Introduction

Welcome to Antur Waunfawr's privacy notice for customers.

Antur Waunfawr respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

Controller

Antur Waunfawr is the controller and responsible for your personal data (collectively referred to as Antur Waunfawr, "we", "us" or "our" in this privacy notice).

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Human Resources Department using the details set out below.

Contact details

Our full details are:

Full name of legal entity: Margaret Jones
Job title: Quality and Training Officer
Email address: Margaret.jones@anturwaunfawr.cymru
Postal address: Bryn Pistyll, Waunfawr, Caernarfon, Gwynedd, LL55 4BJ
Telephone number: 01286 650721

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Data Protection Principles

We will comply with data protection law. This says that the personal information we hold about you must be:

- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.

Changes to the privacy notice and your duty to inform us of changes

The data protection law changed on 25 May 2018. Although this privacy notice sets out most of your rights under the new laws, we may not yet be able to respond to some of your requests (for example, a request for the transfer of your personal data) until May 2018 as we are still working towards getting our systems ready for some of these changes.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

- Identity Data includes [first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender].
- Contact Data includes [billing address, delivery address, email address and telephone numbers].
- Financial Data includes [bank account and payment card details].
- Transaction Data includes [details about payments to and from you and other details of products and services you have purchased from us].
- Profile Data includes [your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses].
- Usage Data includes [information about how you use our products and services].
- Marketing and Communications Data includes [your preferences in receiving marketing from us and our third parties and your communication preferences].

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

3. How is your personal data collected?

We use different methods to collect data from and about you including through:

- Direct interactions. You may give us your [Identity, Contact and Financial Data] by filling in forms or by corresponding with us by post, phone, email or otherwise.
  This includes personal data you provide when you:
  - apply for our products or services;
  - create an account on our website;
  - subscribe to our service or publications;
  - request marketing to be sent to you;
  - enter a competition, promotion or survey; or
  - give us some feedback.
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services [such as [NAME] based [inside OR outside] the EU].
- Identity and Contact Data from publicly available sources [such as Companies House and the Electoral Register based inside the EU].

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
The following terms are used in the table below:

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver your order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to partake in a prize draw, competition or complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve products/services, marketing, customer relationships and experiences | (a) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Usage (d) Profile | Necessary for our legitimate interests (to develop our products/services and grow our business) |

How we use particularly sensitive personal data

"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

- In limited circumstances, with your explicit consent.
- Where it is needed in the public interest, such as for equal opportunities monitoring.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.

Promotional offers from us

We may use your Identity, Contact, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased [goods or services] from us [or if you provided us with your details when you entered a competition or registered for a promotion] and, in each case, you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any company outside Antur Waunfawr for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by contacting us.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of [a product/service purchase, warranty registration, product/service experience or other transactions].

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5. Disclosures of your personal data

We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 3 above.

External Third Parties:

- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based who provide consultancy, banking, legal, insurance and accounting services, IT specialists.
- HM Revenue & Customs, regulators and other authorities [acting as processors or joint controllers] based [in the United Kingdom] [who require reporting of processing activities in certain circumstances].
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

We do not transfer your personal data outside the European Economic Area (EEA).

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

In some circumstances you can ask us to delete your data: see Request erasure below for further information.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

9. Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:

- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
  Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.
  We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

Chairman: Name___________________________ Signed_________________________ Date__/__/__
Trustee: Name___________________________ Signed_________________________ Date__/__/__

