FREE SHIPPING ON SUBSCRIPTIONS & ORDERS OVER $50
100% MONEY BACK GUARANTEE
FULL SPECTRUM
LEGALLY SHIPS NATIONWIDE
TSA APPROVED

Privacy policy

Website Privacy Policy

Last modified: January 31, 2023

Introduction

Top Quality Supplements LLC dba Sunday Scaries ("Company" or "We") respects your privacy and is committed to protecting it through our compliance with this policy.

This policy describes the types of information we may collect from you or that you may provide when you visit the website https://sundayscaries.com (our "Website") and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies to information we collect:

  • On this Website.
  • In email, text, and other electronic messages between you and this Website.
  • When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy.

It does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by Company or any third party (including our affiliates and subsidiaries); or
  • Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or on the Website.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

Children Under the Age of 13

Our Website is not intended for individuals under 18 years of age. No one under age 18 may provide any information to or on the Website. We do not knowingly collect personal information from individuals under 18. If you are under 18, do not use or provide any information on this Website or on or through any of its features. If we learn we have collected or received personal information from an individual under 18, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at:


5965 Village Way STE 105-503 San Diego, CA 92130

Happiness@SundayScaries.com

877-606-2069

Information We Collect About You and How We Collect It

We collect several types of information from and about users of our Website, including information:

  • By which you may be personally identified, such as name, postal address, e-mail address, telephone number, or any other identifier by which you may be contacted online or offline ("personal information");
  • That is about you but individually does not identify you; and/or
  • About your internet connection, the equipment you use to access our Website, and usage details.

We collect this information:

  • Directly from you when you provide it to us.
  • Automatically as you navigate through the site. Information collected automatically may include usage details, IP addresses, and information collected through cookies and web beacons.
  • From third parties, for example, our business partners.

Information You Provide to Us.

The information we collect on or through our Website may include:

  • Information that you provide by filling in forms on our Website. This includes information provided at the time of registering to use our Website, subscribing to our service, or requesting further services. We may also ask you for information when you enter a contest or promotion sponsored by us, and when you report a problem with our Website.
  • Records and copies of your correspondence (including email addresses), if you contact us.
  • Your responses to surveys that we might ask you to complete for research purposes.
  • Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
  • Your search queries on the Website.
Information We Collect Through Automatic Data Collection Technologies.

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

  • Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
  • Information about your computer and internet connection, including your IP address, operating system, and browser type.

We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). Email Happiness@SundayScaries.com for information on how you can opt out of behavioral tracking on this website and how we respond to web browser signals and other mechanisms that enable consumers to exercise choice about behavioral tracking.

The information we collect automatically does include personal information. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize our Website according to your individual interests.
  • Speed up your searches.
  • Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:
  • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.
  • Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies. For information about managing your privacy and security settings for Flash cookies, see Choices About How We Use and Disclose Your Information.
  • Web Beacons. Pages of our Website may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
Third-Party Use of Cookies and Other Tracking Technologies

Some content or applications, including advertisements, on the Website are served by third-parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

  • To present our Website and its contents to you.
  • To provide you with information, products, or services that you request from us.
  • To fulfill any other purpose for which you provide it.
  • To provide you with notices about your account, including expiration and renewal notices.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
  • To notify you about changes to our Website or any products or services we offer or provide through it.
  • To allow you to participate in interactive features on our Website.
  • In any other way we may describe when you provide the information.
  • For any other purpose with your consent.

We may also use your information to contact you about our own and third-parties' goods and services that may be of interest to you. If you do not want us to use your information in this way, please adjust your user preferences in your account profile. For more information, see Choices About How We Use and Disclose Your Information.

We may use the information we have collected from you to enable us to display advertisements to our advertisers' target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

Disclosure of Your Information

We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose personal information that we collect or you provide as described in this privacy policy:

  • To our subsidiaries and affiliates.
  • To contractors, service providers, and other third parties we use to support our business.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users is among the assets transferred.
  • To fulfill the purpose for which you provide it.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.

We may also disclose your personal information:

  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • To enforce or apply our terms of use or terms of sale and other agreements, including for billing and collection purposes.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Top Quality Supplements LLC dba Sunday Scaries, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Choices About How We Use and Disclose Your Information

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:

  • Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe's website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
  • Promotional Offers from the Company. If you do not wish to have your contact information used by the Company to promote our own or third parties' products or services, you can opt out by checking the relevant box located on the form on which we collect your data (the order/registration form) or at any other time by logging into the Website and adjusting your user preferences in your account profile by checking or unchecking the relevant boxes or by sending us an email stating your request to Happiness@SundayScaries.com. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions. This opt out does not apply to information provided to the Company as a result of a product purchase, warranty registration, product service experience, or other transactions.
  • Targeted Advertising. If you do not want us to use information that we collect or that you provide to us to deliver advertisements according to our advertisers' target-audience preferences, you can opt out by checking the relevant box located on the form on which we collect your data (the order/registration form) or at any other time by logging into the Website and adjusting your user preferences in your account profile by checking or unchecking the relevant boxes or by sending us an email stating your request to Happiness@SundayScaries.com.

We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website.

California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.

Accessing and Correcting Your Information

You can review and change your personal information by logging into the Website and visiting your account profile page.

You may also send us an email at Happiness@SundayScaries.com to request access to, correct, or delete any personal information that you have provided to us. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.

Your California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit [CCPA Notice link].

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to Happiness@SundayScaries.com or write us at: 1495 Pacific Highway, Ste. 375, San Diego, California 92101.

Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions will be encrypted using SSL technology.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of the Website like message boards. The information you share in public areas may be viewed by any user of the Website.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.

Changes to Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page with a notice that the privacy policy has been updated on the Website home page or, in certain circumstances, to provide notice of such changes via email, if we have your email address on file. If we make material changes to how we treat our users' personal information, we will notify you through a notice on the Website home page, and, if applicable, via email. The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.

Contact Information

To ask questions or comment about this privacy policy and our privacy practices, contact us at:

5965 Village Way STE 105-503 San Diego, CA 92130

Happiness@SundayScaries.com

or via our toll-free number:

877-606-2069

Top Quality Supplements LLC dba Sunday Scaries Privacy Policy for California Residents

Effective Date: September 1, 2020

Last Updated on: September 1, 2020

This Privacy Policy for California Residents supplements the information contained in Top Quality Supplements LLC dba Sunday Scaries's https://sundayscaries.com/privacy-policy and applies solely to all visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA), and any terms defined in the CCPA have the same meaning when used in this Policy.

Information We Collect

Our Website collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("personal information"). Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.

In particular, our Website has collected the following categories of personal information from consumers within the last twelve (12) months (each entry lists the category, examples, and whether it is collected):

A. Identifiers.
  Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
  Collected: YES

B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
  Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
  Collected: YES

C. Protected classification characteristics under California or federal law.
  Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
  Collected: YES

D. Commercial information.
  Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  Collected: YES

E. Biometric information.
  Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
  Collected: NO

F. Internet or other similar network activity.
  Examples: Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
  Collected: YES

G. Geolocation data.
  Examples: Physical location or movements.
  Collected: YES

H. Sensory data.
  Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
  Collected: NO

I. Professional or employment-related information.
  Examples: Current or past job history or performance evaluations.
  Collected: NO

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
  Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
  Collected: NO

K. Inferences drawn from other personal information.
  Examples: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  Collected: YES

Our Website obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Website.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following purposes: 

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns. 
  • To provide, support, personalize, and develop our Website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Website users is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We do not sell your personal information to third parties.

