Rocketfuel Social is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations.
We hold personal data about our employees, clients, suppliers, and other individuals for a variety of business purposes.
Personal data may be used by us for personnel, administrative, financial, regulatory, payroll, and business development purposes.
Business purposes include the following:
- Compliance with our legal, regulatory, and corporate governance obligations and good practice.
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
- Ensuring business policies are adhered to (such as policies covering email and internet use).
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking.
- Investigating complaints.
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration, and assessments.
- Monitoring staff conduct and disciplinary matters.
- Marketing our business.
- Improving services.
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Personal data that Rocketfuel Social may gather includes: individuals’ phone numbers, email addresses, educational backgrounds, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job titles, and CVs.
Special Categories of Personal Data
Special categories of data include information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), physical or mental health or condition, sex life or sexual orientation, and genetic and biometric data (where used to identify an individual). Data about criminal convictions and offences or related proceedings is not a special category under GDPR, but it is subject to comparable safeguards and is handled under the same controls in this policy. Any use of special categories of personal data must be strictly controlled in accordance with this policy.
‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law, the controller (or the criteria for nominating it) may also be specified by that law.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
‘Supervisory Authority’ means the national body responsible for data protection. The supervisory authority designated for Rocketfuel Social is the United States Federal Trade Commission.
This policy supplements Rocketfuel Social’s other policies relating to internet and email use. Rocketfuel Social may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
Who is Responsible for this Policy?
As Rocketfuel Social’s Data Protection Officer (DPO), Andrew (Drew) N. Horine has overall responsibility for the day-to-day implementation of this policy. Staff members should contact the DPO for further information about this policy if necessary.
Rocketfuel Social shall comply with the principles of data protection (the Principles) enumerated in the EU General Data Protection Regulation. Rocketfuel Social will make every effort possible in everything it does to comply with these principles. The Principles are:
Lawful, Fair, and Transparent
Data collection must be fair, for a legal purpose, and Rocketfuel Social must be open and transparent as to how the data will be used.
Limited for its Purpose
Data can only be collected for a specific, explicit purpose and must not be further processed in a way that is incompatible with that purpose.
Data Minimization
Any data collected must be adequate, relevant, and not excessive for its purpose.
Accuracy
The data Rocketfuel Social holds must be accurate and kept up to date.
Storage Limitation
Rocketfuel Social cannot store data longer than necessary.
Integrity and Confidentiality
The data Rocketfuel Social holds must be kept safe and secure, protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability and Transparency
Rocketfuel Social must ensure accountability and transparency in all its use of personal data. It must show how it complies with each Principle of data protection. Each staff member is responsible for keeping a written record of how all the data processing activities they are responsible for comply with each of the Principles. This record must be kept up to date and approved by the Data Protection Officer (DPO).
To comply with data protection laws and the accountability and transparency Principle of GDPR, Rocketfuel Social must demonstrate compliance. Each staff member is responsible for understanding their particular responsibilities to ensure that Rocketfuel Social meets the following data protection obligations:
- Fully implementing all appropriate technical and organizational measures.
- Maintaining up-to-date and relevant documentation on all processing activities.
- Conducting Data Protection Impact Assessments.
- Implementing measures to ensure privacy by design and default, including:
- Data minimization.
- Allowing individuals to monitor processing.
- Creating and improving security and enhanced privacy procedures on an ongoing basis.
Fair and lawful processing
We must process personal data fairly and lawfully in accordance with individuals’ rights under the first Principle. This means that we must not process personal data unless we have a lawful basis for doing so. Consent is one such basis, but it is not the only one; the full set of lawful bases is listed below.
If we cannot apply a lawful basis (explained below), our processing does not conform to the first Principle and is unlawful. Data subjects have the right to have any unlawfully processed data erased.
