True Influence LLC, a Delaware limited liability company, respects your privacy.
The core activity of True Influence is to support its customers in marketing B2B products by generating effective leads from the target markets.
It is True Influence’s policy to respect your privacy regarding any information we may collect through registration forms, resource libraries, advertising units, widgets, web sites and web pages, whether accessed via computer, mobile or tablet device, or other technology (collectively, the “Service”), collection and licensing of data through third parties we work with, and how such information may be used and/or shared with others, how we safeguard it, and your choices in controlling its use in connection with our marketing activities.
True Influence operates under several different brands, including BusinessTech Alert, SecurityTech Alert, HRTech Alert. All such brands are collectively called “Services”.
True Influence has a zero-tolerance spam policy. Any partner or publisher found to be using True Influence promotional offers for spam will be immediately cut off from use of the product. If you know of or suspect any violators, please notify us immediately at [email protected].
Data Controller and Data Processor
We process two main types of personal data.
Our Customers are the controller of Customer Data. True Influence is the processor of Customer Data and the controller of Other Data.
True Influence collects this data based on our customers’ instructions (also known as campaign information) through different channels, including business partners (publishers) using relevant technology in web marketing, email marketing and telemarketing.
The leads generated by the publishers are intelligently filtered to improve their quality and converted into actionable marketing targets before being passed on to the customers.
This data includes business contact information matching the criteria provided by the customer.
The types of data we may collect include: company name, contact/person name, company address, city, state, zip code, company phone, business email address, IP address, and date.
Our purpose in collecting information is to help us provide you with better service, such as notifications about special offers and promotions, or other relevant content delivered through targeted advertising.
The trueinfluence.com website may also collect a recipient’s email address to help you to initiate and email the recipient you have selected. The recipient may contact us at [email protected] to request that we remove this information.
We collect data through cookies
Customer Data will be used by True Influence in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and as required by applicable law. True Influence is a processor of Customer Data and Customer is the controller.
True Influence may use the information we obtain, license and collect about and from you for a number of business purposes, including for example, to: better tailor website and promotional content to visitor interests; verify your profile information; deliver targeted advertising; inform our partners of your business-related interests; improve the Service for internal business purposes; help our advertising partners better understand the audience they are reaching; and for purposes we disclose at the time you provide your Personal Information.
Lawful basis for processing
We have a lawful basis to process your personal data. We also use your consent as a basis for lawfully processing your personal data.
We process your personal data only when we have a lawful basis. Presently, we use the Performance of Contract (i.e. to deliver the services to our customers) and consent as the lawful basis for processing. For certain processing, we may also use legitimate interests as provided under the Data Protection Regulations.
In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
Where you have consented to a particular processing, you have a right to withdraw the consent at any time.
True Influence collects certain Personal Data from its Employees and Job Applicants, including without limitation (collectively, the “HR Data”).
True Influence processes HR Data relating to its Employees and Job Applicants in the US, UK or EEA for recruitment and HR management purposes at a global level, including:
True Influence does not knowingly collect Personal or Usage Information from children under the age of 13 through www.trueinfluence.com, nor from any of our affiliates and partners. If you are under 13, please do not give us any Personal Information, and do not provide Personal Information to any website or web service without consulting your parent or guardian. If you have reason to believe that a child under the age of 13 has provided Personal Information to True Influence, please contact us, and we will seek to delete that information from our database.
True Influence is engaged in providing B2B services for customers to identify targets for the marketing of business products and in the process collects business contact data of companies and executives working in companies which are prospective customers for the products to be marketed.
True Influence and its business partners (publishers) collect the data based on campaign information provided by True Influence’s customers.
The publishers obtain the necessary consent from the data subjects to receive marketing communications from True Influence customers using appropriate disclosures in compliance with legal requirements of the jurisdiction in which the prospective customers reside, including Canada’s Anti-Spam Legislation.
