Last Updated: May 25, 2018
Information we collect from you and how we collect it
Information We Collect. We collect information about your use of our Service, including but not limited to: your online behavior, your Internet connections, mobile, or other device computer equipment, as well as the site(s), application(s), destination(s), and/or service(s) visited before using or accessing the Services, and after leaving the Services, along with your time of visits, content viewed, ads viewed, and other similar information about traffic and usage, as you navigate to, through, and away from our website(s), including other clickstream data. This is “Non-Personal Data,” which does not directly, personally identify you.
Information You Provide, Directly and Indirectly. You may register to use our Services, set up an account, enter a sweepstakes or contest, complete a survey, make a payment, subscribe to our Services, or respond to communications (e.g., surveys, polls, requests for feedback). We will collect the information you provide to us. This may include your IP address, first and last name(s), demographic information, mailing address, e-mail address, phone number, credit card number, and any other information you provide to us. Such information may also include the geographic location of you and/or your computer, mobile or other device, as well as date/time stamp, IP address, your computer (e.g., the make, model, settings, and specifications, including but not limited to your CPU speed, connection speed, browser type, operating system, device identifier). While using our Services, you may also transmit your communication preferences, your physical location, your demographic information (e.g., your age, marital status, ethnicity/race, and gender), and other information. All of this is “Personal Data,” which can be used to personally identify you.
Additionally, if you choose to access, visit, and/or use any third party social networking service(s) that may be integrated with our Service, we may receive your Personal Data and other information about you and your computer, mobile, or other device that you have made available to those social networking services, including information about your contacts on those services. For example, some social networking services allow you to push content from our Service to your contacts or to pull information about your contacts so you can connect with them on or through our Service. Some social networking services also will facilitate your registration for our Service or enhance or personalize your experience on our Service. Your decision to use a social networking service in connection with our Service is voluntary. However, you should make sure you are comfortable with the information your third-party social networking services may make available to our Service by visiting those services’ privacy policies and/or modifying your privacy settings directly with those services.
How we use information about you
For Legitimate Interests. Athlon uses information collected by clickstream data collection, web pixels, and cookies to store your preferences, improve website navigation, make personalized features and other services available to you, compile and analyze aggregate statistics and trends, and otherwise help administer and improve the Services. We may identify you from your Personal Data and merge or co-mingle Personal Data and Non-Personal Data, for any lawful business purpose. Where you provide registration information, cookies can also be used to identify you when you log onto the Services or portions of the Services. Except as otherwise stated, we may use information we collect from you for the legitimate business purpose of providing our Services to you, including, but not limited to:
- to administer the Services
- to help diagnose problems with our servers
- to customize our Services to your preferences
- to communicate information to you (e.g., new features, products, or services)
- to check on your account status
- to improve our Services
- to show you content and sponsored messaging based on geographic location information from you and/or your computer, mobile, or other device
- to prevent or investigate fraud (or for risk management purposes), or to comply with a legal obligation, court order, or in order to exercise our legal claims or to defend against legal claims
- to conduct aggregate analysis and develop business intelligence that helps us to enhance, operate, protect, make informed decisions and report on the performances of our Services
- for other purposes identified to you and as requested by you (please note that you have the right to withdraw your consent to such use at any time by contacting us via the information below)
With the Consent of a Data Subject within the European Union. If we have obtained your consent, we may also use your information:
- to send e-mail and postal mail to provide you with updates and news
- to process any request you make
- to process any commercial transaction, including but not limited to fulfilling an order or subscription request
- to process your Personal Data as described throughout this Policy
- to process your Non-Personal Data as described throughout this Policy
- to establish your account to use the Services
- to validate your username, e-mail, password, and/or other login credentials
- to respond to your requests
- to provide you with merchandise you have requested
- to fulfill your subscription purchase(s)
- to notify you of your contest or sweepstakes results
- to send you e-mail and postal mail supplying you with the most recent service information or to send you information about your order (e.g., order confirmations, shipment notifications, etc.)
