Dataxcel Ltd – Data Compliance Policy Updated January 2020
The Policy covers the collection and processing of data for our two core data collection sites, Freeprizedraws.ie and Winnersville.co.uk, and our Landline Telephone Database, and is focused on:
The Data Protection Acts 1988 to 2018, any other applicable law or regulation relating to the processing of personal data and to privacy legislation (including the E-Privacy Directive and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“E-Privacy Regulations”)), as such legislation shall be supplemented, amended, revised or replaced from time to time, including by operation of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) (and laws implementing or supplementing the GDPR, and laws amending or supplementing the E-Privacy Regulations).
Updated: January 2020
Author: Data Protection Officer at Dataxcel Ltd on behalf of the brands Winnersville and Freeprizedraws
Background: We collect data online from our managed consumer-facing websites, www.freeprizedraws.ie in Ireland and www.winnersville.co.uk in the UK. We have built and own the technology platform, ensuring optimum data security controls at all times. Our registered address is Dataxcel Ltd, 29 Lower Patrick Street, Kilkenny, Co. Kilkenny. Dataxcel Ltd is registered as a Data Controller and Data Processor with the office of the Data Protection Commissioner in Ireland and the Information Commissioner’s office in the UK.
Our Data Protection registration numbers are: Ireland: 11223/A UK: ZA060682
All data collected is compliant with the current Data Protection Act of 2018 and the Privacy and Electronic Communications Regulations of 2011. Our consent process, for both legacy and future data processing, has been updated in line with GDPR requirements and further underpinned with a legal position benchmark from Senior Counsel across all data touch points.
DataXcel predominantly use consent in line with Articles 4, 6 and 7 GDPR and, in some cases, legitimate interest under Recital 47 of the GDPR and Regulations 13(5), (6) and (10) of the E-Privacy Regulations of 2011 as the legal basis for processing data. Our consent statements and consent process have received guidance from external Data Protection Consultants, from senior counsel to define our legal data processing position at each data touch point within the context of GDPR and e-privacy, from The Irish Direct Marketing Association and previously from the Office of the Data Protection Commissioner in Ireland.
Our core consent statement at all data collection touch points focuses on the following statement, where the tick boxes are optional, allowing a data subject the choice to Freely Give consent without any precondition to join the database but with equal opportunity to engage and join our websites.
The dynamic link to competition sponsors lists by vertical sector the brand names we will share the data with in the future, providing the data subject the choice to opt in or not.
Our consent process has been constructed with zero risk GDPR compliance in mind and is underpinned with the following context. Article 4(11) of the GDPR stipulates that consent of the data subject means any:
– freely given, specific, informed and unambiguous indication of the data subject’s wishes.
Freely Given:
Note: the tick boxes in our consent process are optional and NOT mandatory. The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.
If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.
Note: We have provided the data subject with data processing choices/preferred marketing contact and have separated terms and conditions from the consent process. Article 7(4) GDPR indicates that, inter alia, the situation of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable.
Note: We have unbundled our consent process, made ticking the consent box optional so a data subject can still register without any preconditions to join our sites, and have separated our terms and conditions from consent.
Withdraw Consent in one click:
Note: We communicate this in the consent process, in the welcome email which a data subject will receive within seconds of registering on our sites, and in our regular communications with the data subject, where we provide a process to withdraw consent or to update their preferred marketing contact channels. (The Article 29 committee state: “Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment.”)
Article 6(1a) confirms that the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a choice in relation to each of them. The requirement that consent must be ‘specific’ aims to ensure a degree of user control and transparency for the data subject. This requirement has not been changed by the GDPR and remains closely linked to the requirement of ‘informed’ consent. At the same time, it must be interpreted in line with the requirement for ‘granularity’ to obtain ‘free’ consent.
Note: DataXcel provide the data subject with a consent choice for each level of data processing and require the user to confirm by a specific action, i.e. the user must tick a box to indicate their level of accepted consent for each data processing action. The user consent is recorded in real time and flagged accordingly on our database, and the user can access their account at any time, once logged in, to alter or update their level of consent, therefore giving full control back to the user around their consent levels.
The GDPR reinforces the requirement that consent must be informed. Based on Article 5 of the GDPR, the requirement for transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects prior to obtaining their consent is essential to enable them to make informed decisions, understand what they are agreeing to, and for example exercise their right to withdraw their consent. If the controller does not provide accessible information, user control becomes illusory and consent will be an invalid basis for processing.
Note: Our consent process is in plain English, explains our levels of data processing, is self-explanatory, is unbundled, is optional to consent to and provides details as to who we will share the data with and the type of data we will share.