Your Rights and Choices 

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the "right to know"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and 
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained. 
  • The specific pieces of personal information we collected about you (also called a data portability request).

Right to Delete 

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to: 

  1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

Exercising Your Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request by either: 

  • Calling us at (619) 892-7174.
  • Emailing us at Happiness@SundayScaries.com. 

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. To designate an authorized agent, email us at Happiness@SundayScaries.com. 

You may also make a request to know or delete on behalf of your child by emailing us at Happiness@SundayScaries.com.

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in the request to verify the requestor's identity or authority to make it. 

For instructions on exercising your sale opt-out or opt-in rights, see Personal Information Sales Opt-Out and Opt-In Rights.

Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please email us at Happiness@SundayScaries.com.

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. 

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to Happiness@SundayScaries.com or write us at: 1495 Pacific Highway, Ste. 375, San Diego, CA 92101.

Changes to Our Privacy Policy

We reserve the right to amend this privacy policy at our discretion and at any time. When we make changes to this privacy policy, we will post the updated notice on the Website and update the notice's effective date. We may also email you at your email address on file with us. Your continued use of our Website following the posting or emailing of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which Top Quality Supplements LLC dba Sunday Scaries collects and uses your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone: (877)606-2069

Email: Happiness@SundayScaries.com

Postal Address

Top Quality Supplements LLC dba Sunday Scaries

Attn: Data Privacy Dept. 

5965 Village Way STE 105-503 San Diego, CA 92130

If you need to access this Policy in an alternative format due to having a disability, please contact Happiness@SundayScaries.com and (877)606-2069.

 

Demonstrating Compliance with the GDPR

(prepared by SONA LEGAL APC for Sunday Scaries)


The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) took effect on May 25, 2018, replacing the EU Data Protection Directive (Directive 95/46/EC) (Data Protection Directive) and its local implementing laws. The GDPR requires organizations to demonstrate compliance with its requirements, replacing the requirement under the Data Protection Directive and the local implementing laws in several EU member states for organizations to notify the local data protection authorities of their processing activities under certain circumstances. In this memorandum, you will see references to “controller” or “processor” of data. For purposes of GDPR, Sunday Scaries is a “controller.”

 

Organizations are not required to notify the local supervisory authority of their processing activities but must take steps to both comply with the GDPR’s requirements and demonstrate compliance.

 

This Memorandum provides an overview of the obligations that either explicitly, or implicitly, require evidence to demonstrate compliance, and practical steps that organizations can take to both comply with and meet the requirement to demonstrate compliance. This Memorandum does not provide an exhaustive list of all steps and documentation needed to demonstrate compliance but provides an overview of compliance steps and examples of the types of records that help demonstrate compliance with the GDPR’s requirements. 

 

This Memorandum discusses:

  • The GDPR principles governing personal data processing.
  • The meaning of accountability and demonstrating compliance.
  • Controller and processor obligations that require a demonstration of compliance.
  • Steps to help demonstrate compliance under the GDPR, including:
    • establishing a privacy governance structure;
    • embedding GDPR requirements into policies and day-to-day activities;
    • implementing technical measures to ensure compliance;
    • documenting and recording compliance measures;
    • implementing training programs; and
    • testing and auditing data protection measures and using audit results and metrics to demonstrate compliance.
  • How demonstrating compliance may help reduce liability under the GDPR.

The GDPR introduced a single legal framework across the EU. However, the GDPR includes several provisions allowing EU member states to enact national legislation specifying, restricting, or expanding some requirements. As a result, organizations must understand how member states’ laws vary or supplement the GDPR.

 

 

  1. GDPR Principles Governing Personal Data Processing

 

The six principles governing the processing of personal data under Article 5(1) are:

 

  1. Lawfulness, fairness, and transparency.
  2. Purpose limitation, which means that:
    1. an organization should only collect personal data for specified, explicit, and legitimate purposes; and
    2. should not process the personal data in a manner that is incompatible with those purposes, except under limited circumstances.
  3. Data minimization, which means that personal data should be:
    1. adequate;
    2. relevant; and
    3. limited to what is necessary for the purpose of processing.
  4. Accuracy, which means that personal data must be:
    1. accurate and kept up-to-date; and
    2. corrected or deleted without delay when inaccurate.
  5. Storage limitation, which requires that the organization keep personal data in identifiable form only for as long as necessary to fulfill the purposes the organization collected it for, subject to limited exceptions.
  6. Integrity and confidentiality, which requires that the organization secure personal data by appropriate technical and organizational measures against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.

Article 5 requires a controller to both:

  1. Comply with the six principles when processing personal data (Article 5(1), GDPR).
  2. Demonstrate compliance with all six of the principles (Article 5(2), GDPR; see Accountability and Demonstrating Compliance).

 

  2. Accountability and Demonstrating Compliance

 

In addition to Article 5(2), Article 24(1) also requires a controller to demonstrate that data processing activities comply with the GDPR’s requirements. Together, Articles 5 and 24 form the concept of accountability under the GDPR, which is a key element of the regulation.

 

Meeting the accountability requirement means doing more than just establishing data protection policies and procedures. Accountability requires a controller to be able to demonstrate compliance with the GDPR by showing the supervisory authority and individuals how the controller complies, on an ongoing basis, through evidence of:

 

  1. Internal policies and processes that comply with the GDPR’s requirements.
  2. The implementation of the policies and processes into the organization’s activities.
  3. Effective internal compliance measures.
  4. External controls.

The obligation to demonstrate compliance replaces the obligation to notify local data protection authorities of processing activities, which was a requirement under the Data Protection Directive and its local implementing laws in several EU member states. The effect of the GDPR’s accountability principle is that organizations subject to the legislation must implement a formal data protection compliance program. 

 

Complying with the accountability principle requires the controller to:

 

  1. Establish a data protection compliance program and privacy governance structure.
  2. Implement and maintain privacy controls on an ongoing basis.
  3. Embed ongoing privacy measures into corporate policies and day-to-day activities, throughout the organization and within each business unit that processes personal data.
  4. Leverage technology to require or ensure compliance.
  5. Maintain documentation of the privacy measures implemented and records of compliance.
  6. Train employees on privacy and data protection matters.
  7. Regularly test the privacy measures implemented.
  8. Use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.

Failure to comply with the accountability principle may result in fines of up to EUR 20 million or 4% of the organization’s total worldwide annual revenue for the preceding financial year, whichever is higher (Article 83(5), GDPR). Demonstrating compliance may help reduce the controller’s or processor’s risk of liability, including administrative fines.

  

  3. Obligations Requiring a Demonstration of Compliance

 

The GDPR imposes many different obligations on controllers, and sometimes processors, that, either explicitly or implicitly, require the controller or processor to demonstrate compliance with the GDPR’s requirements, including:

 

  1. Establishing and maintaining a comprehensive data protection compliance program and appointing individuals responsible for overall data protection matters as part of the program, including, but not limited to:
    1. an EU representative; and
    2. a data protection officer.
  2. Embedding privacy measures into policies and operations, including implementing appropriate technical and organizational measures.
  3. Complying with processing obligations and documenting compliance, including:
    1. determining and documenting a lawful basis for each instance of processing personal data;
    2. maintaining a record of data processing activities;
    3. providing data subjects with a GDPR-compliant privacy notice;
    4. satisfying specific requirements when relying on data subject consent;
    5. satisfying specific requirements when processing special categories of personal data;
    6. honoring data subject rights, including rights relating to automated decision-making and profiling; and
    7. complying with cross-border data transfer restrictions and maintaining compliant data transfer mechanisms.
  4. Delivering ongoing data protection training through formalized training and communication efforts.
  5. Making explicit arrangements with joint controllers.
  6. Taking certain steps when engaging processors and managing third-party relationships.

