Privacy policy

This Privacy Notice is effective as of July 2023, and replaces all prior Privacy Notices. Please note that this Privacy Notice will be updated regularly to reflect any changes in the way we handle your personal data or any changes in applicable laws.

We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who interacts with us and will only collect / use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) and under any other applicable data protection legislation, including the UK’s Data Protection Act 2018, and the South African Protection of Personal Information Act, 2013.

Who Are We?

Lucky Beard is a global design and advisory company. We help our clients build businesses, brands, products and experiences for the customers of tomorrow. We have offices located in England, Ireland, and South Africa. Lucky Beard Limited is registered in Ireland under company number 610580, with offices at 15 Harcourt Street, St. Kevin’s, Dublin 2, D02 XY47, Lucky Beard UK Limited is registered in England under company number 11409849, with registered office at 1 WestFerry Circus Canary Wharf, London E14 4HD, and Lucky Beard (Pty) Ltd is registered in South Africa under registration number 2014/164529/07, with registered office at Southdowns Ridge Office Park, 1240 John Vorster Avenue, Irene, 0062, South Africa.

What Does This Privacy Notice Cover?

This Privacy Notice (“Privacy Notice”) describes the manner in which Lucky Beard collects, uses, maintains and discloses information from visitors to our website, customers, prospective customers, employees and prospective employees, in situations in which Lucky Beard is a data controller as defined in the GDPR. It also explains your rights under the law relating to your personal data.

Where Lucky Beard is required to comply with additional obligations imposed by other jurisdictions, when it processes personal data which you have provided to it, these obligations are set out at the end of this Privacy Notice.

For purposes of this Privacy Notice, the terms “user,” “customer,” “employee”, “you,” and “your” refer to the individuals about whom we may collect and process personal data, and at times may be used interchangeably within this Privacy Notice. The term “personal data” is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified’.

If you have any questions or concerns about our use of your personal data, please contact us using the contact details provided at the end of this Privacy Notice.

What Personal Data Do We Collect?

We collect personal data of our employees, potential employees, clients, potential clients, suppliers, business contacts and website users. If the data we collect are not listed in this Privacy Notice, we will give individuals (when required by law) appropriate notice of which other data will be collected and how it will be used.

Below describes the categories of personal data we collect:

Personal details, contact details and identifiers

  • Personal data is collected on our website through forms you complete including registering to events, downloads, and newsletter.

  • Our website also collects personal data about your website visit including information about your computer through 3rd party cookies (see below).

  • Lucky Beard may also collect personal details for recruitment/employment purposes, such as national identification number, social security number, insurance information, marital/civil partnership status, domestic partners, dependents, and emergency contact information.

  • We may also collect this information when working on projects for our clients.

Education history, professional information, sensitive data, and immigration documents for recruitment

  • Lucky Beard may collect information about your portfolio, education and professional employment history. Information that you submit in CVs, portfolios, letters, writing samples, or other written materials (including photographs). Information generated by interviewers and recruiters related to you including any assessments. We may also collect certain type of sensitive information such as background checks, medical information, and legal documents such as data on citizenship, passport data, residency, work permits where permitted or required by law or with your consent.

Financial information for payroll, benefits or customer invoicing

  • Financial information for payroll, benefits or customer invoicing We may collect your banking details and other relevant financial details for payroll purposes or in order to conduct business with you.

Cookies

In order to improve your experience of our website, we use Cookies to track your interactions with our public facing website. Cookies are small text files that are automatically placed on your computer or mobile device by some websites that you may visit.

When you use our website for the first time, a message will appear asking for your consent to the use of Cookies, with a link to further details about the types of Cookies used, as well as a link to our full

Cookies Policy

. You may choose to consent to the use of all Cookies, or you may specify which types of Cookies may be deployed.

What Is Our Legal Basis For Processing?

Under the GDPR, we must always have a lawful basis for using your personal data. The following describes how we will use your personal data and our lawful bases for doing so:

  • For the purpose of marketing communication and interactions on our website, including when you request information from us, sign up to newsletters, complete web forms or surveys

  • Based on consent given by the data subject

  • For the purpose of promoting our products and services to you in general

  • Based on consent given by the data subject or our legitimate interests to communicate with our customers

  • For the purpose of managing our contractual obligations we have with you

  • Necessary for the performance of a contract

  • For the purpose of operating and managing our business operations

  • On the basis of our legitimate interests for ensuring the proper functioning of our business operations

  • Managing our contractual obligations as an employer including performing any administrative functions (e.g., expenses, benefits)

  • Necessary for the performance of a contract

  • Performing any legally required reporting and to respond to legal process related to employment or business operations

  • Necessary for the compliance with a legal obligation to which we are subject

  • Manage applications from prospective employees

  • Based on your consent, and on the basis of our legitimate interests to process applications

  • Monitoring your use of our systems (including monitoring the use of our website and any apps and tools you use)

  • On the basis of our legitimate interests of avoiding non-compliance and protecting our reputation.

