

Data Protection

Feefo is a data controller and is listed with the Information Commissioner’s Office on the Data Protection Public Register with the registration number Z2323576.

Where the business is required to do so, we comply with all aspects of the Data Protection Act. There is further information available on our Privacy Policy.

If you have questions about the information that we hold, please contact us by phone on +44 (0) 203 362 4209 or by using the web form.

1. Introduction

1.1.   This Data Protection Policy (this “policy”) sets out the obligations of Feefo Holdings Limited (“Feefo”, “we”, “us”, “our”) regarding data protection and the rights of individuals whose Personal Data we collect, use and process in the course of our business activities.


1.2.   This policy applies to all Feefo employees, workers and contractors (“personnel”, “you”, “your”). Your compliance with this policy is mandatory. Any breach of this policy and our other data protection policies/procedures may result in disciplinary action, up to and including termination for serious offences.


1.3.   This policy has been prepared with due regard to the data protection laws applicable to Feefo and our Personal Data Processing activities. These Data Protection Laws include the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”), (collectively referred to as the “Data Protection Law”).


1.4.   This policy should be read together with the following related documents:

  1. Feefo Data Protection by Design & Default Policy

  2. Feefo Personal Data Retention and Destruction Policy

  3. Feefo Information Security Policy

  4. Feefo Data Subject Rights Procedure

  5. Feefo Personal Data Breach Procedure

  6. Feefo DPIA Procedure

2. Policy Statement

2.1.   Feefo places high importance on respecting the privacy and protecting the Personal Data of individuals with whom we work including our clients, end customers and employees. We are committed to the fair, lawful and transparent handling of Personal Data and to facilitating the rights of individuals. Our policy is to comply not only to the letter of the law, but also to the spirit of the law.

3. Scope

3.1.   This policy applies to all Personal Data processed by Feefo whether held in electronic form or in physical records, and regardless of the media on which that data is stored. It applies to Personal Data we process as a Data Controller and Personal Data we process as a Data Processor (on behalf of our customers/clients).


3.2.   Feefo is registered as a Data Controller with the Information Commissioner’s Office having registration number Z2323576.

4. Definitions

4.1. The following definitions apply across all Feefo data protection policies, procedures and supporting documents:


Term: Description

Accountability: A duty to answer to the success or failure of strategies, decisions, practices and processes.

Criminal Information: Personal Data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.

Data Controller: A person, entity or organisation that determines the purposes and means of processing Personal Data. This shall have the meaning given to the term “controller” in Article 4 of the UK GDPR.

DPA 2018: Data Protection Act 2018.

Data Protection Officer: The Data Protection Officer is responsible for overseeing data protection strategy and implementation to ensure compliance with Data Protection Law.

Data Protection Law: UK GDPR and the Data Protection Act 2018 (“DPA 2018”).

Data Processor: A person, entity or organisation that processes Personal Data on behalf of a Data Controller. This shall have the meaning given to the term “processor” in Article 4 of the UK GDPR.

Data Subject: Any natural person (individual) whose Personal Data is being processed.

Data Protection Impact Assessment (DPIA): A DPIA is designed to help an organisation assess the risks associated with data processing activities that could compromise the rights and freedoms of individuals. It can be used to identify and mitigate risk associated with a product, service, business process or other organisational change.

EU GDPR: EU Regulation 2016/679 General Data Protection Regulation.

Information Commissioner’s Office (ICO): An independent public body established in the UK responsible for monitoring the application of the UK GDPR, Data Protection Act 2018 and the Privacy & Electronic Communications Regulations.

Legitimate Interest Assessment (LIA): Determines if an individual's Personal Data is being used in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Personal Data: Any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing: Any operation or set of operations that is performed on Personal Data, such as collection, recording, organising, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction or erasure.

Record of Processing Activity (RoPA): A RoPA is a requirement under Article 30 of the GDPR. This is a living document that describes the types of personal data that Feefo controls and processes.

Sensitive Personal Data: Special Category Data and Personal Data relating to criminal convictions and offences.

Special Category Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data, biometric data (where used to identify a data subject), data concerning health and data concerning a natural person’s sex life or sexual orientation.

UK GDPR: Has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

5. Responsibilities

5.1.   Key data protection responsibilities within Feefo are as follows:

  1. the Feefo Board is accountable for ensuring we meet our data protection obligations;

  2. the Director of Platform Engineering & InfoSec is responsible for implementing and enforcing this policy;

  3. the CEO is responsible for ensuring that personnel under their management are made aware of and adhere to this policy;

  4. all personnel working with Personal Data over which they have decision making authority are responsible for ensuring it is kept securely, is accessible only to those who need to use it and is not disclosed to any third party without the authorisation of a member of the Board; and

  5. all personnel are required to read, understand, and adhere to this policy when processing Personal Data on our behalf.


