The UK’s data protection framework is changing on 25th May 2018, when the existing Data
Protection Act 1998 will be replaced with the European Union General Data Protection
Regulation (“GDPR”) (2016/679). Whilst the UK will soon be leaving the EU, the
replacement data protection legislation being progressed through Parliament is very
closely aligned to the requirements of GDPR.
Simplelists.com (“Simplelists”) provides email list hosting services to its customers,
and as such is responsible for the secure and compliant processing of personal data
relating to our customers, as well as the protection of our customers’ information (which
may include personal data) whilst it is being processed by one of our systems. This GDPR
statement has been prepared to provide key information about these various personal data
processing activities to our customers.
Data Protection by Design and Default
Article 25 of GDPR requires that data processing activities (e.g. the Simplelists
software solution) provide data protection by design and default. Simplelists has
achieved this requirement by ensuring that its application has been designed in
accordance with industry best practice, using trusted technologies, and has been subject
to penetration testing to ensure that vulnerabilities are being properly managed, and
configurations remain effective.
Simplelists utilises resilient UK data centres which are subject to formal ISO27001
certification. Unless we have entered into a specific agreement with a customer to host
their instance of Simplelists in a non-UK country, we commit that all personal data
processing is undertaken within the United Kingdom, under the prevailing UK data
Article 35 of GDPR requires that formal Data Protection Impact Assessments (“DPIA”) are
undertaken by organisations where processing is likely to result in a “high risk to the
rights and freedoms of natural persons”. Simplelists has assessed that there are no high
risks to individuals who may purchase or use our software solution.
Legal Basis for Personal Data Processing
Article 6 of GDPR requires that a lawful basis be identified for each data processing
activity. Simplelists relies on “legitimate interests” as the basis for the secure
processing and storage of its customer data in order to deliver the Simplelists software
solution to them. This includes the communication of information related to our solution
or similar matters. We occasionally communicate with non-customers and will only do so on
the basis of the “explicit consent” which the data subject has given us, either through a
positive confirmation on a web form, or through the communication preferences they have
shared from social media channels. We provide clear methods for data subjects to withdraw
or vary their consent if they wish to do so.
Customer Documented Processing Instructions
Article 28 of GDPR requires that our customers should formally communicate their data
processing requirements to Simplelists (as their data processor). In the event that a
customer does not provide such written instructions to Simplelists (a) this omission
does not remove their obligation to do so, and (b) Simplelists will deliver the software
solutions in accordance with its published service definitions and other related
Data Controller and Data Processor
Simplelists acts as:
- Data Controller (as per GDPR Article 24) for (i) the personal data relating directly
to its customers and necessary for the management, provision and operation of its
software solution, and (ii) the personal data it processes for its own employee
management purposes; or
- Data Processor (as per GDPR Article 28) in respect of the personal data which may be
loaded into the Simplelists software solution by its customers.
Each customer is responsible for ensuring that they have an appropriate legal basis for
processing personal data within a Simplelists software solution and will fully indemnify
Simplelists in the event of any claim of any sort being brought for not having a valid
Children’s Personal Data
The Simplelists software solution is not directed towards children under the age of 13.
If you learn that a child under the age of 13 has provided their personal information to
us without parental consent, please contact us immediately so that we can take
appropriate action. In accordance with Section 5 above, should a Simplelists customer
choose to upload children’s personal data into their deployment of the Simplelists
software solution, they will be required to evidence that they have a valid legal basis
for doing so.
Sensitive Personal Data
Article 9 of GDPR specifies a set of personal data categories which are considered to be
“sensitive” (special categories of personal data), and which require special consideration
by Data Controllers. The software solutions provided by Simplelists do not knowingly
collect or process any sensitive personal data. In accordance with Section 5 above, should
a Simplelists customer choose to upload sensitive personal data into their deployment of
the Simplelists software solution, they will be required to evidence that they have a
valid legal basis for
Data Subject Rights
Articles 15-21 of GDPR provide data subjects with several rights in relation to their
personal data, including:
- Right of access by the data subject (Art.15)
- Right to rectification (Art.16,19)
- Right to erasure (Art.17,19)
- Right to restriction of processing (Art.18)
- Right to data portability (Art.20)
- Right to object to processing (Art.21)
Where Simplelists is acting as Data Controller (see 4(a) above), it will receive,
validate, record, progress and respond to any such data subject requests received.