  • Where the above table states that we rely on our legitimate interests for a given purpose, we are of the opinion that our legitimate interests are not overridden by your interests, rights or freedoms.

  • Lucky Beard does not knowingly collect personal data from children under the age of 16. We do not provide services to children, nor do we market to children.

Processing personal data for Marketing

With your permission and/or where permitted by law, we will use your personal data for marketing purposes, which may include contacting you by email AND/OR telephone with information, news and offers on our services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the Data Protection Legislation, and you will always have the opportunity to opt-out.

We will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s), and we need to use your personal data for that purpose.

The bulk of the personal data we collect and use for marketing purposes relates to individuals employed by our clients and other companies we work with. We may also obtain contact information from public sources, including content made public on social media sites, to make an initial contact with a relevant individual.

Like most companies, Lucky Beard has a customer relationship management (CRM) database to manage and track our relationship with customers. Personal data used for this purpose includes contact data, publicly available information such as social media posts, your responses to targeted mailing, web activity of registered users. If you wish to be excluded from our CRM database, please contact us.

Do We Share Your Personal Data?

We may sometimes share your personal data with a third party to supply services on our behalf. In some cases, the third parties may require access to some or all of your personal data. Where any of your personal data is required for such a purpose, we will take all reasonable steps to ensure that your personal data will be handled safely, securely, and in accordance with your rights.

We may share personal data with third parties that provide services to us such as billing/ payment processing, HR, web publishing, marketing services, customer support, email processing, communication interfaces, web/application hosting and CRM services.

We are careful only to share the information that is necessary for the purposes described. Any third party who receives this information is bound by a contract with Lucky Beard setting out their obligation in relation to your personal data as required per Article 28 of the GDPR.

We may also be required to disclose data to third parties who are not data processors acting on behalf of Lucky Beard. Categories of recipients include:

  • Tax authorities (e.g., Irish Revenue Commissioners)

  • Law enforcement (where required for the investigation, detection, or prosecution of criminal offences)

Lucky Beard takes strong measures to help protect your personal data from inappropriate access or use by unauthorized persons. We take all necessary steps to ensure that your personal data will be given adequate protection as required under the GDPR and Lucky Beard’s own internal policies.

International Transfers

Lucky Beard will, from time to time, make use of services provided by third parties which may make the transfer of personal data outside the EU/EEA and UK necessary. For example, we use a variety of cloud-based tools such as Bamboo HR, Skype, Microsoft 365, including MS Teams, and similar.

Unless stated otherwise, transfers of personal data from within (i) the European Economic Area (EEA) to third parties outside the EEA are based on an adequacy decision or are governed by the standard contractual clauses (SCC) (ii) the United Kingdom (UK) to third parties outside the UK are based on an adequacy decision or are governed by international data transfer agreement (IDTA), or the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum) Any other non-EEA or non-UK related transfers of your personal data will take place in accordance with the appropriate international data transfer mechanisms and standards.

How Long Will We Keep Your Personal Data?

We will retain your personal data only for as long as necessary for the purposes outlined above, while related services are provided to you, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

We maintain specific records management and retention policies and procedures, so that personal data is deleted according to the following retention key criteria:

  • As long as we have an ongoing and active relationship with you (in particular, if you have a contract with us).

  • As long as we have your consent, keeping you informed.

  • As long as it is needed in order to comply with our global legal and contractual obligations.

How Do We Keep Your Personal Data Secure?

We are committed to ensuring that your personal data is secure with us and with any third parties who may act on our behalf.

All staff working for Lucky Beard have a legal duty to keep information about you confidential and all staff are aware of our information security policy. We take a number of important measures defined in our security policies, including the following:

  • limiting access to your personal data to those employees, agents, contractors, and other third parties with a legitimate need to know and ensuring that they are subject to duties of confidentiality

  • procedures for dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the Data Protection Commission’s Office when we are legally required to do so

  • training for staff in data protection policies and procedures

What Are My Rights?

