ABF Sales, Marketing and Customer Relations Data Protection Guidance (Europe)

Introduction

The protection of our customers’ personal data is of paramount importance given the trust they place in us when they supply us with their personal information. Our customers expect that we will protect their information and be transparent about how we use it. As a business, we need to put data protection at the heart of what we do. To do otherwise risks the loss of confidence in ABF by our customers. This Guidance sets out specific requirements that must be followed by all employees, contractors and temporary staff when collecting and using information about individuals (personal data) in connection with sales, marketing and customer relations.

This Guidance should be read in conjunction with the ABF Data Protection Policy (Europe), which sets out the general data protection requirements for the ABF group in Europe. The key principles of this policy are included in italics at the start of each section, followed by more specific guidance to be considered in a sales, marketing and customer relations context.

Annex 1 to this Guidance contains specific rules that must be followed when conducting telephone, email, or postal marketing.

Whilst there is a consistent theme across European data protection law, many European countries have adopted additional local measures. The Appendix to this Guidance contains additional requirements and considerations for those countries in Europe where our businesses have significant operations. The Appendix must be read with this Guidance when collecting and using personal data in those countries or carrying out sales and marketing in those countries. These country-specific differences are highlighted at the relevant point in the text below by reference to the country and the number in the Appendix where the additional local requirement or consideration is detailed.

Personal data

The law applies to “personal data”. This is information about a living person. It includes both information about them (e.g. name, age, e-mail, address, job title, sex) as well as opinions about them. We typically hold personal data about potential, current and former employees, customers and suppliers. Special precautions must be taken when dealing with sensitive personal data. “Sensitive personal data” includes information about someone’s physical or mental health (including that someone is in good health), political or religious beliefs, racial or ethnic origin, trade union membership and sexual orientation as well as genetic and biometric information. The circumstances in which this data can be collected and used are tightly restricted and no one should have access to or deal with this data unless their role requires this.

Personal data is not limited to information about private individuals but extends to information about sole traders and unincorporated partnerships. It includes factual information (e.g. name, email address, postal address, bank account information, etc.) and also opinions (e.g. on a customer complaints file). Information does not need to be confidential to constitute personal data. Personal data includes all data we have relating to a person whose identity we know or which relates to a person who we could easily identify from information in the public domain or from information likely to be shared with us by third parties (e.g. social media posts).  Personal data is not confined to an individual’s private life: job title, office telephone number, and professional details (for example) are also personal data. The fact that information is publicly available (e.g. on LinkedIn, Facebook or other social media) does not stop data protection laws applying to it.

We can’t avoid the requirements relating to personal data by segregating data into different databases or by removing an identifier (e.g. name) if other information we have, or may access, allows re-identification. Some types of information are clearly personal data, but keep in mind that this may not always be so obvious.  Consider, for example:

  • Customer lists:  a list of customers whose names have been replaced with a unique customer code relating to a specific Although this coded list may not obviously appear to be personal data, it is, in fact, personal data due to the fact that the codes are unique identifiers and we are able to identify an individual using that unique identifier;
  • Individuals’ habits:  information gathered about an individual’s online browsing or shopping habits (e.g. for the purposes of retargeted advertising). Even if you do not know the name of the particular user, the fact that you can distinguish that user from others will make the information collected about them personal data.

Key requirements

1.  Deal fairly

We may only collect or use personal data if we do so for a legitimate reason and tell the individual concerned what we are doing with their data (e.g. by privacy notices on customer and employee forms, employee handbooks and websites).

1.1  Ensure the collection and use of personal data is for a legitimate reason:

We can only collect and use personal data if we have a legitimate reason for doing this. We will have a legitimate reason if it is necessary for the contract with the individual, if this is necessary so that we can achieve our legitimate business interests (provided these interests are not outweighed by the legitimate interests of affected individuals) or where we have the consent of the affected individuals.

  • Necessary to carry out the contract with the individual: Collection and use of data for customer relations (e.g. responding to questions about delivery) may be necessary to fulfil the contract with the individual.
  • Legitimate business interests:  In most countries, we can process data for sales, marketing and customer relations where this is necessary for legitimate business interests that are not outweighed by the legitimate interests of affected individuals. In the marketing or business development context, this will usually be the case if our use of data is not unduly intrusive, it has been fully explained and individuals have been given the chance to object. Where relevant, we also need to ensure marketing consent rules are followed (see further paragraph 2 below). In some countries, there may be additional restrictions if we rely on our legitimate business interests in order to collect and use data for marketing or business development purposes.
  • Consent:  The processing of personal data may sometimes be justified on the basis of consent. However, consent can only be relied on as a legitimate basis for collecting and using personal data where it is fully informed, specific and freely given. Where consent is relied on, customers must be given a real choice and control:
    • consent language must be prominent and separate from any other terms and conditions;
    • we must explain that consent can be withdrawn at any time and inform affected individuals how they can go about withdrawing their consent;
    • we must ensure that it is as easy for individuals to withdraw their consent as it was for them to supply it;
    • the supply of goods or services must not be made conditional on giving consent to the use of personal data for other purposes e.g. marketing;
    • if we are seeking consent so that we can share contact details with other ABF businesses for their direct marketing purposes, we must name these other businesses; otherwise, any consent we obtain may not be sufficiently specific and can be called into question.

