GDPR PRIVACY AND PROCESSING NOTICE


Tryggr provides you with the tools to increase the number of happy customers giving reviews that will help your future customers to make their purchasing decision. To do this, the Tryggr system needs you to input customer information, and it then needs to store that information for the duration of your relationship with your customer.

This is where GDPR comes in. It’s also where we need to explain a little bit about the Personal Information Online Code of Practice (ICO), how we ensure the security of data, and what third party transfers we do. Altogether this forms our Privacy and Processing Notice, which sets out our responsibilities to you and also flags up your responsibilities to your customers. Sections marked with a C highlight the areas where the responsibility sits with you, the Data Controller.

What is GDPR?

GDPR (The General Data Protection Regulations – Data Protection Act 2018) is a piece of UK regulation adopting EU regulations around the collection, processing, storage, and retention of personal data. If you collect customer information you must do this in line with the regulations. If, like Tryggr, you provide a service that processes customer information on behalf of a third party, you must also comply with the regulations.

What is the Personal Information Online Code of Practice?

This voluntary code explains how the Data Protection Act 1998 (the DPA) applies to the collection and use of personal data online. It also provides good practice advice for organisations that do business online and are therefore subject to the DPA.

The code covers activities such as:

• collecting a person’s details through an online application form;

• using cookies or IP addresses to target content at a particular individual;

• using personal data to market goods or to deliver public services; and

• using cloud computing facilities to process personal data.

What data is covered?

The GDPR covers two types of data:

Personal data only includes information relating to natural persons who:

• can be identified or who are identifiable, directly from the information in question; or

• can be indirectly identified from that information in combination with other information.

Special category data includes material that is considered to be sensitive in nature, and where inappropriate use or processing could create significant risks to an individual’s fundamental rights and freedoms. Examples include race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.

Tryggr only requires the first category of data, Personal Data. C If you collect and process special category data, you can find out more about how to do this lawfully here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/

What data does Tryggr use and how does it use it?

Your Data

When you sign up with Tryggr we will collect your data so that we can create an account for you.

This will include:

• Contact name(s)

• Business name

• Type of business

• Email

• Phone

• Address details

• Contact history

This data is Personal Data and will be held on the lawful basis of Article 6 (b) Contract and (c) Legitimate Interests. In respect of this data, Tryggr is the Data Controller. Your data will be held for the duration of our commercial relationship with you and for 3 years after this. After this time, it will be deleted from our records. While we hold your data, we will ensure that our systems store your data securely, that you have the right to access and amend it if you feel it is inaccurate, and that we take all reasonable steps to prevent data breaches. For more details please see our privacy policy: https://www.tryggr.io/privacy

Data Processing

The ICO states that personal data is being processed where information is collected and analysed with the intention of distinguishing one individual from another and to take a particular action in respect of an individual. This can take place even if no obvious identifiers, such as names or addresses, are held.

As such Tryggr acts as the Data Processor in regard to the data that we collect on your behalf about your clients.

C Data Controllers

As a customer of Tryggr you will normally be the Data Controller. It is your responsibility to ensure that your customers are aware of what you will be doing with their data. This includes how you collect, process, store and retain it for your own records and processes, and how you will use it with Tryggr.

The ‘data controller’ has ultimate responsibility for complying with the DPA.

Contract

Where a data controller (you) uses a data processor (us) to provide services on its behalf, there must be a written contract in place ensuring that appropriate security is maintained. This means that the security must be as good as, or exceed, the data controller’s own standards, which must in turn be appropriate. This is why the contract we have with you specifies what measures we take, so that you can ensure that we are meeting the DPA standards on your behalf.

C Informing your Clients

You must inform your clients that you are using Tryggr and that their data will be processed by us. You can include this information in your privacy statement (usually on your website), as part of your Terms and Conditions, in a contract or under separate notice. As our client, we will provide you with a form of words that you can include on your website, or in your privacy statement.

C Lawful basis for collecting reviews. For the purposes of collecting feedback on your goods and services you will usually be able to rely on the lawful basis of Article 6 (c) Legitimate Interest. You will need to include this in the materials you supply to your customers, along with an explanation of how they can access the data you hold about them, amend any inaccuracies, or invoke their ‘right to be forgotten.’ We include this in the statement we provide to you, which you can make use of if you don’t already have your own.

C Lawful basis for marketing. If you intend to use your customers’ information for direct marketing purposes, the only lawful basis for doing so is Article 6(a) Consent. This means you will need to have, or get, their individual, explicit consent to use their data for this purpose.

You must allow customers to ‘opt in’ to marketing; you cannot rely on an ‘opt out’ button, and you cannot make it a mandatory part of their interactions with you. For example, requesting a price list or brochure does not entitle you to market to them; you must ask for their express, separate permission to do this.

You will need to keep a record of consent and remove any customers that don’t provide consent from your marketing database.

As the Data Processor, Tryggr will use the customer data you submit to generate emails to your customers and direct responses back to you and onto your website. Our team will view the data in order to process it and to analyse the effectiveness and impact of the Tryggr system for your business.

We store your customers’ contact information to allow us to provide this service. We will securely retain this data, for the purpose described only, for the duration of your contract with us. If your contract with us finishes, we are obliged to delete or return all the data to you as the Data Controller. We will not retain any copies.

In order to operate in a fair and transparent manner and so that we fully comply with the Personal Information Online Code of Practice we can:

• provide written guarantees about our security arrangements

• guarantee that data will only be processed in accordance with clients’ instructions

• guarantee that our staff are trained and vetted to suitable standards, wherever they are based

• explain our capacity to deal with serious technological or procedural failures

• explain our complaints and redress procedure

• explain the facilities we offer to maintain high data protection standards

• provide customers with copies of their information on request.

Lawful Basis. We process your customers’ data on your behalf under the lawful basis of Article 6 (b) Contract. Our contract with you will set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

Data Minimisation. We will only request data that is necessary for the provision of our services; we will not request, accept, or utilise data over and above this requirement.

Data access rights. We will ensure that you are aware of your rights to access, amend or remove data (see SAR Policy) and that you understand, and can communicate to your customers, how they can do the same. If required for the purposes of a data access request, we will provide copies of data in an electronic and exportable format.

Data retention. We will not retain your information or your customers’ information for longer than is required, either by the contract or for other legal or regulatory purposes. We regularly review the data we hold, and if retaining it for a longer period is necessary, we will anonymise the data.

Data security. We will ensure that our systems hold your data securely, ensuring that the data is backed up, that systems are protected from malicious access, and that transfers of data are secure and encrypted.

Data Breaches. We will fully investigate any suspected data breaches and take the required actions to amend, restore or repair data, and inform the affected parties and/or the ICO if the data breach is sufficiently serious (see Data Breach Policy).

Data transfers. We will not share your data or your customers’ data with third parties except for cloud-based storage. Where cloud-based storage involves the automatic transfer of data and storage outside of the EEA, we will only use providers that comply with the US/EU Privacy Shield or similar, relevant, standards.

If you need more information, or are unsure how to ensure that you have done all you need to do in terms of Privacy and Processing, then please have a look at the useful links below or get in touch: james@loopwhole.co.uk

Useful Links

Guide to the UK General Data Protection Regulation (UK GDPR) | ICO (ico.org.uk)

Tryggr SAR Policy

Tryggr Data Breach Policy

Tryggr Website Privacy Notice