Data Protection Amendment

Last Updated August 8th, 2020

Contents

  1. Protecting Personal Data and the Rights of Data Subjects
  2. Overview of Data Protection
  3. Data Protection Officer
  4. Data Subject Rights
  5. Lawful Reasons for Processing Personal Data
  6. Protecting Personal Data and the Rights of Data Subjects
  7. Reporting Personal Data Breaches
  8. Annex A: Legal Bases for Personal Data Processing of Data Subjects

Protecting Personal Data and the Rights of Data Subjects

This site, AndyAndrews.com (“Site”), is owned and operated by The Andy Andrews Group (together “Companies,” “we,” “us,” or “our”). This General Data Protection Policy (“Policy”) is applicable to you (“User,” “you,” or “your”). The terms contained herein apply to all Users of our Site.

The Andy Andrews Group has published this General Data Protection Policy to inform our users, customers, and website visitors from the European Economic Area (collectively, “Data Subjects,” “you,” or “your”) about why and on what legal bases The Andy Andrews Group collects personal data from Data Subjects when visiting our website and/or completing a purchase or other interaction with us. Personal data will be collected and processed in accordance with our Terms of Use.

If you would like information on how we process personal data via cookies, social plugins, and other types of tracking technology, please also refer to our Cookie Policy.

We will only share your personal data with third parties in the circumstances set out below. We will always comply with the General Data Protection Regulation (“GDPR”) when dealing with Data Subjects’ personal data. Further details on GDPR can be found on the website of the Information Commissioner (ico.org.uk).

We reserve the right to amend this policy from time to time without prior notice.

Overview of Data Protection

GDPR requires that The Andy Andrews Group, acting either as a data controller (meaning an individual or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data) or as a data processor (meaning an individual or organization which processes personal data on behalf of the data controller), process data in accordance with certain principles of data protection:

  • Personal data must be processed lawfully, fairly, and in a transparent manner;
  • Personal data must be collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • The personal data collected must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • The personal data collected must be accurate and kept up-to-date; every reasonable step must be taken to ensure that personal data that is inaccurate, bearing in mind the purpose(s) for which it is processed, is erased or rectified without delay;
  • The personal data collected must be kept for no longer than is necessary for the purpose(s) for which the personal data is processed;
  • The personal data collected must be processed with appropriate security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures; and that
  • The data controller shall be responsible for, and be able to demonstrate, compliance with these principles.

Data Protection Officer

For the purposes of the GDPR, our Data Protection Officer (the “DPO”) will be Chase Neely ([email protected]). The DPO is responsible for making sure that The Andy Andrews Group complies with the GDPR requirements for handling the personal data of Data Subjects. We will regularly review all our holdings of personal data to establish our compliance.

Data Subject Rights

Data Subjects have rights under the GDPR, including:

  • The right to request access to all personal data relating to you that is processed by us in a structured, commonly-used, and machine-readable format. However, we reserve the right to charge an administrative fee for multiple subsequent requests for access that are clearly submitted for the purpose of causing us nuisance or harm.
  • The right to ask that any personal data relating to you that is inaccurate is corrected free of charge. If you submit a request for correction, such request must be accompanied by proof of the accuracy of the correction you are seeking.
  • The right to withdraw previously-granted consent for the processing of your personal data. You have the right to oppose the processing of personal data if you are able to prove that there are serious and justified reasons connected with the particular circumstances that warrant such opposition. However, if the intended processing qualifies as direct marketing, you have the right to oppose such processing free of charge and without justification.
  • The right to request that personal data relating to you be deleted if it is no longer required in light of the purposes outlined in this policy or, where we rely on your consent as the legal basis for processing, when you withdraw your consent for processing. Please keep in mind that a request for deletion will be evaluated against our overriding interests or those of any other third party and any legal or regulatory obligations or administrative or judicial orders which may contradict such deletion. Instead of deletion, you can also ask that we limit the processing of your personal data if and when: (a) you contest the accuracy of the data, (b) the processing is illegitimate, or (c) the data is no longer needed for the purposes listed in this policy.

If you wish to submit a request to exercise one or more of the rights listed above, or to address any questions, comments, or requests about our data processing practices, you can send an e-mail to our DPO at [email protected]. An e-mail requesting to exercise a right shall not be construed as consent to the processing of your personal data beyond what is required for handling your request. Any request should be dated and clearly state which right you wish to exercise and the reasons for it, if such is required. The circumstances may mean we need to undertake verification of your identity before we action your request in order to protect your personal data to the relevant standard. We will promptly inform you of having received this request. If the request proves valid, we will action it as soon as reasonably possible and at the latest thirty (30) days after having received the request.

For more details describing the rights of Data Subjects with regard to personal data, please see our Terms of Use.

