PURPOSE FOR ADDENDUM
YOUR RIGHTS AS A EUROPEAN DATA SUBJECT
RIGHT TO TRANSPARENT COMMUNICATION
RIGHT TO ACCESS BASIC INFORMATION
You may get confirmation from IC how your personal data are being processed, including the following information:
- Confirmation if, where, and by whom your personal data are being processed;
- Purpose(s) for the processing;
- Categories of personal data being processed;
- Categories of recipients with whom we may share the data;
- The period for which we will store the data (or the criteria used to determine that period);
- The source of the data (where you were not the source); and
- Information about the existence of, and an explanation of the logic involved in, any automated decision-making that has a significant effect on you.
You may also request to receive an electronic copy of your personal data that are processed by IC. IC is required to provide any requested information within one (1) month of receiving an access request. However, if IC receives many requests, or especially complex requests, this time limit may be extended by a maximum of four (4) further months as long as IC provides you with an explanation for the delay within the original one (1) month timeframe. If IC cannot meet these deadlines, you may complain to the relevant Data Protection Authority (explained below) and may seek a judicial remedy in the relevant EU Member State’s court system.
RIGHT TO DATA PORTABILITY
You may transfer your personal data between controllers (e.g., to move account details from one online platform to another). Specifically, you have the right to:
- Receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
- Transfer your personal data from one controller to another;
- Store your personal data for further personal use on a private device; and
- Have your personal data transmitted directly between controllers without hindrance.
Please note that any inferred or derived data (data derived through use of analytical processes) do not fall within the right to data portability, because you do not provide such data. IC is not obliged to keep personal data for longer than is otherwise necessary to service a potential data portability request.
RIGHT TO RECTIFY INFORMATION
IC is required to ensure that inaccurate or incomplete data is erased or corrected. You may request IC correct or erase personal data that you believe to be inaccurate or incomplete.
RIGHT TO WITHDRAW CONSENT
Your consent can provide a lawful basis for IC to process your personal data and/or transfer your data internationally. However, you may withdraw such consent. However, please note that other lawful bases may apply to the processing or transfer of your data.
RIGHT TO ERASURE/RIGHT TO BE FORGOTTEN
Under the GDPR, in certain circumstances, you may have IBD erase your personal data, cease further dissemination of the data, and potentially have third parties halt processing your data upon your request. This right is commonly referred to as the “right of data erasure” or “the right to be forgotten.” You have the right to the erasure of your personal data if:
- The data are no longer needed by IC for their original purpose (and no new lawful purpose exists);
- The lawful basis for the processing is your consent, you withdraw that consent, and no other lawful ground exists for IC to process the information;
- You exercise your right to object to processing and IC has no overriding grounds for continuing the processing;
- The data have been processed unlawfully; Or
- Erasure is necessary for compliance with other EU laws or the national law of a relevant EU Member State.
RIGHT TO OBJECT TO PROCESSING PERSONAL DATA FOR PUBLIC OR LEGITIMATE INTERESTS
Where IC is processing your personal data because of having a “public interest” or “legitimate interests”, those bases are not absolute, and you may have a right to object to such processing. If you object, WON must cease such processing unless it either: 1) shows compelling legitimate grounds for the processing which override your interests, rights, and freedoms; or 2) requires the data to establish, exercise, or defend legal rights.
RIGHT TO OBJECT TO PROCESSING FOR THE PURPOSES OF DIRECT MARKETING
You may object to the processing of your personal data for receiving direct marketing from IC (including “profiling” activities as detailed further below).
RIGHT TO OBJECT TO PROCESSING FOR SCIENTIFIC, HISTORICAL OR STATISTICAL PURPOSES
Where your personal data is processed for scientific and historical research purposes or statistical purposes, you may object, unless the processing is necessary for performing a task carried out for reasons of public interest.
