Privacy and Electronic Communications Regulations 2003 (PECR Policy)
1. Policy Statement
Astutis Ltd (hereinafter referred to as the “Company”) sends electronic marketing messages, uses cookies and provides electronic communication services, and therefore has obligations under the Privacy and Electronic Communications Regulations 2003 (PECR). This policy works in conjunction with our data protection policies and ensures that individuals are afforded adequate privacy rights in relation to these activities.
The Company complies with the PECR in full and has developed this policy to ensure that employees understand their obligations and that users and subscribers know their rights. We have developed policies, procedures, controls and measures to ensure compliance with the Regulation, including staff training, procedure documents, audit measures and assessments.
Ensuring and maintaining the security and confidentiality of personal information and electronic communication and marketing is one of our top priorities and we are proud to operate a 'Privacy by Design' approach. This policy should be read in conjunction with our Data Protection policies and Information Security policies.
2. Purpose
The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory obligations under the PECR and where applicable, the UK GDPR. As the Company provides a service or uses technology that comes under the remit of the PECR, we have a duty to implement and maintain specific policies, controls and measures to ensure the security and compliance of all activities.
3. Scope
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
3.1 Definitions
- “Bill” includes an invoice, account, statement or other document of similar character.
- “Call” means a connection established by a telephone service allowing two-way communication in real time.
- “Communication” means any information exchanged or conveyed between parties by means of a public electronic communications service (excluding information conveyed as part of a programme service, except where the information relates to the identifiable subscriber or user receiving it).
- “Communications Provider” means a person who provides an electronic communications network or an electronic communications service as per the meaning given by section 405 of the Communications Act 2003.
- “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- “Corporate Subscriber” means a subscriber who is:
  - A company formed and registered under the Companies Act 1985 (or any former Companies Acts, excluding a company registered under the Joint Stock Companies Acts).
  - A company incorporated in pursuance of a royal charter or letters patent.
  - A partnership in Scotland.
  - A corporation sole.
  - Any other body corporate or entity which is a legal person distinct from its members.
- “Electronic Communications Network” means (as per the meaning given by section 32 of the Communications Act 2003):
  - A transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description; and
  - Such of the following as are used, by the person providing the system and in association with it, for the conveyance of the signals:
    - Apparatus comprised in the system.
    - Apparatus used for the switching or routing of the signals.
    - Software and stored data.
    - Other resources, including network elements which are not active.
- “Electronic Communications Service” means (as per the meaning given by section 32 of the Communications Act 2003) a service of any of the types specified below, provided by means of an electronic communications network, except so far as it is a content service:
  - An internet access service.
  - A number-based interpersonal communications service.
  - Any other service consisting of, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting.
- “Electronic Mail or Email” means any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service (SMS).
- “Individual” means a living individual and includes an unincorporated body of such individuals.
- “Information Society Service” means any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service:
  - ‘At a distance’ means that the service is provided without the parties being simultaneously present.
  - ‘By electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means.
  - ‘At the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
- “The Commissioner” means the Information Commissioner’s Office (ICO), which is responsible for the oversight and enforcement of the PECR.
- “Traffic Data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication.
- “UK GDPR” means the United Kingdom General Data Protection Regulation, tailored by the Data Protection Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/2020.
- “User” means any individual using a public electronic communications service.
4. What is the PECR?
The Privacy and Electronic Communications Regulations 2003 (PECR) implemented European Directive 2002/58/EC into UK law and provide rules and specific privacy rights in relation to electronic communications. The Regulations sit alongside the UK's data protection framework and relate specifically to Astutis through:
- Marketing by electronic means:
  - Calls
  - Emails
  - Live Chat and WhatsApp
- The use of cookies or similar technologies that track information about people accessing a website or other electronic service.
- The privacy of customers using communications networks or services as regards traffic and location data, line identification services and directory listings.
The Regulations have been designed to complement the data protection framework and apply to the specific privacy rights of individuals regarding electronic communications. They also set out the measures and safeguards organisations must take in relation to the security of such services and technologies.
With the vast increase in the provision and use of digital and electronic mediums, there is a direct requirement to provide rules for security and protection. The PECR ensures that organisations are compliant and considerate when carrying out any of the activities covered by the Regulations.
4.1 The PECR and Data Protection
The PECR works in conjunction with the UK GDPR and has been amended to sit alongside the Regulation, including utilising the UK GDPR’s definition of consent. Depending on the services provided or technology used, an organisation may need to comply with both the UK GDPR and PECR or just the PECR.
Providers of services or technologies that rely on consent or legitimate interest and process personal data must comply with both the PECR and the UK GDPR. Where marketing or cookies do not involve the processing of personal information, an organisation must still comply with the PECR.
