Client Privacy & Information Assurance Policy
The intended audiences are:
Loyalty Logistix clients and suppliers
Loyalty Logistix third party data processors and data storage providers
ISO 27001 certification service provider
Legal basis for data storage and processing
Where Loyalty Logistix Limited provide platform systems for The Client, the system and services within the scope of the project are defined in a ‘System Register’, provided at project set-up phase. Loyalty Logistix have agreed to process and store information on behalf of The Client on the lawful basis as determined by The Client.
The lawful basis is:
Consent: the individual has given clear consent for The Client to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract between The Client and the End Customer, or because the End Customer has requested The Client to take specific steps before entering into a contract.
Name: The Client
Privacy Responsibility: Data Controller
Contract Role: Provide clear instruction on the data privacy policies required. Manage End Customer consent.

Name: Loyalty Logistix Ltd
Privacy Responsibility: Data Processor
Contract Role: Receive data from the client comprising Customer, Vehicle and Service Transaction data objects. De-duplicate customer records.

Name: Socketlabs
Privacy Responsibility: Data Processor
Contract Role: Receive campaign data sets from Loyalty Logistix Limited including personal details of customers and owned vehicles. Create and send emails to customers. Securely delete the data set.

Name: Microsoft
Privacy Responsibility: Data Processor
Contract Role: Azure hosting for database and application software.
Privacy and Data Protection
Loyalty Logistix shall process and store information on behalf of the client. The policies, processes, methods and tools used will be subject to the following regulations and/or accreditations.
ISO27001:2013 - www.iso.org/isoiec-27001-information-security.html
General Data Protection Regulation (EU) - www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/?q=fine
Information Commissioner’s Office - ico.org.uk
1.0 General provisions
This policy applies to all personal data processed under the contract.
To ensure its processing of data is lawful, fair and transparent, Loyalty Logistix Limited shall maintain a Register of Systems.
Individuals have the right to access their personal data and any reasonable and legal requests for access shall be processed as follows.
a) The Client shall verify the basis of the request.
b) The request will be dealt with in a timely manner.
All data processing within the contract shall be on at least one of the lawful bases stated above in section 1:
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and we will record the request.
Loyalty Logistix Limited shall ensure that personal data are adequate, relevant and limited to what is necessary for the purpose of the contract.
The Client shall take reasonable steps to ensure personal data is accurate.
Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
The Client will specify and provide the Data Retention Policy related to The Contract.
Personal data shall be retained by Loyalty Logistix Limited as specified by The Client’s Data Retention Policy.
Loyalty Logistix Limited will ensure that personal data is stored securely using software from an approved provider. The software shall be a current version which is in support and patched in accordance with the provider’s security recommendations.
Access to personal data shall be limited to authorised Loyalty Logistix Limited personnel with a defined requirement for access.
Appropriate back-up and disaster recovery solutions shall be in place.
As Data Processor under the terms of this contract, Loyalty Logistix Limited shall manage any breach or suspected breach which could result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, as follows:
Notify the Loyalty Logistix Limited Data Protection Officer.
Conduct the first line breach investigation and determine:
a. The nature and scale of the breach.
b. Personal data affected.
c. Status in terms of ongoing, stopped, limited.
d. Actions required to stop the breach.
e. Immediate and long-term actions to rectify the breach.
f. Communications required.
Notify the Client of the breach, status and any ongoing actions required.
In the event of a major breach notify the regulatory body and affected customers.
Loyalty Logistix Limited operate in multiple national and international jurisdictions. These Information Assurance and Personal Data Privacy provisions are based on the stringent requirements within the EU GDPR and ISO 27001:2013, and particularly the following provisions.
When relying on Consent as the lawful basis of processing, Loyalty Logistix Limited require Explicit Consent with a Positive Opt-in mechanism.
2.1.1 Customer Registration via a Loyalty Logistix App or Personal Web Page (PWP)
The App or PWP shall provide a clear definition of the effect of giving consent with a link to the full terms and conditions. The default state is “opted out” and opting in requires positive action and confirmation.
2.1.2 Customer Consent Data Provided by Data Transfer from the Client
When consent data is provided by The Client in a data transfer of consent and/or personal information, it is the responsibility of The Client to obtain explicit consent, and Loyalty Logistix Limited will rely on that explicit consent.
2.2 Accuracy and Changes to Personal Information
Where possible, Loyalty Logistix Limited will allow the end customer to check and correct their own personal information, including items such as address and car ownership. When that is not appropriate The Client will be responsible for validating the request and Loyalty Logistix Limited will then action the change as instructed by The Client.
2.3 Right to be Forgotten
This right is intrinsic to the GDPR approach and Loyalty Logistix Limited will undertake reasonable steps to comply. The Client will be responsible for validating a request from an End Customer based on the right to be forgotten. Loyalty Logistix Limited will then action the change as instructed by The Client.
Loyalty Logistix Limited will implement cookie management when developing PWPs for The Client. The GDPR requires that cookies are treated as personal information, and so must be subject to the same level of consent as other items of personal information.
3. Car and Vehicle Sales Sector Specific Requirements
3.1 White Listing and Reputation
Loyalty Logistix Limited and its third-party suppliers implement a white listing process which is designed to protect the reputation of The Client and Loyalty Logistix Limited.
Major mailbox providers such as Gmail, Hotmail, AOL, and others calculate and manage reputations for IP addresses and domains.
Factors used in determining reputation are invalid address delivery attempts and complaints from end-recipients. To maximise and protect The Client's reputation we suppress attempts to deliver to bad addresses or to users that have previously complained.
Loyalty Logistix Limited and its suppliers will maintain a Suppression List for your account and use it to minimise failed delivery attempts. This will help maintain reputation and increase inbox delivery rates. It will minimise the chances of Grey Listing or Blacklisting by mailbox providers.
Sender reputation is the process used by major email providers to rate an IP address based on its sending history. This is usually determined by the bounce rate, the number of spam trap hits, user complaints, and the volume of outbound mail.
Loyalty Logistix Limited will provide the ability for an End Customer to remove an association with an owned vehicle from their Personal Account. This is also known as unbinding, and typically occurs when the vehicle ownership changes. As the owner of the data and the only party with original knowledge of the change of ownership it is the End Customer’s responsibility to action the unbinding.
Loyalty Logistix Limited will action a change intervention only in exceptional circumstances and based on clear instruction from The Client with the lawful reason stated.
If you have any questions about this Privacy & Information Assurance Policy, please contact us.
Loyalty Logistix Ltd
M-SParc, Menai Science Park, Gaerwen, Anglesey, North Wales, LL60 6AG
Tel: +44 (0) 1248 546000