We at YO! Marketing need to gather and use certain information about individuals. These include, but are not limited to:
⦁ Other parties that the organisation has a relationship with or may need to contact.
This policy describes how this Personal Data must be collected, handled and stored (processed) to meet our Data Protection standards AND to comply with the Law.
This Data Protection Policy ensures that YO! Marketing:
⦁ Complies with Data Protection Laws and follows good practice
⦁ Protects the rights of staff, clients/patients and partners
⦁ Is open and transparent about how it processes Personal Data
⦁ Protects itself from the risks of a Data Breach
The scope of this Policy applies to the following:
⦁ All working locations (Office & Remote)
⦁ All staff and contractors operating on behalf of YO! Marketing
It applies to all data that YO! Marketing holds relating to identifiable individuals including, but not limited to:
⦁ First Name
⦁ Last Name
⦁ Postal Address
⦁ Email Address
⦁ Telephone Numbers
⦁ And any other identifiable information relating to individuals, including Special Categories (Sensitive)
Note that YO! Marketing typically does not hold any sensitive data relating to individuals as we do not need to hold it to do our job.
DATA PROTECTION LAW
The following key legislation and guidance informs YO! Marketing and the development of our procedures/controls:
⦁ European Data Protection Directive (95/46/EU)
⦁ The Data Protection Act 1998
⦁ The General Data Protection Regulation (GDPR)
These legal requirements govern how we will collect, handle and store Personal Data. They apply regardless of whether the data is stored electronically, on paper or on other materials. To comply with the law, the following EIGHT principles must be applied and evidenced.
Personal Data must be:
⦁ Processed fairly, lawfully and transparently
⦁ Be obtained only for specific and lawful purposes
⦁ Be adequate, relevant and not excessive
⦁ Be accurate and kept up to date
⦁ Not be held for any longer than necessary
⦁ Processed in accordance with the rights of the Data Subjects (individuals)
⦁ Be protected in appropriate ways
⦁ Not be transferred out of the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection
The Policy helps to protect both YO! Marketing and associated individuals from very real data security risks including:
⦁ Breaches of Confidentiality. E.g. information being disclosed inappropriately
⦁ Failing to offer choice. E.g. all individuals have the right to choose how a company processes their data.
⦁ Reputational Damage. E.g. Complaints, legal proceedings, etc.
Everyone who handles/processes Personal Data must ensure that it is done so in line with this Policy and all other related procedures.
⦁ The only people who can access the Personal Data, covered by this Policy, are those who are required to use it for their legitimate work and who are authorised to do so.
⦁ Data must not be shared informally. Personal Data must be treated with the utmost confidence and security at all times.
⦁ YO! Marketing will provide training to all contractors, employees, partners, etc to ensure that they are fully aware and understand their responsibilities regarding Data Protection and Privacy
⦁ For system access, strong passwords must be used and never shared
⦁ Personal Data should never be disclosed to unauthorised persons, either within the business or externally.
⦁ Data should be regularly reviewed (by authorised personnel) and updated accordingly. If there is no longer a legal basis or legitimate purpose for retaining/processing the Data, it must be safely deleted.
⦁ Where consent is the legal basis for processing information, regular reviews must be undertaken to ensure that the individual still (explicitly) consents to sharing their Personal Data.
⦁ Individuals reserve the right to withdraw their consent to processing their Personal Data
⦁ Individuals may request information regarding the Data processed by YO! Marketing. This is called a Subject Access Request (SAR) and must be responded to within 1 month.
⦁ Individuals may raise a query or complaint to the Data Controller/Data Protection Officer. The contact details are at the end of this document.
Under the new GDPR, a lawful basis must be identified and evidenced before Personal Data can be processed. If there is no other legal basis (lawful purpose) then consent must be sought and evidenced.
Consent must be:
⦁ Freely given
⦁ Given by clear statement or affirmative action
Consent can no longer be implied.
