Alvo GDPR Compliance Statement

This document outlines the measures Alvo takes to ensure that our operations consistently uphold GDPR best practices to the highest possible standard.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive legal framework that dictates the rules for collecting, storing, and processing personal data of individuals residing within the European Union (EU).

In the UK, the Information Commissioner’s Office (ICO) enforces the GDPR, alongside the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Think of the ICO as the data protection authority—ensuring we comply with these regulations is non-negotiable. Alvo is fully committed to being 100% GDPR and PECR compliant, keeping us well within the ICO's guidelines.

Given the substantial penalties for non-compliance, we take GDPR obligations very seriously. No one wants to face an ICO investigation or enforcement action, so we ensure our practices are in full alignment with these stringent requirements.

Alvo's Approach to GDPR Compliance

To maintain our commitment to GDPR, Alvo has appointed a dedicated compliance officer to monitor our adherence to these regulations. Additionally, we engage third-party experts to audit our practices and provide guidance on best practices. This proactive approach allows us to guarantee our clients that GDPR standards are rigorously observed at all times.

Alvo’s Partnership with You

In GDPR terms, Alvo operates as a Joint Controller with our clients. Even though we act as your service provider, both Alvo and our clients share the responsibility for making key decisions regarding data targeting, collection, processing, messaging, and storage. These decisions are crucial to our operations, so if you have any questions, we’re here to discuss them.

To simplify compliance, Alvo includes a comprehensive Data Sharing Agreement within our standard Terms of Service. This agreement outlines our joint responsibilities and supports mutual cooperation in handling any GDPR-related requests.

Is Alvo's Marketing Activity Compliant?

Alvo’s services are specifically designed for B2B marketing, and we ensure that all marketing activities adhere to both GDPR and PECR. PECR allows email marketing to businesses as long as the material is relevant and recipients are given an opt-out option. In this respect, Alvo’s activities are naturally compliant.

Regarding GDPR, our platform has been meticulously designed to ensure compliance at every stage of data collection, storage, and processing. Before launching any client campaign, we conduct a thorough assessment to ensure that the proposed activities meet GDPR and PECR requirements. A key component of this is the Legitimate Interest Assessment (LIA), which we conduct for ourselves and for which we provide a template to our clients. We also offer a standard Privacy Policy template, including relevant clauses and references to Alvo for clarity. If you need a copy, we’re happy to provide it.

Understanding Legitimate Interest

Legitimate Interest is the legal basis under which most B2B marketing activities fall. GDPR allows the processing of Personally Identifiable Information (PII) when it serves a legitimate interest, provided it does not override the individual’s rights and freedoms. We carefully evaluate each client’s marketing plans through an LIA, ensuring that the activities align with these criteria.

If Alvo determines that your planned marketing activity does not meet Legitimate Interest criteria or violates any GDPR or PECR regulations, we cannot support such activities within regions governed by GDPR.

Individual Rights

  • Privacy Policy: We can review or provide a template for your Privacy Policy to ensure it meets required standards.

  • Opting Out & Exclusion Lists: All recipients can easily opt out of further communications. We promptly update campaign exclusion lists within 24 hours. Clients can also import existing exclusion lists to ensure no further communications are sent to those who opt out.

  • Subject Access Requests (SARs): Individuals have the right to request a copy of the data we hold on them. SARs can be sent to dpo@alvosales.com, and we will respond within 72 hours.

  • Right to be Forgotten: Individuals can request the removal of their data. To honour this right while preventing future contact, we convert the email address with a one-way hashing algorithm and add the result to an exclusion list.

PECR and B2B Communication

While GDPR governs the processing of personal data, the sending of electronic messages is regulated under PECR. According to PECR, businesses can email corporate bodies, provided that they maintain and respect an opt-out list for those who object to further communications.

Alvo Employees

All Alvo employees undergo comprehensive training on GDPR, PECR, and general compliance. This training covers the implications of these regulations on our operations and emphasises the importance of adhering to best practices. We also highlight the serious penalties associated with non-compliance.

Client Responsibility

While Alvo takes extensive measures to ensure GDPR and PECR compliance, clients also bear responsibility for staying informed about local regulatory frameworks. We encourage clients to remain vigilant and ensure their operations comply with relevant regulations.

In Summary

Alvo is committed to maintaining a compliant platform that provides innovative marketing services while respecting the rights of the data subjects we interact with. Compliance is ingrained in our business operations, and we continuously perform due diligence to uphold these standards.