Document Reference: AWP 105
Issue Number: 01
Issue Date: 01/06/2018
Approved by: Senior Management
Heading - Single,Sch main head inc singleq$ & Fd,ha$(5B*KHOJPJQJ^JaJphtH  U Schedule Heading,Sch main head&r$$$ & Fd,h@&a$(5B*KHOJPJQJ^JaJphtH  U Section Heading,1stIntroHeadingss$ d,xxa$+5:B*CJOJPJQJ^JaJphtH hBh U Shortquestiont$d,xa$!B*OJPJQJ^JaJphtH jRj USpeedread Parau$d,xa$!B*OJPJQJ^JaJphtH |b| USpeedread Section1 Parav$d,xa$!B*OJPJQJ^JaJphtH |r| USpeedread Section1 Textw$d,xa$!B*OJPJQJ^JaJphtH jj USpeedread Textx$d,xa$!B*OJPJQJ^JaJphtH rr USpeedread Titley$d,xa$(5B*CJ$OJPJQJ^JaJphtH d/d {U Template Typezx)B*CJOJQJ_HaJmH phsH tH j/j zUTemplate Type Char-B*CJOJPJQJ^JaJmH phsH tH JU`J U0 Hyperlink6>*B*OJPJQJ^Jphdd UBullet4}$ & Fda$!B*OJPJQJ^JaJphtH / UIgnored Template Text[~x$d%d&d'd-DM Դ&NOPQ/56B*CJOJQJ_HaJmH phsH tH / ~UIgnored Template Text Char@56B*OJPJQJ^JaJfHmH phq Դ&sH tH xx UHeading Level 1$$d,x@&a$(5B*CJ$OJPJQJ^JaJphtH xx UHeading Level 2$$d,x@&a$(5B*CJOJPJQJ^JaJphtH || UHeading Level 3$$d,x@&a$+56B*CJOJPJQJ^JaJphtH `/2` U PinPoint Ref+5<B*CJOJQJ_HmH phsH tH f/Af UPinPoint Ref Char+5<B*CJOJPJQJ^JaJphtH d/Rd U Block Quotex^%B*CJOJQJ_HmH phsH tH ^/a^ UBlock Quote Char%B*CJOJPJQJ^JaJphtH /r UList Paragraph Level 1$ex^ea$)B*CJOJQJ_HaJmH phsH tH / UList Paragraph Level 2$5x^5a$)B*CJOJQJ_HaJmH phsH tH x/x UList Paragraph Level 1 Char)B*OJPJQJ^JaJmH phsH tH x/x UList Paragraph Level 2 Char)B*OJPJQJ^JaJmH phsH tH @@ U Intro Default B*ph>> U Intro Custom B*phBAB UPrecedent Type B*ph:A: U Operative <B*phTQT USpeedread Bullet List 1 B*phB B U Parties Title 5B*ph/ UQuestion Paragraph1 & F ex-D@&M ^e`)B*CJOJQJ_HaJmH phsH tH |Q" | UBullet List Pattern 1-dx-DM ^` B*ph|/1 | UQuestion Paragraph Char6B*CJOJQJaJfHmH phq sH tH jaB j UBullet List Pattern 25-DM ^5 B*phNR N UTestimonium Contract B*phFb F UTestimonium Deed B*phHr H UTitle subclause2 5B*phH H UTitle subclause3 5B*phH H UTitle subclause4 5B*phJOa J UUntitled Clausex 5B*ph\ \ USchedule Untitled Clausex 5B*phL L UTitle subclause1x 5B*phn/ n USchedule & Fd,5B*CJOJQJ_HaJmH phsH tH D D USchedule Title 5B*phF F UPart$ 
& Fa$ 5B*phFF U Annex Title  5B*ph< < U Part Title 5B*ph<" < U Testimonium B*ph\/1 \ Uapple-converted-spaceB*OJPJQJ^JphHX A H U@Emphasis6B*OJPJQJ]^Jph\OaR \ UNo Num Title - Clause F^ B*phd b d UNo Num Title subclause1 & F^ B*ph>r > U Address Line B*ph.L . UDate B*phHH USalutation Para B*phZV Z U0FollowedHyperlink6>*B*OJPJQJ^JphB/ B UDefTerm5B*OJPJQJ^Jph U0 Shaded TableD:V0 d B*ph< < U Letterhead 6B*ph@ @ U Letter Title 5B*phn n ULong Question Para & F d@&B*CJmH phsH d/ d ULong Question Para CharB*OJQJmH phsH tH  UShort Question Para( d(@&-DM B*CJ\mH phsH /! UShort Question Para CharAB*CJOJPJQJ\^JaJfHmH phq sH tH /2 U"811D3A974D454A258B71E3C4DE24C4F210x)B*CJOJQJ_HaJmH phsH tH z/B z UList Paragraph Level 3px^p%B*CJOJQJ_HmH phsH tH LR L UDocument Title$a$ B*CJphb UTitle - Clause,BIWS Heading 14$$ 0d,@&^`0a$(5B*KHOJPJQJ^JaJphtH b U#Para - Clause - no num,Body clause$d,xx^a$!B*OJPJQJ^JaJphtH Fa F U Para - Clausex 5B*phv v UCoversheet Paragraph$d,a$!B*OJPJQJ^JaJphtH L L UCoversheet Intro:B*CJphT T UCoversheet Static Text 5B*phF F UCoversheet Party B*ph^O ^ UNo Num Untitled Clause F^ B*phXA X UBackground Subclause1 & F B*phXA X UBackground Subclause2 & F B*phL L UHeading Level 2 CQA B*ph^O ^ UClause Bullet 1 & F 5@&^5` B*ph^O" ^ UClause Bullet 2 & F@&^` B*ph^O2 ^ Usubclause 1 Bullet 1 & F 5 B*phfB f Usubclause 2 Bullet 1 & F^` B*phfR f Usubclause 3 Bullet 1 & F^` B*phfb f Usubclause 1 Bullet 2 & F^` B*phfr f Usubclause 2 Bullet 2 & F^` B*phf f Usubclause 3 Bullet 2 & F ^ ` B*phT T UDefined Term Bullet & F B*phT T UDefined Term Number & F B*phR R UAdditional Title$a$5B*CJph</ < UerrorB*OJPJQJ^JphlO l UNo Num Untitled subclause 1 & F^ B*phVA V UBackground Para Clause F B*phr r UBackground Para Subclause1 & F^B*mH phsH r  r UBackground Para Subclause2 & F^B*mH phsH ^  ^ UClause Bullet Para F8^8B*mH phsH b! 
" b UClause Bullet 2 Para F^B*mH phsH n2 n UACTJurisdictionCheckList d,x5B*CJOJQJphd1B d UJurisdiction Draftingnote Title B*phHAR H UEmpty Clause Para B*phN@b N U List Paragraph ^m$ B*ph^r ^ USchedule Title subclause1x 5B*phQ UBullet List 1 + Pattern-dx-DM ^` B*phna n UBullet List 2 + Pattern5-DM ^5 B*ph/ ,& 6D83DCFF8BDF479DB88C9CA683CF81C7x)B*CJOJQJ_HaJmH phsH tH \' \ 70Comment Reference!B*CJOJPJQJ^JaJph\ \ 70 Comment Text dB*CJ^JaJnHphtHd/ d 70Comment Text Char)B*CJOJPJQJ^JaJnHphtH\j \  n0Comment Subject d5B*\^JphtH p/ p  n0Comment Subject Char/5B*CJOJPJQJ\^JaJnHphtHN N$/0Revision!B*CJ_HaJmH phsH tH && [TOC 1PK![Content_Types].xmlN0EH-J@%ǎǢ|ș$زULTB l,3;rØJB+$G]7O٭VvnB`2ǃ,!"E3p#9GQd; H xuv 0F[,F᚜K sO'3w #vfSVbsؠyX p5veuw 1z@ l,i!b I jZ2|9L$Z15xl.(zm${d:\@'23œln$^-@^i?D&|#td!6lġB"&63yy@t!HjpU*yeXry3~{s:FXI O5Y[Y!}S˪.7bd|n]671. tn/w/+[t6}PsںsL. J;̊iN $AI)t2 Lmx:(}\-i*xQCJuWl'QyI@ھ m2DBAR4 w¢naQ`ԲɁ W=0#xBdT/.3-F>bYL%׭˓KK 6HhfPQ=h)GBms]_Ԡ'CZѨys v@c])h7Jهic?FS.NP$ e&\Ӏ+I "'%QÕ@c![paAV.9Hd<ӮHVX*%A{Yr Aբ pxSL9":3U5U NC(p%u@;[d`4)]t#9M4W=P5*f̰lk<_X-C wT%Ժ}B% Y,] A̠&oʰŨ; \lc`|,bUvPK! ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-![Content_Types].xmlPK-!֧6 0_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!R%theme/theme/theme1.xmlPK-! 
ѐ' theme/theme/_rels/themeManager.xml.relsPK] R 3>DXYZ.12<@BDF*V+,W-./23.4(56A=SYZZ/03456789:;=>?ACEG56 6RX!l,R$ҳN1!)sA@l (    A"?"Logo Newydd 2011Picture 1Logo Newydd 2011#" `?B S  ?R<TPa787974a496830a410588a222632a985786a382234a540866a599551a501999a199685a563186a770336a432477a733364a389597a465678a159578a457168a480831 _Toc256000001a738838a562087a331664a524838 _Toc256000002a653340a179246 _Toc256000003a964261a852894a309744a218374a638713a165093a647495a865675a865636a602347a505069a295679a718211a539561a879432a685745a697118a233076a290238a178016a834833a239061 _Toc256000004a342752a880441a888527 _Toc256000005a916272a424553 _Toc256000006a117271a347220a852989 _Toc256000007a536431a656402a679927a369737a263860a137296a938517a152621 _Toc256000008a777128a100058a297597a836012a789450a520072a546939a722140a694615L9W"8b! RNNsK!!)-20N0O12%30334466u7u77 ;}<}<<===>????@BBB;CCDCDUDDEFI=KfMNZPR  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO<8V!7RkZ @ vrrdJ!!"20N0N122/334466D7778V<<<<==>x????@BBB:C"DTDTDDEFI*@B*XTEHH*KH\]^JS*Y(o(phhHANNEX  ^`hH. pL^p`LhH. @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PL^P`LhH.h^`OJQJo(hHhp^p`OJQJ^Jo(hHoh@ ^@ `OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHhP^P`OJQJ^Jo(hHoh ^ `OJQJo(hH^`B*phhH. ^`hH. pL^p`LhH. @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. 
PL^P`LhH.h^`OJQJo(hHhp^p`OJQJ^Jo(hHoh@ ^@ `OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHhP^P`OJQJ^Jo(hHoh ^ `OJQJo(hH^`B*OJQJo(phhH ^ `OJQJ^Jo(hHo^`OJQJo(hHW^W`OJQJo(hH'^'`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHog^g`OJQJo(hH55^5`B*OJQJo(phhH^`OJQJ^Jo(hHopp^p`OJQJo(hH@ @ ^@ `OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHoPP^P`OJQJo(hHt t ^t `B*OJQJo(phhH^`OJQJ^Jo(hHopp^p`OJQJo(hH@ @ ^@ `OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHoPP^P`OJQJo(hH h8^h`B*o(phhH Schedule ^`B*OJQJo(phhHp^p`OJQJ^Jo(hHo@ ^@ `OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hHP^P`OJQJ^Jo(hHo ^ `OJQJo(hH^`B*OJQJo(phhHp^p`OJQJ^Jo(hHo@ ^@ `OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hHP^P`OJQJ^Jo(hHo ^ `OJQJo(hH ^ `B*OJQJo(phhH|^|`OJQJ^Jo(hHoL^L`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH\^\`OJQJ^Jo(hHo,"^,"`OJQJo(hH^`B*OJQJo(phhH ^ `OJQJ^Jo(hHo^`OJQJo(hHW^W`OJQJo(hH'^'`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHog^g`OJQJo(hH^`B*OJQJo(phhHp^p`OJQJ^Jo(hHo@ ^@ `OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hHP^P`OJQJ^Jo(hHo ^ `OJQJo(hHh ^`hH.h p^p`hH.h @ L^@ `LhH.h ^`hH.h ^`hH.h L^`LhH.h ^`hH.h P^P`hH.h  L^ `LhH.h^`OJQJo(hHhp^p`OJQJ^Jo(hHoh@ ^@ `OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHhP^P`OJQJ^Jo(hHoh ^ `OJQJo(hH^`OJPJQJ^Jo(-m^m`OJQJ^Jo(hHo= ^= `OJQJo(hH ^ `OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH}^}`OJQJo(hHM^M`OJQJ^Jo(hHo^`OJQJo(hH h^h`56B*CJo(phhH. ^`hH. pL^p`LhH. @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PL^P`LhH. ^`B*phhH Chapter  ^`hH ^`hH ^`hH ^`hH ^`hH ^`hH ^`hH ^`hH8^8`B*OJQJo(phhH^`OJQJ^Jo(hHo ^ `OJQJo(hH ^ `OJQJo(hHx^x`OJQJ^Jo(hHoH^H`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`B*OJQJo(phhHt^t`OJQJ^Jo(hHoD^D`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hHT"^T"`OJQJ^Jo(hHo$%^$%`OJQJo(hH 0^`056;B*CJphhH()^`56;CJhH()^`56CJhH()u ^`56CJhH()@ 0@ ^@ `056CJhH()0^`056CJhH. 
0^`0o(hH.0^`056CJhH.0^`056CJhH.hh^h`B*OJQJo(phhH^`OJQJo(hHpp^p`OJQJo(hH@ @ ^@ `OJQJo(hH^`OJQJo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJo(hHoPP^P`OJQJo(hH0^`0B*o(phhH ^`o(hH) ^`o(hHs ^`CJo(hH() @ 0@ ^@ `0o(hH() p^p`o(hH()  ^ `o(hH. @ ^@ `o(hH.  ^ `o(hH.8^`B*OJQJo(phhH8^`OJQJ^Jo(hHo8p^p`OJQJo(hH8@ ^@ `OJQJo(hH8^`OJQJ^Jo(hHo8^`OJQJo(hH8^`OJQJo(hH8^`OJQJ^Jo(hHo8P^P`OJQJo(hHh ^`hH.h p^p`hH.h @ L^@ `LhH.h ^`hH.h ^`hH.h L^`LhH.h ^`hH.h P^P`hH.h  L^ `LhH.0^`0B*phhH() ^`hH() 88^8`hH) ^`hH() ^`hH() pp^p`hH()   ^ `hH. @ @ ^@ `hH.   ^ `hH.^`o(.^`.pL^p`L.@ ^@ `.^`.L^`L.^`.^`.PL^P`L.^`B*OJQJo(phhH^`OJQJ^Jo(hHopp^p`OJQJo(hH@ @ ^@ `OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHoPP^P`OJQJo(hH!1gfkFjt1Od}ww:/ ;t6f3)O)A8WL% U"a88#'GefDFyD1q#d4%^M Fj]Y >3?D @CJVXKe-N'W?QrVXPZ>la7c@fH)nH)n<"-2 {n?Qr2Q~     O6 tp8}w xG,y%7]}2Q~N32uYo)84k7M;N>u@AT}AQI1QlQSYtZV/[_HaMOgApEp(x>'<qgoVdl>< DW'g;!kB)\G og{#{ cgWQYQdocPartsVariableForceOverwriteVersion gentXMLPartIDVidessEntityMnemonicVidessMergeObjIDVidessTemplateID<docParts>_x000d__x000a_ <Precedent>agreement</Precedent>_x000d__x000a_ <Operative>paragraph</Operative>_x000d__x000a_ <TemplateType>null</TemplateType>_x000d__x000a_ <SignaturePageBreakType>No</SignaturePageBreakType>_x000d__x000a_</docParts>False&{DBF2AE9D-35C6-4400-887F-2E9D96479E70}pdmma1227807126.777611239363314.77761@PPPPR@Unknown G*Ax Times New Roman5Symbol3. *Cx Arial7.@Calibri7@Cambria5. .[`)Tahoma7. [ @Verdana?= *Cx Courier New;WingdingsA$BCambria Math"qhrz'ኇ# 4E )# 4E )!4.Q.Q >qP !N>2!  uc217199Glesni Mair Jones!                           
Website privacy policy (GDPR version)
Practical Law Data Protection Standard documents

