At Itineris, we are committed to GDPR. Please find below our Data Processing Agreement, that applies to all clients.
This document is important so that both parties understand our responsibilities, obligations and liabilities when dealing with your data.
This agreement demonstrates our commitment to GDPR compliance and our duty to protect the data we process on your behalf. It also sets out what data we hold on your behalf, why we hold it, what we do with that data and how long we hold it for.
Where referenced, Itineris Limited acts as the ‘processor’ and the client as the ‘controller’ in this agreement (as we process and hold data on your behalf). Merely holding data (even if we do nothing else with it) is processing under the GDPR and makes us a processor. Where we refer to “GDPR” in this agreement this also includes the UK’s Data Protection Act 2018. For your convenience this document includes summary information about your obligations under the GDPR as a data controller.
This is not a substitute for specific legal advice and you must not rely on this as such. It is ultimately your responsibility as a data controller to comply with GDPR and you should obtain professional or specialist advice as required. As such we make no representations, warranties or guarantees, whether express or implied, that any of the information set out in this document in relation to GDPR is accurate, complete or up to date.
What is personal data?
According to the Information Commissioner’s Office, ‘personal data’ can be very broad. It is defined as:
“Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data can include IP information and any other online ‘identifiers’ or unique codes.
In relation to digital marketing, personal data can include:
- Information collected on a website form (name, contact details, contact preferences)
- Financial transactions relating to a data subject, stored on the CMS
- Email marketing lists
- IP addresses
- Information generated from cookies
Our obligations to you:
- With regards to personal data we process on your behalf, we will only act on your written instructions
- We will ensure that people processing personal data on your behalf are subject to a duty of confidence
- We will take appropriate measures to ensure the security of processing
- We will only engage sub-processors with your prior consent in writing (by entering into this agreement you are providing consent to engagement of the sub-processors whose details are set out in this agreement)
- We will assist you in responding to subject access requests and in allowing data subjects to exercise their other rights under the GDPR. Please refer to the “How you can access your data” section for further information.
- We will assist you in meeting your GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- We will delete or return (at your option) all personal data to you as requested at the end of the contract
- We will provide you with whatever information you need to ensure that we are both meeting our Article 28 obligations, and tell you immediately if we are asked to do something infringing the GDPR or other data protection law of the EU or a member state
Your obligations as a controller:
As the data controller you are responsible for ensuring that personal data is processed in accordance with the GDPR.
You must provide documented instructions to us that outline:
- What personal data you would like us to capture on your behalf and how this is to be processed.
- How and when you would wish us to expire your personal data
As noted at the beginning of this agreement, data controllers remain directly liable for compliance with all aspects of the GDPR, and for demonstrating that compliance. If this isn’t achieved then they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
What personal data we collect
We only collect personal data that you have told us to collect on your behalf. Personal data collected may cover:
- Postal addresses
- Email addresses
- Contact preferences
- Unsubscribe/Do not mail data
- Card and bank details for online donations and purchases
- IP addresses
- Usernames & passwords
- Website visits
- Website behaviour (visits, clicks, funnels)
We would not ordinarily expect to process any “special category” personal data on your behalf (such as data relating to religious beliefs, medical history, sexual orientation etc. of data subjects). If we are required to process such “special category” data on your behalf you should be aware of your enhanced responsibilities in relation to such processing under the GDPR.
Why we collect the data
We collect personal data on your behalf because you have asked for this to happen.
Data processing can be carried out under the GDPR on the basis of the ‘legitimate interests’ of the data controller as part of a direct marketing strategy. However, where this involves email marketing to individuals, the Privacy and Electronic Communications Regulations (PECR) also apply, and you will need to be able to prove that clear consent has been obtained from the individual unless they are an existing customer, in which case you may be able to rely on the “soft opt-in”.
Whether or not the data can be processed on the “legitimate interests” basis will need to be balanced in each case against the rights and freedoms of the data subjects and their reasonable expectations. For example, would the marketing communication be something they would reasonably expect to receive from you given their relationship with you?
If “legitimate interests” cannot justify the processing then you are likely to need to rely on GDPR-compliant consent as the lawful basis for processing the data for direct marketing.
Where consent is relied on for online services offered directly to children, the UK implementation of the GDPR sets the age at which a child can give their own consent at 13; the GDPR default is 16, and other EU member states may set a lower age (but not below 13). If you can’t justify keeping data, don’t keep it ‘just in case’. However, we will not remove any data unless you ask us to.
Ultimately it is your responsibility as the data controller to ensure that you have a lawful basis for the data processing you require us to carry out on your behalf and that this is otherwise compliant with the GDPR.
How we process data on your behalf
We hold and process personal data on your behalf via our CMS and email marketing systems. We will sometimes work alongside other processors – when advised by you – to collect data on your behalf, which can include:
- Google Analytics – a web analytics service offered by Google that tracks and reports website traffic
- Google AdWords – an online advertising service by Google, where advertisers pay to display brief advertising copy, product listings, and video content within the Google ad network to web users
- Hotjar – a tool that creates heatmaps and click tracking on websites
- Unbounce – a tool to build custom landing pages, which uses form collection and cookies
- Third party email marketing platforms (SendGrid, Mailchimp, Dotmailer)
- Facebook – a social media platform which offers tracked ads and conversion tracking through the Facebook Pixel
You will be contracting directly with these processors and should make sure that you have read and understood their terms and agreements in relation to the processing of data they will undertake on your behalf.