For those providing an electronic communication service or network, Article 95 and Recital 173 of the UK GDPR help to avoid duplication and confusion of rules between the UK GDPR and PECR. The PECR rules supersede those in the UK GDPR in relation to:
- Security and security breaches.
- Traffic data.
- Location data.
- Line identification services.
4.2 The Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) (hereinafter referred to as the Commissioner) is an independent regulatory office that reports directly to Parliament and whose role is to uphold information rights in the public interest. The legislation it oversees includes:
- The UK GDPR (tailored by the Data Protection Act 2018).
- The Privacy and Electronic Communications Regulations (PECR).
- Freedom of Information Act 2000.
- The Environmental Information Regulations 2004.
The Commissioner’s mission statement is “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”, and it can issue enforcement notices and fines for breaches of any of the Regulations, Acts and/or Laws it regulates.
Under the PECR, the Commissioner is responsible for the oversight and enforcement of the Privacy and Electronic Communications Regulations 2003 and for responding to complaints with regard to the UK GDPR and those firms located solely in the UK.
5. Objectives
We are committed to ensuring that all electronic communications activities and all personal data processing carried out by the Company are conducted in accordance with the PECR and, where relevant, the UK GDPR. We also adhere to any associated guidelines or codes of conduct set out by the Commissioner and local law.
The Company has developed the below objectives to meet its public electronic communications obligations and to ensure continued compliance with the legal and regulatory requirements.
The Company ensures that:
- We have dedicated PECR related policies and procedures in place to ensure ongoing awareness and compliance with the rules.
- We have up to date Data Breach Procedures and a Data Breach Log in place to comply with Section 5(a) of the PECR.
- Users and subscribers are provided with specific information about our use of traffic data and/or location data and, where applicable, consent is obtained to process such data.
- Staff are provided with information about the Company’s obligations.
- Direct marketing mediums contain the relevant information required by the PECR and where such marketing is unsolicited, we always offer an opt-out mechanism for the user or subscriber.
- Any cookies used on our website are clearly marked and information about the cookies and the users’ rights are provided to every visitor as per the PECR requirements. Options to accept or reject non-essential cookies are always provided.
- Procedures and controls to comply with the PECR are reviewed on an annual basis to ensure ongoing compliance with the Regulation.
- All forms of electronic marketing are reviewed by the Head of Marketing prior to being implemented.
6. Direct Marketing
The Company has a dedicated Direct Marketing Policy that details our obligations and procedures in relation to marketing as defined in the PECR. We recognise the requirement to obtain consent and provide specific information when sending unsolicited marketing by email.
We have consent controls in place that comply with the UK GDPR requirements and ensure that all forms of marketing communication adhere to the PECR rules. As the area of direct marketing has numerous rules and regulations, we utilise a standalone policy for this purpose, to ensure that employees have a clear understanding of the rules and their responsibilities.
Please refer to the Company’s Direct Marketing Policy for full details of our marketing procedures and controls.
7. Cookies and Similar Technologies
In the UK, the Privacy and Electronic Communications Regulations (PECR) set out the rules regarding the use of cookies on websites. Section 6 of the Regulation prohibits the storing and accessing of information on a user's terminal equipment unless that user has given their consent.
The PECR requires that detailed, clear, and relevant information is provided to the user regarding the existence of any cookies, including what each cookie does and why it is used. Consent must then be obtained from the user to allow cookie(s) to be stored on their device.
The Regulation provides an exception to cookie consent where the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or where the cookie is strictly necessary to provide a service requested by the user (e.g., cookies used to remember a user’s goods in an online basket or that are essential for regulatory or legal compliance).
7.1 Confidentiality
In accordance with Section 6 of the Regulation, the Company has strict procedures to ensure that no person gains access to any information stored within the terminal equipment of a user or subscriber. The Company complies fully with its obligations under the PECR and uses a dedicated Cookie Policy to ensure that visitors and users of our website are provided with the necessary information on our storage and use of cookies.
Where the Company would like to request access to any data or personal information stored within the individual’s terminal equipment, we utilise a pop-up notice upon initial visit to the website to ensure that the subscriber or user:
- Is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- Has given his or her consent.
Where the above information has already been provided to the subscriber or user, the Company may also rely on consent signified by the subscriber or user amending or setting controls on the internet browser they are using, or through another application or programme used to signify consent. All forms of consent are collected and maintained in accordance with the consent rules set out in the UK GDPR.
The Company reserves the right not to obtain consent for access to subscriber or user data or personal information where it relates to the technical storage of, or access to, information:
- For the sole purpose of carrying out the transmission of a communication over an electronic communications network.
- Where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Please refer to our Cookie Policy for full information on our procedures and measures.
8. Public Electronic Communications Service and Network
Electronic communications service as defined in the PECR has the same meaning as that in section 32 of the Communications Act 2003: "a service consisting of, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except insofar as it is a content service."
