Loyalty Logistix shall process and store information on behalf of the client. The policies, processes, methods and tools used will be subject to the following regulations and/or accreditations.

ISO27001:2013 - www.iso.org/isoiec-27001-information-security.html
General Data Protection Regulations EU - www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/?q=fine
Information Commissioner’s Office - ico.org.uk

1.0 General provisions

This policy applies to all personal data processed under the contract.

1.1.1. Lawful Processing

To ensure its processing of data is lawful, fair and transparent, Loyalty Logistix Limited shall maintain a Register of Systems. Individuals have the right to access their personal data and any reasonable and legal requests for access shall be processed as follows.
a) The Client shall verify the basis of the request.
b) The request will be dealt with in a timely manner.

1.1.2. Lawful Purposes

All data processing within the contract shall be on at least one of the lawful bases stated above in section 1:
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and we will record the request.

1.1.3. Data Minimisation

Loyalty Logistix Limited shall ensure that personal data are adequate, relevant and limited to what is necessary for the purpose of the contract.

1.1.4. Accuracy

The Client shall take reasonable steps to ensure personal data is accurate. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

1.1.5. Data Lifecycle

The Client will specify and provide the Data Retention Policy related to The Contract.
Personal data shall be retained by Loyalty Logistix Limited as specified by The Client’s Data Retention Policy.

1.1.6. Security

Loyalty Logistix Limited will ensure that personal data is stored securely using software from an approved provider. The software shall be a current version which is in support and patched in accordance with the provider’s security recommendations. Access to personal data shall be limited to authorised Loyalty Logistix Limited personnel with a defined requirement for access. Appropriate back-up and disaster recovery solutions shall be in place.

1.1.7. Breach

As Data Processor under the terms of this contract, Loyalty Logistix Limited shall manage any breach or suspected breach which could result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, as follows:

Notify the Loyalty Logistix Limited Data Protection Officer.
Conduct the first line breach investigation and determine:
   a. The nature and scale of the breach.
   b. Personal data affected.
   c. Status in terms of ongoing, stopped, limited.
   d. Actions required to stop the breach.
   e. Immediate and long-term actions to rectify the breach.
   f. Communications required.
Notify the Client of the breach, status and any ongoing actions required.
In the event of a major breach notify the regulatory body and affected customers.

2. Regulatory Compliance

Loyalty Logistix Limited operate in multiple national and international jurisdictions. These Information Assurance and Personal Data Privacy provisions are based on the stringent requirements within the EU GDPR and ISO 27001:2013, and particularly the following provisions.

2.1. Consent

When relying on Consent as the lawful basis of processing, Loyalty Logistix Limited require Explicit Consent with a Positive Opt-in mechanism.
2.1.1. Customer Registration via a Loyalty Logistix App or Personal Web Page (PWP)

The App or PWP shall provide a clear definition of the effect of giving consent with a link to the full terms and conditions. The default state is “opted out” and opting in requires positive action and confirmation.

2.1.2. Customer Consent Data Provided by Data Transfer from the Client

When consent data is provided by The Client in a data transfer of consent and/or personal information, it is the responsibility of The Client to obtain explicit consent, and Loyalty Logistix Limited will rely on that explicit consent.

2.2. Accuracy and Changes to Personal Information

Where possible, Loyalty Logistix Limited will allow the end customer to check and correct their own personal information, including items such as address and car ownership. When that is not appropriate The Client will be responsible for validating the request and Loyalty Logistix Limited will then action the change as instructed by The Client.

2.3. Right to be Forgotten

This right is intrinsic to the GDPR approach and Loyalty Logistix Limited will undertake reasonable steps to comply. The Client will be responsible for validating a request from an End Customer based on the right to be forgotten. Loyalty Logistix Limited will then action the change as instructed by The Client.

2.4. Cookies

Loyalty Logistix Limited will implement cookie management when developing PWPs for The Client. The GDPR requires that cookies are treated as personal information, and so must be subject to the same level of consent as other items of personal information.

3. Car and Vehicle Sales Sector Specific Requirements

3.1. White Listing and Reputation

Loyalty Logistix Limited and its third-party suppliers implement a white listing process which is designed to protect the reputation of The Client and Loyalty Logistix Limited.
Suppression list

Major mailbox providers such as Gmail, Hotmail, AOL, and others calculate and manage reputations for IP addresses and domains. Factors used in determining reputation are invalid address delivery attempts and complaints from end-recipients. To maximise and protect The Client’s reputation we suppress attempts to deliver to bad addresses or to users that have previously complained. Loyalty Logistix Limited and its suppliers will maintain a Suppression List for your account and use it to minimise failed delivery attempts. This will help maintain reputation and increase inbox delivery rates. It will minimise the chances of Grey Listing or Blacklisting by mailbox providers.

Sender Reputation

Sender reputation is the process used by major email providers to rate an IP address based on its sending history. This is usually determined by the bounce rate, the number of spam trap hits, user complaints, and the volume of outbound mail.

3.2. Vehicle Unbinding

Loyalty Logistix Limited will provide the ability for an End Customer to remove an association with an owned vehicle from their Personal Account. This is also known as unbinding, and typically occurs when the vehicle ownership changes. As the owner of the data and the only party with original knowledge of the change of ownership, it is the End Customer’s responsibility to action the unbinding. Loyalty Logistix Limited will action a change intervention only in exceptional circumstances and based on clear instruction from The Client with the lawful reason stated.