Note that the ‘use’ of personal data includes the disclosure of personal data (e.g. to other ABF entities). Ensure that any disclosure of personal data is for a legitimate reason, that affected individuals are informed about this and that consent is obtained where necessary (e.g. for direct marketing purposes) (see Annex 1 and paragraphs 1.3 and  2.1 below).

If you need to ask for more personal data or are changing how personal data is processed, always consider if this data or change is for one of the legitimate business reasons above. It may also be necessary to carry out a data protection impact assessment (see paragraph 10 below).

1.2 Sensitive personal data and criminal offences data:

We have to comply with additional restrictions when we collect and use sensitive personal data (or personal data about criminal offences). We can usually only collect and use sensitive personal data if, in addition to one of the legitimate interests set out in paragraph 1.1 above, our collection and use of the data:

  • is necessary in connection with a legal claim;
  • is necessary so that we can disclose information for use by a statutory agency in connection with its functions;
  • is necessary so that we can carry out our obligations under employment, social security or social protection law;
  • is necessary for the prevention or detection of unlawful acts[1]; or
  • is in accordance with the specific consent of affected individuals.

Sensitive personal data should not be used for marketing or business development purposes without specific consent. If you wish to use sensitive personal data for these purposes you must first consult your Data Protection Coordinator and ABF Legal.

 

It is sometimes necessary for us to collect and use sensitive personal data in order to respond to customer queries or complaints or in order to defend a legal claim (e.g. where information about a person’s health status is supplied in connection with a query or complaint about our products).  In these circumstances, the collection and disclosure of sensitive personal data should be limited to what is needed for us to deal with the specific query or complaint or to establish, make or defend a claim. We can only hold and use sensitive personal data supplied to us by customers and contacts in connection with a query or complaint if we have their consent. If a customer or contact provides us with sensitive personal data voluntarily when making a query or complaint you should ask them to confirm that we can keep a record of this information. This could be done on the telephone or in a letter or email sent to follow up the initial enquiry. Their agreement should be documented.

Seek advice from your Data Protection Coordinator if you are considering using sensitive personal data obtained in connection with sales and marketing activity other than in connection with legal claims or with the explicit consent of affected individuals.

 

1.3  Tell individuals how their information will be used

The following information must be provided to individuals:

  • the name and contact details of the entity or entities collecting the information;
  • the contact details of the statutory Data Protection Officer, if there is one;
  • the purposes for which the personal data is to be collected and used;
  • the legitimate reasons relied on to collect and use personal data (as outlined above e.g.: compliance with laws or contract, consent or legitimate business interests);
  • where the legitimate reason relied on to collect and use personal data is that this is necessary for ‘legitimate business interests,’ the specific legitimate interest that is being pursued (e.g. the legitimate business interest in dealing with customer queries, or in marketing products and services, or protecting the integrity of our IT systems) as well as the fact that individuals have a right to object to this use of their data (see paragraph 6 below);
  • where the legitimate reason relied on to collect and use personal data is ‘consent’, the fact that the individual can withdraw that consent at any time;
  • the types of organisations who will receive the data, including other members of the ABF group, and the purposes for which they will receive it;
  • the rights that individuals have in relation to their data. These rights include the right to access their personal data and to receive certain personal data in a particular format, rights to correct and to delete their personal data, the right to restrict certain uses of their personal data and to object to its continued use and the right to file a complaint with a data protection authority (see paragraph 6 below);
  • any proposed transfers of the personal data to countries outside the European Economic Area, the applicable transfer mechanism relied on to enable that transfer (e.g. an adequacy decision by the European Commission, Standard Contractual Clauses, Binding Corporate Rules or Privacy Shield) and, where relevant, how to obtain a copy of documentation recording relevant privacy safeguards;
  • the retention period or, if this is not possible, the criteria used to determine that period; and
  • the existence of any automated decision-making (see paragraph 7 below for more information on this) and meaningful information about the logic involved, in addition to the significance and potential consequences of this decision-making.

Information about how you process personal data should, in general, be provided to individuals in the form of an actively communicated privacy notice when you first obtain the personal data from them.

In relation to customers and contacts, the way we do this will vary depending on how the information is collected:

  • For information obtained via websites this information should be included in your website privacy notice;
  • For information obtained in person (e.g. at an exhibition or in store) consider supplying a short notice which refers individuals to a fuller notice posted on your website;
  • For information collected over the phone, use a short script which includes essential information about your data handling and either explain how more detailed information can be accessed online or include a fuller notice in any subsequent communication.

Data collection forms:  when using on-line or paper forms to collect personal data from customers it is important to check that the form makes clear whether the supply of any particular item of data is mandatory (e.g. because without it we cannot otherwise send them the information they’ve asked for) or is optional. You also need to explain any possible consequences for individuals if they don’t supply you with data that is optional (e.g. you won’t be able to enter them into a prize draw).  You must also check that any data you do collect is covered by your privacy notice. If this is not the case, the data collection form should include additional information explaining how the data collected in the form will be used.