A standard customer-facing website privacy notice that complies with the EU General Data Protection Regulation ((EU) 2016/679) (GDPR). An online business may use this notice to notify the website visitors about how it collects, uses and stores personal data (excluding special categories of personal data and data relating to criminal convictions and offences) through use of its website and to provide goods and services.

Further amendments may be made to this document when the Article 29 Working Party’s final Guidelines on Transparency under the GDPR (WP260) are published and if the Information Commissioner's Office provides further guidance on the content and format of privacy notices.

About this document

The General Data Protection Regulation ((EU) 2016/679) (GDPR), adopted in May 2016, replaces the Data Protection Directive (95/46/EC) and will be directly applicable in all member states on and from 25 May 2018.

The GDPR sets out the principles which controllers and processors must comply with when processing personal data (Article 5).
These principles form the core of the obligations of the controller and will usually form the basis of any claim that a controller has not complied with its statutory duties. For further information, see Practice note, Overview of EU General Data Protection Regulation: Data protection principles.

As part of the GDPR principles, businesses must comply with the transparency requirements set out in Articles 13 and 14 of the GDPR. Guidelines on how to comply with these provisions are currently set out in the draft Article 29 Working Party: Guidelines on Transparency under Regulation 2016/679 (WP260), adopted 28 November 2017 (WP29 Draft Transparency Guidelines). See Practice note, Overview of EU General Data Protection Regulation: Transparency and Legal update, Article 29 Working Party publishes guidelines on transparency for consultation (full update).

As the WP29 Draft Transparency Guidelines may change and the Information Commissioner's Office (ICO) may issue further guidance, this privacy notice has been drafted to comply principally with the GDPR, taking a risk-based approach, with references to how the WP29 Draft Transparency Guidelines have been incorporated or where they are difficult to comply with in practice. This privacy notice will need to be amended once the final WP29 Transparency Guidelines are issued and/or if the ICO provides further guidance on the content and format of privacy notices.

The transparency principles require all controllers to notify data subjects about their personal data handling practices through a privacy notice, at the time that data is collected. For an online business, that will usually be through their website privacy notice. A privacy notice informs data subjects about how the organisation collects, uses, stores, transfers and secures their personal data.
This privacy notice is intended for use on a website that collects:
Basic personal data (such as name and contact details) for the purpose of: supplying goods or services; providing content or other information; or marketing its products and services.
Information about users' online behaviour, like IP addresses and web log data.

Organisations should use this document in conjunction with website terms of use or other similar terms and conditions as well as a cookie policy. For a UK-based template "website terms of use and conditions", see Standard documents, Terms of website use (UK) and Online consumer goods, services and digital content terms and conditions. For a cookie policy, see Standard clause, Cookie policy.

This template is titled "privacy notice", but it can equally be called something else as long as it covers what is required under the GDPR. A link to the privacy notice should be clearly visible on each page of a website using a common term, for example, "Privacy Notice", "Privacy", "Privacy Policy" or "Data Protection Notice".

Businesses should conduct a gap analysis to compare the personal data processing practices revealed in its data privacy audit to the statements in its privacy notice. If the business is not aware of its data processing activities at a detailed level then, before using this privacy notice, it is essential that a detailed data privacy audit is undertaken to understand how the business uses, or plans to use, the personal data it collects and uses in respect of its customers. The results of the audit should be documented. For further information, see Preparing for the General Data Protection Regulation (GDPR) Checklist: Audit and Map the Business's Data Processing Activities.

This privacy notice must be tailored on a case-by-case basis for each organisation, in the light of the results of the data protection audit.
This standard document gives various examples under each heading, but each business must ensure that each part of the privacy notice accurately reflects its own actual or anticipated personal data collection, handling and sharing practices.

Training should also be provided to staff who handle personal data across the organisation in relation to the new requirements under the GDPR and the issues arising in this privacy notice (see General Data Protection Regulation (GDPR) training materials).

What is not covered in this privacy notice

This template does not address certain types of personal data collection that may require additional disclosures or specific consents, including:

Special categories of personal data
These include:
This template also does not address data relating to criminal convictions and offences. Websites collecting special categories of personal data and/or data relating to criminal convictions and offences will need to provide an enhanced privacy notice and may need to obtain explicit, opt-in consent for the proposed use with "click-wrap" or "check box" consent forms unless they can rely on a legal ground (other than consent) for collecting that data (see Practice note, Overview of EU General Data Protection Regulation: Special categories of personal data and Preparing for the General Data Protection Regulation (GDPR) Checklist: Review and Update Consent Mechanisms and Language).

Children's personal data
Websites targeting children should review local parental notice and consent requirements (see Preparing for the General Data Protection Regulation (GDPR) Checklist: Review the Business's Use of Children's Personal Data).

Employee personal data
Organisations typically provide employee privacy notices through separate internal policies after consulting employment counsel (see Standard document, Privacy notice for employees, workers and contractors (UK)).
In addition to the above, this template privacy notice does not cover the provision of interactive features, social media applications or processing involving automated decision making. In all cases, a business should carefully assess the different types of data being collected and processed to provide specific goods and services and adapt this privacy notice accordingly.

Format of this privacy notice

Under Article 13 of the GDPR, a business is required to provide the individual with certain information at the point their data is collected (see Drafting note, Provision of information to data subjects). All information provided must be concise, transparent, easily accessible and given in plain language (Article 12, GDPR). It remains to be seen how this presentational requirement will be interpreted by the ICO. Although the WP29 Draft Transparency Guidelines have already suggested various mechanisms to assist with these requirements, there remains an inherent tension between the requirement to provide extensive information to individuals and the conciseness requirement.