Opt-in is obtained when legally required, and the publishers provide data subjects a fair opportunity to opt out. True Influence has entered into the necessary legally binding contracts with the publishers to ensure compliance with relevant regulations for collection, processing, storage, and transfer of data.
Advertising / Behavioral Targeting; How to Opt-Out
We may use third party vendors to enhance the Service (e.g. for purposes of retargeting). When you opt out of the Service, True Influence will no longer use or share any of your Personal or anonymous Usage Information, unless you recently submitted Personal Information (within last 30 days) in order to access free content, in which case only the Content Provider associated with the content you recently acquired will have access to your information. Please contact True Influence at [email protected] to opt out of this option.
We may engage companies that provide services to help us with our business activities such as our blog and career pages. These companies are authorized to use your personal information only as necessary to provide these services to us.
Your data will be shared with other recipients to provide you with services.
While we aim to limit the sharing of your data, at times it is necessary to share your data with certain service providers and/or customers. Examples of when and for what purpose your data is shared include data center / hosting services, email marketing/verification services, customers, and onboarding partners, etc. Additionally, compiled personal information may be shared with third parties for their marketing purposes.
Cross-Border Data Transfers
Your data will be stored and processed in multiple countries including outside of the European Union (EU) Region
The Service and the servers and facilities that maintain the data we hold, are operated in the United States. Given that we are an international business, our use of your information necessarily involves the transmission of data on an international basis. If you are in the European Union, Canada or elsewhere outside of the United States, please be aware that information we collect may be transferred to and processed in the United States.
True Influence offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our customers that operate in the European Union, and other international transfers of customer Data. These clauses are contractual commitments between parties transferring personal data (for example, between True Influence and its Customers, suppliers, or data processors outside the EU), binding them to protect the privacy and security of the data.
True Influence also certifies to the EU-US Privacy Shield Framework for data transferred from the EU to the United States. To read more about our participation in Privacy Shield, please review our Privacy Shield Notice below.
By using the Service, or providing us with any information, you consent to the collection, processing, maintenance and transfer of such information in and to the United States and other applicable territories in which the privacy laws may not be as comprehensive as or equivalent to those in the country where you reside and/or are a citizen.
Accountability for onward transfer
True Influence is responsible for the processing of personal data it receives under the EU-U.S. Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf or providing data storage services.
Any personal information received from publishers in which personal data of EU citizens may be contained is treated as “EU Sensitive Data” and adequate technical and administrative controls are implemented across all the True Influence entities.
The personal information is used only for the purpose for which it has been collected and is shared within the organization on a need-to-know basis.
The technical and administrative controls ensure preservation of the confidentiality, integrity, and availability of information as per the contractual obligations that True Influence has committed itself to.
True Influence maintains reasonable and appropriate security measures to protect data and information under its control from unauthorized access, disclosure, misuse, loss, or alteration.
True Influence’s security measures include industry-standard technology and equipment to help protect your information, and True Influence maintains security measures to allow only the appropriate personnel and contractors access to your information as well as policies and procedures to support implementation of various security controls. Unfortunately, no system can ensure complete security, and True Influence disclaims any liability resulting from use of the Service or from third party hacking events or intrusions.
We will retain this information for as long as needed to provide services to any one of our customers or as otherwise authorized, directed, or permissioned by our Customers. In addition, True Influence will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
We will retain this information for the duration of our business relationship and afterwards for as long as is necessary and relevant for our legitimate business purposes, in accordance with the True Influence Data Retention Policy or as otherwise permitted by applicable laws and regulations. Where we no longer need your personal information, we will dispose of it in a secure manner (without further notice to you).
The retention period for personal data and the rationale for that period are defined in True Influence’s ‘Data Retention Policy’.
True Influence is subject to the investigatory and enforcement powers of the FTC, or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU or Switzerland].
You can request to access, update, or correct your personal information. You also have the right to object to direct marketing.
