**Last updated:** March 2022
**Next review date:** May 2023
**The scope and purpose of this Policy**
This Policy sets out the approach of Yoursavingsfiesta LLC, of 948 NE 26th Ave, Pompano Beach FL 33062 USA (the **Company**) to compliance with its legal obligations under the Data Protection Act 1998, the EU General Data Protection Regulation 2016/679 (the **GDPR**), the Data Protection Act 2018, the Data Protection (Charges and Information) Regulations 2018 and the Privacy and Electronic (EC Directive) Regulations 2003 (as amended or replaced from time to time) and any other applicable data protection legislation (together the **Data Protection Legislation**). This Policy also takes account of the relevant guidance published by the Information Commissioner's Office (the **ICO**), the data protection regulator for England and Wales.
The Company takes the protection of individuals' personal data seriously and has developed its practices and policies with regard to the data protection principles set out in the Data Protection Legislation.
The Company in some circumstances acts as a data controller for the purposes of the Data Protection Legislation and has notified the ICO in this regard. The Company's registration number on the ICO Register of Data Controllers is ZA036195. A copy of the Company's entry on the register can be viewed online via <https://ico.org.uk/esdwebpages/search> or at Appendix 1 to this Policy.
The Company has a nominated Data Protection Officer (the **DPO**). The DPO is responsible for oversight of data protection within the Company, including this Policy and the procedures developed under or in relation to it. The DPO can be contacted in relation to any queries under this Policy via the following contact details: firstname.lastname@example.org.
**Key terms and definitions**
**Consent**: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Explicit consent is needed for processing special categories of personal data.
**Data controller**: An individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
**Data processor**: An individual or organisation that processes personal data on behalf of a controller.
**Data subject**: Includes all living individuals about whom the Company holds personal data. A data subject need not be a UK national or resident. All data subjects who use our services in the European Union have legal rights in relation to their personal data.
**Data Protection Officer (DPO)**: The person responsible for overseeing the Company's approach to compliance with the Data Protection Legislation.
**ICO**: The Information Commissioner's Office, which is the regulatory body responsible for implementing and overseeing the Data Protection Legislation.
**Notification**: Notifying the ICO about the data processing activities of the Company such that the Company is registered as a data controller and appears on the ICO's public register.
**Personal data**: Information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data can be factual or it can be an opinion about that person, their actions and/or their behaviour which identifies them either directly or indirectly.
**Processing**: In relation to information or data, processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
**Special categories of personal data**
Personal data that relates to a living individual's:
- racial or ethnic origin;
- political opinions;
- religion or similar beliefs;
- trade union membership;
- physical or mental health;
- sexual life;
- genetic data;
- biometric data; and
- criminal record or proceedings.
**The Company's business and data collection**
The Company develops, owns, or has the rights to certain technology relating to the distribution of commercial email and engages in commercial advertising and marketing activities directed at consumers via email. Consumers may sign up to receive marketing information from the Company via one of the Company's websites or through the Company's third party marketing partners.
In the course of its business activities the Company collects and uses certain types of information about:
- its employees, and the employees of its agents, associates and advertising partners;
- the individuals who come into contact with the Company via its websites, or otherwise;
- service users who subscribe to receive information directly from the Company; and,
- individuals who have subscribed to receive marketing materials from the Company via the Company's third party marketing partners.
This personal information must be collected and dealt with appropriately whether it is collected on paper, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the Data Protection Legislation.
As the data controller, the Company determines the purposes for which this data is collected, stored, processed and deleted.
The Company's business involves the processing of personal data in order to engage in the direct marketing of data subjects. Commonly (but not exclusively) the Company may obtain personal data for such purposes from its third party marketing partners and rely on the consent that data subjects supply to such entities.
The Company undertakes the following actions to assess and ensure the validity of consent given by data subjects to its third party marketing partners to receive direct electronic marketing from the Company:
- undertakes due diligence on its third party marketing partners and any databases containing personal data that they may supply to the Company;
- ensures that there are adequate contractual protections in place (including warranties) to oblige its third party marketing partners to obtain consent in a compliant way, including an obligation to maintain and make available records of when consent was obtained from a data subject and on what terms; and
- requires its third party marketing partners to provide it with real time access to their suppression data.
