The GDPR law grants the public increased rights and imposes rules on how data must be handled.
Good-Loop supports the GDPR. This policy document covers how Good-Loop handles the GDPR.
This document is for internal training. It can also be shared with external bodies on request.
Good-Loop services are hosted within the UK and the EU, and comply with GDPR regulations.
Clients can contact Support with data and GDPR issues. We will provide support and help. This is also the process for subject-access requests.
The contact for our data protection officer (DPO) is: support at good-loop.com
It is important that companies have consent from individuals to store and process their data, and to communicate with them.
Most adverts will not need extra consents.
Where Good-Loop collects personal data from users, for example emails for a mailing-list, we do so on an opt-in basis.
Good-Loop stores all data on secure servers. Please see our Security Policy for more details.
If you suspect a data breach, you must notify Good-Loop support straight away.
The GDPR places legal obligations on handling data breaches, including time limits for responding. We aim to respond strictly faster than this in the event of any data breach.
If we suspect a data breach we will notify affected clients within 24 hours. We would then work with the affected client to identify the scope of the breach and take remedial action.
Good-Loop has not had a data breach in its history.
We maintain a register of data breaches and near misses here.
Good-Loop staff and sub-contractors who handle personal information or confidential client data must take appropriate care to prevent unauthorised people from accessing the data.
Individuals ("data subjects") can contact a Good-Loop client with various requests. The client should lead the response to a data subject request, with the Good-Loop support team available to help clients handle these.
This does not apply to our activities.
Good-Loop's databases support filtering by individual. When responding to a subject-access request, you must first verify the identity of the data-subject (to avoid releasing potentially private data incorrectly).
Individuals should contact us by email, and we will make corrections as requested. However we will first verify the identify of the person making the request.
Please contact the support team, who can erase the data from the system. As this is not reversible, the support team must first verify the identity of the data-subject and the range of data to be deleted.
Erased data will instantly vanish from front-end use. It will take one month for all data to be removed from the system.
Contact support by email, and we will arrange a data export.
We do not recommend using Good-Loop services as part of automated decision-making about a person that has legal or similar significant effects for that person. We are not aware of any clients who do so. If you should wish to do so, please check GDPR regulations.
Good-Loop acts as a Data Processor for its clients. We support the aims of the GDPR and we fully accept our responsibilities as a Data Processor. In order to comply with the requirements of Article 28 of the GDPR:
- As a Data Processor, we will only act on the instructions of the Data Controller (unless required by law to act without such instructions).
- All people processing the data within our organisation, whether they are staff or contractors, agree to confidentiality clauses.
- We take data security seriously, and take appropriate measures to ensure the security of processing (please see our security policy for more detail).
- We will only engage a sub-processor with the prior consent of the Data Controller and with a written contract.
- We will assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
- We will assist the Data Controller in meeting its GDPR obligations in relation to the security of processing (Article 32 GDPR), the notification of personal data breaches (Article 33 GDPR), and data protection impact assessments (Article 35 GDPR).
- We will delete or return all personal data to the Data Controller as requested at the end of the contract.
- We agree to reasonable audits and inspections, and to provide the Data Controller with whatever information it needs to ensure that we are both meeting Article 28 obligations.
- We will tell the controller immediately if asked to do something infringing the GDPR or other data protection law of the UK, the EU, or a member state.
We do not send unsolicited email or similar electronic messages. All such communications are done on the basis of the user opting in. The user can unsubscribe at any time.
Please also see the following relevant policies: