Privacy Policy

Last updated: June 2026

Source in Surrey and Surrey Chambers of Commerce (“the Chamber”) is committed to protecting the privacy and personal data of its members, employees, and other users, including website visitors. This Privacy Policy (“Policy”) describes how the Chamber collects, uses, retains, and protects personally identifiable information provided by users of this website.

Source in Surrey is fully committed to complying with all applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025 (DUAA). This Policy will be kept under review and updated to reflect changes in technology, business practices, and regulation. Source in Surrey operates as part of Surrey Chambers of Commerce (“the Chamber”).

The Chamber is registered with the Information Commissioner’s Office (ICO), the UK’s data protection authority.

Data Controller

The data controller for all personal data collected via this website is Surrey Chambers of Commerce, with its registered office at Dukes Court Block E, Duke Street, Woking, Surrey, GU21 5BH. The Chamber is responsible for deciding what personal data we collect and how we hold and use it. Appropriate data security measures are in place to protect personal data from unauthorised access and loss, as described in the Security section of this Policy.

Data Collection

Source in Surrey collects and maintains a variety of personally identifiable information, including names, email addresses, phone numbers, payment information, social media profiles, business addresses, and demographic information such as the local authority area or industry sector of the business. We also hold details of Chamber services that users may be interested in, such as international trade opportunities, events, and training courses.

Information is collected directly from individuals or from the parent companies of those individuals, through emails, phone calls, online registration forms, event registration forms, and face-to-face meetings. Source in Surrey does not collect personal data about individuals except where there is a legitimate business requirement, a legal basis under UK GDPR, or where such information is provided on a voluntary basis.

Non-personal information may also be automatically collected through the standard operation of the Source in Surrey’s web servers and through cookies and Internet Protocol (IP) address tracking. This may include browser type, operating system, Internet service provider, pages visited, time spent on pages, and similar technical data. This information helps us improve our website and services. Most browsers are set to accept cookies. You can set your browser to refuse cookies or alert you when cookies are being sent; however, doing so may affect the full functionality of the Source in Surrey’s website.

Purpose of Processing and Lawful Basis

Source in Surrey processes personal data for the following purposes:

  • Administering Chamber membership and providing member services
  • Communicating information about Chamber events, training courses, networking opportunities, and policy updates
  • Processing and responding to enquiries from members, prospective members, and other stakeholders
  • Seeking views on emerging political or economic issues relevant to the business community
  • Sending marketing communications on behalf of the Chamber, its patrons, and strategic partners
  • Conducting statistical analysis of website usage and user behaviour to improve our services
  • Providing aggregate, anonymised information to third parties such as sponsors, where no individual can be identified

The lawful bases we rely on for processing personal data under UK GDPR include:

  • Legitimate interests: where processing is necessary for the Chamber’s legitimate business interests, including direct marketing to members and the wider business community, and intra-network data sharing for administrative purposes, provided those interests are not overridden by the rights and interests of individuals.
  • Contract: where processing is necessary to fulfil our contractual obligations to members.
  • Legal obligation: where processing is required to comply with a legal requirement.
  • Consent: where you have given clear consent for us to process your data for a specific purpose, such as receiving marketing communications if you are not a member.

If you or your parent company are a current member of Surrey Chambers of Commerce, opting out of promotional emails will not stop all communication from us. By becoming a member, your firm is signing you up to receive certain information related to the organisation. It is a constitutional requirement for us to send this information.

If you are not a member, or if your membership has lapsed, you may choose to opt in or out of further contact with us. We also receive non-member data through networking activity (for example, business cards and event registrations) and may add these details to our CRM or other data management systems where relevant.

Data Retention

Personal data is stored in the Chamber’s CRM system and other appropriate data management systems, both paper-based and electronic. Personally identifiable information will not be disclosed to any third party except where permission has first been obtained from the individual concerned, or where we are required to do so by law.

Personal data is held and processed in the United Kingdom only. The Chamber does not transfer personal data to any organisation located outside the UK.

At regular intervals, the Chamber and Source in Surrey will:

  • Review the length of time we keep personal data
  • Consider the purpose or purposes for which personal data is held when deciding whether, and for how long, to retain it
  • Securely delete information that is no longer needed for its original purpose
  • Update, archive, or securely delete information that has become out of date

Security

The Chamber uses reasonable and appropriate measures to safeguard personally identifiable information, in accordance with UK GDPR and the DPA 2018. Measures are implemented to preserve the confidentiality, integrity, and availability of personal data.

We have put in place appropriate technical and organisational security measures to prevent personal data from being accidentally lost, used, accessed without authorisation, altered, or disclosed. Access to personal data is limited to employees, contractors, or agents who have a legitimate business need for access, and all such individuals are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data security breach and will notify you and the ICO of a breach where we are legally required to do so. Relevant areas of the Chamber’s website use Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption technology to enhance data privacy and help prevent loss, misuse, or alteration of information.

