Dear Customer,

We would like to welcome you to our website VeInteractive.com and to let you know a few things about our products, services and legal considerations.

Using This Website

You can use this website for information purposes only but we ask you to review our Privacy Policy and Terms & Conditions for exact guidance.

We do use our own software products within our website so any information you enter into our forms, carts or elsewhere will be collected and stored briefly by us so that we may contact you in relation to the nature of your enquiry/attempted transaction, even if you don't hit the 'submit' button. We will not use the data for any other purpose, we won't store it for longer than necessary and we certainly won't share it with any other company. Our aim is simply to provide you with the highest level of service that we can.

Intellectual Property

We have an ever-growing portfolio of Intellectual Property (IP), from Patents through to Trademarks. We rigorously defend our IP, so please make sure you don't use any of our materials in this website or within any of our software products without our express permission or as you may be entitled within our software licensing granted to you at the time of purchase.

Finally...

This notice does not constitute legal advice from us to you but is intended as a helpful guideline to managing data collection on your website and, of course, using our software where appropriate. We do recommend that you adopt best practices when capturing, storing and processing data and that you publish how you do this within your Privacy Policy so that your customers can be well informed.

Yours faithfully,
David J Brown
CEO

We have conducted an analysis of the Implementation of the Data Protection Directive in Individual Member States as relates to the Obtaining of Consent.


Introduction

In this analysis, we have looked at how Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Directive") has been implemented in different member states across the European Union.

This analysis is only focused on the specific issue of consent, and whether this is required before personal data can be processed and if so, how.


The Directive

Article 7 of the Directive sets out the criteria that must be complied with before personal data can be processed. This is set out below: "Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1)."

Austria

Criteria: Consent is required to ensure that the individual's interest in the secrecy of their data is not infringed.

There are few formal requirements for consent, except where the data to be processed is sensitive personal data.

Consent need not be in writing although this is advisable.

A declaration of consent must be separate from the rest of the text, clearly readable and signed separately.

Consent is a valid declaration of intention by the individual to agree to the processing of their data. The individual must be fully aware of the circumstances and of the kind and extent of processing, and must be free of constraint. Therefore, the consent declaration must name each type of data to be processed, the name of the recipients and the exact purpose of processing. There must also be an indication that the consent can be withdrawn at any time.

Comment: Whilst initially looking less onerous than the position in the UK, the requirements for the declaration of consent actually go further than in the UK by requiring that the data type to be processed is named together with the exact purpose for the processing. This goes beyond the position in the UK where consent can be implied.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

Belgium

Criteria: Personal data can be processed without prior consent if the processing can be based on one of the following legitimate grounds:

* For the performance of a contract to which the individual is a party, or for the taking of steps at the request of the individual with a view to entering into a contract.

* To comply with a legal obligation.

* For the proper performance of a task in the public interest.

* To uphold the legitimate interests of the data controller, except where the interests or fundamental rights of the individual are concerned.

Otherwise, consent must be freely given, specific and informed. Online consent that complies with this is sufficient.

Comment: The requirements in Belgium are generally less onerous, and it may be possible to utilise Ve Capture in Belgium without any consent, if it can be shown that the processing is needed for a contract to which the individual is a party. However, it is recommended that consent is obtained nonetheless.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

France

Criteria: Prior consent is required unless a statutory justification applies.

There is no specific definition for consent, but this is commonly defined under French law to be any free, specific and informed indication of will.

Online consent is acceptable.

Comment: The obligations in France are similar to those in the UK.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

Germany

Criteria: Processing of data requires consent unless based on a statutory permission.

Consent must be informed and voluntary.

Consent must be in writing, although this includes an electronic signature.

Consent must be visually distinguishable.

Consent must be based on the free decision of the individual. Where consent is given for a specific purpose, such consent will not extend to linked services that are not required for the specific purpose.

The individual must be informed of the purpose of the data processing and, on request, must be informed of the consequences of not providing consent.

Consent can be obtained online if the following requirements are met:

* Consent is declared knowingly and unequivocally

* Consent is recorded

* The individual can access their consent at any time

* The individual can revoke their consent at any time

Comment: The requirements in Germany are more onerous than those in the UK; in particular, consent cannot be implied.

The statement requesting consent must explain why the data is being processed (i.e. to fulfill incomplete orders) and also provide for a mechanism where the individual can be informed of the consequences of not providing consent.

Additional procedures will have to be implemented to ensure that the individual can access and, if necessary, revoke the consent at any time.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section. However, we also recommend adding to the Privacy Policy a link for emailing the company to ask for removal of their details, even after having given prior consent.

We also recommend that the statement at the beginning of a form says that individuals should use the Privacy Policy should they later wish to retract their consent.

Greece

Criteria: Consent is a free, express and specific declaration of wish, made with full awareness as to its content. This includes the right to be informed of the following:

* The purpose of the processing

* The data or categories of data to be processed

* Persons to receive the data

* Name and address of person responsible for processing

Consent should be written, however, it is accepted that where consent is obtained online, consent can be provided electronically.

Comment: Obligations in Greece are similar to those in the UK, although more information must be provided to the individual as regards how and by whom the data will be processed.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

Guernsey

Criteria: Prior consent must be obtained before personal data is processed (subject to certain statutory exemptions). This does not need to take the form of a tick-box however.

Comment: Obligations in Guernsey are based on those in the UK and are therefore very similar.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

Isle of Man

Criteria: Prior consent must be obtained before personal data is processed (subject to certain statutory exemptions).

Comment: Obligations in the Isle of Man are based on those in the UK and are therefore very similar.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

Italy

Criteria: Express consent must be obtained and this must be documented in writing. This means that consent can be obtained orally, but this must be documented.

Consent can be obtained online.

Comment: Obligations in Italy are similar to those in the UK, with the exception of the documentation of consent obtained orally. However, this would be recommended practice in any event.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

Jersey

Criteria: Consent must be obtained prior to processing personal data, although this can be implied.

Comment: Obligations in Jersey are based on those in the UK and are therefore very similar.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

The Netherlands

Criteria: Personal data can be processed without consent, although it is recommended that consent is obtained.

Consent is deemed to be any freely given, specific and informed expression of will.

Consent can be given online, as long as it is actively given (i.e. opt-in as opposed to opt-out).

Comment: Obligations in the Netherlands are less onerous than those in the UK, but it is recommended that UK style procedures are adopted nevertheless.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

Spain

Criteria: Processing of personal data requires the prior consent of the individual, unless a statutory exception applies.

Consent can be express, written, oral or implied, but must be free, unambiguous, specific and informed.

Comment: Obligations in Spain are similar to those in the UK.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

UK

Using Our Software & Data Protection Act Compliance

Our software products are designed to help you increase your online efficiency but in doing so, we suggest that you let visitors to your site know how you capture and use data. A lot of website owners don't realise that in order to comply with the Data Protection Act of 1986 you must include the details of how you collect, store and process data within your Privacy Policy and in certain circumstances you must give website visitors advance notice that you will collect such information.

To make sure you are compliant with the Data Protection Act and that your website customers are adequately informed, we recommend you adopt one of the measures listed below, based on the following principle: If a customer abandons a process, through error or choice, they may not have had the chance to give their explicit consent for their personal data to be used. Therefore, to avoid doubt we recommend that you choose and adopt one of the following measures where you intend to capture data.

Display A Notice

This is the simplest way to avoid confusion and can be used for the majority of cases. A simple notice can be expanded on in the Privacy Policy but for starters we recommend displaying a notice at the beginning of a form or shopping cart so that the customer can have 'legitimate expectation' that you may contact them, even if they do not hit 'submit'. The notice could be something like the following (feel free to use this):

"Please note that we have the ability to retain any data that you provide on this website, even if you do not complete your [registration/transaction] by clicking [submit/next]. Such contact details and data may be used [state purpose(s) e.g. to contact you to enquire why you did not complete your [registration/transaction]]. For more information, full details of our privacy policy can be found here [insert link]."

Provide A Check Box

This really is 'best practice' and provides ultimate flexibility for you to use the data collected. If it is not going to be used in an area which could deter a customer then we would recommend using it because, when checked, the customer has given explicit consent for you to capture, store and process the data as outlined in your Privacy Policy.

Nordics

Criteria: Personal data can only be processed with consent and, if it is implied consent, then it must be clear and unambiguous. Consent need not be written but it is recommended as the data controller has the burden of proving that consent was obtained.

Individual visitors must at least see a notice to help them to decide whether they wish to consent (including the advantages and disadvantages of providing consent).

Comment: We recommend that a notice states that data collected will be processed for the purpose of contacting you about your visit, but will not be shared with 3rd parties. Obligations in Sweden are more onerous than those in the UK and therefore we absolutely insist on a notice and updated Ts & Cs as a minimum.

Recommendation: You are only contacting customers about their visit to your site and to ask them to return, you are not producing a database for generic marketing. Therefore, we recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section but to make sure any notice regarding data processing is clearly displayed.

USA

Criteria: There is no overarching data protection legislation in the USA. Instead, different pieces of legislation or regulations apply to different industry sectors.

For example, the Federal Trade Commission has issued Behavioural Advertising Principles that suggest that website operators must obtain affirmative express consent (which can be provided online) before using sensitive commercial data. This includes the following:

* Financial data

* Data about children

* Health information

* Precise geographic information

* Social security numbers

Where website privacy policies are revised, affirmative express consent must be obtained before consumer data is used in ways materially different from the privacy policy that was in effect when the data was collected.

Any websites that specifically target children must comply with the Child Online Privacy Protection Act.

Furthermore, certain states have enacted legislation governing certain types of personal data.

Comment: The USA has a very different set of procedures in place governing the processing of personal data. Different definitions also apply which means that information relating to financial data and geographic location are considered sensitive.

Generally speaking, the obligations on data controllers in the US are less onerous than in the UK and EU. However, there are certain requirements that are not specifically contained within the Directive that apply in the US (although the adoption of these principles would be considered best practice in the EU). For example, this applies to the revision of privacy policies.

Furthermore, before processing of personal data commences, the position governing such processing should be checked in the particular state where the processing will take place.

Recommendation: We recommend customers in this territory to adopt the same recommendations we make for the UK earlier in this section.

CAN-SPAM Act

Compliance with the CAN-SPAM Act is extremely important to Ve Interactive and we work closely with our US based clients to provide best-practice guidance to ensure CAN-SPAM compliance whenever we send emails on their behalf. Failure to follow guidelines can result in fines of up to $16,000.

Information on CAN-SPAM is simple to follow. Guidelines on how to comply are provided below:

The CAN-SPAM Act has three main areas which senders of all commercial emails, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” should follow:

• Labeling. Unsolicited emails must be clearly identified as solicitation or advertisement for products and services.

• Opt-out. Email senders must provide easily accessible, legitimate means for recipients to “opt-out” of receiving future messages.

• Revelation of the sender’s addresses. Unsolicited emails must contain a legitimate return email address, as well as the sender’s postal address.

While CAN-SPAM legislation only applies to customers in the United States we advise all customers, regardless of their physical location, to apply the following easy-to-follow guidelines:

1. Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.

2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.

3. Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.

4. Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.

5. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based method to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.

6. Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

7. Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

Further information on the CAN-SPAM Act can be found on the Bureau of Customer Protection website. Alternatively, should you have any questions please contact clientservices@veinteractive.com or your Online Efficiency Consultant.
