Feefo is a data controller and is listed with the Information Commissioner’s Office on the Data Protection Public Register with the registration number Z2323576.
1 POLICY STATEMENT
1.1 Everyone has rights with regard to how their personal information is handled. During the course of our activities we will collect, store and process personal information about our past and prospective employees, suppliers, customers, and others that we communicate with and we recognise the need to treat it in an appropriate and lawful manner.
1.2 Data protection law is intended not to prevent the processing of personal information, but to ensure that it is done fairly and without adversely affecting the rights of the person to whom the information relates.
1.3 The types of information that we may be required to handle include details of current, past and prospective employees, suppliers, customers, and others that we communicate with.
1.4 The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards and restrictions set out in:
1.4.1 until 25 May 2018, the Data Protection Act 1998;
1.4.2 after 25 May 2018, the EU General Data Protection Regulation (“GDPR”) which is due to be implemented into UK law under what will likely be the Data Protection Act 2018.
1.5 This policy is based on the requirements of the GDPR, has effect immediately and is not conditional on the GDPR coming into effect.
1.6 This policy does not form part of any employee’s contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action.
2 STATUS OF THE POLICY
2.1 This policy sets out our rules on data protection and the legal conditions that must be satisfied in relation to any act taken in relation to personal information, including but not limited to the obtaining, handling, processing, storage, transportation and destruction of personal information.
2.2 If you consider that the policy has not been followed in respect of personal information about yourself or others, you should raise the matter with the Chief Financial Officer (richard.sawney@Feefo.com).
3 DEFINITION OF DATA PROTECTION TERMS
For the purposes of this policy:
“data” means information which is stored either:
(a) electronically (whether on a computer, a removable pen drive or any other electronic device); or
(b) in a paper based filing system which is structured and can be browsed by criteria, regardless of whether that filing system is dispersed across multiple locations;
“personal data” means any data (including but not limited to text, statistics, images and videos) relating to a living individual that either:
(a) is identified in that data; or
(b) is directly or indirectly identifiable from that data, for example only by reference to an identifier such as a name, a unique identification number, location data, an online identifier or username, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person,
regardless of whether that data is fact or opinion.
“processing” means any activity that involves use of personal data. It includes but is not limited obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties;
“data subject” means a living individual to whom personal data relates. A data subject need not be a UK national or resident. Note that all data subjects are protected by the GDPR;
“sensitive personal data” means personal data that:
(c) reveals the relevant person’s race or ethnic origin, political opinions, religious or philosophical beliefs (or beliefs of a similar nature), membership of a trade union;
(d) is genetic data, or biometric data for the purpose of uniquely identifying the relevant person;
(e) concerns the physical health, mental health, sex life or sexual orientation of the relevant person;
(f) relates to the commission or alleged commission of a criminal offence; or
(g) relates to proceedings against the relevant person for a criminal offence or alleged criminal offence, including the disposal of those proceedings, or sentencing.
Sensitive personal data, due to its nature, is subject to more stringent rules under the GDPR.
“data controller” or “controller” mean a person (whether an individual or a corporate body) which determine the purposes for which, and the manner in which, any personal data is processed;
“data processor” or “processor” mean a person who processes personal data on behalf of a data controller, and does not in any way determine how or why data is processed; Employees of data controllers are excluded from this definition but it could include suppliers (including contract workers) which handle personal data on Feefo’s behalf;
the ICO means the Information Commissioner’s Office, the UK regulator for data protection law; and
“security breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4 ROLES AND RESPONSIBILITIES
4.1 Feefo is generally a data controller over the personal data it holds, meaning it has the primary responsibility to ensure that the GDPR is complied with. One of Feefo’s primary tools in ensuring it compliance is having appropriate practices and policies in place.
4.2 In some circumstances, in particular where Feefo sends review invitation emails on behalf of merchants, it may be a data processor. Whilst a data processor has fewer direct obligations under legislation, we must still protect the personal data involved as we will still be liable to the data controller/merchant.