If you need to ask existing customers or contacts for additional personal data, consider whether you need to provide them with additional information about the handling of this personal data. It may also be necessary to carry out a data protection impact assessment (see paragraph 10 below).

 

2.  Limit use

Personal data must be used only for the purposes for which it was collected. This means that we should not use data for any purpose which we have not informed the individual about or which would not be obvious to that individual.

  • Where information has been collected for one specific purpose, you should not ordinarily use that information for other unrelated For example, contact details of individuals who get in touch with us in connection with a product enquiry should not be used for direct marketing purposes unless they have been informed about this and have given their consent to the use of their data for this purpose.
  • Only disclose personal data to others within your function or to others within the business where that person needs to know the information in order to perform their
  • The following should be considered in relation to lists containing personal details for sales and marketing purposes:
    • Sharing marketing lists: Do not share marketing lists with other ABF businesses or third parties (other than suppliers who process the information on our behalf) unless you have made this clear to affected individuals and have their consent for this. There are a number of considerations to take into account when sharing marketing lists; consult with your Data Protection Coordinator before doing so.
    • Buying marketing lists: Particular care should be taken when purchasing marketing lists from a third party vendor and you should, therefore, consult with your Data Protection Coordinator before doing so. In addition to obtaining contractual assurances from the vendor regarding data quality and its suitability for your marketing use, you must also satisfy yourself that the vendor has put in place all necessary notices and consents by asking the vendor for samples of the consents/permissions sought and the notices given to individuals. You should also note and comply with any licence restrictions on the use of marketing lists.
  • Be aware that knowingly or recklessly using or disclosing personal data outside of the permitted purposes for which it was collected (e.g. accessing personal data databases for your own personal purposes or those of a colleague, or disclosing personal data to those who do not need to know it) is not only a serious disciplinary offence but may also be a criminal offence for which you can be
  • If you have any queries about whether a particular use of personal data is permitted or if you wish to use personal data for a new purpose, contact your Data Protection Coordinator.

3.  Don’t collect more than is required

The personal data we collect must be adequate, relevant and limited to what is necessary in relation to the purposes for which it was collected. We should not ask for more personal data than we need for the legitimate purpose for which we are collecting it.

Only collect and use information about individuals where there is a real need for the information. For example, if a marketing initiative involves sending emails to customers on their birthday, only the day and month of the birthday would be required for this purpose (not the year).

4.  Keep up-to-date

Personal data must be accurate and kept up-to-date. We should encourage individuals to inform us of any changes to their information (and update our records accordingly). We should not use personal data we suspect might be out-of-date without confirming its accuracy.

  • Ensure marketing preferences are accurately recorded and any changes to these preferences are updated as soon as possible and, in any event, within 28 days from receipt of the
  • If you become aware that contact details have changed (e.g. emails are returned as undeliverable or you receive notice that a contact is leaving their current position) or an individual gets in touch about a change in circumstances, ensure relevant records are updated accordingly and that this is handled In some cases, it may be necessary to request evidence to support a change.

5.  Don’t keep for too long

Personal data should not be kept for longer than is required in order to meet the legitimate purpose for which it was collected. It should then be securely deleted (see our ABF Information Security Policy). This requirement is subject to other laws and obligations that require us to retain information for certain periods (e.g. retention of financial or tax records).

We have in place data retention guidelines which set out appropriate retention periods for different categories of personal data we handle for sales, marketing and customer relations purposes. Ensure sales, marketing and customer relations databases (including any paper files) are reviewed periodically and that irrelevant or out of date information is deleted or securely destroyed in accordance with the data retention guidelines.

6.  Respect individuals’ rights

Individuals have a number of rights under data protection laws which we must respect.  These include the rights to request copies of their personal data; receive copies of personal data originally provided by them in a commonly used open format; ask us to correct any inaccurate data; ask us to delete or restrict our use of personal data; and object to the use of their data.

  • Objections to marketing:  Maintain a suppression list of contacts who have asked not to receive sales and marketing communications; contacts should be suppressed (rather than deleted). Take prompt action to ensure that individuals who have objected do not receive further direct marketing material. In any event, marketing communications should stop within one month of receiving a relevant objection.
  • Telephone, email and postal marketing guidelines:  Follow the guidelines in Annex 1 in relation to telephone, email, SMS or postal marketing.
  • Subject access requests:  If you receive a request from an individual for a copy of their personal data (known as a “subject access request”), contact your Data Protection Coordinator promptly (the law requires a response to subject access requests within one month (unless an exception applies) and it may be time-consuming to filter and extract the relevant data).
  • Portability Requests:  In certain circumstances, customers have the right to receive copies of personal data originally provided by them, in a commonly used open format (e.g. XML, JSON, CSV). If you receive a request in writing from an individual to exercise this right, contact your Data Protection Coordinator promptly.
  • Other customer requests:  If you receive any other requests from customers asking you to correct or delete their personal data or to restrict its use, or objecting to the holding or using of their personal data, contact your Data Protection Coordinator.
  • Free text areas: Take care when entering information into any “free-text” areas (e.g. manuscript comments for customer complaints which are stored electronically). This information may constitute personal data, and individuals to whom the text refers may have a right under data protection law to see this Information should only be entered which is relevant and appropriately worded.
  • Automated decision taking and profiling:  Do not deploy ‘automated decision taking’ techniques or profiling without first checking with your Data Protection Coordinator. Automated decision taking is where personal data is used to make decisions about individuals that are based on wholly automated assessments that involve no meaningful human review. Profiling includes any form of automated processing to evaluate or predict certain personal aspects relating to personal preferences, interests, behavior and location. This may arise, for example, when creating marketing segments and using sophisticated online targeted sales/advertising

