Redder as a Data Processor
How we process personal data on behalf of our clients
Redder is a full digital marketing agency. We design, build, maintain and host websites for many of our clients. We also provide email services for many of them.
Our work requires us to process data collected by our clients’ websites. For example, via:
- E-commerce – Bookings, purchases, membership sign-ups etc
- Form submissions
Why we are a data processor
We process data on behalf of our clients in order to carry out the work they contract us to do:
- Maintaining websites & web systems
- Hosting websites & web systems
What personal data is collected, how it is processed, and where it is stored
We host our clients’ websites on servers in the UK managed by two companies: Linode & Ionos. Backups of data from these websites are stored in encrypted form, both on servers within the EU owned by AWS Europe, and on our own computers and servers.
A variety of third-party plugins and analytics services are in use in our clients’ websites. Some of these collect personal data (e.g. via cookies). We check the GDPR compliance of these companies and services, and make adjustments where necessary to ensure compliance. A full list of cookies set by each client’s website should be provided on their website.
Most of our clients’ websites include forms that can be submitted so that website users can submit data to contact our clients and use their services. Most of the data entered by users into these forms is personal data, and in a few cases is sensitive personal data.
Data held on our computers and storage devices, and backups of the data held off-site (as part of our disaster-recovery planning), are all protected with strong encryption.
We use various third-party sub-processors to process data on behalf of our clients. Please note that this will vary client to client. Here is a list of these:
- AWS Europe
- Uptime Robot
Retention and deletion of personal data
We identify and delete personal data in our possession, which is controlled by our clients, when it is no longer needed for the performance of our contract with the client.
Personal data for use in a one-off short-term contract is deleted soon after completion of the contract.
Some contracts with our clients last for many years, and some of these include personal data (e.g. membership data). We encourage and assist our clients in implementing good practice with the personal data collected by, and administered by, their websites. Data collected by their website forms should be deleted when it’s no longer needed, the retention period depending on the purpose for which that particular data was collected by that particular organisation – this could be days, weeks, months or years – refer to the organisation’s website for its policy. Membership and other lists need to be kept up-to-date and data on unsubscribed individuals should not be retained, unless necessary for compliance (e.g. to prevent inadvertently emailing somebody who has opted out).
When deleting personal data, we take steps to delete all copies beyond reasonable possibility of restoration, including copies on backups. Digital data is deleted securely by overwriting it, and data on paper is physically destroyed.
Subject Access Requests
If you wish to make a Subject Access Request about data we process on behalf of one of our clients, the request should be addressed to them as the Data Controller.
What would happen in the event of a personal data security breach
If we become aware of a personal data breach involving data we process for one of our clients, we will notify them without undue delay. As the Data Controller, our client is then responsible for following its own data breach procedures, and informing the Information Commissioner’s Office and those affected by the breach where necessary. As a Data Processor, we have a role in assisting our client with the subsequent investigation and remedial work.