Privacy Policy: Health Standards Organization

Health Standards Organization (“HSO”) values its relationships with its clients, business partners, board members, technical committee members, patient partners, surveyors, facility, and advisors and anyone else who helps HSO achieve its mandate. In furtherance of that mandate, HSO is committed to protecting your Personal Information that it may collect, use and disclose, in accordance with applicable privacy law. In cases where privacy laws do not directly apply, HSO aspires to meet the standards under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

HSO is also committed to providing you with understandable and easily available information about its privacy practices. This Privacy Policy (the “Policy”) contains information regarding how HSO collects, uses and discloses your Personal Information, so please read it carefully. If there are any changes to HSO’s privacy practices or applicable privacy law, HSO will update this Privacy Policy without notice and post a revised Policy to its website. Any significant changes to the Policy will be highlighted or indicated in a summary of recent changes. You may therefore wish to refer to this Policy periodically to review any such changes. Hyperlinks are embedded in this document to assist your navigation of the Policy, but if you require assistance navigating this Policy, please refer to the “How to Contact Us” in section 3.

What is in this Privacy Policy?

  1. Application
  2. Important Privacy topics that you need to know
  3. How to contact us
  4. Consent
  5. What is Personal Information?
  6. What Personal Information do we collect?
  7. How Do We Collect Your Personal Information?
  8. How do we use Your Personal Information?
  9. Disclosure of Personal Information
  10. Storage and cross border transfer of Personal Information
  11. How do we protect your Personal Information?
  12. How long do we retain your Personal Information?
  13. Links to other websites
  14. What do we do in case of a security breach?
  15. Cookies and Embedded Scripts
  16. Resolving Your Privacy Concerns
  17. How we conduct Privacy Impact Assessments
  18. How we check our Privacy practices
  19. Conflicts and Interpretation of Policy
  20. Contact Us
  21. The European Union General Data Protection Regulation


The Policy: Full Version

  1. Application
    • HSO
      This Privacy Policy applies to Personal Information collected by HSO about its clients, board members, business partners, and website visitors. This Policy does not apply to the Personal Information of employees and volunteers.
    • Business Partners

HSO’s business partners include: (1) surveyors; (2) other contractors, faculty and advisors; (4) patient partners; (5) partners to save lives; (6) sales representatives; and (7) technical committee members. Business partners, in the course of conducting their duties, on behalf of HSO, may also have access to and collect Personal Information and Personal Health Information.

  2. Important Privacy topics that you need to know

The key elements of this Policy are set out below; the details are set out in the following sections.

HSO may collect your Personal Information when you contact HSO, act for or represent HSO, register with HSO, use HSO products and services, or otherwise provide HSO with your Personal Information. Examples include:

  • Client Information: representative’s name, title/position, identifying address (i.e. office number), direct phone number, email address, credit card information, billing information.
  • Business Partner Information: name, address, direct phone number, email address, allergy information, as applicable.
  • User Generated Information: IP address, information provided in the course of communications with HSO.
  • Patient Experience/Personal Health Information: Patient narratives and other information collected by HSO on behalf of its clients.

Examples of the purposes for which HSO may use your Personal Information are:

  • To develop products and standards.
  • To provide survey services.
  • To issue accreditation services and awards.
  • To manage personnel and ensure safety of business partners.

Examples of to whom HSO may disclose your Personal Information are:

  • Affiliated or related entities to enable product and service delivery.
  • Third party providers that provide survey services.
  • Third party providers that provide safety and security services.
  • Third party cloud-based storage and computing services.

