PromoVeritas Privacy Notice

January 2020

PromoVeritas Ltd is a company incorporated in England and Wales whose registered office is at Monument House, 215 Marsh Road, London, HA5 5NE (registered number 04437132) (“we/us/our”). We gather and hold personal data about our employees, clients, suppliers, promotion entrants and other individuals for a variety of business purposes. We are committed to respecting your privacy and to complying with applicable data protection and privacy laws, including the Data Protection Act 2018. (“Data Protection Legislation”). We will uphold our commitment to this stringent level of data protection during the transfer period when the UK leaves the European Union (EU) and beyond, when we anticipate that the UK will come an “Adequacy Decision” with the EU authorities.
This Policy applies to all products and services provided by us and sets out how we seek to protect personal data and ensure that our staff understand the rules governing their use of any personal data to which they have access in the course of their work. This Policy is effective from January 2020.

This Policy should be read in conjunction with our website Terms & Conditions.

1. Business Purposes

1.1. You give us your information through this website, by entering a promotion we are running for a client, or by any other means. All personal data passed to us by any third-party such as a brand client will also be treated in accordance with this Policy.  We may use your personal data for business purposes which include the following:
1.1.1. Conducting the running of promotions for third-party clients, communicating with entrants about promotions they may have entered and undertaking general winner management.
1.1.2. Internal record keeping, compliance with our legal, regulatory and corporate governance obligations and good practice.
1.1.3. Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings/requests.
1.1.4. Ensuring business policies are adhered to (such as policies covering email and internet use).
1.1.5. Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information and security vetting.
1.1.6. Investigating complaints.
1.1.7. Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities, staff absences, administration and assessments.
1.1.8. Marketing our business to our clients, sending our clients promotional emails and updates about new products, special offers or other information we may think is of interest to them.
1.2. We may use the information and visiting patterns from our online sites to customise the website according to your interests. Our Cookie Policy provides further information on this.

2. Personal Data

2.1. This is defined as information about individuals which makes them personally identifiable such as their name and email address. We process personal information relating to entrants to promotions, clients, suppliers, marketing contacts, job applicants, current or former employees and agency, contract or other staff.
2.2. The type of personal data we may gather differs depending on who an individual is. They may be an employee, or a promotion entrant.
2.3. Personal data we may collect includes:
· Full name
· IP address and other data associated with your computer
· Demographic information e.g. postcode
· Additional information provided by you may include:
· Preferences and reminders
· Home address
· Telephone number
· Mobile phone number
· Date of birth
· Job Title
· Payment and bank account information

3. We may collect personal data:

3.1. When you visit one of our websites and the following information may be created automatically: transactional & clickstream information and cookies.
3.2. When you enter a promotion
3.3. When we fulfil a promotion, for example, arranging to send you a prize
3.4. When we meet you in person
3.5. When we speak to you by telephone
3.6. When you correspond with us by email
3.7. When you fill in forms and questionnaires either for us directly or for promotions that we are administering

4. Sensitive Data

4.1. This is defined as personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings.
4.2. We very infrequently gather this type of information and any use of sensitive personal data will be strictly controlled in accordance with this Policy.
4.3. In the unlikely event that we do process sensitive personal data, we will require an individual’s explicit consent to do this unless either exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

5. Application of Policy

5.1. This Policy applies to all personal and sensitive data processed by us and by all of our staff. We will ensure that all staff members are familiar with this Policy and stringently comply with its terms. We may supplement or amend this Policy with additional policies and guidelines from time to time. Any new or modified Policy will be circulated to staff before being adopted.

6. Responsibility for this Policy

6.1. Our Head of Business Operations has overall responsibility for the day-to-day implementation of this Policy.

7. Fair and lawful processing

7.1. We will always seek to process personal data fairly and lawfully in accordance with the rights of the individual. This generally means that we will not process personal data unless the individual whose details we are processing has consented to this happening unless there is a lawful reason to not gather this consent. The processing of data must be:
7.1.1. Necessary in order to deliver our services and the services that we deliver on behalf of our clients.
7.1.2. In our legitimate interests and not unduly prejudice the individual’s privacy.