5.2.   You should speak with the Director of Platform Engineering & InfoSec to ask a question, or raise a concern, relating to this policy or data protection.

6. Data Protection Principles

6.1.   The following data protection principles shall govern the collection, use, retention, transfer, disclosure and destruction of Personal Data by Feefo:


Principle 1 - Fair, Lawful & Transparent

Personal Data must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.


Principle 2 - Purpose Limitation

Personal Data must only be collected and processed for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.


Principle 3 - Data Minimisation

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.


Principle 4 - Accuracy

Personal Data must be accurate and kept up to date.


Principle 5 - Storage Limitation 

Personal Data which permits identification of Data Subjects (i.e. data which has not been anonymised) must be kept for no longer than is necessary for the purposes for which the Personal Data are processed.


Principle 6 - Security 

Personal Data must be processed in a manner that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

7. Data Protection by Design and Default

7.1.   Feefo shall ensure that the risks to rights and freedoms of Data Subjects associated with processing are key considerations when:

  1. Designing, implementing and during the life of business practices and processes that involve the processing of personal data (“processing activities”); and

  2. Developing, designing, selecting, procuring, and using applications, services, products and other IT systems and technologies for collecting, holding, sharing, accessing, and otherwise processing personal data (“processing systems”).


7.2.   This risk-led approach to processing activities and processing systems shall apply throughout the full lifecycle of the processing, from initial planning and setting of specifications, during use of processing systems, through to disposal of the personal data. It shall take into account both the likelihood and the severity of the potential harm to the rights and freedoms of Data Subjects.


7.3.   Where the risk to rights and freedoms of Data Subjects is likely to be high, or where otherwise required by law or the relevant supervisory authority, a DPIA shall be performed in accordance with our DPIA procedure.


7.4.  Safeguards and preventive measures shall be implemented into processing activities and processing systems from the outset and throughout the processing lifecycle, to mitigate the risks to data subjects and protect their rights. These safeguards and measures shall be proportionate to the risks and include organisational (e.g. policy, awareness, governance, and assurance) as well as technical measures (e.g. pseudonymisation). The objectives of such safeguards and measures shall include:

  1. data minimisation;

  2. limiting the extent of the processing, storage, and access to what is strictly necessary;

  3. ensuring transparency for data subjects regarding the processing activities; and

  4. ensuring the security of the personal data.

8. Data Processing Obligations

8.1.   Feefo as a Data Processor

8.1.1. Where Feefo is a Data Processor, we may only process Personal Data in accordance with the controller’s documented instructions as set out in a data processing agreement. We may only transfer Personal Data out of the UK and the EEA and appoint sub-Data Processors as permitted by the data processing agreement.


8.1.2. Personal Data must be kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Access to the Personal Data must be limited only to personnel who are subject to an obligation of confidentiality and who need access to carry out their assigned duties.


8.1.3. We must assist the Data Controller to meet their compliance obligations under applicable laws including for the purposes of:

    1. ensuring the security of processing, including by implementing appropriate technical and organisational measures;

    2. supporting the facilitation of subject rights of Data Subjects whose Personal Data we hold;

    3. enabling the Data Controller to notify the relevant supervisory authority following a Personal Data breach;

    4. enabling the Data Controller to notify affected Data Subjects following a Personal Data breach; and

    5. supporting data protection impact assessments carried out by the Data Controller as appropriate.

8.1.4. Upon termination of the data processing agreement, we must delete or return Personal Data as set out at Section 13 of this policy.


8.1.5. We must also support the Data Controller to demonstrate Accountability and compliance with applicable laws by providing them with all information necessary to demonstrate compliance by Feefo and allow for and participate in audits by the Data Controller or their representative.


8.2.   Feefo as a Data Controller

8.2.1. Where Feefo is the Data Controller, Data Subjects must be provided with information notifying them of the purposes for which Feefo will process their Personal Data (a “privacy notice”). When Personal Data is obtained directly, the privacy notice shall be provided to the Data Subject at the time of collection. When Personal Data is obtained indirectly, the privacy notice shall be provided to the Data Subject as soon as possible (and not more than one calendar month) after it is obtained from a third party. The privacy notice must explain what processing will occur and must also include the information set out at Schedule 1.