The GDPR allows for the use of visualisation tools as well as language communications to comply with the principle of transparency. Visualisation tools can include icons, certification mechanisms and data protection seals and marks. As these mechanisms are still in their infancy, this document does not refer to them in detail.

Many privacy regulators recommend a layered notice format, which pairs a short summary with a linked detailed disclosure, as the most effective way to simplify a complex privacy notice and make it clearly and conspicuously accessible. In particular, the ICO recommends using several different techniques to present information in a fair and transparent way, taking into account the audience, the available methods of communication and the complexity of the data processing.
However, businesses should avoid fragmenting notices into too many individual documents to ensure the privacy notice remains accessible to users. The WP29 Draft Transparency Guidelines also refer to use of "privacy dashboards" and "just-in-time" notices which businesses may want to consider implementing.

This privacy notice follows a layered format providing links to certain sections which lend themselves to being clicked through to, rather than setting out everything in full in one document. This notice has split the different areas by the type of processing (for example, collection, use and sharing). However, businesses could follow a different format and split their notice up differently, by perhaps following the execution process with a customer (for example, marketing, onboarding a customer and provision of goods and services, after sales or complaints).

Organisations with entities in multiple jurisdictions face compliance challenges when trying to implement website privacy notices as part of a global privacy compliance programme. Multinationals must choose between implementing a single, global privacy notice applicable for all its customers globally or jurisdiction-specific or regional privacy notices, taking into account the fact that even within the EU, member states are likely to have varying rules on data protection.

Provision of information to data subjects

The GDPR requires businesses to provide the data subject with the following information:
The controller's identity (meaning the name of the legal entity) and contact details and its representative, if any.
The contact details of the data protection officer (DPO), where applicable.
The intended purposes of, and the legal basis for, the processing.
Where the processing is based on Article 6(1)(f) of the GDPR (legitimate interest), the legitimate interest pursued by the business or by a third party.
The recipients or categories of recipients of the personal data, if any.
Where applicable, the fact that the business intends to transfer the personal data to a recipient in a country outside the EU or an international organisation, and the existence or absence of a Commission adequacy decision or information about the appropriate or suitable safeguards adduced to secure the data and the means to obtain a copy of them.
(Article 13(1).)

The business must also provide the data subject with the following information to ensure fair and transparent processing:
The period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period.
The existence of the individual's: right of access (Article 15); right to rectification (Article 16); right to erasure (Article 17); right to restriction of processing (Article 18); right to object to processing (Article 21); and right to data portability (Article 20).
Where processing is based on the individual's consent, the right to withdraw that consent at any time.
The individual's right to lodge a complaint with the supervisory authority.
Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract. The individual must be informed about any obligation to provide personal data and of the consequences of a failure to do so.
The existence of automated decision-making or profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of that processing for the individual.
(Article 13(2).)

For details of the information to be provided to individuals when personal data is collected from a third party, see Drafting note, How is your personal data collected?.

UK-specific rules

Article 6(2) of the GDPR grants member states a limited right to maintain or introduce more specific provisions to adapt the application of the GDPR with regard to data processing for:
Compliance with a legal obligation (Article 6(1)(c)).
The performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)).

The UK has done so by means of the Data Protection Bill (DPB). For more information on the DPB, see Data Protection Bill tracker.

Taking a risk-based approach

The WP29 Draft Transparency Guidelines go further than what is required in Articles 13 and 14 of the GDPR in many respects, as set out in the examples given below. Many businesses have provided feedback into these more onerous requirements as the additional requirements could potentially make privacy notices long, complex and legalistic, therefore defeating one of the main principles of the GDPR to keep notices simple. The key challenge for businesses is to achieve a balance between providing comprehensive information to comply with the GDPR, yet make the notice simple and transparent in a meaningful way for its customers.

Until the WP29 Draft Transparency Guidelines are finalised and/or further guidance is received from the ICO, businesses may wish to take a risk-based approach in order to deal with some of the more onerous guidance in the WP29 Draft Transparency Guidelines. Each business is different in terms of risk appetite, type of customers and complexity of data processing activities. For example, for a consumer-facing business, the privacy notice could prioritise being more user-friendly (for example, set out lawful basis in a consumer-friendly manner and forego complex detail) versus a regulated organisation with business customers where it may be more appropriate to take a more comprehensive approach to compliance and include more detailed and complex information in the privacy notice.

Onerous requirements arising out of interpretation of GDPR by WP29 Draft Transparency Guidelines:
The GDPR says you must set out the purposes and legal basis of any processing. WP29 states "the relevant legal basis relied upon under Art 6 and 9 must be specified".
This implies that each purpose or activity should be matched to a specific legal basis, including calling out additional legal basis per activity where relevant.
The GDPR requires you to set out the legitimate interests being relied on. WP29 suggests the balancing interest test used to rely on legitimate interest also needs to be included in the notice.
The GDPR states you should provide data subjects with "relevant further information as referred to in paragraph 2" where personal data is used for another purpose. WP29 has interpreted this to mean all information in Article 13(2) should be provided, as well as a compatibility analysis which will need to be provided to the data subject before the different processing is undertaken (unless the legal basis for the new processing purpose is consent or national or EU law).
The GDPR states the source from which personal data originated and whether it came from a publicly available source should be provided when data is not obtained from an individual. WP29 goes further and requires the provision of the type of organisation, industry or sector, whether the data was held in or out of the EEA and the specific source of the data (it is unclear whether this means a named source or whether categories will be sufficient).
The GDPR requires recipients or categories of recipients to be set out in the privacy notice. WP29 states recipients must include other controllers or joint controllers, so this could extend to internal recipients in respect to intra-group data transfers. WP29 also requires privacy notices to name actual individual recipients unless you can prove why it is fair to provide categories of recipients. Where categories are provided, the type of recipient (that is, activity carried out), the industry sector (and sub-sector) and location of the recipients must be provided.
The GDPR states notices should state when data is transferred out of the EEA and the mechanism relied on, together with means to obtain details of the mechanism. WP29 suggests the notice explicitly lists individual countries outside the EEA where data has been transferred, as well as including a reference to the actual GDPR Article being relied on to permit the transfer.
The GDPR requires the period for which data will be stored or the criteria used to determine the period to be included in the privacy notice. WP29 suggests it will not be enough to "generically state that personal data will be kept as long as necessary for the legitimate purposes of processing". Where possible, individual periods need to be specific or the criteria should be phrased in a way that enables an individual to determine how long his or her data will be stored.

Business sign-off

The privacy notice should not make promises or statements that a business cannot fulfil as data subjects or privacy regulators may act to enforce the privacy notice terms. To ensure the privacy notice accurately reflects current and anticipated personal data handling practices, as well as technical features and content, the organisation should require the following people to review it before public release:
Senior management.
Business and technical employees responsible for operating the website and collecting data.
Operating units responsible for controlling access to and use of personal data collected from the website.
Information technology groups responsible for security.
Legal counsel.