7.  Keep secure

Personal data needs to be kept and used securely. This applies to our information systems, sites, and our day-to-day handling of personal data. The ABF Information Security Policy sets out the information security requirements that apply across ABF and advice on site security can be obtained from the ABF group Security Department.

7.1  Access:

  • Ensure that sales and marketing lists, customer complaints lists or other records containing personal data relating to customers and contacts are only accessed by members of staff that need access in order to carry out their duties. Use secure filing cabinets, access controls and passwords to ensure this.
  • Appropriate audit measures should be put in place to record access to and amendments to records that include personal data. For paper based files containing sensitive personal data, these measures should include the use of a written log to record the removal and return of relevant records. For data held in computerised systems, ask your IT department to enable auditing of access to folders you use to store personal data and any related data sharing. This is important to ensure that there is accountability for personal data.
  • If you become aware of inappropriate access to records that include personal data or attempts to access such records by unauthorised individuals, this should be reported to your Data Protection Coordinator.

7.2  Physical security and storage of documents:

  • You should clear your desk of all documents containing personal data at the end of each day. This information must be stored safely and securely in appropriate storage locations (e.g. filing cabinets).
  • Doors to areas where personal data is stored and filing cabinets which contain personal data should be locked and keys kept securely.
  • Use a shredder to dispose of waste paper containing personal data securely. If your office has confidential waste bins, use them.

7.3  Storage of electronic data, off-site working and own devices:

  • All electronic personal data should be stored on your company network and in accordance with local records management rules. Never send or transfer personal data to your personal email, never save it to a cloud service such as DropBox or iCloud and never download or copy personal data onto personal devices (e.g. desktops, laptops, mobile phones, or USB sticks).
  • For records that include sensitive personal data, consider whether pseudonymisation should be used to reduce privacy risks (i.e. the substitution of personal identifiers (e.g. name, address, date of birth) with a specifically allocated customer number).
  • Comply with your ABF business’ policy for storage of personal data on mobile devices, use of own devices and off-site working.
  • Ensure that the taking of personal data off-site by staff involved in sales, marketing and customer relations (e.g. on laptops) is controlled and that strict security rules are applied. If you are permitted to take paperwork containing personal data off-site, you should limit this to only that which is necessary.
  • Printing:
    • Use secure printing areas or locked printers where available.
    • Where available, use “follow-me” printing services so that output is only printed when you are present at the printer.
    • Collect your paperwork promptly and do not print unnecessary copies of personal data.
    • Where available, use printer settings to ensure that the correct number of sheets has been printed.
  • Transferring personal data:
    • Ensure that personal data is transferred securely, whether externally to third parties or internally within your business or to other parts of the ABF group. You must ensure that you follow the requirements set out below depending on the method of transfer you are

Sending personal data to the right person

  • When emailing, posting or faxing personal data, double-check that the right information is being sent to the correct As an extra check when sending large volumes of personal data, consider asking another authorised member of staff to check documents before they are sent.
  • Be aware that those seeking information sometimes use Before sending out personal data to any third party, be sure of their identity. This may involve carrying out checks to verify their identity, particularly if you are releasing information over the phone. If you are sending someone their own personal data, check their identity. If you are sending someone’s personal data to a third party acting on his/her behalf, ensure that you check their authority to receive the personal data about the individual. If in doubt, contact your Data Protection Coordinator.

Electronic personal data

  • Where available, use secure methods of transmission to transfer personal data rather than email (e.g. secure intranet facilities).
  • Email encryption and password protection should be used when large volumes of personal data are sent by email (e.g. transfers of large spreadsheets of data) or where personal data that might be considered sensitive or confidential is sent by
  • Consider whether pseudonymisation could be used to minimise privacy risks (i.e. the removal of obvious identifiers such as names, addresses, national insurance numbers, or dates of birth).