8. Accuracy and relevance

8.1. We will seek to ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any other unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate personal data relating to them. If an individual’s information changes or they otherwise believe that information is inaccurate, they should inform the Information Security Manager.

9. Data security

9.1. We are committed to protecting the confidentiality of all personal information and will keep personal data secure against any loss or misuse by implementing appropriate technical and organisational measures in line with Data Protection Legislation. We will safeguard personal data from unauthorised/unlawful processing, accidental loss, destruction or damage, for example, by way of encryption, third party audits, access controls and security testing. We will only make copies of personal data to the extent that is reasonably necessary for the provision of our services (including, but not limited to, back-up, mirroring and similar availability enhancement techniques, security, disaster recovery and testing). We will not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy or store any personal data other than for the agreed purpose.
9.2. Where other third-party organisations process personal data as a service on our behalf, our Information Security Manager will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations. We will always seek to ensure that any third party engaged by us who processes any personal data have policies and procedures in place to ensure compliance with Data Protection Legislation. We may share personal data with third parties where we are required to do so by law or regulation, such as in connection with an investigation of a legal nature, including where we believe that an individual’s actions violate applicable laws, the terms & conditions of a promotion, this Privacy Notice, or any usage guidelines for specific services, or threaten the rights, property or safety of our client(s), us, our users, or others.

10. Storing data securely

10.1.1. In cases when data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it.
10.1.2. Printed data will be shredded when it is no longer needed.
10.1.3. Any data stored on a computer will be protected by strong passwords.
10.1.4. The Information Security Manager will approve any cloud service used to store data.
10.1.5. Servers containing personal data will be kept in a secure location, away from general office space.
10.1.6. Data will be regularly backed up in line with the company’s backup procedures.
10.1.7. Data will never be saved directly to mobile devices such as laptops, tablets or smartphones.
10.1.8. All servers containing sensitive data will be protected by security software and a strong firewall.

11. Transferring data internationally

11.1 We will uphold our commitment to the stringent level of data protection set out under current Data Protection Legislation during the transfer period when the UK leaves the EU until an Adequacy Decision has been reached, and beyond.
11.2 Our servers are based within the UK therefore for any non-UK promotion there will by necessity, be data flow from entrants entering outside the UK into the UK.
11.3 As our clients operate globally, it may be also necessary to transfer an individual’s personal data internationally. However, we will not transfer any personal data outside of the European Economic Area (EEA) unless:
11.4 Such transfer is to a country or jurisdiction where the EU Commission has approved as having an adequate level of protection (including to the USA under a Privacy Shield agreement).
11.5 Appropriate safeguards are in place as set out in Article 46 GDPR or equivalent provisions of subsequent Data Protection Legislation.
11.6 The transfer is otherwise allowed by applicable Data Protection Legislation (such as in the form of a derogation under Article 49 GDPR).

12. Processing data in accordance with the individual’s rights

12.1. We will abide by any request from an individual not to use their personal data for direct marketing purposes.
12.2. We will not send direct marketing material to anyone electronically (e.g. via email) unless they have given us positive consent to receiving our marketing material and that consent will be recorded and stored securely.

13. Staff Training

13.1. All staff will receive training as part of the induction process. Further training will be provided at least every year or whenever there is a substantial change in the law or of our Policies or Procedures. Completion of training is compulsory and will cover:
13.1.1. The law relating to data protection.
13.1.2. Our data protection and related policies and procedures.

14. Who will your information be shared with?

14.1. In order to run our business, we need to make use of personal data e.g. to conduct a prize draw.  However, we do not sell any information to third parties.  We will only share an individual’s information as set out below, with their consent or on the basis of it being necessary and to fulfil legitimate business purposes.  For example:
14.1.1. Bank account information may be shared with our bank to facilitate payment of a prize into an individual’s bank account.
14.1.2. Information may be shared with third parties such as a handling house or a delivery company to fulfil promotions, fulfil transactions including payment information, shipping, prize fulfilment and any other personal information which may be required to fulfil the transaction. If further consent is required to pass an individual’s personal data to third parties, the individual may be contacted in order to give their positive consent for this purpose.
14.1.3. Details may be shared with marketing platforms.
14.2. We may disclose an individual’s personal information to third parties in limited circumstances as follows:
14.2.1. Where we engage the business services of a third party to provide services directly to us. We will carry out the necessary due diligence on any third party that we use to ensure that they fully comply with data protection regulations. Any third party will be engaged for a specific purpose only and they will be strictly prohibited from using any individual’s personal data for any other purposes.
14.2.2. If we are under a duty to disclose or share an individual’s personal data in order to comply with any legal obligation or in order to enforce or apply our terms of use on this website and other agreements.