Lawful Basis for Processing Data
Rocketfuel Social must establish a lawful basis for processing data. Each staff member is responsible for ensuring that any data they are responsible for managing has a written lawful basis approved by the Data Protection Officer (DPO). It is the staff member’s responsibility to check the lawful basis for any data they are working with and ensure that all actions comply with the lawful basis. At least one of the following conditions must apply whenever Rocketfuel Social processes personal data:
- Consent: Rocketfuel Social holds recent, clear, explicit, and defined consent for the individual’s data to be processed for a specific purpose.
- Contract: The processing is necessary to perform a contract with the individual, or to take steps at the individual’s request before entering into a contract.
- Legal Obligation: Rocketfuel Social has a legal obligation to process the data (excluding a contract).
- Vital Interests: Processing the data is necessary to protect a person’s life or in a medical situation.
- Public Function: Processing is necessary to carry out a public function, a task of public interest, or the function has a clear basis in law.
- Legitimate Interest: The processing is necessary for Rocketfuel Social’s legitimate interests (or those of a third party). This condition does not apply where the individual’s interests, rights, or freedoms override that legitimate interest.
Deciding Which Condition to Rely On
When assessing the lawful basis for processing data, it is important to establish that the processing is necessary and a targeted, appropriate way of achieving the stated purpose. If the purpose can reasonably be achieved by less intrusive means, the processing is not “necessary” and you cannot rely on the lawful basis. Remember that more than one basis may apply, and you should choose the one that best fits the purpose, rather than the easiest option.
Consider the following factors and document your answers:
- What is the purpose for processing the data?
- Can the purpose reasonably be achieved in a different way?
- Is there a choice as to whether or not to process the data?
- Who benefits from the processing?
- After selecting the lawful basis, is it the same as the one the data subject would expect?
- What is the impact of the processing on the individual?
- Are you in a position of power over the individual?
- Is the individual a vulnerable person?
- Would the individual be likely to object to the processing?
- Can you stop the processing at any time upon request, and have you considered how to do this?
By considering these factors and documenting your answers, you can make an informed decision on the lawful basis for processing the data and ensure compliance with data protection requirements.
Our Commitment to the First Principle
As part of our commitment to the first Principle of data protection, we are required to document the process of determining the lawful basis for processing data and demonstrate that we have carefully considered which basis best applies to each processing purpose. We must fully justify these decisions and keep a record of our assessments.
Furthermore, we are obligated to ensure that individuals whose data is being processed by us are informed about the lawful basis for processing their data, as well as the intended purpose. This information should be provided through a privacy notice. This requirement applies whether we have collected the data directly from the individual or obtained it from another source.
If you are responsible for conducting an assessment of the lawful basis and implementing the privacy notice for a specific processing activity, it is crucial to have your assessment and notice approved by the Data Protection Officer (DPO). The DPO will ensure that the chosen lawful basis aligns with data protection requirements and that the privacy notice accurately informs individuals about how their data will be processed.
Special Categories of Personal Data
Special categories of personal data, previously known as sensitive personal data, refer to data about an individual that is more sensitive and requires additional protection. This type of data poses higher risks to a person’s fundamental rights and freedoms, potentially exposing them to unlawful discrimination or other significant risks. The special categories of personal data include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Health data
- Sex life or sexual orientation
In most cases where we process special categories of personal data, explicit consent from the data subject is required, unless exceptional circumstances apply or there is a legal obligation to process such data (e.g., to comply with health and safety regulations at work). Consent for processing special categories of personal data must clearly identify the specific data being processed, the purpose of processing, and any recipients of the data.
When processing special categories of personal data, the condition for processing must comply with the law. If there is no lawful basis for processing such data, the processing activity must cease.
