Soft opt-in is a term used to allow us to
communicate with an individual even though they have not actually opted in
as from the 25th May 2018. An individual could be a prospect, customer
or supplier with whom we have spoken about a service or product. Under
the soft opt-in rules, we are allowed to
communicate with this individual via email as long as the subject matter is
related to the aforementioned product or service.
The soft opt-in ruling can be deemed to be
ambiguous. We have interpreted this section under the new GDPR rules to mean that
we can communicate with individuals via their personal email account or
mobile phone if we can clearly demonstrate we have communicated with them
in the past about a relevant subject matter.
What have we done to comply with the new GDPR
ruling?
Board of Directors – Our board of
directors have been fully briefed on GDPR and have appointed Data
Controllers internally.
Personal Data – Our CRM system, Word,
Excel and Outlook are all stored in the cloud via a CodeLathe
FileCloud storage facility as opposed to the computer drive.
Downloading of data – The bulk downloading
of data from our CRM system has been changed so that only Data Controllers
can undertake this process. Excel spreadsheets are then deleted when not
needed.
Printed material – We are a paperless
office. All documentation that can hold personal data is stored on our CRM
system.
CRM system – This is security protected.
All employees have an individual login and a passcode that changes on a
regular basis. Only current employees of our company have access to
this system.
Your rights as an individual
The GDPR includes the following rights for
individuals:
· the right to be informed
· the right of access
· the right to rectification
· the right to erasure
· the right to restrict processing
· the right to data portability
· the right to object
· the right not to be subject to automated decision-making including profiling
You can remove consent, for any reason at any
time by emailing
Should you have any questions regarding GDPR
and your data at The Ebury Partnership, again, please email and
we will get back to you within two working days.
In the event of a security breach
We take data security very seriously and use
best endeavours to ensure the systems and procedures we follow provide us
with a high level of data security. Should a data breach occur, we will
analyse the situation and report it to the necessary authorities and
communicate with any individuals that may have been affected.
The Ebury Partnership look to report this
information to the Information Commissioner's Office within 48 business hours
and communicate with any individual affected within 72 hours.
Filing a Complaint
We hope that you will not find it necessary to
file a complaint against our company with reference to Data Protection.
Should you feel it appropriate, you will need
to contact:
Telephone: You can call their helpline on 0303 123 1113
Who are the ICO? The ICO are the UK’s
independent authority set up to uphold information rights in the public
interest promoting openness by public bodies and data privacy for
individuals.
General Data Protection Regulation.
Introduction
GDPR will apply to all EU states from the 25th
May 2018.
GDPR is an EU regulation which has two main
drivers:
1. The EU wants to give people more control on how
their personal data is being used.
2. The EU wants to give businesses a simpler,
clearer legal environment in which to operate, making data protection law
identical throughout the single market.
The Ebury Partnership has always complied with
data protection laws and regulations surrounding the use of personal data.
However, GDPR means we are having to change a number of
our processes and policies. This document outlines what we have done at The
Ebury Partnership to ensure we are fully compliant with the new regulation
as from 25th May 2018.
What does GDPR change?
In summary, two things:
1. Transparency – Customers must be given far
more information about what is done with their personal data, why, and what
rights they have.
2. Control – Customers are given much more
control in terms of obtaining a copy of their personal data, having it
corrected, having it deleted, being told what legal ground is relied on to
process the data, how long it will be kept for, objecting to processing
(especially automated processing) and being told about security breaches
and loss of data.
Who we are and our details?
All our company details are on our website,
www.eburypartnership.com. At the footer of each page, there is a section called
“Privacy Policy.”
What is Lawful?
Firstly, a person has consented for us to have
their personal data and to process it.
Secondly, collecting the data is
in our legitimate interest, such as preventing fraud.
How do we get consent from you?
We ask you to opt in via an email we have sent;
this consent will then be updated on our CMS system.
To comply with GDPR, The Ebury Partnership have to answer the following questions:
When did you give us consent?
The date you replied to the GDPR request email
giving consent.
What did you give consent for?
The Ebury Partnership work with companies
mainly in the UK, but also elsewhere in the EU. You may be a supplier, in
which case we need your details to keep in touch with you, and to allow us
to continue purchasing your products. You may be a customer, in which
case we need to keep your details to allow us to support you, and to
invoice you for our work. You may be a prospect, in which case we
would like to remain in contact with you so we can alert you to new and
relevant products or services available.
You are giving us consent to market to you no
more than once per month and also to communicate
about business opportunities we may be working on.
Why do The Ebury Partnership require consent?
We require consent for our own “Know Your
Customer” (KYC) requirements, to reduce fraud and malpractice in our
sector. We also need to maintain a commercial relationship over time with
all our stakeholders to ensure that we can supply appropriate services and
products to you.
How did you give consent?
Via an email we have sent you.
How can I withdraw my consent for you to hold
my data?
You have the right to withdraw your consent for
us to hold your data at any time. You do not have to offer a reason for
this.
Once we have received notice from you to
withdraw consent to hold your data, your details will be removed from our
system and marketing lists within seven working days.
To remove your consent for us to hold your
data, please email
Do we have this history by individual person?
Yes, our records will provide history by the
individual, not the company or organisation they represent.
When will the consent expire?
We expire consent seven years after it has been
given. This period of time is due to companies
undertaking lease contracts that can be five years in duration. We have
allocated a year prior to a contract potentially being completed and one
year after the agreement ends.
What is classified as personal data?
Personal data could relate to economic,
cultural and mental health information on yourself. We do not hold any
of this data.
What data we hold and why?
· Contact data – mobile phone number, email address, and possibly home address
· IT Support related data – Administrative usernames and passwords to PCs, routers etc., IP addresses
Who do we share our data with, selling or
offering of your data to third parties (1)
The Ebury Partnership will not
sell your personal data to any third parties without your written
consent.
1. The only third-party companies we share
data with are:
Partner Vendors: We may log your
information into the vendor portals – This information is not passed on to
anybody else.
Where information on the data subject/customer is
obtained from a source other than the data subject/customer, what that
source is.
There will be instances where we obtain data
from a third party. Often, this is where a supplier we deal with passes up
information on a prospect they are working with. We will load and keep
this information to help in obtaining a credit acceptance, as long as the information is appropriate to our needs.
Should you request it, we will be more than happy to disclose what
information we hold and the third party we received it from.