GDPR Statement

GDPR Controller Statement

As a Data Controller we will:

  • Retain your personal data for the purposes of performing our contract with you and on-going support agreements.
  • We will continue to market to you with products and services as they relate to the products and services already supplied and communicated on an on-going basis.
  • We will communicate new features and hints and tips via our current newsletter.
  • We will keep your data secure within our Salesforce CRM application and not share your data outside of the EU.
  • We will ensure that any data processors who are processing your data on our behalf provide guarantees that they have appropriate technical and organisational measures in place to comply with the requirements of the General Data Protection Regulations (GDPR).
  • You have the right to object to the processing of your personal data in relation to communications for marketing and updates from Intelligent Retail.

 

GDPR Processor Statement

 New regulations around the use and protection of an individual’s personal data have been set out in the General Data Protection Regulations (GDPR). Articles 4 (7) & (8) define the following roles:

  • Data Controller – decides why and how the data is handled, including implementation of procedures.
  • Data Processor – processes the data on behalf of the controller.
  • Sub-Processor – should be engaged with sufficient guarantees on data procedures and with the controller’s agreement (article 28).

For the purposes of processing customer data on behalf of our independent retailers, Intelligent Retail’s role is that of a data processor.  You may have separate agreements with sub-processors such as Sage Pay or VeriFone or Payment Express but your contract is direct with them.  Rackspace / AWS are sub-processors of Intelligent Retail. We confirm we have reviewed and agreed their sub-processor statement.

As Data Controllers, our customers will need to meet the rights of the consumer (data subject) regarding their personal data, as well as, be able to demonstrate a lawful reason to collect data.

So to understand those responsibilities more, here are the GDPR definitions of Data Subject Rights and Lawful reasons to collect Data.

 

Data Subject Rights – Consumer

  • Right to be informed (Why is information kept?) – Articles 12-14
  • Right of access (What information do you keep?) – Article 15
  • Right of rectification (Update info) – Article 16
  • Right of erasure (Right to be deleted) –Article 17  There are certain exemptions e.g. HMRC reporting or for compliance with a legal obligation
  • Right to restrict processing (e.g. don’t market to me) – Article 18
  • Right to data portability (Move data to other providers; more related to energy industry) – Article 20
  • Right to object (can object to being processed) – e.g. Can object to being in surveys – Article 21
  • Rights related to automated decision making including profiling – profiling information – Article 22

 

Lawful reason to collect data under Article 6

  1. Consent – evidence based  – must be ‘unambiguous affirmative action’
  2. Contractual consent
  3. Legal obligation (such as proceedings underway)
  4. Vital interest
  5. Public task
  6. Legitimate interest

As your Data Processor, we will provide you with tools to help you meet your obligations as a data controller, as they relate to a data processor’s responsibilities.

As a Data Processor we will support you in your obligations to protect the rights of the data subject:

Right of erasure (Right to be deleted) –There are certain exemptions to this e.g. HMRC reporting or for compliance with a legal obligation

  • Provide tool for retailers to respond to consumers’ request to be erased. The data will be anonymised both on the account as well as transactional history for that consumer.
  • Provide tool to delete all consumer details after a user defined period of time.

Right to restrict processing (e.g. don’t market to me)

  • Provide a tool for retailers to respond to consumers’ request to change their consent/marketing preferences.

Connect already supports the Right to Access and the Right to Portability.  Please note though, that you may store supplementary data on your customers in additional systems that will also need to be accessed/updated or erased.

As a Data Processor we will support you in your obligations to evidence your lawful collection of data as it relates to consent:

  • Provide tools for retailers to capture consumer consent on the website and via the till.  The consent statements will be user defined in number and in content.
  • As a retailer, you will be able to audit when a consumer gave consent, when they changed or updated their consent or simply to track whether a consumer has opted in or out.

The consent framework will be available for 25th May 2018 for customers to upgrade their systems upon request.

As further clarification, we have detailed what customer information is processed in Connect, on our websites and how it is processed.  Furthermore we have explained which 3rd parties may have data passed to them and explained under what circumstances our support processes may require us to access customer data on the host system as part of issue investigation or error resolution.

 

In Store Data (Tills, Back offices)

Personal data we process

By default, Connect is designed to store the following personal data: Name, Email address, Loyalty ID, Gender, Date of Birth, Address and telephone numbers.  As Connect has open fields for entering information, it is possible that you are entering personal data outside of this data set.

How we process personal data

Intelligent Retail stores data on secure databases hosted by our providers AWS / Rackspace within the EU. Data is replicated to and from our infrastructure to the client machines via an encrypted connection. Periodic backups of the server and databases are taken for disaster recovery purposes.

3rd Party Systems

Connect is designed to integrate with many 3rd party systems (Amazon, eBay, etc.).  We will only pass data onto these 3rd parties if you configure the system to do so, giving you complete control of which 3rd parties process your data.  Where available, we will use secure and encrypted connections to these 3rd parties, if you have specific questions regarding a 3rd party integration please contact us.

Support

Some support cases will require access to personal data on our hosted servers.  These cases will be handled within the EU and all access to personal data will be via a secure encrypted connection and access will be logged.

 

Websites

Personal data we process

Intelligent Retail websites are designed to store the following personal data:  Name, Email address, Loyalty ID, Gender, Date of Birth, Address and telephone numbers.  As our websites have open fields for entering information it is possible that personal data outside of this data set is being entered.  We also collect user IP information for server monitoring.  This IP information isn’t stored alongside any further customer information and is removed after 7 days.

How we process personal data

Data collection happens via the website front end and is securely sent to the database server for storage.  Data is retrieved from the database storage and securely passed to the website front end for display to an end user.  Intelligent Retail host websites on webservers and store data on secure databases hosted by our providers AWS / Rackspace within the EU.

3rd Party Systems

Intelligent Retail websites are designed to integrate with many 3rd party systems (Opayo (formerly SagePay), PayPal, Trustpilot, etc.).  We will only pass data onto these 3rd parties if you configure the system to do so, giving you complete control of which 3rd parties process your data.  Where available, we will use secure and encrypted connections to these 3rd parties.  If you have specific questions regarding a 3rd party integration please contact us.

Support

Some support cases will require access to personal data on our hosted servers.  These cases will be handled within the EU and all access to personal data will be via a secure encrypted connection and access will be logged.

Email Hosting

Our standard Email services are hosted with Rackspace in the United States. If you use this service to process personal information then this will be transported outside of the EU. As part of GDPR compliance, you could be required to inform the data subjects whose personal data you control of this fact. We also offer hosting within the EU and we would recommend seeking legal advice as to which option best suits your business compliance and data requirements.

For more information regarding your responsibilities under GDPR, please visit the ICO website.

To read our GDPR FAQ please Click Here

Last revision – (June 04, 2024 @ 15:41)