This document has been created to enable customers and prospective customers of Generator (Creative Energy) Ltd (Generator) to understand key elements of its approach to storing personal data, particularly with regards to the requirements of the General Data Protection Regulation (GDPR), and the need to demonstrate the requirements of the law have been complied with.
Generator is committed to the protection of the rights and freedoms of data subjects whose personal data is held and processed by Generator for marketing purposes.
Generator shall always comply with the requirements of the laws concerning data protection and personal data protection in force. These include:
- Data Protection Act (DPA)
- Privacy and Electronic Communications Regulations (PECR)
- General Data Protection Regulation (GDPR)
- ePrivacy Regulation (ePrivacy)
Compliance with GDPR legislation
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is processed:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Our Responsibility to Data Subjects
Generator shall be open and honest about how personal data will be used to market products and services which are considered relevant to the data subject in a professional capacity.
Generator shall explain the rights the data subject has, and how to exercise them.
Generator shall be respectful of the preferences every data subject has about how they should be communicated with.
Generator shall make reasonable efforts to ensure personal data is accurate and to identify and rectify inaccuracies as soon as possible.
Generator shall retain the personal data for as long as it is believed accurate, and relevant.
Generator shall keep the personal data of data subjects confidential and secure using appropriate technologies and organisational measures, including but not limited to, physical security, cybersecurity, firewalls, backups, data access restriction and encryption.
Business Contact Information
Generator may hold business contact information about you if you are a decision maker in an organisation in the UK.
Your information can only be used where the product or service or information being promoted could be relevant to you in your professional capacity.
We want to respect your wishes about how and if you are contacted.
We record, if you tell us, how you prefer to receive direct marketing communications, whether by post, by phone or by email.
You may also tell us you do not wish to be contacted at all, and we will respect your wishes.
The personal information we hold may include your name, job title, work email address, company name, work address and work telephone number.
The legal basis for processing your data is ‘legitimate interest’, because Generator benefits commercially from providing marketing and design know-how.
We do not use your personal data for any automated decision making or profiling.
Your rights concerning your personal data are:
- You can ask to see the personal data we hold about you and we will show you free of charge
- We will update the personal data to correct errors when you tell us about them
- We will supply you with a CSV version of the personal data we hold about you if you ask us to
- We will stop processing your personal data if you tell us to
- We will delete your personal data if you tell us to although we may find your details again later, and if we have no record of you we may contact you again.
Most people who wish us not to contact them or process their personal data find asking us to stop processing their personal data is a preferable solution.
We will keep the data for as long as we believe that it is accurate & up to date, and that it reflects your preferences. To do this, we will normally re-contact you on a frequency that is less than every 12 months.
Generator also ensures that the product or service we wish to market is professionally relevant to you. This might be because of the type, size or location of the organisation that you work in or because you are the right person for certain sets of decisions based on factors like your role, seniority, and responsibilities.
The aim is to facilitate marketing that is relevant to you, and helps you in your professional role. You may not actually want it, but you should at least understand why it was sent to you.
If you would like to update your data, change your preferences or request a copy of the data we hold about you simply email firstname.lastname@example.org or call (01425) 651951. It is free to do so.
Personal Data Processing Policy
Legal Basis for Processing
Generator uses data for direct marketing purposes on the basis of ‘Legitimate Interest’. Offering marketing and design know-how and consulting is legitimate in the UK, and Generator derives profitable revenue from these services enabling it to employ people, which is its interest.
The personal data processed by Generator is not likely to result in a high risk to the rights and freedoms of the data subjects, so a ‘Data Protection Impact Assessment’ is not required. Because the legal basis for processing is ‘Legitimate Interest’, Generator must ensure that the risks to the rights and freedoms of the data subject do not outweigh the ‘Legitimate Interests’ of Generator.
Consequently, Generator shall perform and document the findings of:
Generator Necessity Test for processing Personal Data for Direct Marketing
Objective of Intended Data Processing
Generator is seeking to attract new customers so they must use net new data.
Requirement for personal data
Generator has determined that to achieve a profitable return on investment, direct marketing communications should be personalised, so it is necessary to use personal data.
Alternatives to data processing
This direct marketing is to be conducted in addition to other promotional activities of Generator, thus there is no alternative that meets the requirement. Generator can-not identify any alternative solution to finding new customers, so the processing of personal data for direct marketing is necessary.
Generator Balancing Test for using Personal Data for Direct Marketing
Intended Data Processing
Generator wishes to use data to send direct marketing or otherwise prospect, to gain new clients and/or sales. They wish to promote products and/or services to decision makers in UK organisations. Generator shall use targeting suitable to identify contacts for whom the direct marketing will be ‘professionally relevant’.
The personal data concerned are the contact details for the decision makers including name, job title, work email address, company name, work address and work telephone number. There is no sensitive data involved.
Generator has identified a need to find new customers and failing to do so will be prejudicial to the interests of the organisation, it’s members and stakeholders.
Risks to the Interests or Fundamental Rights and Freedoms of the Data Subject
There is a risk that the data subject will not know, or may have forgotten, their data is being used and might feel the use is not transparent and fair. The data subject may be unaware of their rights concerning its use. There is a risk that the exercising of their rights will not be observed, specifically their rights to access, to rectification, to restriction of processing, to object to processing, to erasure and to data portability. There is a risk that their data might be transferred to an unsafe territory, and the security of their data may be compromised.
Data subjects’ reasonable expectations During the engagement process Generator explains to the data subject, the intended use was to send them ‘professionally relevant’ direct marketing communications. Generator also asks for the contact preferences of the data subject meaning the methods by which the communications could be delivered, specifically post, telephone or email. This means the data subject has been made aware of the potential usage of the data, both in terms of content, and delivery method. The data subject has also been informed of how Generator assess the professional relevance of direct marketing.
The data being processed is not of a sensitive nature, and the harm likely to befall the data subject in the case of a data breach is likely to be minor, given that the data concerns them in their work capacity and only relates to their workplace contact details.