We are pleased to announce beaton‘s expanded and updated Privacy and Confidentiality Policy. The Policy may be found here.
In an environment of growing cyber uncertainty, risk and regulation, beaton strives to be a good citizen by complying fully with the letter and spirit of the law.
We have increased the Policy’s transparency surrounding how personal data is collected, the purposes for which it is collected, and the rights of those from whom data is collected to meet the stipulations under the General Data Protection Regulation (GDPR) from the EU.
The Policy has also had a visual update, including the use of “icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processes” [Regulation (EU) 2016/679, Recital 60].
Several firms have asked us how GDPR affects their ability to use our services. It would not be appropriate for us to be offering legal advice or guidance, however we make the following statement about how we handle the data of our clients, including the use of third party providers:
Beaton Research + Consulting (‘beaton‘) is striving to be good citizens in how for ourselves we interpret and comply with the letter and spirit of privacy laws, including the General Data Protection Regulation (‘GDPR’). Accordingly, we are making the following statement of our position. We trust our example is helpful to you. This statement does not constitute advice or guidance.
The lawful basis upon which beaton collects information on our clients (e.g. name, email address, organisation) is our legitimate interest [Regulation (EU) 2016/679, Article 6(1)f] in collecting and using this information given there is “a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller” [Recital 47] and processing this information helps us deliver better service to our (i.e. beaton’s) clients. We believe that using that personal data (i.e. email addresses) to collect client feedback constitutes processing for the same purpose, i.e. helping us deliver better service to our clients. Even if our use of the data was determined to be for a different purpose, we believe asking for feedback from our clients satisfies GDPR’s criteria for using collected personal data for a further compatible purpose [Article 6(4)], namely:
- There is a clear link between using these contact details to deliver service and using these contact details to ask for feedback on that service,
- The context of asking for evaluation of a service after having delivered it,
- That the personal data (i.e. name, email addresses, organisation) is not considered a special category,
- The only consequences would be potential minor annoyance at receiving a request-for-feedback email (to which clients can opt-out), and
- That we ensure appropriate safeguards are in place to protect that data (e.g. pseudonymisation, kept for no longer than is necessary).
To that end, we do not believe that we need consent to provide client data to a third party in order to get that feedback. It is in our legitimate interests to do so, provided we ensured the third party had all the relevant protections in place. Our Privacy Policy has been expanded and updated to make clear that we use third parties that meet the standards of GDPR [Article 46] and the Australian Privacy Principles. In the interests of transparency and accountability we may include in our Privacy Policy direct reference to some of the third party providers we may use to process personal data, even though we do not believe that is necessary under GDPR.
We will include explicit reference in our Privacy Policy [Articles 12, 13, 14] that we believe using personal data we have on our clients for research purposes is considered a legitimate interest in helping us deliver better service to our clients. We believe it not necessary to state this explicitly, because it is for the same purpose for which it was collected in the first place, but do so to be comprehensive.
We believe that making a comprehensive and easy-to-read Privacy Policy outlining all of the above available to all clients, and ensuring there are relevant safeguards in place with our third party providers, give us the right to provide personal data to third parties without the need for consent from our clients or making specific provisions in our terms of engagement with our clients.
beaton strives to act within the spirit and the letter of Australian, New Zealand and international privacy law.
The corresponding post type is disabled. Please make sure to 1) install The7 Elements plugin under The7 > Plugins and 2) enable desired post types under The7 > My The7, in the Settings section.