Prior to obtaining consent, individuals will be provided with access to the Privacy Notice (also called a Fair Processing Notice). To manage consent and ensure that it does not degrade over time, YO! Marketing will conduct regular consent audits and contact the relevant individuals to establish that consent is still current and given as above.
This relates to the processing of sensitive data that must be treated with a high degree of care. Special categories of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data and data concerning health or revealing an individual's sex life or sexual orientation. Processing this data is prohibited unless EXPLICIT consent is obtained from the individual. There may be certain circumstances where processing is necessary, and these details can be provided by the Data Controller / Data Protection Officer on request.
The following details and rules exist for how we store client email data at YO! Marketing Limited:
To capture client information to send relevant marketing correspondence
We store on our server. Mailchimp is our data processor and YO! Marketing have a Customer EU Data Processing Addendum agreement in place. This can be cited upon request.
We retain client email details for 24 months, after which we ask for consent to continue to store it. If consent is not given, we remove client’s details from our database.
Questions regarding storage can be directed to the Data Controller/Data Protection Officer. When data is stored in a physical format (e.g. paper), it will be kept in a secure location where no unauthorised person can get access. These guidelines also apply to data that is stored electronically, but that has been printed out.
⦁ Paper files, when not being processed, will be stored in a locked drawer/cabinet.
⦁ Employees shall ensure that paper/prints that contain Personal Data shall not be left unattended, e.g. on a printer or left on a desk, where non-authorised persons can see them.
⦁ When no longer required, paper/prints shall be shredded and disposed of securely
Note that YO! Marketing do not store client data in paper format.
When data is stored electronically, it must be protected from unauthorised access, accidental disclosure/loss, accidental deletion or malicious hacking attempts:
⦁ Data must be protected with strong passwords, that are changed regularly and never shared
⦁ Data stored on removable media (DVD, CD, USB, etc) must be stored securely and locked away when not in use
⦁ Data should only be stored on approved drives and servers and should only be uploaded to an approved cloud computing service
⦁ Servers containing Personal Data should be sited in a secure location, away from general office space, as appropriate
⦁ Data should be backed up regularly.
⦁ Data should not be saved/stored directly on laptops (unless encrypted) or smart phones/tablets.
⦁ All services and computers containing data should be protected by approved security software and a firewall, as appropriate.
Data will be held in as few places as necessary and only retained in line with the data storage requirements documented in the previous section.
DATA SUBJECTS RIGHTS
In line with the new Regulation, individuals have more rights to ensure the protection of their privacy and the security of their data. This section details their rights and how YO! Marketing will respond to them.
⦁ Subject Access Requests (SAR)
All individuals are entitled to:
⦁ Ask what information the company holds about them and why
⦁ Ask how to gain access to it
⦁ Be informed about how we keep it up to date
⦁ Be informed about how YO! Marketing is meeting its data protection and privacy obligations
If an individual makes a request to receive this information, it is called a Subject Access Request (SAR). YO! Marketing will always verify the identity of the requester and no information will be sent out until that has been undertaken. Approved identity documents will be one that is photographic (national ID card, driver's licence or passport) and one current utility bill. SARs may be requested in any medium (verbally, email, physical letter) and YO! Marketing has a legal obligation to provide all information processed within 1 month of receiving the request.
Ordinarily, there is no charge for this, however, if the SAR is significant in terms of size/complexity, YO! Marketing does reserve the right to apply an administration fee. Please note, however, there may be certain circumstances where it is not possible to provide all SAR’s information (in line with the Law). If this is the case, the person will be fully informed.
⦁ Right to Rectification
If it is discovered that YO! Marketing is holding inaccurate or out of date Personal Data relating to an individual, that individual has the right to request that the Data is amended/rectified as quickly as possible.
⦁ Right to Erasure
Whilst an individual does have the right to request erasure of their data (also called the Right to be Forgotten) it is not an absolute right, as there are certain instances where their request cannot be accepted. The right can be fulfilled in the following circumstances:
⦁ The Personal Data is no longer required by YO! Marketing in relation to the purposes that originally applied
⦁ The individual has withdrawn their consent and there is no other legal basis for processing
⦁ The individual objects to YO! Marketing processing their data and there are no overriding legitimate grounds for continuing to process.