 

  4. Privacy Governance Structure

 

Establishing and maintaining a comprehensive data protection compliance program is a helpful and demonstrable way to implement the GDPR’s requirements and support continuous compliance. Formalizing a privacy governance structure is a good foundation on which to build the larger data protection compliance program. A privacy governance structure may include, for example:

 

  1. Establishing a privacy office and assigning responsibility for implementing and maintaining a privacy compliance program to a privacy officer or other individuals in the organization.
  2. Educating senior management about the GDPR’s requirements and the impact of non-compliance.
  3. Identifying key stakeholders.
  4. Developing a privacy framework.
  5. Designating roles with specific responsibilities and tasks.
  6. Establishing reporting lines and regular communication between the privacy office and internal stakeholders.

 

As part of establishing a privacy governance structure, under certain circumstances, the GDPR requires controllers and processors to appoint:

 

  1. An EU representative.
  2. A data protection officer.


  4.1 EU Representative

 

Controllers and processors not established in the EU must, subject to limited exceptions:

 

  1. Designate, in writing, a representative in the EU.
  2. Ensure that the representative is:
    1. established in an EU member state where the organization’s data subjects are located; and
    2. addressed by supervisory authorities and data subjects on all issues relating to data processing, in addition to or instead of the controller or processor.

(Article 27(1), GDPR.)

 

  4.1.1 Document Appointment of EU Representative


Documenting the appointment of the EU representative may help demonstrate compliance with Article 27(1). Examples of documentation include:

 

  1. A written designation of a representative in the EU to act on behalf of the controller or processor.
  2. Identification of the EU representative, including contact details, in a privacy notice, on a website, or via another mechanism to ensure data subjects are informed.


  4.2 Data Protection Officers (not required for Sunday Scaries at this point in time)

 

A controller or processor must appoint a data protection officer when:

 

  1. A public authority or body, except for courts acting in their judicial capacity, carries out the data processing.
  2. The core activities of the controller or processor consist of:
    1. the regular and systematic monitoring of data subjects on a large scale; or
    2. large-scale processing of special categories of personal data or personal data relating to criminal convictions and offenses.

(Article 37(1), GDPR.)

 

The data protection officer must:

 

  1. Be professionally qualified and have expert knowledge of data protection law and practices (Article 37(5), GDPR).
  2. Be involved in all matters relating to data protection (Article 38(1), GDPR).
  3. Report to the highest level of management within the controller or processor (Article 38(3), GDPR).

The GDPR requires data protection officers to carry out certain tasks including, but not limited to:

 

  1. Advising the controller or processor and employees of their obligations under the GDPR and other applicable data protection laws, including providing training to employees involved in personal data processing (Article 39(1)(a) and (b), GDPR).
  2. Monitoring compliance with the GDPR, other applicable laws, and the controller’s or processor’s policies and procedures relating to data protection (Article 39(1)(b), GDPR).
  3. Advising on data protection impact assessments (Article 39(1)(c), GDPR).
  4. Cooperating with supervisory authorities and acting as the point of contact on issues relating to data processing (Article 39(1)(d), GDPR).

The controller or processor must publish the contact details of the data protection officer and provide these details to the relevant supervisory authority (Article 37(7), GDPR).

 

At this time, we do not believe that Sunday Scaries is required to appoint a data protection officer. Although the GDPR does not require every organization to appoint a data protection officer, organizations may voluntarily choose to appoint one to lead and manage their privacy governance structure.

 

  4.2.1 Document Appointment and Responsibilities of the Data Protection Officer


Documentation to help demonstrate compliance with requirements relating to data protection officers under Articles 37, 38, and 39 includes, for example, records demonstrating:

 

  1. That the controller or processor appointed a data protection officer and provided the data protection officer’s contact details to the relevant supervisory authority.
  2. The data protection officer’s qualifications, such as resumes and certifications.
  3. The data protection officer’s responsibilities, such as job descriptions or similar mandates, or any service contract with the data protection officer, if applicable.
  4. The reporting structure, such as an organizational chart, showing that the data protection officer reports to the highest level of management.
  5. Communication between the data protection officer and management on data protection matters.
  6. The data protection officer’s involvement in the data privacy impact assessment process, such as providing advice and monitoring the performance of these assessments.
  7. The content of data protection training programs and evidence that employees completed these trainings.
  8. That the data protection officer regularly monitors changes to applicable law and privacy and data protection practices to ensure continued compliance.

 

  5. Embed Data Protection into Operations

 

To comply with the GDPR and demonstrate compliance with its requirements, the controller must embed data protection measures into corporate policies and procedures and day-to-day activities throughout the organization. This means implementing internal policies and procedures on handling personal data, including an organizational-level data protection policy, covering, at a minimum, policies and procedures on:

 

  1. Collection and use of special categories of personal data or personal data relating to criminal convictions and offenses.
  2. Collection and use of personal data about children, including obtaining parental consent.
  3. Secondary uses of personal data.
  4. Obtaining valid consent.
  5. Maintaining data quality.
  6. Anonymizing or pseudonymizing data.
  7. Processing personal data by automated means.
  8. Personal data retention and secure destruction.
  9. Security breach management.
  10. Using personal data for direct marketing.
  11. Using personal data in research.
  12. Information security, including the specific security measures implemented.

Controllers must not only maintain internal policies and procedures but must also ensure that they integrate data protection measures into the organization’s practices and that employees follow the policies and procedures in their day-to-day activities. To help ensure that policies and procedures are fully integrated and followed, organizations should implement regular training and use testing, audits, and other documented mechanisms to measure and demonstrate compliance. The GDPR also requires data protection by design and by default as part of integrating data protection into the organization on an ongoing basis.

 

  5.1 Data Protection by Design and by Default

 

The GDPR requires controllers to integrate data protection into their systems and product designs so that appropriate technical and organizational measures for GDPR compliance are built into the means of processing personal data (Article 25(1), GDPR).

 

Controllers must also implement “privacy by default” measures to ensure that, by default, they only process the personal data necessary for each specific business purpose (Article 25(2), GDPR).

 

  5.2 Conducting Regular Training to Integrate Policies and Procedures

 

One of a data protection officer’s responsibilities is to advise employees of their obligations under the GDPR and other applicable data protection laws, including providing training to employees involved in personal data processing (Article 39(1)(a), (b), GDPR).

 

Training is not an explicit GDPR obligation for organizations that are not required to appoint a data protection officer. However, to embed data protection into the organization’s operations and daily activities effectively, the organization should still implement regular data protection training. Without effective and ongoing employee training on the organization’s policies and procedures, including how the organization integrates those policies into its actual practices, demonstrating compliance becomes difficult.

 

Organizations should:

 

  1. Implement a regular training program, including specialized training based on an employee’s job function.
  2. Implement a policy on when and how the organization conducts data protection training and refresher training courses, and consider adding data protection training to the controller’s or processor’s core annual training curriculum.
  3. Consider implementing regular bulletins and other mechanisms to deliver updates and reminders on data protection matters to the entire staff.
  4. Implement a process to record when employees complete the required training.
  5. Enforce the requirement to complete data protection training.