8.2.2. Use of the Personal Data by Feefo must match the description given in the privacy notice and be limited to what is necessary for the specific purposes stated. Where our lawful basis for processing is based on our legitimate interests, we may only process the Personal Data if our legitimate interests are not outweighed by the interests, rights and freedoms of the Data Subjects in question. A legitimate interests assessment must be performed to confirm this.


8.2.3. We must not collect or process any more Personal Data than is strictly necessary for the purposes of the processing (“data minimisation”), as set out in our privacy notice, and must ensure that data minimisation continues to be applied throughout the lifetime of the processing activities.


8.2.4. Personal Data must be kept accurate and up to date. The accuracy of Personal Data must be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps are to be taken without delay to amend or erase that data, as appropriate. Personal Data must not be kept for any longer than is necessary for the purpose for which that data was originally collected and processed. When the data is no longer required, all reasonable steps must be taken to securely erase or dispose of it without delay, as set out at Section 13 of this policy.


8.2.5. Personal Data must be kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

9. Third Party Supplier Onboarding

9.1.   When engaging a new supplier that will process Personal Data on Feefo’s behalf, Feefo will:

9.1.1. Complete a DPIA screening questionnaire and section B of our DPIA Template if required in accordance with our DPIA Procedure;

9.1.2. Complete Feefo’s supplier due diligence questionnaire;

9.1.3. Ensure there is a written agreement in place between Feefo and the relevant supplier that contains appropriate data protection provisions; and

9.1.4. Resolve any risks/issues identified when completing points 9.1.1 to 9.1.3 above, before any processing takes place.

10. Accountability

10.1.  Only those personnel that need access to, and use of, Personal Data to carry out their assigned duties correctly will be permitted access to Personal Data we hold. All personnel handling Personal Data on behalf of Feefo must be:

    • made fully aware of both their individual responsibilities and Feefo’s responsibilities under this policy and applicable law, and be provided with a copy of this policy;

    • appropriately trained to do so and suitably supervised, with training to be provided upon starting with Feefo and refresher training to be provided at least annually; and

    • bound to handle the Personal Data in accordance with this policy and the law by contract.


10.2.  The methods of collecting, holding and processing Personal Data by personnel, or other parties working on our behalf, are to be regularly evaluated and reviewed by the Director of Platform Engineering & InfoSec.


10.3. All consultants, agencies and other parties working on our behalf and handling Personal Data must ensure that all of their employees who are involved in the processing of Personal Data are held to the same obligations as applicable to Feefo personnel arising out of this policy.


10.4. When using a Data Processor (or, where permitted, a sub-Data Processor), a binding contract must be implemented between Feefo and the Data Processor setting out the subject matter and duration of the processing; the nature and purpose of the processing; the type of Personal Data and categories of Data Subject; and the obligations and rights of the controller. Processor contracts must also include the terms set out at Schedule 2.


10.5. Feefo will keep written internal records of processing activities in respect of all Personal Data collection, holding, and processing (“RoPA”). Where Feefo is a Data Processor, we will keep a Data Processor RoPA and where we are the Data Controller, we will keep a Data Controller RoPA.


10.6.   Data Processor RoPA

10.6.1.   Where Feefo is a Data Processor, the RoPA will incorporate the following information:

    • the name and contact details of the Data Processor and of each Data Controller on behalf of which we are acting as Data Processor and of our Data Protection Officer;

    • the categories of processing carried out on behalf of each controller;

    • details of any transfers of Personal Data to countries outside the UK or European Economic Area (“EEA”) including all mechanisms and security safeguards;

    • descriptions of the technical and organisational measures we have implemented to ensure the security of Personal Data.


10.7.   Data Controller RoPA

10.7.1. Where Feefo is the Data Controller, the RoPA will incorporate the following information:

    • the name and contact details of the Data Controller, its Data Protection Officer or point of contact for data related concerns and any joint controllers;

    • the purposes for which we process Personal Data;

    • details of the categories of Personal Data collected, held, and processed by us; and the categories of Data Subject to which that Personal Data relates;

    • details (and categories) of any third parties that will receive Personal Data from us;

    • details of any transfers of Personal Data to countries outside the UK or European Economic Area (“EEA”) including all mechanisms and security safeguards;

    • the envisaged retention periods for the different categories of Personal Data; and

    • descriptions of the technical and organisational measures we have implemented to ensure the security of Personal Data.

11. Risk Management

11.1.  Feefo will monitor the risks to Data Subjects associated with all existing and planned Personal Data processing activities and implement appropriate technical and organisational measures to safeguard Data Subjects and ensure the data protection principles set out in this policy are met. This risk-led approach to data protection will be applied across all Feefo business activities to ensure data protection by design and by default, as set out in the Feefo Data Protection by Design & Default Policy.