⦁ The Personal Data has been unlawfully processed
⦁ A legal obligation (e.g. a court order) requires the data to be erased
⦁ The data relates to a child and there is no parental consent
If the right to erasure is accepted YO! Marketing must take reasonable steps to destroy all data, including any that has been made public (e.g. photographs, video clips, etc) and any data that has been forwarded/shared with other agreed 3rd parties, including processors.
The right to erasure may not be accepted for legal or public safety reasons.
⦁ Right to Restriction of Processing
An individual has the right to restrict processing in the following instances:
⦁ The accuracy of the data is contested, and time is required to verify
⦁ The processing of the data is considered unlawful, but erasure isn’t an option
⦁ YO! Marketing no longer needs the data but it may be required to support a legal claim
⦁ The individual has objected to processing and verification is required to establish legitimate grounds
⦁ Right to Data Portability
The individual has the right to request all their Personal Data held by YO! Marketing, receive it in a machine-readable format and request that it be transferred to another Data Controller. This is applicable when the data is processed by automated means only.
In certain circumstances, the Law allows Personal Data to be disclosed without the consent of the Data Subject. Under these circumstances, YO! Marketing will disclose the requested data. However, the Data Controller/Data Protection Officer will ensure that the request is legitimate, seeking assistance from Legal Advisors or Regulators, as necessary.
YO! Marketing aims to ensure that individuals are aware that their Personal Data is being processed and that they understand:
⦁ What data is being processed
⦁ Why it is being processed
⦁ How the data will be used
⦁ How it will be stored
⦁ How to exercise their rights
WHAT WE WOULD LIKE TO DO WITH YOUR DATA
We would like to use your name and email address to inform you of our future offers and similar products.
We will never share your Personal Data with third parties and you can unsubscribe, at any time, by contacting our Data Protection Officer.
If you would like to receive details of our services and any future offers, please confirm by selecting the appropriate options in the previous section on consent.
WHAT ARE YOUR RIGHTS?
If at any point you believe that the information we process on you is incorrect, you can request to see this information and have it corrected or deleted (if appropriate).
You are entitled to request a copy of the data that we keep on file for you, via a Subject Access Request.
If you are unhappy with our service or with how we have handled your personal data, you may complain to us at any time.
To exercise these rights, please contact our Data Protection Officer
If you are not satisfied with our response, or believe that we are not processing your personal data in accordance with the law, you can complain directly to the Information Commissioner’s Office https://ico.org.uk/
WHY WE NEED YOUR DATA
We may need to know some basic personal data to communicate with persons from your organisation on services that we provide and also to keep you informed of work that we are doing on your behalf. We will not collect any personal data from you that we do not need.
WHAT WE DO WITH YOUR DATA
All the personal data we process is processed by our staff in the UK.
Details of our Clients are retained in the Customer section of Xero, which is the financial system we use to enable quotes, invoices and purchase orders to be processed. This information is held securely with restricted access to authorised personnel only.
No third parties have access to your personal data, unless the law allows them to do so.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework is detailed in our Data Protection Policy, which is available on request.
HOW LONG WE KEEP YOUR DATA
WHO TO CONTACT
The Data Controller/Data Protection Officer for YO! Marketing Limited is Yekemi Otaru, who can be contacted at any time and who will be happy to assist.
Contact details are:
Telephone Number: 01224 605 977/ 07717 346 799
Registered Address: 2 Hillview Road, Westhill, AB32 6PE, Aberdeenshire
Trading Address: The Silver Fin Building, 455 Union Street, AB11 6DB, Aberdeen
By providing your name and email address in our sign up form, you are consenting to the processing of your personal data based on the information provided in this Privacy Notice (also called a Fair Processing Notice).
Copyright © 2018 - YO! Marketing