Policy Statement
Flavour Warehouse Limited plus all associated companies (hereinafter referred to as the “Company”) uses email/SMS/e-marketing/e-marketing via a marketing system/direct mail/telephone to send out marketing information to certain individuals. As we have obligations under the Privacy and Electronic Communications Regulations 2003 (PECR), the Company is required to comply with certain rules regarding using and sending direct marketing. The Company understands its obligations under the PECR and ensures that we have adequate and effective policies, procedures, and controls in place to meet our marketing responsibilities.
Purpose
The purpose of this policy is to ensure that the Company and its employees meet legal, statutory and regulatory obligations under the PECR with regard to direct marketing. This policy sets out our obligations, objectives and the controls for meeting the marketing rules. The aim of this policy is to inform the Company’s processes for compliance and to provide employees with information and support regarding the direct marketing requirements.
Scope
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory.
What is Direct Marketing?
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act 2018 and the UK GDPR and set the rules and privacy rights for electronic communications. There are specific rules on marketing that cover all forms of advertising or promotional material that are directed to particular individuals. The PECR marketing rules apply to information sent via phone, fax, email, text or any other type of electronic message or mail. There are different rules for calls, faxes, and electronic mail.
The PECR and Data Protection
The PECR works in conjunction with the UK GDPR and has been amended to sit alongside the Regulation, including utilising the UK GDPR’s definition of consent. As direct marketing most often includes processing personal data, the Company recognises its obligation to comply with both the PECR and the UK GDPR.
The UK GDPR states that ‘where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing’.
Recipients of such information can also exercise their GDPR right to object to processing for direct marketing purposes. Where the Company receives a request in any format that objects to the processing of personal data for direct marketing, we follow our data protection procedures to ensure that the personal data shall no longer be processed for such purposes.
Whilst we recognise that UK GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, we ensure that all recipients are provided with the option to unsubscribe or opt-out at any time.
Objectives
As the Company sends direct marketing to individuals, we comply with the relevant rules and requirements set by the PECR and UK GDPR. We also follow the Information Commissioner’s guidance on direct marketing to inform our policies, procedures and employee knowledge.
As the PECR requires businesses using direct marketing to provide certain information to individuals and comply with specific rules, we have set the below objectives to ensure compliance with the requirements.
To comply with the PECR direct marketing rules, the Company: -
Procedures and Guidance
The Company understands that it has specific obligations under the PECR in terms of direct marketing and has robust policies, procedures, controls, and training programs in place to adhere to these. The Company operates a top-down approach where all employees are aware of, and responsible for complying with the rules and guidance.
Where we provide specific information to individuals about marketing and their rights, we ensure that such information is easily accessible, clear, and concise.
The Company sends direct marketing in the form of: -
The Company has no current intention of sending direct marketing via telemarketing, automated phone calls or fax. However, if it wishes to do so in the future, this policy will apply.
We use a Direct Marketing Notice to provide additional information to individuals about the type of direct marketing we will/would like to send to them. This notice is easily accessible, a link to which is provided: -
The Company only sends direct marketing or asks for consent to send marketing to certain individuals. The individuals that we send direct marketing to are detailed in our Direct Marketing Notice and include: -
Telephone Marketing
Live Telephone Calls
As the Company may make calls in relation to direct marketing in the future, we have an obligation to comply with Sections 19 and 21 of the PECR. The Company will use the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) to screen all telephone numbers related to direct marketing. We will also retain our own ‘do not contact’ list for individual and corporate subscribers who have opted out of direct marketing via the telephone.
The only exception to calling a number that is registered on the TPS or CTPS is where we have obtained consent to make contact by phone for marketing purposes. We have strict consent mechanisms in place to obtain consent by an affirmative action and to demonstrate that consent was provided knowingly.
For all calls made in relation to direct marketing or where any form of marketing will be mentioned or offered, the Company always advises who we are and our purpose for calling, and provides a contact address or freephone number where requested. Our telephone number is always displayed to the person receiving the call.
Employee calls are monitored and reviewed monthly to ensure compliance and staff are also provided with scripts of the information that must be relayed during the call.
Automated Telephone Calls
Where the Company uses an automated dialling system to deliver direct marketing messages by recorded message, we only do so with the explicit consent of the person being called. This consent specifies that direct marketing will be made by an automated calling system and is separate and in addition to any consent obtained for live calls.
All automated messages that fall under the PECR rules for direct marketing are reviewed by the Head of Marketing prior to being used and are kept under regular review. Automated messages are only approved where they meet the PECR rules, including providing our company name, address and/or a freephone telephone number.
Our telephone number is always displayed or made available to the person receiving the call.
Fax Marketing
As the Company may send marketing information via facsimile machine (fax), we have an obligation to comply with Section 20 of the PECR. The Company will use the Fax Preference Service (FPS) to screen all fax numbers prior to their use for direct marketing. We also retain our own 'do not contact' list for fax numbers where an individual or corporate subscriber has requested that we do not contact them via fax.
The only exception to using a fax number for marketing that is registered with the FPS, is where we have obtained consent to use the fax number for marketing purposes. We have strict consent mechanisms in place to obtain consent by an affirmative action and to demonstrate that consent was willingly provided. In any fax message used to send marketing information, we provide written details of our company name, address and/or a freephone telephone number. All fax messages used for direct marketing are reviewed by the Head of Marketing prior to being implemented and are kept under regular review.
Electronic Mail Marketing
For the purposes of this policy and our compliance with the PECR, we define electronic mail marketing as 'any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service'.
We use electronic mail for direct marketing in the form of: -
We only send electronic mail marketing where we either have consent from the individual to do so or where they are an existing customer who has used our products or services previously. Such customers are provided with an easy way to opt out of receiving such information, both when we first obtain their details and in all subsequent messages.
Marketing information sent by email or text clearly displays our: -
We retain an electronic list of subscribers who have opted out of receiving electronic mail marketing.
Consent
As per our obligations under the Regulations, we usually require an individual’s consent to send direct marketing. In such cases, we never send any information that has not been requested or consented to being received. We have controls and tools in place that provide simple options for withdrawing consent or opting out of marketing at any time.
Data processed for any purpose requiring consent is only retained for as long as it is necessary and is subject to the retention and erasure rules set out in the UK GDPR and our Data Protection and Data Retention Policies. Our Data Protection Policy details the consent mechanisms that we have in place to comply with the PECR and UK GDPR.
Legitimate Interests
In some instances, the Company sends marketing information to individuals where it has been identified as being beneficial or of interest to them. In these instances, we rely on the legitimate interests legal basis under the UK GDPR for processing.
We ensure that such information is always relevant to the customer and is non-intrusive. We also ensure that customers have the option to opt out or unsubscribe at any time.
Where we choose to rely on legitimate interests for processing personal data in relation to direct marketing, we have first verified that: -
Third Party Processors
The Company uses a third-party service provider to carry out direct marketing by email/telephone/fax/text. We understand that under the PECR, both parties are responsible for complying with the regulations, but as the initial instigator of any marketing communication, the Company is liable for overall compliance.
We carry out extensive due diligence on all suppliers and third parties prior to forming a business relationship with them and carry out regular audits and reviews of the business, services and activities. We have Service Level Agreements and written contracts in place with all service providers that set out our obligations and the provider’s responsibilities and duties.
Audits and Monitoring
This policy and procedure document details the controls and measures used by the Company to comply with the PECR and any associated data protection rules. It is to be read in conjunction with our other UK GDPR and PECR policies.
To ensure continued compliance with the Regulations and to review internal policies and processes, the Company uses a dedicated Compliance Monitoring & Audit Policy & Procedure, with a view to ensuring that measures and controls are in place to protect subscribers and users, along with their information, at all times.
The Head of Marketing has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Board/Directors/Owner and Senior Management Team where applicable.
The aim of internal PECR audits is to: -
Training
Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the PECR and that they have ongoing training, support and assessments to ensure and demonstrate their knowledge, competence and adequacy for the role. Our Induction Policies detail how new and existing employees are trained, assessed and supported and include: -
Responsibilities
The Company ensures that compliance with the PECR is the responsibility of all employees and provides ongoing support and training to this end. Overall responsibility for PECR compliance has been assigned to the Data Protection Officer, whose role it is to identify and mitigate any risks to the protection of personal data or the privacy rights of users and subscribers.