You may have additional rights pursuant to your local law applicable to the processing. For example:
If the processing of your personal information is subject to the EU General Data Protection Regulation (“GDPR”), and your personal information is processed based on legitimate interests, you have the right to object to the processing on grounds relating to your specific situation. Under GDPR you may also have the right to request to have your personal information deleted or restricted and ask for portability of your personal information.
If your personal information is processed under the Principles of the EU-U.S. Privacy Shield, you have the right to access personal information about you that we hold and to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
For any such requests please go to the Do Not Sell My Data page.
Your Rights to Control Data
Whenever you use our services, we aim to provide you easy means to access, modify, delete, object to, or restrict use of your personal information
We strive to give you ways to access, update/modify your data quickly or to delete it unless we must keep that information for legal purposes. Some rights can be accessed from within the True Influence application. For visitors, these rights can be exercised by contacting us with your specific request.
If you are based within the EEA, or within another jurisdiction having similar data protection laws, in certain circumstances you have the following rights:
If you wish to access, verify, correct, or update your personal Information collected through the Service, you may contact us at [email protected]
You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: www.ec.europa.eu/justice/dataprotection/bodies/authorities/index_en.htm.
True Influence Services
True Influence also collects information under the direction of any one of its Customers, in which case it collects cookie identifiers from the individuals. If you are a customer of any one of our Customers and would no longer like to be contacted by our Customer that uses our Service, please contact the Customer that you interact with directly. We may transfer personal information to companies that help us provide our Service. Transfers to subsequent third parties are covered by the service agreements with our Customers.
An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their query to the pertinent True Influence Customer (the data controller).
As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, or a sale of our significant assets, we reserve the right to include any information we have among the assets transferred to the acquiring company.
Our website includes social media features, such as the “Facebook Like” button, and Widgets, such as the “Share This” button or interactive mini programs that run on our website. These features may collect your internet protocol address, which page you are visiting on our website, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy statement of the company providing them.
Our website offers publicly accessible blogs. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal information from our blog or community forum, contact us at [email protected]. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to: [email protected]. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to [email protected].
In certain situations, True Influence may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
True Influence’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, True Influence remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless True Influence proves that it is not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, True Influence commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints regarding our Privacy Shield policy should first contact us at [email protected].
True Influence has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you. If your complaint involves human resources data transferred to the United States from the EU in the context of the employment relationship, and True Influence does not address it satisfactorily, True Influence commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), as applicable and to comply with the advice given by the DPA panel, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
Contact details for the EU data protection authorities can be found at
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at www.privacyshield.gov/article?id=ANNEX-I-introduction
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, business contact, or device (“personal information”). In particular, we collect the following categories of personal information from consumers and business contacts:
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, business name, device id, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, postal address, telephone number, employment name. Some personal information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | NO |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | YES |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | YES |
Personal information does not include:
We obtain the categories of personal information listed above from the following categories of sources:
We may use or disclose the personal information we collect for one or more of the following business purposes:
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
Category A: Identifiers.
Category B: California Customer Records personal information categories.
Category F: Internet or other similar network activity.
Category I: Professional or employment-related information.
We disclose your personal information for a business purpose to the following categories of third parties:
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by visiting Do Not Sell My Data
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We are committed to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by postal mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by email or through a notice on our website homepage.
If you have any questions or comments about this notice, our California Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
functionality or track usage of our Services. This provides a better experience when you use our Services and allows us to improve our Services.
Some browsers support a “Do Not Track” feature, which is intended to be a signal to websites that you do not wish to be tracked across different websites you visit. Our Services do not currently change the way they operate based upon detection of a Do Not Track or similar signal. You may, however, disable certain tracking as discussed in the Cookies & Other Tracking Mechanisms section above (e.g., by disabling cookies). You also may opt out of certain behavioral advertising by following the instructions in the Your Choices section below.
Accessing, updating or deleting your personal information. We value the accuracy of the information we have about you. You may access, update or delete your information (or in some cases object to its processing) by emailing us at [email protected].