- to notify you of any changes to relevant agreements or policies
In each case, we may use third‐party e‐mail providers to deliver these communications to you.
Sharing Personal Data with third parties
We may sell or share information about you and your computer, mobile, or other device, including without limitation, your Personal Data, with our parent, subsidiaries, and affiliates and with carefully selected companies who we think may offer services and/or products that may be of interest to you. Additionally, we may use, transfer, assign, sell, share, and provide access to your Personal Data and other information about you and your computer, mobile, or other device that we receive through third-party social networking services. We may use, transfer, sell, and share your and Non-Personal Data, aggregated with other users’ Non-Personal Data, for any lawful business purpose, such as analyzing usage trends and seeking compatible advertisers, sponsors, clients, and customers.
In addition, as our business changes, we may buy or sell various assets. In the event all or a portion of the assets owned or controlled by us, our parent or any subsidiary or affiliated entity are sold, assigned, transferred or acquired by another company, the information from and/or about our Service users may be among the transferred assets.
Third-Party Service Providers
We use third-party service providers to help us operate our Services, who may collect, store, and/or process the information detailed herein. We allow access to our database by third parties that provide us with services, such as technical maintenance, market research, community and forums management, auction services, and shopping, personal/job search, and other classified ads functionality, but only for the purpose of and to the extent necessary to provide those services.
If you choose to purchase merchandise, products, and/or services on or through features on the Service, we may forward your information to third parties for services such as credit card or other payment processing, order fulfillment, credit pre-authorization, and address verification. There are also times when you provide information about yourself to us in areas of the Service that may be managed or participated in by third parties. In such cases, the information may be used by us and by such third party(ies), each pursuant to its own policies. We may also provide your information to our advertisers, so that they can serve ads to you that meet your needs or match your interests.
Google Analytics. We have enabled Google Analytics to collect data about our traffic through the use of Google advertisements and other anonymous identifiers. We use Google Analytics cookies and other cookies to compile data to better understand users and provide users with a more tailored experience. You can opt out of Google Analytics by visiting Google’s Opt-Out Browser Add-on website here, https://tools.google.com/dlpage/gaoptout/.
Critical Impact. We use Critical Impact e-mail marketing services to send mass communication e-mails to users. We track how users open these e-mails and what links they click so that we can better serve customers with Services and information that they find relevant. When you “subscribe” to our mailing list, you agree to receive e-mail advertisements and other information from us. Upon receiving an e-mail from us, you may choose to opt out of future e-mail messages, in accordance with the CAN-SPAM Act of 2003, by clicking the “unsubscribe” option at the bottom of our e-mails and following Critical Impact’s simple opt-out procedure. You can learn more about Critical Impact’s privacy policies at its website.
Brightcove. We use Brightcove to deliver video content through our Services. In addition to facilitating video, Brightcove allows us to track, analyze, and measure the effectiveness of our videos and related content. For more about Brightcove’s privacy policies, visit its website, https://www.brightcove.com/en/legal/privacy, and to learn about its GDPR compliance, you can go to https://www.brightcove.com/en/legal/gdpr-and-brightcove.
ViralSweep. Applicable to U.S. residents, only. We use ViralSweep to build and deploy tools for contests, sweepstakes, and giveaways on our Services. ViralSweep integrates with our Services and other platforms. You can learn more about ViralSweep’s privacy policies at its website, https://www.viralsweep.com/privacy.
How Personal Data is protected
Athlon takes reasonable steps online and offline to safeguard the Personal Data that you provide to us, including Secure Sockets Layer (SSL) encrypted connections (HTTPS) to the web site(s) on our Service(s), secure multi-tiered firewalls, and portions of your data may also be encrypted on our storage server for additional security.
Nonetheless, it is common knowledge that transmission of information via the internet is not wholly secure, and we cannot guarantee the security of your Personal Data, or any other information, transmitted to or through any of our Service(s). Any transmission of Personal Data, or other information, is at your own risk. By using our Service(s), you acknowledge and accept these risks. As a result, we cannot guarantee or warrant the security of any information you disclose or transmit to us or that are otherwise provided to us and we cannot be responsible for the theft, destruction, or inadvertent disclosure of information. It is your responsibility to safeguard any passwords, ID numbers, or other special access features associated with your use of the Service(s). Any transmission of information is at your own risk. By using our Service(s), you acknowledge and accept these risks.
