Privacy Policy

Effective May 9, 2022

We take your privacy seriously.

This policy defines how Email Hippo Limited collects, protects and uses any personal information you provide us and includes our use of Cookies.

Please read this Privacy Policy, and any other privacy notice or fair processing notice we may provide on specific occasions, carefully as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export and delete your information. 

This Privacy Policy supplements the other notices and policies and is not intended to override them.

There is a Glossary of terms at the end of this document and links to the glossary within this policy.

If you have any questions please contact our Data Protection Officer at dpo@emailhippo.com.

We may update this policy from time to time so you should ensure you regularly review this policy to ensure you are happy with any changes.

We do not and will not sell your data to third parties.

We will not sell or share, in any way, your information with any organisations outside the Rolosoft group of companies - Rolosoft Limited, Email Hippo Limited and eVerify Limited. All these businesses operate from the same premises using the same systems and procedures.

 

Who we are 

Email Hippo Limited is a company incorporated and registered in England and Wales with company number 09651852, whose registered office is at Lowin House, Tregolls Road, Truro, Cornwall, England, TR1 2NA, United Kingdom. 

Email Hippo Limited is the Controller (registered with the ICO under number  ZA309925) and responsible for your Personal Data under this Privacy Policy. This means we decide why we collect your data, how we collect it, what data is collected, how this data is going to be used and how this data is protected.

 

Our commitment 

We respect your right to privacy and are committed to protecting it and complying with Data Protection Law. We will always keep your Personal Data safe. We will be clear and open with you about why we collect your Personal Data and how we use it. Where you have choices or rights, we will explain them to you and respect your wishes. 

 

How to contact us 

If you have questions about this Privacy Policy or the processing of your Personal Data, please contact our data protection officer by contacting us via email.

 

Our EU representative 

We have appointed IT Governance Europe Ltd to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our representative via email. 

Please ensure you include our company name, Email Hippo, in any correspondence you send to our representative.

 

Personal information we collect 

We may collect, use, store and transfer different kinds of Personal Data about you depending on our relationship with you:

Identity data 

Includes first name, last name, date of birth, title and gender. 

Contact data 

Includes your  work address, home address, social media handle, email address and telephone number(s).

Location data

We may collect your location data from your IP address, address and telephone codes.

Transaction data 

Includes details about payments to and from you, incentive payments and other details of services you have purchased from us. Details of surveys or research you have participated in. 

Technical data 

Includes IP address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our site or our Apps.

Profile data 

Includes your email and password, the services you have used or our Apps, your use of social media functions on our Website or our Apps for authentication, feedback, survey responses and such information as you provide to us.

Usage data

Includes information about how you use our Website or Apps and the services you use.

Candidate data 

Includes information you have provided to us in your curriculum vitae, covering letter and/or application form, including name, title, address, telephone number(s), personal email address, date of birth, gender, employment history, qualifications.

This also includes any information you provide to us during an interview.

Marketing and communications data 

Includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Special Category Personal Data 

Special Category Personal Data is personal data that needs more protection because it is sensitive, and we may collect this type of personal data from you in the course of providing you with our services or during our interactions with you.

Aggregated Data 

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data, which will be used in accordance with this Privacy Policy.

We will not process your Special Category Personal Data in order to aggregate it without a Lawful Basis to do so.

 

How we obtain your Personal Data 

We use different methods to collect data from and about you, including through:

Personal Data provided directly by you 

You may give us your Personal Data by filling in forms, surveys, questionnaires or assessments on our App or Website, by applying to work for or with us, or by corresponding with us by post, phone, email, chat or otherwise. This includes Personal Data you provide when you:

  • Subscribe to our marketing communications;
  • Complete a form, survey or download content;
  • Sign up for an account for our App;
  • Access and use our App;
  • Contact us using any available methods;
  • Apply for a position.

Data we collect when you use our Websites and App 

Each time you interact with our Website or use our App, we will automatically collect Personal Data, including technical data about your device, your browsing actions and patterns, content and usage data. We collect this data using Cookies, server logs and other similar technologies like pixels, tags and other identifiers in order to remember your preferences, to understand how our Website and Apps are used, and to customise our marketing offerings. Please read our Cookie Policy for further details. 

Information we receive from third parties 

We may receive Personal Data about you from various third parties, such as:

  • Analytics providers such as Google;
  • Our payment gateways when you attempt to make a purchase; and
  • Information about our employee candidates from referees, recruitment agencies and social media such as LinkedIn.

Information we receive from public sources 

Identity and contact data from publicly available sources such as the UK Companies House and the electoral register inside the UK and similar appropriate sources for organisations and people based outside the UK.

