreement have the meanings as set out in the definitions below, in particular the data controller is the Controller for the purposes of this contract and the processor is Exceed Group; any terms not otherwise defined, will have the meaning given to them in the Principal Contract.
2.1 In this Agreement, unless the text specifically notes otherwise, the below words shall have the following meanings: -
2.2 The "data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
2.3 "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
2.4 "Data Protection Laws" means all applicable Data Protection Laws, including the General Data Protection Regulation (GDPR) (EU 2016/679) and, to the extent applicable, the data protection or privacy laws of any other country
2.5 "EEA" means the European Economic Area
2.6 "Effective Date" means the date that this agreement comes into force
2.7 The "personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
2.8 “GDPR” means the General Data Protection Regulation (GDPR) (EU) (2016/679)
2.9 "Principal Contract" means the main contract between the parties named in this agreement
2.10 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
2.11 The "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
2.12 "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
2.13 "Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
2.14 "Sub processor" means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the data controller
2.15 "Supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR
3. Obligations and Rights of the Processor
3.1 Exceed Group, as the processor or co-controller, shall comply with the relevant Data Protection Laws and will: -
a) only act on the written instructions of the Controller
b) ensure that people processing the data are subject to a duty of confidence
c) ensure that any natural person acting under their authority who has access to personal data, does not process that data except on instructions from the Controller
d) use its best endeavours to safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Schedule 1 of this agreement
e) ensure that all processing meets the requirements and is in accordance with the principles of the GDPR and related Data Protection Laws
f) ensure that where a sub-processor is used, they: -
i. only engage a sub-processor with the prior consent of the data Controller
ii. inform the Controller of any intended changes concerning the addition or replacement of sub-processors
iii. implement a written contract containing the same data protection obligations as set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws
iv. understand that where any sub-processor is used on their behalf, that any failure on the part of the sub-processor to comply with the Data Protection Laws or the relevant data processing agreement, the initial processor remains fully liable to the controller for the performance of the sub-processor’s obligations
g) assist the Controller in providing subject access and allowing data subjects to exercise their rights under the Data Protection Laws
h) assist the Controller in meeting its data protection obligations in relation to: -
i. the security of processing
ii. data protection impact assessments
iii. the investigation and notification of personal data breaches
i) delete or return all personal data to the Controller after 3 years from the end of the contract
j) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the relevant Data Protection Laws and allow for, and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
k) tell the Controller immediately if they have done something (or are asked to do something) infringing the GDPR or other data protection law of the EU or a member state
l) co-operate with supervisory authorities in accordance with GDPR Article 31
m) notify the Controller of any personal data breaches in accordance with GDPR Article 33
n) employ a data protection officer throughout the term of the Principal Contract
3.2 Nothing in this agreement relieves Exceed Group of their own direct responsibilities, obligations and liabilities under the Data Protection Laws.
3.3 Exceed Group is responsible for ensuring that each of its employees, agents, subcontractors or vendors are made aware of its obligations regarding the security and protection of the personal data and the terms set out in this agreement.
3.4 Exceed Group shall maintain induction and training programs that adequately reflect the Data Protection Laws, their requirements and regulations, and ensure that all employees are afforded the time, resources and budget to undertake such training on a regular basis.
3.5 Any transfers of personal data to a third country or an international organisation shall only be carried out on documented instructions from the controller; unless required to do so by Union or Member State law. Where such a legal requirement exists, the processor shall inform the controller of that legal requirement before processing.
3.6 Exceed Group shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing: -
a) the name and contact details of the data protection officer for the Controller
b) the categories of processing carried out on behalf of the Controller
c) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards
d) a general description of the technical and organisational security measures referred to in Article 32(1)
3.7 Exceed Group shall maintain records of processing activities in writing, including in electronic form and shall make the record available to the supervisory authority on request
3.8 When assessing the appropriate level of security and the subsequent technical and operational measures, Exceed Group shall consider the risks presented by any processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4. Obligations and Rights of the Controller
4.1 The controller is responsible for verifying the validity and suitability of the processor before entering into a business relationship.
4.2 The controller shall carry out adequate and appropriate onboarding and due diligence checks for all processors, with a full assessment of the mandatory Data Protection Law requirements.
4.3 The controller shall verify that the processor has adequate and documented processes for data breaches, data retention and data transfers in place.
4.4 Where the controller has authorised the use of any sub-processor by the initial processor, the controller must verify that similar data protection agreements are in place between the initial processor and sub-processor.
4.5 Where the controller has authorised the use of any sub-processor by the initial processor, the details of the sub-processor must be added to Schedule 2 of this agreement.
5. Penalties & Termination
5.1 Exceed Group confirms that it understands the legal and enforcement actions that it may be subject to should it fail to uphold the agreement terms or breach the Data Protection Laws. If it fails to meet its obligations, it may be subject to: -
a) investigative and corrective powers of supervisory authorities under Article 58 of the GDPR
b) an administrative fine under Article 83 of the GDPR
c) a penalty under Article 84 of the GDPR
d) a requirement to pay compensation under Article 82 of the GDPR
5.2 This agreement will terminate in line with the Principal Contract.
The parties or their duly authorised representatives agree to this agreement in accordance with all its clauses and on the day, month and year stated in the Principal Contract.
On behalf of Exceed Group, as the processor or co-controller.
On behalf of The Client as the Controller.
1. Processing Details
a) The Controller named in this agreement has appointed Exceed Group with regard to specific processing activity requirements. These requirements relate to the auction and payment services provided by Exceed Group.
b) The duration of the processing is for the period as set out in the Principal Contract.
c) The processing activities relate to the bidding, winning and delivering of auction items or pledges and are for the purpose of ensuring a successful auction.
d) The requirement for Exceed Group to act on behalf of or with the Controller is with regard to the below types of personal data and categories of data subjects: -
i. Name, email, phone number, and address.
ii. Event goers and online auction participants.
Stripe Payments UK Ltd: We use Stripe for taking payment; they are payment experts and they will process your payment seamlessly and securely. There is no manual uploading and the client enters payment information on a secure Stripe payment portal directly. See their privacy notice: -