11.2.  Where the risks to rights and freedoms of Data Subjects associated with any existing or planned Personal Data processing to be carried out by Feefo are potentially high, or where otherwise required by applicable law or a supervisory authority in a country or territory in which we operate, Feefo will carry out a Data Protection Impact Assessment (“DPIA”). All DPIAs are to be undertaken as set out in the Feefo DPIA Procedure. A record of DPIAs shall be kept, to include details of the outcome, the names of the parties signing off the DPIA recommendations and the date of next review.


11.3.   Where a Data Controller carries out a DPIA in relation to a processing activity in which Feefo is a Data Processor, we will provide all information and assistance to the Data Controller as is reasonably required for the purpose of the DPIA.

12. Data Subject Rights

12.1.  Data subjects have the following rights regarding Personal Data processing and the data that is collected and held about them:

  • the right to be informed;

  • the right of access;

  • the right to rectification;

  • the right to erasure (also known as the ‘right to be forgotten’);

  • the right to restrict processing;

  • the right to data portability;

  • the right to object;

  • rights with respect to automated decision-making and profiling.


12.2.  Requests by Data Subjects to exercise their rights must be facilitated as set out in the Feefo Data Subject Rights Procedure.


12.3.  Where Feefo is the Data Controller, we are responsible for facilitating Data Subjects’ rights. Where we are a Data Processor, we must assist the Data Controller to facilitate Data Subjects’ rights as appropriate.

13. Protection of Personal Data

13.1.  All personnel must comply with the following when working with Personal Data:

  • Personal Data must be handled with care at all times and must not be shared with any colleague who does not have access to it, or with any third party, without authorisation;

  • physical records must not be left unattended or on view to unauthorised employees, agents, contractors or other parties at any time and must not be removed from the business premises without authorisation;

  • if Personal Data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;

  • all physical copies of Personal Data, along with any electronic copies stored on physical, removable media should be stored securely in a locked filing cabinet, drawer, box or similar;

  • all electronic copies of Personal Data are to be stored securely using passwords which are changed regularly, and which do not use words or phrases that can be easily guessed or otherwise compromised;

  • Personal Data must not be transferred to any device personally belonging to an employee or transferred or uploaded to any personal file sharing, storage, communication or equivalent service (such as a personal cloud service);

  • Personal Data may only be transferred to devices belonging to agents, contractors, or other parties working on our behalf where the party in question has agreed to comply fully with the letter and spirit of this policy and the Data Protection Law and all other applicable law (which may include demonstrating that all suitable technical and organisational measures have been taken and entering into a Data Processor contract with Feefo);

  • all Personal Data stored electronically shall be backed-up regularly and securely; and

  • under no circumstances must any passwords be written down or shared between any employees, agents, contractors, or other parties working on our behalf, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.


13.2.  In addition to the obligations set out above, all personnel involved in processing Personal Data are required to read and adhere to the Feefo Information Security Policy.

14. Data Retention & Destruction

14.1.  Feefo as a Data Processor

14.1.1.   Where Feefo is a Data Processor, we may only retain Personal Data for the duration of the data processing agreement. Upon termination of the data processing agreement, we must, at the choice of the controller, delete or return all the Personal Data to the Data Controller and delete all existing copies unless otherwise required to store a copy by UK and/or EU member state law.


14.2.  Feefo as a Data Controller

14.2.1.  Where Feefo is the Data Controller, we may only retain Personal Data for as long as is reasonably required and in any event, only for as long as set out in the Feefo Personal Data Retention Policy. Written authorisation from the Director of Platform Engineering & InfoSec is required to retain Personal Data for longer than as set out in the Personal Data Retention Policy.

14.2.2. Once Personal Data records have reached the end of their life, they must be securely destroyed in a manner that ensures that they can no longer be used.

15. International Data Transfers

15.1.  We will only transfer (‘transfer’ includes making available remotely) Personal Data from the UK to countries outside of the UK where:

  • the transfer is to a country (or an international organisation) that the UK government has determined ensures an adequate level of protection (“Adequacy”);

  • an International Data Transfer Agreement (IDTA) or Standard Contractual Clauses adopted by the UK Government have been put in place between the entity in the UK and the entity located outside the UK;

  • binding corporate rules have been implemented, where applicable; or where

  • the transfer is otherwise permitted by the law.


