Last Updated: May 07, 2024
1. Introduction
This GDPR Privacy Addendum (the "GDPR Privacy Addendum") for Identity Works ("Controller") supplements the information contained in Controller's Privacy Notice (our "Privacy Notice") and applies solely to the users of this Website (https://www.ashleysleepretailer.com, "Website") who are located in the European Economic Area ("EEA") and/or the United Kingdom ("UK").
We adopt this GDPR Privacy Addendum to comply with the European Union's ("EU") General Data Protection Regulation, and any laws implementing the foregoing by any member states of the EEA and the UK (including the UK Data Protection Act and the UK-GDPR) (collectively, the "GDPR"). Unless otherwise defined in this GDPR Privacy Addendum, any terms defined in the GDPR or Controller's Privacy Notice have the same meaning when used in this GDPR Privacy Addendum. When this GDPR Privacy Addendum is applicable to you, it takes precedence over anything contradictory in Controller's Privacy Notice.
2. Data Controller and Representatives
Controller is the data controller of your Personal Data. Controller has appointed representative(s) in the European Union and the United Kingdom in compliance with the GDPR and the UK Data Protection Act and UK-GDPR. Controller and its representative(s) may be contacted in any manner set forth below in the Contact Information section of this GDPR Privacy Addendum.
3. Personal Data We Collect About You and How We Collect It
The Personal Data we collect and the ways in which we collect it is described in our Privacy Notice. We do not ask you to provide, and we do not knowingly collect, any Special Categories of Personal Data from or about you.
4. Lawful Basis for Processing Your Personal Data
The processing of your Personal Data is lawful only if it is permitted under the GDPR. We have a lawful basis for each of our processing activities (except when an exception applies as described below):
- Consent. By using our Website, you consent to our collection, use, and sharing of your Personal Data as described in our Privacy Notice and this GDPR Privacy Addendum. If you do not consent to the terms of our Privacy Notice and this GDPR Privacy Addendum, please do not use the Website. We will also ask for or otherwise obtain your consent to process your Personal Data in certain circumstances, such as to: (i) communicate with you about our products and services; (ii) provide you with marketing, promotional, and similar information or materials; and (iii) place cookies (that are not strictly necessary for the operation of our Website) and/or related technologies onto your browser when you visit our Website.
- To Fulfill Our Obligations to You Under our Contract. We process your Personal Data as necessary to perform our responsibilities under our contract with you – for example, to process your order and deliver the products you purchased.
- Compliance with Legal Obligations. To meet our regulatory and legal obligations, we may need to process some of your Personal Data.
- Legitimate Interests. We will process your Personal Data as necessary for our legitimate interests. Our legitimate interests are balanced against your interests and rights and freedoms and we do not process your Personal Data if your interests or rights and freedoms outweigh our legitimate interests. We process your Personal Data only so far as is necessary to achieve the purpose outlined in our Privacy Notice. Our processing activities will not unreasonably intrude on your privacy and ultimately benefits you in optimizing its provision of the Website and its features to you. Specifically, we rely upon on several legitimate interests for processing your Personal Data including, but not limited to: (i) facilitating communications with you; (ii) managing our relationship with you, as well as maintaining and securing your account with us; (iii) providing you information about our products, your account, and other details you request from us, as well as responding to your inquiries; (iv) providing you with customer support; (v) notifying you of any material changes to our Privacy Notice or this GDPR Privacy Addendum; (vi) administering surveys, sweepstakes, promotions, and other contests that you participate in or otherwise enter; (vii) providing you with access to, as well as researching, developing, improving, and/or customizing, our Website and product offerings; (viii) operating, administering, and protecting our business, Website, and IT infrastructure; (ix) detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity; (x) understanding how you interact with the Website to enhance user experience and functionality; (xi) engaging in direct marketing efforts; (xii) growing our business; (xiii) verifying your identity, and detecting and preventing fraud; (xiv) evaluating or engaging in a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Controller's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by or on behalf of Controller about its Website users is among the assets transferred; (xv) exercising, enforcing, or defending legal claims and managing related administrative activities; (xvi) complying with inspections, audits, and other valid requests from government or other public authorities; (xvii) responding to legal processes, such as subpoenas or court orders; and (xviii) as necessary for us to protect our interests or otherwise pursue our legal rights and remedies.
