Synergy Print Management Services Limited (Synergy)
- Section 1) General Overview – covering ‘general’ data collection, receipt and processing
- Section 2) Data Protection & Processing for Customer-Supplied Data
- Section 3) Website Privacy
The policy is effective from 23rd May 2018
Terms used within this policy
Data Controller: For the purpose of avoiding ambiguity, the ‘data controller’ is deemed by SYNERGY to be the ‘provider’ of the data, and not necessarily the ‘owner’ of the data, unless otherwise stated by the provider; such as in the case where the provider wishes us to communicate directly with the data owner with regard to processing requirements. The ‘controller’ is not necessarily always the ‘customer’.
Data: Any form of information from which an individual may be identified (personally identifiable information), most commonly – for purposes of this policy – a data or print file or document containing names and addresses.
Data Processor: An organisation (or person) who ‘processes’ data either for themselves or on behalf of someone else. For example, in the scenario whereby SYNERGY has received a data file from a customer for use with a mailing campaign, SYNERGY is the processor
GDPR: General Data Protection Regulation – new data protection legislation in force from 25th May 2018.
Hard Copy: Data/Information that has been supplied in a non-electrical format, such as pre-printed letters.
This policy is, at the time of writing, an accurate and correct reflection of our data practices, and serves as the best possible representation of our operations. This policy is subject to regular review and is subject to change in view of changes to data protection legislation and/or any subsequent changes to our service provision.
SECTION 1 – GENERAL OVERVIEW
Data Protection & GDPR Statement
It is important to us that any party from whom we collect or receive data, or share data with, for any purpose, has full and total confidence in our ability to receive, collect, store, handle, process and destroy data and specifically Personally Identifiable Information (PII) professionally, accurately and in accordance with all data protection legislation, in particular GDPR, whilst doing so with full transparency and with respect to individual rights.
Our policies and procedures are regularly and routinely updated to ensure compliance with all newly implemented legislation. As a result, all our policies have been updated to ensure full compliance with the General Data Protection Regulation (GDPR).
Any processing of data carried out by our organisation is either carried out with us as the processor, and therefore processed on behalf of a customer and under their own legal basis, or in cases where we are the controller under the legal basis of Legitimate Interest.
Policy Purpose & Scope
This policy refers to, and indeed aims to protect, all parties (i.e. employees, job candidates, customers, suppliers, website visitors, etc.) who provide any amount of information to us for any purpose. All representatives of Synergy, including employees, directors, shareholders and contractors, are obligated to adhere to this policy at all times.
As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable, including (but not limited to) names, addresses, usernames, passwords, dates of birth, age, gender, various membership information, email addresses & digital footprints, photographs, and demographic, lifestyle and financial data.
Our company collects and/or receives this information in a transparent way and only with the full cooperation and knowledge of interested parties.
To avoid any unnecessary ambiguity with regard to our use of data in general, it should be noted that we never do anything with data that we collect ourselves or are provided with by any party (i.e. customer-supplied data), other than as outlined or agreed at the point of collection or receipt, and in the case of customer-supplied; as instructed by the data controller.
Further to this;
Our data will be:
- Accurate and kept up-to-date
- Collected fairly and for lawful purposes only
- Only used for the original and agreed purposes of its collection or supply
- Processed by the Company within its legal and moral boundaries
- Protected against any unauthorised or illegal access by internal or external parties
Our data will not be:
- Communicated informally
- Stored for more than a specified amount of time as required by its intended purpose.
- Transferred to any third-parties, organisations or countries that do not have adequate data protection policies
- Distributed to any party other than the ones agreed upon by the data’s provider/owner
In addition to ways of handling the data the Company has direct obligations towards people to whom the data belongs. Specifically we can:
- Let people know which of their data is collected
- Inform people about how we will process their data
- Inform people about who has access to their information
- Have provisions in cases of lost, corrupted or compromised data
- Allow people to request that we modify, erase, reduce or correct data contained in our databases
To exercise data protection and privacy compliance we are committed to:
- Restrict and monitor access to sensitive data
- Develop transparent data collection and receipt procedures
- Train employees in privacy, confidentiality and security measures
- Build secure networks to protect online data from cyberattacks
- Establish clear procedures for reporting privacy breaches or data misuse
- Establish strong and suitable data protection practices (such as document shredding, secure locks, data encryption, frequent backups and careful access-authorisation management.)