 

How we use personal information 

General 

We need your Personal Data to conduct our business and provide you with our Apps and services. Most commonly we will use your Personal Data in the following circumstances:

  • Where you have consented before the processing.
  • Where we need to perform a contract, we are about to enter or have entered with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

UK GDPR/EU GDPR Lawful Basis table 

The table below describes the ways we plan to use your Personal Data, and which Lawful Basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

For more information on the Lawful Basis we use to process your data under the UK GDPR and EU GDPR, see our Lawful Basis table  below or by contacting us via email.

Lawful Basis Table 

LAWFUL BASIS 

PURPOSE EXAMPLES

Contractual 

We use your Personal Data on the basis that it is necessary for us to provide our services and products to you. 

When you sell or purchase a service, you are entering into a contract with us.






On boarding 

When you sign up, subscribe or contact us as a prospective customer, existing customer, supplier or employee.

Service delivery 

In order to be able to deliver our services or receive services in physical or digital form.

Account administration 

  • When we administer your account, take, or receive payment, deal with any transaction, respond to your queries, refund requests and complaints. 
  • When we collect and recover money owed to us (usually from clients). 

Relationship management 

To manage our relationship with you, which may include:

  • Notifying you of changes to our terms or Privacy Policy;
  • Notifying you of changes to the Apps or any services processing ;
  • Processing purchase orders; and
  • Asking you to leave a review.

Communication  

To be able to contact you regarding updates or informative communications related to the functionalities, products, or contracted services, including the security updates, when necessary or reasonable for their implementation.

Handling the information, you submit to us enables us to respond effectively. We may also keep a record of these queries to inform any future communications between us and to demonstrate how we communicated with you throughout our contractual relationship.

Legitimate interest

When we rely on this, we will carry out a Legitimate Interests Assessment to ensure we consider and balance any potential impact on you (both positive and negative), and your rights under Data Protection Law. 

Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law. 

 


Managing our business  

We hold Personal Data for our own legitimate business interest. This relates to us managing our business to enable us to give you the best service/products and most secure experience, including when we respond to your queries and complaints, where you are not a client or supplier, or a potential client or supplier.

Provide and maintain Websites and Apps.  

To provide and maintain our Websites, Apps and platforms, including to monitor the usage of these, troubleshooting, data analysis and system testing necessary for our legitimate interests  and  network security.

Recommendations and marketing 

To make recommendations to you about services that may interest you.

To measure and analyse the effectiveness of the advertising we serve you. Ensuring that our marketing is tailored to your interests and to keep our records up to date and to provide you with marketing as allowed by law to develop our products/services and grow our business).

Recruitment of candidates (contractors, employees and providers) 

We will use the personal information we collect about you to assess your skills, qualifications and suitability for the work.

It is in our legitimate interests to decide whether to appoint you to work since it would be beneficial to our business to appoint someone to that work.

Reviews  

When we capture your service reviews, for example when you buy goods and services from us, we may follow it up with an enquiry about your experience of the service to help us gauge customer satisfaction.

Data analytics  

We use data analytics to improve our Website, products/services, marketing, customer relationships and experiences and to provide statistical analysis of website traffic . Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). 

Rights and claims  

To enforce or apply our Website terms of use, our policy terms and conditions, or other contracts.

To exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.

Data subject rights  

Verifying your identity when you exercise your data subject rights.

Fulfilling data subject rights requests.

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise.

Legal obligations 

We may use your Personal Data to comply with laws (for example, if we are required to co-operate with a police investigation after a court order orders us to).



Legal requirement  

The processing is necessary for compliance with legal obligations, such as but not limited to healthcare requirements, security requirements and accounting requirements. 

To comply with applicable law, for example in response to a request from a court or regulatory body, where such request is made in accordance with the law.

Criminal activity  

To detect fraudulent or criminal activity, we may share information with forces such as the police when obliged to do so. 

Consent 

We may have to get your consent to use your Personal Data, such as when we collect and use Special Category Personal Data about you or when we want to send you marketing.

We will get your consent before sending third-party direct marketing communications to you via email or text message or before processing any Personal Data relating to your health.

Wherever consent is the only reason for using your Personal Data, you have the right to change your mind and/or withdraw your consent at any time by clicking the Unsubscribe button at the bottom of an applicable email or by withdrawing your consent here.

Marketing  

  • To measure and analyse the effectiveness of the advertising we serve you. We may collect IP addresses and store Cookies on visitors’ devices. 
  • We may use Cookies for the purposes of  data analytics to improve our Website, products/services, marketing, customer relationships and experiences and to provide statistical analysis of website traffic
  • Sending third-party direct marketing communications to you  via email, letters or phone calls.  