  5.3 Using Codes of Conduct and Certifications to Demonstrate Compliance

 

The GDPR approves the use of codes of conduct (Article 40, GDPR) and certifications (Article 42, GDPR) to help demonstrate compliance with certain GDPR obligations. Participating in certification programs or adhering to established codes may help demonstrate compliance with requirements under the following GDPR Articles:

 

  1. Responsibilities of the controller (Article 24, GDPR). A controller may use adherence to approved codes of conduct or certification programs to demonstrate compliance with its obligations to implement appropriate technical and organizational measures to ensure processing complies with the GDPR’s requirements.
  2. Data protection by design and by default (Article 25, GDPR). Adherence to an approved certification program helps demonstrate that an organization integrated data protection into its data processing by design and by default.
  3. Processor (Article 28, GDPR). Adherence by a processor to a code of conduct or certification program helps demonstrate that the processor provides sufficient guarantees that it implements appropriate technical and organizational measures to ensure processing complies with the GDPR’s requirements.
  4. Security of processing (Article 32, GDPR). Adherence to a code of conduct or certification program helps demonstrate the implementation of technical and organizational measures that ensure a level of security appropriate to the risk.
  5. Data protection impact assessment (Article 35, GDPR). Adherence to a code of conduct is considered in assessing the impact of the processing operations performed by the controller or processor.
  6. Transfers subject to appropriate safeguards (Article 46(2), GDPR). Adherence to a code of conduct or participation in an approved certification program can provide appropriate safeguards to support personal data transfers outside of the EU.

The European Data Protection Board has adopted:

 

  1. Guidelines on the accreditation of certification bodies under Article 43 of the GDPR (EDPB 4/2018) (June 4, 2019) and Annex 1 (Accreditation Guidelines).
  2. Guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR (EDPB 1/2018) (June 4, 2019) and Annex 2 (Certification Guidelines).
  3. Guidelines on Codes of Conduct and Monitoring Bodies under the GDPR (EDPB 1/2019) (June 4, 2019) (Code of Conduct Guidelines). The Code of Conduct Guidelines provide practical guidance in relation to the application of Articles 40 (codes of conduct) and 41 (certifications), and include:
    1. procedures for submission, approval, and publication of codes of conduct at both a national and European level;
    2. minimum requirements for a supervisory authority’s acceptance of a request to evaluate a code of conduct; and
    3. factors supervisory authorities should consider when evaluating whether a code of conduct contributes to the effective application of the GDPR.

The EDPB has issued opinions on draft decisions of certain supervisory authorities on certification and code of conduct monitoring bodies’ accreditation requirements. Once implemented, these schemes may provide organizations with a practical solution to demonstrate compliance.

 

The European Commission has encouraged the use of codes of conduct and certification programs to legalize cross-border data transfers. Codes of conduct have been submitted to the Article 29 Working Party (now the EDPB) for cloud infrastructure service providers and for mHealth applications.

  

  6. Using Technical and Organizational Measures to Demonstrate Compliance

 

Controllers must implement appropriate technical and organizational measures to ensure:

 

  1. That processing complies with the GDPR’s requirements (Article 24(1), GDPR).
  2. A level of security that is appropriate to the risk (Article 32(1), GDPR).

When assessing the appropriate level of security, the controller or processor should consider the risks presented by processing the personal data, including the risks associated with accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data (Article 32(2), GDPR).

 

To determine whether measures are appropriate, the controller or processor should conduct a risk assessment and consider the nature, scope, context, and purposes of processing, as well as the likelihood and severity of the risks to the data subjects’ rights. As part of implementing appropriate measures, the GDPR requires data protection by design and by default and data protection impact assessments under certain circumstances.

 


  6.1 Data Protection Impact Assessments

 

The GDPR requires a data protection impact assessment under certain circumstances, including where the processing is likely to result in a high risk to the rights and freedoms of data subjects (Article 35, GDPR). The requirement applies when the controller implements new programs, systems, or processes, or when the controller makes changes to existing programs, systems, or processes. We do not believe that Sunday Scaries is required to conduct a data protection impact assessment at this time. The GDPR specifically requires data protection impact assessments when the controller engages in:

 

  1. Automated processing, including profiling, that produces legal or other significant effects for a data subject.
  2. Large-scale processing of special categories of personal data (Article 9) and processing personal data relating to criminal convictions and offenses (Article 10).
  3. Large-scale, systematic monitoring of a publicly accessible area.

(Article 35(3), GDPR.)

 

Supervisory authorities may specify additional types of processing that require a data protection impact assessment or exclude processing types from the data protection impact assessment requirement, so controllers should always check with the relevant supervisory authority.

 

When a data protection impact assessment indicates that processing would result in a high risk to data subjects, the controller must consult with the relevant supervisory authority (Article 36, GDPR).  


  6.1.1 Document Risk Assessments and Technical and Organizational Measures

 

Documentation to help demonstrate compliance with the obligation to assess risk and implement technical and organizational measures appropriate to the risk includes:

 

  1. Policies or procedures requiring the incorporation of data protection mechanisms into the technical specifications of IT systems, networks, processing operations, and business practices.
  2. Data protection impact assessment templates specifying the assessment information required by Article 35(7).
  3. Completed data protection impact assessments, audits, or other risk assessments, which include:
    1. identification of risks, including high-risk data processing;
    2. risk mitigation plans;
    3. identification of the lawful basis for processing personal data;
    4. verification that data processing complies with the GDPR;
    5. evidence that the organization integrated necessary safeguards into systems, networks, and processing operations;
    6. evidence that the organization reviewed processing activities and risks considering changes to programs, systems, or processes; and
    7. confirmation that the organization made updates after program, system, or process changes affecting data protection risk.
  4. Documentation showing consultation with the relevant supervisory authority in the case of high-risk processing.
  5. Documentation that the controller sought the data protection officer’s advice during the data protection impact assessment process.
  6. Evidence of regular security measure testing and an evaluation of those measures’ effectiveness.
  7. Detailed data privacy requirements for third parties that receive or access personal data, such as processors, including contracts with third parties.


  6.2 Security Breach Management

 

The GDPR establishes personal data breach notification requirements that require controllers to:

 

  1. Notify the relevant supervisory authority without undue delay and no later than 72 hours after any breach of personal data that poses a risk of harm (Article 33, GDPR).
  2. Notify the data subject without undue delay if the personal data breach poses a risk of harm, subject to certain limited exceptions (Article 34 and Recital 86, GDPR).

The GDPR also specifies the notice’s required contents to supervisory authorities (Article 33(3), GDPR) and data subjects (Article 34(2), GDPR). Data subject notices must also comply with the data subject communication requirements in Article 12. The controller must also document any personal data breaches (Article 33(5), GDPR).

 

  6.2.1 Implement a Security Breach Management Plan and Document Incidents


Documentation to help demonstrate compliance with the GDPR’s personal data breach notification requirements includes, but is not limited to:

 

  1. A security breach response plan, including a protocol for notifying regulators, law enforcement, other agencies, and data subjects.
  2. Identification of a security breach response team.
  3. Template breach notification letters that comply with Articles 33 (Notification of a personal data breach to the supervisory authority), 34 (Communication of a personal data breach to the data subject), and 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject).
  4. A log for recording security incidents and security breaches, including a summary of the incident, its effects, and the responsive action taken.
  5. Details of the analysis used to determine whether a security breach poses a high enough risk to require notification.

 

  7. Document Compliance with Processing Requirements

 

  7.1 Lawfulness of Processing

 

A controller must have a lawful basis for processing personal data. Processing is lawful under Article 6 if one of the following applies:

 

  1. The data subject consents to the processing.
  2. The processing is necessary for:
    1. performing a contract with the data subject;
    2. complying with a legal obligation;
    3. protecting the vital interests of the data subject;
    4. performing a task carried out in the public interest; or
    5. pursuing the legitimate interests of the controller or a third party, except where the data subject’s interests or fundamental rights and freedoms override the controller’s interests.