RIGHT TO NOT BE EVALUATED SOLELY ON THE BASIS OF AUTOMATED DECISION-MAKING PROCESSES
Subject to certain exceptions detailed below, you have the right to not have any decisions made about you that are based solely on “automated decision-making” processes. An automated decision-making process involves using automated processing activities (activities that do not use human intervention) to decide about you that will materially affect you (i.e., a decision that would produce “legal effects” or otherwise have a similar “significant effect“). A legal effect is something that will affect your legal rights, such as your freedom to associate with others, vote in an election, or take legal action. A legal effect could also be something that affects your legal status or rights under a contract, e.g., something that could lead to cancellation of a contract. For data processing to have a significant effect, the effects of the processing must be sufficiently great or important to be worthy of attention. The decision must have the potential to: significantly affect your circumstances, behavior, or choices; have a prolonged or permanent impact; or at its most extreme, lead to exclusion or discrimination. Automated decision-making can include “profiling” activities whereby automated processing is used to test certain personal characteristics to analyze or predict your preferences, behavior, performance, reliability, location, or movements. Please note that if a human being reviews and takes other factors into account in making a final decision, that decision is not considered being “based solely” on automated processing.
Using automated decision-making processes is permitted where:
- It is necessary for a data controller to agree with you;
- Law authorizes it; Or
- You have explicitly consented, and safeguards are in place.
If a data controller is making decisions based on any automated decision-making processes, you are entitled to a description of what portions of the decision-making will be automated, reasons automation is logical, and the significance and consequences behind the decision to automate the processing. IC’s automated decision-making processes include the following
Determining Eligibility to Receive Offers: IC utilizes automated decision-making processes in order to determine whether you are eligible for certain offers from IC and/or its Business Partners. In utilizing automated decision-making processes, IC is able to quickly and efficiently identify those persons that are eligible to receive certain offers in relation to the Services. These offers could include things like discounted access rates for certain products/over a certain limited period (e.g., a limited trial period at a reduced introductory rate for new users). Utilizing automated decision-making enables IC to sort through its user database in order to determine users who could be eligible for such an offer. It is not anticipated that any such automated decision-making would result in any prohibitively disparate price differential that would serve to unfairly bar someone from accessing the Services. Routine human involvement can sometimes be impractical or impossible due to the sheer quantity of data being processed.
Determining What Portions of the Services you may Access: IC utilizes automated decision-making processes to determine your access rights to use the Services. In visiting, registering, and/or subscribing to the Services, you are given different levels of access to IC’s products and services. IC uses this information to inform the Services what product, services, and/or content you should be able to access. For example, an unregistered visitor to the Site will not have the same level of user rights as an individual that is a subscriber to IC’s paid content. Automated decision-making allows IC to quickly, efficiently, consistently, and fairly determine what Services and/or content you should be permitted to access based upon our business arrangement with you. Routine human involvement can sometimes be impractical or impossible due to the sheer quantity of data being processed.
Subscription Cancellation for Non-Payment: IC utilizes automated decision-making processes to identify and cancel access to the Services where it has not received the payments it is properly owed. Automated decision-making allows IC to quickly, efficiently, consistently, and fairly determine what Services and/or content you should have access to based upon whether you have fulfilled your contractual obligations with IC. Routine human involvement can sometimes be impractical or impossible due to the sheer quantity of data being processed.
If an automated decision-making process is conducted as a result of contractual necessity or you have explicitly consented to such processing, you are allowed to request human intervention, express your point of view, and contest decisions that are arrived at as a result of the processing. To the extent automated decision-making processes also involve high risks to the privacy of your information, IC will conduct a data privacy impact assessment (“DPIA“) prior to conducting the processing in order to ensure that appropriate safeguards are in place. A DPIA is a tool designed to enable organizations to identify and analyze the risks that are inherent in data processing activities and enables us to address and mitigate those risks.
While IC does use automated processing methods to conduct certain profiling activities, including the use of profiling to better segment markets and tailor our Services to align with individual needs, it is unlikely that such activities will have a legal or other significant effect on you. Targeted advertisements (e.g., ads that are delivered online) are not typically considered to have a legal or significant effect unless the profiling methods used are unnecessarily intrusive, advertisements are delivered in an intrusive fashion, or certain vulnerabilities are known and targeted (e.g., vulnerable age or financial condition). IC has no reason to believe that any of its activities related to profiling will have any legal or any similar significant effect on you. Additionally, IC does not use any automated decision-making processes that evaluate your Sensitive Information.
