Sentori and the Data Protection Obligations and Legislation
For the purposes of this policy statement the “Data Protection Legislation” means until 25 May 2018 the Data Protection Act 1998 and as from 25 May 2018 the EU General Data Protection Regulation, and any UK statute, regulations or secondary legislation supplementing or replacing the DPA or the GDPR, or otherwise regulating data protection, in each case as amended or updated from time to time, and any expressions defined in the Data Protection Legislation. The terms of this Policy Statement will be incorporated into Sentori’s Terms and Conditions of use of their Email Marketing Application.
We, Colony101 UK Ltd t/a Sentori Email Marketing (Sentori), will act as a data processor in relation to personal data relating to your Contacts for which you are the data controller (Contact Data) and in respect of which you use the Sentori Application and/or our Services, and we will comply with our obligations under the Data Protection Legislation accordingly.
The Customer is the data controller under the Data Protection Legislation in respect of any Contact Data that we process or access in the course of providing our services. The Contact Data is derived from data provided by you and is not checked or monitored by us and, accordingly, we have no liability or responsibility whatsoever howsoever arising directly or indirectly to you for the accuracy, contents or use of such Contact Data.
As our customer we require that:
- You have obtained or collected the Contact Data lawfully, fairly and in a transparent manner, and in the case of future data, you will obtain or collect it in the same manner.
- You had a lawful basis, whether based on the consent of the Data Subject or on the processing being necessary for the purposes of the legitimate interests pursued by the data controller for obtaining or collecting the existing Contact Data, and will have such a lawful basis for obtaining or collecting any future Contact Data, and you have kept, and will keep, proper records of that lawful basis.
- In the case of Contact Data for which the lawful basis is based on the consent of the Data Subject, you have complied with the conditions required under the Data Protection Laws for the giving of a valid consent by the Data Subject.
- You will fulfil your obligations under the Data Protection Legislation to provide the Data Subject with any information relating to the processing of Contact Data which you are required to provide.
- All Contact Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are to be processed.
- You will ensure that Contact Data is accurate and, where necessary, kept up to date.
Save where, for operational reasons, we share data with a third party processor who provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation, and agrees to adhere to substantially the same or similar confidentiality and data protection provisions as set out here, Sentori will not disclose any Contact Data to any business, organisation or individual without your knowledge, unless required or permitted to do so by applicable law.
We warrant that, to the extent that we process any Contact Data, we shall:
- Process the Contact Data only on your written instructions, unless required to do so by applicable laws, and notify you immediately if we believe that any of your instructions violate the Data Protection Legislation; and
- Ensure that we have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the Contact Data and against its accidental loss or destruction or damage; and
- Use appropriate measures to ensure the confidentiality, integrity, availability and resilience of our systems and services, to ensure that availability of and access to the Contact Data can be restored in a timely manner after an incident, and regularly assess and evaluate the effectiveness of the technical and organisational measures adopted by us; and
- Ensure that all of our personnel who have access to and/or process the Contact Data are obliged to keep it confidential; and
- Assist you, at your cost, in responding to any request from a Data Subject and in ensuring compliance with your obligations under the Data Protection Legislation with respect to security, personal breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
- Notify you without undue delay, and in any event within 24 hours, on becoming aware of a data breach with respect to any of the Contact Data; and
- Update, amend or correct the Contact Data on your or your customers’ written request including deleting temporary files containing the Contact Data; and
- Cancel, block access to or delete any of the Contact Data on your written request, unless we are required by applicable laws to retain and/or store the Contact Data and then only for the required period; and
- Maintain and make available to you on request complete and accurate records (as required by the Data Protection Legislation) of our processing of Contact Data and all information necessary to demonstrate our compliance with this clause; and
- At your written request, provide you with a copy of the Contact Data that you have provided to us.
We will not transfer any Contact Data outside of the European Economic Area and, if the United Kingdom is no longer part of the European Economic Area, outside of the United Kingdom, unless the transfer is to a country that is a member of the European Union or to a country which for the purposes of the Data Protection Legislation is recognised as ensuring an adequate level of protection.
We perform back-ups of data in accordance with good industry standards and you are likewise responsible for backing up your data and for implementing disaster recovery in accordance with good computing industry practice.
Sentori reserves the right to delete any Contact Data which has not been edited or used to send an email message for a period of more than six (6) months.