4.3 Employees must only process personal data as instructed by Feefo, and therefore must ensure they comply with this policy and other policies relating to Feefo’s compliance with the GDPR. Any breach by an employee of Feefo will be a breach of Feefo itself. Note that an employee may have direct criminal liability for certain breaches under data protection law.
4.4 Processors of Feefo, like employees, must only process personal data as instructed by Feefo, and therefore must ensure they comply with this policy and other policies relating to Feefo’s compliance with the GDPR. Any breach by a processor of Feefo will be a breach of Feefo itself. However, processors may also have direct liability to the ICO or data subjects for its breaches of the GDPR. Examples of a data processor to Feefo could include an IT support company, hosting providers, or a research company that compiles reports for Feefo using personal data Feefo has given them.
4.5 Contract workers to Feefo will either be treated as employees or as data processors for the purposes of data protection compliance. In either case, they must comply with this policy and other policies relating to Feefo’s compliance with the GDPR. Any breach by a contract worker will be a breach of Feefo itself. Where a contract worker is a processor, they may also have direct liability to data subjects and the ICO.
5 DATA PROTECTION PRINCIPLES
Anyone processing personal data must comply with six data protection principles. Those are that personal data must be:
5.1 Processed lawfully, fairly and in a transparent manner
This high level principle is the root of a number of specific obligations under the GDPR, including requirements to:
(i) have a “legal basis” for processing personal data, discussed in more detail below;
(ii) be transparent with data subjects, providing them specific information about the processing to be carried out before it is carried out; and
(iii) to give data subjects certain rights in relation to their personal data, discussed in more detail below.
Whilst the GDPR sets out these specific requirements, we must, when processing personal data, continue to comply with the spirit of this high level principle. Notably, we must:
(i) not use personal data in a way that would have an unjustified adverse effect on the individual;
(ii) only handle people’s personal data in ways they would reasonably expect; and
(iii) not do anything unlawful with a person’s personal data.
5.2 Collected for a specific, explicit and legitimate purpose, and not further processed in a manner that is incompatible with those purposes
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the GDPR.
This means that personal data must not be collected for one purpose and then used for another.
If it becomes necessary to change the purpose, or there is a new purpose, for which the data is processed, the data subject must be informed of the changed or new purpose before any processing occurs, and you must only use personal data for that changed or new purpose if it is compatible with the existing purpose.
The ICO takes the view that a changed or new purpose will not be compatible with the existing purpose if using or disclosing the personal data would be unfair because it would be outside what the individual concerned would reasonably expect, or would have an unjustified adverse effect on them.
5.3 Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed
If personal data later becomes excessive in relation to the purpose, it will need to be deleted unless there is another purpose (and associated legal basis) for keeping it.
5.4 Kept accurate and, where necessary, kept up to date
Personal data must be accurate and kept up to date. Personal which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
Inaccurate or out of date data that cannot be rectified should be destroyed.
5.5 Kept for no longer than is necessary for the purposes for which it is processed
Personal data should not be kept longer than is necessary for the purpose.
This means that data should be destroyed or erased from our systems when it is no longer required for the purpose(s) originally notified to the data subject.
5.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage
The GDPR requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third party data processor if he agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
(i) confidentiality means that only people who are authorised to use the data can access it.
(ii) integrity means that personal data should be accurate and suitable for the purpose for which it is processed; and
(iii) availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
Examples of security procedures include:
(iv) Entry controls. Any stranger seen in entry controlled areas should be reported.
(v) Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind (personal data is always considered confidential).
(vi) Methods of disposal. Paper documents should be shredded. Floppy disks, CD ROMs and flash drives should be physically destroyed using appropriate destruction methods when they are no longer required.
(vii) Equipment. Employees, processors and contract works should ensure that individual monitors do not show confidential information to passers by and that they log off from their PC when it is left unattended.
For more information on these and other security procedures, please see our information security policy.
6 LEGAL BASIS FOR PROCESSING
6.1 Under the GDPR we must have a “legal basis” for processing. One such legal basis must apply to our processing of personal data for it to be lawful.