PART A: General
1. True Influence LLC, a Delaware limited liability company, Carnegie Center Drive, Suite 300, Princeton, NJ 08540 (USA)
2. True Influence India, 43, 100 ft Road, Domalur, Bengaluru, 560071 (India)
3. True Influence Ltd, 54 Clarendon Road, Watford, London, UK, WD17 1DU 103
Lead generation is done through intelligent market research, collecting relevant data to identify reliable purchase intent of corporates through different channels, including through business partners using relevant technology in web marketing, email marketing and telemarketing.
In the process of these activities, True Influence acts as an intermediary who adds value to the B2B marketing chain. The campaign information provided by the Customers is fine-tuned and converted into campaign materials for distribution to the potential market space.
The distribution to the end target customers by placement of the campaign materials in relevant media is done through external publishers who generate leads. Part of the leads is generated by in-house publishing activity and use of innovative corporate intent marketing tools developed by the R&D team of True Influence.
The leads generated by the publishers are intelligently filtered to improve their quality and converted into actionable marketing targets before being passed on to the customers.
True Influence has developed proprietary products, processes and information generation systems, which include the development of reliable vendors and trained manpower, and which together reflect the value proposition that True Influence brings to the B2B marketing ecosystem across the globe. Sustaining and nurturing this expertise and using it for harnessing commercial opportunities represents a legitimate interest of True Influence.
This Code of GDPR Compliance adopted by True Influence declares that True Influence is committed to the concept of “Privacy as a fundamental right of a citizen of a democratic society” across the globe and in good faith shall implement all the Privacy principles mandated under GDPR where it is applicable.
True Influence, however, discloses that it has a legitimate interest in carrying on a legitimate business operation across the globe as a B2B market intermediary, and that it is the democratic right of True Influence to carry on its business in good faith without being in conflict with the rights of the individual natural persons whose privacy is sought to be protected under GDPR.
True Influence also discloses that its business model requires collection of only the data of business entities, which are outside the purview of GDPR, and Business Contact data, which is not personal data per se but may include personally identifiable information in part but does not include personal data of children and personal data that is classified as “Special categories” under GDPR.
Part of the B2B marketing leads is generated in EU countries and in the UK. Some of the Customers located in the EU/UK may also avail themselves of the services of True Influence. Currently a majority of interactions with Customers is in the US and a majority of interactions with lead-generating business partners is in India.
The GDPR exposure of True Influence is therefore recognized when Business Contact Data is collected from business organizations operating in EU/UK regions.
The Privacy protection of data subjects and Security of information related to Privacy protection in respect of the GSD tagged data is factored into the design of the support structure.
Though data is processed in specific locations and the technical infrastructure for processing GSD is located in such specified locations, an enterprise-level GDPR awareness has been created and will continue to be pursued so that the principles of this GDPR Code of Conduct percolate to the entire organization beyond GSD processing to include the Marketing, Financial, and Managerial functions, which may be located in different locations with their own technical and administrative infrastructure.
In order to effectively implement security for the entire data processing infrastructure, the Company has adopted a comprehensive information security policy which includes multiple sub-policies regarding data access, processing, storage, transmission, etc.
In view of the presence of Customers in EU/UK and the monitoring of activities of corporate employees residing in EU/UK, True Influence has chosen to adopt GDPR Compliance standards towards protection of Privacy of all natural persons who may interact with the Group even where such interaction is only in their capacity as employees of different business entities pursuing the business objectives of their respective business organizations.
The Raw Data collected is recognized as data belonging to the data subject and to which the Data Subject’s rights under GDPR are applicable. The value addition to the data that occurs during the process arises out of the proprietary data processing capabilities of True Influence on which True Influence has a certain level of Intellectual Property Right claim.