Faxing personal data

  • If a fax is used, as well as checking the fax number is correct, use a cover sheet marked ‘Confidential’, call ahead to advise a fax is coming (to allow swift collection) and ask for confirmation of receipt.
  • Security breaches:  In the event you become aware of an information security incident (or a suspected information security incident), notify your Data Protection Coordinator immediately and provide as much information as you have. Examples of security breaches include personal data being sent to an incorrect recipient, personal data being accessed without authority and paperwork or computers containing personal data being lost or stolen. For further information on how an information security incident is managed, refer to the ABF Data Protection Breach Management Policy and the related ABF Information Security Incident Response Framework.
  • Policies regarding information security:  Ensure that you follow the ABF Information Security Policy that sets out the information security requirements that apply across the ABF

8. Assess and monitor third parties

Before appointing a third party to collect, store or use personal data for us we must satisfy ourselves that they will act in accordance with the requirements of this policy. As part of this, we must put in place a written contract with them that requires this.

  • We are responsible for our suppliers and other third parties who process personal data for us (“data processors”). At an early stage of supplier selection, and before contracting, you should undertake the Third Party Data Processing Assessment to determine whether a third party will be processing personal data for us. Examples of data processors who process personal data for us in a marketing context include mailing houses, print houses or marketing agencies who make calls on our behalf.
  • If a third party is acting as a data processor, you will need to take the following steps:
    • Due diligence before contracting:  This is necessary to satisfy ourselves that our processors will act in accordance with the principles of our data protection and information security policies.  You must ensure that appropriate supplier due diligence is carried out so that the information security and data protection risks around using third party services are adequately managed.  You should consult your Data Protection Coordinator in relation to any data protection risks highlighted by this due diligence.
    • Contracts:  We must ensure a written contract containing approved data processing clauses is in place with all data processors.  Speak to your Data Protection Coordinator and/or ABF Legal to ensure appropriate contractual provisions are agreed.  You should also speak to your Information Security Coordinator to ensure compliance with the Group Information Security Third Party Outsourcing Policy.
    • Ongoing supplier supervision:  You should build into regular supplier/contract reviews a requirement for the third party to report on data protection matters. This could include requiring the supplier to confirm that no unauthorised use, disclosure or access of personal data has occurred and to inform us of the steps taken to train staff and to monitor compliance with data protection and information security policies.

9.  Check before transferring outside Europe

We may only give someone outside the European Economic Area (including another member of the ABF group and data hosting providers) access to or a copy of personal data if we follow certain precautions. You should speak to your Data Protection Coordinator before allowing any transfers.

Seek advice from your Data Protection Coordinator if:

  • you wish to use a third party to process personal data outside the European Economic Area (you should seek guidance not only where the third party is based outside the European Economic Area but also if data is going to be held by a third party or its subcontractors in a location outside the European Economic Area or will be accessed from countries outside the European Economic Area); or
  • you have any queries about what data may be transferred outside the European Economic Area.

10.  Embed and demonstrate compliance

We must embed the protection of personal data in our business, including through appropriate governance. As part of this, we must perform data protection impact assessments to identify and address privacy risks when we consider new initiatives or processes, or commission new systems that involve the processing of personal data.  We must also be able to demonstrate compliance to regulators, including maintaining core documents about our data handling.

  • In relation to all actions taken to comply with the requirements outlined in this guidance document, ensure that records are maintained as evidence of the actions taken. For example, records should be kept to evidence the information supplied to customers when collecting their personal data. Copies of wording used to obtain consent, where this is relied on in order to collect or use personal data, should also be retained. Records should also be kept to evidence steps taken in response to requests from customers to exercise their rights, and to evidence checks carried out regarding the capabilities and data handling practices of our service providers.
  • Records of processing:  In order to demonstrate data protection compliance it is necessary to maintain a central record of data processing activities which records key information about the way in which personal data is collected and used, including details of the purposes for which the data is used, the recipients of the data, and details of any transfers to countries outside the EEA. In the UK, if you need to process any sensitive personal data, you should first speak to your Data Protection Coordinator so that the central record of processing activities can be updated.
  • Privacy by design and default:  If you are involved in designing new processes for handling personal data or in commissioning new data handling systems or processes (e.g. commissioning a new CRM system) you must take all reasonable steps to ensure that you build in appropriate privacy safeguards, and that, by default, personal data is processed only to the extent necessary in order to achieve the legitimate business purposes. This is usually achieved by carrying out a data protection impact assessment (see below). If you have any questions about this, please contact your Data Protection Coordinator.
  • Data protection impact assessment:  We have an obligation to carry out a data protection impact assessment whenever our collection and use of personal data is likely to result in a high risk to the privacy of individuals. If you are carrying out projects or initiatives that will involve a significant change in the way customer data is handled, or you are commissioning new systems that will involve the handling of customer data, you should contact your Data Protection Coordinator and carry out a Data Protection Impact Assessment.

11.  Specific considerations for marketing

  • If your digital marketing strategy involves the use of mobile applications, speak to your Data Protection Coordinator as there are additional considerations when collecting and using personal data in this way.

Training

Any new joiner involved in sales, marketing or customer relations must undergo the online Information Security Training and the online Data Protection Training. New joiners include both members of staff (temporary or permanent) and contractors. A record of attendance should be retained for all training sessions delivered.