Businesses should periodically audit and verify compliance with the statements in the privacy notice, particularly around any website visitor data use choices or opt-out methods (for example, mailing list unsubscribe procedures). Failure to implement effective procedures and technology or comply with user opt-out requests exposes businesses to potential liability.
Resources In addition to the guidance notes within this privacy notice, the following documents should be consulted when preparing your privacy notice: Updating Privacy Notices to Comply With the GDPR Checklist. Practice note, Getting privacy policies GDPR-ready. Legal update, Article 29 Working Party publishes guidelines on transparency for consultation (full update). Practice note, Overview of EU General Data Protection Regulation: Transparency. Practice note, Demonstrating compliance with the GDPR. ICO guidance: Privacy notices, transparency and control. Introduction This privacy notice may be used by an online business to describe its collection, storage and use of personal data (excluding special categories of personal data and data relating to criminal convictions and offences) on a website collecting data for the purpose of supplying goods or services to website users or for contacting users with direct marketing information. The template provisions set out in this privacy notice deal with processing basic personal data with limited processing activities. Accordingly, this document will need to be tailored and provisions expanded on if a website or business has a complex operation involving many parties, several types of data and numerous processing activities. In addition to this general website privacy notice, it is important that businesses issue a short-form privacy notice or fair processing notice at the actual point when it collects data from an individual. Such a short-form notice would set out why data is being collected and processed for a particular purpose and perhaps refer to the contents of this website privacy notice for more details. We have indicated throughout the document where we advise including internal hyperlinks by square brackets and italics (these are not all live in the document as published). Welcome to the [COMPANY NAME]'s privacy notice. 
[COMPANY] respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you. This privacy notice is provided in a layered format so you can click through to the specific areas set out below. [Alternatively you can download a pdf version of the policy here [LINK]]. Please also use the Glossary to understand the meaning of some of the terms used in this privacy notice. 1. [IMPORTANT INFORMATION AND WHO WE ARE] 2. [THE DATA WE COLLECT ABOUT YOU] 3. [HOW IS YOUR PERSONAL DATA COLLECTED] 4. [HOW WE USE YOUR PERSONAL DATA] 5. [DISCLOSURES OF YOUR PERSONAL DATA] 6. [INTERNATIONAL TRANSFERS] 7. [DATA SECURITY] 8. [DATA RETENTION] 9. [YOUR LEGAL RIGHTS] 10. [GLOSSARY] 1. Important information and who we are The first layer of the privacy notice should provide a clear overview of the information being processed (including that which has the most impact on the data subject and processing which could surprise the data subject) and set out where further, detailed information can be found. Controller Individuals are entitled to know the identity of the entity that will make decisions about how their data is used - this will be the "controller" of the data. Businesses must ensure the privacy notice includes their full legal name and contact information as controller of data. Where the business is part of a multinational group, the details of the legal entity responsible for the website should be included in the privacy notice. Organisations that provide services or products in the EU but are based outside of the EU should provide information in respect of their EU-based representative. 
Data protection officer (DPO) Although some businesses will appoint a DPO voluntarily, there is only a requirement under the GDPR for a DPO to be designated if any of the following circumstances apply: Where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity. Where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale. Where the core activities of the controller or the processor consist of processing any special categories of personal data on a large scale and data relating to criminal convictions and offences (Articles 9 and 10). (Article 37(1).) Irrespective of whether a mandatory DPO needs to be appointed, most organisations will most likely allocate data privacy compliance to a particular individual. They may be called a data privacy manager, if they are not a DPO (to make clear that DPO rights do not apply to them). If the business is required to appoint a DPO under the GDPR then it must include the DPO's details in the privacy notice. For more information on DPO requirements under the GDPR, see Practice note, Data protection officers under the GDPR and Flowchart, Do we need a Data Protection Officer?. Changes to this privacy notice The WP29 Draft Transparency Guidelines state that controllers should adhere to the same principles when communicating the initial privacy notice and any subsequent changes. This means ensuring that all changes are communicated in a specific, targeted, obvious way. It is not enough for a business to require a data subject to regularly check a privacy notice for any changes or updates; WP29 states that this will be considered unfair under the GDPR. 
This may be difficult to implement in practice as there is a serious risk of information fatigue if frequent reminders, particularly of non-material changes, are sent to data subjects resulting in communications being ignored by recipients. To make some effort to comply with these new requirements, businesses may wish to take a view that only material changes will be communicated, perhaps by a pop-up notice on the website announcing that the privacy policy has changed. Even this may be burdensome and difficult to implement. Therefore, businesses may want to wait and see if the ICO issues any guidance around privacy notice updates before implementing any major technical changes to their website. Irrespective of how changes are dealt with after May 2018, it may be prudent to insert the right to make further changes between when this privacy notice is uploaded and May 2018, especially if businesses are not yet in a position to be able to deal with all the data subject rights (for example, data portability). Businesses may also prefer not to introduce expanded data subject rights before they are required to do so in May 2018. Purpose of this privacy notice This privacy notice aims to give you information on how [COMPANY] collects and processes your personal data through your use of this website, including any data you may provide through this website when you [sign up to our newsletter, purchase a product or service or take part in a competition]. This website is not intended for children and we do not knowingly collect data relating to children. It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them. 
Controller [IF ONLY ONE ENTITY:] [LEGAL ENTITY NAME] is the controller and responsible for your personal data (collectively referred to as ["COMPANY"], "we", "us" or "our" in this privacy notice). [IF SEVERAL ENTITIES PART OF A GROUP:] [COMPANY] is made up of different legal entities, details of which can be found here [LINK]. This privacy notice is issued on behalf of the [COMPANY] Group so when we mention ["COMPANY"], "we", "us" or "our" in this privacy notice, we are referring to the relevant company in the [COMPANY] Group responsible for processing your data. [We will let you know which entity will be the controller for your data when you purchase a product or service with us.] [LEGAL ENTITY NAME] is the controller and responsible for this website. We have appointed a [data protection officer (DPO) OR data privacy manager] who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise [your legal rights], please contact the [DPO OR data privacy manager] using the details set out below. Contact details Our full details are: Full name of legal entity:  Name or title of [DPO OR data privacy manager]: Email address: Postal address: [Telephone number:] You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. Changes to the privacy notice and your duty to inform us of changes [This version was last updated on [DATE] [and historic versions are archived here [LINK] OR can be obtained by contacting us.]] [The data protection law in the UK will change on 25 May 2018. 
Although this privacy notice sets out most of your rights under the new laws, we may not yet be able to respond to some of your requests (for example, a request for the transfer of your personal data) until May 2018 as we are still working towards getting our systems ready for some of these changes.] It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Third-party links This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit. 2. The data we collect about you The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject')" (Article 4(1)). The business's customer is the "data subject" in relation to this privacy notice. Businesses should include a broad definition of personal data in their privacy notices (though it is important to only specify data you will collect or process) and identify any categories of data that do not constitute personal data so that these can be excluded. For example, anonymous data, or data where the identity of the individual has been irretrievably removed, would not be considered personal data. To set clear customer expectations, the notice should also state that the business intends to use that non-personal or aggregated data. For more information, see Practice note, Anonymization and Pseudonymization under the GDPR. 
The categories of data included in this privacy notice provide examples only and are not intended to be an exhaustive list of all of the categories of personal data that a business may collect. Businesses must tailor the categories of personal data listed to reflect their actual data collection practices (based on the results of their data protection audit). The description of each category of personal data could be moved to the Glossary below if a business wishes to further layer the notice. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows: Identity Data includes [first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender]. Contact Data includes [billing address, delivery address, email address and telephone numbers]. Financial Data includes [bank account and payment card details]. Transaction Data includes [details about payments to and from you and other details of products and services you have purchased from us]. Technical Data includes [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website]. Profile Data includes [your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses]. Usage Data includes [information about how you use our website, products and services]. Marketing and Communications Data includes [your preferences in receiving marketing from us and our third parties and your communication preferences]. 
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. If you fail to provide personal data Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time. 3. How is your personal data collected? This section should disclose how the website collects data from or about its users. In particular, the privacy notice should include details of any personal data collected from third parties. Website visitors are clearly aware of some data collection methods. For example, website visitors know they directly provide personal data by submitting an online form or creating an account. 
Many data collection methods, however, are not obvious to casual website visitors (for example, cookies and automatic data collection technologies). Website operators using any automatic or non-obvious data collection methods should clearly identify and describe them in the privacy notice or related cookie policy. Each website should have detailed information on the cookies it uses and usually this is set out as a different policy on the website. See Standard clauses, Cookie policy for further details. Additional notification requirements apply to personal data collected from third parties (Article 14(1), GDPR). These mirror the notification requirements in respect of data collected directly from the data subject (see Drafting note, Provision of information to data subjects), save that the following information must also be notified: The categories of personal data concerned. The source of the personal data and, if applicable, whether it came from publicly accessible sources. This information must be provided to the individual within a reasonable period after obtaining the data, but at the latest within one month. However, if the personal data is to be used for communication with the individual before that time, the information must be provided at the latest at the time of the first communication with them. If the personal data is to be disclosed to another recipient, the information must be provided to the individual before the disclosure takes place. This privacy notice proposes some typical categories of data captured by website operators. However, this privacy notice should be tailored to ensure that it refers to all sources of personal data other than the individuals themselves. Where possible, the notice should include the information set out in the two bullet points above. If this is not possible in the privacy notice itself, a separate notification must be given to the individual at the appropriate time. 
In particular, if your business uses credit reference or fraud prevention agencies or checks data against government sanction lists, then further details of these activities should be set out in the privacy notice together with details of what information is shared and under what circumstances. Similarly, if your website allows the user to interact with it (for example, by facilitating the use of interactive features or social media applications), then further details of these activities should be provided together with sources and recipients of data. The WP29 Draft Transparency Guidelines have clarified what needs to be included with respect to sources by recommending that privacy notices should disclose the type of organisation or industry sector from which the data came, as well as where the data was held (that is, EU or not). The WP29 guidelines state that the "specific" source should be provided "unless it is not possible to do so". They further clarify that businesses cannot fail to comply with this requirement simply because it is time-consuming and burdensome to identify each individual source. Instead, every source of data should be able to be tracked back by ensuring privacy by design is built into all processing systems from the ground up. This is quite an onerous requirement and may be difficult to comply with in practice, especially where a business has a complex data processing life cycle involving several data sources which may change from time to time. Accordingly, businesses may wish to take a risk-based approach and instead only list categories of sources. Separate to the above requirements, businesses should check that the third party passing them personal data has obtained any necessary consents from a data subject to pass their data or notified data subjects of such a transfer and advised them of the purpose for which your business plans to use the data. 
