Client Privacy Policy

Summary of Policy Topic

A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways Phenomenon Marketing & Entertainment, LLC. (“Phenomenon,” “we,” “us,” “our”) gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy. Personal information can be anything that can be used to identify an individual, not limited to the person’s name, address, date of birth, marital status, contact information, and intentions to acquire goods and services. This privacy policy applies not only to Phenomenon’s website at phenomenon.com (the “Website”), but to all data (sensitive or confidential) provided to Phenomenon clients. This policy covers the collection, processing and other use of personal data under the Data Protection Act 1998 (“DPA”) and the General Data Protection Regulations (“GDPR”). The policy covers both written and computerized information and the individual’s right to see such records. For the purpose of the DPA and GDPR, Phenomenon is considered both the “data controller” of information it collects independently and a “data processor” of all information provided from clients.

A full assessment of data collected and processed is to be conducted annually.

Sensitive Data Provided by Clients

It is the policy of Phenomenon to not receive Personally Identifiable Information from its clients’ constituents. The generation of Scoped Work (Marketing and Advertising) should not require the delivery of such Client Sensitive Data.

Inadvertent Data Collected by Clients

Data may inadvertently be collected and generated through the course of day-to-day business and contacts with Customer Representatives.

In regard to such data, we shall:

  • limit access to the Information collected strictly to employees and representatives (such as attorneys and consultants) who have a need to know the information in order to analyze or consummate the transaction (provided that such employees and representatives are bound to confidentiality provisions at least as restrictive as those contained in the Phenomenon “Non-Disclosure Agreement”)
  • not authorize any third party to disclose such Information to others without the prior written approval of said client
  • use the same degree of care in protecting the client’s Information as we use to protect our own information, but in no event less than a reasonable degree of care
  • promptly notify the client in writing of any unauthorized use or disclosure of the information; the notice shall describe the nature of the disclosure

Managing Privacy

Phenomenon focuses on having a consistent level of data protection and security across the organization.
Our standards and preparation include:

  • Information Audit – a company-wide information audit to identify and assess what personal information is held, where it came from, how and why it is processed and if and to whom it is disclosed.
  • Policies & Procedures – our user access policies and procedures were updated to meet the requirements and standards set in both DPA, GDPR and any relevant state level data protection laws, including:
  • Data Governance – our main policy and procedure document for data governance has been overhauled to meet the standards and requirements of the GDPR.
  • Data Storage Retention & Erasure – we have updated our retention periods to ensure that we meet the “data minimization” and “storage limitation” principles and that personal information is stored, archived and destroyed compliantly and ethically.
  • Data Breaches – our staff is acutely aware of the need to report any data breach to a member of the management team who will act upon this appropriately. In the event of a breach or suspected inadvertent disclosure of private information, the Director of IT is to be notified immediately and the “Incident Response Procedure” is to be enacted.
  • Access Management Request (AMR) – we have revised our AMR procedures to accommodate user termination notification that all access was removed to any and all Phenomenon Systems. Our new procedures detail the steps to be taken when processing an AMR.

Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy-to-access information via our website of an individual’s right to access any personal information that Phenomenon processes about them and to request information about:

  • What personal data we hold about them
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has/will be disclosed
  • How long we intend to store their personal data
  • If we did not collect the data directly from them, information about the source
  • The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
  • The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
  • The right to lodge a complaint or seek judicial remedy and who to contact

In such instances, documentation and evidence of compliance with the DPA and associated GDPR requests are stored in the Phenomenon IT Ticketing Platform.