You have the following choices:

Depending on the products, services or your use of the HSO website or portal services, your choices may include the following:

  • Cookies Settings and Preferences. You may disable cookies and other tracking technologies through the settings in your browser. While doing so may negatively affect your experience with the use of the HSO website, it will not prevent HSO from transacting with you, unless HSO advises you otherwise.
  • Marketing e-mails. You may sign up to HSO mailing lists in order to receive promotional and other materials that may be of interest to you. If you no longer wish to receive marketing e-mails from HSO, you may choose to unsubscribe at any time by clicking the “unsubscribe” link in the applicable HSO email or by contacting the HSO Privacy Officer as set out in the “How to Contact Us”.
  • Opt-Outs. You may contact us to opt-out of the use or sharing of your Personal Information, including for marketing or advertising purposes, and/or the provision of your personal information to our business partners for such purposes.

  3. How to contact us:

For more information about this Policy, our privacy practices or to obtain access to or correction of your personal information, please email HSO’s Privacy Officer at or write to Health Standards Organization, 1150 Cyrville Road, Ottawa, ON. K1J 7S9, Canada.

  4. Consent

By using our website or services, or otherwise interacting with us, you consent to the collection, use and disclosure of your Personal Information by HSO in accordance with the terms of and for the purposes set out in the Policy. If HSO wishes to collect, use or disclose your Personal Information for any additional purposes, it will obtain your express consent (by verbal, written or electronic agreement).

You are free to refuse or withdraw your consent, subject to legal and contractual restrictions. The refusal or withdrawal cannot be applied retroactively. In cases where your Personal Information is required, we may not be able to provide those products and services to you without your Personal Information. We will inform you of the consequences of refusal or withdrawal as appropriate.

Where consent is obtained by a client or business partner of HSO for the processing of that Personal Information by HSO, we will undertake reasonable measures to ensure that the consent on which we rely – as the basis for the collection, use or disclosure – is in compliance with applicable privacy laws, as appropriate.

If you do not agree to the terms of this Policy, you should exit the website, Client Portal, Partner Portal or Surveyor Portal, and cease use of all of HSO’s services immediately, or contact HSO to withdraw your consent where applicable. Your continued use following the posting of any changes to this Policy means you agree to be bound by the terms of this Policy to the greatest extent permitted by law.

  5. What is Personal Information?

“Personal Information” means any information, in any form, about an identifiable individual or an individual whose identity may be inferred or determined from such information. HSO considers business contact information that identifies an individual (e.g. individual’s name, position/title, identifying work address, direct telephone number, or email address) to be Personal Information as intended by this Policy.

This Policy does not apply to aggregate or anonymous information, which, subject to agreement, remains in the custody and control of HSO.

  6. What Personal Information do we collect?
    • Types of Personal Information
Information about our Clients

  • Representative’s name
  • Identifying address (i.e. office number)
  • Direct phone number
  • Email address
  • Credit card information
  • Identifying billing information

Information held by our Clients

  • Personal health information, when HSO operates as an agent and provides survey services to its clients.

Business Partners and Board Members

  • Name and contact information (i.e. address, email address)
  • Emergency contact information and allergy information
  • Information required for onboarding (i.e. interview notes)
  • Information required to govern the contractual relationship (i.e. SIN), where applicable

Webinar Attendees

  • Name and contact information (i.e. address, email address)
  • Billing information


We collect only such Personal Information as we deem to be reasonably required in the circumstances for the purpose(s) for which it is collected.

  • Personal Health Information that we collect

HSO may collect personal health information directly from individuals, when it acts as a service provider/agent to its clients. For example, HSO may be engaged by health care providers to provide survey services. This personal health information, at all times, remains in the custody and control of its clients and HSO only operates under the direction of its clients in these circumstances. HSO ensures that any of its obligations as an agent, as required by applicable privacy laws, are addressed in each specific circumstance, via contractual measures and by employing reasonable measures to ensure its clients have obtained valid consent to the collection of personal health information, for example.

  • Personal Health Information accessed/collected by our business partners

Surveyors may access personal health information in the custody and control of HSO’s clients when providing clients with licenced accreditation products and services. Surveyors do not collect any Personal Information, do not remove it offsite and do not disclose it to HSO or any third party.

