Last Modified: 30 July 2021
We encourage you to read the whole notice but if you wish to jump to a certain subject, please use the table below.
- Privacy Commitment
- Epsilon’s Role
- Information Sharing
- Retention Times
- Your Rights
- International Transfers
- Contact Us
We care about your privacy and we think it is important for you to understand how we process Personal Data and what choices you have with regards to it. We have done our best to provide you with information that is as clear and easily accessible as possible, but if you have any questions, please do not hesitate to contact us.
This section sets out Epsilon’s role in relation to the different types of Personal Data that we process and provides further information about the connected Processing activities.
Personal Data provided by Members
Members provide us with their customers’ name and address details as well as purchasing histories for Processing in the Abacus Alliance’s cooperative environment. Epsilon Processes this type of Personal Data as a Processor on behalf of each Member, which is a Controller. Each Member decides what Personal Data to share with other Abacus Alliance Members and how it can be used. Each Member also determines the lawful basis for Processing. We Process this Personal Data to provide our Services to Members, which include creating mailing lists for Members to use for postal marketing.
Other Personal Data Processed by Epsilon
In addition to the Personal Data provided by Members, Epsilon Processes Personal Data from the Ocean Database provided to it by CACI Limited (“CACI”), and receives Personal Data collected in connection with other services provided by Epsilon. Epsilon Processes this Personal Data as a Controller.
The Ocean Database contains name, address and profiled attributes such as probability scores, for example as to whether an individual may have an interest in gardening or whether it has bought clothes online in the last 12 months. These probability scores are modelled/predicted scores (known as “inferred data”) created by inputting Personal Data and non-Personal Data (e.g. aggregated census data) into an algorithm and then running a computer model to produce probability scores for a wide range of attributes. The source of the name and address information in the Ocean Database is the edited Electoral Register. CACI also buys other sources of Personal Data to create the Ocean Database. More information can be found here.
We use this combined Personal Data to enhance our Services and help our Members gain insight into their customers and assess, for example, whether an individual should be included on a mailing list for a specific postal marketing campaign. The probability scores in the Ocean Database and the additional attributes will only be linked to names and addresses that already exist in the Abacus Alliance (i.e. have already been provided by at least one Member). The profiling and automated decision making required to support this processing does not have legal or other similarly significant effects on individuals.
Epsilon has legitimate interests in Processing this Personal Data. Epsilon’s legitimate interests include (i) gaining the insight required to be able to provide Members with mailing lists that are likely to include individuals for whom the offer is relevant and achieve the result expected by the Member and (ii) providing the best Services possible to Abacus Alliance Members.
Epsilon does not share Personal Data with any third parties, with the following exceptions.
- Our affiliates that assist us in providing our Services,
- Our Processors and sub-Processors as necessary to assist us in proving our Services;
- A third party in the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings);
- As we believe necessary and appropriate: (a) under applicable law; (b) to comply with legal processes; (c) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
We retain Personal Data provided by Members for a period of 2 years. Personal Data received from CACI as well as the attributes received from other parts of Epsilon is updated and replaced every 12 weeks.
If you do not want your Personal Data to be Processed by Epsilon for the purpose of future postal mailings from Members you can request to be supressed from the Abacus Alliance. Please note that you may still receive postal marketing from Members for a few weeks after the date on which your suppression request was actioned. This is because Members prepare their postal marketing campaigns weeks in advance and source contact lists from the Abacus Alliance early in the process.
You also have the right to contact us with a request to access, rectify, erase or restrict the Personal Data we Process as a Controller. We ask you to be clear and specific with your request as this will enable us to assist you in a more effective manner.
If you wish to further limit the amount of unsolicited direct mail you receive, we recommend registering with the Mailing Preference Service (www.mpsonline.org.uk. This is a free service which will remove your name and address from lists used for postal marketing by the members of the Data & Marketing Association.
We have implemented appropriate technical and organisational security measures to protect the Personal Data in our care, both during transmission and at rest. This includes physical and technical security measures to protect Personal Data from accidental or unlawful destruction, loss, or alteration, and from unauthorised disclosure or access.
In order to operate the Abacus Alliance and provide our Services, we may transfer Personal Data to countries outside the EU/EEA or the UK. More specifically Abacus Alliance servers are located in Ireland, and our Processors and sub-Processors operate from the United States and India.
We have taken appropriate and suitable safeguards to ensure that Personal Data will remain protected when transferred outside the EU/EEA or the UK. This includes implementing Standard Contractual Clauses for transfers of Personal Data adopted by the European Commission and/or the UK.
We are an active member of the Data & Marketing Association (DMA) who sets standards for our industry. The DMA is representing over 1 000 members drawn from the UK's data and marketing landscape. We comply with the DMA Code which is a code of practice to which all DMA members and their business partners must adhere.
Our Data Protection Officer is tasked with informing and advising us on the obligations that apply to us under Data Protection Laws as well as monitoring our compliance with the same. If you need to contact our Data Protection Officer, please email us here. However, we respectfully ask that you only contact our Data Protection Officer regarding urgent matters relating to data protection.
You also have the right to report a concern to your country’s Data Protection Authority. UK residents can report a concern to the Information Commissioner’s Office. However, we respectfully request that you contact us first so that we can assist you.
“Abacus Alliance” means the cooperative environment used by participating retailers (i.e. Members) to find and understand more about consumers who may be interested in what they offer. The Abacus Alliance is operated by Epsilon.
“Controller”, “Personal Data”, “Processor”, “Processing” and “Profiling” have the meaning given to them in Data Protection Laws.
“Epsilon” means Epsilon International UK Ltd, registered in England and Wales with company number 03610044, whose registered address 1st Floor 2 Television Centre, 101 Wood Lane, London, United Kingdom, W12 7FR.
“Data Protection Laws” means (i) the UK General Data Protection Regulation (UK GDPR) as tailored by the UK Data Protection Act 2018 (“GDPR”); (ii) the UK Privacy and Electronic Communications (EC Directive) Regulations 2003; and (iii) any and all applicable national data protection laws made under or pursuant to (i) or (ii); in each case as may be amended or superseded from time to time.
“Members”means (i) charities; and (ii) retailers operating in the clothing, collectable, food & drink, gardening, gadgets & entertainment, health & beauty, household goods, home interiors and travel categories that provide their customers’ or donors’ name and address details as well as transaction histories to the Abacus Alliance for processing in the co-operative environment”
“Services” means the Abacus Alliance UK and other marketing related services that we provide to Members in more detail described here.