Astutis Direct Marketing Policy
1. Policy Statement
Astutis Ltd (hereinafter referred to as the “Company”) uses e-marketing via an email automation platform (currently Mailchimp), direct mail, and telephone calls to send out marketing information to certain individuals. As we have obligations under the Privacy and Electronic Communications Regulations 2003 (PECR), the Company is required to comply with certain rules regarding using and sending direct marketing.
The Company understands its obligations under the PECR and ensures that we have adequate and effective policies, procedures, and controls in place to meet our marketing responsibilities.
The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory obligations under the PECR with regards to direct marketing. This policy sets out our obligations, objectives and the controls for meeting the marketing rules.
The aim of this policy is to inform the Company’s processes for compliance and to provide employees with information and support regarding the direct marketing requirements.
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
4. What is Direct Marketing?
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act 2018 and the UK GDPR and set the rules and privacy rights for electronic communications. There are specific rules on marketing that cover all forms of advertising or promotional material that are directed to particular individuals.
The PECR marketing rules apply to information sent via phone, fax, email, text or any other type of electronic message or mail. There are different rules for calls, faxes and electronic mail.
4.1 The PECR and Data Protection
The PECR works in conjunction with the UK GDPR and has been amended to sit alongside the Regulation, including utilising the UK GDPR’s definition of consent. As direct marketing most often includes processing personal data, the Company recognises its obligation to comply with both the PECR and the UK GDPR.
Art. 21(2)(3) of the UK GDPR states that ‘where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing’.
Recipients of such information can also exercise their GDPR right to object to processing for direct marketing purposes. Where the Company receives a request in any format that objects to the processing of personal data for direct marketing, we follow our data protection procedures to ensure that the personal data shall no longer be processed for such purposes.
Whilst we recognise that UK GDPR Recital 47 states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, we ensure that all recipients are provided with the option to unsubscribe or opt-out at any time.
As the Company sends direct marketing to individuals, we comply with the relevant rules and requirements set by the PECR and UK GDPR. We also follow the Information Commissioner’s guidance on direct marketing to inform our policies, procedures and employee knowledge.
As the PECR requires businesses using direct marketing to provide certain information to individuals and comply with specific rules, we have set the below objectives to ensure compliance with the requirements.
To comply with the PECR direct marketing rules, the Company:
- Has the below policies and procedures in place:
  - Data Protection Policy
  - Direct Marketing Policy
  - PECR Policy
  - Privacy Notice
- Uses a direct marketing checklist to ensure compliance with the PECR rules.
- Can demonstrate that consent has been obtained for direct marketing, if marketing outside of ‘legitimate interest’.
- Ensures that consent requests are clear and transparent, use plain language and avoid any illegible terms or jargon.
- Provides individuals with the right to withdraw consent and/or opt-out of marketing at any time.
- Provides simple options for withdrawing consent or opting out of marketing.
- Ensures that all marketing materials and communications contain options for unsubscribing.
- Retains a ‘do not contact’ list of anyone who opts out or unsubscribes from our electronic mail and we use this list to screen electronic marketing mail to exclude anyone who has asked us not to send it.
- Verifies that all direct marketing mediums contain the relevant information required by the PECR.
- Specifies the methods of communication used for direct marketing (i.e., email, text, phone, call, post).
- Ensures that when sending direct marketing by post or email, we include our company name, address, and telephone number in the content.
6. Procedures and Guidance
The Company understands that it has specific obligations under the PECR in terms of direct marketing and has robust policies, procedures, controls, and training programs in place to adhere to these. The Company operates a top-down approach where all employees are aware of, and responsible for complying with, the rules and guidance.
Where we provide specific information to individuals about marketing and their rights, we ensure that such information is easily accessible, clear, and concise. We have a Direct Marketing Notice that is used on our website and in all marketing communications so that individuals have easy access to the information.
The Company sends direct marketing in the form of:
- E-marketing via an email automation platform (Mailchimp)
- Direct mail
- Live telephone calls
We use a Direct Marketing Notice to provide additional information to individuals about the type of direct marketing we will/would like to send to them. This notice is easily accessible; a link to it is provided:
- In the footer of our websites.
- On the checkout page of our websites.
- On the subscription page of our websites.
