This page explains our Data Protection practices and GDPR compliance, and provides all the information required to complete due diligence and Data Protection Impact Assessments.
Controller / Processor Delineation
- We are Processor for the eligibility data that you, the customer, transfer to us for the purposes of providing licenses and the services you entered into a contract for.
- We are Controller for some of the data generated/captured directly from your employees while using the programme. For example:
- SmartSpending - Individual spending data, i.e. where an employee chooses to spend their money, their delivery address and other details provided as part of the order, are never shared back with employers other than on an aggregated basis.
- Reward and Recognition - How and where employees choose to spend their awards
- Surveys - individual results from our Engaged Index surveys
- Salary Sacrifice Products - Individual spending
- Analytics - Our SmartInsights module and analytics data captured by Google Analytics for opted-in members.
- Find our Data Processing Addendum at rg.co/agreements.
Our Data Processing Addendum (DPA) is tailor made for the services we provide. We understand you may have your own template DPA, but we find these tend to be generic and do not cover the way we operate.
If you require your DPA signed, please share it with your Reward Gateway representative and we'll review it. This process can take several days as feedback and changes are suggested.
- Our sub-processors are also listed at rg.co/agreements, including all the necessary information on each company we share data with.
If we add a new sub-processor, we will notify customers with at least one month's notice.
- We use some sub-processors located in the United States of America.
We only share data with third parties when absolutely required to deliver our services - they tend to be large multinational, trusted brands and we ensure any data shared with them is minimised.
We perform Transfer Impact Assessments, assess technical measures, ensure that Standard Contractual Clauses or Binding Corporate Rules are in place and actively monitor the legal landscape to ensure these transfers remain in compliance. Read more about this.
The way we typically work with clients is to ask for a minimum of two unique identifiers per employee you wish to provide licenses for, generally referred to as ‘eligibility data’. We are flexible on what these identifiers are; clients often go with a Payroll ID and Date of Birth or similar. Some clients wish to integrate ‘deeper’ with us through automated provisioning integrations that link to your HRIS.
We have many options for data sharing - from simply allowing your employees to self register with case-by-case administrator approval, to full HRIS integration. Read more about these options.
Data Protection Impact Assessments (DPIAs)
We often receive requests from customers to complete their DPIAs. We cannot complete these for you, as it would be improper for us to judge the risk of you sharing data with Reward Gateway, and the DPIA would be unlikely to stand up to scrutiny.
However, we are very willing to help customers with their DPIAs. We have an article that will help.
How we comply with Data Protection Law
We see maintaining high standards of Data Protection as a strategic part of our future success. We want employees to feel comfortable using our products, and customers happy to share their people data with us.
We always aim to go further than minimum compliance, showcasing our commitment to Privacy and Security throughout our business.
We have in house Data Protection expertise, as well as expert advice to hand from our Data Protection Officer and team.
You can read more on how we operate and comply with Data Protection Law around the world in other articles on Success:
- How we comply with the GDPR principles
- We operate within Australia and comply with Australian Privacy Principles
- We comply with the California Consumer Privacy Act (CCPA)