The Company has dedicated procedures in place for checking whether consent is specific enough for any marketing that the Company proposes to send to data subjects as well as whether such consent is/remains valid. In particular the Company will undertake due diligence upon its third party marketing partners' compliance before entering into agreements with them and will undertake ongoing monitoring of the same after entering into any such agreements.
**The data protection principles**
The Company regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. To this end, the Company will adhere to the principles relating to processing of personal data as detailed in Article 5 of the GDPR.
The principles require that personal information shall:
- be processed fairly and lawfully and in a transparent manner and, in particular, shall not be processed unless specific conditions are met;
- be collected for specified, explicit and legitimate purposes, and shall not be processed in any manner incompatible with those purposes;
- be adequate, relevant and not excessive in relation to the purposes for which they are processed;
- be accurate and, where necessary, kept up to date;
- not be kept for longer than is necessary;
- be processed in accordance with the rights of data subjects under the Data Protection Legislation; and
- be kept secure by the data controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information.
**The importance of compliance**
Where a data controller fails to comply with the principles and is thereby in breach of the Data Protection Legislation, the ICO has the power to:
- request further information from the data controller in line with its investigatory powers;
- require an undertaking from the data controller in relation to a particular course of action (i.e. steps to comply with the Data Protection Legislation);
- serve enforcement notices and 'stop now' notices to require the data controller to take specified steps to comply;
- exercise rights of audit for the purposes of ensuring compliance; and
- in relation to serious breaches of the Data Protection Legislation, the ICO also has the power to issue a monetary penalty notice of up to €20M or 4% of annual turnover, whichever is higher.
In addition, data subjects may bring action against the Company seeking compensation for damage and/or distress suffered as a result of a breach of the Data Protection Legislation by the Company in respect of their personal data.
Compliance is therefore critical. Any breach of Company policy or procedure by an employee of the Company that results, or has the potential to result, in a breach of the Data Protection Legislation should be notified to the DPO immediately via the contact details above.
In relation to its third party marketing partners, the Company seeks contractual assurances of compliance and also retains rights of audit. Where the Company receives personal data from a third party, such transfer is always governed by a form of list management agreement, either on the Company's standard terms, or as agreed between the parties.
The Company will not work with companies or individuals whose business practices do not comply with the Data Protection Legislation.
**Fair and lawful processing**
The Data Protection Legislation is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (in this case the Company), the purpose(s) for which the data is to be processed and the identities of anyone to whom the data may be disclosed or transferred.
For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When special categories of personal data are being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required.
Data about staff may be processed for legal, personnel, administrative and management purposes and to enable the data controller to meet its legal obligations as an employer, for example to pay staff, monitor their performance and to confer benefits in connection with their employment.
Data about customers, suppliers and other third parties may be processed for the following purposes:
- provide marketing, advertising and public relation services to our clients;
- maintaining our accounts and records;
- promoting our services;
- undertaking research; and,
- supporting and managing our employees.
**Processing for Limited Purposes**
Personal data will only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Data Protection Legislation. This means that personal data will not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject will be informed of the new purpose before any processing occurs.
When obtaining consent directly from a data subject for the processing of their personal data, or when a third party marketing partner undertakes this on the Company's behalf, the Company will take all reasonable steps to ensure that the purposes for which such data is to be processed are both lawful and clearly notified to the data subject by way of any or a combination of:
- consent disclaimers/forms;
- information included within the Company's third party marketing partners relevant forms, disclaimers, notices and policies; and,
- internal policy documents in relation to employees.
**Processing that is adequate, relevant and not excessive**
Personal data will only be collected to the extent that it is required for the specific purpose(s) notified to data subjects. Any data which is not necessary for that purpose will not be collected in the first place. Personal data will only be processed in accordance with the limited purposes described above and will not be processed in a fashion that is excessive.