Responsibilities of all staff members:
- Analyzing and documenting the type of personal data we hold
- Checking procedures to ensure they cover all the rights of the individual
- Identifying the lawful basis for processing data
- Ensuring consent procedures are lawful
- Implementing and reviewing procedures to detect, report, and investigate personal data breaches
- Storing data in safe and secure ways
- Assessing the risk that could be posed to individual rights and freedoms should data be compromised
- Fully understanding your data protection obligations
- Checking that any data processing activities you are involved in comply with our policy and are justified
- Not using data in any unlawful way
- Not storing data incorrectly or being careless with it, to avoid breaching data protection laws and our policies
- Complying with this policy at all times
- Promptly raising any concerns, notifying breaches or errors, and reporting anything suspicious or contradictory to this policy or our legal obligations
Responsibilities of the Data Protection Officer:
- Keeping the board updated about data protection responsibilities, risks, and issues
- Regularly reviewing all data protection procedures and policies
- Arranging data protection training and advice for all staff members
- Answering questions on data protection from staff, board members, and stakeholders
- Responding to individuals’ requests to know what data is being held on them
- Checking and approving contracts or agreements with third parties handling the company’s data
Responsibilities of the IT Manager:
- Ensuring all systems, services, software, and equipment meet acceptable security standards
- Regularly checking and scanning security hardware and software to ensure proper functioning
- Researching and evaluating third-party services, such as cloud services, for data storage or processing purposes
Responsibilities of the Marketing Manager:
- Approving data protection statements attached to emails and marketing materials
- Addressing data protection queries from clients, target audiences, or media outlets
- Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy
By fulfilling these responsibilities, we can collectively ensure that personal data is handled in a compliant, secure, and ethical manner, safeguarding individuals’ privacy and rights.
Accuracy and Relevance:
We are committed to ensuring that any personal data we process is accurate, adequate, relevant, and not excessive for the purpose it was obtained. We will not process personal data for any unrelated purpose unless the individual has provided consent or would reasonably expect such processing.
If individuals request the correction of inaccurate personal data, you should record the dispute regarding accuracy and notify the DPO.
It is your responsibility to keep personal data secure and protected against loss or misuse. When other organizations process personal data on our behalf, the DPO will establish specific data security arrangements through contracts with those third-party organizations.
Secure Data Storage Practices:
- Printed data should be stored in a secure location inaccessible to unauthorized personnel.
- Printed data that is no longer needed should be securely shredded.
- Data stored on computers should be protected by strong, unique passwords, which must be changed immediately if compromise is suspected. We encourage the use of password managers for all staff.
- Data stored on CDs or memory sticks should be encrypted, password protected, and securely locked away when not in use.
- The use of cloud storage for data must be approved by the DPO.
- Servers containing personal data should be kept in a secure location separate from general office space.
- Regular data backups should be performed in accordance with the company’s backup procedures.
- Data should not be saved directly to mobile devices (laptops, tablets, smartphones).
- All servers containing sensitive data must be protected by approved security software.
- All necessary technical measures must be implemented to ensure data security.
By adhering to these practices, we can maintain the confidentiality, integrity, and availability of personal data, minimizing the risk of unauthorized access or loss.
Data Retention:
We are committed to retaining personal data for no longer than necessary. The specific retention period will be determined based on the circumstances of each case, considering the purpose for which the personal data was obtained. Our data retention guidelines will provide guidance on the appropriate retention periods.
Transferring Data Internationally:
The transfer of personal data internationally is subject to restrictions. You must not transfer personal data abroad or outside of the normal rules and procedures without obtaining express permission from the DPO. International transfers of personal data should comply with applicable data protection laws and regulations, including ensuring an adequate level of protection for the personal data in the receiving country. The DPO will provide guidance and approval for any international data transfers.
Rights of Individuals:
Individuals have rights over their personal data, and it is our responsibility to respect and facilitate the exercise of these rights to the best of our ability. We must ensure individuals can exercise their rights in the following ways:
- Right to be informed:
- Providing privacy notices that are concise, transparent, easily accessible, and written in clear language.
- Maintaining a record of our data processing activities to demonstrate compliance and transparency.
- Right of access:
- Enabling individuals to access their personal data and supplementary information.
- Allowing individuals to verify the lawfulness of the processing activities.
- Right to rectification:
- Rectifying or amending personal data if it is inaccurate or incomplete.
- Responding to rectification requests promptly, within one month (extendable by a further two months for complex or numerous requests, with DPO permission).