HSO and its Business Partners may also collect personal health information inadvertently during the survey development process (i.e. during a patient experience interview, where personal health information is disclosed by the patient). This information is de-identified at HSO’s earliest opportunity and no identifying information is retained by HSO. Appropriate consents are acquired at the time the personal information is collected, in line with applicable privacy laws for each particular situation.

  7. How Do We Collect Your Personal Information?

Personal Information is collected in the course of the following interactions with HSO:

  1. When individuals create accounts on our website or create (or are provided) accounts with any Client Portal, Partner Portal or Surveyor Portal operated by HSO.
  2. When individuals place orders through our website for goods and services.
  3. When individuals respond to online or email surveys, or provide information to us in person, in writing, by fax or over the telephone when asked for such information.
  4. In the course of a licensed accreditation process, where information is uploaded by clients and business partners.

  8. How do we use Your Personal Information?
    • Purposes

We use Personal Information for the following purposes:

  1. For the performance and delivery of accreditation products and services and related services.
  2. For the performance and delivery of education and training sessions and webinars.
  3. To process transactions for the purchase of goods and services.
  4. To perform activation services and generate reports.
  5. To improve our products, services and website.
  6. To enter and maintain contractual relationships with business partners.
  7. To inform clients of, or offer, goods or services or to seek donations.
  8. To comply with our statutory obligations or any lawful order.
  9. To provide information reasonably required by debt or equity investors planning to invest or who have invested, directly or indirectly, in any of our entities, businesses or assets, or by our potential or existing donors.
  10. To generate anonymized or statistical data.
    • Transfer of Personal Information to Affiliates, Related Entities and Business Partners

Your Personal Information will be accessible to our affiliates, related entities and business partners, as required for the delivery of our products and services.

  • Transfer of Personal Information to Third Party Service Providers

Your Personal Information may be collected by or transferred to third party service providers for processing. Such uses include:

  1. The delivery of patient experience surveys.
  2. The de-identification of personal information.
  3. To ensure the safety of our business partners that travel to foreign jurisdictions.
  4. The maintenance, review and development of our systems, procedures and infrastructure, including testing or upgrading our computer systems.

Unless permitted or required by the applicable laws, HSO does not use Personal Information for other purposes.

  • How do we use your Personal Information for marketing?

We may, occasionally, send you information or marketing messages by electronic means (this includes email, telephone, text message (SMS) or automated calls) about our products and services, competitions, special offers and for soliciting donations.

Our Affiliates, related entities, and other entities which we have carefully selected (collectively, “Our Group”), may also send you information or marketing messages, depending on whether you have consented.

We may also send you information via email/SMS/other automated means to ask about your marketing preferences. You can confirm whether you would like us and any of the entities of Our Group to send you information or marketing messages by checking the appropriate option.

If you have consented to receive information or marketing messages from us, or any of the entities of Our Group, you can opt out at any time.

  9. Disclosure of Personal Information

We do not disclose Personal Information to any organization or person for any reason except as set out in this Policy, where we have obtained your express consent, or where otherwise permitted by law. Please note that there are circumstances where the use and/or disclosure of Personal Information may be justified or permitted without your consent or where HSO is obliged to disclose your Personal Information without consent.

Where obliged or permitted to disclose Personal Information without consent, HSO will not disclose more Personal Information than is necessary for the relevant purposes of such disclosure.

  10. Storage and cross border transfer of Personal Information

Hard copies of records containing Personal Information, where they exist, are stored by HSO in Ontario, Canada. In most cases, electronic copies of records containing your Personal Information are stored on servers located in Ontario, Canada. Some third party service providers engaged by HSO may store your personal information in foreign jurisdictions. Such third party service providers are not engaged to provide services in jurisdictions where foreign storage restrictions exist.

Where Personal Information is accessed, transferred or stored outside of Canada, your Personal Information may be subject to access by and disclosure to law enforcement agencies under the applicable foreign legislation.