The Company will ensure that this principle is adhered to when designing and implementing its email marketing campaigns to consumers.
**Accurate and up to date data**
Personal data will be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
In the context of its commercial marketing operations, the Company will work with its third party marketing partners to ensure that personal data forming a part of a marketing database/contact list is regularly checked and updated.
Data that is identified as out-of-date or inaccurate will be either updated or suppressed and destroyed.
We must ensure that the personal data we process is adequate, relevant and not kept for longer than is necessary for the purpose it was processed for. This means that data will be archived, and ultimately destroyed or erased from our systems when it is no longer required. This is done in line with our data retention periods, which are described at Appendix 2 of this policy.
**Processing that is in line with data subject's rights**
Data will be processed in line with data subjects' rights. Data subjects have a right to:
- request access to any data held about them by a data controller (article 15) -- a data subject is entitled to be informed if any of their personal data is being processed and, if that is the case, to be provided with a copy of the personal data. This is more commonly known as submitting a "Data Subject Access Request" or "DSAR". No charge may be made, unless the request is manifestly unfounded/excessive, in which case a reasonable fee may be payable;
- request that any data held about them is deleted (article 17) -- a data subject is entitled to request that any personal data held about them is deleted without undue delay. However, the Company is not required to erase personal data where there is a necessity to keep it or where it is necessary for compliance with a legal obligation to which we are subject;
- object to processing -- a data subject has the right to object to direct marketing, to processing based on legitimate interests or the performance of a public interest task (provided they have grounds relating to their particular situation), and to processing for scientific or historical research purposes or statistical purposes;
- ask to have inaccurate or incomplete data amended or completed (article 16) -- a data subject is entitled to request that any personal data held about them that is inaccurate is rectified. If personal data is incomplete, the data subject has the right for that data to be completed;
- request that any personal data held about them is restricted (i.e. blocked or suppressed) (article 18) -- a data subject may request restriction of processing where the accuracy of the personal data is contested by the data subject; where the processing is unlawful and the data subject opposes erasure and requests restriction instead; where the Company no longer needs the personal data for the purposes of the processing but the data subject requires it to establish, exercise or defend legal claims; or where the data subject has objected to processing and the Company is considering whether its legitimate grounds override the rights of the individual;
- request that their personal data be transferred to a third party (article 20) -- this right only applies to personal data in respect of which the processing is based upon consent or on a contract and is carried out by automated means. As the Company does not carry out processing by automated means, individuals cannot exercise this right in respect of their data processed by the Company; and
- object to any decision that significantly affects them being taken solely by a computer or other automated process (article 22) -- the Company does not use any automated decision software.
Where data subjects whose personal data is processed for the Company's commercial marketing purposes withdraw their consent or otherwise opt out of marketing their personal data will be added to a suppression list, and archived.
The Company will ensure that appropriate technical and organisational security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Individuals may apply to the courts for compensation if they have suffered damage arising from any such processing or loss of data.
The Data Protection Legislation requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
- **Confidentiality** means that only people who are authorised to use the data can access it.
- **Integrity** means that personal data should be accurate and suitable for the purpose for which it is processed.
- **Availability** means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
The Company maintains various procedures in respect of data security including (but not limited to):
- protection against malicious software/viruses including firewalls;
- user access controls such as passwords;
- backing up data;
- secure destruction or deletion of data and secure disposal of computer equipment and removable media;
- regular technical audits;
- vulnerability assessments;
- entry control to premises;
- equipment -- if you are leaving your PC unattended then ensure that you have locked the screen;
- secure lockable hard-copy filing system, desks and cupboards; and
- appropriate methods of disposal -- hard-copy and electronic documents are sanitised, removed and destroyed.
**Data security breach**
If there is a breach or suspected, threatened or potential breach of security in respect of any personal data or any other confidential documents, you must immediately report this to the DPO.