(Article 6(1), GDPR.)

 

A controller generally cannot use personal data for a different purpose than the one it collected the personal data for, unless the secondary use purpose is compatible with the original purpose of use. Article 6(4) specifies how to determine when further processing for a different purpose than the controller originally collected the personal data for is consistent with the original processing purpose. 

  7.1.1 Document a Lawful Basis for Processing Personal Data


Documentation to help demonstrate a lawful basis for processing includes, but is not limited to:

 

  1. A record specifying the lawful basis for processing personal data under Article 6.
  2. Policies and procedures for obtaining valid data subject consent under the GDPR and a record of valid consents obtained.
  3. Completed data protection impact assessments or other risk assessments for new processing operations or when making changes to processing operations.
  4. Completed data protection impact assessments or other risk assessments detailing the analysis used to determine the lawful basis for processing.
  5. Policies and procedures on determining whether secondary uses of personal data are compatible with the original purpose of use.
  6. Policies and procedures on using personal data for secondary purposes different than the purposes originally notified to the data subject.


  7.2 Record of Processing Activities

 

The GDPR establishes specific data processing recordkeeping requirements in Article 30. Controllers and processors must, subject to limited exceptions:

  1. Maintain a written or electronic record of their data processing activities, including specific information for controller activities (Article 30(1), GDPR) and for processor activities (Article 30(2), GDPR).
  2. Make the record available to the supervisory authority on request (Article 30(4), GDPR).


  7.2.1 Maintain a Current Data Inventory of Processing Activities


To help demonstrate compliance with Article 30’s recordkeeping requirements, controllers, and if applicable a controller’s representative, should maintain a current and detailed data inventory of processing operations that includes the following information:

 

  1. The name and contact details of:
    1. the controller;
    2. any joint controllers, if applicable;
    3. the controller’s representative, if applicable; and
    4. the data protection officer, if applicable.
  2. The purposes of data processing.
  3. A description of the categories of data subjects and categories of personal data.
  4. The categories of third-party data recipients, including recipients in other countries.
  5. For transfers to countries outside of the European Economic Area (EEA), identification of the country and the safeguards used to secure the transfer.
  6. Storage periods for the different categories of personal data.
  7. A general description of the technical and organizational security measures used to secure the personal data.

(Article 30(1), GDPR.)

 

Processors have a similar obligation under Article 30(2). Processors, and if applicable a processor’s representative, should maintain a current and detailed data inventory of processing operations that includes the following information:

 

  1. The name and contact details of:
  1. the processor or processors;
  1. each controller that the processor acts on behalf of;
  1. the controller’s or processor’s representative, if applicable; and
  1. the data protection officer, if applicable.
  1. The categories of data processing that the processor carries out on behalf of each controller.
  1. For transfers to countries outside of the EEA, identification of the country and the safeguards used to secure the transfer.
  1. A general description of the technical and organizational security measures used to secure the personal data.

(Article 30(2), GDPR.)

 

  1. Privacy Notice Requirements

 

A controller uses a privacy notice to provide data subjects with certain information about its data processing activities. Information provided to data subjects must be:

 

  1. Concise.
  1. Transparent.
  1. Intelligible.
  1. Easily accessible.
  1. In clear and plain language.

A controller can provide the required information:

 

  1. In writing.
  1. Electronically if appropriate.
  1. Orally, when the data subject requests it and the controller has verified the data subject's identity by other means.

(Article 12(1), GDPR.)

 

To help ensure fair and transparent processing, controllers must:

 

  1. Provide specific information to data subjects at the time of data collection when collecting data directly from them (Articles 13(1), (2), GDPR).
  1. Provide specific information to data subjects when collecting data from third parties (Articles 14(1), (2), GDPR).
  1. Satisfy specific timing requirements for providing the privacy notice when collecting personal data from a party other than the data subject (Article 14(3), GDPR).
  1. Provide additional information to the data subject if the controller intends to use personal data for a different purpose than originally notified to the data subject (Articles 13(3), 14(4), GDPR).

Data subjects have the right to object to processing carried out on certain grounds under Article 21. Controllers should therefore also tell data subjects when they process personal data for one of these purposes, and of the right to object to that processing, including where the processing is done:

 

  1. For the performance of a task in the public interest under Article 6(1)(e) (Article 21(1), GDPR).
  1. For the purposes of the legitimate interests pursued by the controller or a third party, except where the data subject’s interests or fundamental rights or freedoms override these interests under Article 6(1)(f) (Article 21(1), GDPR).
  1. For direct marketing purposes (Article 21(3), GDPR).
  1. For scientific or historical research or statistical purposes under Article 89(1) (Article 21(6), GDPR).
  1. Maintain Compliant Privacy Notices


Documentation to help demonstrate compliance with the privacy notice requirements includes, but is not limited to:

 

  1. Policies and procedures describing when and how the controller provides privacy notices to data subjects when collecting personal data directly from data subjects or from third parties.
  1. Copies of dated privacy notices provided to data subjects when data is collected directly from data subjects or from third parties, which satisfy the various notification requirements established in Articles 12, 13, and 14.
  1. Policies and procedures on using personal data for secondary purposes different than the purposes originally notified to the data subject.
  1. Policies and procedures on data subject rights, such as the right to object to processing.


  1. Consent Requirements

 

Data subject consent is one of several legal bases for processing personal data under Article 6(1). The controller must satisfy certain requirements when relying on consent to process personal data, including a requirement that the controller demonstrate that it obtained the data subject’s consent. The GDPR requires that consent be:

 

  1. Freely given, specific, and informed.
  1. Unambiguous and take the form of an affirmative action or statement.
  1. Explicit for certain types of data processing, including, for example, sensitive personal data processing and cross-border data transfers.
  1. Presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form.
  1. Provided in clear and plain language.

When a controller relies on consent to offer information society services directly to a child under 16, Article 8 requires the controller to:

 

  1. Obtain consent given or authorized by the holder of parental responsibility over the child.
  1. Make reasonable efforts, taking available technology into account, to verify that the holder of parental responsibility gave or authorized the consent.

Member states may lower this age requirement, provided the revised age requirement does not fall below 13. 


  1. Maintain a Method of Obtaining Valid Data Subject Consent


Documentation to help demonstrate compliance with the GDPR’s requirements for valid consent includes, but is not limited to:

 

  1. Policies and procedures for obtaining consent that comply with the GDPR’s requirements for valid consent. 
  2. Policies and procedures on obtaining and verifying parental consent.
  1. Copies of dated privacy notices which satisfy the various notification requirements established in Articles 12, 13, and 14 and that notify of the right to withdraw consent when the controller bases processing on consent. 
  2. Archives of past, publicly posted privacy notices, along with their effective dates.
  1. Copies of compliant consent forms, including written and web-based forms that use check boxes, buttons, or other methods to obtain consent.
  1. Copies of signed and dated written and electronic consent forms.
  1. Policies and procedures to respond to a data subject’s withdrawal of consent. 
  2. Policies and procedures to ensure that personal data is only used in accordance with the consent obtained.
  1. Policies and procedures on using personal data for secondary purposes different than the purposes originally notified to the data subject.
  1. Policies and procedures on obtaining consent for secondary use purposes.
  1. A record of any consents obtained for secondary use purposes.