We use different methods to collect data from and about you including through: Direct interactions. You may give us your [Identity, Contact and Financial Data] by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you [DELETE OR ADD TO THIS LIST AS APPROPRIATE]: apply for our products or services; create an account on our website; subscribe to our service or publications; request marketing to be sent to you; enter a competition, promotion or survey; or give us some feedback. Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, [server logs] and other similar technologies. [We may also receive Technical Data about you if you visit other websites employing our cookies.] Please see our cookie policy [LINK] for further details. Third parties or publicly available sources. We may receive personal data about you from various third parties [and public sources] as set out below [DELETE OR ADD TO THIS LIST AS APPROPRIATE]: Technical Data from the following parties: (a) analytics providers [such as Google based outside the EU]; (b) advertising networks [such as [NAME] based [inside OR outside] the EU]; and (c) search information providers [such as [NAME] based [inside OR outside] the EU]. Contact, Financial and Transaction Data from providers of technical, payment and delivery services [such as [NAME] based [inside OR outside] the EU]. Identity and Contact Data from data brokers or aggregators [such as [NAME] based [inside OR outside] the EU]. Identity and Contact Data from publicly available sources [such as Companies House and the Electoral Register based inside the EU]. [ANY OTHER WAYS YOU COLLECT PERSONAL DATA]. 4. 
How we use your personal data The privacy notice should disclose how a business plans to use the personal data it collects by describing the specific use purposes, such as order fulfilment, billing, delivery, and marketing. Businesses should also clearly identify any non-obvious personal data uses, for example, data used for profiling, automated decision-making and direct marketing purposes. The suggested uses of personal data included in this privacy notice are examples and are not intended to be an exhaustive list of all of the reasons an online business may process personal data. The business should tailor the list to reflect its practices. In particular, additional details may need to be included if the business uses credit reference agencies, fraud prevention agencies, allows users to interact with their website or undertakes profiling or automated decision-making. Lawful basis for processing The GDPR requires a controller to justify the processing of personal data before it will be considered lawful under Article 5(1)(a). For more information, see Practice note, Overview of the EU Data Protection Regulation: Lawfulness of processing. A business must only process personal data on the basis of one or more of the following legal grounds: The individual has given their consent to the processing of their data for one or more specific purposes (Article 6(1)(a)). It is necessary for entering into or performing a contract with the individual (Article 6(1)(b)). It is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c)). It is necessary to protect the vital interests of the individual or another person (Article 6(1)(d)). It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)). 
It is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or the fundamental rights and freedoms of the individual which require protection of personal data (Article 6(1)(f)). Where a business wishes to rely on legitimate interests, it must identify the legitimate interests it is relying on in its privacy notice. Where legitimate interest is being used, the WP29 Draft Transparency Guidelines go a step further than the GDPR and suggest, as a matter of best practice, that businesses should also provide their customers with information from the "balancing test" (which should have been carried out by the controller to allow reliance on legitimate interest as a lawful basis for processing) in advance of any collection of data subjects' personal data. This could be impractical to do for every activity undertaken and make the privacy policy overly legalistic. Instead, businesses may wish to adopt a risk-based approach (like the one taken in this privacy notice) and exclude the "balancing test" from the privacy notice on the basis that it would be of limited interest to customers and would be made available on request. Consent This privacy notice does not refer to the use of consent as, in most cases, online businesses will not need consent to process personal information other than for processing special categories of data (see Practice note, Overview of EU General Data Protection Regulation: Special categories of personal data) or marketing third-party products and services (see Practice note, E-marketing: a quick guide (DPA 1998 version) for further details). Under the GDPR, if data processing is based on consent, the individual has the right to withdraw consent at any time without any justification, although this will not affect the lawfulness of any processing carried out before the withdrawal (Article 7(3)). 
Data subjects must be informed of their right to withdraw their consent and consent must be as easy to withdraw as it is to give. If an individual withdraws consent, the business could face a situation where it can no longer process the personal data in question because it does not have another legal ground for processing. Note that a business cannot change the legal basis relied upon once it has notified an individual of the legal basis it is actually relying on to process certain data. The WP29 draft guidance on consent (see Legal update, Article 29 Working Party consults on guidelines on consent under the GDPR) indicates that most organisations may find it difficult to rely on consent and difficulties will arise if a data subject withdraws consent, so a different lawful basis should be found for processing data if at all possible. For further information on consent, see Practice note, Overview of EU General Data Protection Regulation: Consent requirements. Matching purposes and categories of personal data with lawful basis The WP29 Draft Transparency Guidelines appear to suggest that privacy notices should match each individual processing activity with a lawful basis. In particular, the WP29 state "The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. In particular the purposes of, and legal basis for, processing the personal data should be clear". Many businesses may find this difficult to comply with, especially where the data processing is complex, involving several processing activities and parties. Data subjects may also find this level of detail too complex and unhelpful. Although the GDPR seems to indicate that more than one lawful basis can be relied on to process data, businesses must identify the specific legal basis being relied on and cannot rely on either one basis applying or another. 
For example, if a business collects consent to fulfil an order, it cannot automatically rely on performance of contract for the same activity when a data subject withdraws consent. This privacy notice has set out, in a table format, suggested categories of data processed by a typical online business carrying out certain activities. The table also suggests the lawful basis which could be relied on for those activities. Organisations must review the lawful basis proposed in this privacy notice and make their own determination as to whether the lawful basis proposed in this privacy notice applies to their specific business activities. Although the table has proposed categories of data used for specific activities, businesses may decide not to include this level of detail in complex data processing operations as, technically, the GDPR only requires the purposes to be matched with lawful basis and not categories (Article 13(1)(c)). This privacy notice does not set out individual activities within the broader activity and match each individual activity with a lawful basis. Nor does this privacy notice expressly call out where an activity may be relying on two different lawful bases. However, it has been suggested that data subjects contact the business if they need further information on the exact lawful basis used for each activity. This means businesses should have recorded this level of detail in their data mapping in case a data subject requests this information. Finally, businesses may wish to add an additional two columns in the table to identify individual recipients of data as well as specific retention periods per processing activity. Businesses may wish to take the risk-based approach suggested in this privacy notice until (and if) further guidance is provided by the ICO on whether setting out processing grounds in more general terms will be regarded as being compliant with the GDPR. 
For more information on lawful basis under the GDPR, see Practice note, Overview of EU General Data Protection Regulation: Lawfulness of processing. Marketing Organisations will need to identify if personal data, such as name and email address, is collected and processed for direct marketing purposes as specific rules apply. In particular, if businesses intend to send electronic direct marketing (such as email and text) prior consent will be required unless soft opt-in applies. A short-form privacy notice or fair processing notice, giving details of the proposed marketing, should be provided at the time data is collected from an individual for marketing purposes. This privacy notice envisages that the "legitimate interests" lawful basis may be relied on with respect to carrying out direct marketing activities. Recital 47 of the GDPR acknowledges that direct marketing can be conducted on the basis of legitimate interests. However, unless soft opt-in applies, consent will also be needed (as a result of Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (as amended)) even if the "legitimate interests" lawful basis is being relied on. Prior consent will also be required before data can be passed to third parties for direct marketing purposes. For more information on direct marketing, see Practice notes, Direct marketing and data protection: consent and preference services (DPA 1998 version), Consent, third party marketing lists and evidence of compliance, Direct marketing: data protection and e-privacy rules, and E-Marketing: a quick guide (DPA version) and Standard document, Consents to receive unsolicited direct marketing material. For the wider rules surrounding direct marketing, see Practice note, Direct marketing: advertising, consumer protection and e-commerce rules. 
All these resources reflect the Privacy and Electronic Communications Regulations (EC Directive) 2003 (SI 2003/2426) (as amended) (PECR) and are currently being updated to reflect GDPR. Note: The rules on electronic marketing are currently under review in the EU's draft E-Privacy Regulation. However, these are unlikely to be finalised by 25 May 2018 to coincide with the GDPR. The Information Commissioner, Elizabeth Denham, clarified in a speech at the Direct Marketing Association's 2018 event on 23 February 2018, that "Until the e-privacy regulation comes into force, PECR will sit alongside the GDPR". For information on profiling and marketing, see Drafting note, Automated decision-making and profiling. Cookies Regulation 6(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (as amended) requires website operators and other online providers that set cookies on their users' equipment to provide internet users with clear and comprehensive information about the purposes for which the cookie is stored and accessed. The rules on cookies are currently under review in the EU's draft E-Privacy Regulation and are unlikely to be finalised by 25 May to coincide with the GDPR. Recital 30 of the GDPR defines online identifiers as including cookies and, where cookies can identify an individual, they are considered to be personal data subject to the GDPR. In particular, the GDPR states that cookies, when combined with unique identifiers and other information received by servers, may be used to create profiles of individuals and identify them. Currently there is uncertainty as to how cookies, especially third party cookies, will be dealt with under GDPR and the draft E-Privacy Regulation. These are some of the issues causing uncertainty: What legal basis can be relied on to serve cookies? 
Legitimate interest could be used but as consent is also required under the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (as amended), should the lawful basis be consent? GDPR requires unambiguous consent. Would cookie pop-up boxes constitute unambiguous consent under GDPR, especially in relation to use of targeting third party cookies? Use of cookies to send targeted adverts may be considered “profiling” under GDPR. Could such profiling have “legal” or “significant effects” on an individual? For more information on profiling, see Drafting note, Automated decision-making and profiling. Until the ICO or WP29 issue some guidance around use of cookies, consent and profiling or until the E-Privacy Regulation is finalised, businesses may wish to take a risk based “wait and see” approach and continue use of cookies “as is”. See Draft E-Privacy Regulation Tracker. In any event, every website should provide a link to a cookie policy and the privacy notice could make reference to this cookie policy. See cookie policy for a template cookie policy. For more general information on cookies, see Practice notes, Cookies: UK issues and Complying with the new cookie regime; practical steps and Practice note, Direct marketing and data protection: Frequently asked questions (DPA 1998): How do the DPA and Privacy Regulations 2003 apply to cookies and profiling. Note that all these resources are currently being updated to reflect GDPR.

