The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data.
It requires that all personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific and legitimate purposes
- Accurate and kept up to date, and erased when not up to date
- Not stored for any longer than necessary
- Processed in a manner that ensures appropriate security against personal data
In order to undertake the services highlighted above it is necessary for Whitelane to process personal data belonging, but not limited, to clients, prospective clients, and strategic partners. Business related data is not applicable under GDPR – which has the intention of protecting personal data.
Personal Data which we hold about you
Under GDPR, usually Whitelane will only ever process necessary personal data, which is limited to first name, last name, company email address, function title, and company telephone number. No sensitive personal data will be collected or processed in any way.
Purposes for Storing and Processing Data
We will process personal data for the purposes of:
- To perform our obligations under any potential contract of engagement with Whitelane;
- To invite you to participate in one of our research studies;
- To invite you to attend one of our events;
- To send you market or industry intelligence reports.
Lawful basis for storing and processing data
Under the EU General Data Protection Regulation (GDPR) there are six lawful basis for processing personal data. These are detailed as follows:
- Consent – The individual has given clear consent for you to process their personal data for a specific purpose
- Contract – The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal Obligation –The processing is necessary for you to comply with the law (not including contractual obligations).
- Vital Interests – The processing is necessary to protect someone’s life.
- Public Task – The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate Interests – The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
The information relating to the six lawful basis for processing personal data is taken from the ICO website and the GDPR regulation documentation. Further information regarding the lawful basis for processing personal data can be found at ico.org.uk.
Other than employees, Whitelane stores personal data for the following types of individuals or businesses:
- Prospective clients
- Strategic partners
For individuals and businesses we will use the “Legitimate Interest” lawful basis for the ability to store and process personal data. The rationale for such a decision is detailed below:
- Whitelane has carried out a Legitimate Interest Assessment (LIA) as advised by the ICO
- Storing personal data is necessary for the legitimate interests of Whitelane or a third party under contract with Whitelane, balanced with the interests and fundamental rights and freedoms of the individuals
- The interest for Whitelane is that we have to store our clients’ personal data in order to provide the services to those clients
- For all prospective clients, the prospects database may have been built up over many years and is crucial to the success or failure of our business and it is therefore in our legitimate interest to store and process this personal data
- For suppliers and other individuals it is in the interest of those suppliers and other individuals for us to provide market intelligence in the form of research and events as we believe it provides valuable market and industry information
Legitimate Interest Assessment
Whitelane has carried out a Legitimate Interest Assessment (LIA) as advised by the ICO. Based upon that assessment it is deemed that the rights and freedoms of the data subjects would not be overridden in our processing of the personal data and that in no way would a data subject be caused harm by the data processing carried out by Whitelane. It is deemed that any processing of data will be limited to business matters, and therefore any risk of personal compromise is extremely unlikely. It is also deemed that sending out research and event requests are necessary in the context of keeping our clients and prospective clients informed about our services and to generate business sales.
As a result, Whitelane will rely on the Legitimate Interest lawful basis for storing and processing personal data on behalf of all individuals and businesses. Per the ICO guidance, Whitelane can confirm:
- We have checked that legitimate interests is the most appropriate basis
- We understand our responsibility to protect the individual’s interests
- We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision
- We have identified the relevant legitimate interests
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
- We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests
- We only use individuals’ data in ways they would reasonably expect
- We are not using people’s data in ways they would find intrusive or which could cause them harm
- We do not process the data of children
- We have considered safeguards to reduce the impact where possible
- We will always ensure there is an opt-out / ability to object
- Our LIA did not identify a significant privacy impact, and therefore we do not require a DPIA
- We keep our LIA under review every six months, and will repeat it if circumstances change
- We include information about our legitimate interests in our privacy notice
We collect and process personal data in the following ways:
- Directly via individuals who want to participate in our research and/or events.
- Whitelane has an EU-based in-house team who gather data relating to business from publicly available information, using search engines and online social media platforms used for professional purposes that are in the public domain (such as Linked In, Twitter and Facebook). The data we collect from these platforms includes name, job titles, contact information (i.e. company’s email address).
- Whitelane on occasion purchases data from selected third party data vendors with key segmentation criteria to ensure that only decision makers from registered businesses are procured. All third party data vendors have been checked for GDPR compliance and to ensure the validity and accuracy of data.
How we Ensure Data Validity
Whitelane ensure the validity of the personal data contained within their client management software. The team continually cleanse the data, completing a full cleanse cycle of both business and personal data at least once every 12 months. Any records found to be out of date are placed into a deletion queue which is securely purged four times in a 12 month period. Whitelane takes data cleansing extremely seriously.
Whitelane will store the personal data for a period of five years after our last meaningful contact with you. We retain your personal information for that period so that we can show, in the event of an audit or legal claim, that we have conducted our research studies in a fair, objective and transparent way. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Sharing personal data with third parties
It is sometimes necessary for Whitelane to outsource certain services to third party providers. As a result, personal data will be passed to these third party providers by Whitelane. Whitelane will only pass personal data to a third party provider when there is an agreement in place between Whitelane and that third party provider, which addresses GDPR compliance by both parties.
Request to Object
Any individual has the right to object to receiving correspondence from Whitelane. Individuals can unsubscribe by sending us an email to firstname.lastname@example.org with “Unsubscribe” in the subject title. All requests will be processed within 30 days. Please note that this applies only to the processing of your personally identifiable data, not that of the business data which does not fall under the remit of GDPR.
Request for Deletion
Any individual has the right for their personal data to be deleted by Whitelane. If you request deletion, we will remove any data we hold about you from our client management software. We will process your request within 30 days. Please make your request in writing by emailing: email@example.com
Request for Data Held
You may request that we send you all of the data we hold that relates to you. Please make your request in writing by emailing: firstname.lastname@example.org
We will process and respond to your request within 30 days and this service will be free of charge.
This policy was last reviewed and updated on the 24th of May 2018. Policies are periodically reviewed to ensure compliance with the current compliance environment.
Whitelane are not liable for any damages arising in contract, tort or otherwise from the use of or inability to use this site or any material contained in it, or from any action or decision taken because of using the site.
The materials on this site comprise the company’s views; they do not constitute legal or other professional advice. You should consult your professional adviser for legal or other advice.
This site offers links to other sites thereby enabling you to leave this site and go directly to the linked site. This company is not responsible for the content of any linked site or any link in a linked site. This company is not responsible for any transmission received from any linked site. The links are provided to assist visitors to this company site and the inclusion of a link does not imply that this company has approved the linked site.