If any data has been pseudonymized, the value added pseudonymized data shall be considered as data on which True Influence has legitimate interest to use for further research. Non Pseudonymized data even in the value added state is subject to the exercise of Data Subject’s rights such as Access, Rectification, Restriction, Portability and Erasure. Pseudonymized data if any will not be classified as GDPR sensitive.
True Influence possesses a legitimate business interest as recognized under Article 6(1)(f) of the EU GDPR regulations, in the collection and processing of Business related data such as firmographics and Business Contact data of decision making officials in the business entities.
Also, the business of True Influence involves operations within and outside EU countries and hence is exposed to statutory obligations of different countries related to Data Processing as well as other laws applicable to business in general and IT related activities in particular, as envisaged under Article 6(1)(c) of the EU GDPR regulations.
Further True Influence has adopted business practices for lawful processing incorporating the principles of EU GDPR as enunciated under Article 6, including obtaining informed explicit consent where required and adhering to the requirements of contractual obligations with the data subjects if any.
The policies of True Influence on Privacy and Data Protection are therefore structured with specific Privacy and Information Security controls that address the issue of identifying GDPR sensitive data at the stage of its origin and entry into the True Influence system and tagging them throughout its life cycle of processing.
True Influence recognizes that in most of its operations, it is not a “Data Controller” but is a “Data Processor” for the purpose of GDPR. It may assume the role of a “Joint Controller” when it uses the services of sub-contractors for any part of its processing.
Keeping these roles in view, True Influence’s policies and controls are structured to ensure GDPR compliance, including maintenance of appropriate Technical and Organizational/Administrative controls to keep itself duly informed about the GDPR compliance activities of its business partners and also sharing with them True Influence’s own GDPR Compliance measures as may be necessary.
This policy document is meant for limited sharing with stakeholders including business entities outside True Influence and hence excludes proprietary information on the processing where it is essential to protect the Intellectual Property of the organization.
Any request for disclosure of information beyond what is stated here will be addressed under the Data Disclosure Policy of True Influence and such requests may be directed to the Privacy Manager through a non-repudiable authenticated e-mail.
Part B: Specific Policy Outlines
An Information Security Governance Committee (ISGC) will be overall in charge of Information Security including GDPR compliance. It will be the apex policy making body of True Influence responsible for laying down all information security policies including GDPR policy and will monitor the need to designate any person or a consultant as Data Protection Officer in due course.
Accordingly, the entire Business contact data set associated with a physical location address in EU/UK is identified as GDPR Sensitive Data (GSD) and tagged during further processing within the organization.
In the absence of the physical location information of the data subject, the physical location of the associated business organization would be considered relevant.
Any GSD data set not accompanied by an appropriate “Consent” or “Legitimate Interest Note” will be recommended for deletion.
On confirmation, such data will be forensically deleted.
Every GSD set shall be tagged with the Data Controller from whom it was sourced and who is responsible for the collection of the data under a consent or contract.
Any specific restrictions associated with such data set shall also be tagged with the data set.
The Data storage shall enable individual data set to be located and processed for execution of any Data Subject’s rights such as request for data rectification, data portability, data erasure or data access at any time during its life cycle.
Use of access parameters such as Passwords shall be defined with a degree of complexity and uniqueness as may be required and supplemented with Encryption and Machine ID tags so that GSD data may be accessed only from specific hardware which are assigned to authorized GSD work force.
Where data storage is on the cloud, only GDPR compliant cloud services shall be used along with additional controls as may be required in ensuring that data at storage and transit shall be protected from unauthorized access.
Project specific GSD shall be stored in such a manner that only employees associated with a given project get access to the data. Cross project access shall be regulated on a need basis.
Thereafter, the data shall be archived securely as per the requirement identified under legitimate interest for example until the project billing cycle is complete.
Subsequently, data shall be continued in secure archiving or destroyed as per the identified legitimate interest requirements of the Company.
A monthly review of archived data shall be undertaken to identify data that is no longer required which shall be referred to ISGC for disposal instructions.