- Right to erasure:
- Deleting or removing an individual’s data upon request, provided there is no compelling reason for its continued processing.
- Right to restrict processing:
- Complying with requests to restrict, block, or suppress the processing of personal data.
- Storing restricted data without further processing, ensuring future compliance with the right to restriction.
- Right to data portability:
- Providing individuals with their personal data in a commonly used, machine-readable format.
- Facilitating the direct transmission of personal data to another controller, as requested.
- Right to object:
- Respecting individuals’ right to object to data processing based on legitimate interests, public interest tasks, or direct marketing.
- Respecting individuals’ right to object to data processing for scientific, historical research, or statistical purposes.
- Rights in relation to automated decision making and profiling:
- Respecting individuals’ rights regarding automated decision making and profiling.
- Providing explanations of the rationale behind automated decisions and offering the option for human intervention.
We must ensure that individuals can exercise these rights and respond to their requests in a timely and appropriate manner.
Privacy notices play a crucial role in informing individuals about the processing of their personal data. Here are the key aspects to consider when supplying a privacy notice:
- Timing of Supply:
- If data is obtained directly from the data subject, provide the privacy notice at the time of data collection.
- If data is obtained indirectly, provide the privacy notice within a reasonable period and at the latest within one month.
- When data is used to communicate with the individual, the privacy notice must be supplied at the latest during the first communication.
- If disclosure to another recipient is anticipated, provide the privacy notice before the data is disclosed.
- Content of the Privacy Notice:
- Privacy notices should be concise, transparent, intelligible, and easily accessible.
- Provide the following information to all data subjects:
- Identification and contact information of the data controller and the data protection officer.
- Purpose of processing the data and the lawful basis for processing.
- Legitimate interests pursued by the controller or third party, if applicable.
- Right to withdraw consent, if applicable.
- Categories of personal data (only for data not obtained directly from the data subject).
- Recipients or categories of recipients who may receive the personal data.
- Details of any transfers to third countries and safeguards in place.
- Retention period or criteria used to determine retention, including data disposal procedures.
- Right to lodge a complaint with the relevant supervisory authority (e.g., ICO) and internal complaint procedures.
- Source of the personal data, including whether it came from publicly available sources (only for data not obtained directly from the data subject).
- Existence of automated decision making, including profiling, and information about its significance and consequences.
- Whether the provision of personal data is a statutory or contractual requirement, and the possible consequences of failure to provide the data (only for data obtained directly from the data subject).
Privacy notices should be written in clear and plain language, particularly when aimed at children. They should be freely available and easily understandable to ensure individuals can make informed decisions about their personal data.
Subject Access Requests:
A subject access request is a right granted to individuals under data protection laws, allowing them to obtain confirmation of whether their personal data is being processed and access to their personal data and supplementary information as outlined in the privacy notice.
Here’s how we handle subject access requests:
- Providing Access:
- We must provide individuals with a copy of their requested information free of charge and without undue delay.
- The information should be provided within one month of receiving the request.
- Whenever possible, we strive to provide access to the data in commonly used electronic formats and through secure remote access systems.
- Complex or Numerous Requests:
- If the request is complex or involves a large volume of data, we may extend the deadline by two months. However, we must inform the individual of the extension within one month of receiving the request.
- Before extending the deadline, approval from the DPO is necessary.
- Refusal to Respond:
- In certain circumstances, we may refuse to respond to a subject access request. For example, if the request is manifestly unfounded or excessive.
- If a large quantity of data is requested, we can ask the individual to specify the information they are seeking, with approval from the DPO.
- Data Integrity:
- Once a subject access request has been received, we must not alter or amend any of the requested data. Altering, concealing, or destroying data to prevent its disclosure can be a criminal offence under applicable data protection law and can lead to severe penalties.
Handling subject access requests requires careful consideration to ensure compliance with data protection laws and individuals’ rights. By following these guidelines, we can fulfill our obligations and provide individuals with access to their personal data in a timely and secure manner.
Data portability requests:
Data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Here’s how we handle data portability requests:
- Providing the Data:
- We must provide the requested data in a structured, commonly used, and machine-readable format.
- Typically, a CSV file is used, but other acceptable formats can be used as well.
- The data should be provided either to the individual making the request or to the data controller they have specified.
- This should be done free of charge and without undue delay, and no later than one month from receiving the request.
- Complex or Numerous Requests:
- If the request is complex or involves a large amount of data, we may extend the deadline by two months.
- The individual must be informed of the extension within one month of receiving the request.
- Before extending the deadline, express permission from the DPO is required.
Handling data portability requests requires prompt and accurate provision of the requested data in a format that allows for easy transfer and reuse. By adhering to these guidelines, we ensure individuals can exercise their right to data portability effectively.
Right to erasure:
The right to erasure, also known as the right to be forgotten, grants individuals the ability to request the deletion of their personal data and the cessation of its processing. Here’s how we handle the right to erasure:
- Circumstances for Erasure:
- We will comply with the right to erasure in the following situations:
- When the personal data is no longer necessary for its original purpose of collection or processing.
- When consent for processing has been withdrawn by the individual.
- When the individual objects to the processing, and there are no overriding legitimate grounds for continued processing.
- When the personal data has been unlawfully processed or violates data protection laws.
- To comply with a legal obligation.
- When the personal data was collected from a child in connection with the offer of an online service.
- Refusal to Erase:
- We may refuse to comply with a request for erasure in the following cases:
- Exercising the right of freedom of expression and information.
- Fulfilling a legal obligation for the performance of a public interest task or the exercise of official authority.
- Public health purposes in the public interest.
- Archiving purposes in the public interest, scientific research, historical research, or statistical purposes.
- The exercise or defense of legal claims.
- Data Recipients:
- If the erased data has been shared with other parties or recipients, we will inform them of the erasure request and their obligation to erase the data.
Respecting the right to erasure ensures individuals have control over their personal data and can request its removal when appropriate and lawful.
Right to object:
Individuals have the right to object to the processing of their personal data when it relates to their specific situation. Here’s how we handle the right to object:
- Grounds for Objection:
- If an individual objects to the use of their data, we must cease processing unless we can demonstrate compelling legitimate grounds that override their interests, rights, and freedoms. Where the objection concerns direct marketing, we must stop that processing without exception.
- However, if the processing is necessary for the establishment, exercise, or defense of legal claims, we may continue processing.
- Notification and Online Objection:
- We must inform individuals of their right to object at the first point of communication, typically in the privacy notice.
- We must provide individuals with a convenient way to object online, ensuring a smooth and user-friendly process.
Right to restrict automated profiling or decision making:
We may engage in automated profiling or decision making that significantly affects individuals only under certain circumstances. Here’s how we handle this right:
- Permissible Circumstances:
- We may carry out solely automated decision making (including profiling) with legal or similarly significant effects only where it is necessary to enter into or perform a contract with the individual, is based on the individual’s explicit consent, or is authorized by law.
- Providing Detailed Information:
- When engaging in automated processing, we must provide individuals with detailed information about the process.
- We must offer simple ways for individuals to request human intervention or challenge decisions made about them.
- Regular Checks and Testing:
- To ensure the accuracy and fairness of our automated systems, we conduct regular checks and user testing.
Respecting the right to object and restricting automated profiling or decision making ensures that individuals have control over the use of their data and can challenge decisions that significantly impact them.
Using third-party controllers and processors:
When we engage third parties as processors to handle personal data on our behalf, or share personal data with other controllers, we must ensure that written contracts are in place. These contracts should include specific clauses that outline the liabilities, obligations, and responsibilities of both parties involved.
For data controllers:
- As a data controller, we are responsible for selecting processors that can provide sufficient guarantees in compliance with GDPR.
- We must ensure that the rights of data subjects are respected and protected by the processors we appoint.
For data processors:
- As a data processor, we act solely based on the documented instructions provided by the data controller.