Unambiguous indication of wishes:
The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the processing.
Note: DataXcel define consent as a clear affirmative indication that the data subject has ticked the consent box, and this consent is recorded in real time by opt-in date stamp, opt-in IP address, source URL and the consent choices the data subject has provided when joining our sites. Data will only be processed in line with this clear audit trail for consent.
In addition to the requirements of the GDPR we follow industry best practice in relation to outbound data usage which is a pre-condition to our terms and conditions using any data supplied by DataXcel to a third party brand company.
Rule One applies to Real Time Leads only: Where a data subject consents, on a survey placed on our sites, to a specific brand partner contacting them by telephone, this is referred to as a double opt-in. The relationship with the data subject transfers to the brand owner, allowing the brand to make marketing contact based on the consent preferences provided within the survey, and the brand can contact the data subject by email, post, mobile or landline. This process overrides the consumer marketing preferences on the NDD, as it is defined as a direct request by the data subject for the brand to contact them within the contact preferences provided by the data subject.
Rule Two applies to Telephone data usage: For all outbound calls, the first line of the script must include a statement clarifying the source of the data and allowing the data subject the choice to continue with the call or not. We apply this rule to our data usage terms and conditions when supplying data to a third party brand. We monitor this rule through a system known as seed checking and react where we see the rule not being followed by a third party brand. In relation to outbound Landline calls the brand must also include an option for the data subject to opt out of future marketing calls. For mobile data this process is covered by monthly email contact with the data subject, where the option to unsubscribe or update their contact preferences is provided.
Note: All landline and mobile data is pre-screened against the NDD, HLR, MPS and Internal DNC/UNSUB/Suppression Data Sets.
Dataxcel will remain the gate keepers for such data and will deploy email campaigns from creatives sent to Dataxcel Ltd deployment team. We do not share this data with a third party and where an email deployment service provider is involved we have a data processing agreement in place to protect the privacy rights of each data subject.
The source of the data and the option to opt out of future communications are to be made available on the outbound direct mail pack.
We do not share this data with a third party and DataXcel remain the gate keepers for such data. A third party brand can send DataXcel the copy text to be deployed with call to action links, and we then state the source of the data in the first 27 characters of the text as follows: “As a member of Freeprizedraws” or Winnersville, which we will apply as appropriate.
Retention of Data:
Data is retained in line with GDPR requirements and is reviewed monthly, with data subject privacy rights and the original consent expectations at the core of our data decisions. All users on our database have the ability to self-regulate their data usage for marketing contact once logged in and can update, restrict or withdraw marketing activity with just a few clicks by visiting our contact preference centre. In short, where we see that a data subject does not want to be on our database due to a lack of, or no, engagement with us, the Data Controller, or where the data subject has exercised their right to withdraw consent, we archive and remove their data. Data that is shared with a third party on a one-time-use list rental order must be deleted from all servers within 30 days of the data supply. If the data has not been used you need to contact your account manager for a data resupply. An email confirming the data has been removed from all servers is to be sent to email@example.com
GDPR: the term data is defined in Art. 4(1) of the GDPR. Personal data are any information relating to an identified or identifiable natural person. GDPR provides for a higher standard of data protection responsibilities for data controllers and data processors, and we have implemented such standards at all data touch points. Our staff are all data protection aware and are trained in all aspects of the GDPR when handling or processing data on a day to day basis. The legislation requires that where data is obtained from data subjects the data controller must ensure, so far as practicable, that the data subject is provided with, or has made readily available to him, the following information:
- The identity of the data controller
- The purpose or purposes for which the data is intended to be processed,
- Any further information which is necessary taking into account the specific circumstances in which the data is to be processed to enable the processing in respect of that data to be fair.
We make all data subjects aware of how their data will be processed, the purpose of the processing (direct marketing) and the brands their data may be passed on to. As stated above, at consent stage we provide the data subject with a dynamic link to third parties so the data subject can view who the data may be shared with and is provided with full transparency as to the intended use of their data and by whom.
Data Subject Access Requests:
Under GDPR, individuals can exercise their right to object to the disclosure of their personal data to third parties for marketing purposes. Data subjects can also revoke their consent to the processing of their personal data for direct marketing purposes, including future marketing approaches from the data controller itself.
The GDPR sets out a 30 day limit when responding to data subject access requests; however, DataXcel Ltd have taken the decision to respond in full to any data subject access request within 72 hours maximum, with the objective to provide a full data audit and resolve in full the data subject request.