- Ensure that our data protection provisions are viewable on our website.
All principles described in this policy must be strictly followed and adhered to. Any breach of data protection guidelines will, dependent upon the nature of the breach and the parties involved, invoke disciplinary and/or possible legal action.
Notes for customers:
What is the Data Processing Agreement?
The DPA is a legally drafted document designed to represent our adherence to the lawful, accurate, and transparent management of customer-supplied data.
By ‘management’ we refer to all aspects of data management from receipt, authorisation and protection through to processing and eventual deletion/destruction.
The DPA is a legally binding ‘contract’ between us and our customer, which enforces the measures by which we are to abide to our own data protection and processing policies and procedures, and those as governed by data protection legislation.
By signing this document, our customers can have full confidence that we will handle and ‘process’ their data, on their behalf, lawfully, transparently, accurately and in total compliance with not only their own instructions, but also with current data protection legislation as set out within the General Data Protection Regulation (GDPR).
SECTION 2 – Data protection and processing of customer-supplied, project-related data.
This section specifically covers our management of all data supplied to us, by our customers or any data controller, for use within their mailing, ecommerce or print projects.
We place a strong emphasis on the use of good data, maintained correctly and secured efficiently and sufficiently.
We operate to a set of stringent data procedures and confidentiality measures, which along with this policy form the foundations of our processing guidelines.
Further to this we have a Data Processing Agreement (DPA) that should be signed by both us and our customer; giving our customer total reassurance and confidence that their data is being handled in accordance with current data protection legislation, in particular the GDPR.
Clients are encouraged to sign the DPA to further emphasise our commitment to best data practices. This new agreement replaces our older Data Protection & Usage Disclaimer.
However, it should be stated and noted here that not signing the DPA does not result in any non-compliance, we operate to the conditions as set out within the DPA regardless of whether this document has been signed by our customer, and further, our general terms of business as documented within our terms and conditions specify our obligations under data protection and GDPR legislation, and this forms the most legally binding part of any contract of work between us and our customers.
Segment brief and purpose:
This segment of the policy is designed to outline the key procedural measures by which we receive, store, handle, process and destroy customer-supplied data prior to, during and following a customer mailing or print project.
This policy refers specifically to all data received by our customers for use within their projects. For all other forms of data collection and handling please refer to Section 1.
Customer-supplied Data and GDPR – Disclaimer
It is the duty of the Data Controller, and not Synergy (as the processor) to ensure that the correct legal basis has been identified prior to the processing of any customer-supplied data.
It is further the sole responsibility of the Data Controller to ensure that the data provided to Synergy is accurate, and that any required consent has been obtained prior to its supply.
Synergy can and will perform any removal work of opt-outs or screening against suppression files such as the Mailing Preference Service if requested to do so by the Controller or Customer.
Synergy cannot be held liable for any breaches of data protection legislation caused by inaccurate data as supplied by the Controller, or the Customer on behalf of the Controller.
Types of Customer-Supplied Data
Customer-supplied data refers to any form of personally identifiable information given to us by our customers, to be used to send mailing correspondence or ecommerce items to.
Examples of customer-supplied data are as follows:
- Databases containing names and addresses of mailing recipients
- Information of online customers which may contain names, addresses, information regarding items purchased, email addresses and in some rare cases, payment information.
- Pre-printed letters or personalised material
- Print-ready electronic files, such as PDFs containing personalised letters/documentation.
It should be noted that for the purpose of consistency and to avoid any potential for misunderstanding or ambiguity with regard to this policy, and the procedures we operate by, that all data and information received by us for the purposes of customer-initiated projects, be them for direct mail, general print, general packing or ecommerce order fulfilment, is regarded and treated by us with the same degree of importance, and furthermore is ‘processed’ under the same guidelines, and with the same adherence to this policy, and all related documentation (including our general terms and conditions) and any and all current data protection legislation.
Data Usage Statement
We only use your data for the purpose(s) you intended it for.
We never do anything with the data other than what has been instructed or what has been discussed with yourselves prior to the commencement of the project.
