The Splio Group is a marketing software provider in Saas mode, specialized in retail, offering various Services to its clients. The Saas Client Experience Management IT platform combines a number of modules allowing Splio Group clients to orchestrate omnichannel strategies in real time from their Client database.
The Splio Group places great importance on the quality of marketing communications sent from its infrastructure (electronic communication operations via campaigns, hereinafter referred to as “Campaigns”), pays particular attention to Personal Data protection, ensuring that the rights of Campaigns or Electronic Messages recipients are protected, fighting against inappropriate solicitations, spam, junk mail and chain letters, and subjects the use of the Saas Service to the respect of Applicable Legislation and good practices.
The Splio Group and its clients undertake to collect, process, use and transfer the Client Data in compliance with the Applicable Legislation.
The respect of Applicable Legislation and good practices is necessary in maintaining and developing the Splio Group’s reputation towards e-mail service providers and telecommunications operators. This reputation is essential for optimal deliverability and enables clients to use electronic marketing to its full potential in order to expand their businesses. They also make it possible to guarantee the respect of the recipients’ rights and privacy.
The Client Data used by the Splio Group clients are owned by the clients, and are collected and managed under their full and sole responsibility.
The Splio Group does not market any Client Data.
The Splio Group reserves the right to suspend the launching of a Campaign which could lead to an abnormal or excessive complaint rate or else block an account or part of the Client Data if it is proven that the said client does not respect the Applicable Legislation.
We remind our clients that it is important not to over-solicit their contacts, to correctly segment their database in order not to send messages considered to be uninteresting or inappropriate, and to carefully pick the mailing days.
In respect of your Campaigns, the Splio Group, as sub-contractor, remains at your disposal in order to provide you with any information on the Applicable Legislation and good practices.
COMMITMENTS OF CLIENTS USING THE Splio PLATFORM
1. Ethics Codes and Charters of various organizations
The Splio Group makes its clients aware that they should:
1.1. respect the ethics codes and charters of the following organizations:
– SNCD (Syndicat National de la Communication Directe) (http://www.sncd.org/deontologie/code-general-de-deontologie-communication-directe-sncd/);
– Signal Spam (http://www.signal-spam.fr/);
– Certified Senders Alliance (https://certified-senders.eu/);
– MAAWG (http://www.m3aawg.org/);
– CAN-SPAM Act (https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business);
– CASL (http://fightspam.gc.ca);
and more specifically any good practice or regulation applicable to the territory targeted by the Campaigns launched;
1.2. consult the recommendations of the Personal Data protection authorities such as for example National Commission for Data Protection and Liberties (CNIL) in France, Spanish Data Protection Agency (AEPD) in Spain, Italian Regulatory Authority (Garante) in Italy, GIODO in Poland, etc.
2. Applicable Legislation and Good Practices
Within the context of the Saas Services contract signed between the Splio Group and its clients, the clients undertake to respect the Applicable Legislation and in particular the rules and good practices described below in articles 3 to 19.
3. Representations, Registers for processing and collections
If the local law so requires, the Client Data must be declared by the clients to the competent local Personal Data protection authorities (or else the clients must keep a Register of the Personal Data processing activities) and must exclusively contain addresses or numbers collected (opt-in) from individuals who have been informed of the information below at the time of the collection.
The clients shall be solely responsible for collecting the Client Data for direct marketing purposes and information to be provided to individuals at the time of this collection. The clients must first obtain the free, specific, informed and unequivocal consent (clear and positive act) from the recipient to receive the Electronic Message, irrespective of the channel, and must keep proof of this consent, as well as any information on the data collection (date, origin, IP address, etc.).
The “pre-ticked” boxes which make it possible to assume the consent of the individual (“opt-out”) are not lawfully admitted. Similarly, the acceptance of the client’s general user conditions is not a sufficient method for gaining the individual’s consent.
At the time of the Personal Data collection the clients must inform the individual of the following information in particular:
a) identity and contact details of the person responsible for the processing;
b) if applicable the Data Protection Officer’s (“DPO”) contact details;
c) the purpose for which the Personal Data processing is intended, as well as the legal basis for the processing (consent or legitimate interests of the person responsible);
d) recipients or categories of recipients of Personal Data, if they exist; and
e) if applicable, the fact that the person responsible for the processing intends to transfer the Personal Data to a third country;
f) time limits for the storing of Personal Data;
g) existence of the right to request the person responsible for the processing to provide access to the Personal Data, for rectification or deletion of the said Personal Data or limitation of the processing regarding the person concerned, or the right to oppose the processing and the right to the portability of the Personal Data;
h) the right to lodge a claim to a supervisory authority;
i) the existence of automated decision-making, including profiling mentioned in article 22, par. 1 and 4 of the GDPR (General Data Protection Regulation), and, at least in such cases, relevant information concerning the underlying logic, as well as the importance and consequences of this processing for the person concerned.
4. Subscriptions to a Newsletter
When collecting Personal Data at the time of subscription to a Newsletter, secure the subscription form (captcha or double opt-in).
5. Personal data of minors
When processing Personal Data of a child under 16 years of age, obtain the consent or authorization for consent from the person who has parental responsibility for the child. It must be noted that EEA Member States may provide by law for a younger age for these purposes so long as this age is not below 13 years.
6. International Personal Data transfers
Take all necessary measures to ensure the legality of the international Personal Data transfers.
7. Information on the client’s Website
Provide a privacy and cookie user policy, as well as legal disclaimers available on the website where Personal Data are collected.
8. “Opt-in partners” monetization transactions
Do not use databases leased or loaned by a third party unless the individuals in these databases have previously and expressly consented to receive messages from the partners (opt-in partners). The purchase of Client Data is forbidden.
Monetization transactions take place when the clients (i) send Campaigns to addresses or telephone numbers leased from third parties or made available by third parties (for example in what are commonly known as “partner operations”/“opt-in” partners) or (ii) sell or make available to third parties their own addresses or telephone numbers.
In both cases, the Client Data thus monetized contributes significantly to the increase in the recipients’ complaint rate.
Therefore, at the time of the collection, if a Personal Data transfer to partners is planned, the clients must collect the individual’s consent to receive offers from the clients separately from the consent to receive offers issued by the clients’ partners (by clearly indicating the company name of these partners and the purpose of commercial solicitation), in order to avoid any confusion in the consumer’s mind.
9. DPO and request for information on the collection
Send the DPO’s contact details and reply within 3 working days to any request for information on the origin of the consent and collection.
Splio may request the clients to provide proof of consent from recipients of the Client Data, in particular in the event of a high complaint rate following a Campaign.
10. List of unsubscribed, inactive contacts and complaints
On the date of Saas Services Initialisation and during the performance of the Saas Services Contract, provide Splio with a complete list of unsubscribed, inactive contacts and spam complaints which may have been collected by the client’s other routing service providers.
11. Taking into account unsubscribed contacts, feedback and requests for information
The clients must ensure that they take into account unsubscribed contacts, final rejections (“hard bounces”), any feedback of information sent by Splio and recipients’ requests for information, access, change or opposition within a maximum period of two (2) weeks.
12. Do not send Campaigns to “spamtrap” or “honeypot” addresses or numbers
Avoid targeting recipients who have not received any communication over the last six (6) months (“spamtrap”).
A spamtrap is a trap address or number distributed or kept in service to identify spam, in other words illegal or abusive communications. These trapped addresses or numbers are for the most part created from addresses or numbers which have been inactive for a long time, and their mere presence in the Client Data tends to indicate that their retention period has been excessive or that they have been obtained without opt-in.
The “honeypots” are also trapped addresses or numbers but they are created on purpose. Their actual presence in the Client Data shows that the collection has been fraudulent as it is impossible to collect them with opt-in.
13. Mandatory details – Content and Format of Electronic Messages
The Campaigns sent must contain mandatory legal details, namely:
– clearly indicate the identity of the advertiser with the company name; the subject of the message must clearly indicate its purpose and no element of the header or body of the message must deceive the recipient as to the origin or subject of the message;
– the subject of the message must be related to the activity of the company which is the owner of the Client Data;
– for emails, the technical field reserved for the message sender contains an email address, the domain name of which corresponds either to the actual sender or to a service provider responsible for the routing of the message, and a display name clearly informing the recipient of the message sender’s identity; the clients dedicate a sub-domain or a domain name to the email transmissions carried out by the Splio Group; the owner of the domain name must be publicly identifiable on the WHOIS database (not anonymous);
– offer the recipients a simple, free, express and unambiguous means to oppose the receipt of new Electronic Messages, by offering (1) for emails and/or newsletters a clearly visible and functional unsubscribe or opt-out link and (2) for SMS a STOP marketing message the operation of which has been checked (in the event of sending to countries where operators offer this function) or else a right of opposition collected by means of a checkbox. The unsubscribe link makes it possible to unsubscribe without manual identification of the recipient.
14. Respect the authorized times for sending marketing SMS
Sunday and bank holidays are forbidden for the sending of SMS with commercial or marketing character.
15. Do not send Electronic Messages containing malware or software likely to carry out operations without being detected by the systems intended to receive the message.
16. Do not use the SaaS Service to store content or to send Campaigns (…)
(…) whose content may be illicit, political, religious, discriminatory, offensive, shocking, inappropriate, obscene, threatening, abusive, violent, rude, racist, insulting, defamatory, misleading, aimed at harassing, threatening, embarrassing others, involving pornography or child pornography, constituting an apology for crimes against humanity, likely to incite racial hatred, violence or terrorism, impair human dignity or the privacy of others, manifestly contrary to good morals and public order, illegal or contrary to current laws or harming the reputation of the Splio Group. These restrictions of use also concern breaches of privacy and press offences such as slander or defamation.
17. Do not store Personal Data pertaining to health, banking, sexual, religious or political preference
18. Do not practice email appending
The clients must refrain from preparing communications using contact details obtained within the context of enrichment operations carried out by third parties. The means of contacting final recipients must always have been obtained by means of a direct exchange between the said recipient and the clients.
19. Take all the necessary precautions to preserve the security of your own Information Systems
“Applicable Legislation” designates any national legislation on personal data protection applicable to the data processing, and notably, when all or some of the processing operations entrusted to the Splio Group (pursuant to the Saas services contract with the client) are undertaken in the European Economic Area (“EEA”) or relate to data collected in the EEA, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data, and from 25 May 2018 the General Data Protection Regulation (EU 2016/679 of the European Parliament and of the Council of 27 April 2016), and the applicable national laws and legislations on data protection and privacy.
“Client Data” means the client’s database hosted by the Splio Group within the context of the SaaS Service, including Personal Data.
“Personal Data” designates any information concerning a private individual identified or identifiable within the meaning of the Applicable Personal Data protection Legislation; on the understanding that in all cases, a person who can be identified, directly or indirectly, notably by reference to an element of identification such as a name, an identification number, location data, an online ID, or one or more elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity, is deemed identifiable.