Grounds for Processing Personal Data
Please note. The below does not relate, in any way, to programs we operate on behalf of our customers. The below information relates only to marketing and sales information held by Thrive CSR for the purpose of contacting and communicating with CSR professionals, managers and related parties.
Data Controller contact information:
Thrive CSR Limited
The Innovation Centre,
Purposes of processing personal data for marketing:
We process personal data for the purposes of outbound marketing when we come across companies which we believe can, in principle, derive value from our product. We contact the relevant individuals (including CSR Managers) at companies with which we are looking to engage, via a mix of communication channels in order to ascertain whether the company wishes to discuss our service offering. The data we hold is not ‘sensitive data’ as determined by the GDPR and is limited to:
• First name
• Last name
• Job title
• Company name
• Company registration number
• Email address
• LinkedIn profile ID
• Company telephone number
• Trading or registered address
• Turnover or estimated turnover
• Employee numbers or estimated employee numbers
• Profit or estimated profit
• Growth rate or estimated growth rate
• Year founded
The data is either found within the public domain or sourced through GDPR compliant providers and therefore the risk to the data subject’s fundamental rights and freedoms is extremely limited.
Lawful grounds for processing personal data for marketing – ‘Legitimate Interests’
We base our outbound marketing approach on the grounds of Legitimate Interests. In other words, we contact companies where we believe our service can legitimately add value to their business. This is based on article 6.1. f) of the GDPR: https://gdpr-info.eu/art-6-gdpr/
Lawful grounds for processing personal data for marketing – Consent
In the event that data subjects have consented to receive marketing communications from Thrive CSR Limited, the data subject has the right to withdraw that consent at any time either by confirming in writing or by clicking on the unsubscribe links contained in email communications.
Data transfers to 3rd countries
The Controller may from time to time transfer data to 3rd countries where the processor within the 3rd country has signed a contract including GDPR compliant Standard Contractual Clauses and where the processor has been subject to data protection training and security controls in order to ensure secure processing of personal data. Details of these security protocols will be made available on request. For certain 3rd countries there has been no adequacy decision by the Commission, but due to the non-sensitive nature of the data and the aforementioned security protocols the risk to the freedom of the data subject has been deemed extremely low.
Personal Data Storage
All personal data will also be audited and updated annually to ensure it is kept up to date. We continue to store personal data if a data subject asks to be unsubscribed as we need to have a record of the data in order to avoid contacting the unsubscriber again in the future. Data subjects have the right to request we remove their data from our database, which we will of course do, but we do so on the grounds that the data subject understands that removal of their data means that we cannot 100% avoid contacting them again in the future, as we will not have a record of the contact’s data against which to ‘clean’ the contact’s record.
The right to lodge a complaint with a supervisory authority
Data subjects have the right to lodge a complaint with a supervisory authority if they reject our grounds for communication.