We have self-service tools available within the members' Security Centre that can facilitate requests for account deactivation and for copies of all the personal data we process (known as a Subject Access Request or the Right to Access).
Deactivate Your Account
Employees can request the deactivation of their account from our systems.
Important! All monetary awards and funds must be withdrawn before the initiation of this process, as well as vouchers redeemed, if the employee wishes to do so. They will be permanently removed and unrecoverable otherwise.
Deactivation process
- Log in and go to the account menu
- Click on Account, then My Account
- Scroll to Deactivate my account and select Deactivate
- Follow the instructions and deactivate your account
After this has been selected and the instructions followed, you will need to wait until the local data protection correspondent approves the deactivation request. When approved, the account is immediately terminated with all data deleted and cashback funds being removed.
Download Your Data
Employees can request a copy of all the personal data we process relating to them, either in a PDF or machine-readable JSON format. A password will be given to the member upon requesting a download, which is used to encrypt the data export we generate.
A request is sent to the local data protection correspondent to verify the request and then approve or deny it. Once this is approved, the member will receive an email notification to download their data.
Where can employees find the Security Center?
When logged into Reward Gateway, members can click 'Account' in the top right hand menu, 'Account Settings' and finally 'Security Centre'. You can read more about our Security Centre at A guide to the Employee Security Center.
Why does the local data protection correspondent need to approve these requests?
There are a number of reasons we involve our local data protection correspondent in these requests.
- We need to validate the authenticity of the request. Password reuse and account sharing is an unfortunate common practice. If we were to delete your account without properly authenticating the request, we would potentially be causing an incident by removing access to your data
- Rather than requesting copies of identity documents - which many other companies do in response to these requests - we decided to build a simple workflow that allows our local data protection correspondent to authenticate these requests.
- Your employer is the Data Controller of some information and Reward Gateway is the processor. We need to inform them in order to ensure they do not share your information with us again
What if my employer shares my data with Reward Gateway, even after I have requested deactivation of my account?
We have a process where we make a secure ‘hash’ (a one-way, irreversible process) of the unique identifier that your employer shares with us (this is usually your payroll ID, work email address, staff number).
When processing a membership refresh or upload, we compare the data provided with this ‘hashed’ value. If it matches, we inform the administrator and reject the data, ensuring we don’t process your data once you have informed us not to.
This is designed as a safety measure to ensure we don’t process your data after being instructed not to, on the basis that employers often use automated data integrations with us and in some situations may not update their systems as quickly as we update ours. It is not designed as a replacement for proper lawful basis management and we advise employers to ensure they have their own internal processes for managing this.
Comments
0 comments
Please sign in to leave a comment.