- We acknowledge our responsibilities as a data processor under GDPR and commit to protecting and respecting the rights of data subjects.
By establishing these contractual relationships and adhering to GDPR requirements, we ensure that personal data is handled securely and in compliance with applicable regulations.
Our contracts with data controllers and processors must meet the standards set by the Information Commissioner’s Office (ICO) and, where possible, incorporate the standard contractual clauses available. These contracts should clearly outline the subject matter and duration of the processing, the nature and purpose of the processing activities, the types of personal data and categories of data subjects involved, as well as the respective obligations and rights of the controller and processor.
Key terms that should be included in our contracts are:
- Acting only on written instructions provided by the controller
- Imposing a duty of confidence on all personnel involved in the processing
- Implementing appropriate security measures to safeguard the processed data
- Obtaining the prior consent of the controller and establishing written contracts when engaging sub-processors
- Assisting the controller in responding to subject access requests and facilitating the exercise of data subjects’ rights under GDPR
- Assisting the controller in meeting its GDPR obligations regarding security of processing, data breach notifications, and Data Protection Impact Assessments
- Obligations to delete or return all personal data at the end of the contract
- Submitting to regular audits and inspections, and providing the information necessary to demonstrate compliance with legal obligations
- Ensuring that neither the controller nor the processor engages in activities that would infringe on GDPR requirements
Criminal offence data:
When conducting criminal record checks, we must ensure that these checks are justified by law and not based solely on the consent of the subject. It is important to note that a comprehensive register of criminal convictions may be kept only under the control of official authority; Rocketfuel Social must not maintain one. Although criminal offence data is not itself a special category of personal data under GDPR, it is subject to comparable safeguards and must be treated with the same care as special category data under this policy. Prior approval from the DPO is required before carrying out any criminal record checks.
Audits, monitoring, and training:
Regular audits and inspections should be conducted to assess compliance with data protection policies and procedures. This includes monitoring the processing activities, assessing the effectiveness of security measures, and identifying areas for improvement. Adequate training should also be provided to staff members to ensure they are aware of their data protection obligations and understand how to handle personal data securely and in compliance with GDPR.
At Rocketfuel Social, regular data audits are conducted to manage risks and maintain a comprehensive data register that includes details about the data we hold, storage locations, usage, responsible parties, and relevant regulations and retention periods. It is your responsibility to conduct these audits as directed by the Data Protection Officer (DPO) and established procedures, ensuring that our data practices remain transparent and compliant with data protection requirements.
Monitoring and Training
Compliance with this policy is mandatory for everyone at Rocketfuel Social, and the Data Protection Officer (DPO) holds overall responsibility for ensuring its implementation and enforcement. The company will periodically review and update this policy as necessary. It is your duty to promptly report any breaches of this policy to the DPO. You are expected to fully comply with this policy at all times.
To ensure adequate understanding and adherence to data protection laws, you will receive comprehensive training tailored to your specific role. It is mandatory to complete all assigned training sessions. In the event of a job transfer or change in responsibilities, it is your responsibility to request appropriate data protection training relevant to your new role. If you require additional training or have any inquiries regarding data protection matters, please contact the DPO.
Reporting Breaches and Failure to Comply
Any breaches of this policy or data protection laws must be reported promptly once they are identified. Rocketfuel Social has a legal obligation to report personal data breaches to the appropriate supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where a breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. It is the responsibility of all staff members to report any actual or potential data protection compliance failures, enabling us to investigate and take necessary remedial actions. A register of compliance failures will be maintained, and material failures will be reported to the supervisory authority. Failure to report a breach or to follow the correct reporting procedures will result in disciplinary action. Please refer to our designated reporting system for the reporting procedure.
Compliance with this policy is of utmost importance, and any failure to comply puts both individuals and the organization at risk. Non-compliance with the policy may lead to disciplinary action, including possible dismissal, in accordance with our procedures. If you have any questions or concerns regarding this policy, please reach out to the Data Protection Officer (DPO) at Rocketfuel Social.