Jellyfish Connect’s Subscription Campaign Sites (PP) Controller to Controller Data Usage and Sharing Statement
This statement outlines the responsibilities between Jellyfish Connect Ltd (Controller, ‘Jellyfish Connect’) and the Publisher/Client (Controller, ‘Publisher’) for the gathering, storage, transfer, use and management of customer User Data gathered through specific magazine subscription sites run by Jellyfish Connect on behalf of the Publisher (the ‘Sites’).
Jellyfish Connect needs to gather and use certain information about individuals as part of its role as a retailer, to provide the Services, to process some payments, for service related communications, and in customer marketing communications.
The Publisher needs to use data to fulfil the order/subscription purchased through the Services, to process some payments, for service related communications and for specific customer consented marketing purposes.
Jellyfish Connect’s Responsibilities:
- Jellyfish Connect takes its responsibilities under data protection legislation very seriously. Jellyfish Connect Ltd is registered with the Information Commissioner’s Office (with the registration number Z1232767), and abides by the requirements of the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and, following May 25th 2018, that of the General Data Protection Regulation (EU) 2016/679 (GDPR).
- Jellyfish Connect shall collect customer names, email address, billing address, delivery address and payment details (if applicable) - (“User Data”) via the Sites so the order and the order transaction can be processed.
- For customers selecting to pay by debit or credit card, Jellyfish Connect shall securely process and collect payments via hosted services provided by SagePay Europe Ltd which meet the requirements of the Payment Card Industry Data Security Standard (PCI). Until the appropriate monies have been passed from Jellyfish Connect to the Publisher, Jellyfish Connect shall be responsible for refunds.
- For customers selecting to pay by Direct Debit, Jellyfish Connect shall securely collect bank details but shall not be responsible for setting up any Direct Debit payments with the customer or for refunds.
- Jellyfish Connect shall securely store User Data in line with data protection legislation.
- Jellyfish Connect shall securely transfer appropriate User Data and information to either the Publisher’s designated data processor (e.g. subscription bureau) or to the Publisher’s internal processing team to enable the Publisher to fulfil customer orders.
- When collecting customer User Data, Jellyfish Connect will provide a Fair Processing Notice on the Sites to notify the customer about their intention to send marketing communications and also a separate Publisher Fair Processing Notice to invite them to receive marketing from the Publisher. If the customer allows Jellyfish Connect to send marketing we will do so. If the customer allows the Publisher to send marketing, we will provide the relevant marketing permissions to the Publisher along with the subscription data.
- Jellyfish Connect shall ensure that their Fair Processing Notices are clear and transparent on the Sites and provide sufficient information to customers in order for them to understand what personal User Data each Controller will be using, the circumstances in which it will be shared, the purposes for the data sharing and either the identity with whom the data is shared or a description of the type of organisation that will receive the Data.
- For Publishers located in countries outside the European Economic Area (EEA) in respect of which an adequacy decision has not been issued by the European Commission, the transfer of User Data from Jellyfish Connect to the Publisher shall be governed by the Controller to Controller Standard Contractual Clauses (SCCs) in force at the date of the transfer.
- Jellyfish Connect shall not share User Data with any third party organisations for the purposes of their own marketing.
- Jellyfish Connect shall not keep User Data or associated personal information for any longer than is necessary in accordance with our Retention Policy.
Publisher Responsibilities:
- As the Controller for the processing of the subscription service and some payments, the Publisher shall be responsible for its own compliance with the General Data Protection Regulation and all appropriate data protection legislation.
- The Publisher or designated data processor (e.g. subscription bureau) shall use the data provided from Jellyfish Connect to process and set up the subscription as contracted by the customer when purchasing through the Sites.
- Where a customer selects to pay by Direct Debit, the Publisher shall be responsible for the set up and Direct Debit processing as well as refunds.
- Where a customer selects to pay by credit or debit card, only once the appropriate monies have been passed from Jellyfish Connect to the Publisher shall the Publisher be responsible for refunds.
- The Publisher shall be responsible for the handling of subscription renewals.
- The Publisher shall only use User Data for marketing purposes if there is permission from the customer for the purposes as defined in the Publisher Fair Processing Notice on the Sites.
- In the case that Jellyfish Connect cookies are placed on publisher owned sites (such as their brand subscription site) for remarketing purposes, the Publisher will ensure that the use of third party cookies for remarketing is disclosed in their cookie policy. The Publisher shall be responsible for the compliance of Publisher owned site(s) (including privacy policy, cookie policy etc.) with the latest relevant legislation.
- The Publisher will not share data with any third party organisation for the purposes of marketing by the third party.
Last updated: 23rd May 2018