  1. Processing Special Categories of Personal Data

 

The GDPR prohibits processing special categories of personal data unless a lawful justification for processing applies. Special categories of personal data include:

 

  1. Racial or ethnic origin.
  1. Political opinions.
  1. Religious or philosophical beliefs.
  1. Trade union membership.
  1. Genetic data.
  1. Biometric data.
  1. Data concerning health or sex life.
  1. Sexual orientation.

(Article 9(1), GDPR.)

 

The prohibition on processing special categories of personal data does not apply when:

 

  1. The data subject gives explicit consent to the processing for one or more specified purposes.
  1. The processing is necessary for:
  1. carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment, social security, and social protection law;
  1. protecting the vital interests of the data subject when the controller cannot obtain consent;
  1. establishing, exercising, or defending legal claims;
  1. reasons of substantial public interest;
  1. purposes of preventive or occupational medicine to assess the working capacity of a data subject, medical diagnosis, or for the provision of health or social care or treatment;
  1. reasons of public interest in the area of public health;
  1. archiving in the public interest; or
  1. scientific or historical research purposes or statistical purposes.
  1. The processing relates to the legitimate activities of certain non-profit organizations.
  1. The processing relates to personal data manifestly made public by the data subject.

(Article 9(2), GDPR.)

 

  1. Document Procedures for Processing Special Categories of Personal Data


Documentation to help demonstrate compliance with the requirements relating to processing special categories of personal data includes, but is not limited to:

 

  1. Documentation specifying the grounds for processing special categories of personal data through data protection impact assessments or other mechanisms, including evidence of the analysis used to determine the processing’s lawful basis.
  1. Policies and procedures on the collection and use of special categories of personal data.
  1. Copies of privacy notices that comply with Articles 12, 13, and 14.
  1. Policies and procedures for obtaining valid consent under the GDPR.
  1. Copies of compliant consent forms.
  1. Copies of signed consent forms that demonstrate explicit consent to process special categories of personal data.
  1. Policies and procedures to ensure that personal data is only used in accordance with the consent obtained.
  1. Policies and procedures to respond to a data subject’s withdrawal of consent.


  1. Data Subject Rights

 

The GDPR provides data subjects with several rights, including, but not limited to the right to:

 

  1. Receive a privacy notice containing certain information about the processing activities (Articles 12 to 14, GDPR).
  1. Confirm whether the controller processes personal data about the data subject and the right to access the personal data processed and obtain certain information about the processing activities (Article 15, GDPR).
  1. Correct inaccurate personal data (Article 16, GDPR).
  1. Have personal data erased under certain circumstances (Article 17, GDPR).
  1. Restrict the processing of personal data under certain circumstances (Article 18, GDPR).
  1. Receive the personal data the data subject has provided to the controller in a structured, commonly used, and machine-readable format, and transmit that data to another controller, under certain circumstances (Article 20, GDPR).
  1. Object to processing under Article 21 that is:
  1. done for the performance of a task in the public interest under Article 6(1)(e) (Article 21(1), GDPR);
  1. done for the purposes of the controller or a third party pursuing its legitimate interests under Article 6(1)(f) (Article 21(1), GDPR);
  1. for direct marketing purposes (Article 21(3), GDPR); or
  1. done for scientific or historical research purposes or statistical purposes under certain circumstances (Article 21(6), GDPR).
  1. Not be subject to a decision based solely on automated data processing, including profiling, where the decision has a legal or similarly significant effect, subject to certain limited exceptions, including:
  1. where the data subject explicitly consents;
  1. where the automated data processing and decision-making is necessary for entering into, or the performance of, a contract with the data subject; or
  1. where an applicable law that also requires measures to protect data subjects' rights authorizes the automated data processing and decision-making.

(Article 22(2), GDPR.)

The controller must also notify each recipient of personal data, for example, third-party processors, of any correction or erasure requests or restrictions on processing so that the recipient can carry out the request, unless this proves impossible or involves disproportionate effort (Article 19, GDPR).

 

EU member states can vary the scope of data subject rights and controllers’ related obligations if they comply with the provisions of Article 23. 


  1. Documentation Demonstrating Compliance with Data Subject Rights


Documentation to help demonstrate compliance with data subject rights includes, but is not limited to:

 

  1. Copies of privacy notices that comply with Articles 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), 13 (Information to be provided where personal data are collected from the data subject), and 14 (Information to be provided where personal data have not been obtained from the data subject).
  1. Policies and procedures on responding to data subject access and other requests in a timely and appropriate manner in compliance with GDPR Chapter III (Rights of the Data Subject). Policies and procedures should ensure, among other things, that:
  1. communications with the data subject are concise, transparent, intelligible, easily accessible, and in clear and plain language;
  1. the controller provides information to the data subject on any action taken in response to a request within one month of receiving the request, unless the data controller extends the period to respond under Article 12(3); and
  1. when the data controller does not act in response to a data subject request, the data controller notifies the data subject within one month of receiving the request of the reasons why.
  1. Response letters or response forms to access and other types of requests.
  1. Forms to collect additional information where necessary for preparing data subject request responses.
  1. Evidence of a mechanism provided to data subjects for updating or correcting their personal data.
  1. An inventory or log for recording data subject requests and for tracking responses.
  1. Guidance on assessing requests to object to or restrict data processing under Articles 18 and 21 and requests for erasure under Article 17.
  1. Procedures to ensure that personal data are used only in accordance with any objections to or restrictions on processing.
  1. Policies and procedures on the use of automated decision making including when use is acceptable.
  1. Procedures for reviewing data processing conducted wholly or partially by automated means to ensure compliance with Article 22.
  1. A data inventory identifying automated data processing and the legal justification for the processing.
  1. For automated data processing, procedures allowing the data subject to:
  1. obtain human intervention by the controller in the decision-making process;
  1. express a point of view on any decision made through automated processing; and
  1. contest the decision.


  1. Data Transfers

 

Controllers and processors transferring personal data outside of the EU must comply with certain requirements for data transfers established in GDPR Chapter V (Transfer of Personal Data to Third Countries or International Organisations). Controllers and processors can base transfers outside of the EU on any of the following:

 

  1. A determination by the European Commission that the recipient country provides an adequate level of protection (Article 45, GDPR).
  1. Appropriate safeguards provided by the controller or processor, on condition that enforceable data subject rights and effective legal remedies are available (Article 46(1), GDPR). Controllers and processors can provide appropriate safeguards, without the approval of a supervisory authority, through:
  1. a legally binding and enforceable instrument between public authorities or bodies;
  1. binding corporate rules (Article 47, GDPR);
  1. standard data protection clauses adopted by the European Commission;
  1. standard data protection clauses adopted by a supervisory authority and approved by the European Commission;
  1. an approved code of conduct under Article 40, together with the recipient controller’s or processor’s commitment to apply appropriate safeguards; or
  1. an approved certification program under Article 42, together with the recipient controller’s or processor’s commitment to apply appropriate safeguards. (Article 46(2), GDPR.)
  1. Controllers and processors can also provide appropriate safeguards, with approval from the supervisory authority, through:
  1. contractual clauses between the controller or processor and the controller, processor, or recipient in the non-EU country; or
  1. provisions inserted into administrative arrangements between public authorities or bodies that include enforceable data subject rights. (Article 46(3), GDPR.)
  1. In the absence of an adequacy decision or appropriate safeguards, Article 49 permits the cross-border transfer of personal data when the data subject explicitly consents to the proposed transfer after being informed of its possible risks.
  1. Article 49 also permits the cross-border transfer of personal data in the absence of an adequacy decision or appropriate safeguards when the transfer is necessary for:
  1. the performance of a contract;
  1. important reasons of public interest;
  1. the establishment, exercise, or defense of legal claims;
  1. protecting the vital interests of the data subject or other persons where the data subject is incapable of giving consent; or
  1. under limited circumstances, pursuing the compelling legitimate interests of the controller, where the data subject's interests or rights and freedoms do not override those interests.