How long we store your data for
As a data processor, we store personal data on your behalf until you tell us not to and it is your responsibility to determine and apply appropriate data retention policies. If you tell us to delete certain datasets, they will be removed.
You have access to any data collected from the website on the back end of the CMS. Any email marketing lists that you have uploaded into little green plane (if you use this) will stay there until you delete them.
It is good practice for your team to periodically review the information stored in your CMS and email marketing software, and remove any data that you no longer have a lawful basis to hold.
How you can access your data
Data processed on your behalf in your CMS and email marketing account (if you use little green plane) is already fully available to you to view and access.
If you require a full access report on the data we hold for a specific individual, this will be supplied within 30 days of the request being submitted and will be chargeable at our standard hourly rate. Please email us at firstname.lastname@example.org or call 01473 760040 if this is required.
Security of processing
Keeping your data secure is very important to us, and we work to the highest standards of data security. There are a number of things we do, and recommend that you do, that reduce the likelihood of a data breach, including:
SSL/TLS – We suggest all our web clients have a certificate installed and serve their site over HTTPS. SSL stands for Secure Sockets Layer; the protocol in current use is its successor, TLS (Transport Layer Security), although certificates are still commonly called “SSL certificates”. When a site is served over HTTPS, the information a user sends to your website – credit card numbers, usernames and passwords, and other sensitive information – is encrypted in transit and cannot be read or tampered with by anyone between the user’s browser and your server. Note that this protects data only while it is in transit; it does not protect data once it is stored in the CMS or email marketing system. Please ensure that the padlock is displayed on every page of your site, not only on forms and checkout pages, and that plain HTTP requests are redirected to HTTPS.
Web servers – our websites are hosted on either Amazon Web Services (AWS) or Kinsta; two of the most secure cloud computing environments available. Both these organisations act as data
Licence renewals & patches – If you do not keep up with your paid licences we cannot provide the appropriate patch levels, and your website solutions will not have the most up-to-date security protection.
Liquidation – In the event of liquidation, we would pass all website and email marketing files and data to you, or they would be provided to the liquidator or administrator.
Confidentiality – your data can be accessed by Itineris staff, our sub-processors and occasionally freelancers. We will take steps to ensure that anyone processing your data understands their GDPR requirements and only processes your data in line with your written instructions. We have adapted our Employment Contracts to outline GDPR requirements of our staff.
Google Analytics – Google relied on the EU-US Privacy Shield for transfers of data to the United States. Note that the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so transfers to Google in the US now require another transfer mechanism, such as standard contractual clauses; you should check the mechanism Google currently offers in its terms.
When we may use a sub-processor
We use third-party web hosts, currently AWS and Kinsta, to host your web files.
The nature of digital marketing means we will sometimes work alongside other processors to collect, manage and otherwise process personal data on your behalf. We will only do this upon your instruction.
Please refer back to the ‘How we process data on your behalf’ section for further information.
Records of processing activities
We only begin holding and processing your data upon written confirmation, via a contract at the beginning of the website project or by signing up to email marketing software.
Web – All processing is recorded within the web CMS or our email marketing software (little green plane).
Analytics – Google’s terms prohibit sending personally identifiable information to Google Analytics, and Google states that it does not store such information on the platform, so individual customers should not be identifiable from Google Analytics data. IP addresses are nonetheless processed by Google (for example to derive location) and are personal data under the GDPR; where your Google Analytics configuration offers an IP anonymisation setting, we recommend enabling it. You, as our client, need to ‘own’ your Google Analytics account, and we should only have access to it. For further information on these points, please see https://privacy.google.com/businesses/compliance/
Co-operation with supervisory authorities
Itineris shall cooperate, on request, with the supervisory authority in the performance of its tasks. For Itineris, the supervisory authority is the Information Commissioner’s Office (ICO).
You can learn more about the ICO and GDPR below:
12 Step Checklist to prepare for GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Checklists for data controllers and data processors: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
Notifying personal data breaches
In the case of a personal data breach (no matter how small) we will report the breach to you without undue delay and in any event within 72 hours, so that you can comply with your obligation under Article 33(1) of the GDPR to notify the ICO. The 72-hour deadline in Article 33(1) applies to your notification to the ICO and runs from when you become aware of the breach, which is why we report to you without undue delay rather than waiting until the end of that period. We will also record the breach in a data breach log held within the Itineris office.
The log will:
- describe the nature of the personal data breach including the categories and approximate number of data subjects and records concerned
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
- describe the likely consequences of the personal data breach
- describe the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
If it is not possible to provide the information all at once, we will provide it in phases. The documentation shall, to the extent possible, be sufficient to enable the supervisory authority to verify compliance with the GDPR. Any claim for compensation arising from a data breach that we have caused is a matter for the courts under Article 82 of the GDPR; the ICO can investigate a breach and impose penalties, but it does not award compensation.
Data Protection Officer (DPO)
At present, Itineris does not need to appoint an official Data Protection Officer as we are not a public body and do not meet the other criteria under the GDPR which would require us to make such an appointment.
In accordance with GDPR, we will appoint an official Data Protection Officer if:
- Our core activities consist of processing that require regular and systematic monitoring of data subjects on a large scale
- Our core activities consist of large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences