The protection of personal information is important to us as we provide an outsourced loyalty card service called Reward Card to retailers across the UK.
This means we hold personal data belonging to customers (consumers) of our Retail clients.
This policy provides detailed information concerning the personal information we hold, how we interact with it, and the rights of the consumer in relation to their data.
Throughout this document we/us refers to:
Company Name Real Rewards Limited
Address 9 Cromwell Place, East Grinstead, West Sussex, RH19 4DS
Data Controller and Data Processor
We are the Data Processor for our retail clients who operate our outsourced loyalty card service called Reward Card.
A data controller may appoint a Data Processor to process, hold and otherwise manage personal data and a related service such as the provision of a loyalty card service.
A Data Controller is a company that collects personal data from the public and decides what to do with it.
The Data Controller is legally responsible for what happens to the personal data they hold and to ensure this complies with data protection law and to ensure customer rights are maintained.
To reiterate, we are the Data Processor and as such do not collect personal data ourselves.
As part of our efforts towards protecting consumer personal data, we insist our Retail clients register their role as Data Controller with the ICO (Information Commissioner's Office) or have an active registration in place with effect from 25th May 2018.
We also insist that they publish a full privacy statement that states our role as Data Processor.
Data Protection Officer
A Data Protection Officer (DPO) is appointed by a Data Controller to ensure compliance with Data protection law and regulation throughout an organisation and to provide a first point of contact. We have voluntarily appointed a DPO who can be contacted in writing at Data Protection Officer at our address above.
GDPR (The General Data Protection Regulation)
GDPR is Europe’s new framework for data protection laws, effective 25th May 2018, which affects both businesses and consumers alike. More detailed information can be obtained from the ICO (Information Commissioner's Office) at https://ico.org.uk.
Lawful Basis for Processing
GDPR requires that a company must have a lawful basis for processing personal data. There are several: Consent, Contract, Legal obligation, Vital Interests, Public Task, Legitimate Interests, Special Category and Criminal offence data.
We insist that our retail clients declare their lawful basis for processing before we enter into any arrangement to act as Data Processor.
The ICO clearly states that “no lawful basis for processing is better than another”; each company must select the most appropriate according to its circumstances as they relate to the processing of personal data that it carries out.
Typically Reward Card is operated by our clients under Legitimate Interest as the lawful basis for processing personal data.
Legitimate Interest requires
- a) That a company must have a valid reason for processing personal data.
We believe that the provision and operation of a loyalty card service such as our Reward Card service by our clients constitutes a valid reason to process personal data.
- b) The processing must be necessary.
We believe that the processing of personal data that is carried out by our clients is necessary to provide a loyalty card service and, furthermore, that it would be impossible to provide a personalised transaction-based loyalty card service without at least some processing of personal data.
- c) Must satisfy reasonable expectation.
Reasonable expectation means that it would be reasonable to assume that our clients' Reward Card customers (consumers) would expect our clients to hold and process their personal data in the way that they do in order to provide the Reward Card service.
We believe that our clients satisfy this condition in that transaction-based loyalty schemes that reward consumers according to how much they spend are very well understood by members of the public, and that they would of course expect that a company providing such a service, such as our client, would need to hold and process personal data.
- d) Must be balanced.
Balance requires that our client balances its valid reason for processing personal data against the possible impact of carrying out the processing in so far as it may affect individuals’ interests, rights and freedoms.
We believe that as the data that they collect is minimal, not considered overly sensitive, used minimally and only for the purposes of providing the Reward Card service, the potential for negative impact is negligible and as such they satisfy the balance test.
We conclude that as our clients can demonstrate a valid reason for processing personal data, that the processing is necessary to provide the Reward Card service, that they satisfy the tests of expectation and balance, that Legitimate Interest has been demonstrated and hence Legitimate Interest is their Lawful basis for processing personal data.
On that basis, we can legally act as their Data Processor.
As part of our efforts to protect personal data, we insist that our retail clients who select Legitimate Interest as their lawful basis for processing personal data conduct a detailed Legitimate Interest Assessment (LIA) and lodge a copy of that document with us.
The Personal Data we collect
We DO NOT collect any personal data in relation to Reward Card; data collection is carried out by our clients in their role as Data Controllers.
We DO ultimately receive and hold personal data on behalf of clients, which consists of:
Title, First Name, Surname, Postal Address, email address and a telephone number of consumers.
We have in the past received Dates of Birth, but this is no longer the case.
This information is collected via a paper-based Reward Card application form directly from the customer whilst they are physically present at premises operated by our clients.
Non-Personal Data Associated with Reward Card.
The Card Number(s) assigned to a customer, the transactions created at the till(s) using these cards and the vouchers issued to customers form the non-personal data associated with Reward Card.
The combination of personal data and non-personal data forms a Reward Card account which is assigned to an individual or couple.
Both the non-personal data and the account remain the property of the client and not the customer (consumer).
How we use personal information
Our clients collect personal information from their customers (consumers) for the sole purpose of communication and contact in so far as it enables them to provide a Reward Card service to them.
We ourselves, as Data Processor, do NOT use the data for any other purpose whatsoever other than as required to act as Data Processor to our clients.
Neither we nor our clients process personal data at all, in the sense that the Reward Card service that we provide does not alter or change in any way based on the personal data that our clients collect from their customers.
In essence, a customer’s (consumer's) Title, Name, Address, Post Code, email address and telephone number do not affect the Reward Card service in any way.
Our clients do use the personal information they collect and, as data processor, we may facilitate:
- To associate non-personal data such as card numbers, transactions and vouchers with an individual or couple in a Reward Card account.
- To address Reward Card Vouchers being sent via Royal Mail.
- To address Reward Card Voucher notifications being sent via email.
- To report found lost cards via email and telephone.
- To answer any queries customers may have.
- To facilitate changes to the personal data requested by customers.
- To carry out requests to be un-subscribed from Reward Card.
- To generally conduct correspondence with customers in relation to the operation of the Reward Card service.
Location of personal data
Reward Card personal data may be held at our clients' sites, but as data processor we normally hold the bulk of the data on our Reward Card server located in East Grinstead, West Sussex, in the UK.
Real Rewards Ltd does not alter, process or otherwise interact with the personal data associated with Reward Card except as required by us to provide the Reward Card service to our clients.
Security of Personal data
Our clients, as data controllers, collect personal information in relation to Reward Card via paper-based application forms.
Application forms are collected from customers (consumers) by authorised members of staff.
They are stored in a secure location, accessible only by authorised staff.
On a regular basis, the application forms are sent to us as Data Processor using a Recorded or Tracked delivery service in very secure packaging.
We receive the application forms and the data they contain is captured by authorised employees.
We hold the application forms on site only as long as required to complete data entry, after which they are shredded securely.
We take data security very seriously and, although we do not publish the exact details (for security purposes), the measures we take are extensive and not limited to the following.
In essence, they can be summarised as follows:
- Only authorised staff have access to the Reward Card Server.
- Access is always under secure password and passwords are regularly changed.
- Access via unattended PCs is not permitted as they return to a secure state.
- Our systems are fully patched and updated at all times.
- Our systems are effectively backed-up and protected against power cuts.
- Changes to personal data relating to Reward Card are only carried out at the request of the associated data controller.
- Real Rewards Ltd will not make Reward Card personal data available to any third party, except where that third party is directly involved with providing the Reward Service, such as a printer for overprinting paper vouchers on our stationery or stationery provided by our clients.
- When we release data to our selected printing partner, it is in the form of encrypted PDF files sent over secure communication services using Secure Sockets Layer (SSL).
- Such PDF files are used for the sole purpose of printing vouchers and contain the minimum personal data required and are deleted as soon as the printing is completed.
- Real Rewards will report any data breaches immediately upon discovery to the Data controllers.
- We enforce other physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal data not mentioned here.
We carry out no marketing activity in relation to data we hold as Data Processor for Reward Card.
Disclosing personal data
We will never disclose personal data belonging to our clients and/or their customers (consumers) to anyone outside of our company or our printing partner.
We will never engage in the selling of personal data.
We will only ever release personal data if the law or public authority requires us to do so.
How consumers can access their personal information
We will retain personal information only as long as is required to provide the Reward Card service.
- The right to correct and update personal data.
Consumers have the right to correct and update personal data that relates to their Reward Card account. This can be carried out by contacting their data controller.
- The right to unsubscribe
Consumers have the right to unsubscribe from Reward Card. This can be carried out by contacting their data controller directly.
- The right to be forgotten.
Consumers can request that we remove any personal data that we hold. Again, this can be carried out by contacting their data controller directly.
We are not obliged to support or provide a transfer service to enable consumers to transfer their Reward card account to another provider.
We would, however, consider requests to export data in a format that would permit this, but reserve the right to either refuse to carry out the request or to charge a small fee.
Such requests should be made to the appropriate data controller in the first instance.
Changes to our policy
This Policy replaces all previous versions. We may update this privacy statement to reflect changes to our information practices. We encourage you to periodically review our Website for the latest information on our privacy practices.
If you have any queries, please contact us via our contact pages.