Aer Support GDPR Compliance Statement
Aer Support’s position is that it has a robust data security program in place. Because of this, we believe our customers’ privacy and data protection rights are fully protected. In order to ensure GDPR best practice is followed to the greatest extent possible at all times, Aer Support follows these operating procedures:
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection, storage, and processing of personal information from individuals who live in the European Union (EU). Since the departure of the UK from the EU the UK now falls under UK GDPR.
The Information Commissioner’s Office is the UK regulator dealing with the Data Protection Act 2018 and the General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK.
The ICO are the public body responsible for data protection and Aer Support work to ensure that we operate in alignment with their policies.
Aer Support and GDPR compliance
Aer Support have appointed a compliance officer to oversee our adherence to the rules.
Aer Support’s relationship with you
To put this in the language of GDPR and the ICO:
In dealing with our clients we will on occasion handle data that falls under the remit of GDPR. In this respect we operate as Joint Controllers. Even though, as a service provider, we are essentially working for you, it is important to recognise that we are both responsible for any personal data that is collected, processed, used or stored within our business relationship.
As part of client onboarding Joint Controller statements will be provided to ensure that compliance is understood and adhered to within the frameworks laid out by the ICO.
Is Aer Support’s marketing activity compliant?
Aer Support operates solely in the B2B market. In this instance, PECR allows email marketing provided material is relevant and the recipient is allowed to opt-out of future emails. Aer Support is therefore naturally compliant.
GDPR always applies and applies to all aspects of collection, storage, and processing of data.
Aer Support has been designed to be compliant and has established technical and operational systems to make sure this is the case.
As part of all client onboarding activity, Aer Support conducts an assessment to establish if the product or service, combined with the proposed activities, meets the criteria for GDPR and PECR compliant business to business (B2B) marketing.
An assessment called the Legitimate Interest Assessment (LIA), is completed with all clients. We will also help you rework your Privacy Policy for client use as needed, this includes all the relevant clauses you need plus references to Aer Support to make everything clear to the data subject – just let us know if you need a copy of any of these.
Want to know more about how Legitimate Interest applies?
If Aer Support determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach some other part of the regulations [including PECR] then we cannot support the activity within any regions subject to GDPR.
In the context of our Services, Legitimate Interest is the relevant lawful basis for processing as defined in GDPR. GDPR sets out a number of permissible circumstances (or categories) under which Personally Identifiable Information (PII) can be stored and processed, the most appropriate category in the case of most B2B marketing is Legitimate Interests. This link explains the Legitimate Interests basis for storing and processing PII:
To ensure client activity falls into this category, prior to engaging, we will carry out a full Legitimate Interests Assessment (LIA) with each new client. Essentially the LIA is a questionnaire containing a series of questions about your scenario. There are 3 areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:
Identify a legitimate interest – The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
Show that the processing is necessary to achieve it – Can the same result be achieved differently? Core to the Aer Support service is the efficiency and constant drive to be the most cost-effective sales channel which we believe cannot be replicated using other methods.
Balance it against the individual’s interests, rights and freedoms – Would the individual expect their data to be used in this way? Would an individual who lists publicly their role within a company expect to be contacted about services that may help that company or their department within the company? No data processing may replace or infringe the individuals interests or cause unjustified harm
LIA Failures
If Aer Support determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach some other part of the regulations [including PECR] then we cannot support the activity within any regions subject to GDPR.
Rights of Individuals
Privacy Policy – All messages sent will contain a link to the website that explains to the user exactly what their rights are as well as the type of data that is held about them and by who. Aer Support will provide a template privacy policy or review your existing one to ensure it meets the required standard. A link to our Privacy Policy which is based upon this template is here: https://aersupport.com/privacy-policy/
Opting Out & Exclusion Lists – All recipients are able to opt out easily to prevent further email communication being received. All replies to prospecting emails are logged and those prospects are added to your campaign exclusion list within 24 hours. Aer Support allows import of existing exclusion lists in advance of campaign activity. Exclusions can be submitted in the form of individual email addresses or full domains and will prevent communications being issued to those email addresses or domains listed.
Subject Access Requests – All individuals have the right to request a copy of all data you hold on them. To support this data subjects can email any SAR requests to steveb@aersupport.com and we will return this data within 72 hours.
Right to be Forgotten – All individuals have the right to have some or all of their data removed (to be ‘forgotten’) at any time. In the event that a party contacts us to request this it will be actioned within 72 hours.
PECR and sending of B2B messages
Whilst GDPR controls the storage and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic Communications Regulations (PECR). This is very clear as to the requirements on business communication: “You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt-out and screen any new marketing lists against that.”
Aer Support Employees
All Aer Support employees undergo GDPR, PECR and general compliance training, this covers the GDPR rule set in detail, the relevance and impact of those rules on Aer Support and our clients, and the steps we take to ensure best practice is observed at all times. We also make clear the consequences (I.e. penalties) associated with failure to meet the strict GDPR standards.
Client responsibility
Whilst Aer Support continues to take extensive measures to ensure best practice with respect to GDPR and PECR across all client activity, clients should take note that responsibility for compliance vests (in different forms) with each party. Aer Support cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times, as such it is important that you, as the client, have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.
In Summary
Aer Support has worked hard to develop a compliant platform providing innovative marketing services and technology for our clients and at all times respecting the rights of the data subjects whose information we collect. Compliance is now part of what we do and ongoing due-diligence is just part of how we operate. Compliance is central to our identity as a business.