 

Special Category Personal Data 

Reason for processing Special Category Personal Data

Where we are processing your Special Category Personal Data, we must, in addition to the Lawful Basis in the Lawful Basis table, process your Special Category Personal Data because of an additional condition, including You have given us your explicit consent to process that data; You have made the data manifestly public.

The ICO has some useful information here.

 

Using your data for other reasons 

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. 

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the Lawful Basis that allows us to do so.

 

Marketing and advertising 

Using Personal Data for marketing purposes 

We may use your information to provide you with details about services.

Where we are legally required to obtain your consent to provide you with certain marketing materials, we will only provide you with such marketing materials where we have obtained such consent from you.

You can opt out of us using your personal information for marketing purposes by following the unsubscribe link included in each marketing email or by contacting us via email.

 

Disclosing your Personal Data to others 

Your Personal Data safety 

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. 

We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

Who we share Personal Data with

As a general principle, we share data in order to facilitate or improve our services or offers. We will get your express opt-in consent before we share your Personal Data with any third party for marketing purposes.

You can opt out of us using your personal information for marketing purposes by following the unsubscribe link included in each marketing email or by contacting us via email.

We may share your Personal Data with the following organisations that help us manage our business and deliver our products, applications, or services, or where we are legally obliged to share information, including with:

  • Business partners, our employees, contractors, consultants, agents and professional advisors;
  • Insurance providers
  • Third parties carrying out services on our behalf, including billing, sales, marketing agencies, analytics, research, university research, data storage, validation, security, fraud prevention and legal services couriers, IT systems or software providers, IT support service providers, and document and data storage providers;
  • Third-party platforms to manage and deliver customer (prospective and existing) communications, services and billing;
  • Third parties in the event of any merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our assets (including without limitation in connection with any bankruptcy or similar proceedings);
  • Other organisations for the purposes of fraud/crime protection and investigation; 
  • Courts of law and government, regulatory authorities or third parties to the extent required by law, court order or a decision rendered by a competent public authority and for the purpose of law enforcement; or
  • Other third parties subject to your consent.

Sharing your Personal Data overseas 

Please note that we may send personal information outside of the country generally for, but not limited to, reasons relating to processing and storage by our service providers. For example, we may have Cloud storage providers with data storage facilities in the UK, US, Europe or other countries. 

When we do this, we will ensure it has an appropriate level of protection and the transfer is made in line with Data Protection Law. Often, this protection is set out under a contract with the organisation that receives that information. You can find more details of the protection given to your information when it is transferred overseas by contacting us via email.

 

Data security 

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties that have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.

We periodically test the security of our systems to check for vulnerabilities.

Risk 

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Data, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many Information Security Risks that exist and take appropriate steps to safeguard your own information. 

Breaches 

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

 

Third-party websites, plugins and services links to other websites 

You should be aware that information about your use of this website (including your IP address) may be retained by your ISP (Internet Service Provider), the hosting provider and any third party that has access to your Internet traffic.

Our Website and Apps may contain links to third-party websites and plugins, for instance a social media login plugin. If you choose to use these websites, plugins, or services, you may disclose your information to those third parties. 

We are not responsible for the content or practices of those websites, plugins, or services. The collection use and disclosure of your Personal Data will be subject to the privacy notices of these third parties and not this Privacy Policy. We urge you to read the privacy and cookie notices of the relevant third parties.

 

Use by children

Our services are not targeted for use by Minors. Minors must obtain express consent from parents or legal guardians before accessing or providing any Personal Data. If notified by a parent or guardian, or discovered by other means, that a minor under the age of 18 has provided their Personal Data to us without consent, we will delete the minor’s Data that is in our possession.

 

Retention of your Personal Data 

We will keep your Personal Data in line with our data retention policy for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. 

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

Where we store your data

All of your information is stored on secure servers managed by Email Hippo and by the following sub-processors:

ORGANISATION

NATURE

COUNTRY LOCATION(S)

USE

Google LLC

Google Workplace: Email services and document storage

Google Analytics: website visitor statistics

United States and United Kingdom

Email, sales document storage and contract storage

Website visitor analytics

Mailchimp/Mandrill, The Rocket Science Group LLC

Email sender

United States

Customer names and email addresses for automated service notifications.

Lucky Orange LLC

Website and app interactions

United States

Captures anonymised interactions with our website and app. Use to be phased in from November 2022.