The same Act defines an electronic communications network as "a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description [and] such of the following as are used, by the person providing the system and in association with it, for the conveyance of the signals:
- Apparatus comprised in the system.
- Apparatus used for the switching or routing of the signals.
- Software and stored data.
- Other resources, including network elements which are not active."
An electronic communications service allows individuals to sign up to a service with a view to sending or receiving electronic signals (e.g. sounds, images, data, etc.). An electronic communications network is the transmission system that makes the electronic communications services available to the users or subscribers.
Where the Company provides a public electronic communications service, we ensure that we have adequate and appropriate technical and organisational measures in place to safeguard the security of that service. Details of the measures and controls in place are set out in the Data Protection Policy.
Access Control
The Company complies with Section 5 of the PECR which states the minimum mandatory security requirements for electronic communications services. Our security policies set out the measures and controls used to ensure privacy and security. The procedures include (but are not limited to):
- Ensuring that personal data can only be accessed by authorised personnel for legally authorised purposes.
- Protecting personal data stored or transmitted against accidental or unlawful destruction, accidental loss, or alteration, and unauthorised or unlawful storage, processing, access, or disclosure.
- Ensuring that the security policies are compliant and maintained in accordance with the relevant rules and regulations with respect to the processing of personal data.
Traffic Data
As an electronic communications provider, the Company processes traffic data as part of its business activities. The Company is aware of the strict regulations relating to the processing of such data and complies with these in full. Where we process traffic data, we ensure that:
- It is only used for permitted purposes.
- Our customers have been given information about the processing, including the types of traffic data which are to be processed and the duration of such processing, prior to consent being obtained.
- Where applicable, we have obtained the customers' consent for using the data.
The Company only processes traffic data for one or more of the purposes set out below:
- The management of billing or traffic.
- Customer enquiries.
- The prevention or detection of fraud.
- The marketing of electronic communications services.
- The provision of a value-added service.
The Company reserves the right to provide any relevant traffic data to a competent authority where such data relates to the settling of disputes.
8.1 Provision of Information
The Company provides information about the processing of traffic data to users and subscribers within the data policy. The information and the opt-in, granular consent mechanism are provided by:
- Website Cookie mechanism.
- Opt-in provision on web contact forms.
- An email opt-out to a customer after purchase.
- An email opt-out to a user who has previously shown interest in the company product or service.
Third Party Processor
The Company uses a third-party data processor to process traffic data on our behalf. However, we recognise that the responsibility for complying with the rules on traffic data lies with us and it is the Company’s obligation to ensure that the processing complies with the PECR at all times.
We have Service Level Agreements in place with all third parties to ensure that they are aware of our obligations under the PECR and of their own responsibilities and duties in accordance with those rules. We carry out continual monitoring and reviews of all third parties to verify that rules are being followed and complied with and that the service being provided is appropriate and adequate.
8.2 Consent
Processing location data, certain types of traffic data and data used for the purposes of direct marketing or providing value-added services requires the consent of the user or subscriber. The Company adheres to the UK GDPR definition of consent and has set out specific information or controls for consent in the below documents:
- Privacy Notice
- Cookie Notice
- Cookie Policy
- PECR Policy
- Data Protection Policy
- Direct Marketing Policy
Data processed for any purpose requiring consent is only retained for as long as is necessary and is subject to the retention and erasure rules set out in the UK GDPR. The user or subscriber is always informed of their right to withdraw consent at any time.
Where processing is based on consent, the Company has reviewed and revised all consent mechanisms to ensure that:
- Consent requests are transparent, using plain language and free of any illegible terms, jargon or extensive legal terms.
- It is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes.
- Consent can be obtained by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the processing of personal data.
- Pre-ticked opt-in boxes are never used.
- Where consent is given as part of other matters (e.g., terms & conditions, agreements, contracts), we ensure that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service).
- Along with our company name, we also provide details of any other third party who will use or rely on the consent.
- Consent is always verifiable, and we have controls in place to ensure that we can demonstrate consent.
- We keep records of consent and can evidence at a minimum:
  - Via our CRM, that the individual has opted out of receiving marketing communications.
- We have ensured that withdrawing consent is as easy, clear, and straightforward as giving it and is available through multiple options, including:
  - Opt-out links in mailings or electronic communications.
  - Ability to opt-out verbally, in writing or by email.
- Consent withdrawal requests are processed immediately and without detriment.
Please refer to the Company’s Direct Marketing Policy which contains details of our obligations, procedures and controls.
- Information is provided to end users and subscribers about our line identification and related privacy services.
- The above information and services are provided free of charge.
In accordance with the PECR rules, the Company reserves the right to override any of the above measures and controls where:
- A subscriber has requested the tracing of malicious or nuisance calls received on his line; and
- The Company is satisfied that such action is necessary and expedient for the purposes of tracing such calls; or
- In order to facilitate responses to emergency calls.