Automated decision-making and profiling

The GDPR defines 'profiling' as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular, to analyse or predict their performance at work, economic situation, health, personal preferences, reliability, behaviour, location or movements (Article 4.4). A decision does not need to be made; simply collecting data and building a profile of the person and the way they behave will qualify.
When processing personal data for profiling purposes, businesses must ensure that appropriate safeguards are in place which include: Ensuring processing is fair and transparent by providing privacy or fair processing notices which give meaningful information about how profiling will take place. This includes recognising any risks of profiling an individual which may cause discriminatory effects on that individual; Using appropriate mathematical or statistical procedures for the profiling; Implementing appropriate measures to enable inaccuracies to be corrected and to minimise the risk of errors. Businesses must provide details of the profiling undertaken on request from a data subject. Data subjects have a right to object to profiling where it is based on legitimate interests or public interest grounds unless the business can demonstrate there are compelling legitimate grounds that override the interests of the data subject. However, if the profiling is undertaken for direct marketing purposes, the data subject has an unconditional right to object to it. Usually, online businesses profile individuals to create customer profiles so more tailored products and services can be marketed to them. This processing is usually undertaken under the “legitimate interest” lawful basis. However, the more extensive or intrusive the profiling for direct marketing, the more likely it will infringe on a data subject’s rights and thus not fulfil the legitimate interests processing condition. Under the GDPR, individuals also have a right not to be subject to decisions based solely on automated data processing (including profiling) if the decision produces legal effects on the individual or significantly affects them (Article 22(1)). 
There are exemptions to this rule if the automated decision-making is necessary for entering into or performing the contract or is based on the individual's explicit written consent, and a business has implemented measures to safeguard the individual's rights and freedoms and legitimate interests. These must include the right to human intervention, to express their point of view and appeal the decision. (Article 22(2).) Additionally, the DPB provides further lawful justifications for automated decision-making to take place (see Section 13, DPB). This privacy notice does not include any reference to processing data as a result of automated decision-making or profiling other than profiling carried out as part of marketing a company’s own products or services to a customer. For all other cases, further detailed information regarding the specific type of processing will need to be provided in this privacy notice and an appropriate fair processing notice in case such activities are undertaken. For further information, see Practice note, Overview of EU Data Protection Regulation: Measures based on profiling and Checklist, Preparing for the General Data Protection Regulation, Identify and Review All Profiling Activities and Automated Decisions.

Change of purpose

If a business wants to use personal data for new or different purposes that are not compatible with the original purposes of use, it will need to consider whether there is a lawful basis for processing for the new purpose (Articles 13(3) and 14(4), GDPR). As a general rule under the GDPR, the purpose limitation principle binds a business to the specified, explicit and legitimate purposes notified to the individual on collection of the personal data (Article 5(1)(b)). Organisations may process personal data for purposes other than those for which the data was initially collected where the further processing is undertaken on the basis of the following: The data subject's consent. An EU or member state law.
Public interest, scientific, historical research or statistical purposes. See Practice note, Overview of EU General Data Protection Regulation: Exceptions to the purpose limitation principle for further details. Alternatively, further processing can be undertaken when it is compatible with the original purpose of use. When ascertaining whether a purpose of further processing is compatible with the one for which the data was originally collected, organisations must take into account the following non-exhaustive list of criteria: Any link between the purposes for which the personal data has been collected and the purposes of the intended further processing. The context in which the personal data has been collected, in particular regarding the relationship between the data subject and the business. The nature of the personal data, in particular whether special categories of personal data are processed, or whether personal data related to criminal convictions and offences is processed. The possible consequences of the intended further processing for individuals. The existence of appropriate safeguards, which may include encryption or pseudonymisation. (Article 6(4).) The WP29 Draft Transparency Guidelines go a step further and suggest that, in adhering to the principle of transparency, accountability and fairness, businesses should provide customers with further information on the compatibility analysis carried out where a legal basis other than consent or national or EU law is relied on for the new processing purpose. This is to allow customers the opportunity to consider the compatibility of the further processing and the safeguards provided and to decide whether to exercise their rights, such as the right to restriction of processing or the right to object to processing (among others). 
Similar to the "balancing interest" test explained above under legitimate interest, businesses may find the requirement to provide the compatibility analysis too burdensome and it may lead to information fatigue as customers are unlikely to read such a legalistic document in a privacy notice. Instead businesses may wish to adopt the risk-based approach taken in this privacy notice, which is to make such an analysis available on request. If a business wants to use previously collected data for a new or different purpose that is unrelated to the original purpose, in most circumstances, it must provide a revised notice to individuals (Article 13(3)). To minimise future re-notifications, businesses should consider both current and future potential data use purposes when drafting their privacy notice. Businesses, however, should resist the temptation to fill the notice with hypothetical or abstract potential use purposes, as data limitation and retention principles may prevent them from collecting or retaining personal data not required for specific or immediate business needs. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: Where we need to perform the contract we are about to enter into or have entered into with you. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Where we need to comply with a legal or regulatory obligation. Click [here] to find out more about the types of lawful basis that we will rely on to process your personal data. Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us. 
Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest
To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you
To process and deliver your order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To enable you to partake in a prize draw, competition or complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | Necessary for our legitimate interests (to develop our products/services and grow our business)
Marketing We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. [We have established [a privacy centre where you can view and make certain decisions about your personal data use [PRIVACY CENTRE LINK] OR the following personal data control mechanisms]: Promotional offers from us We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you have requested information from us or purchased [goods or services] from us [or if you provided us with your details when you entered a competition or registered for a promotion] and, in each case, you have not opted out of receiving that marketing. Third-party marketing We will get your express opt-in consent before we share your personal data with any company outside the [COMPANY] group of companies for marketing purposes. Opting out You can ask us or third parties to stop sending you marketing messages at any time [by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or] by contacting us at any time]. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of [a product/service purchase, warranty registration, product/service experience or other transactions]. Cookies You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see [LINK TO YOUR COOKIE POLICY.] 
Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5. Disclosures of your personal data

