Protecting Personal Data and the Rights of Data Subjects

Updated as of: September 19, 2019

Preemptive Love Coalition, a U.S. registered 501(c)3 charitable organization [*corporate name] (“Preemptive Love Coalition,” “we,” “us,” or “our”), has published this General Data Protection Policy to inform our users, customers, and website visitors from the European Economic Area (collectively, “Data Subjects,” “you,” or “your”) about why and on what legal bases Preemptive Love Coalition collects personal data from Data Subjects when visiting our website and/or completing a purchase or other interaction with us. Personal data will be collected and processed in accordance with our Privacy Policy.

If you would like information on how we process personal data via cookies, social plugins, and other types of tracking technology, please also refer to our Cookie Policy.

We will only share your personal data with third parties in the circumstances set out below. We will always comply with the General Data Protection Regulation (the “GDPR”) when dealing with Data Subjects’ personal data. Further details on the GDPR can be found on the website of the Information Commissioner (https://ico.org.uk/).

We reserve the right to amend this policy from time to time without prior notice.

Overview of Data Protection:

The GDPR requires that Preemptive Love Coalition, acting either as a data controller (meaning an individual or organization that, alone or jointly with others, determines the purposes and means of the processing of personal data) or as a data processor (meaning an individual or organization that processes personal data on behalf of the data controller),  process data in accordance with certain principles of data protection:

  • Personal data must be processed lawfully, fairly, and in a transparent manner;
  • Personal data must be collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • The personal data collected must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • The personal data collected must be accurate and kept up-to-date; every reasonable step must be taken to ensure that personal data that is inaccurate, bearing in mind the purpose(s) for which it is processed, is erased or rectified without delay;
  • The personal data collected must be kept for no longer than is necessary for the purpose(s) for which the personal data is processed;
  • The personal data collected must be processed with appropriate security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures; and that
  • The data controller shall be responsible for, and be able to demonstrate, compliance with these principles.

Data Protection Officer:

For the purposes of the GDPR, our Data Protection Officer (the “DPO”) will be Dane Barnett at dataprotection@preemptivelove.org. The DPO is responsible for making sure that Preemptive Love Coalition complies with the GDPR requirements for handling the personal data of Data Subjects. We will regularly review all our holdings of personal data to establish our compliance.

Data Subject Rights:

Data Subjects have rights under the GDPR, including:

  • The right to request access to all personal data relating to you that is processed by us in a structured, commonly-used, and machine-readable format. However, we reserve the right to charge an administrative fee for multiple subsequent requests for access that are clearly submitted for the purpose of causing us nuisance or harm.
  • The right to ask that any personal data relating to you that is inaccurate is corrected free of charge. If you submit a request for correction, such request must be accompanied by proof of the accuracy of the correction you are seeking.
  • The right to withdraw previously-granted consent for the processing of your personal data. You have the right to oppose the processing of personal data if you are able to prove that there are serious and justified reasons connected with the particular circumstances that warrant such opposition. However, if the intended processing qualifies as direct marketing, you have the right to oppose such processing free of charge and without justification.
  • The right to request that personal data relating to you be deleted if it is no longer required in light of the purposes outlined in this policy or, where we rely on your consent as the legal basis for processing, when you withdraw your consent for processing. Please keep in mind that a request for deletion will be evaluated against our overriding interests or those of any other third party and any legal or regulatory obligations or administrative or judicial orders that may contradict such deletion. Instead of deletion, you can also ask that we limit the processing of your personal data if and when: (a) you contest the accuracy of the data, (b) the processing is illegitimate, or (c) the data is no longer needed for the purposes listed in this policy.

If you wish to submit a request to exercise one or more of the rights listed above, or to address any questions, comments, or requests about our data processing practices, you can send an e-mail to our DPO, [name of DPO] at [email of DPO]. An e-mail requesting to exercise a right shall not be construed as consent to the processing of your personal data beyond what is required for handling your request. Any request should be dated and clearly state which right you wish to exercise and the reasons for it, if such is required. The circumstances may mean we need to undertake verification of your identity before we action your request in order to protect your personal data to the relevant standard. We will promptly inform you of having received this request. If the request proves valid, we will action it as soon as reasonably possible and at the latest thirty (30) days after having received the request.

For more details describing the rights of Data Subjects with regards to personal data, please see our Privacy Policy.

Lawful Reasons for Processing Personal Data

Preemptive Love Coalition will only process personal data where it has a legal basis for doing so (see Annex A attached). Where Preemptive Love Coalition does not have a legal reason for processing personal data, any processing will be a breach of the terms of the GDPR.