Please notify us immediately at firstname.lastname@example.org if you become aware of any unauthorized use of your password or account or any other breach of Service security or of this Policy. If our security system is breached, we will notify you of the breach only if and to the extent required under applicable law.
Your choices, access, and rights to your Personal Data
You may change, edit, update, or delete the information you provided, when you set up your account through our Service(s), through your account settings. You may also request the deletion of this information by sending an e-mail to email@example.com.
In certain jurisdictions, you may also have the following rights and options with regard to accessing, reviewing, correcting, and updating your Personal Data, as well as how we use and disclose your Personal Data:
Right to Access. We respect your right to access and control your information, and we will respond to requests for information and, where applicable, will correct, amend, or delete your Personal Data.
- How to Access Your Personally Identifiable Information. You may choose to access or update Personal Data, by logging into the account you have created with our Service(s), if applicable.
- Access to Personal Data. You may choose to access your Personal Data by contacting us and requesting access, a process which shall include our identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data. We may also charge you a fee for providing you with a copy of your data (except where this is not permissible under local law).
Updating Communications Preferences (Opt-Out) and Unsubscribing. You may choose to receive promotional offers, newsletters, and similar communications from us regarding products and services of Athlon and our affiliated organizations. You may opt out of receiving such communications from us by communicating your preferences to us at firstname.lastname@example.org, or in the case of e-mails, by following the unsubscribe instructions contained in the applicable e-mail.
Right to Rectify — Correction and Deletion. In some jurisdictions, you have the right to correct or amend your Personal Data if it is inaccurate or requires updating. You may also have the right to request deletion of your Personal Data; however, this is not always possible due to legal requirements and other obligations and factors. Remember that you can update your account information by contacting us at email@example.com.
Right to Erasure / Be Forgotten. You may request that we delete your Personal Data in certain circumstances, such as if holding the Personal Data is no longer necessary or if part of your Right to Object (below). Please note that if you request erasure of your account, Athlon, in complying with your request, shall also delete any and all research data that has been submitted to us through our Services. It is your responsibility at all times to ensure that you are in compliance with all applicable rules, policies, and regulations at the institutional, administrative, and federal levels regarding retention of research data, including, but not limited to, United States regulations governing retention and disposal of research records.
Right to Object. You have the right to object to the use of Personal Data for direct marketing uses, scientific uses, or historical research. If you do not wish to have your Personal Data shared with third parties, contact our Data Protection Officer as described at the end of this document. If you do not wish to receive future commercial messages from us, simply follow the unsubscribe instructions contained within the message you receive. (But note that you may continue to receive certain communications from us, such as transactional or relationship messages, and/or messages about your account/profile).
Right to Restrict Processing. You have the right to request that we stop processing your Personal Data.
Right to Data Portability. You have the right to request that we provide your Personal Data for the purpose of sharing it with another service provider (through a secure process).
Filing a Complaint. If you are not satisfied with how we manage your Personal Data, you have the right to make a complaint to a data protection regulator. A list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
Access from Outside the United States
If you are visiting the Services from outside the United States, please be aware that Personal and Non-Personal Data is transferred to, stored in, and processed in the United States.
Data Protection Officer
Please see below for information regarding our appointed Data Protection Officer.
If you have an inquiry regarding your Personal Data, pursuant to the rights listed in the preceding section (above), please send your message to the following:
Attention: Data Protection Officer for AthlonOutdoors.com
2451 Atrium Way
Nashville, TN 37214
Links to third party sites
Applicability of the Children’s Online Privacy Protection Act
We do not sell products or services for purchase by anyone under the age of thirteen (13). In accordance with the Children’s Online Privacy Protection Act (“COPPA”), we will never knowingly request or solicit Personal Data from anyone under the age of thirteen (13) without verifiable parental consent. In the event that we receive actual knowledge that we have collected such Personal Data without the requisite and verifiable parental consent, we will delete that information from our database as quickly as is practical. We reserve the right to request proof of age at any stage so that we can verify that minors are not using the Service(s).