6.2 If processing sensitive personal data a more stringent set of legal bases apply.
6.3 There are six legal bases for processing personal data, excluding sensitive personal data, five of which may be relevant to Feefo as a private organisation:
6.3.1 the data subject has consented to processing for a specific purpose;
6.3.2 the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
6.3.3 the processing is necessary for compliance with a non-contractual legal obligation (usually a statutory obligation) to which Feefo is subject;
6.3.4 the processing is necessary for the purposes of the legitimate interests pursued by Feefo or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data; and
6.3.5 the processing is necessary to protect the vital interests of the data subject or another natural person (e.g. to prevent death or critical injury).
6.4 There are ten legal bases for processing sensitive personal data, six of which may be relevant to Feefo:
6.4.1 the data subject has explicitly consented to processing for a specific purpose (explicit consent being a clear statement in words, rather than by action);
6.4.2 the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Feefo or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by EU or UK law;
6.4.3 the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
6.4.4 the processing relates to personal data which are manifestly made public by the data subject;
6.4.5 the processing is necessary for the establishment, exercise or defence of legal claims; and
6.4.6 the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or UK law or pursuant to contract with a health professional and subject to certain conditions and safeguards.
6.5 Please note that:
6.5.1 strict rules apply to the collection of a valid consent, and consent will never be valid in an employment relationship due to the imbalance in relationship. As the consent requirements are very prescriptive, please contact Feefo’s Compliance Manager (firstname.lastname@example.org) if consents need to be drafted; and
6.5.2 opt-in consent will often be the only legal basis available for marketing. Please contact Feefo’s Compliance Manager (email@example.com) for advice on the limited number of exceptions.
7 DATA SUBJECT RIGHTS
7.1 Under the GDPR data subjects have a number of rights, each of which is set out below. Note that some of these rights are new under the GDPR.
7.2 Requests to exercise rights must, except in limited circumstances, be actioned within one month of receiving them. This includes responding with a refusal where Feefo has a legitimate reason to refuse the request. Failing to respond at all, even with a refusal, would be a breach.
7.3 Requests to exercise rights must be actioned free of charge except in limited circumstances, for instance where the request is manifestly unfound, excessive or repetitive (although these are high thresholds to meet).
7.4 Right of subject access (Subject Access Request, SAR or DSAR)
Data subjects have a right to receive:
(i) a copy of their personal data which Feefo holds; and
(ii) details of:
(1) the purpose for processing;
(2) the categories of data processed;
(3) any recipients (or categories of recipients) to whom the personal data has been disclosed;
(4) the envisaged period for processing;
(5) the existence of the right to request rectification or erasure;
(6) right to complain to the ICO;
(7) the source of the information (if not from the data subject themselves);
(8) any automated decision making, including meaningful information about the logic involved, and the significance and envisaged consequences of such decisions; and
(9) the safeguards put in place if the personal data has been transferred outside the European Economic Area,
each subject to a limited number of exceptions.
Any member of staff who receives a request should pass the request on to the Chief Financial Officer (firstname.lastname@example.org) immediately.
Any member of staff dealing with telephone enquiries should be careful about disclosing any personal information held by us. In particular they should:
(i) check the caller’s identity to make sure that information is only given to a person who is entitled to it;
(ii) suggest that the caller put their request in writing if they are not sure about the caller’s identity and where their identity cannot be checked; and
(iii) refer to the Chief Financial Officer (email@example.com) for assistance in difficult situations. No one should be bullied into disclosing personal information.
7.5 Right to rectification
Feefo must rectify any inaccurate information held by it at the request of the data subject. This includes having incomplete personal data completed.
Note that this does not affect our primary obligation under the fourth principle to keep personal data accurate and up-to-date.
7.6 Right to erasure*
Feefo must erase personal data at the request of the data subject, but only in limited circumstances, namely were:
(i) the personal data is no longer necessary for the purpose it was processed;
(ii) Feefo originally relied on consent, that consent is withdrawn and has no other legal basis for processing;
(iii) the data subject has objected to the use of their personal data for direct marketing purposes, and Feefo only uses that personal data for direct marketing purposes;
(iv) the personal data is unlawfully processed; or
(v) the personal data has to be erased for compliance with a legal obligation to which Feefo is subject.