Legal obligations on data retention which may arise due to any overlapping legislations shall be factored into the legitimate interest assessment.
It is recognized that requests received directly from the data subjects are subject to phishing risk and such requests if any shall be referred to the corresponding Data Controller who collected the data from the data subject under a consent or contract that may exist between them.
The data to be disclosed shall be sent only to the Data Controller for onward transmission to the Data subject after properly authenticating the identity of the representative of the Data Controller who makes the request.
In exceptional circumstances where data needs to be disclosed directly either to a data subject or his authorized representative or a law enforcement authority, adequate authentication of the identity of the person making the request shall be ensured.
All data disclosure requests are to be approved by the ISGC before release of the data and the request as well as the assessment documents shall be considered as required GDPR compliance documentation.
A whistleblower’s policy may be used to ensure that incidents are reported promptly by any observer either within the Company or outside.
Any such incident which comes to the knowledge of True Influence shall be logged in a GSD Incident Management Register and referred to the DPO for immediate action.
The DPO shall review the incident report and take immediate steps to resolve the incident and also to report the incident to the ISGC.
The ISGC will convene a meeting expeditiously and evaluate the incident to identify if it involves any suspected data breach.
Where necessary, ISGC may order an immediate techno-legal audit for a risk assessment of the incident. Based on the risk assessment, ISGC shall decide the need for further action including sending a data breach notification to the Data Controller associated with the Data.
An incident where GSD has been accessed by another employee of the organization is considered as a Security Incident and not necessarily a “Breach”. However, such incidents shall be investigated as to the cause of unauthorized access and if it is an unintentional accidental access it may be resolved with a suitable internal disciplinary action as per the HR policy.
If data has not moved out or been accessed by an outsider, the incident may be classified as an internal data accident not amounting to a breach.
In the event the access or data moved out is known to be in encrypted form and was in a state in which it was undecipherable by the recipient, subject to suitable internal investigation as to the security of the associated decryption key, the access may be classified as an internal data accident not amounting to a breach.
Such data breach incident shall be immediately reported to the ISGC which shall without further delay notify the Data Controller associated with the data set along with relevant details of the incident.
Such report shall specify the nature and extent of the breach, time and date of the breach, the details of the affected data subjects, action taken on the noticing of the breach, etc.
Where necessary the data breach may be also reported to a supervisory authority.
In order to meet these rights of the data subject such as “Access”, “Rectification”, “Erasure”, “Portability” and Right to impose “Restrictions”, True Influence has enabled its GSD storage and access systems in such a manner that a data set belonging to a specified data subject may be extracted separately and processed.
The system has therefore been designed to be compliant to the most stringent requirements of GDPR.
Whenever a request for exercising of such rights is received from a Data Subject, as per the Data disclosure policy, the request is first validated and then in case the data has been received from a Data Controller, the data controller would be requested to confirm the data disclosure.
Ordinarily the request is processed in communication with the data controller and if it is to be ported, it is returned back to the data controller.
In exceptional circumstances where True Influence has to handle the request of a data subject without the cooperation of the data controller, appropriate precautions will be taken to prevent a wrongful disclosure since it would be in the legitimate interest of True Influence to be indemnified against any possible wrongful disclosure.
The data transmission is on an encryption basis subject to management of transmission security covering known vulnerabilities.
The application itself, along with its inherent storage and processing elements and the API, is secured against unauthorized access and malicious attacks by an appropriate malware and secured access management system.
Where GSD set is transmitted to the Customer or Sub contractor also, the transmission is managed through encrypted communication channels either through an API or an encrypted e-Mail.
True Influence also insists that its partners both the lead generators, sub contracting processors and customers do not use the GSD except as per the available permissions.
Where an unambiguous consent is not available, no business contact data is collected from the lead generators or passed onto the customers or processed through the sub contractors.
Such data is killed at the first instance when it enters the True Influence system and identified as a “GSD without proper processing consent”.