Your California privacy rights
California Civil Code Section 1798.83 permits users of the Service(s) who are California residents to request and obtain from us a list of what Personal Data (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. Requests may be made only once a year and are free of charge. Under Section 1798.83, California residents are entitled to request and obtain such information, by e-mailing a request to aohelp@AthlonOutdoors.com.
Waller Lansden Dortch & Davis, LLP
511 Union Street, Suite 2700
Nashville, TN 37219
Attention: Julian L. Bibb, Esq.
Data Retention Policy
Managing Document and Personal Data Retention
Updated as of: Aug. 1, 2018
AthlonOutdoors.com, Tactical-Life.com, PersonalDefenseWorld.com, BallisticMag.com, and RealWorldSurvivor.com (collectively, “Athlon,” “we,” “us,” or “our”), have published this Data Retention Policy to inform our users, customers, and website visitors from the European Economic Area (collectively, “Data Subjects”) about how Athlon processes and retains specific categories of Personal Data (as described below), our retention periods for their Personal Data, our reasoning behind those retention periods, and the minimum standards to be applied when destroying certain types of information within Athlon.
Purpose and Scope:
Under the terms of the General Data Protection Regulation (the “GDPR”), Athlon is required to process Personal Data from Data Subjects in a fair manner which notifies Data Subjects of the purposes of the data processing and also to retain the Personal Data for no longer than is necessary to achieve those purposes.
Under these rules, Data Subjects have a right to be informed about how their Personal Data is processed and this policy is meant to provide Data Subjects with information on our data retention periods or criteria used to determine the retention periods.
This policy applies to all business units, processes, and systems in all countries in which we conduct business and have dealings or other business relationships with third parties. This policy applies to all Athlon officers, directors, employees, agents, affiliates, contractors, consultants, advisors, or service providers who may collect, process, or have access to data (including Personal Data and/or Sensitive Personal Data, as those terms are defined below). It is the responsibility of all of the above persons to familiarize themselves with this policy and ensure adequate compliance with it.
This policy applies to all records used and maintained at Athlon, regardless of physical format, including:
- Appointment books and calendars
- Audio and video recordings
- Computer programs
- Contracts
- Electronic files
- E-mails
- Handwritten notes
- Invoices
- Letters and other correspondence
- Magnetic tape
- Memory in mobile phones and PDAs
- Online postings, including social media platforms
- Performance reviews
- Voicemails
Please see the Records Retention Schedule contained in Appendix A to this policy for the amount of time that any paper records and electronic files will be retained by Athlon. A record must not be retained beyond the Retention Period indicated in the Record Retention Schedule, unless a valid business reason (or a litigation hold or other special situation) calls for its continued retention.
For questions on document retention or if you are unsure whether to retain a certain record, contact our Data Protection Officer (“DPO”), Matt Hogan, at firstname.lastname@example.org.
“Personal Data” means any information relating, directly or indirectly, to an identified or identifiable Data Subject, including name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
“Sensitive Personal Data” means any Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Operational Personal Data” means any Personal Data that is used by Athlon for the purpose of operating its systems and services, including, but not limited to, internal identifiers that Athlon’s systems and/or services use as references for or to leads, events, clicks, or actions performed by users, customers, and/or website visitors.
“Metric Personal Data” means any Personal Data that is used by Athlon for the purpose of measuring the performance of its systems and services or the systems and services of Athlon’s users, customers, and/or website visitors.
“Marketing Personal Data” means any Personal Data that is used by Athlon or Athlon’s users, customers, and/or website visitors solely for marketing purposes.
“Contract Duration” is the length of time from the date a contract or agreement is executed between Athlon and any users, customers, website visitors, or relevant third party and the date that such contract or agreement is terminated.