(Article 49(1), GDPR.)

  1. Implement and Document Compliant Data Transfer Mechanisms


Documentation to help demonstrate compliance with the GDPR’s cross-border transfer requirements includes, but is not limited to:

 

  1. A data inventory of processing activities identifying cross-border data transfers and the specific transfer mechanism relied on for each transfer.
  1. Identification of any specific adequacy decision relied on to support the transfer.
  1. Copies of valid consent forms relied on to support the transfer. The forms must include information on the possible transfer related privacy risks from the absence of an adequacy decision or appropriate safeguards. 
  2. When relying on other derogations under Article 49 besides consent:
  1. identification of the specific transfer basis, such as to perform a contract or for the establishment, exercise, or defense of legal claims; or
  1. a record of the assessment balancing the controller’s legitimate interests against the data subject’s rights and freedoms.
  1. When relying on other appropriate safeguards:
  1. documentation of compliance with a transfer framework that the relevant authorities currently recognise (the Swiss-US Privacy Shield Framework for transfers from Switzerland to the US was declared inadequate by the Swiss FDPIC in September 2020, following the CJEU's July 2020 invalidation of the EU-US Privacy Shield in Schrems II, and can no longer be relied on);
  1. approved binding corporate rules and related documentation;
  1. data transfer agreements incorporating standard data protection clauses;
  1. documentation of compliance with an approved code of conduct or certification program; or
  1. documented approval from the relevant supervisory authority.


  1. Joint Controllers

 

The GDPR specifies that two or more controllers that jointly determine the purposes and means of data processing are considered joint controllers (Article 26, GDPR). Joint controllers must:

 

  1. Determine which controller is responsible for certain obligations under the GDPR.
  1. Specify their duties by an arrangement which should:
  1. include a point of contact for data subjects;
  1. reflect the controllers’ roles vis-à-vis the data subjects;
  1. be made available to data subjects; and
  1. allow data subjects to exercise their rights against each of the controllers.


  1. Document Arrangements with Joint Controllers


Documentation to help demonstrate compliance with Article 26 (Joint controllers) includes, but is not limited to:

 

  1. Details of the arrangement between joint controllers specifying each controller’s obligations.
  1. A privacy notice that includes details on the joint controller relationship and a contact point for data subjects.
  1. Policies and procedures on responding to data subject access or other requests.


  1. Processors

 

Article 28 GDPR establishes specific obligations and requirements for engaging processors. It permits a controller to use a processor only when the processor provides sufficient guarantees that it has implemented appropriate technical and organizational measures to protect personal data in accordance with the GDPR.

 

Processor relationships must be governed by a contract or other legal act under applicable law that binds the processor. Article 28(2) states that the processor must have the controller's prior specific or general written authorization before engaging another processor. Article 28(3) also specifies certain terms that a controller must include in any contract with a processor.

 

  1. Implement Procedures for Engaging Processors


Documentation to help demonstrate compliance with Article 28 (Processors) includes, but is not limited to:

 

  1. Policies and procedures for conducting due diligence on potential processors, including screening questionnaires.
  1. Completed due diligence reports or processor risk assessments.
  1. Data protection requirements for processors.
  1. Policies and procedures for engaging processors and executing contracts.
  1. Privacy and security clauses for insertion into processor contracts.
  1. Executed contracts with third parties that comply with Article 28 or incorporate standard contractual clauses adopted by the European Commission or by a supervisory authority.
  1. Evidence of the processor’s adherence to an approved code of conduct referred to in Article 40. 
  1. Using Testing and Auditing to Demonstrate Compliance

 

Organizations must do more than implement internal policies and procedures that comply with the GDPR’s requirements. Organizations must also:

 

  1. Ensure that mechanisms put the policies and procedures into effect in the day-to-day activities of the organization.
  1. Implement recurring means, such as testing and audits, to measure the effectiveness of the mechanisms and privacy measures.
  1. Maintain evidence of regular testing of privacy measures and an evaluation of those measures.
  1. Be able to prove to the relevant supervisory authority, through audit results and other metrics, that they meet their obligations under the GDPR and that their data processing complies with the GDPR's requirements.

 

  1. Accountability for Processors

 

The accountability principle under Articles 5 and 24 expressly applies to controllers. However, in practice, the GDPR obligations imposed directly on processors or indirectly passed on by the controller also subject processors to certain accountability requirements. These obligations include, but are not limited to, an obligation to:

 

  1. Process personal data only according to the controller’s instructions under Article 29.
  1. Maintain a record of data processing activities that complies with Article 30(2).
  1. Appoint a data protection officer under certain circumstances as specified in Article 37.
  1. Implement appropriate technical and organizational measures in compliance with Article 32.
  1. Have written controller authorization before engaging subcontractors under Article 28(2) and pass obligations down to any processors it engages via contract as specified in Article 28(4) (see Processors).
  1. Notify the controller of any personal data breach without undue delay after becoming aware of it, in accordance with Article 33(2).
  1. Appoint an EU representative when the processor is not located in the EU, subject to certain limited exceptions under Article 27.
  1. Only transfer personal data internationally in accordance with Article 44, which requires the processor to have a compliant data transfer mechanism.
  1. Make available to the controller all information for the controller to demonstrate compliance with its obligations under Article 28 (Processors), as set out in Article 28(3)(h).

Processors can demonstrate compliance with these obligations by taking the same steps and maintaining the same types of documentation as controllers. Processors may also rely on codes of conduct and certification programs to demonstrate compliance with certain obligations.  

 

  1. Reducing Liability by Demonstrating Compliance

 

A controller or processor’s ability to present evidence to regulators of its efforts to comply with the requirements of the GDPR may help reduce liability under Article 83 (General conditions for imposing administrative fines). In considering whether to impose an administrative fine and the amount of the fine, the GDPR instructs supervisory authorities to consider, among other factors:

 

  1. The infringement’s intentional or negligent character.
  1. The controller’s or processor’s degree of responsibility when considering their implementation of technical and organizational measures under the Articles requiring data protection by design and by default (Article 25) and secure processing (Article 32).

(Article 83(2), GDPR.)

 

If a controller or processor demonstrates, for example, that it did not act intentionally in violating the GDPR and that it implemented technical and organizational measures appropriate to the risk, a supervisory authority may consider this in deciding whether to impose a fine, or it may reduce the fine imposed.

 

In addition, Article 82(3) (Right to compensation and liability) states that a controller or processor is exempt from liability if it proves that it was not responsible for the event resulting in damage.

Top Quality Supplements LLC dba Sunday Scaries Privacy Policy for European Union (EU) and United Kingdom (UK) Residents

Effective Date: September 1, 2020

Last Updated on: September 1, 2020

This Privacy Policy for European Union (EU) and United Kingdom (UK) Residents supplements the information contained in Top Quality Supplements LLC dba Sunday Scaries's https://sundayscaries.com/privacy-policy and applies solely to all visitors, users, and others who reside in the United Kingdom or European Union ("consumers" or "you"). We adopt this notice to comply with the EU General Data Protection Regulation (EU) 2016/679 and the UK Data Protection Act 2018, and any terms defined in said regulations have the same meaning when used in this Policy. 

Introduction

Welcome to Top Quality Supplements LLC dba Sunday Scaries's UK and EU privacy policy. 

Top Quality Supplements LLC dba Sunday Scaries respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you. 

