BLOOMREACH GLOBAL PRIVACY PRINCIPLES
Our Guiding Values for Data Privacy
The privacy of individuals whose personal information we process, whether on behalf of others (like our customers and their end users) or within BloomReach is extremely important to BloomReach.
Set out below are the privacy principles (“Principles”) we will apply globally whenever we collect, use or manage personal information across our products and services and across the BloomReach group of companies.
The purpose of these Principles is to set minimum standards for how we must process personal information to ensure that we are operating consistently across the organization and in accordance with applicable laws.
The Principles apply to all BloomReach staff members and inform how we develop our products and services; manage data we collect; select and interact with our partners; and shape our public policy.
1. TRANSPARENCY: We must be open and honest about how and what data we process
We must always be transparent with individuals and other parties from whom we collect personal information. This means we must provide such individuals with concise, transparent and easily accessible information about how and why we use and share their personal information; and any further information necessary for our use to be fair and compliant with applicable law. The information we provide must be sufficient for them to make an informed decision about the uses of their personal information.
When we collect information directly from individuals, we must provide notice at the point (or as soon as reasonably possible after) that personal information is collected. If we collect personal information from someone other than the individual (for example, from LinkedIn or other publically available sources), we must inform the individual at the earliest opportunity unless this is impossible or involves disproportionate effort.
2. LEGITIMATE BUSINESS PURPOSES: We must only use personal information for specified, fair and lawful purposes
We must only process personal information if we can show we have legal grounds to use the information and must process that data in a lawful and fair manner.
Where possible, we should rely on non-consent based grounds (like reliance on our legitimate interests or performance of our contractual obligations) and avoid relying on consent to process personal information unless legally required.
We must only collect and use personal information in a manner that is consistent with the notice provided to individuals at the time of collection.
We must only share an individual's personal information with third parties if we have the necessary permissions or there is a legitimate business need to share the personal information.
3. INDIVIDUAL CHOICE AND CONTROL: In certain situations, we must obtain individual consent to process personal information and provide individuals with controls regarding the processing of their personal information
In certain situations, we may be required to obtain an individual’s consent prior to processing their personal information. For example, the law requires that we seek individuals' consent for the collection, use or disclosure of ‘sensitive’ personal information, such as health and financial information, genetic data, geo-location data, biometric data used for the purposes of uniquely identifying an individual, and personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or sexual orientation.
Further, if we intend to use or disclose personal information in ways other than those described at the time of collection, or other than as required by law, we may also need to seek an individual’s prior consent.
If we collect an individual's consent, we must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Privacy principles also promulgate giving individuals control over the personal information organizations collect from them and how it is used. In some situations, we may want to give individuals the right to opt-in or opt-out of certain functionality or features which involve the collection of personal information.
We must only send direct marketing messages to individuals in accordance with their marketing preferences and in compliance with direct marketing laws. We must also allow individuals to opt-out of direct marketing from us at any time.
4. DATA MINIMIZATION: We must only collect necessary and relevant personal information
We must only collect personal information for a legitimate business purpose and must only collect as much personal information as is needed for and relevant to that purpose. We must take care to ensure that our products, services and business processes are designed to collect the minimum amount of personal information.
5. ACCOUNTABILITY: We are accountable for how we and our service providers process personal information
We must remain accountable for how we process personal information, whether that personal information is collected directly by us or whether we process that personal information on behalf of our customers. We are also accountable for the processing of personal information by our service providers or other entities that we use to process personal information on our behalf or in our name.
We must have procedures in place to demonstrate our compliance and accountability with the Principles when handling personal information, along with evidence to demonstrate that such procedures are monitored, evaluated and any necessary measures or changes implemented. Such procedures should include, maintaining certain records regarding all personal information for which we are responsible or for which we handle on behalf of our customers.
6. RETENTION/DELETION: We must not use and retain personal information for longer than is necessary
We must only keep personal information where we have a genuine business or legal need to do so and for the purposes notified to the individuals or the other parties from whom we process personal information. We must not keep personal information indefinitely. Once personal information is no longer required for the purposes it was collected or becomes obsolete, it should be deleted or securely destroyed, unless otherwise required by law. Every reasonable step should be taken to delete or rectify inaccurate data.
Where we process personal information on behalf of our customers as a data processor, we only process and retain such personal information for as long as our customer instructs, unless otherwise required by law or to manage an ongoing business relationship.
7. ACCURACY: We must keep personal information accurate, complete and up to date
We must take all reasonable and appropriate measures to keep the personal information we process accurate, complete and up to date. Such measures shall include periodically requiring the source of personal information, whether the individual or otherwise, to verify the accuracy and completeness of the personal information in our records and where possible, providing self-service tools that enable individuals to update their personal information in our records.
8. CUSTOMER INSTRUCTIONS: We must comply with our customers' processing instructions
Where we collect, hold and use personal information on behalf of our customers, we must use that personal information only as instructed or authorized by our customers, and not for our own (or anyone else's) purposes. We must maintain the confidentiality and security of our customers' personal information at all times in accordance with our contractual obligations to them. If we receive any questions or requests relating to personal information we use on behalf of our customers, we must inform the relevant customer and assist them to respond to that request.
9.INDIVIDUAL ACCESS RIGHTS: We must respect individuals’ rights and choices
Individuals have certain rights and choices relating to the use of their personal information, including the right to request that we confirm certain information about the personal information we hold about them. They can also ask us to correct any inaccurate personal information we hold or to delete their personal information.
In some territories (like the Europe Economic Area), individuals are entitled by law to be supplied with a copy of any personal information held about them. In certain limited circumstances, they may also be entitled to request that we transmit their data to another third party.
We must respond to questions, complaints and requests from individuals or the third parties from whom we collect personal information relating to the exercise of such rights without undue delay and in accordance with law.
In addition and where required by law, we must allow individuals to refuse the use of their personal information for direct marketing purposes, both before and after their personal information has been collected. We must always respect marketing preferences expressed by individuals.
Where we process personal information on behalf of our customers, we will assist any customer as necessary to comply with any individuals request to exercise their rights.
10. SECURITY AND BREACH NOTIFICATION: We must use appropriate security safeguards and ensure security breaches are appropriately notified
We must apply appropriate physical, technical and administrative security measures to protect personal information we process from unauthorized or unlawful processing or disclosure, and from accidental loss, destruction or damage.
When engaging a third party vendor to collect, store or use personal information on our behalf, we must impose strict contractual obligations on them dealing with the privacy and security of that information.
We must ensure that where required by law, security breaches are notified to the applicable regulators and/or the affected individuals without undue delay in accordance with applicable law.
11. INTERNATIONAL TRANFERS: We must ensure protection for international transfers of personal information
Some territories do not allow transfers of personal information to other territories unless an adequate level of data protection exists for the personal information on its receipt.
We must not transfer personal information internationally unless we have first taken appropriate steps, such as the European Commission's approved contractual clauses (the so called "model clauses"), to protect the personal information being transferred.
12. PRIVACY BY DESIGN: We must implement appropriate measures to ensure the principles of privacy by design and default are embedded into our processes and systems
We must adopt internal policies and implement measures which meet and embed the principles of data protection by design and by default.
This means that when we are designing, developing, and operating products, services and business processes, we should understand what personal information will be processed, how it will be processed, why it is being processed in the way that it is and where possible, minimize the processing of personal information and pseudonymise or anonymize information as soon as possible. Privacy Impact Assessments (PIAs) where appropriate or required by applicable law, should be incorporated into product review and vendor onboarding processes.
BloomReach Inc. and its affiliates
LAST UPDATED: 18 MAY 2018