15.2.  Where Feefo is a Data Processor, transfers of Personal Data outside the UK shall only be made with the controller’s agreement.


15.3.  Where a transfer is not based on Adequacy, we will undertake a transfer impact assessment (“TIA”) using our TIA Template to ensure that Data Subjects (whose Personal Data is transferred) continue to have a level of protection essentially equivalent to that under the UK GDPR. If the TIA outcome is that the appropriate safeguard does not provide the required level of protection, we will implement supplementary measures e.g. encryption.

16. Data Breach Notifications

16.1.  All Personal Data breaches must be reported immediately to the Director of Platform Engineering & InfoSec and must be added to the register of Personal Data breaches.


16.2.  Feefo as a Data Processor

16.2.1.  Where Feefo is a Data Processor, and a Personal Data breach occurs, the Data Controller must be notified immediately with further information about the breach provided as soon as information becomes available.


16.3.  Feefo as a Data Controller

16.3.1.  Where Feefo is the Data Controller, unless a Personal Data breach occurs which is unlikely to result in a risk to the rights and freedoms of Data Subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the relevant supervisory authority must be notified of the breach without delay, and in any event, within 72 hours after having become aware of it, if this is feasible. If the notification is not made within 72 hours, it should be made as soon as possible, together with reasons for the delay. The Information Commissioner’s Office (ICO) is the supervisory authority in the UK.

16.3.2.   In the event that a Personal Data breach is likely to result in a high risk (that is, a higher risk than that described immediately above) to the rights and freedoms of Data Subjects, all affected Data Subjects are to be informed of the breach directly and without undue delay.

16.3.3.   Irrespective of whether Feefo is a Data Processor or a Data Controller, all data breach notifications must be handled strictly in accordance with the Feefo Personal Data Breach Procedure and be added to the Feefo Personal Data Breach Register.

17. Implementation & Policy Management

17.1.  This policy shall be deemed effective as of 1 August 2025. No part of this policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.


17.2.  This policy will be reviewed by the Director of Platform Engineering & InfoSec and the Data Protection Officer annually and following any Personal Data breach. 

Schedule 1 - Privacy Notices

Privacy notices for Data Subjects shall include:


  1. the identity and contact details of the Data Controller including, but not limited to, the identity of its Data Protection Officer and EU representative, where applicable;

  2. the purpose(s) for which the Personal Data is being collected and will be processed and the legal basis justifying that collection and processing;

  3. where applicable, the legitimate interests upon which Feefo is justifying its collection and processing of the Personal Data;

  4. where the Personal Data is not obtained directly from the Data Subject, the categories of Personal Data collected and processed and the source from which the personal data originated;

  5. where the Personal Data is to be transferred to one or more third parties, details of those parties;

  6. where the Personal Data is to be transferred to a third party that is located outside of the UK/EEA (whichever is applicable), details of that transfer, including but not limited to the safeguards in place;

  7. details of the length of time the Personal Data will be held (or, where there is no predetermined period, details of how that length of time will be determined);

  8. details of the Data Subject’s rights;

  9. where applicable, details of the Data Subject’s right to withdraw their consent to the processing of their Personal Data at any time;

  10. details of the Data Subject’s right to complain to a supervisory authority;

  11. where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the Personal Data and details of any consequences of failing to provide it; and

  12. details of any automated decision-making that will take place using the Personal Data (including but not limited to profiling), including information on how decisions will be made, the significance of those decisions and any consequences.

Schedule 2 - Processor Contracts

Contracts with Data Processors who will process the Personal Data must set out the subject matter and duration of the processing; the nature and purpose of the processing; the type of Personal Data and categories of Data Subject; and the obligations and rights of the controller. They must also include terms requiring the Data Processor to:


  1. only act on the written instructions of the controller;

  2. ensure that people processing the data are subject to a duty of confidence;

  3. take appropriate measures to ensure the security of processing;

  4. only engage sub-Data Processors with the prior consent of the Data Controller and under a written contract;

  5. assist the Data Controller in providing subject access and allowing Data Subjects to exercise their rights under the UK GDPR and/or the EU GDPR (whichever is applicable);

  6. assist the Data Controller in meeting its UK GDPR and/or EU GDPR (whichever is applicable) obligations (or obligations under other applicable laws) in relation to the security of processing, the notification of Personal Data breaches and data protection impact assessments;

  7. delete or return all Personal Data to the Data Controller as requested at the end of the contract; and

  8. submit to audits and inspections, provide the Data Controller with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell the Data Controller immediately if it is asked to do something infringing the Data Protection Law (or other applicable legislation).