The UK’s data protection framework is changing on 25th May 2018, when the existing Data Protection Act 1998 will be replaced with the European Union General Data Protection Regulation (“GDPR”) (2016/679). Whilst the UK will soon be leaving the EU, the replacement data protection legislation being progressed through Parliament is very closely aligned to the requirements of GDPR.
Simplelists.com (“Simplelists”) provides email list hosting services to its customers, and as such is responsible for the secure and compliant processing of personal data related to our customers, as well as the protection of our customers’ information (which may include personal data) whilst it is being processed by one of our systems. This GDPR statement has been prepared to provide key information about these various personal data processing activities to our customers.
Data Protection by Design and Default
Article 25 of GDPR requires that data processing activities (e.g. the Simplelists software solution) provide data protection by design and default. Simplelists has achieved this requirement by ensuring that its application has been designed in accordance with industry best practice, using trusted technologies, and has been subject to penetration testing to ensure that vulnerabilities are being properly managed, and configurations remain effective.
Simplelists utilises resilient UK data centres which are subject to formal ISO27001 certification. Unless we have entered into a specific agreement with a customer to host their instance of Simplelists in a non-UK country, we commit that all personal data processing is undertaken within the United Kingdom, under the prevailing UK data protection framework.
Article 35 of GDPR requires that formal Data Protection Impact Assessments (“DPIA”) are undertaken by organisations where there is a “high risk to the rights or freedoms of natural persons”. Simplelists has assessed that there are no high risks to individuals who may purchase or use our software solution.
Legal Basis for Personal Data Processing
Article 6 of GDPR requires that the lawful basis for data processing be identified. Simplelists uses “legitimate interests” as the basis for the secure processing and storage of its customer data in order to deliver the Simplelists software solution to them. This includes the communication of information related to our solution or similar matters. We occasionally communicate with non-customers and will only do so based upon the “explicit consent” which we have been provided with by the data subject, either through a positive confirmation on a web form, or by their communication preferences shared from social media channels. We provide clear methods for data subjects to remove or vary their consent if they wish to do so.
Customer Documented Processing Instructions
Article 28 of GDPR requires that our customers should formally communicate their data processing requirements to Simplelists (as their data processor). In the event that a customer does not provide such written instructions to Simplelists (a) this omission does not remove their obligation to do so, and (b) Simplelists will deliver the software solutions in accordance with its published service definitions and other related materials.
Data Controller and Data Processor
Simplelists acts as:
- Data Controller (as per GDPR Article 24) (i) for the personal data relating directly to its customers and necessary for the management, provision and operation of its software solution, and (ii) for its own employee management purposes; or
- Data Processor (as per GDPR Article 28) in respect of the personal data which may be loaded into the Simplelists software solutions by its customers.
Each customer is responsible for ensuring that they have an appropriate legal basis for processing personal data within a Simplelists software solution and will fully indemnify Simplelists in the event of any claim of any sort being brought for not having a valid basis.
Children’s Personal Data
The Simplelists software solution is not directed towards children under the age of 13. If you learn that a child under the age of 13 has provided their personal information to us without having parental consent, please contact us immediately so that we can take appropriate action. In accordance with Section 5 above, should a Simplelists customer choose to upload children’s personal data into their deployment of a Simplelists software solution, then they will be required to evidence that they have a valid legal basis for doing so.
Sensitive Personal Data
Article 9 of GDPR specifies a set of personal data categories which are considered to be “sensitive”, and which require special consideration by Data Controllers. The software solutions provided by Simplelists do not knowingly collect or process any sensitive personal data. In accordance with Section 5 above, should a Simplelists customer choose to upload sensitive personal data into their deployment of the Simplelists software solution, then they will be required to evidence that they have a valid legal basis for doing so.
Data Subject Rights
Articles 16-21 of GDPR provide data subjects with several rights in relation to their personal data, including:
- Right of access by the data subject (Art.15)
- Right to rectification (Art.16,19)
- Right to erasure (Art.17,19)
- Right to restriction of processing (Art.18)
- Right to data portability (Art.20)
- Right to object to processing (Art.21)
Where Simplelists is acting as Data Controller (see 4(a) above), then it will receive, validate, record, progress and respond to any such data subject requests received.
Where Simplelists is acting as Data Processor (see 4(b) above), it will advise the applicant of the customer’s details that should be used to make their request. As a responsible Data Processor, Simplelists will assist its customers with complying with valid requests.
Should a data subject decide to exercise their rights, they should contact Simplelists as below.
Declaration of Sub-Processors
Simplelists confirms its use of:
- Secure UK data centres with ISO27001 certification. Being UK-based, they are subject to prevailing UK data protection legislation. In accordance with our security operating protocols, details of the providers and locations are only made available upon specific request to Simplelists.
- Worldpay UK, for the purposes of invoicing and receiving payments from customers for our software solution, which is based in the UK and therefore falls under the requirements of the EU General Data Protection Regulation.
- Ctrl O Ltd, for the provision of specialist technical support for our software solutions, which is based in London, UK and therefore falls under the requirements of the EU General Data Protection Regulation.
Simplelists confirms that:
- It has undertaken applicable due diligence and validation on each of the declared sub-processors to ensure that they are aware of and able to deliver their applicable requirements under the EU General Data Protection Regulation.
- It will not vary or replace any of the declared sub-processors without having first given advance notice to all applicable customers.
Record Keeping & Breach Reporting
Simplelists confirms that it securely retains and manages data which records the use of our software solutions, including user credentials and IP addresses. Should a customer require assistance with information contained within our data processing records, please contact us as below.
We actively monitor our software solutions for unusual activities and issues, which includes indications of data breaches. Simplelists will promptly act to notify either the customer or the ICO (as applicable to our role) in the event of a data breach being suspected (as per Article 33), and if acting as Data Controller will also inform affected data subjects (as per Article 34).
Removal of Personal Data
It remains the customer’s responsibility to remove all personal data prior to terminating their service provision with Simplelists. Should the customer not do this, then Simplelists will securely purge their data at the point when the resources are to be redeployed – but this does not take place instantly and customers are strongly recommended to (a) remove their own personal data beforehand, or (b) contact Simplelists Support if assistance is needed to do this.
All Simplelists personnel are based within the EU and receive regular, formal instruction in matters relating to information security and data protection. Those with specific roles relating to the management of risk assessments, data protection impact assessments, data subject rights and incident management receive more focused training.
Audits and Inspections
Simplelists will submit to audits and inspections, and provide the Customer (as the Controller) with whatever information it needs to ensure that we are both meeting our Article 28 obligations. Simplelists will tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
Security of Web Links
Simplelists software solutions may include relevant hyperlinks to external websites not controlled by us. Some links may be added by list members by sending emails to lists and being displayed in archives. As such, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be provided to you. You are advised, therefore, that your use of external links is at your own risk and we cannot be responsible for any damages or consequences caused by your use of them.
Simplelists is registered with the Information Commissioner’s Office under the UK Data Protection Act 1998 – registration number Z9414171 applies.
If a Simplelists customer or data subject believes that Simplelists has not delivered upon its obligations under GDPR, they have a right to make a complaint to the ICO. They can be reached by using the contact form on their website.
BCM 6673, London, WC1N 3AX