As such, Dataxcel Ltd has provided several touch points by which data subjects can contact us to revoke their consent for their details to be used for marketing purposes.
Firstly, in all communications to our users we provide the data subject with the option, at the start of every communication, to update their data preferences through the My Preference section of our data collection sites freeprizedraws.ie and winnersville.co.uk.
An example of the my preference section and process can be viewed here
Once a user updates their data preferences the database is updated in real time and the marketing database flagged accordingly.
Secondly, we have a dedicated Data Protection Officer with a support team who are trained in handling a range of complaints/enquiries and who have the authority and experience to resolve such queries or complaints. The data compliance team can be contacted at firstname.lastname@example.org
Thirdly, we have assigned a dedicated telephone number 056 7790295 and postal address, DataXcel, C/O Data Compliance Dept, 29 Lower Patrick Street, Kilkenny, Co. Kilkenny, where a data subject can make contact to resolve any related privacy queries.
Opt-out information for electronic data processing can also be sent to the email address email@example.com or firstname.lastname@example.org. To withdraw from an offline database such as our Landline telephone file, the opt-out can be sent to email@example.com. Such requests are processed within 72 hours by the data protection team. The data protection team will record the data subject’s full name, address, eircode or postcode, telephone number and/or email address to ensure accurate suppression and to record a full audit trail of the SAR request for regulator inspection if required.
These details are added within 72 hours to our internal suppression files/‘Do Not Contact File’ by our Data Protection Team. Details marked as “do not contact” will no longer be used by Dataxcel Ltd in the production of real time leads or data for direct marketing campaigns. Where a multiple use license is in place, a pre-agreed data feed will be set up to provide updated DNC data for all data touch points with a client.
Our GDPR action plan has covered the following steps:
We put privacy and data compliance at the very ethos of the business and maintain a director level down approach. Every staff member is trained in our data compliance process and receives a copy of our data protection handbook as part of their training. Induction training also covers data compliance as a key topic.
Knowing the information we hold:
All our data is mapped with a complete audit trail, to include the date stamp for consent, the data we hold on the data subject and the options to withdraw consent or update marketing contact preferences, and is collected from two core sites, www.freeprizedraws.ie and www.winnersville.co.uk. We audit trail the source of the data from first contact to archive or deletion. Note: we do not buy in any third party data; in short, all anonymous clicks must pass through our GDPR compliance and validation process prior to turning such clicks into data fit for purpose.
We built our own proprietary technology and own the platforms, data collection sources, validation data touch points and data delivery mechanisms. Where we use third party platforms, for example to transfer data in an encrypted process, we have in place a data processing agreement with the service provider.
All data is hosted and processed in an encrypted environment at all times.
Data can only be accessed by two employees in the company, using an encrypted two tier password system alongside real time IP validation.
We apply best in industry data security software to protect the data in real time from real time threats, and we have developed a policy to identify suspicious activity, where two designated employees are always on call to respond immediately to any such activity and apply the company data protection policy to secure the data.
When transferring data we use an encrypted data transfer process and require acknowledgement by the recipient of receipt of the data within 24 hours. Where this does not occur access to the data is withdrawn.
For any data that is transferred to a third party data processor, we issue a data processing agreement and we request from the data processor, in writing, confirmation that the data has been deleted from all relevant servers within 30 days of supplying the data.
We have communicated during the first three months of 2018 to all of our data subjects with an update to our privacy notice and the options to withdraw or update their consent for marketing contact preferences.
We have archived data that has not engaged with us for 12 months plus and will continuously update this process on a monthly basis. In short, if we identify a data subject that does not action a withdrawal of consent but we define them as not being interested in being on our database, we archive them in an anonymised format.
We have in place a process to collect the date of birth for each new data subject and cross match this data variable with other demographic data to sense check that the date of birth is likely to be correct. We do not have access to a national file of minors in Ireland to suppress our data against, so we apply every physical process we can to eliminate or greatly reduce the chance of a minor entering our database.
We have documented and implemented a data breach policy in line with GDPR requirements. Data protection by design and data protection impact assessment have played, and will continue to play, a core role when developing any new product/service and any new feature for our existing technology and consumer offering.
Data Protection Officer:
We have appointed a data protection officer who can be contacted as follows for any privacy related matters.
- By Email: data firstname.lastname@example.org
- By Phone: +353 56 7790295
- By Post: DataXcel Ltd, 29 Lower Patrick Street, Kilkenny, Co Kilkenny
We operate in both the Irish and UK markets and, given we are a registered trading corporate in the Irish geography, we will report to and adhere to the Irish supervisory regulator.