RIGHT TO RESTRICT PROCESSING
In some circumstances, you may be entitled to limit the purposes for which IC can process your personal data. Specifically, you have the right to restrict the processing of your personal data if:
- The accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
- The processing is unlawful, and you request restriction (as opposed to exercising the right to erasure);
- IC no longer needs the data for their original purpose, but the data are still required by IC to establish, exercise, or defend legal rights; or
- If verification of overriding grounds is pending in the context of an erasure request.
FEES FOR REQUESTS
IC is required to give effect to your rights of access, rectification, erasure, and the right to object free of charge. However, IC may charge a reasonable fee for repetitive requests, unfounded or excessive requests, or further copies beyond the initial copy provided.
RIGHT TO MAKE A COMPLAINT TO THE RELEVANT DPA
Data Protection Authorities (“DPAs“) are the regulatory authorities responsible for monitoring and enforcing data protection laws at a national level and providing guidance on the interpretation of those laws. DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR, and bring legal proceedings where necessary. If you believe that your rights have been infringed by IC, you have the right to ask IC to remedy the situation. If you believe you have not received an adequate response from IC, you may file a complaint with the relevant DPA (either the DPA for the EU Member State in which you live or work or the Member State in which the alleged infringement occurred). A list of DPAs may be found at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 (current as of April 2018).
IC’S LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA
Under the GDPR, to process your personal data, IC is required to identify a legal basis (or bases) for its processing activities. IC’s legal basis for processing your personal data as described below.
IC is permitted to process your personal data to the extent you have given consent for IC to perform processing activities. Please note that your consent to processing can be revoked at any time (though there may be other applicable legal bases that may justify ongoing processing of your personal data). Your consent may be revoked by emailing email@example.com.
IC is permitted to process your personal data to the extent the Processing is necessary:
- Respond to your request to access your personal data; or
- For the conclusion or performance of a contract between IC and a third party where it is in your interest for the processing to occur.
In order for you to be able to access the Services, it is critical that IC be able to process your personal data, particularly because many of IC’s Services are based on a subscription model. Without being able to process your personal data, including your payment information, IC could not provide the Services to you.
IC is permitted to process your personal data to the extent the processing is necessary for the purposes of legitimate interests pursued by IC or a third party (“legitimate interests“), except where those legitimate interests are overridden by your interests, fundamental rights, or freedoms. In order to establish that IC has a legitimate interest in processing your information, it will complete a Legitimate Interest Assessment Form (“LIA Form“) to ensure that there is adequate consideration and accountability for the decision to conduct the processing. The LIA Form is intended to: 1) assess whether a legitimate interest exists; 2) establish the necessity of the processing; and 3) perform a balancing test to ensure that a particular processing operation does not cause undue interference with your interests, rights, or freedoms. You may object to IC’s processing of your personal data on the basis of legitimate interests; if you wish to raise such an objection, please email detailing your objection to firstname.lastname@example.org. IC’s identified legitimate interests for processing your personal data include:
Organizational Interests: As IC operates different sites, it is often necessary for IC to transmit your personal data within the organizational group. Processing is necessary so that data can be shared amongst our affiliates so that each entity can carry out their legal, regulatory, and/or contractual responsibilities and/or coordinate/implement business plans, logistics, and/or operations. This is especially true because IC’s affiliated entities may perform critical services for IC, such as services related to: accounting, compliance, human resources, information technology and security, legal, management, etc.
Operational Interests: Processing your personal data is necessary to facilitate the day-to-day operation of our business and to allow for business planning for strategic growth. This includes managing our relationship with you, our employees, other users/clients, vendors, business partners, and/or others; sharing intelligence with internal stakeholders; implementing training procedures; planning and allocating resources and budgets; performing data modelling; facilitating internal reporting; analyzing growth strategies; aggregating analytics; and/or processing personal information to create anonymized data (e.g., for product improvement, analytics, etc.).
Logistical Interests: Processing your personal data is necessary to enable IC’s business operations to run more efficiently, e.g., establishing how to allocate resources or to predict future demand.
Research and Development Interests: Processing your personal data is necessary for us to deliver and/or improve our products and services. This includes processing your personal data to determine whether a product or service works as intended, monitoring usage and conduct, and identifying and troubleshooting issues.
