Wednesday 19 May 2021

Privacy Statement & GDPR

Our Commitment 

PRgloo Ltd is committed to protecting your privacy. We aim to maintain consistently high standards in our use and storage of your personal data, and endeavour to comply with the Data Protection Act 2018, the EU General Data Protection Regulation (GDPR) and other relevant legislation.

This Privacy Notice aims to clearly inform you of how we use your personal data, how we ensure it is kept secure and your choices about its use. We hope this can help you to make informed decisions when using our websites or other services we provide. 

PRgloo values the privacy both of our users and the journalists whose details we make available to them via our platform. 

We have provided separate privacy policies for each class of person but if you have any questions, or would like to discuss any aspect of our operations, then please contact us on +44(0)203 745 2706 and ask for the Data Protection Officer or email dataprotection@prgloo.com 

If you are a Journalist, please click here

If you are a Customer, please click here

Our Contact Details

If you have any questions about this Privacy Notice you can contact us in the following ways:

Write to us: Data Protection Officer, 7 Bell Yard, London, WC2A 2JR
Call us: 0203 745 2706 (and ask for the Data Protection Officer)
Email our Data Protection Officer: dataprotection@prgloo.com 

PRgloo's registered office is 7 Bell Yard, London, WC2A 2JR
Registered in England and Wales under the company number: 08984741
VAT registration number is:186 0607 01
ICO registration number is: ZA076809

What is PRgloo? 

PRgloo is a UK based cloud based software platform used by communication professionals across the UK, Republic of Ireland, Australia, US and across the globe to help them manage their day-to-day and strategic tasks. We are used by hundreds of organisations from across central & local government, public & private sector and thousands of communication professionals. 

What does PRgloo do?

PRgloo provides our customers with the tools to manage media enquiries and statements, send press releases and newsletters, research journalists, manage stakeholder contacts, power their own branded online newsroom, link coverage to their PR activity and generally have all the tools they need in one place to do the job they need to do. 

Data Protection and GDPR Statement

PRgloo is both a processor and a controller of data.

Data Processor: When customers add contacts into their PRgloo platform, and proactively mark these contacts as ‘media’ as opposed to ‘Media Private’ or some other available tag, then PRgloo’s research team are provided with visibility of these contacts (name, email, organisation, mobile, phone number, job title) to research and validate for inclusion in our central contacts database called "Gloo Contacts". In this way we are a processor of data on behalf of the customer.

PRgloo is also a Data Controller sourcing and updating personal data on journalists and politicians for use by our customers. This is made available within the module called "Gloo Contacts". We are also a data controller when it comes to data provided by our users and data which we research for our own marketing activities. 

Data Processing & Controlling - Journalists

The purpose of Data Processing by PRgloo is to provide customers with personal data on Journalists from the UK, EU and globally so that targeted communications can be sent to them in line with the wishes of the data subjects- namely that they be sent targeted news so that they can perform their professional functions. The data processed from our customers is available for the exclusive use of our customers.

We comply with the following GDPR principles:

  1. Article 5(a): “processed lawfully, fairly and in a transparent manner in relation to individuals” PRgloo will review all submissions made by customers to see if the contact is a current member of the media and to see what personal information is available about them online. We will also research publications and journalists independently of customer suggestions in order to expand our contact database. Only publicly verifiable information about the data subject will be used in the Gloo Influencer module which is seen by all customers (any other information collected by the customer but not verifiable online – such as a personal email address or mobile number – will remain visible to the customer but to no one else in PRgloo). Note: our researchers always document the sources where information about the data subject was found online. As the data collected is made publicly available by the data subject for the purpose of receiving news stories, and as the "Gloo Contacts" database is sold only to PR departments wanting to send news stories, PRgloo complies with the conditions of lawfulness, fairness and transparency. Please see later section on Lawfulness for more information. 
  2. Article 5(b) “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” PRgloo’s "Gloo Contacts" Module is built in order to provide our customers with an up to date database of journalists, media outlets and government officials who are interested in receiving news and information from organisations.
  3. Article 5 (c) “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;” PRgloo will only store information on data subjects which will assist and improve the above mentioned legitimate purpose. We do not store information (even if it is publicly available) which does not help with this purpose. We will (for example) provide information on the type of stories the data subject is interested in and the region in which they operate so that they will be able to receive targeted communications which are of interest to them.
  4. Article 5 (d) “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;” PRgloo monitors the Twitter accounts of data subjects within the "Gloo Contacts" module. Where changes are made, our research team will review their data to make sure that they have not moved publications, changed subject areas, or moved out of journalism all together. PRgloo also monitors email bounce backs and customer feedback with all issues being dealt with within 3 working days. In this way we ensure that data is kept up to date and relevant. Should we not have either a Twitter handle or an email address for the contact, an automated reminder is associated to their details to ensure that we manually contact them on a regular basis to ensure that their details are still current. 
  5. Article 5 (e) “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” Data subjects who no longer fit the criteria for inclusion in "Gloo Contacts" are marked as ‘no longer in journalism’ and contact information (except for name, social media links and the audit history of the contact) is then  is wiped from the system to ensure they are not contacted by accident. After a period of 6 months, these data subjects are deleted completely.
  6. Article 5 (f) “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” This data is securely held and processed using secure methods with all the data residing in the EU region.
  7. Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.” PRgloo’s researchers keep a detailed log of where personal data was collected from and what communication there has been with the data subject. This is available on request by emailing dataprotection@prgloo.com. In addition, PRgloo have an appointed Data Protection Officer (DPO) to ensure ongoing compliance with GDPR. 