15. How long we retain your data for

15.1. We will retain personal data for no longer than is necessary and in any event no longer than one year from the date of last usage as per our data retention policy.  What is necessary will depend on the circumstances of each case and any Data Processing Agreements which exist with our clients. We will also need to take into consideration any regulations that we must fulfil, for example for auditing purposes or for legitimate business purposes we may need to retain an individual’s information after their relationship with us has ended.
15.2. For as long as we do store an individual’s data, we will follow generally accepted industry standards and maintain reasonable safeguards to attempt to ensure the security, integrity and privacy of the information an individual has provided. We have security measures in place designed to protect against the loss, misuse and alteration of the information. Personal data processed by us is stored in secure operating environments that are not available to the public.

16. Marketing

16.1. We would like to send our clients information, from time to time about our products and services but will only do so on the legitimate interest basis, which our clients can object to at any time, as detailed below.

17. How can an individual access data that we hold on them?

17.1. All individuals have the right to access or correct information held about them. In all the cases below, this is done by contacting us at infosec@promoveritas.com and providing their full name, address and email and likely source of us holding data on them, e.g. a recent promotion. Please allow up to 28 days for response.

18. Consent

18.1. The personal data that we process is subject to an individual’s positive or explicit consent as the case may be either by virtue of us fulfilling our role as a Fulfilment Partner of our Clients or by virtue of us being a Data Controller in accordance with our Data Protection Impact Assessment where deemed necessary. This consent can be revoked at any time.

19. Legitimate Interest

19.1. The personal data that we collect and process under the legitimate interest basis is done in the commercial interest of the business and we will use this basis especially in connection with business growth and our Surveys, Newsletters, Events and other marketing literature send to business contacts and prospects. Individuals have the right to object to this processing and if they wish to exercise this right they may unsubscribe from an email, or contact the Information Security Manager, at which time we will stop processing their data.

20. Data portability

20.1. Upon request, individuals will have the right to receive a copy of their data in a structured format. These requests will be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. Individuals may also request that their data is transferred directly to another system. This will be done for free.

21. Right to be forgotten

21.1. Individuals may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

22. Monitoring

22.1. Although we take every reasonable step to protect the information that individuals provide us, we cannot guarantee the security or accuracy of the information that we gather. Please be assured that all our staff must observe this Policy and the Head of Business Operations who has overall responsibility for this Policy will monitor it regularly to make sure it is being adhered to.
22.2. If you have any questions or concerns about anything in this Policy, do not hesitate to contact us at infosec@promoveritas.com.
23. Links to other websites
23.1. Links on this website may take visitors to a third-party website.  At the point they enter the third-party website, the privacy and cookie Policy of the third-party will apply to any and all information that they provide. It is important to read the third-party’s privacy and cookie Policy. Such links or re-directions are not endorsements of such websites or representation of our affiliation with them in any way and such third-party websites are outside the scope of this Privacy Notice. If an individual visits such third-party websites, they must ensure that they are satisfied with their respective privacy policies before they provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website operated by a third-party.

24. Cookies

24.1. Please refer to our Cookie Policy.

25. Notification of changes to this Policy

25.1. Our Privacy and Cookie Policy will be reviewed and enhanced from time to time.  Please check our website or contact us for a copy of the current Privacy and Cookie Policy.  If an individual is not happy with the conditions of a revised Privacy and Cookie Policy, they may opt out by contacting us.

26. Contact Us

26.1. For support on matters relating to Data and Information Security please contact us at:
Post: PromoVeritas, Information Security Manager, Monument House, 215 Marsh Road, London, HA5 5NE
Email: Infosec@promoveritas.com
Telephone: +44 20 3325 6000

27. You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues, which in the UK is the Information Commissioner’s Office (ICO) (www.ico.org.uk)