Marketing and Data Collection Policy

1.0 Policy Principles

Vivanti adheres to the following core principles regarding client data:

Purpose Limitation: Data is collected only for specified, explicit, and legitimate business purposes.

Data Minimization: Only the minimum amount of data necessary for the intended purpose is collected.

Storage Limitation: Data is retained only for as long as necessary to fulfill its purpose or meet legal obligations.

Integrity and Confidentiality: Technical and organizational measures are implemented to protect data against unauthorized processing and accidental loss.

2.0 Client Data Collection and Marketing Consent

2.1 General Collection

Client data shall only be collected through lawful and transparent means. Personnel must ensure that clients are informed about the nature of the data being collected and the purpose of its collection at the time of gathering.

2.2 Mandatory Prior Consent for Marketing

The collection and usage of a client’s contact information for marketing purposes—including but not limited to newsletters, promotional updates, event invitations, and service advertisements—must be consented to by the client prior to such collection or usage.

To be valid, consent must meet the following criteria:

Freely Given: The client must have a genuine choice and be able to refuse or withdraw consent without detriment.

Specific and Informed: The client must be clearly informed that their information will be used for marketing.

Unambiguous: Consent must be indicated by a clear affirmative action (e.g., ticking an opt-in box). Pre-ticked boxes or "silence" do not constitute valid consent.

Vivanti shall maintain a central record of marketing consents as auditable evidence of compliance.

3.0 Data Usage and Storage

3.1 Authorized Usage

Client data must only be used for the purposes for which it was originally collected. Any secondary use of data requires a new assessment of legal grounds or a new request for client consent.

3.2 Access Controls

Access to client data is strictly governed by the "Principle of Least Privilege." Access is granted only to authorized personnel who require the information to perform their specific job functions ("need-to-know" basis).

3.3 Secure Storage and Encryption

All client data must be stored in approved, secure environments as defined in the Information and Asset Management Policy (ISMS-POL-001).

Encryption: Sensitive client data and Personally Identifiable Information (PII) must be encrypted both at rest and during transit over public networks.

Physical Security: Hard copy documents containing client data must be stored in locked cabinets within secure areas and disposed of using secure shredding bins.

4.0 Roles and Responsibilities

Role / Position: Specific Responsibilities

CEO / Partnership Board: Provides ultimate accountability for Vivanti’s data protection posture and ensures resources are available for policy implementation.

ISMS Manager: Owns and maintains this policy. Acts as the Privacy Officer to oversee compliance and manage the Register of Consents.

Head of IT: Responsible for the technical implementation of access controls, encryption standards, and secure storage infrastructure.

Marketing Lead: Ensures all marketing campaigns and lead generation activities adhere to the prior-consent requirements outlined in Section 4.2.

All Personnel: Responsible for following the procedures in this policy and immediately reporting any suspected data breaches or non-compliance.

5.0 Policy Compliance and Enforcement

Compliance with this policy is mandatory for all personnel. Vivanti will conduct periodic audits and monitoring to verify adherence to these controls.

Any violation of this policy—particularly the unauthorized collection or use of client data for marketing without prior consent—will be treated as a serious security breach. Such violations will be handled in accordance with the Disciplinary Process for IS Violations (ISMS-PROC-016). Depending on the intent and impact of the breach, consequences may include formal warnings, retraining, or summary dismissal, and may lead to legal action where statutory regulations have been breached.