  11. How do we protect your Personal Information?
    • Physical, technical and organizational security measures

We employ a variety of physical, technical and organizational security measures to maintain the safety of Personal Information.

We offer the use of a secure server. All sensitive financial information (e.g. credit card) and any information provided via HSO’s websites, Client Portal and Surveyor Portal is transmitted via Secure Sockets Layer (SSL) technology and then encrypted into our payment gateway providers’ database, where it is only accessible by those authorized with special access rights to such systems, and who are required to keep the information confidential.

  • When engaging third party service providers

The transfer of personal information to third party service providers for processing will occur only after those entities have entered into a contractual arrangement that:

  1. prohibits the third party from using the information for purposes other than those specified by HSO;
  2. prohibits them from allowing access to or disclosing Personal Information to any other party (unless required to do so by law); and
  3. requires them to have appropriate safeguards in place to ensure the ongoing protection of Personal Information.

  12. How long do we retain your Personal Information?

We keep your Personal Information only for as long as it is required. The length of time we retain Personal Information varies depending on the purpose(s) for which it was collected and for which consent was obtained. This period may extend beyond the end of your relationship or contract with us.

Where Personal Information is no longer required for HSO’s purposes, we have procedures to destroy, delete, erase or convert it into an anonymous form.

  13. Links to other websites

HSO may provide links to, or automatically produce search results for third party websites or resources or third party information referencing or linking to third-party websites or resources. HSO has no control over such third-party websites and resources, and website users acknowledge and agree that HSO is not responsible for the content or information contained therein. When website users follow such a link, they are no longer protected by our Policy, and we encourage you to read the privacy statements or other disclaimers of such other third parties. HSO is not responsible for privacy or security practices or the content of others’ websites, services or products.

  14. What do we do in case of a security breach?

A “breach of security safeguards” is the loss of, unauthorized access to or unauthorized disclosure of Personal Information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards. In case of a breach of security safeguards involving Personal Information under HSO’s custody or control, we will notify you and the appropriate federal or provincial Privacy Commissioners in Canada, in line with the applicable privacy laws. We may also notify any other organization or government institution that can reduce the risk or mitigate the harm from the breach. We will keep a record of any breach of security safeguards.

  15. Cookies and Embedded Scripts
    • Cookies

We use cookies, which are small data files that are saved to your device when you visit our website and use this service. Cookies help analyze web traffic and help us provide you with a better website experience, by enabling us to monitor which pages you find useful and which you do not. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer; however, this may prevent you from taking full advantage of the website.

The table below explains the cookies we use and their purpose.






Universal Analytics (Google)
_ gat_UA-91005729-1
These cookies are used to collect information on how users use the website. We use this information to draft reports and to help us improve the website. These cookies collect information such as the number of visitors on the website and the blog, how these visitors accessed the website and the pages they have consulted.
Please read Google’s overview on confidentiality and data protection (
Max. 2 years

This targeting/advertising helps with tracking conversion rates for ads.

Cookies YouTube
We embed videos of our official YouTube channel by using the reinforced confidentiality system of YouTube. This system can place cookies on your device once you click on the YouTube video player, but YouTube will not store personally identifiable cookie information when playing such embedded videos.
For more information, please consult YouTube’s information page on video embedding (
PREF – * expires after eight months.
VSC – * expires at end of session.
VISITOR_INFO1_LIVE – * expires after eight months.
remote_sid – * expires at end of session.

Hotjar cookie
This cookie is set once a visitor interacts with a Survey invitation modal popup. It is used to ensure that the same invite does not re-appear if it has already been shown.

Hotjar cookie
This cookie is set once a visitor completes a poll using the Feedback Poll widget. It is used to ensure that the same poll does not re-appear if it has already been filled in.

Hotjar cookie
This cookie is set once a visitor minimizes a Feedback Poll widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site.