Examples of data security breaches include:
- personal data accidentally being sent to someone (either internally or externally) who does not have a legitimate need to see it;
- databases containing personal data being compromised, for example as the result of a cybersecurity breach or the Company being "hacked";
- the loss or theft of laptops, mobile devices or paper records containing personal data;
- papers not properly disposed of in secure disposal bins that can be seen or extracted by others;
- staff accessing or disclosing personal data outside the requirements or authorisation of their job;
- being deceived by a third party into improperly releasing the personal data of another person; and
- the loss of personal data due to unforeseen circumstances such as fire or flood.
It is the Company's policy that all employees must report any realised or suspected breaches of this policy to the DPO as soon as discovered and no later than 24 hours after the occurrence.
The DPO will keep a log of all breaches and take any further action required including:
- Notifying a personal data breach to the supervisory authority (the ICO) within 72 hours of having become aware of such breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons; and
- Communicating the breach to the affected data subject(s) without undue delay, unless the data is encrypted or otherwise unintelligible to unauthorised parties, measures have been taken such that the risk to rights and freedoms is unlikely to materialise or it would involve disproportionate effort (in which case a public communication may be made).
The Company will transfer personal data from the European Economic Area to the United States. In order to comply with the eighth data protection principle, and ensure an adequate level of protection for data subjects' personal data in compliance with the Data Protection Legislation, where we share information with third parties, we will put in place appropriate contracts containing model contractual clauses approved by the European Commission and the ICO to provide an adequate level of protection to that data.
The Company may share data with certain specified third parties. In most instances, data subjects will be made aware how and with whom their information will be shared. However, there are circumstances where the law allows the Company to disclose data (including special categories of data) without the data subject's consent.
**Failure to comply with this policy**
Compliance with our data protection procedures is vital and is closely monitored and enforced. Any breach of this policy will be taken seriously and will be dealt with under the Company's formal disciplinary procedure and in serious cases may be treated as gross misconduct leading to summary dismissal [or (in the context of self-employed agents) as a potential contractual breach].
Where offences have been committed, for example involving dishonesty or fraud, criminal proceedings may be brought which may result in a fine or imprisonment. Managers and Directors may also be prosecuted if the offence was committed with their consent or collusion or by virtue of their neglect.
In addition to the restrictions on data use which are contained in Data Protection Legislation, employees should also be aware that a person may be committing an offence under the Computer Misuse Act 1990 where, without appropriate authorisation, they access computer programs or data or they modify the contents of any computer.
**Review of this policy**
The Company's approach to data protection is kept under regular review through the Company's wider compliance monitoring programme and the Company's approach will be adjusted and optimised based on such monitoring.
This policy (and its underlying procedures) will be reviewed at least annually, or more regularly in relation to regulatory developments or any specific issues that are identified through our monitoring.
All staff will, through appropriate training and responsible management:
- observe all forms of guidance, codes of practice and procedures about the collection and use of personal data;
- understand fully the purposes for which the Company uses personal data;
- only collect and process personal data in accordance with the purposes for which it is to be processed by the Company to meet its business needs or legal requirements;
- only access personal data that they require to carry out their jobs properly;
- ensure that the personal data held by the Company in relation to them is accurate, complete and up-to-date;
- ensure personal data is correctly inputted into the Company's systems by following our standard procedures;
- ensure personal data is destroyed securely when it is no longer required, in accordance with the data retention periods described in Appendix 2;
- immediately notify the DPO on receipt of any request from an individual to exercise their rights as explained in this policy;
- deal with all personal data in accordance with the Company's security procedures;
- ensure that no personal data or special categories of personal data about a fellow member of staff or customer or supplier is disclosed on social networking sites or elsewhere online, including but not limited to Facebook, Twitter and other online forums and social media sites (such disclosure may amount to breach of the Data Protection Legislation and this policy); and
- be responsible for complying with this policy.