HubSpot Ireland Limited, HubSpot, Inc

CRM platform (sales, marketing, and support)

United States

Customer names and email addresses, email marketing, website visitor tracking.

Stripe Inc.

Payments platform

United States 

Customer payment information (if used).

PayPal (Europe) S.a.r.l. et Cie, S.C.A. 

Payments platform

United States 

Customer payment information (if used).

Microsoft Azure, Microsoft Inc.

Cloud hosting services

United Kingdom

Data being processed.

Amazon Web Services Inc.

Cloud hosting services

United Kingdom

DNS services, data being processed.

Digital Ocean LLC 

Cloud hosting services

United Kingdom

Customer names, contact details, data being processed.

Rackspace Limited

Cloud hosting services

United Kingdom

Data being processed.

 

Cookies 

We use Cookies and similar technologies like pixels, tags, and other identifiers to remember your preferences, to understand how our Website and our Apps are used, and to customise our marketing offerings for you.

Further details can be found in our Cookie Policy.

 

Rights of data subjects

You have several rights under Data Protection Law. The rights available to you depend on our reason for processing your information and are set out in the Table of your rights. Information on your rights under Data Protection Law can also be found at For-the-public | ICO.

Table of your rights 

YOUR RIGHT

DETAILS

Right to be informed

We have a legal obligation to provide you with concise, transparent, intelligible, and easily accessible information about your personal information and our use of it. We have written this policy  to do just that, but if you have any questions or require more specific information, you can contact us via email

Right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information. When you request this data, this is known as making a data subject access request (DSAR). In most cases, this will be free of charge; however, in some limited circumstances, for example repeated requests for further copies, we may apply an administration fee. Please contact us via email for more information.

Right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. Please contact us via email for more information.

Right to erasure

You have the right to ask us to erase your personal information in certain circumstances. We have the right to refuse to comply with a request for erasure if we are processing the Personal Data for one of the following reasons:

  • To exercise the right of freedom of expression and information.
  • To comply with a legal obligation.
  • To perform a task in the public interest or exercise official authority.
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes.
  • For the exercise or defence of legal claims.

Please contact us via email for more information.

Right to restriction of processing

You may ask us to stop processing your Personal Data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:

  • The accuracy of the Personal Data is contested.
  • Processing of the Personal Data is unlawful.
  • We no longer need the Personal Data for processing, but the Personal Data is required for part of a legal process.
  • The right to object has been exercised and processing is restricted pending a decision on the status of the processing.

Please contact us via email for more information.

Right to object to processing

You have the right to object to processing in certain circumstances. You can also object if the processing is for a task carried out in the public interest, the exercise of official authority vested in you, or your legitimate interests (or those of a third party.

Please contact us via email for more information.

Right to data portability 

This right only applies if we are processing information based on your consent or for the performance of a contract and the processing is automated.

Please contact us via email for more information.

 

How to exercise your rights 

In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you.  

To exercise your rights or get more information about exercising them, please contact us via email, giving us enough information to identify you.

 

How you can complain to or about us 

We hope that we can resolve any query or concern you raise about our use of your information. Please contact us via email including your first name, last name and title your email “Complaint”. All complaints will be treated in a confidential manner, and we will try our best to deal with your concerns.

You have the right to lodge a complaint with a supervisory authority in the EEA member state where you work or normally live, or where any alleged infringement of Data Protection Law occurred

The supervisory authority in the UK is the ICO, which may be contacted at Concerns | ICO or by telephone on 0303 123 1113. 

 

Glossary 

Aggregated Data

means data that can be compiled from numeric or non-numeric data. 

The data is collected and summarised for the purpose of statistical analysis or reporting. It is limited to recognising general trends due to the non-specific nature of the information.

It could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.

Anonymisation

means a type of information sanitisation whose intent is privacy protection. It is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

In order to be truly anonymised under the UK GDPR and EU GDPR, the personal data must be stripped of sufficient elements that mean the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will have merely been pseudonymised and subject to data protection law.

For more information from the ICO read what is personal data

App(s)

means an application that is a computer program or piece of software designed for a particular purpose - for example our customer web application which provides you access to and administration of the services we provide to you (app.emailhppo.com) 

Consent

means a type of information sanitisation whose intent is privacy protection. It is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.The UK GDPR and EU GDPR. sets a high standard for consent , consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

What are the GDPR consent requirements? - GDPR.eu
Consent | ICO
Art. 7 GDPR - Conditions for consent - GDPR.eu
Recital 43 - Freely given consent - GDPR.eu

Controller

means the natural or legal person, public authority, agency or any other entity or person who alone or jointly with others determines the purposes and means of the processing of personal data.