Hotjar cookie
This cookie is set once a visitor submits their information in the Recruit User Testers widget. It is used to ensure that the same form does not re-appear if it has already been filled in.

Hotjar cookie
This session cookie is set to let us know whether that visitor is included in the sample which is used to generate funnels.



You can disable cookies completely, or be prompted prior to a cookie being loaded, by adjusting your browser’s settings. Consult each individual browser’s “help” feature for more information.

Find out how to manage cookies on popular browsers:

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Apple Safari


To opt out of being tracked by Google Analytics across all websites, visit

  • Embedded Scripts

An embedded script is a programming code that is designed to collect information about your interactions with our website, such as information about the links on which you click. The code is temporarily downloaded onto your device from our web server or a third party service provider. The code is active only while you are connected to our website, and is deactivated or deleted once you disconnect from the website.

  16. Resolving Your Privacy Concerns
    • Questions and Comments
      In the event of questions about: (i) access to Personal Information; (ii) our collection, use, disclosure or storage of Personal Information; or (iii) this Policy; please contact HSO’s Privacy Officer by sending an e-mail to
    • Complaints
      HSO will investigate all complaints and if a complaint is justified, we will take all reasonable steps to resolve the issue.

    • How Can You Access or Correct Any Inaccuracies In Your Personal Information?
      HSO endeavors to ensure that all Personal Information provided by or about you and in its possession is accurate, current and complete, as necessary for the purposes for which we use that Personal Information. If we become aware that Personal Information is inaccurate, incomplete or out of date, we will revise the Personal Information and, if necessary, use our best efforts to inform third party service providers or contractors which were provided with inaccurate information to enable those third parties to also correct their records.

HSO permits the reasonable right of access and review of Personal Information held by us and will endeavour to provide the Personal Information in question within a reasonable time, generally no later than 30 days following the request subject to applicable law. To guard against fraudulent requests for access, we may require sufficient information to allow us to confirm that the person making the request is authorized to do so before granting access or making corrections.

We will provide copies of the Personal Information in our possession in a form that is easy to understand or in a summary form where appropriate. HSO reserves the right not to change any Personal Information but will append any alternative text the individual concerned believes to be appropriate. HSO will not charge you for verifying or correcting your information; however, to the extent permitted by applicable law, there may be a minimal charge imposed if you need a copy of records.

  17. How we conduct Privacy Impact Assessments

A Privacy Impact Assessment is an evaluation process which allows HSO to assess and evaluate privacy, confidentiality or security risks associated with the collection, use or disclosure of personal information, and to develop measures intended to mitigate and, wherever possible, eliminate identified risks.

HSO undertakes an appropriate Privacy Impact Assessment prior to the Processing of any Special Category/Sensitive Personal Information to assess the risks associated with such Processing. Special Category/Sensitive Personal Information includes:

  • Social Insurance Number, banking and credit card information.
  • Passport and Visa.
  • Health and genetic/biometric data.
  • Any personal information of a minor, under the age of majority (18/19 years depending on the applicable jurisdiction).
  • Racial/ethnic background.
  • Religion, beliefs or political opinions.
  • Gender, sexual orientation or sex life.
  • Education, employment history, Trade Union membership.
  • Background checks – criminal record.

HSO will also conduct a specific Privacy Impact Assessment for all new or significantly revised projects involving collection, use or disclosure of personal information that raise risks of privacy, confidentiality or data security (e.g., high risk of unauthorized disclosure due to aspects of the project), where an existing privacy impact analysis does not already adequately address the risks.

Privacy Impact Assessments are directed by HSO’s Privacy Officer.

  18. How we check our Privacy practices

HSO conducts organizational privacy audits as a means to ensure that its compliance framework for privacy and confidentiality is supported by its practices. Privacy audits are conducted to ensure HSO’s information processing procedures meet privacy requirements by examining how information is collected, stored, shared, used, disclosed, and destroyed. HSO’s Privacy Officer leads the audit, with input from internal stakeholders (e.g., information technology) and/or external auditors.