Registrations

In some countries it may be necessary to register certain data handling activities with the local data protection authority. Ensure that any national registration requirements are complied with.

Additional resources

Remember, all key policies and guides are available for your ongoing reference. The following are available on the ABF group intranet:

Additional guidance may also be issued by local data protection authorities (for example, in the UK, the Information Commissioner’s Office’s direct marketing guidance and privacy notices code of practice). See the Appendix for links to additional guidance from regulatory authorities outside the UK.

Data Protection Coordinator and questions

Any questions regarding the requirements set out in this document should be directed to your Data Protection Coordinator, whose details can be found on the Data Protection Coordinator section of the ABF group intranet.

ANNEX 1

GUIDELINES FOR DIRECT MARKETING BY TELEPHONE, EMAIL, SMS AND POST

1. Introduction and summary of rules

1.1  When carrying out direct marketing activities, we must comply both with data protection rules and also with an additional set of marketing consent rules that are imposed by e-privacy laws.

1.2  What is meant by direct marketing?

Direct marketing means the communication by any means of advertising or marketing material which is directed to a particular individual. Advertising and marketing materials are not restricted to information about commercial goods and services, but include all forms of promotional materials, including newsletters and other communications that we use to promote our brands, aims and values.

1.3  Varying European rules:

The rules for sales and marketing communications differ across Europe. This Annex explains the rules that must be followed in the UK. Any additional requirements that are applicable in other European countries are set out in the Country Specific Annex which should be consulted if you are carrying out direct marketing in European countries other than the UK.

1.4  Suppression lists, unsubscribe and objections:

Individuals have the right to object to the use of their personal data for marketing purposes at any time. If you are asked to stop sending direct marketing material you must comply promptly and ensure that no further marketing is sent. Marketing objections should therefore be recorded on internal “suppression lists” and these lists should be checked before sending marketing emails, postal marketing or making any unsolicited marketing calls. See paragraph 6.1 of this Guidance for further details.

1.5  Appointing third parties:

It is our responsibility to ensure that any direct marketing campaigns carried out on our behalf comply with all relevant data protection and marketing consent rules. We must therefore comply with paragraph 8 of this Guidance if we appoint a third party supplier to make marketing calls or carry out email or postal campaigns.

1.6  The table below summarises the rules that apply when carrying out direct marketing by email, SMS, phone and post in the UK. More detailed rules and guidance are set out at paragraphs 2-4 below, which must be read in conjunction with this summary table.

Summary of UK Direct Marketing Rules

Private Subscribers: private individuals, sole traders and unincorporated partnerships.
Corporate Subscribers: companies, limited liability partnerships or government bodies.

Telephone

  • Consent requirement (Private Subscribers): Consent not required. Unless you have specific consent to call, you must check Telephone Preference Service. Individual recipients have the right to object; their details should be added to your internal suppression list.
  • Consent requirement (Corporate Subscribers): Consent not required. Unless you have specific consent to call, you must check Corporate Telephone Preference Service. Individual recipients have the right to object; their details should be added to your internal suppression list.
  • What you should tell people:
    • The purpose of the call;
    • The name of the business and the legal entity (where different);
    • Contact details for further information; and
    • How they can access your privacy notice (e.g. online on your website).

Email / SMS

  • Consent requirement (Private Subscribers): Consent or soft opt in is required. Evidence of consent/soft opt-in must be kept. Individual recipients have the right to object; their details should be added to your internal suppression list.
  • Consent requirement (Corporate Subscribers): Consent not required. Individual recipients have the right to object; their details should be added to your internal suppression list.
  • What you should tell people:
    • State the name of the business (and the legal entity, where different) responsible for sending the communication.
    • Don’t try and give the impression your email isn’t really a marketing communication.
    • Always provide a contact email address or unsubscribe link so that recipients can opt out.
    • Include a link to your website privacy notice (and ensure this covers direct marketing).

Post

  • Consent requirement (Private Subscribers): Consent not required. Individuals have the right to opt out; their details should be added to your internal suppression list.
  • Consent requirement (Corporate Subscribers): Consent not required.
  • What you should tell people:
    • Supply the name of the business (and the legal entity, where different) responsible for the mailshot.
    • Supply a copy of your privacy notice or details of how this can be accessed (e.g. on your website).

2.  Telephone marketing

The guidelines below should be followed when carrying out direct marketing by telephone. Additional requirements apply to fully automated telephone calling systems (i.e. automated dialing systems that play recorded marketing messages). If you intend to carry out tele-marketing using fully automated systems, contact your Data Protection Coordinator.

2.1 Check for objections before making calls

In the UK, organisations can make live unsolicited marketing calls without consent. However, these calls should not be made if individuals have previously objected or if they have registered their telephone number with the Telephone Preference Service.

Therefore, unless the person you are calling has specifically agreed to receive your call, you should check your internal suppression list before making any unsolicited marketing calls and you must also screen the number you intend to call against the registers maintained by the Telephone Preference Service (TPS). If your telemarketing campaign will be carried out over a period in excess of 28 days, you will need to check the TPS every 28 days for the duration of the campaign to ensure any new TPS registrations are taken into account. The TPS maintains separate registers for private and corporate telephone numbers; if you are unsure whether the numbers you intend to call relate to private or corporate lines, you should check both registers. Information about how to subscribe to the TPS is available at www.tpsonline.org.uk.