Cookies

means a small file of letters and numbers that is stored on a browser or the hard drive of a computer.  Cookies contain information that is transferred to a computer’s hard drive.

Controllers must have users’ informed consent before storing cookies on a user’s device and/or tracking them.

For more information, please read our cookie policy.

The ICO provides information about cookies Cookies | ICO.

DPA 2018 

UK Data Protection Act 2018

Data Protection Act 2018 (legislation.gov.uk)

Data Protection Law

means all applicable data protection and privacy legislation in force from time to time including the UK GDPR and the EU GDPR, the Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended, and any other legislation relating to personal data and all other legislation and regulatory requirements in force from time to time that apply to the use of personal data.

Encryption

is the process that scrambles readable text so it can only be read by the person who has the secret code, or decryption key. It helps provide data security for sensitive information. 

For more information see the Encryption | ICO and the GDPR's requirements for encryption.

EU Representative

the GDPR requires organisations not established in the EU to appoint a representative in an EU member state (or the EEA), if (i) it is apparent that the organisation intends to offer goods or services to individuals in the EU or (ii) it monitors the behaviour of individuals in the EU (or the EEA).

For more information see the ICO information European Representatives | ICO

EU GDPR

means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the Directive. 

General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)

ICO

means the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. 

ICO

Information Security Risks

comprises the impacts on individuals or organisations that could occur due to the threats and vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate.

Security | ICO
Art. 32 GDPR - Security of processing - GDPR.eu

Lawful Basis

under the EU GDPR and the UK GDPR, you must have a valid lawful basis to process personal data.

Lawful Basis of processing personal data 

There are six lawful bases for processing personal data available:

(a) Consent: the individual has given clear consent to the processing of their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract, or because specific steps have been taken before entering into a contract.

(c) Legal obligation: the processing is necessary for compliance with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests. (This cannot apply if an organisation is a public authority processing data to perform its official tasks.)

For more information 

Lawful basis for processing | ICO

Art. 6 GDPR – Lawfulness of processing 

GDPR: lawful bases for processing, with examples - IT Governance UK Blog

Special category data 

Special category data is personal data that needs more protection because it is sensitive.

In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR  and EU GDPR and a separate condition for processing under Article 9. These do not have to be linked.

Legitimate Interests Assessment (LIA)

is a form of risk assessment and should be conducted by an organisation when your personal data processing is based on legitimate interest. The LIA is split into three steps:

  • Assessing whether a legitimate interest exists.
  • Establishing the necessity for processing.
  • Performing the balancing test.

Legitimate interest assessment (LIA) | ICO

Net Promoter Score (NPS)

is a rating tool. The main purpose of the Net Promoter Score (NPS) question is to calculate a score so we can determine the level of customer loyalty and satisfaction to our business.

Personal Data 

this is also referred to as “personal information” and it means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Personal data breaches | ICO
Art. 33 GDPR - Notification of a personal data breach to the supervisory authority - GDPR.eu

Privacy Policy

(also sometimes called a privacy notice or fair processing notice) is a public document from an organisation that explains how that organisation processes personal data and how it applies data protection principles under Articles 12, 13 and 14 of the EU GDPR and the UK GDPR.

Special Category Personal Data

some of the personal data that organisations process is more sensitive and needs higher protection. Under the GDPR, this is known as ‘special categories of personal data, and includes information about a person’s:

  • Race
  • Ethnicity
  • Political views
  • Religion, spiritual or philosophical beliefs
  • Biometric data for ID purposes
  • Health data
  • Sex life data
  • Sexual orientation
  • Genetic data

In order to lawfully process special category personal data, we must identify both a lawful basis under Article 6 of the UK GDPR and EU GDPR and a separate condition for processing under Article 9. These do not have to be linked.

There are ten conditions for processing special category data in Article 9 of the UK GDPR.

Five of these require us to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018.

Special Category Personal Data Conditions for Processing 

the conditions for processing special category data:

Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)


Art. 9 GDPR - Processing of special categories of personal data - GDPR.eu
Special category data | ICO
GDPR | Personal Data vs Sensitive Data: What's the Difference? (itgovernance.co.uk)

Supervisory Authorities

means the data protection authority tasked with supervising GDPR compliance in each member state of the European Union.

What are Data Protection Authorities (DPAs)? | European Commission (europa.eu)

UK GDPR

means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the DPA 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and other data protection or privacy legislation in force from time to time in the United Kingdom. 

The UK GDPR | ICO

Website

websites on the emailhippo.com domain e.g. www.emailhippo.com