In the pre-GDPR scenario, such consents had been generally collected under the principles of Personal data processing which included a Privacy Notice. Such Privacy Notice indicated what information was being collected, the purpose of collection, the time for which it would be retained, how it would be secured, whether the information was accurate, whether it would be transferred out of EU for processing, etc. Some of the consents were based on the “Opt-in” principle as a default setting.
Under GDPR, it is essential that personal data is collected only on the basis of an Explicit Consent where “Opt-Out” is the default option and only on the basis of an affirmative action indicating acceptance, the consent would be accepted.
Additionally, the Privacy notice should also indicate that the Data subject has certain rights such as “Right to be informed of the identity of downstream processors”, “Right to access and rectification”, “Right to Portability and Erasure”.
In view of the new requirements, all consents obtained in the pre-GDPR format shall be considered as invalid and such data would be discarded by True Influence.
External Publishers who generate Leads for True Influence shall confirm through their contracts that they would provide only leads generated with the new form of consent in case the data subject is located in EU/UK.
For effective compliance, no GSD data should be exchanged in any communication with the stakeholders except through secure transmission and to authorized representatives only.
While the communication through API is controlled by the access policy, any other communication through e-mail should be controlled with an Email Communication policy.
Essentially, an Email Communication policy shall define that sharing of any GSD or GDPR compliance information with a stakeholder shall be only through a notified contact Email address who will be in most cases the DPO of the other organization.
Where necessary the Email communication may be encrypted and authenticated with a digital signature.
In all cases of Data Subject’s Rights being implemented, True Influence would evaluate the request before taking further action. In the event True Influence recognizes a need to refuse the request or modify it for acceptance, the reasons would be documented and a GSD Legitimate interest note would be developed by the ISGC.
Where the data is not required to be active, it may be archived securely until the legitimate interest expires.
The reasons for exercising legitimate interest argument for processing the data subject’s request shall be conveyed to the Data Controller who is responsible for the Data Subject for onward transmission to the data subject.
Hence, GSD would be suitably tagged and processed on a need to know basis by a specially trained set of employees.
These employees and the systems in which GSD would be stored, accessed and processed would be managed securely considering the level of risk that is associated with GSD.
Assignment of people to this GSD processing and their removal shall be managed with the appropriate security measures including a higher level of background verification, training, physical access identities, sanction policies, etc.
The HR policies need to be appropriately upgraded for the GSD workforce as may be required.
Pseudonymized personal data is not considered as “Personal Data” for the purpose of GDPR regulation provided the Pseudonymization process is adequately structured.
In view of the current level of exposure of its operations to the GDPR Risks True Influence has not considered it necessary at present to use Pseudonymization as a strategy for risk mitigation.
True Influence will maintain adequate back up of GSD data and reasonable ability to maintain Business Continuity in case of any contingency.
The Compliance documentation shall be retained for a minimum period of 6 years since its creation.
In the event any document is a potential evidence for law enforcement requirements or for defending the legitimate interest of True Influence, such document would be retained as long as the requirement persists.
External audits may be considered on the basis of an assessment by the ISGC whenever a substantial change in business profile occurs.
True Influence reserves the right to conduct an audit of the facilities of any of its sub-contractors to ensure compliance as per the contractual obligations.
True Influence however recognizes that the empowerment to audit a sub contractor’s facilities is an enablement and shall be used only under exceptional circumstances. This does not reduce the responsibility of the sub contractor to meet the compliance requirements at their end as per the contractual assurances provided.
Any queries from a GDPR supervisory authority shall be handled by the DPO and escalated to the ISGC where required.
Any disputes with the Customers, Publishers or Sub Contractors shall be handled as per the respective contractual agreements.
A designated Information Security Manager shall be responsible for maintenance of Network security.
Until further notice, Mr. Ray Estevez, located at the True Influence LLP, US office, is the designated Privacy Manager, and he would be available at [email protected]
P.S: This Code is subject to revision from time to time.