Although we do not usually need consent in order to make live unsolicited marketing calls, if we have obtained telephone contact details for operational purposes only (e.g. to make arrangements for deliveries) we cannot then use these details for an entirely different purpose without first getting consent (see paragraph 2 of this Guidance).

2.2 Information you should provide when you make marketing calls

The following information should be provided whenever an unsolicited direct marketing call is made:

  • the purpose of the call;
  • the name of the business responsible for making the call. This can include information about the brand that is being promoted (e.g. Silver Spoon or AB Connect) but the name of the legal entity responsible for the call must also be given (e.g. British Sugar plc or AB Agri Limited);
  • contact details so that the individual can get in touch if they want to opt out of receiving any further calls or exercise their rights to access, delete or amend their details; and
  • information about where a copy of your privacy notice can be found (e.g. on your website).

2.3 Additional considerations

2.3.1   If calls are being recorded:  you should tell the person you are speaking to that you are recording the conversation and why you are doing so (e.g. for training purposes). This applies to both incoming and outgoing calls.

2.3.2  Privacy notice:  When we collect personal data about individuals we have an obligation to provide them with a privacy notice explaining how we use their data (see paragraph 1.3 of this Guidance). If it is not feasible to supply the necessary level of detail during a telephone call, we should identify alternative ways of supplying individuals with the information they are entitled to. We can do this by telling individuals where they can find our full privacy notice (e.g. on our website), including a hard copy of our privacy notice in any follow up postal communications, or including a link to our privacy notice in any follow up email.

2.3.3  Objections: If, during a marketing call, the person you have called tells you s/he does not wish to be called again for marketing purposes, make sure you record this and add the caller’s details to your internal suppression list.

3.  Marketing by email and text messaging

The guidelines below should be followed when carrying out marketing via email or text messaging.

3.1 Is consent required?

In the UK different rules apply depending on whether the recipient of a marketing email is a ‘private subscriber’ (i.e. a private individual, sole trader or unincorporated partnership) or a ‘corporate subscriber’ (i.e. a recipient with an email address at a company, limited liability partnership or government body).

Consent is not required in order to send marketing emails to corporate subscribers but strict consent rules apply when marketing emails are sent to private subscribers (see paragraph 3.2 below). Because of this, particular care should be taken when carrying out email marketing campaigns that will involve sending email marketing to a mix of both corporate and private subscribers. To ensure we comply with marketing consent rules, it is often more straightforward to treat all e-marketing recipients as private subscribers and follow the rules at paragraph 3.2 below.

3.2 Sending email marketing to private subscribers

3.2.1  Consent

In the UK, unless we can rely on the “soft opt-in” (see paragraph 3.4 below), email marketing should not be sent to individual recipients unless they have specifically consented to receiving this from us. We can only rely on consent if it is:

  • Freely given – this means the individual must be given a genuine choice; we cannot insist that individuals who enter a competition, submit a query, or buy our products must agree to receive our marketing emails.
  • Specific – this means that wording used to collect consent must be specific about the type of marketing that individuals are signing up to and the identity of the organisation that will be sending the marketing.
  • Informed – this means that the individual must understand what they are consenting to. We must use clear language to explain this and we must ensure that relevant information is prominently displayed (i.e. not buried in small print).
  • Given by a statement or by clear affirmative action – this means that we cannot assume that an individual consents because s/he has failed to take a specific action, such as ticking an opt-out box or writing to us. Instead, we must ask individuals to opt-in to receiving e-marketing and to positively indicate their agreement by ticking an opt-in box, clicking on a link or button, or completing an online or paper based form.

3.2.2  Right to withdraw consent

We can only rely on consent if we tell people at the outset that they have a right to withdraw their consent. We must also then offer them easy ways to withdraw consent at any time (e.g. an unsubscribe link in all marketing emails).

3.2.3  Evidence of consent

We must be able to demonstrate that relevant individuals have consented. This means we must keep evidence of the consent that we have obtained including (i) the date of the consent; (ii) what we told people when we obtained their consent (i.e. the notice given); and (iii) how the consent was provided. For example, if the consent is obtained via our website, this could be done by keeping a copy of the template consent form used and version of website privacy notice, together with a description of the process followed (e.g. for Jan 2018-Dec 2018 individuals added automatically to e-marketing database but only after completing v2 consent form and being directed to v3 website privacy notice).