The audit process may involve:

(1) review of existing policies and procedures for legality, completeness and consistency with HSO’s services and activities; management policies and procedures;

(2) examination of how data is obtained including required notices and/or consents from identifiable individuals;

(3) mapping of data flows through the organization, including access, storage, and disposal;

(4) assessment of sensitivity and security risks of information collected, processed and retained by HSO and the necessity of processing and retention of data elements;

(5) recommendations on collection, use, disclosure and retention; access processes and procedures; protections and safeguards; and accountability and compliance monitoring.

Privacy audit results will generally be documented within a report containing: a summary of privacy legislation and principles applicable to HSO; a description of the policies and practices of HSO relating to privacy and information management; any risk areas identified or gaps with respect to compliance; and prioritized recommendations to address gaps and risk areas. Privacy audit results are privileged and confidential.

Privacy audits may be conducted internally by HSO or with the assistance of a third party auditor. External privacy audits will be conducted every 3 years.

  19. Conflicts and Interpretation of Policy

Should there be, in a specific case, any inconsistency between this Policy and Canada’s federal and provincial privacy laws, as applicable, this Policy shall be interpreted, in respect of that case, to give effect to, and comply with, such privacy laws.

To the extent of any conflict between the Policy in English and any version in another language, the English version shall prevail.

  20. Contact Us


Health Standards Organization
1150 Cyrville Road
Ottawa, ON,
K1J 7S9

European Union
Health Assessment Europe ASBL
Rue d’Egmont 11, 1000 Bruxelles

  21. The European Union General Data Protection Regulation

This Policy also contains certain information required by the European Union (“EU”) Regulation No. 2016/679 of 27 April 2016, known as the General Data Protection Regulation (“GDPR”), and mirroring legislation (with the GDPR, the “European Data Privacy Laws”) of the other countries (Norway, Iceland and Liechtenstein) forming with the EU Member States the European Economic Area (the “EEA”), which apply when we process personal data about individuals located in the EEA in relation to (i) the offering of goods and services to these individuals or (ii) the monitoring of their behaviour in the EU or EEA – at the moment we consider that only processing of personal data about individual surveyors in the EEA would fall within the scope of European Data Privacy Law.

  • Storage of personal data of individuals in the EEA for processing activities falling within the scope of European Data Privacy Laws

The following provisions apply only to personal data of individuals in the EEA for processing activities falling within the scope of European Data Privacy Laws:

(1) As regards customers, surveyors and other persons with whom we have a contractual relationship as well as their individual representatives, we will hold all personal information for so long as HSO is in a contractual relationship. We may then (i) archive the data up to one year after the applicable limitation period has expired or final settlement of any dispute whichever is last and (ii) keep contact details for the purposes of direct marketing for a period of up to 3 years after termination of the contract or last contact made by the relevant individual.

(2) As regards prospects, we keep their contact details for the purposes of direct marketing for a period of up to 3 years after time of collection or last contact made by the relevant individual.

(3) As regards website/app/email users who do not provide us with their contact details, we maintain a log during 18 months before anonymising the data; as regards expiration of cookies, please see above.

Individuals in the EEA are hereby informed that we may transfer and store their personal data in the EEA, Canada and other countries deemed to offer an adequate level of protection according to the European Commission as well as the United States of America, provided that any recipient of personal data based in the United States of America has adopted corporate binding rules or entered into a data transfer agreement containing clauses offering an adequate level of protection according to the European Commission or benefits from the U.S. “Privacy Shield” accreditation.

  • What’s the legal basis for these uses under European Data Privacy Laws?

When European Data Privacy Laws apply and you are an individual in the EEA, we inform you that HSO is allowed to process your personal data on the following legal bases.