Further, data is never passed on, supplied, or sold to third-parties, other than those parties for whom supply of the data is necessary in order to meet the objectives of the project requirements. We only use such companies after viewing and agreeing with their own data usage terms.
The data is deemed at all times to be the sole property of the original source, and the owner/provider may request or instruct us to destroy it at any time.
All staff must agree not to make any copies of datasets unless required as a direct process of the work being undertaken. Employees are not permitted to take any data of the premises, unless taking the data to an external supplier or client for a purpose related to the work being undertaken. Employees are not permitted to discuss or acknowledge anything related to the data they have seen at work in outside conversations with persons not involved in the work being undertaken. Employees are to treat EVERY data file as confidential whether they or the client regard it as such or not.
Clients can, if deemed necessary sign a Confidentiality Agreement with Synergy Print Management for any work being undertaken and all related items, including data.
Data should always be supplied to us in an encrypted format. Though this is at the discretion of the supplier SYNERGY cannot and will not be held liable for any data breaches on files during transit to us.
All data should be received by an authorised Account Manager who is deemed to have responsibility for that particular customer account or project.
If data has been received by a different member of the team, i.e. the Print or Data Manager, then this individual is to inform the Account Manager immediately, and between them they are to follow the procedures as outlined in the Company’s Data Procedure guidelines.
Data can be supplied to us in the following ways:
- Portal: Via our secure membership portal. All members are given the option to use the portal and if they wish to do so are given their own log in details
- We appreciate that some customers do not feel comfortable sending private data via email, and we understand this, however in all our years of trading we have never once had any privacy breaches via the use of email, however we always advise that data supplied via email (and indeed by any other method listed here) is encrypted, professionally and sufficiently (with encryption passwords supplied separately or via other means of communication). Using this method email can be regarded as safe as any other method.
- By post (on media storage formats such as CD or USB drive)
- In person (clients are welcome to physically bring the data to us on their chosen format)
- Our FTP/SFTP server – you may use our FTP server to upload files to us once we have created an account for you.
- Your FTP/SFTP server – If you prefer to use your own file transfer server, please just send us the connection details.
- Hard Copy / Pre-printed: we can accept any form of hard copy data, for either input into a computerised version or to be included in a mailing.
- Via the use of web-based services: There are now many services on the internet which offer secure file transfer. These are very popular and useful when sending large files which are too big for email. Most of the more reputed services available are perfectly secure, and many of our customers have been using such services for many years – you should ensure that whichever site you choose you have seen their terms so that you can be sure both they and you are covered with regard to GDPR.
- We can set up and share password protected cloud-based Dropbox folders. This service allows multiple users to share files quickly and easily.
- Invitation-accessed shared cloud services: There are also a number of ‘cloud’ services now available, (i.e. Dropbox) which allow multiple users to share files quickly and easily. Such services are very effective for people needing to work on the same files across large distances, they are also a great means of file transfer.
Data Storage & Security
When the premises are not occupied by authorised personnel then all fire exits, entrances and windows should be securely locked, with the site intrusion alarm properly set.
Only visitors with managerial authorisation are permitted access to the site, and only under the guidance and supervision of a member of the SYNERGY management or an authorised account manager.
Entrances are to be kept secure at all times during work hours, ensuring that individuals, such as delivery drivers for example, are not able to enter the building without permission.
Synergy uses a data server protected with professional encryption and network domain access.
All digital data must be stored on the Company’s main computer network at all times and must not be removed from the site unless to store a backup in a locked and secure environment. The input of data onto computer must take place on the Company’s premises at all times. On receipt, all data files should be placed into a secured folder on the data server. The folder should be within the existing folder for that particular client and that particular job, if a folder does not already exist then one should be created.
It does not matter how the data has been received, the procedure is to always remain the same – instantly secure and save it in a place on the data server / network where it can only be accessed by those who are authorized to see it.
All files received should be saved directly to the job folder ONLY – and NOT onto the individual’s computer hard drive. The data server should hold all data, which in accordance with the data protection policy can then be backed up and secured. Account Managers are NOT permitted to hold clients files (of any type) on their individual computers, instead ALWAYS saving the files onto the data sever where they can be properly and securely protected.