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data. PRgloo uses “(f) Legitimate interests”

 (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. 

Legitimate Interests

There are three elements to the legitimate interests basis.

  • Identify a legitimate interest; Journalists want to receive news. They make their contact information publicly available so that news can be emailed to them or communicated to them via the phone. PRgloo collects this publicly available information and makes it available to communication professionals only. We therefore believe we have a legitimate interest for processing this data and making it available to communication professionals
  • Show that the processing is necessary to achieve it; In order for communication professionals to communicate with journalists, they need to know their professional contact details (name, job title, email address, phone number) and where possible some information regarding the sort of news which would be of professional interest to the journalist.
  • Balance it against the individual’s interests, rights and freedoms. The journalists within the PRgloo platform have all made it clear that they wish to be contacted about tailored news and information by publicly stating this via publication contact pages, via their professional websites, via social media or via direct contact with PRgloo. We therefore believe that this is strongly in the interest of the data subject in their professional endeavours and one which would accord with the expectations of this category of data subject.

PRgloo and Necessary Processing

Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data. It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.

In order to supply journalists with information with which to write stories, it is necessary to store contact information (name, email, phone number) along with details of what they are interested in receiving (from social media, their job title, their author profile page on their publication website etc).

PRgloo and the Lawful Principle

  • Who does the processing benefit? The data subject who needs news stories to perform their professional role and expect this information to be communicated to them
  • Would individuals expect this processing to take place? Yes, which is why they make their professional contact details available online
  • What is your relationship with the individual? PRgloo will have a minimal relationship with the data subject. Our customers will have an ongoing relationship with a subset of the data subjects we control.
  • Are you in a position of power over them? No
  • What is the impact of the processing on the individual? To receive information which will help them perform their professional duties
  • Are they vulnerable? No
  • Are some of the individuals concerned likely to object? Only if they are sent badly targeted news which they are not interested in. Because of this we attempt to gather as much publicly available information on the type of stories they publish so that our customers can make informed choices.
  • Are you able to stop the processing at any time on request? Yes, data subjects can opt out of receiving information from any customer and from being included in the central contacts database

PRgloo and Fairness Principle

Fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

PRgloo deals only with journalists and only processes information made publicly available by the journalist for this purpose. A typical example would be storing the data held on the ‘contact us’ page of the publication website or information made available on the contact’s twitter handle (often in the form of “got a story – email me today”). The data is only made available to communication professionals who aim to send news to these individuals as expected by the journalists.

PRgloo and the Transparency Principle

Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data. Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important - as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’. You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.

In PRgloo every email communication with the journalist comes with a link to the customer’s privacy and GDPR policy plus a link to unsubscribe with one click.  Each customer has the ability to respond to a subject access request to show all the data currently stored on each individual data subject. PRgloo also publishes their GDPR statement and provides the ability for a contact to have their details permanently removed.

Common Questions 

  • Q: Does PRgloo have an effective process to identify, report, manage and resolve any personal data breaches?
  • A: Yes we have an internal process to identify, report and resolve personal data breaches of that data which we control and that data which we process. dataprotection@prgloo.com
  • Q: Does PRgloo have a process to routinely and securely dispose of personal data that is no longer required in line with agreed timescales?
  • A: Yes. We do this for data we control (journalist, customer and marketing data) and data which we process (journalist data from the customer). 
  • Q. Does PRgloo have a process in place to meet the GDPR reporting timeframe for breaches?
  • A. All breaches are reported to the affected parities within 2 hours of discovery and to the ICO within 72 hours
  • Q. At the end of the contract what will happen to the data processed by PRgloo?
  • A. PRgloo does not hold processed data and this is due to the special way in which we use the data. When a customer logs an interaction with a journalist who is not in our contact database, they can choose to submit that person for addition into our contact database. At this point, PRgloo becomes a processor of that data. Once received, PRgloo's researchers will then go and find all publicly verifiable information about this person. Whatever they find, they then add to the central contact database (for which PRgloo is the data controller). Any non verifiable personal data stays within the customer's section of PRgloo and they are then responsible for it's upkeep and the customer is then the data controller. At the end of the contract the customer can then download all their data.
  • Q. Does PRgloo have a process for obtaining consent and processing data?
  • A. We comply with article 9(2)(e) Conditions for special categories of data where – “Processing relates to personal data manifestly made public by the data subject” in order to establish consent and therefore the lawfulness of the processing. As the data collected is made publicly available by the data subject for the purpose of receiving news stories, and as the "Gloo Contacts" database is sold only to PR departments wanting to send news stories, PRgloo complies with the conditions of lawfulness, fairness and transparency without having to obtain consent from the data subjects in advance. For accountability purposes, we keep a record of the source of the data, to help us demonstrate it was manifestly made public by the individual.
  • Q; Does PRgloo make sure data is kept in a simple format which is easy to understand by the general public in the event the data is requested via a subject access request?
  • A. Yes. Within the PRgloo platform you can click a 'Subject Access Request' button which exports a word document outlining all the customer's interaction with this contact together with all the data held on this contact by PRgloo and the customer combined. 

Please contact dataprotection@prgloo.com for more information.