“Retention Period” is the length of time between the expiration of the Contract Duration and the time when the Personal Data is purged. If the Retention Period is described as “Permanent,” the data type is held indefinitely.
Document Retention Procedure:
As a company, Athlon is required to retain certain records, usually for a specific amount of time. We must retain these records because they contain information that:
- Serves as Athlon’s corporate memory
- Has enduring business value (for example, they provide a record of a business transaction, evidence Athlon’s rights or obligations, protect our legal interests, or ensure operational continuity)
- Must be kept in order to satisfy legal, accounting, or other regulatory requirements
We must balance these requirements with our statutory obligation to only keep records for the period required and to comply with data minimization principles. Our DPO determines the time period for which the documents and electronic records should be retained. If there is no justification for retaining Personal Data, then those records should be routinely deleted. Information should never be kept “just in case” a use can be found for it in the future. If we want to retain information about Data Subjects to help us to provide better service in the future, we will obtain consent in advance.
Further retention of Personal Data is lawful only when compatible with the purpose(s) for which it was originally collected. In some cases, no separate legal basis will be required — for exercising the right of freedom of expression and information; for compliance with a legal obligation; for the performance of a task carried out in the public interest or in the exercise of official authority vested in Athlon as a data controller; on the grounds of public interest in the area of public health; for archiving purposes in the public interest, scientific, or historical research or statistical purposes; or for the establishment, exercise, or defense of legal claims.
Erasure of Personal Data:
On a regular basis, we review all data, whether held electronically or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. Overall responsibility for the destruction of data falls to our DPO.
Once a timing decision is made to dispose of Personal Data (see Records Retention Schedule contained in Appendix A), the information is deleted, shredded, or otherwise destroyed to a degree proportionate to the information’s value to others and level of confidentiality. Thus, the method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain Sensitive Personal Data shall be disposed of as confidential waste (cross-cut shredded and incinerated; secure electronic deletion); some expired or superseded contracts may only warrant in-house shredding. The Records Retention Schedule defines the mode of disposal. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the DPO subcontracts for this purpose, but the DPO shall fully document and approve the destruction process.
Records which may be routinely destroyed, unless subject to an on-going legal or regulatory inquiry, are:
(Generally, these types of records have no significant operational, informational, or evidential value; contain information that is duplicated, unimportant or only of a short-term value; and contain little or no Personal Data from Data Subjects. They can therefore be destroyed as soon as they have served their primary purpose)
- Announcements and notices of day-to-day meetings and other events
- Requests for ordinary information, such as travel directions
- Reservations for internal meetings
- Transmission documents, such as fax cover sheets and routing slips that accompany documents, but do not add substantive value
- Superseded address lists, distribution lists, etc.
- Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts, or extracts from databases and day files
- Stock in-house publications which are obsolete or superseded
- Trade magazines, vendor catalogues, flyers, and newsletters from vendors or other external organizations
In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.
Right of Erasure:
- Where the Personal Data is no longer necessary in relation to the purposes for which it is/was collected or otherwise processed
- Where a Data Subject has withdrawn his/her consent or objects to the processing of Personal Data
- Where the processing of Personal Data does not otherwise comply with the GDPR
Breach, Enforcement, and Compliance
The DPO has the responsibility of ensuring that Athlon’s employees comply with this policy. It is also the responsibility of the DPO to assist with official inquiries from any data protection and/or governmental authority. Any suspicion of a breach of this policy must be reported immediately to the DPO. All instances of suspected breaches of this policy shall be investigated and action taken, as appropriate.
Failure to comply with this policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss, damage to Athlon’s reputation, and personal injury, harm, or loss. Non-compliance with this policy by permanent, temporary or contract employees or any third parties, who have been granted access to Athlon’s premises or information may therefore result in disciplinary proceedings or termination of employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Appendix A: Records Retention Schedule
|Record Name/Type||Storage Location||Responsibility for Storage||Controls for Record Protection||Retention Period||Destruction Level**|
|[i.e. Subscription Orders]||[i.e. Accounting Dept.; DPO]||[i.e. Level II]|
Level I documents are those that contain information that is of the highest security and confidentiality and those that include any Personal Data, especially Sensitive Personal Data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.
