The Refinery is wholly committed to full compliance with the requirements of the EU Regulation 2016/679 – General Data Protection Regulation (GDPR), ePrivacy Directive and the Data Protection (Jersey) Law 2018. We therefore follow procedures that aim to ensure that all employees who have access to any personal data held by or on behalf of clients are fully aware of and abide by their duties under these regulations.
The Refinery regards the lawful and appropriate treatment of personal information as very important to its successful marketing operations and essential to maintaining confidence between itself and those with whom it carries out business. The Refinery therefore fully endorses and adheres to the Principles of the GDPR.
This Privacy Notice is part of The Refinery’s ‘best practice’ approach to personal data and is a concise statement of how we collect, use and disclose your personal data, and your rights in relation to the personal data we hold.
The Refinery operates a totally transparent and clear policy in compliance with GDPR. In order for our Policy Notice to be as accessible as possible, we include explanations of the terms used within this document:
This is information that relates to and identifies living individuals, i.e. their personal information. Personal data includes both facts and opinions about the individual, as well as information regarding the intentions of the data controller towards the individual.
These are the living individuals to whom the personal data relate.
This covers a wide range of operations on personal information, including its collection, use, disclosure and disposal.
Data controllers are clients who supply The Refinery with personal data (i.e. mailing lists) directly, or are the clients The Refinery gather personal data on behalf of. The Refinery only become the data controllers if we are using any personal data for our own purposes or it is the personal data of our staff.
These are individuals who are not employed by a data controller but who process personal data on behalf of and in accordance with the instructions of a data controller; in effect they could be referred to as subcontractors. The Refinery are the data processors for any personal data supplied by, or gathered on behalf of, a client (data controllers).
2. Who is collecting the data?
The Refinery are a full service web/digital, advertising, marketing and public relations agency in Jersey, Channel Islands, adopting the regulations and practices of the EEA via Jersey’s special relationship with the EU and implementation of the EEA (Jersey) Law 1995.
We handle personal data exclusively to provide marketing services for our clients and also for our own marketing purposes.
Personal data is only handled by essential agency staff who require access to this information for legitimate operational needs. This access is strictly controlled and managed by our in-house Data Protection Officer and Digital Director.
In certain circumstances, The Refinery may use third parties to collect and supply data. Any third party company used for this purpose will have been vetted by The Refinery’s Data Protection Officer as fully GDPR compliant.
3. How do we collect your data?
We collect your personal data in a number of ways, for example:
- from the information you provide to us during meetings;
- from information about you provided to us by your company;
- from information about you provided to us by an independent referral;
- when you communicate with us by telephone, email or other forms of electronic communication;
- from publicly available sources.
4. What data is being collected?
For our day-to-day marketing operations, The Refinery does not collect and retain personal information that falls into the sensitive data category (special category data), such as ethnicity, criminal records, medical records, etc.
The form of data collected by the agency, or supplied by our clients, will be names, email addresses, postal addresses and/or telephone numbers, as appropriate.
All data collected is the minimum required to successfully carry out specific operational needs for the agency or our clients.
The data will be kept as accurate and up-to-date as possible. However, the accuracy of any data supplied to The Refinery by a client (data controller), with the express purpose of being processed by The Refinery, will remain the responsibility of the data controller.
5. Where is the data stored?
As policy, The Refinery separates personal data storage from that of general work and office data storage. Personal data is routinely stored on encrypted Microsoft Cloud servers located within the EEA and only accessed and processed by staff who have been assigned specific access privileges.
Any documents or emails containing personal data that staff receive from clients or third parties have the attachment saved in the appropriate cloud location and then the email is deleted, as stipulated in The Refinery Data Protection Policy document.
Further details of these procedures and our Data Protection Policy document can be obtained by contacting The Refinery’s Data Protection Officer at firstname.lastname@example.org
6. What is the legal basis for processing the data?
The Refinery will not process or retain personal data without having received explicit consent from the data subject via the necessary GDPR and ePrivacy Directive compliant opt-in procedures.
We will only process data if it is necessary for the legitimate interests to the data subject unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Any personal data handled by The Refinery as the data controllers will not be transferred or distributed outside the EEA without express permission from the data subject.
In certain instances, a client may request personal data we process on their behalf to be transferred outside the EEA. In such circumstances we cannot guarantee that your privacy rights are adequately protected as this is the responsibility of the client as data controller.
7. Will the data be shared with any third parties?
Only data that is deemed to have legitimate interests for both parties will be shared with clients (third parties). This data will not be sensitive in nature and only for the purposes of a specific project or event.
Any data shared will have been collected following explicit consent from the data subject via the necessary GDPR compliant opt-in procedures.
8. How will the data be used?
In general, data that is collected by The Refinery, or supplied to The Refinery by a client or third party, will be used exclusively for marketing purposes.
This comes in a variety of forms including, but not exclusively, email newsletters, publication distribution, both physical and digital event invitations, targeted email mailing lists and competitions.
9. How long will the data be stored for?
The Refinery will only retain personal data for as long as is absolutely necessary under law. This period may vary due to the nature of a project or campaign.
For instance, once a data subject has opted-in to receive a client’s email newsletter, their data will be stored for the duration of the newsletter distribution or until they wish to be removed.
In the example of an invitation to a specific event, the data will only be retained for the duration of the marketing period of the event and the event itself. It may be retained for longer, but only if the data subject has specifically opted-in to receive further information from the client or The Refinery.
As a matter of procedure, a regular review is made by The Refinery’s directors and Data Protection Officer of any personal data held and whether its retention is necessary.
10. Do we apply the ePrivacy Directive to websites?
Websites built, hosted and managed on behalf of our clients are fully compliant with the principles of the ePrivacy Directive and GDPR.
The user is clearly informed when cookies that do not cache or collect data are used, and that they do not need to opt-in as they are essential for the website to operate.
However, where cookies are used to cache data the user is asked to opt-in and also offered the ability to opt-out at any time via the website’s utility menu. In these cases, all data is automatically encrypted when stored.
Our websites are only hosted by approved third party hosting providers on remote secure servers which have been vetted by the DPO and Digital Director as being fully GDPR compliant.
Likewise, The Refinery only uses third party tools for website analytics that have the necessary levels of data security compliance.
Any data collected is only stored for as long as is absolutely necessary for the function of the website and the improvement of the end user experience. For instance, an IP address is only stored for a maximum of 48 hours by the hosting provider before being permanently erased unless otherwise requested by the client.
Further details on our ePrivacy processes and procedures can be obtained from our Digital Director or Data Protection Officer.
11. What are your individual rights?
You, as the data subject, have full rights under the General Data Protection Regulation (GDPR).
Therefore, you have several rights in relation to how The Refinery uses your information. They are:
Right to be informed
You have a right to receive clear and easy to understand information on what personal information we have, why and who we share it with.
Right of access
You have the right of access to your personal information. If you wish to receive a copy of the personal information we hold on you, you may make a Data Subject Access Request (DSAR) via email@example.com
Right to request that your personal information be rectified
If your personal information is inaccurate or incomplete, you can request that it is corrected.
Right to forget (request erasure)
You can ask for your information to be deleted or removed if there is not a compelling reason for The Refinery to continue to have it. Any data we hold is subject to the right to forget clause and should a person opt to be removed from our database, our policy is that they are removed within 48 hours (business days).
Right to restrict processing
You can ask that we block or suppress the processing of your personal information for certain reasons. This means that we are still permitted to keep your information – but only to ensure we don’t use it in the future for those reasons you have restricted.
Right to data portability
You can ask for a copy of your personal information for your own purposes to use across different services. In certain circumstances, you may move, copy or transfer the personal information we hold to another company in a safe and secure way.
Right to object
You can object to The Refinery processing your personal information where:
- it’s based on our legitimate interests (including profiling);
- for direct marketing (including profiling);
- and if we were using it for historical research and statistics.
Rights related to automatic decision making including profiling
You have the right to ask The Refinery to:
- give you information about its processing of your personal information;
- carry out regular checks to make sure that our profiling processes are working as they should.
12. How can you raise a complaint?
If you think your personal data has been misused, or that The Refinery hasn’t kept it secure, you should immediately contact our Data Protection Officer either by post, by email at firstname.lastname@example.org or call +44 (0)1534 720200.
The matter will be thoroughly investigated and, if any serious breach or misuse is discovered, you and The Office of the Information Commissioner (OIC) will be notified forthwith. You will also be updated in full if no evidence of a security breach or misuse is discovered.
You always retain the right to have any personal data held by The Refinery erased.
If you’re unhappy with our response, or if you need any further independent advice, you should contact The Office of the Information Commissioner (OIC):
13. Contact details
For further information on any of the subjects covered in this document, please contact: