Royal Mail Data Processing Agreement
“We also have policies in place whereby we must approve copying and advertising of the campaign to ensure that these are appropriate moving offers, and we have also added specific opt-outs for all campaigns run with our data, where the person can unsubscribe from both the Royal Mail shipment and the individual brand. Royal Mail Data Services conducted a legitimate interest review to understand whether this could justify its use of the data in this way, and then turned to the Information Commissioner`s Office (ICO) for advice. “We have modified our fair treatment notice to ensure greater granularity and transparency in the transfer of data to the individual as they go through the redirect service,” Conning explains. The only coherent counter-argument against my theory that I have come across is that the Royal Mail does not really process the data. It remains sealed in an envelope or package while it is in their hands, and they do nothing but take it from one place to another. Delivery companies may be different from those that, for example, destroy information, as Section 1 of the DPA states that “processing” also includes “destruction.” There is no doubt that the man who shreds your paper or gets rid of your hard drives is a data processor because of this word. This argument indicates that none of the conditions in Section 1 cover the delivery of a sealed envelope – but it is the argument that the delivery of a letter is not “withholding”, “transmitting” or “distributing” on behalf of the data controller. I think it`s nonsense because I believe the Royal Mail does all three. The GDPR is one of the world`s strictest data protection regulations that govern what organizations can do with personal data. With eleven chapters and 99 pages, the legal text of the GDPR law is not easy to read. Those planning to have a vat of tea and a packet of cookies that are ready to settle in for a reading can find the text here, but it might be easier to call one of our team members with specific questions. Mosaic/Accord profile data: Using existing customer data, you can create a mosaic image of your ideal demographic that can be used to purchase new lead data. If you do this through a reputable data provider, you will be assured that the data complies with the GDPR.
“One of the ways in which this form of data processing could be carried out legally is the `legitimate interests` clause of the GDPR. This can justify direct marketing campaigns where consumers` data is used in a way they expect and that has minimal impact on privacy. “What about clause 6.6 of the “Agreement” between Poster and RM (which is in writing): “You and we agree to comply with the provisions and obligations of the Data Protection Act 1998 and the data protection principles set out in that Act when processing personal data (as defined in this Act) and to indemnify each other for any loss or damage caused by a breach of this clause 6.6. Certainly indicates that RM considers itself a processor. The P7 contract does not need to be signed, but only proven in writing. The difficult question seems to me to be whether the GTCU really require RM “only on the instructions of the controller”. It is possible to construct an argument that they do, that is, when I post a first-class letter, RM must deliver it according to the postal scheme. Unfortunately, the terms of the contract raise issues, such as: “. We may choose not to collect, process or deliver items if we deem it impractical or inappropriate to do so. This would require HMMS to identify each data controller, which the service could not achieve, Jim Conning, managing director of Royal Mail Data Services, told Computerworld UK.
Partially addressed email: We`ve covered this above, but as a fully GDPR-compliant way to extend the reach of your campaign, it deserves a second mention. PAM enables targeted mail marketing without the use of personal data. Instead of the recipient`s name, replacements such as “Occupant” or “Rated Customer” are used, with Royal Mail numbers showing a reach of up to 30% more households than a cold list shipment. So we made it much more transferable and we made it much easier for the individual and that`s why we put it at risk. I would never say it`s risk-free and brands need to make their own legitimate interest assessments, but we`ve minimized the risk of using our data and remembered that our data is already as low risk as possible because we don`t aggregate or aggregate the third-party data of the person who can unsubscribe at any time. Last October, third-sector adoption agency Norwood Ravenswood was fined £70,000 after one of its employees left a package of sensitive documents in a hidden area of a potential adopter`s home just so the information was lost before the adopters returned home. It makes no sense to me that Royal Mail wouldn`t be a data processor in this scenario if they had hired Royal Mail to deliver the package for them. I don`t think data protection law provides for a role for an “unspecified harmless intermediary” – in any situation involving personal data, you are definitely a processor or controller. Another way to stay GDPR compliant while sending direct mail is to use partially addressed mail (PAM). We use your existing customer data to create a demographic match that allows you to target more customers without violating the GDPR. Partially addressed emails have an open rate of 88% and an action rate of 26%. With an average “shelf life” of 7.2 days at home, PAM exceeds the average lifespan of marketing emails by 2 seconds, without the nagging worries of the GDPR.
For the same reason, door drops are also GDPR compliant, as they do not target people who use personal data, but focus on specific zip code areas. Of course, if you`ve come this far and are determined to argue that Royal Mail can`t be a data processor because that would mean that any non-domestic user of its services would have to have them sign a contract, then I believe the only rational alternative is that Royal Mail somehow has to be a data controller after all. .