Level II documents are proprietary documents that contain confidential information, such as parties’ names, signatures, and addresses, or which could be used by third parties to commit fraud, but which may not contain any Personal Data. The documents should be cross-cut shredded and then placed into locked garbage containers for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.
Level III documents are those that do not contain any confidential information or Personal Data and/or are published Athlon documents. These should be strip-shredded or disposed of i.e. through a recycling company and include, for example, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.
General Data Protection Policy
Protecting Personal Data and the Rights of Data Subjects
Updated as of: Aug. 1, 2018
We will only share your personal data with third parties in the circumstances set out below. We will always comply with the General Data Protection Regulation (“GDPR”) when dealing with Data Subjects’ personal data. Further details on GDPR can be found on the website of the Information Commissioner (www.ico.gov.uk).
We reserve the right to amend this policy from time to time without prior notice.
Overview of Data Protection:
GDPR requires that Athlon, acting either as a data controller (meaning an individual or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data) or as a data processor (meaning an individual or organization which processes personal data on behalf of the data controller), process data in accordance with certain principles of data protection:
- Personal data must be processed lawfully, fairly, and in a transparent manner;
- Personal data must be collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- The personal data collected must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- The personal data collected must be accurate and kept up-to-date; every reasonable step must be taken to ensure that personal data that is inaccurate, bearing in mind the purpose(s) for which it is processed, is erased or rectified without delay;
- The personal data collected must be kept for no longer than is necessary for the purpose(s) for which the personal data is processed;
- The personal data collected must be processed with appropriate security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures; and that
- The data controller shall be responsible for, and be able to demonstrate, compliance with these principles.
Data Protection Officer:
For the purposes of the GDPR, our Data Protection Officer (the “DPO”) will be Matt Hogan (email@example.com). The DPO is responsible for making sure that Athlon complies with the GDPR requirements for handling the personal data of Data Subjects. We will regularly review all our holdings of personal data to establish our compliance.
Data Subject Rights:
Data Subjects have rights under the GDPR, including:
- The right to request access to all personal data relating to you that is processed by us in a structured, commonly-used, and machine-readable format. However, we reserve the right to charge an administrative fee for multiple subsequent requests for access that are clearly submitted for the purpose of causing us nuisance or harm.
- The right to ask that any personal data relating to you that is inaccurate is corrected free of charge. If you submit a request for correction, such request must be accompanied by proof of the accuracy of the correction you are seeking.
- The right to withdraw previously-granted consent for the processing of your personal data. You have the right to oppose the processing of personal data if you are able to prove that there are serious and justified reasons connected with the particular circumstances that warrant such opposition. However, if the intended processing qualifies as direct marketing, you have the right to oppose such processing free of charge and without justification.
- The right to request that personal data relating to you be deleted if it is no longer required in light of the purposes outlined in this policy or, where we rely on your consent as the legal basis for processing, when you withdraw your consent for processing. Please keep in mind that a request for deletion will be evaluated against our overriding interests or those of any other third party and any legal or regulatory obligations or administrative or judicial orders which may contradict such deletion. Instead of deletion, you can also ask that we limit the processing of your personal data if and when: (a) you contest the accuracy of the data, (b) the processing is illegitimate, or (c) the data is no longer needed for the purposes listed in this policy.
If you wish to submit a request to exercise one or more of the rights listed above, or to address any questions, comments, or requests about our data processing practices, you can send an e-mail to our DPO at firstname.lastname@example.org. An e-mail requesting to exercise a right shall not be construed as consent to the processing of your personal data beyond what is required for handling your request. Any request should be dated and clearly state which right you wish to exercise and the reasons for it, if such is required. The circumstances may mean we need to undertake verification of your identity before we action your request in order to protect your personal data to the relevant standard. We will promptly inform you of having received this request. If the request proves valid, we will action it as soon as reasonably possible and at the latest thirty (30) days after having received the request.
Lawful Reasons for Processing Personal Data:
Athlon will only process personal data where it has a legal basis for doing so (see Annex A attached). Where Athlon does not have a legal reason for processing personal data, any processing will be a breach of the terms of GDPR.
Before transferring personal data to any third party, Athlon will establish that we have a legal reason for making the transfer. We will make a reasonable effort to ensure that your personal data is shared only with organizations that are GDPR compliant in those instances where we have your consent to sharing with third parties or are otherwise permitted by law to do so.
Protecting Personal Data and the Rights of Data Subjects:
- An overriding interest of Athlon, your financial institution, the payment service provider, or another third party, in keeping your personal data identifiable; or
- A legal or regulatory obligation or a judicial or administrative order that prevents us from de-identifying.
You understand that an essential aspect of our marketing efforts involves making our marketing materials more relevant to you. This means that we collect personal data in order to provide you with communications, promotions, offerings, newsletters, and other advertisements about products and services that may interest you. We will take appropriate technical and organizational measures to keep your personal data safe from unauthorized access or theft, as well as accidental loss, tampering, or destruction. Access by our personnel or our third party processors will be on a need-to-know basis and will be subject to strict confidentiality obligations. You understand, however, that safety and security are best-efforts obligations which can never be guaranteed.
If you are registered to receive communications, promotions, offerings, newsletters, and other advertisements via e-mail or other person-to-person electronic communication channels, you can change your preferences for receiving such communications, promotions, offerings, newsletters, and other advertisements by [following the opt-out link provided in such communications / emailing us at email@example.com].
Your personal data will normally be kept for up to [_____ years]. It may be kept for a longer period for reasons such as legal action or required management. For more information on our retention of personal data, please see our Data Retention Policy.
Reporting Personal Data Breaches:
All data breaches should be referred immediately to the DPO, Matt Hogan, at firstname.lastname@example.org.
Where Athlon has identified a personal data breach resulting in a high risk to the rights and freedoms of any Data Subject, we shall alert all affected Data Subjects without undue delay. Athlon may not be required to tell Data Subjects about a personal data breach where:
- We have implemented appropriate technical and organizational protection measures to the personal data affected by the breach, in particular to make the personal data unintelligible to any person who is not authorized to access it, such as encryption.
- We have taken subsequent measures which ensure that the high risk to the rights and freedoms of the Data Subject is no longer likely to materialize.
- It would involve disproportionate effort to tell all affected Data Subjects. In this case, Athlon will make a public communication or take a similar measure to tell all affected Data Subjects.
If you have a complaint or suggestion about the handling of personal data, please contact our DPO, whose details are listed above.
Annex A: Legal Bases for Personal Data Processing of Data Subjects
Bases for lawful processing of personal data are:
- Consent of the Data Subject for one or more specific purposes.
- Processing is necessary for the performance of a contract with the Data Subject or in order to take steps at the request of the Data Subject to enter into a contract.
- Processing is necessary for compliance with a legal obligation that the controller is subject to.
- Processing is necessary to protect the vital interests of the Data Subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.
Bases for lawful processing of sensitive personal data are:
- Explicit consent of the Data Subject for one or more specified purposes (unless reliance on consent is prohibited by EU or Member State law).
- Processing is necessary for carrying out our obligations under employment, social security, or social protection law, or a collective agreement, providing for appropriate safeguards for the fundamental rights and interests of the Data Subject.
- Processing is necessary to protect the vital interests of the Data Subject.
- In the course of its legitimate activities, processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body, with a political, philosophical, religious or trade union aim and on condition that the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without the consent of the Data Subject.
- Processing relates to personal data which are manifestly made public by the Data Subject.
- Processing is necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity.
- Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the Data Subject.
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional and subject to the necessary conditions and safeguards.
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the Data Subject, in particular professional secrecy.
- Processing is necessary for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard fundamental rights and interests of the Data Subject.
Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, a Data Subject’s sex life or sexual orientation, and a Data Subject’s criminal convictions.