- In the footer of all emails related to direct marketing.
The Company only sends direct marketing or asks for consent to send marketing to certain individuals. The individuals that we send direct marketing to are detailed in our Direct Marketing Notice and include:
- Customers of the Company.
- Individuals making a purchase from us.
- Individuals subscribing to a service we provide, i.e. company newsletter.
- Those who attended an event or webinar organised or hosted by the Company.
- Individuals who download or access information via our website.
- Individuals who contact us to request information about our products or services.
6.1 Telephone Marketing
6.1.1 Live Telephone Calls
For all calls made in relation to direct marketing or where any form of marketing will be mentioned or offered, the Company always advises who we are and our purpose for calling, and provides a contact address or freephone number where requested. Our telephone number is always displayed to the person receiving the call.
6.2 Electronic Mail Marketing
For the purposes of this policy and our compliance with the PECR, we define electronic mail marketing as 'any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service'.
We use electronic mail for direct marketing in the form of:
- Emails containing text, picture messages, video messages.
- Direct messages via social media, clearly marked as sponsored.
- Online marketing.
We only send electronic mail marketing where we either have consent from the individual to do so or where they are an existing customer who has used our products or services previously. Such customers are provided with an easy way to opt out of receiving such information, both when we first obtain their details and in all subsequent messages.
Marketing information sent by email or text clearly displays our:
- Full identity (including any trading names).
- Our trading address and registered office.
- Our company number (if applicable).
- A hyperlink and/or details on how to unsubscribe.
We retain an electronic list of subscribers who have opted out of receiving electronic mail marketing in our SAGE CRM system.
As per our obligations under the Regulations, we sometimes require an individual’s consent to send direct marketing. In such cases, we never send any information that has not been requested or consented to being received. We have controls and tools in place that provide simple options for withdrawing consent or opting out of marketing at any time.
Data processed for any purpose requiring consent is only retained for as long as is necessary and is subject to the retention and erasure rules set out in the UK GDPR and our Data Protection Policies. Our Data Protection Policy details the consent mechanisms that we have in place to comply with the PECR and UK GDPR.
6.2.2 Legitimate Interests
In some instances, the Company sends marketing information to individuals where it has been identified as being beneficial or of interest to them. In these instances, we rely on the legitimate interests legal basis under the UK GDPR for processing.
We ensure that such information is always relevant to the customer and is non-intrusive. We also ensure that customers have the option to opt-out or unsubscribe at any time.
Where we choose to rely on legitimate interests for processing personal data in relation to direct marketing, we have first verified that:
- The information being sent is relevant and beneficial to the customer.
- We have weighed their interests against our own.
- There is little to no risk posed to the individuals’ personal data or rights.
- The method used to send any direct marketing and the content is non-intrusive.
- The material being sent is something a customer would usually expect to receive.
- We have provided visible, easy to use and access options for opting out or unsubscribing.
7. Third Party Processors
The Company uses a third-party service provider to carry out direct marketing by email. We understand that under the PECR, both parties are responsible for complying with the regulations, but as the initial instigator of any marketing communication, the Company is liable for overall compliance.
We carry out extensive due diligence on all suppliers and third parties prior to forming a business relationship with them and carry out regular audits and reviews of the business, services and activities.
8. Audits & Monitoring
This policy and procedure document details the controls and measures used by the Company to comply with the PECR and any associated data protection rules. It is to be read in conjunction with our other UK GDPR and PECR policies.
The Astutis Senior Management Team has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Board where applicable.
The aim of internal PECR audits is to:
- Ensure that the appropriate policies and procedures are in place.
- Verify that those policies and procedures are being followed.
- Test the adequacy and effectiveness of the measures and controls in place.
- Detect breaches or potential breaches of compliance.
- Identify risks and assess the mitigating actions in place to minimise such risks.
- Recommend solutions and mitigating actions for improvements where applicable.
- Monitor compliance with the PECR and UK GDPR and demonstrate best practice.
The Company ensures that compliance with the PECR is the responsibility of all employees and provides ongoing support and training to this end. Overall responsibility for PECR compliance has been assigned to the Data Protection person whose role it is to identify and mitigate any risks to the protection of personal data or the privacy rights of users and subscribers.