3.2.4  ‘Indirect consent’

If we intend to share email contact details with other organisations (e.g. other ABF businesses or partner organisations working with us in connection with a joint promotion) so that these other organisations can use these details for e-marketing, we must ensure that these other organisations are clearly named on any consent forms we use. If they have not been named, these other organisations will not be able to rely on the consent we have collected. We cannot avoid this requirement by referring to these other organisations in general terms (e.g. “our partners”, “selected third parties”, or “other group companies”).  As a matter of good practice even if we intend to share email marketing lists with other business units that are part of the same legal entity as us, we should specifically name these other brands / business units in our e-marketing consent wording and where possible offer individuals a choice about which businesses or brands they would be happy to receive marketing from. This will enhance transparency and minimise the likelihood of confusion on the part of our email contacts. See paragraph below for an example of this.

In the same way, if another organisation supplies us with email contact details for our direct marketing purposes, we should always check that relevant individuals have specifically consented to the receipt of marketing emails from our business and retain evidence of this.

3.2.5  Suggested consent language for obtaining email marketing consent 

The following wording is an example of language that can be used to obtain consent for email marketing:

“We would like to contact you by email with information about our products and services. If you agree to be contacted in this way, please tick here:

[We would also like to contact you by email with information about our products and services. If you agree to be contacted in this way, please tick here: ] [Use where you want to send marketing about other brands in your business that may not be obvious to the individual]

[We would also like to share your information with other companies within the ABF group [either list the companies or include a link to the relevant list] so they may contact you about their products and services by email.  If you agree to your information being shared in this way, please tick here: ] [include if relevant]

[We would also like to share your information with [insert details of relevant third parties] so they may contact you about their products and services by email. If you agree to your information being shared in this way, please tick here: ] [include if relevant]

You have the right to withdraw your consent and object to our use of your details for marketing purposes at any time. If you wish to amend your marketing choices in the future, please email [insert appropriate email address]

To know more about how we use your data, please see our privacy notice [include link].”

3.2.6  SMS messaging

The same principles apply to the use of text messaging to send marketing communications to private individuals. If you plan to carry out marketing activity by SMS/text messaging, speak to your Data Protection Coordinator.

3.3 Sending marketing emails to corporate subscribers

3.3.1  Consent:

Consent is not required in order to send marketing emails to corporate subscribers. However, business contacts often include private subscribers (e.g. sole traders); see paragraph 3.2 above if your email campaign involves sending email marketing to private subscribers.

3.3.2 Right to object:

Even though consent is not required when we send marketing emails to corporate subscribers, individuals who receive such marketing emails have the right to object to the use of their personal details for marketing. When sending email marketing to corporate subscribers, it is, therefore, good practice to include an ‘unsubscribe link’ or other information about how recipients can opt out of receiving any further email marketing. Irrespective of how individuals choose to contact us, marketing objections must be actioned promptly and details added to any relevant internal suppression list (see paragraph 1.4 above).

3.3.3 SMS messaging:

The same rules apply to the use of text messaging to send marketing communications to a corporate telephone number. If you plan to carry out marketing activity by SMS/text messaging, speak to your Data Protection Coordinator.

3.4 ‘Soft Opt-In’

Although we can usually only send marketing texts and emails with specific consent, there is an exception to this rule for existing customers. This rule is known as the soft opt-in.

We can rely on the soft opt-in and send marketing texts and emails without consent if:

  • we have obtained the contact details in the course of a sale (or negotiation for a sale) of a product or service to that person;
  • our marketing emails and texts are sent to promote our own similar products and services;
  • we gave the individual a clear opportunity to opt out of future email/text marketing when we first collected their details; and
  • we include an opt-out opportunity in every subsequent marketing email or text we send.

If we intend to rely on the soft opt-in, we must retain evidence of the circumstances in which we originally collected the individual’s contact details so that we can demonstrate that the soft opt-in applies.

3.5 Information that must be included in marketing emails

The following information should be provided in marketing emails:

  • the name of the business responsible for sending the communication. The name of the brand that is being promoted can, of course, be included (e.g. Silver Spoon or AB Connect) but the name of the legal entity responsible for sending the email must also be given (e.g. British Sugar plc or AB Agri Limited);
  • the fact that the email is a marketing communication (as opposed to a private message or an operational communication about an order or specific enquiry); the title of the email should make clear that the email is marketing related;
  • a contact email address, free phone number or link which individuals can use to opt out or unsubscribe; and
  • a link to our website privacy notice or other information about how this privacy notice can be accessed.

4.  Postal marketing

The guidelines below should be followed when carrying out marketing via post.

4.1 Consent

In the UK, consent is not required in order to send postal marketing. Checking postal marketing lists against the suppression list maintained by the Mail Preference Service is considered good practice but is not mandatory.

4.2 Information to include in postal marketing

All postal marketing must make clear which ABF company is responsible for sending the communication. Recipients of postal marketing should be provided with a privacy notice explaining how we will use their personal data. Alternatively, it may be possible to provide individuals with a summary privacy notice and information about how a full copy of this privacy notice can be accessed (e.g. on our website) (see paragraph 1.3 of this Guidance). Before doing this, you should first consult your Data Protection Coordinator.

[1] In the UK data protection legislation includes a number of specific requirements in relation to the collection and use of sensitive personal data and criminal offences data for some of the reasons set out above, including adding specific details to the Record of Processing.  Please consult your Data Protection Coordinator.