Access to Information
Access to digital data kept on the Company’s network is only given to those who need access
due to their involvement with the project to which the data is related. Any employee wishing to access data held on the Company’s network will only be able to do so after successfully logging into their own network account (or an administrative / generic account as authorised by a member of the Synergy management team). To adhere to data protection acts Synergy initiates a policy whereby digital data must be deleted from the main computer network within one month following the completion of the project to which it refers – unless otherwise requested by the client who owns the data.
Because of the nature of the work that Synergy carries out on behalf of its clients, one month is considered the optimum length of time allowed to pass before allowing the destruction of project related data files.
This does not include data that is held permanently by Synergy on behalf of a client for a monthly management fee, or data held at the request of clients for use in future mailing campaigns.
Third Party Use
On occasion it may be necessary to temporarily pass customer data to a third party for the provision of certain project-related services, such as when screening against suppression files, or in some rare cases when specific services are to be provided that cannot be completed entirely by SYNERGY in-house. SYNERGY ensures that it only uses legitimate and reputable businesses to carry out such work, under agreed terms and conditions, and in line with the GDPR.
Continuity Plan and Backup
Synergy, like any company, must constantly adhere to a strict backup procedure to aid in the unlikely but always possible scenario whereby a specific event results in the loss of hard and/or digital files. Therefore, Synergy must carry out a backup procedure for its digital file network that is briefly described below.
The control and monitoring of the company’s backup procedure is the responsibility of an authorised member of the I.T team. Synergy operates a daily and weekly backup routine cycle, whereby actively in-use project files and recently completed project files are backed up to both an internal backup source and a specially encrypted off site backup source once a day, with a full archived backup inclusive of older files being backed up once a week.
Synergy no longer backs up customer supplied data as part of its backup routine. Print setup files, artwork, and other non-confidential information is backed up in relation to the ongoing work of a project, however the client supplied data itself is not if it is deemed too confidential
In any such case where the servers become corrupted or fail, the data for a current project
would therefore be resupplied by the customer. This policy ensures that customer-supplied data is never taken off the main domain server.
Further to this the File Server which holds all data files operates on a mirrored RAID storage system to protect against any sudden hardware failures that could result in the loss of important data.
The long term archive is mainly for artwork files and Synergy’s own internal files and systems. Client supplied Files are not archived. ALL archived and Backup files MUST be encrypted with a high security level, and ONLY accessed by a member of the management team, or any other employee who has been authorised by a member of the management team, or is being overseen by a member of the management team, for purposes only related to the tasks being undertaken to complete project/work related processes.
Destruction of Data
It is important to note that Synergy abide to a strict internal regime whereby client data, unless otherwise requested, is only kept on the company network (data server) for up to a maximum of one month following the completion of a project unless the client has agreed an extension to this, or has agreed a monthly management fee with Synergy, or unless the client has specifically requested the data be archived for use in future projects. During this time if the client requests the data back, Synergy is to oblige at all times. If after 30 days no instruction from the client has been received with regard to the storage of their data then for data protection reasons it is digitally destroyed. If the client requests the destruction of their data prior to the 30 days then again Synergy is to oblige immediately.
Mobile Phones/Tablets: iPhones, Androids, Blackberries, etc
Mobile phones and tablets usually do not have a standardised way to securely delete or remove their data. However, most will have a “hard reset” or “cold reset” button which will remove software and restore the handheld device to factory default settings.
After resetting the handheld, check to ensure that no company data remains on the phone before discarding.
PCs, Laptops, Hard Drives and Flash Memory Devices, USB/memory sticks and SD cards
Whenever retiring old desktop computers or laptops, it is important to securely overwrite data on their hard drives and flash memory devices.
CDs, DVDs, Blu-Rays, and other tape storage drives
All optical and tape media should be physically destroyed when they are no longer necessary.
SECTION3 – Website Privacy
We collect information from visitors to this website using online forms, email hyperlinks and anytime you email us. We also collect information about transactions you undertake through the Synergy Print Cloud portals, including payment details.
We collect additional information automatically about your visit to our website that helps us which pages are of interest to you.