Note that there is much miss-information concerning the right to erasure, and we must therefore be aware of when the right does and does not apply.
If in doubt, please ask the Chief Financial Officer (firstname.lastname@example.org).
7.7 Right to restriction of processing
Feefo must restrict (i.e. limit the scope of) its processing at the request of the data subject where:
(i) the accuracy of the personal data is contested by the data subject, but only for a period enabling Feefo to verify the accuracy of the personal data;
(ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(iii) Feefo no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
(iv) the data subject has objected to processing pursuant to the right to object to legitimate interests processing (see below), but only pending the verification of whether the legitimate interests of Feefo override those of the data subject (if they do not, Feefo would then have to permanently restrict processing).
7.8 Right to data portability
This right is unlikely to be relevant to Feefo, however staff should be aware of it.
Feefo must when requested by the data subject provide the data subject with its personal data in a structured, commonly, used, machine-readable format, but only where:
(i) the processing is based on consent or contractual necessity (see legal basis for processing above); and
(ii) the processing is carried out by electronic means.
The data subject may require Feefo to transfer such personal data directly to another data controller where technically feasible.
7.9 Right to object
Feefo may have to stop processing personal data where the data subject objects to it if:
(i) Feefo is relying on legitimate interests (see legal basis for processing above) and Feefo is unable to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims (not that this is a high hurdle); or
(ii) The personal data are processed for direct marketing purposes (including profiling).
8 AUTOMATED DECISION MAKING
8.1 Feefo cannot use personal data to make automated decisions with legal or similarly significant effects unless:
8.1.1 it has explicit consent to do so;
8.1.2 national law allows it to do so; or
8.1.3 it is necessary to do so for entering into, or the performance of, a contract,
or where the personal data is sensitive personal data, only with explicit consent and or where in the public interest (see legal basis of processing above).
8.2 A decision will be automated where it is taken purely by electronic means, without human intervention.
8.3 A decision will have a similarly significant effect where it has a substantial effect on the data subject; for instance by changing the price of something, determining the amount of a bonus, or making a hiring or promotion decision.
8.4 Even where permitted, Feefo must put in place safeguards, including at least the right to obtain human intervention (i.e. an appeal process) and the opportunity for the data subject to present their point of view.
8.5 If you would like to introduce such automated decisions, or already make such automated decisions which haven’t been reviewed, you must consult the Chief Financial Officer (email@example.com) as soon as possible.
9.1 Under the GDPR Feefo as a data controller, when instructing a data processor to process personal data on its behalf, must ensure that there is a written contract between Feefo and the processor dealing with a prescribed list of matters.
9.2 If you need to instruct a processor, which may include contract workers, please contact the Chief Financial Officer (firstname.lastname@example.org) who will be able to assist in putting a data processing agreement together.
10 NOTIFICATION OF BREACHES
10.1 Feefo is required to report certain security breaches (as defined above) to the ICO and the data subject.
10.2 All security breaches should therefore be notified to Feefo’s Compliance Manager (email@example.com).
11 DATA PROTECTION IMPACT ASSESSMENTS
11.1 Feefo is required conduct a data protection impact assessment whenever there is a high risk to data subjects.
11.2 For more information on what is considered a high risk, please consult with Feefo’s Compliance Manager (firstname.lastname@example.org).
12 TRANSFERS OVERSEAS
12.1 Where personal data must be transferred outside of the European Economic Area, Feefo is required to ensure certain safeguards are in place guaranteeing a similar level of protection to the data subject as they would have within the European Economic Area.
12.2 If personal data needs to be transferred outside of the European Economic Area please contact the Feefo’s Compliance Manager (email@example.com) who will be able to assist in ensuring such adequate safeguards are in place.
13 REVIEW OF PROCEDURES
Feefo reserves the right to amend and update this policy as required. For the avoidance of doubt, this policy does not form part of employees’ contract of employment.