**The Company's obligations**
The Company will:
- be responsible for complying with this policy;
- ensure that there is always one person with overall responsibility for ensuring compliance with the Data Protection Legislation and this policy. This will be the DPO whose details are set out above;
- provide training for all staff members who handle personal data (if an employee is unsure of his or her responsibilities he or she should contact the DPO who will consider whether further training is necessary);
- provide clear lines of reporting and supervision for compliance with the Data Protection Legislation and this policy;
- maintain and update its records of processing activities under its responsibility and make such records available to the ICO on request, as required under Article 30 of the GDPR;
- undertake suitable and sufficient monitoring, including spot checks without notice, to ensure that the Data Protection Legislation and this policy are being complied with by the Company and all members of staff;
- implement appropriate technical and organisational measures to ensure the safety and security of personal data which is processed by the Company; and
- adopt best practices in relation to the obligations placed on the Company as a data controller, in particular it will observe all relevant codes of conduct, regulations and guidance issued by the ICO in relation to the processing of personal data.
**Summary of the Company's approach**
- The DPO has specific responsibility for overseeing the Company's compliance with the Data Protection Legislation.
- Everyone processing personal information understands that they are contractually responsible for following good data protection practice.
- Everyone processing personal information is appropriately trained to do so.
- Everyone processing personal information is appropriately supervised.
- Anybody wanting to make enquiries about handling personal information knows how to do this.
- The Company deals promptly and courteously with any enquiries about handling personal information.
- The Company will regularly review and audit the way it holds, manages and uses personal information.
- It regularly assesses and evaluates its methods and performance in relation to handling personal information.
- All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Legislation.
**APPENDIX 1: The Company's ICO Registration**
Registration Number: ZA036195
Date Registered: 15 January 2014
Registration Expires: 14 January 2019
Data Controller: Yoursavingsfiesta LLC
948 NE 26th Ave
This register entry describes, in very general terms, the personal data being processed by:
Austinshire Partners LLC
**Nature of work - Marketing/Advertising Agency**
**Description of processing**
The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.
**Reasons/purposes for processing information**
We process personal information to enable us to:
- provide marketing, advertising and public relation services to our clients
- maintain our accounts and records
- promote our services
- undertake research
- support and manage our employees
**Type/classes of information processed**
We process information relating to the above reasons/purposes. This information may include:
- personal details
- membership details
- goods and services
- family details
- lifestyle and social circumstances
- financial details
- education and employment details
We also process sensitive classes of information that may include:
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs of a similar nature
- offences and alleged offences
- trade union membership
**Who the information is processed about**
We process personal information about our:
- customers and clients
- enquirers and complainants
- survey respondents
- professional advisers and consultants
**Who the information may be shared with**
We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (the Act). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
- current, past or prospective employers
- suppliers and service providers
- financial organisations
- family, associates and representatives of the person whose personal data we are processing
- trade associations and bodies
- professional advisers and consultants
- central government
- employment and recruitment agencies
- business associates
- survey and research organisations
- credit reference agencies
- debt collection agencies
**Trading and Sharing Personal Information**
Personal information is traded and shared as a primary business function. For this reason the information processed may include name, contact details, family details, financial details, employment details, and goods and services. This information may be about customers and clients. The information may be traded or shared with business associates and professional advisers, agents, service providers, customers and clients, and traders in personal data.
It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Data Protection Act.
**APPENDIX 2: Data Retention**
In accordance with the data protection principles provided under the Data Protection Legislation (and set out in this policy), the personal data which is processed by the Company must be adequate, relevant, limited to what is necessary and not kept for longer than is necessary.
To comply with these principles, the Company has defined periods for which it will retain different types of information, which are reasonable and proportionate in each case (for example, the retention period is defined by statutory requirements, or reflects the limitation period for potential litigation). Once a retention period has expired, unless there is a reasonable and justifiable need to retain such information (for example, ongoing litigation) it should be securely deleted.
**Statutory books and registers**

| Record | Retention period |
|---|---|
| Certificate of incorporation | Permanently |
| Change of name certificates | Permanently |
| Shareholder register and other statutory registers | Permanently |
| Board minutes | Permanently |
| Minutes of shareholder meetings | Permanently |

**Central business records**

| Record | Retention period |
|---|---|
| Accounts records | 6 years |
| Complaints records | 6 years from the conclusion of the complaint |
| Major agreements of historical significance | Permanently |