Links to Third-Party Websites

Source in Surrey may provide links to third-party websites or advertisements containing links to third-party sites, where relevant to the legitimate business needs of the Chamber and its members. These links are provided as a service to website users. Third-party websites are operated by independent entities with their own privacy policies, and this Policy does not apply to those websites.

Source in Surrey has no control over the content or privacy practices of third-party sites. Source in Surrey’s website may also serve third-party advertisements or other content that contains their own cookies or tracking technologies. Source in Surrey does not control the use of those technologies.

Marketing and Opt-Out

The Chamber is a membership organisation and, for its legitimate business interests, maintains contact information on its members and the wider business community to communicate information on membership, events, training courses, policy and research, international trade, and other Chamber products or services.

From time to time, the Chamber collaborates with relevant organisations to promote programmes that may be of interest to members and the wider business community. In such cases, the Chamber does not provide those organisations with any personally identifiable information, but may distribute their information on their behalf to those who may legitimately benefit from receiving it, or who have elected to receive it.

If you do not wish to receive marketing material, you may opt out at any time. Every marketing email will include an ‘unsubscribe’ link. You may also notify the Chamber in writing using the contact details set out in this Policy.

If your parent company has nominated you as a contact required to receive information on its behalf, you cannot opt out of important information the Chamber is required to provide under its contractual obligations to members.

The British Chambers of Commerce

The Chamber is part of a network of Chambers of Commerce across the UK accredited by the British Chambers of Commerce (BCC). One purpose of the Chamber is to “influence the function of any governmental body,” as stated in the Chamber’s Articles of Association. We will provide BCC with your company’s email address so that BCC can conduct research into the impact of policies on your business.

BCC will not contact your business for any purpose other than to notify you of an opportunity to respond to a national policy survey. BCC conducts approximately five surveys per year, which directly inform government policy across areas including business taxation, international trade, and employment. Survey data is completely anonymised and aggregated so that individual responses cannot be identified.

There is no marketing or commercial purpose to the surveys, and BCC does not conduct surveys on behalf of any third party. You can contact us at any time if you do not wish to be contacted by BCC, and you will have the opportunity to unsubscribe from BCC’s research mailing list at any point.

Social Media

Source in Surrey may use third-party tools such as Hootsuite to manage social media interactions. If you send us a private or direct message via social media, that message may be stored by Hootsuite. Like all other personal data we hold, direct messages will not be shared with any other organisations.

Your Right of Access (Subject Access Requests)

Under UK GDPR, you have the right to access personal data held about you by making a Subject Access Request (SAR). If you have an established relationship with the Chamber, you may request a list of the categories of personal information we hold about you.

Subject access requests must be made in writing to the contact details below. We will carry out a reasonable and proportionate search of our records and respond within one calendar month of receiving your request. Where a request is complex or we require clarification from you, we may pause this one-month window while we seek that clarification. We will contact you to let you know if this applies.

We will ask you to verify your identity before fulfilling any subject access request. It is important that the personal data we hold about you is accurate and current. We will take reasonable measures to ensure accuracy, and have procedures in place to enable you to review and correct your personal information if your circumstances change or if there are errors in the data we hold.

Your Privacy Rights

In addition to the right of access described above, under UK GDPR you have the following rights:

  • The right to rectification: to have inaccurate personal data corrected
  • The right to erasure: to request that we delete your personal data in certain circumstances
  • The right to restrict processing: to ask us to limit how we use your personal data
  • The right to object: to object to your personal data being processed for a particular purpose, including direct marketing
  • The right to data portability: to receive a copy of your personal data in a structured, machine-readable format in certain circumstances

To exercise any of these rights, or if you have any questions about how we handle your personal data, please contact our Data Protection Administrator by email at DPA@Surrey-Chambers.co.uk, or in writing to: Data Protection Administrator, Surrey Chambers of Commerce, Dukes Court Block E, Duke Street, Woking, Surrey, GU21 5BH.

Data Protection Complaints

If you have a concern or complaint about how Source in Surrey has handled your personal data, please contact our Resources Manager in the first instance:

Email: tara.wavre@surrey-chambers.co.uk

Your complaint will be logged on our Complaints Log and acknowledged within 4 working days. The relevant manager will investigate and provide a formal response within 10 working days. If further information is needed, we will contact you.

If you remain dissatisfied with our response, or if you do not wish to raise your concern with us directly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority:

  • Website: ico.org.uk/make-a-complaint
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Changes to This Policy

This Policy is reviewed regularly and updated to reflect changes in legislation, technology, or the Chamber’s practices. The date at the top of this page indicates when the Policy was last revised. We encourage you to check this page periodically.

This policy was last updated in June 2026 to reflect the requirements of the Data (Use and Access) Act 2025 (DUAA) and to update references from EU GDPR to UK GDPR.