For processing your personal data for the purposes outlined this policy and our Privacy Policy, we, as the responsible party, ask for your consent. The processing of your personal data for these purposes is also necessary for the protection of our legitimate interest in marketing and promoting our products, services, and brands and the overall successful commercialization of our products and services. The processing of personal data for these purposes is also necessary for the protection of our legitimate interest to continuously improve our websites, social media channels, products, and services to ensure that you have the best experience possible. Finally, the processing of personal data is necessary to allow us to comply with our legal obligations and for the protection of our legitimate interest in keeping our websites, social media channels, products, and services safe from misuse and illegal activity.

Before transferring personal data to any third party, Preemptive Love Coalition will establish that we have a legal reason for making the transfer. We will make a reasonable effort to ensure that your personal data is shared only with organizations that are GDPR compliant in those instances where we have your consent to sharing with third parties or are otherwise permitted by law to do so.

Protecting Personal Data and the Rights of Data Subjects:

Your personal data is only processed for as long as needed to achieve the lawful purposes described in this policy and in our Privacy Policy. We may de-identify your personal data when it is no longer necessary for those purposes, unless there is:

  • An overriding interest of Preemptive Love Coalition, your financial institution, the payment service provider, or another third party, in keeping your personal data identifiable; or
  • A legal or regulatory obligation or a judicial or administrative order that prevents us from de-identifying.

You understand that an essential aspect of our marketing efforts involves making our marketing materials more relevant to you. This means that we collect personal data in order to provide you with communications, promotions, offerings, newsletters, and other advertisements about products and services that may interest you. We will take appropriate technical and organizational measures to keep your personal data safe from unauthorized access or theft, as well as accidental loss, tampering, or destruction. Access by our personnel or our third party processors will be on a need-to-know basis and will be subject to strict confidentiality obligations. You understand, however, that safety and security are best-efforts obligations, which can never be guaranteed.

If you are registered to receive communications, promotions, offerings, newsletters, and other advertisements via e-mail or other person-to-person electronic communication channels, you can change your preferences for receiving such communications, promotions, offerings, newsletters and other advertisements by [following the opt-out link provided in such communications / emailing us at [EMAIL ADDRESS]]. 

Your personal data will normally be kept for up to [_____ years]. It may be kept for a longer period for reasons such as legal action or required management. For more information on our retention of personal data, please see our Data Retention Policy.

Reporting Personal Data Breaches:

All data breaches should be referred immediately to the DPO, Dane Barnett at dataprotection@preemptivelove.org

Where Preemptive Love Coalition has identified a personal data breach resulting in a high risk to the rights and freedoms of any Data Subject, we shall alert all affected Data Subjects without undue delay. Preemptive Love Coalition may not be required to tell Data Subjects about a personal data breach where:

  • We have implemented appropriate technical and organizational protection measures to the personal data affected by the breach, in particular to make the personal data unintelligible to any person who is not authorized to access it, such as encryption.
  • We have taken subsequent measures which ensure that the high risk to the rights and freedoms of the Data Subject is no longer likely to materialize.
  • It would involve disproportionate effort to tell all affected Data Subjects. In this case, Preemptive Love Coalition will make a public communication or similar measure to tell all affected Data Subjects.

If you have a complaint or suggestion about the handling of personal data, please contact our DPO, whose details are listed above.

Annex ALegal Bases for Personal Data Processing of Data Subjects

Bases for lawful processing of personal data are:

  1. Consent of the Data Subject for one or more specific purposes.
  2. Processing is necessary for the performance of a contract with the Data Subject or in order to take steps at the request of the Data Subject to enter into a contract.
  3. Processing is necessary for compliance with a legal obligation that the controller is subject to.
  4. Processing is necessary to protect the vital interests of the Data Subject or another person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
  6. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

Bases for lawful processing of sensitive personal data are:

  1. Explicit consent of the Data Subject for one or more specified purposes (unless reliance on consent is prohibited by EU or Member State law).
  2. Processing is necessary for carrying out our obligations under employment, social security, or social protection law, or a collective agreement, providing for appropriate safeguards for the fundamental rights and interests of the Data Subject.
  3. Processing is necessary to protect the vital interests of the Data Subject.
  4. In the course of its legitimate activities, processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body, with a political, philosophical, religious or trade union aim and on condition that the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without the consent of the Data Subject.
  5. Processing relates to personal data which are manifestly made public by the Data Subject.
  6. Processing is necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity.
  7. Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which shall be proportionate to the aim pursued, respects the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the Data Subject.
  8. Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional and subject to the necessary conditions and safeguards.
  9. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the Data Subject, in particular professional secrecy.
  10. Processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard fundamental rights and interests of the Data Subject.