Under the GDPR, you have the following rights, which we will always work to uphold:

  • The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions.

  • The right to access the personal data we hold about you.

  • The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.

  • The right to be forgotten, i.e., the right to ask us to delete or otherwise dispose of any of your personal data that we have.

  • The right to restrict (i.e., prevent) the processing of your personal data.

  • The right to object to us using your personal data for a particular purpose or purposes.

  • The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.

  • Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided below.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Office of Data Protection Commission (Ireland) or the Information Commissioner’s Office (UK).

How Can I Access My Personal Data?

If you want to know what personal data we have about you, you can ask us for details of your personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown under How do I contact Lucky Beard? section below.

There is normally no charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests), a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within 30 days of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of 90 days from the date we receive your request. You will be kept fully informed of our progress.

How Do I Contact Lucky Beard?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:

[email protected]

Jurisdiction Specific Requirements

In addition to the information set out in the Privacy Notice above, this South Africa specific section of the Privacy Notice applies to situations in which Lucky Beard is a responsible party as defined in POPIA, and processes the personal data of individuals, including juristic persons, who reside in South Africa or have their personal data processed by Lucky Beard in South Africa. Such data subjects will have certain rights under the Protection of Personal Information Act, 2013 (“POPIA”) and any regulations thereto. Where there is a conflict between the general provisions of the Privacy Notice and this South Africa specific section, this section will prevail.

For the purposes of POPIA, “personal data” means “personal information”, as defined in POPIA, being information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.

Lucky Beard Proprietary Limited is registered in South Africa under company number 2014/16429/07, with offices at Southdowns Ridge Office Park, 1240 John Vorster Avenue, Irene, 0062.

International Transfers

Lucky Beard may, from time to time, make use of services provided by third parties which may make the transfer of personal data outside of South Africa necessary. For example, we use a variety of cloud-based tools such as Microsoft 365, including MS Teams, and similar.

The transfer of personal data to a country outside of South Africa shall take place only if one or more of the following applies:

  • the third party who is the recipient of the personal data is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that:

    (i) effectively upholds principles for reasonable processing of the personal data that are substantially similar to the conditions for the lawful processing of personal data relating to a data subject who is a natural person and, where applicable, a juristic person; and

    (ii) includes provisions, that are substantially similar to the requirements set out in POPIA, relating to the further transfer of personal data from the recipient to third parties who are in a foreign country;

  • you consent to the transfer;

  • the transfer is necessary for the performance of a contract between you and Lucky Beard, or for the implementation of pre-contractual measures taken in response to the data subject’s request;

  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Lucky Beard and a third party; or

  • the transfer is for your benefit, and:

    (i) it is not reasonably practicable to obtain your consent to that transfer; and

    (ii) if it were reasonably practicable to obtain such consent, you would be likely to give it.

For the purpose of International Transfers:

  • ‘‘binding corporate rules’’ means personal data processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal data to a responsible party or operator within that same group of undertakings in a foreign country; and

  • ‘‘group of undertakings’’ means a controlling undertaking and its controlled undertakings.

What Are My Rights?

Under POPIA, you have the following rights, which we undertake to uphold, and which include the right to:

  • request access to and the right to rectify (or correct) the personal data which has been collected about you;

  • object to the processing of your personal data if you have reasonable grounds for believing that such processing:

    • does not protect your legitimate interests;

    • is not necessary for the proper performance of a public law duty by a public body, if applicable;

    • is not necessary for pursuing the legitimate interests of Lucky Beard or of a third party to whom the information is supplied; or

    • is being used for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications; and

  • lodge a complaint to the Information Regulator, by completing the prescribed POPIA form 5 and sending it to [email protected], if you believe that your personal data is not being processed in accordance with applicable laws.

Application of the above rights may vary depending on the type of data involved, and Lucky Beard’s particular basis for processing the personal data.

How Can I Access My Personal Data?

Lucky Beard has developed a process for you to request access to records of personal data which we hold. The process is set out in Lucky Beards PAIA Manual

To make a request to exercise one of the above rights set out in (a) and (b) above, please follow the process set out in Lucky Beards PAIA Manual or contact [email protected]

We will consider and act upon any requests in accordance with applicable data protection laws. Please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal data that we hold about you. We may, in limited circumstances, charge you a reasonable fee to access your personal data; however, we will advise you of any fee in advance.

If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time but note that we do not require your consent in order to process your personal data for our legitimate business interest. Please note however that this will not affect the lawfulness of the processing before its withdrawal.