Market Intelligence and Analytical Interests: IC legitimately needs to conduct market intelligence so we can better promote our products and services by creating a better understanding of our users’ and/or customers’ preferences. This could include using diagnostic analytics to optimize products, services, and/or marketing campaigns by assessing/monitoring users’ usage of the products or services and/or conduct while using the products or services. Common metrics for evaluation could include monitoring pages and links accessed, ad performance and conversion tracking, the number of posts, the number of page views, patterns of navigation, time at a page, devices used, user reviews, where users are coming from, hardware used, operating system version, advertising identifiers, unique application identifiers, unique device identifiers, browser types, languages, wireless or mobile network information, etc. This metrics could be used to personalize services and communications; determine which users should receive specialized communications based on how they use the product or service; create aggregate trend reports; determine the most effective advertising channels and messaging; and/or measure the audience for a certain communication.
Personalization Interests: We process personal data to enhance and personalize the “consumer experience” we offer our current and/or prospective users/customers in our products and services.
Monitoring Interests: to identify recurring problems and/or analyze the patterns of behavior of users and/or customers, it is necessary for IC to monitor your performance/behavior on our Services.
Direct Marketing Interests: Processing your personal data is necessary for direct marketing to occasionally update users on the Services, including occasional communications regarding updates to our activities, products, services, and/or events.
Marketing and Sales Interests: IC has a legitimate interest in processing personal data in marketing our products and services to other businesses, e.g., processing the information of a business contact to market our products and/or services to the affected data subject’s employer.
Due Diligence Interests: It is necessary for IC to process your personal data for conducting due diligence. This could include, for example, monitoring official watch-lists, sanction lists and “do-not-do-business-with” lists published by governments and other official bodies globally. This could also include keyword searches of industry and reputable publications to determine if companies and individuals have been involved in or convicted of relevant offenses, such as fraud, bribery, and/or corruption.
Fraud Detection and Prevention Interests: Processing your personal data is necessary for IBD to help detect and prevent fraud, e.g., verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder’s normal place of residence or work.
Updating Customer Details and Preferences: Processing your personal data is necessary to verify the accuracy of your user data and to create a better understanding of our past, present, and/or prospective users.
Network and Information Security: Processing your personal data is necessary for ensuring our network and information security, e.g., monitoring users’ access to our network for the purpose of preventing cyber-attacks, inappropriate use of data, corporate espionage, hacking, system breaches, etc. This could include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping “denial of service” attacks and damage to a computer and electronic communication systems.
Business Continuity/Disaster Planning Interests: IC processes your personal data because it is necessary to allow for the backup and protection of your information (e.g., utilizing cloud-based services to archive/protect data) to ensure that such information is not improperly lost or modified. Such processing is also necessary to archive/protect data under legal, regulatory, organizational, and/or contractual obligations.
Artificial Intelligence Interests: In processing your personal data, IC may process your data using an algorithm that helps to streamline organizational processes, e.g., our customer service department putting in place an algorithm that helps to manage customer service requests by routing customer contacts to the most appropriate part of the organization.
Compliance with Laws and Regulations: IC is subject to binding legal or regulatory obligations and needs to process your personal data in order to comply with such laws or regulations. Examples include: complying with reporting obligations; complying with screening obligations; responding to law enforcement requests; and/or responding to judicial/regulatory agency requests.
Reporting Potential Threats to Public Security/Safety: IC has a legitimate interest in reporting possible criminal acts or threats to public security/safety that we identify as part of our processing activities to a competent authority.
BINDING LEGAL OR REGULATORY OBLIGATIONS
IC is permitted to process your personal data where it has a binding legal or regulatory obligation to perform the processing to stay in compliance with applicable laws or regulations (e.g., tax reporting purposes). Other examples could include where IC or one of its affiliates is required to respond to a court order, subpoena, or law enforcement agency request, to prevent fraud or abuse, or to protect the safety of individuals. Were IC not able to process your personal data for such purposes, WON could be subject to fines, penalties, and/or civil or criminal liability.
INTERNATIONAL DATA TRANSFERS
PERSONAL DATA OF DATA SUBJECTS UNDER THE AGE OF EIGHTEEN (18)
The services are for a general audience and are not targeted to data subjects under the age of sixteen (18). IC and its affiliates do not knowingly process personal data from EU residents under the age of eighteen (18) without parental consent. If such a situation is found, we delete that information immediately. If you believe IC has any information from an EU resident under the age of eighteen, please contact us at email@example.com