Data Compliance and GDPR are core to DataXcel

Dataxcel Ltd – Data Compliance Policy Updated May 2025

The Policy covers the collection and processing of data for our core data collection sites, Freeprizedraws.ie, Winnersville.co.uk., and our Landline Telephone Database and is focused on:

The Data Protection Acts 1988 to 2018, any other applicable law or regulation relating to the processing of personal data and to privacy legislation (including the E-Privacy Directive and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“E-Privacy Regulations”), as such legislation shall be supplemented, amended, revised or replaced from time to time, including by operation of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) (and laws implementing or supplementing the GDPR, and laws amending or supplementing the E-Privacy Regulations);

Updated: May 2025
Author: Data Protection Officer at Dataxcel Ltd on behalf of the brands Freeprizedraws (fpd.ie) (Privacy Policy) Winnersville (winnersville.co.uk) (Privacy Policy), Dataxcel Ltd (Privacy Policy)
This policy is displayed in conjunction with our company Data Protection Handbook and Privacy Policy: Data Protection Compliance and the protection of the data subject’s privacy rights are at the very ethos of Dataxcel’s data processing policies.
Background: We collect data online from our managed consumer facing websites, www.freeprizedraws.ie in Ireland and www.winnersville.co.uk.in the UK. We have built and own the technology platform for fpd.ie and winnersville.co.uk and jointly manage pickmypostcode.ie with Pick Media UK ensuring optimum data security controls at all times. Our registered address is Dataxcel Ltd, 29 Lower Patrick Street, Kilkenny, Co. Kilkenny. Dataxcel’s data protection officer is registered with the office of the Data Protection Commissioner in Ireland and is registered as a Data Controller and Data Processor with the office of the Information Commissioner’s office in the UK.
All data collected is compliant with the current Data Protection Act of 2018 and the Privacy and Electronic Communications Regulations of 2011, and our consent process both legacy and future data processing have been updated in line with GDPR requirements and further underpinned with a legal position benchmark from a leading Senior Counsel specialising in data compliance legislation across all data touch points in Ireland.
DataXcel use consent in line with articles 4, 6 and 7 GDPR and in some cases legitimate interest under Article 6(1)(f) and recital 47 of the GDPR and Regulations 13(5), (6) and (10). of the e privacy regulations of 2011 as the legal basis for processing data. In processing any data using legitimate interest as the legal basis for processing such data, DataXcel carry out a three-part test, to ensure our processing is in line with current legislation and the following process is adhered too:
Purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms?

Our consent statements and consent process have received guidance from external Data Protection Consultants, senior counsel to define our legal data processing position at each data touch point within the context of GDPR and e privacy and previously from the Office of the Data Protection Commissioner in Ireland.
Our core consent statement at all data collection touch points focusses on the following statement where the tick boxes are optional allowing a data subject the choice to Freely Give consent without any pre – condition to join the database but with equal opportunity to engage and join our websites.

We offer FREE TO Enter Competitions and we have winners every week which we publish
on the winner’s section of this site, by email and on our Facebook and Twitter pages.
Our FREE competitions are supported by our Competition sponsors.

By ticking the box, you:

First checkbox

Agree to receive winner updates, new competition updates and third party
offers from Freeprizedraws and relevant advertising messages by email
and text from these
competition sponsors who are within the following categories Retail, Finance, Utilities, Telco’s, Charities, Travel, Insurance, Automotive, Gambling or Lifestyle.

Second checkbox

Agree to receive offers by telephone directly from our selected competition sponsor partners who help us to provide Free to enter competitions and they will send exclusive offers that are relevant to you based on the data you provide us. You can view our competition sponsors Here and are within the following categories – Retail, Finance, Utilities, Telco’s, Travel, Insurance, Automotive, Gambling or Lifestyle.

Third checkbox

Receive Competition Sponsor offers by Post. You can withdraw in one click from these marketing communications and you can update your marketing contact preferences once you register as a member by going to the my preference page.By clicking Continue you agree to the Terms and Conditions and acknowledge that you have read the Freeprizedraws Privacy Policy. Our brand partners who run surveys on our sites, may wish to contact you by telephone, email, post, and SMS subject to your opt-in and consent on their survey.

The words terms and conditions, privacy policy and Competitions Sponsors are all dynamic links explaining in a full and transparent format the use and sharing of the data subject’s data in order to meet the data subject contact expectations.

The dynamic link to competition sponsors lists by vertical sector the brand names we will share the data with in the future, providing the data subject the choice to opt in or not for third-party marketing offers.

Our consent process has been constructed with zero risk GDPR compliance in mind and is underpinned with the following context. Article 4(11) of the GDPR stipulates that consent of the data subject means any:

– freely given, specific, informed, and unambiguous indication of the data
subject’s wishes

Freely Given – Note the tick boxes in our consent process are optional and NOT mandatory.
The element “free” implies real choice and control for data subjects.

As a general rule, the GDPR prescribes that if the data subject has no real
choice, feels compelled to consent or will endure negative consequences if they
do not consent, then consent will not be valid.

Unbundled Consent:

If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given.

Note: We have provided the data subject with data processing choices/preferred marketing contact and have separated terms and conditions for the consent process. Article 7 (4) GDPR indicates that, inter alia, the situation of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable.

Note: We have unbundled our consent process, made ticking the consent box optional so a data subject can still register without any preconditions to join our sites and have separated our terms and conditions to consent.

