This GDPR Addendum was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. Any requests for further information should be sent to email@example.com.
For the purposes of the GDPR:
- we are the data controller (as defined in the GDPR) when processing Account and Marketing Data; and
- our clients are the data controller when processing User Data.
The remainder of this GDPR Addendum applies to Account and Marketing Data only, and does not apply to User Data.
Lawful basis for processing personal information
Our lawful basis for processing (as that term is defined in the GDPR) personal information that we collect, use and disclose depends on the personal information collected and the context in which we collect it.
Generally, we collect personal information from you where we have your consent, where processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, or where processing is necessary for the purposes of our legitimate interests (except where such interests are overridden by your interests or fundamental rights and freedoms).
Where we process personal information based on your consent, you may withdraw your consent at any time.
Despite the above, we may process your personal information where such processing is necessary for compliance with applicable law.
If you have any questions about the legal basis on which we process personal information or need further information, please contact us at firstname.lastname@example.org.
Your rights under the GDPR
If you are located in the EU, your rights in relation to your personal information include:
- right of access – if you ask us, we will confirm whether we are processing your personal information and provide you with a copy of that personal information
- right to rectification – if the personal information we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take reasonable steps to ensure inaccurate personal information is rectified. If we have shared your personal information with any third party, we will tell them about the rectification where possible
- right to erasure – when your personal information is no longer needed for the purposes for which you provided it, we will delete it. You may request that we delete your personal information and we will do so if deletion does not contravene any applicable law. If we have shared your personal data with any third party, we will take reasonable steps to inform those third parties that they must delete your personal information
- right to withdraw consent – if the basis of our processing of your personal information is consent, you can withdraw that consent at any time
- right to restrict processing – you may request that we restrict or block the processing of your personal information in certain circumstances. If we have shared your personal information with any third party, we will tell them about this request where possible
- right to object to processing – you may request that we stop processing your personal information at any time and we will do so to the extent required by the GDPR
- rights related to automated decision-making, including profiling – you have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such automated decision-making is necessary for entering into, or the performance of, a contract with you, is authorised by applicable law or is based on your explicit consent. We do not undertake automated individual decision-making
- right to data portability – you may obtain your personal information from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal information in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal information directly to another data controller
- the right to complain to a supervisory authority – you can report any concern you have about our privacy practices to your local data protection authority.
Where personal information is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.
If you would like to exercise any of your above rights, please contact us at email@example.com. If you are not satisfied by the way we deal with your query, you may refer your query to your local data protection authority.
International transfers of personal information
If you are located in the European Economic Area (EEA), your personal information may be transferred outside of the EEA. Under the GDPR, the transfer of personal information to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal information if other appropriate safeguards are in place.
Where we transfer personal information outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where approved transfer mechanisms are in place to protect your personal information (e.g. to organisations in the United States under the EU-U.S. Privacy Shield framework or by entering into the European Commission’s Standard Contractual Clauses). For further information, please contact us at firstname.lastname@example.org.
The name and contact details of our Data Protection Officer are Sarah Webb – email@example.com.
The name and contact details of our European GDPR representative are Sarah Webb – firstname.lastname@example.org.