(i) Legitimate interests. HSO is permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in our interests. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. The following personal data processing activities are based on this ground:

  1. contacting or verifying the authority of an individual representing an organisation in relation to the execution or performance of a contract with that organisation and keeping exchanges with that individual as evidence in case of a possible dispute with that organisation;
  2. anonymising personal data for generating statistics that can be used for, amongst others, improving our products and services and our website;
  3. improving our products and services and our website when this cannot be done without first anonymising the data;
  4. providing information to debt or equity investors or donors in order to incite them to invest or donate or continue to do so;
  5. presenting or communicating on our goods or services or requests for donations when we do not need consent.

(ii) Contract. HSO is also permitted to process your personal data every time it is necessary for the entry into or the performance of the contract you have agreed to enter with us. If you do not provide the necessary personal data, we will not enter the contract for which it is necessary or we will not be able to carry out our obligations thereunder in case of personal data necessary for its performance.

(iii) Legal obligation. HSO is also permitted to process your personal data every time it is necessary for the purposes of complying with applicable regulatory, accounting and financial rules, health and safety and to make mandatory disclosures to government bodies and law enforcement.

(iv) Consent. Your consent may be asked for the presenting or communicating on our goods or services or requests for donations when this cannot be done on the sole basis of our legitimate interests. You can withdraw this consent at any time.

(v) Public interest or official authority. HSO is also permitted to process your personal data when necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us by the relevant authorities, namely accreditation of health organisations when laid down by applicable EU or EEA country laws.

  • Rights afforded under European Data Privacy Laws

When European Data Privacy Laws apply and you are an individual in the EEA, we inform you that you have the rights set out below.

You may exercise these rights by contacting us at the email address indicated in this Policy. We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the European Data Protection Laws.

(1) Right to object to processing of your personal data

You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so.

In particular, you can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:

  • email, call or write to us (at You can also click on the ‘unsubscribe’ button at the bottom of the email newsletter. It may take up to 14 business days for this to take place.
  • provide proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
  • provide us with details of your preferred method of contact (for example, you may be happy for us to contact you by email but not by telephone).

(2) Right to access personal data relating to you

You may ask to see what personal data we hold about you and be provided with:

  • a copy of the personal data;
  • details of the purpose for which the personal data is being or is to be processed;
  • details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are outside the EEA and what protections are used for those transfers;
  • the period for which the personal data is held (or the criteria we use to determine how long it is held); and
  • any information available about the source of that data.

To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.

(3) Right to correct any mistakes in your information

As indicated above, you can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.

(4) Right to restrict processing of personal data

You may request that we stop processing your personal data temporarily if:

  • you do not think that your data is accurate (we will start processing again once we have checked whether or not it is accurate);
  • the processing is unlawful but you do not want us to erase your data;
  • we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
  • you have objected to processing because you believe that your interests should override our legitimate interests.

(5) Right to data portability

You may ask for an electronic copy of your personal data which we hold electronically and which we process on the basis of a contract with you or with your consent.

(6) Right to withdraw consent

You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.

(7) Right to erasure

You can ask us to erase your personal data:

  • should we not need your data anymore in order to process it for the purposes set out herein;
  • if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
  • if you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
  • if your data has been processed unlawfully or has not been erased when it should have been.

(8) Rights in relation to automated decision making

You have the right to have any decision that has been made by automated means and which produces legal effects or has a similar significant effect on you reviewed by a member of staff, it being noted that our processing activities do not fall in that category.

(9) France only – directives for handling personal data after death

If you are in France, we inform you that you may write directives about the handling of your personal information after your death.

(10) Complaints to a European supervisory authority

It is important that you ensure you have read this Privacy Policy and, if you do not think that we have processed your data in accordance therewith, you should let us know as soon as possible. You may also complain to any European competent supervisory authority.

  • Personal Data Breach

Individuals in the EEA are hereby informed that we will also comply with the documentation and notification requirements of articles 33 and 34 of the GDPR in case of a personal data breach as defined in the GDPR.

Effective Date: This Policy was last updated on July 23, 2021.