GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is the European law regulating data protection. It replaces the 1995 EU Data Protection Directive, applies across Europe, and came into effect on 25 May 2018 in the EU. It is also enacted into UK law, giving it effect in the UK even after Brexit.

GDPR expands the privacy rights granted to data subjects (EU/EEA individuals) and places greater obligations on organisations who handle the personal data of those individuals, wherever those organisations are based.

GDPR comes at a time when more and more personal data is being generated by every individual as they use more services and technologies. It is intended to standardise data protection across EU member countries and post-Brexit UK. It gives EU and UK citizens greater control over their personal data, providing greater transparency into how data is used and ensuring that the organisations entrusted with personal data treat it appropriately.


Is Bink compliant with GDPR?

Yes. We carried out a full programme of activities in relation to GDPR compliance in the run up to implementation and the period since. Protecting our customers' data is a fundamental priority for Bink. GDPR gave us a great opportunity to deepen our commitment to data protection. We made changes to Bink policies, processes, documents and systems to ensure that we comply with the requirements of the regime and continue to put the rights of our customers in relation to their data first. Bink also works closely with our retailer partners to help them to meet their requirements under GDPR in relation to the services we provide.

As an organisation that will process significant amounts of personal data (e.g. name, partial card details, email address) Bink made a number of material changes in order to ensure that we are compliant with GDPR.

This includes:

  • Mapping all personal data processed by Bink and our third-party suppliers
  • Carrying out a gap analysis of GDPR requirements against our then-current systems, documentation, processes and policies
  • Making changes to those systems, policies, processes and documentation in line with the new requirements
  • A comprehensive update of our customer facing Privacy Policy - this is the document which would be provided to customers when they enrol for Bink
  • Reviewing and updating third party contracts, as and where appropriate
  • Training employees on the requirements of GDPR and Bink's data protection procedures

How does Bink keep my data safe?

Bink uses a range of best in class methods to protect the personal data we process as outlined below:

  • Bink is a certified PCI Level 1 service provider which is the most stringent level of certification in the payments industry.
  • Bink's data is hosted on servers using bank grade security practices and strictly limit access to data to authorised users only.
  • Bink's systems are regularly audited to ensure they meet information security best practices and use AES-256 row level encryption to protect and secure customer data.

Additionally:

  • Bink has strict data and access control policies governing handling, storage, transport and access.
  • Bink provides only the required access for employees to carry out their responsibilities following the principles of least privilege.
  • Access control applies to all Bink networks, servers, workstations, laptops, mobile devices and services run on behalf of Bink.
  • All staff who have access to personal data are bound by strict confidentiality obligations in their employment contracts.

Is Bink registered for data protection?

Yes. Bink, trading as Loyalty Angels Ltd, is registered with the UK Information Commissioner's Office under registration number ZA173725.

You can direct any queries regarding our approach to privacy and data protection by emailing support@bink.com with 'Privacy' in the subject line.


What personal data does Bink process?

As a data controller for personal data relating to users who use the Bink services, we comply with the law's requirement to provide accurate, complete and clear notice of the personal data we use. You can read the Bink privacy policy here.


Where does Bink store the data it collects?

Bink relies on a number of component services and providers to deliver payment linked loyalty to our users. All of our main processing is carried out on servers that are located in the European Economic Area (EEA). Additionally, all data for this programme will be held within Bink databases. Bink have strict data and access control policies governing handling, storage, transport and access.

Bink uses carefully chosen suppliers to perform other discrete tasks which may result in data being transferred outside of the EEA. Whenever personal data is stored in those services, we ensure that it is protected to EU standards using a GDPR-approved mechanism for the transfer. In our supplier due diligence, we look for a European Commission adequacy finding such as Privacy Shield Certification.


How long does Bink retain personal data for?

Bink operates a formal, GDPR-compliant data retention and deletion programme. Data will be retained for as long as needed to meet the operational needs of Bink (e.g. for customer service purposes), and to meet Bink's legal and regulatory requirements (including the requirement to retain evidence that Bink has met its obligations to its customers). Specific details are outlined in Bink’s Data Retention and Destruction Policy. In line with industry standard practice, this generally means that data is retained for the life of the customer relationship plus six years.

We apply our retention protocols across the business and monitor for compliance.


How do I request my data from Bink?

We are able to respond to subject access requests and we try to make the process as simple as possible. If you would like more information, please feel free to contact us via email on support@bink.com and one of our Customer Supporters will be happy to help.


Does Bink have a privacy policy?

Yes. Bink has customer facing privacy policy which you can read here.