Under Article 28 of the GDPR, businesses are required to enter into a contract (or other legally binding act) with any third-party processor that imposes obligations on the processor to: Process the personal data only on the documented instructions of the controller. Only use staff and other persons who have a duty of confidentiality with regard to the data. Comply with security obligations equivalent to those imposed on the controller under the GDPR. Notify the controller of any breach in relation to the personal data shared by the controller. Enlist a sub-processor only with the prior permission of the controller. For further information, see Practice note, Data processor obligations under the GDPR: overview. Article 13 of the GDPR also requires a privacy notice to disclose all recipients or categories of recipients of the personal data. A recipient does not have to be a third party and can therefore include controllers and other entities within the same group. The WP29 Draft Transparency Guidelines recommend that a privacy notice should provide information on the actual (named) recipients of the personal data.
If businesses can (and wish to) provide details of named recipients, they may want to insert that detail into the table in paragraph (instead of referring out to the Glossary as suggested in this template privacy notice) as that will provide a direct link to what data is disclosed to specific recipients for particular purposes. However, thought needs to be given as to how this list of specific recipients will be kept updated as vendors can change frequently and sending frequent notifications about a change of vendors could lead to information fatigue for customers. Where a business decides to only disclose categories of recipients, a business must be able to demonstrate why it is fair to adopt this approach. Where categories are used, the information provided should be as specific as possible about the categories of recipients (that is, include the activities of the recipient and the industry they are in (with sector and sub-sector) together with location of the recipient). Businesses which sell personal data, for example, customer lists to advertisers, should specifically disclose this practice. The notice should also specifically reserve the right to transfer or disclose personal data in connection with a sale of the business or its assets. This privacy notice, together with the lists in the Glossary, broadly identifies (by categories) and describes some of the common recipients of data by website operators. This section must be carefully reviewed and tailored to meet your business operations. In particular, businesses should try and be as specific as possible about the categories of recipients and include the details set out above as well as whether the third party is a controller or processor. We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above. Internal Third Parties as set out in the [Glossary]. External Third Parties as set out in the [Glossary]. 
[Specific third parties [listed in the table in [paragraph 4] above] OR such as [SPECIFIC THIRD PARTIES]].] Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

A business may wish to transfer the personal data collected on its website across international borders where they have offices or other legal entities in different jurisdictions, or where the business is part of an international group of companies. A business may also use external service providers (such as IT providers) in other jurisdictions and personal data may need to be transferred to those third parties for the performance of the services. The GDPR restricts transfers of personal data outside the EU unless the recipient country provides adequate protection for the personal data, or other safeguards are in place. This is to ensure that the level of protection of an individual's personal data afforded by the GDPR is not undermined. After Brexit, the UK will be a jurisdiction outside the EU. For coverage of the Brexit process in this field, see Practical Law's Brexit summary: a watching brief: Data protection.
This notice should be reviewed on an ongoing basis as the UK progresses towards Brexit to ensure it is still applicable in its current form after Brexit and to ensure that there are no national or EU laws in place in other member states that would affect the transfer of personal data between the UK and any relevant member state. Personal data can only be transferred outside the EU to third countries or international organisations in compliance with the conditions for transfer set out in Chapter V (Articles 44-50) of the GDPR. Where personal data is to be transferred to a country outside the EU, the individual has the right to be informed of the appropriate safeguards in place (Article 15(2)). This privacy notice includes an optional clause (to be used when data is to be transferred to third parties outside the EU) which provides for details of the safeguards to be requested from the business if appropriate. The WP29 Draft Transparency Guidelines recommend that names of individual countries outside the EEA where data is transferred are set out in the privacy notice. This is quite an onerous requirement to comply with as the countries where data is transferred may regularly change as a result of changes in vendors. The WP29 Draft Transparency Guidelines also suggest that the privacy notice should specify the specific articles permitting those transfers; this requirement also appears to be overly legalistic. Businesses may wish to take a risk-based approach (similar to the one in this privacy notice) and omit those specific details, but allow for provision for further information on request. For further information, see Practice note, Overview of EU General Data Protection Regulation: Cross-border data transfers. [IF NO TRANSFERS OUT OF EEA OCCUR:] [We do not transfer your personal data outside the European Economic Area (EEA).] OR [IF TRANSFERS OUT OF EEA OCCUR:] [We share your personal data within the [COMPANY] Group. 
This will involve transferring your data outside the European Economic Area (EEA).] [IF BINDING CORPORATE RULES ARE USED:] [We ensure your personal data is protected by requiring all our group companies to follow the same rules when processing your personal data. These rules are called "binding corporate rules". For further details, see European Commission: Binding corporate rules.] [Many of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.] Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented [DELETE AS APPLICABLE]: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries. Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries. Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

7. Data security

Organisations must: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (Article 32(1), GDPR). Ensure that anyone acting under their authority who has access to the personal data does not process it except on their instructions, unless required to do so by EU or member state law (Article 32(4)).

Security measures

Measures that may be taken include or display the following features and functionalities: The pseudonymisation and encryption of personal data. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Article 32(1).) For further information on security measures under the GDPR, see Practice notes, Overview of EU General Data Protection Regulation and Demonstrating compliance with the GDPR: Using technical and organizational measures to demonstrate compliance. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

The GDPR does not specify retention periods for personal data. Instead, organisations are required not to retain personal data in a form that enables customers to be identified for longer than is necessary to fulfil the purposes the data was collected for (Article 5(1)(e)). Article 30 of the GDPR introduces document requirements for controllers such that they must maintain a record of all processing operations under their responsibility. This includes, where possible, a general indication of the time limits for erasure of the different categories of data. Article 13(2) requires organisations to provide individuals with information about the specific period for which the data will be stored as part of the transparency principle. The WP29 Draft Transparency Guidelines go further and suggest it will not be sufficient to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing and in fact privacy notices should go as far as including, where appropriate, archiving periods for specific data or activities. This is quite an onerous requirement to comply with for most businesses. If organisations have managed to determine specific retention periods, they may wish to insert the appropriate retention period per activity/data set in the table set out in paragraph 4 above. Alternatively if your business has a data retention policy, you may wish to link to this policy from this privacy notice. If specific retention periods are not available, businesses may wish to include the criteria used to determine that period. Note that the WP29 Draft Transparency Guidelines indicate that such a period should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data or activity. As this may be difficult to provide, it may be best to provide a specific retention period if possible.
How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. [Details of retention periods for different aspects of your personal data are [available in our retention policy which you can request from us by contacting us OR set out in the table in paragraph 4 above]. OR By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for [six] years after they cease being customers for [tax] purposes.] In some circumstances you can ask us to delete your data: see [Request erasure] below for further information. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

9. Your legal rights

For information on data subjects' rights under the GDPR, including the right to be forgotten and the right to data portability, see Practice notes, Overview of EU General Data Protection Regulation: Rights of data subject and Data subject rights under the GDPR. Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights: [Request access to your personal data]. [Request correction of your personal data]. [Request erasure of your personal data].
[Object to processing of your personal data]. [Request restriction of processing your personal data]. [Request transfer of your personal data]. [Right to withdraw consent]. If you wish to exercise any of the rights set out above, please contact us OR [INSERT SPECIFIC DETAILS OF WHO TO CONTACT FOR SUBJECT ACCESS RIGHTS]]. No fee usually required You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. What we may need from you We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. Time limit to respond We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 10. Glossary LAWFUL BASIS Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 
You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

THIRD PARTIES

Internal Third Parties

Other companies in the [COMPANY] Group [acting as joint controllers or processors] and who are based [SPECIFIC COUNTRIES] and provide [IT and system administration services and undertake leadership reporting].

External Third Parties

Service providers [acting as processors] based [SPECIFIC COUNTRIES] who provide [IT and system administration services].

Professional advisers [acting as processors or joint controllers] including lawyers, bankers, auditors and insurers based [SPECIFIC COUNTRIES] who provide [consultancy, banking, legal, insurance and accounting services].

HM Revenue & Customs, regulators and other authorities [acting as processors or joint controllers] based [in the United Kingdom] [who require reporting of processing activities in certain circumstances].

[DETAILS OF ANY OTHER THIRD PARTIES, FOR EXAMPLE, MARKET RESEARCHERS, FRAUD PREVENTION AGENCIES, PRICE COMPARISON SITES ETC].

YOUR LEGAL RIGHTS

You have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
(a) if you want us to establish the data's accuracy;
(b) where our use of the data is unlawful but you do not want us to erase it;
(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
(d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.