Lawful Reasons for Processing Personal Data

The Andy Andrews Group will only process personal data where it has a legal basis for doing so (see attached Annex A). Where The Andy Andrews Group does not have a legal reason for processing personal data, any processing will be a breach of the terms of GDPR.

For processing your personal data for the purposes outlined in this policy and our Privacy Policy, we, as the responsible party, ask for your consent. The processing of your personal data for these purposes is also necessary for the protection of our legitimate interest in marketing and promoting our products, services, and brands and the overall successful commercialization of our products and services. The processing of personal data for these purposes is also necessary for the protection of our legitimate interest in continuously improving our websites, social media channels, products, and services to ensure that you have the best experience possible. Finally, the processing of personal data is necessary to allow us to comply with our legal obligations and for the protection of our legitimate interest in keeping our websites, social media channels, products, and services safe from misuse and illegal activity.

Before transferring personal data to any third party, The Andy Andrews Group will establish that we have a legal reason for making the transfer. We will make a reasonable effort to ensure that your personal data is shared only with organizations that are GDPR compliant in those instances where we have your consent to sharing with third parties or are otherwise permitted by law to do so.

Protecting Personal Data and the Rights of Data Subjects

Your personal data is only processed for as long as needed to achieve the lawful purposes described in this policy and in our Privacy Policy. We may de-identify your personal data when it is no longer necessary for those purposes, unless there is:

  • An overriding interest of The Andy Andrews Group, your financial institution, the payment service provider, or another third party, in keeping your personal data identifiable; or
  • A legal or regulatory obligation or a judicial or administrative order that prevents us from de-identifying.

You understand that an essential aspect of our marketing efforts involves making our marketing materials more relevant to you. This means that we collect personal data in order to provide you with communications, promotions, offerings, newsletters, and other advertisements about products and services that may interest you. We will take appropriate technical and organizational measures to keep your personal data safe from unauthorized access or theft, as well as accidental loss, tampering, or destruction. Access by our personnel or our third-party processors will be on a need-to-know basis and will be subject to strict confidentiality obligations. You understand, however, that safety and security are best-efforts obligations which can never be guaranteed.

If you are registered to receive communications, promotions, offerings, newsletters, and other advertisements via e-mail or other person-to-person electronic communication channels, you can change your preferences for receiving such communications, promotions, offerings, newsletters, and other advertisements by following the opt-out link provided in such communications or by emailing us at [email protected].

Your personal data will normally be kept for up to 3 years. It may be kept for a longer period for reasons such as legal action or required management. For more information on our retention of personal data, please see our data retention policy.

Reporting Personal Data Breaches

All data breaches should be referred immediately to the DPO, Chase Neely, at [email protected].

Where The Andy Andrews Group has identified a personal data breach resulting in a high risk to the rights and freedoms of any Data Subject, we shall alert all affected Data Subjects without undue delay. The Andy Andrews Group may not be required to tell Data Subjects about a personal data breach where:

  • We have implemented appropriate technical and organizational protection measures to the personal data affected by the breach, in particular to make the personal data unintelligible to any person who is not authorized to access it, such as encryption.
  • We have taken subsequent measures which ensure that the high risk to the rights and freedoms of the Data Subject is no longer likely to materialize.
  • It would involve disproportionate effort to tell all affected Data Subjects. In this case, The Andy Andrews Group will make a public communication or similar measure to tell all affected Data Subjects.

If you have a complaint or suggestion about the handling of personal data, please contact our DPO, whose details are listed above.

Annex A: Legal Bases for Personal Data Processing of Data Subjects

Bases for lawful processing of personal data are:

  1. Consent of the Data Subject for one or more specific purposes.
  2. Processing is necessary for the performance of a contract with the Data Subject or in order to take steps at the request of the Data Subject to enter into a contract.
  3. Processing is necessary for compliance with a legal obligation that the controller is subject to.
  4. Processing is necessary to protect the vital interests of the Data Subject or another person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
  6. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

Bases for lawful processing of sensitive personal data[1] are:

  1. Explicit consent of the Data Subject for one or more specified purposes (unless reliance on consent is prohibited by EU or Member State law).
  2. Processing is necessary for carrying out our obligations under employment, social security, or social protection law, or a collective agreement, providing for appropriate safeguards for the fundamental rights and interests of the Data Subject.
  3. Processing is necessary to protect the vital interests of the Data Subject.
  4. In the course of its legitimate activities, processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body, with a political, philosophical, religious or trade union aim and on condition that the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without the consent of the Data Subject.
  5. Processing relates to personal data which are manifestly made public by the Data Subject.
  6. Processing is necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity.
  7. Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and interests of the Data Subject.
  8. Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional and subject to the necessary conditions and safeguards.
  9. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the Data Subject, in particular professional secrecy.
  10. Processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard fundamental rights and interests of the Data Subject.

[1] Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, a Data Subject’s sex life or sexual orientation, and a Data Subject’s criminal convictions.