Where Simplelists is acting as Data Processor (see 4(b) above), it will advise the
applicant of the customer’s contact details that should be used to make their request,
since the customer is the Data Controller for that data. As a responsible Data Processor,
Simplelists will assist its customers with complying with
Should a data subject decide to exercise their rights, they should contact Simplelists as
Declaration of Sub-Processors
Simplelists confirms its use of:
- Secure UK data centres with ISO27001 certification. Being UK-based, they are subject
to prevailing UK data protection legislation. In accordance with our security
operating protocols, details of the providers and locations are only made available
upon specific request to Simplelists.
- Worldpay UK, for the purposes of invoicing and receiving payments from customers for
our software solution, which is based in the UK and therefore falls under the
requirements of the EU General Data Protection Regulation.
- Ctrl O Ltd, for the provision of specialist technical support for our software
solutions, which is based in London, UK and therefore falls under the requirements
of the EU General Data Protection Regulation.
Simplelists confirms that:
- It has undertaken applicable due diligence and validation on each of the declared
sub-processors to ensure that they are aware of, and able to deliver, their applicable
requirements under the EU General Data Protection Regulation.
- It will not vary or replace any of the declared sub-processors without first having
given advance notice to all applicable customers.
Record Keeping & Breach Reporting
Simplelists confirms that it securely retains and manages data which records the use of
our software solutions, including user credentials and IP addresses. Should a customer
require assistance with information contained within our data processing records, please
contact us as below.
We actively monitor our software solutions for unusual activity and issues, which
includes indications of data breaches. In the event of a suspected personal data breach,
Simplelists will notify without undue delay either the affected customer (where we act as
Data Processor) or the ICO (where we act as Data Controller), as per Article 33, and if
acting as Data Controller will also inform affected data subjects where required by
Article 34.
Removal of Personal Data
It remains the customer’s responsibility to remove all personal data prior to terminating
their service provision with Simplelists. Should the customer not do this, then
Simplelists will securely purge their data at the point when the resources are to be
redeployed – but this does not take place instantly, and customers are strongly
recommended to (a) remove their own personal data beforehand, or (b) contact Simplelists
Support if assistance is needed to do this.
All Simplelists personnel are based within the EU and receive regular, formal instruction
in matters relating to information security and data protection. Those with specific
roles relating to the management of risk assessments, data protection impact
assessments, data subject rights and incident management receive more focused training.
Audits and Inspections
Simplelists will submit to audits and inspections, and will provide the Customer (as the
Controller) with whatever information it needs to ensure that we are both meeting our
Article 28 obligations. Simplelists will tell the Controller immediately if it is asked
to do something that would infringe the GDPR or other data protection law of the EU or a member
Security of Web Links
Simplelists software solutions may include hyperlinks to external websites not
controlled by us. Some links may be added by list members by sending emails to lists,
and are then displayed in archives. As such, you are advised to exercise caution before
clicking any external link. We cannot guarantee the ongoing suitability of external
links, nor do we continually verify the safety or security of the content to which they
lead. You are advised, therefore, that your use of external links is at your
own risk and we cannot be responsible for any damages or consequences caused by your use
Simplelists is registered with the Information Commissioner’s Office under the UK Data
Protection Act 1998 – registration number Z9414171 applies.
If a Simplelists customer or data subject believes that Simplelists has not delivered
upon its obligations under GDPR, they have a right to make a complaint to the ICO. The
ICO can be reached by using the contact form on their website.
27 Old Gloucester Street, London, WC1N 3AX