Withdraw Consent in one click:

Note: We communicate this both in the consent process, the welcome email which a data subject will receive within seconds of registering on our sites and in our regular communications with the data subject where we provide a real time process and/or offline process to withdraw consent or to update their preferred marketing contact channels (Article 29 committee state: Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment.) We contact all active users every six months with a data compliance focussed communication setting out their rights and providing links to update their contact preferences or to inform us, the data controller, to cease processing of their personal data.

Specific:
Article 6(1a) confirms that the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a choice in relation to each of them. The requirement that consent must be ‘specific’ aims to ensure a degree of user control and transparency for the data subject. This requirement has not been changed by the GDPR and remains intricately linked to the requirement of ‘informed’ consent. At the same time, it must be interpreted in line with the requirement for ‘granularity’ to obtain ‘free’ consent.

Note: DataXcel provide the data subject with a consent choice for each level of data processing and requires the user to confirm by a specific action i.e. the user must tick a box as to their level of accepted consent by each data processing action. The user consent is recorded in real time and flagged accordingly on our database and the user can access their account at any time, once logged in, to alter or update their level of consent therefore giving full control back to the user around their consent levels. Consent options are communicated regularly to users.

Informed:

The GDPR reinforces the requirement that consent must be informed. Based on Article 5 of the GDPR, the requirement for transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects prior to obtaining their consent is essential to enable them to make informed decisions, understand what they are agreeing to, and for example exercise their right to withdraw their consent. If the controller does not provide accessible information, user control becomes illusory, and consent will be an invalid basis for processing.

Note: Our consent process is in plain English and explains our levels of data processing, is self-explanatory, is unbundled, is optional to consent and provides details as to who we will share the data with and the type of data we will share.

Our GDPR action plan has covered the following steps.

Awareness:
We put privacy and data compliance at the very ethos of the business and maintain a director level down approach. Every staff member is trained in our data compliance process and receives a copy of our data protection handbook as part of their training. Induction training also covers data compliance awareness as a key topic.

Knowing the information, we hold:
All our data is mapped with a complete audit trail, to include date stamp for consent, the data we hold on behalf of the data subject, the options to withdraw consent or update marketing contact preferences and is collected from two core sites www.freeprizedraws.ie and www.winnersville.co.uk. We audit trail the source of the data from first contact to archive or deletion, note we do not buy in any third-party data in short, all anonymous clicks to our website must pass through our GDPR compliance and validation process prior to turning such clicks into data fit for purpose.

We built our own proprietary technology and own the platforms, data collection sources, validation data touch points and data delivery mechanisms. Where we use third party platforms, for example to transfer data in an encrypted process we have in place a data processing agreement with the service provider.

Data Security

All data is hosted and processed in an encrypted environment at all times.

Data can only be accessed by two employees in the company using an encrypted two-tier password system alongside real time IP validation and SSH keys.

We apply best in industry data security software to protect the data from real time threats, and we have developed a policy to identify suspicious activity, where two designated employees are always on call to respond immediately to any such activity and apply the company data protection security policy to secure the data.

Regular penetration tests are carried out by an independent cyber security company to identify any vulnerabilities in our data environment.

When transferring data, we use an encrypted data transfer process and require acknowledgement by the recipient of receipt of the data within 24 hours. Where this does not occur access to the data is withdrawn.

Any data that is transferred to a third-party data processor, we issue a data processing agreement, and we request from the data processor in writing that the data has been deleted from all relevant servers within 30 days of supplying the data.

Privacy Notices:
Our consumer facing privacy notices are now at GDPR standards and are reviewed quarterly by our D.P.O. You can view our privacy notices here: DataXcel Ltd, Freeprizedraws Winnersville

Individual Rights:
We communicated during the first three months of 2018 to all of our active data subjects with an update to our privacy notice and the options to withdraw or update their consent for marketing contact preferences. We have continued to maintain this policy where over a six-month period we contact all data subjects with a focussed email explaining their data rights and the options they have available to update or withdraw their contact preferences.

We have archived data that has not engaged with us for 12 months plus and will continuously update this process on a monthly basis. In short if we identify a data subject that does not action a withdraw of consent, but we define them as not being interested in being on our database we archive them in an anonymised format.

Children:
We have in place a process to collect the date of birth for each new data subject and cross match this data variable with other demographic data to sense check the date of birth is likely to be correct. We do not have access to a national file of minors in Ireland or an age verification data set to suppress our data against, so we apply every physical process we can to eliminate or greatly reduce a minor entering our database.

Data Breaches:
We have documented and implemented a data breach policy in line with GDPR requirements. Data Protection by design and data protection impact assessment, this has been and will continue to play a core role when developing any new product/service and new feature to our existing technology and consumer offering.

Data Protection Officer:
We have appointed a Data Protection Officer who has worked with industry governing bodies regulating best practice for data compliance within the Data Marketing Industry, who can be contacted as follows for any privacy related matters.

By Email: datacompliance@dataxcel.ie
By Phone: +353 56 7790295
By Post: DataXcel Ltd, 29 Lower Patrick Street, Kilkenny, Co Kilkenny

Supervisory Regulator:
We operate in both the Irish and UK markets and given we are a registered trading corporate in the Irish geography we will report and adhere to the Irish supervisory regulator.