Data Protection Act and General Data Protection Regulation (DPA/GDPR) Addendum to the Global Staff/Supplier Privacy Notice (DPA / GDPR Notice)

Owner: Privacy Department

Approver: Global Privacy Officer

Version: January 2024

Last Review: January 2024


We are disclosing information about our data processing practices as required by the United Kingdom’s Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR). This DPA/GDPR Addendum supplements the information contained in the Bright Horizons Global Staff and Supplier Privacy Notice. This DPA / GDPR Notice applies exclusively to staff and suppliers located in the United Kingdom, Ireland, the Netherlands and any other country within the European Economic Area.

What legal basis do we rely on to process your personal information?

Bright Horizons relies on the following legal bases for processing your personal information.

  • Performance under a Contract: Much of the personal information we process is necessary for us and you to perform our respective obligations under our employment contract with you. 
  • Legal Obligations: There are many laws that require us to process your personal information. Examples include law and regulations for child/adult care, safeguarding, health and safety and
  • Legitimate Interest: We have a legitimate interest in processing some of your personal information in some circumstances. We will only process your personal information if our legitimate interests do not override your fundamental rights, freedoms and interests. For any questions regarding this legal basis, please contact our Global Privacy Officer at Some examples of our legitimate interests include:
    • Use of your email address to send you newsletters, invitations to webinars, or information about your employment including your benefits.
    • Analysing your digital information and monitoring your digital experience (such as IP, browser, swipes and error message information) to improve the website experience for you and provide support. ‘Session’ cookies help you navigate through Bright Horizons websites efficiently and are temporary; ‘persistent’ cookies are small files left on your device that store your user preferences for current and successive visits to Bright Horizons websites. Learn more about how we use cookies and similar technologies by clicking here.
    • In some locations, we use Closed Circuit Television (CCTV) for security/safety of our consumers, staff and premises; to help prevent and detect crime; to support learning and training; and/or to defend legal claims.
    • Recording your contact centre calls to assist us with monitoring our policies and procedures; identifying opportunities for training and development; and improving our services.
  • Special Categories of Personal Information: We may need to process special categories of personal information in order to employ you and/or to provide services safely and/or effectively. In some locations, government regulations/laws require us to process special categories of personal information. Special categories of personal information that we may process include information relating to:
    • Health data: that you or your medical provider or an occupational health advisor provides to us to comply with health and safety legal obligations in the workplace including: making appropriate workplace accommodations, as part of sickness absence monitoring, to administer benefits and / or to manage insurance claims.
    • Criminal background records: depending on your role, we may require completion of criminal record checks to confirm your suitability for the role and comply with our legal obligations.
    • Race / ethnic origin / religious or philosophical beliefs / sexual orientation information: you may provide this information to us voluntarily for meaningful equal opportunity monitoring purposes and to inform us about your dietary/holiday/celebration requirements or a relationship for your emergency contact.
    • Trade union membership: as necessary for us to communicate with your nominated union at your direction.
    • Unique identifying biometric information: such as fingerprinting, to meet our legal obligations to protect Bright Horizons’ consumers (and their dependents in our care), to protect Bright Horizons’ confidential information and property, and to mitigate risk; to ensure accurate time records; and / or to exercise or defend the legal rights of Bright Horizons and its employees, affiliates, contractors, agents and consumers (and their dependents).

International Transfers and Adherence to the EU-U.S. Data Privacy Framework (and UK Extension)

We may process some of your personal information outside the UK / EEA as applicable. Whenever we transfer personal information out of the UK / EEA, we ensure a similar degree of protection is afforded to it by putting in place appropriate safeguards and protections.

For transfers to the United States, Bright Horizons Family Solutions LLC is certified to the EU-U.S. Data Privacy Framework and its UK Extension (“DPF”) and complies with its requirements as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information we transfer from the United Kingdom and European Union to the United States in reliance on the DPF. Bright Horizons Family Solutions LLC has certified to the Department of Commerce that it adheres to the DPF Principles. The Federal Trade Commission has jurisdiction over our compliance with the DPF.

If there is any conflict between the terms in our Global Privacy Notice and the DPF Principles, the DPF Principles shall apply. To learn more about the DPF and view our certification, please visit

There is an independent dispute resolution body designated to address complaints and provide appropriate recourse, free of charge to you, as follows: for EU / EEA personal data: the panel established by the EU data protection authorities (DPAs); for UK personal data, the UK Information Commissioner’s Office (ICO).

In addition, under certain circumstances, you have the right to invoke binding arbitration for complaints regarding our DPF compliance that you have been unable to resolve through any of the other DPF mechanisms. To learn more about the binding arbitration mechanism, please visit

In compliance with the DPF Principles, Bright Horizons Family Solutions LLC commits to the following:

  • Resolve complaints about our collection or use of your personal information. If you have questions or complaints regarding our adherence to the DPF, please contact our Global Privacy Officer at or Pioneer House, 7 Rushmills, Northampton, NN4 7YB, United Kingdom.
  • Cooperate with the panel established by the EU data protection authorities (DPAs) / the UK ICO and comply with the advice given by the panel / the ICO with regard to personal information transferred from the European Union / the UK (as applicable).
  • Remain responsible and liable for the processing of personal information we receive under the DPF and subsequently transfer to a third party acting as an agent on our behalf.

Read about who we share your data with here.

What rights do you have over your personal information?

You have the right to request:

  • Access to the personal information we hold about you, free of charge in most cases.
  • The rectification of your personal information to ensure that it’s up-to-date, accurate and complete.
  • The erasure of your personal information (subject to certain exemptions).
  • That we stop processing your personal information for direct marketing purposes (either through specific channels or all channels).
  • That we and other third parties cease processing your personal information when this was previously undertaken based on your consent and you’ve now withdrawn that consent.

How do you make a request about your personal information?

To read about how to amend your information or update your email list preferences, click here.

You can complete our Webform to make a request to access / receive a copy of your personal information or for us to correct or delete your personal information (or exercise any of your other rights).

You can also contact the Global Privacy Officer at

Please note:

  • Only you (or your authorized legal representative) may make a request related to your personal information.
  • In order to authenticate and process your request, you will need to:
    • provide sufficient information that allows us to reasonably verify you are the person about whom we processed personal information or a legally authorized representative; and
    • describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
  • We will not be able to respond to your request if we cannot verify your identity or legal authority to make the request and confirm the personal information relates to you or the subject of the request.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

In circumstances where we are processing your personal information based on our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal information that doesn’t infringe your rights and freedoms. You have the right to challenge our decision to the Supervisory Authority or seek legal redress through the courts.

If you feel that your personal information hasn’t been handled correctly, or you are unhappy with our response to any requests you have made regarding the use of your personal information, you have the right to lodge a complaint with the relevant Supervisory Authority.

  • UK Supervisory Authority: Information Commissioner’s Office at (opens in a new window; please note we can't be responsible for the content of external websites.)

  • Ireland Supervisory Authority: Data Protection Commissioner/An Coimisinéir Cosanta Sonraí at (opens in a new window; please note we can't be responsible for the content of external websites.)