This privacy policy is provided in a layered format so you can click through to the specific areas set out below. Alternatively, you can download a pdf version of the policy here: [LINK]. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.

  1. IMPORTANT INFORMATION AND WHO WE ARE
  2. THE DATA WE COLLECT ABOUT YOU
  3. HOW IS YOUR PERSONAL DATA COLLECTED?
  4. HOW WE USE YOUR PERSONAL DATA
  5. DISCLOSURES OF YOUR PERSONAL DATA
  6. INTERNATIONAL TRANSFERS
  7. DATA SECURITY
  8. DATA RETENTION
  9. YOUR LEGAL RIGHTS
  10. GLOSSARY
  1. Important information and who we are

    Purpose of this privacy policy

    This privacy policy aims to give you information on how Top Quality Supplements LLC dba Sunday Scaries collects and processes your personal data through your use of this website, including any data you may provide through this website, for example when you sign up to our emails, purchase a product, or take part in a survey. 

    This website is not intended for children and we do not knowingly collect data relating to children under 18 years of age.

    It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them. 

    Controller

    Top Quality Supplements LLC dba Sunday Scaries is the controller and responsible for your personal data (collectively referred to as Top Quality Supplements LLC dba Sunday Scaries, "we", "us" or "our" in this privacy policy).

    We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below. 

    Contact details

    If you have any questions about this privacy policy or our privacy practices, please contact our data privacy manager in the following ways:

    Full name of person or legal entity: [DETAILS]

    Email address: [DETAILS]

    Postal address: [DETAILS]

    Telephone number: [DETAILS] 

    If you are based in the United Kingdom, you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. 

    Changes to the privacy policy and your duty to inform us of changes

    We keep our privacy policy under regular review. This version was last updated on November 1, 2020. Historic versions can be obtained by contacting us. 

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

    Third-party links

    This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

  2. The data we collect about you

    Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

    We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

    • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
    • Contact Data includes billing address, delivery address, email address and telephone numbers.
    • Financial Data includes bank account and payment card details.
    • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
    • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. 
    • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.  
    • Usage Data includes information about how you use our website, products and services. 
    • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

    We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

    We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

    If you fail to provide personal data

    Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you our products). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time. 

  • How is your personal data collected?
  • We use different methods to collect data from and about you including through:

    • Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
        • purchase or apply for products or services;
        • create an account on our website;
        • subscribe to our service or publications;
        • request marketing to be sent to you;
        • enter a competition, promotion or survey; or
        • give us feedback or contact us.
    • Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy [LINK] for further details.
    • Third parties or publicly available sources. We will receive personal data about you from various third parties as set out below:

    Technical Data from the following parties:

    1. analytics providers based inside and outside the EU; 
    2. advertising networks based inside and outside the EU; and
    3. search information providers based inside and outside the EU.

    Contact, Financial and Transaction Data from providers of technical, payment and delivery services based inside or outside the EU.

  • How we use your personal data
  • We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

    • Where we need to perform the contract we are about to enter into or have entered into with you.
    • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
    • Where we need to comply with a legal obligation.

    Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

    Purposes for which we will use your personal data

    We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

    Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below. 

    Columns: Purpose/Activity; Type of data; Lawful basis for processing including basis of legitimate interest

    To register you as a new user
      Type of data: (a) Identity; (b) Contact
      Lawful basis: Performance of a contract with you

    To process and deliver your order including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us
      Type of data: (a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Marketing and Communications
      Lawful basis: (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to recover debts due to us)

    To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy; (b) Asking you to leave a review or take a survey
      Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications
      Lawful basis: (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

    To enable you to partake in a prize draw, competition or complete a survey
      Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications
      Lawful basis: (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

    To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
      Type of data: (a) Identity; (b) Contact; (c) Technical
      Lawful basis: (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation

    To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
      Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications; (f) Technical
      Lawful basis: Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

    To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
      Type of data: (a) Technical; (b) Usage
      Lawful basis: Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

    To make suggestions and recommendations to you about goods or services that may be of interest to you
      Type of data: (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile; (f) Marketing and Communications
      Lawful basis: Necessary for our legitimate interests (to develop our products/services and grow our business)

    Marketing 

    We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising:

    Promotional offers from us 

    We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). 

    You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.


    SMS/MMS Mobile Messaging Marketing Program

    If you opt-in to Sunday Scaries Mobile Messaging Program, as defined in our Terms of Service, we will only use information you provide through the Program to transmit your mobile messages and respond to you, if necessary. This includes, but is not limited to, sharing information with platform providers, phone companies, and other vendors who assist us in the delivery of mobile messages. WE DO NOT SELL, RENT, LOAN, TRADE, LEASE, OR OTHERWISE TRANSFER FOR PROFIT ANY PHONE NUMBERS OR CUSTOMER INFORMATION COLLECTED THROUGH THE PROGRAM TO ANY THIRD PARTY. However, as with all information collected by Sunday Scaries, we reserve the right at all times, to the extent permitted by law, to disclose any information as necessary to satisfy any law, regulation or governmental request, to avoid liability, or to protect our rights or property. When you complete forms online or otherwise provide information in connection with the Program, you agree to provide accurate, complete, and true information. You agree not to use a false or misleading name or a name that you are not authorized to use. If, in Sunday Scaries’s sole discretion, we believe that any such information is untrue, inaccurate, or incomplete, or you have opted into the Program for an ulterior purpose, we may refuse you access to the Program and pursue any appropriate legal remedies.

    Text marketing (if applicable): With your permission, as set forth elsewhere in our Terms of Use and Privacy Policy, we may send text messages about our store, new products, and other updates. Updates may include checkout reminders; webhooks will be used to trigger the checkout reminders messaging system.

    California Civil Code Section 1798.83 permits Users of the Program that are California residents to request certain information regarding our disclosure of the information you provide through the Program to third parties for their direct marketing purposes. To make such a request, please contact us at happiness@sundayscaries.com.

    Third-party marketing 

    We will get your express opt-in consent before we share your personal data with any third party for marketing purposes. 
    Opting out

    You can ask us or third parties to stop sending you marketing messages at any time by contacting us at any time. 

    Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.

    Cookies

    You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see [LINK TO YOUR COOKIE POLICY].

    Change of purpose 

    We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. 

    If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

    Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

  • Disclosures of your personal data
  • We do not share your personal data with third parties except with:

    • (if applicable) Internal Third Parties as set out in the Glossary. 
    • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy. 

    We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

  • International transfers
  • We share your personal data within Top Quality Supplements LLC dba Sunday Scaries Group, which is based in the United States. This will involve transferring your data outside the European Economic Area (EEA).

    Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

    Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model Contracts for the transfer of personal data to third countries.  
    Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. 

  • Data security
  • We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

  • Data retention
  • How long will you use my personal data for?

    We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

    To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

    Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.

    In some circumstances you can ask us to delete your data: see Your Legal Rights below for further information.

    In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. 

  • Your legal rights
  • Under certain circumstances, you have rights under data protection laws in relation to your personal data. 

    You have the right to:

    Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

    Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

    Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. 

    Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

    Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: 

    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims. 
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. 

    Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 

    Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

    If you wish to exercise any of the rights set out above, please contact us.


    No fee usually required

    You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

    What we may need from you

    We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    Time limit to respond

    We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

  • Glossary
  • “LAWFUL BASIS”

    Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

    Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

    Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

    “THIRD PARTIES”

    Internal Third Parties

    None at this time (subject to change). 

    External Third Parties

    • Service providers acting as processors based in the United States who provide IT and system administration services.
    • Professional advisers including lawyers who provide legal services.