Use of personal information
We process personal information collected via this website for the purposes of:
- providing and personalising our services to you
- dealing with your inquiries and requests
- administering orders and accounts relating to our suppliers or customers
- administering membership records
- crime prevention and prosecution of offenders
- maintaining information as a reference tool or general resource
- providing you with information about products and services
We will send you information according to the preferences you submitted via our data capture form. If you would like to change these preferences at any point, please contact us at firstname.lastname@example.org. Alternatively, you can also write to us at Synergy, 57, Britannia Way, Lichfield, Staffs WS14 9UY
A cookie is a small piece of information sent by a web server to a web browser, which enables the server to collect information from the browser. Find out more about cookies on www.allaboutcookies.org.
Most browsers will allow you to turn off cookies. If you want to know how to do this please look at the menu on your browser or look at the instruction on www.allaboutcookies.org. Please note however that turning off cookies will restrict your use of our website.
Please note that your data will never be passed to any third parties for marketing purposes.
Your information may be used to send you details of those products or services that we offer that we have identified as likely to be of interest to you; this is in accordance with the preferences that you have indicated when completing one of our online forms or data capture forms. We use telephone, direct mail and email marketing channels and will only use your information for legitimate interests regarding Synergy marketing.
If at any point you would like to opt-out of receiving communications from us, or would like to change the channels (such as email, post or telephone) that we use to contact you, please contact us at email@example.com. Alternatively, you can also write to us at Synergy, 57, Britannia Way, Lichfield, Staffs WS14 9UY
Membership mailings and direct mail
Data for membership mailings and direct mail that requires the use of personal details (such as name, address, etc) are passed to our mailing houses for processing where this data is downloaded from our secure client portal and destroyed after use. The data is retained on our Synergy servers for a period of 4 weeks before destruction for reprints or print queries.
We will not share your data with third parties except as required to do so by government bodies and law enforcement agents.
How we protect your information
The privacy and protection of your information is important to us. Personal information collected by our website, or collected by a member of our team following communication with you, is held securely on our network and is never sold or passed to any third party, unless as instructed by you.
Who has access to the information?
Access to your information is never provided to third parties other than those parties for whom supply of the data is necessary in order to meet the project requirement objectives. All third party supplier used by Synergy are fully GDPR compliant. We may also disclose your information in response to a court order or when requested to do so by law.
We may disclose your information in connection with disputes, for instance with regard to any monies you may owe to us, and to law enforcement authorities whenever we deem it appropriate or necessary. Please note we may not provide you with notice prior to disclosure.
Methods we use to protect your information
We follow Data Protection Guidelines (including GDPR) to protect the confidentiality of your personal information. In addition, our business practices are reviewed periodically for compliance with legislation governing the security and confidentiality of our information. Our business practices limit employee access to confidential information and limit the use and disclosure of such information to authorised persons.
How you can access your information
You can request access to all your personally identifiable information maintained by us, by writing to us at the address provided on the final page of this policy, or by sending an e-mail to the address provided on the same page. Upon request we offer you the ability to have inaccuracies corrected in your personally identifiable information. You can have this information corrected by contacting us as outlined above.
By using our website, you consent to the collection and use of your personal information as described within this policy
This policy was written to protect the interests of both Synergy Print Management Services Limited, and all parties with whom information may be shared, received, supplied and processed. If you feel that any of the information provided is incorrect or unlawful, then you should contact us immediately using the contact details provided below.
This policy is subject to change in accordance with changes in data protection legislation, and also in accordance with our own internal procedures and operations. If the policy changes we will immediately update this document and provide an updated copy to all parties, as well posting an updated version on our website.
Any individual or organisation has the right to view any information that Synergy holds about them, and we will provide access without question or delay when requested, provided we are able to do so, and also provided that we are allowed to do so by law.
Whilst we have done our utmost to ensure we have included as much information as possible, with regard to our data protection measures, and equally attempted to ensure we have covered each and every aspect of this subject, it is possible that we may have missed something. If you feel this to be the case, or anything is unclear, then please contact us using the details below.
All queries, questions, comments or complaints should be made in writing to:
Mr Matthew Fillingham
Synergy Print Management Services Limited
57 Britannia Way
Emails can be sent to: firstname.lastname@example.org
For general enquiries regarding Synergy Print Ltd services, please call 01543 257257
Synergy Print Management Services Ltd is Registered in England and Wales no 4013121. Vat Reg. GB 715 7215 45.