5. How We Use and Disclose Your Personal Data
With the exception of certain cookies and marketing-related communications described below, we use your Personal Data in the same manner set out in our Privacy Notice and do not share or otherwise disclose your Personal Data other than to the entities and for the purposes discussed in our Privacy Notice.
- Cookies: Except for those cookies that are strictly necessary for the operation of our Website, we will only use cookies if we have your explicit consent to use them in the UK and the EEA. Please bear in mind that if you have given your consent to a cookie, you may withdraw your consent at any time adjusting the cookie settings on our Website. Please refer to the Choices About How We Use and Disclose Your Information section of our Privacy Notice for additional information.
- Marketing Communications: We will only use your Personal Data to contact you about our products that may be of interest to you or to otherwise send you marketing-related communications if we have your consent to do so. If you wish to consent to this use, please check the relevant box located on the form on which we collect your Personal Data. If you wish to change your choice and withdraw your consent, you may do so at any time by (i) adjusting your communication preferences via the Website, or (ii) clicking the unsubscribe link at the bottom of any email or other marketing communication you receive from us.
6. Automated Decision Making
We do not use your Personal Data with any automated decision-making process, including profiling, which may produce a legal effect concerning you or similarly significantly affect you.
7. Your Rights
The GDPR provides you with certain rights with regards to our processing of your Personal Data. These rights replace the similar rights provided in our Privacy Notice or are supplemental to such rights.
- Access and Update. You can review and change your Personal Data we have about you by notifying us through the Contact Information below of any required changes or errors in to ensure that it is complete, accurate, and as current as possible. We may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.
- Restrictions. You have the right to restrict our processing of your Personal Data under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your Personal Data is determined to be unlawful, or if we no longer need your Personal Data for processing but we have retained it as permitted by law.
- Portability. To the extent the Personal Data you provide to Controller is processed based on your consent or contractual necessity and we process it through automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. You also have the right to request that we transmit this Personal Data to another controller, when technically feasible.
- Withdrawal of Consent. To the extent that our processing of your Personal Data is based on your consent, you may withdraw your consent at any time by closing your account or notifying us through the Contact Information below. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your Personal Data.
- Right to be Forgotten. You have the right to request that we delete all of your Personal Data. We will only delete your Personal Data when we no longer have a lawful basis for processing your Personal Data or after a final determination that your Personal Data was unlawfully processed. We may not accommodate a request to erase information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your Personal Data as set forth in this GDPR Privacy Addendum.
- Complaints. You have the right to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. If you are located in the UK, you must lodge such a complaint with the Information Commissioner's Office in the UK. You can also contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.
- How You May Exercise Your Rights. You may exercise any of the above rights by contacting us through any of the methods listed under Contact Information below. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your Personal Data, you may be charged a fee subject to a maximum set by applicable law.
8. Consent to Processing of Personal Data In Other Countries Outside the EEA or the UK
In order to provide our Website, products, and services to you, we may store and process your Personal Data outside of the EEA or the UK, including in the United States. Accordingly, your Personal Data may be stored and processed outside the country where you reside or are located, including to countries that may not or do not provide an equivalent level of protection for your Personal Data. In limited circumstances, federal, state, and local governments, courts, or law enforcement or regulatory agencies in the United States may be able to obtain disclosure of your information through the laws of the United States. By using our Website, you represent that you have read and understood the above and hereby consent to the storage and processing of Personal Data outside the country where you reside or are located, including in the United States.
9. Data Retention Periods
We will retain your Personal Data for as long as is necessary for the purposes set out in this GDPR Privacy Addendum (e.g., for as long as you maintain an account with us on the Website) unless a longer period is required under applicable law, or as needed to resolve disputes or protect our legal rights or otherwise to comply with legal obligations.
Where we are processing Personal Data based on our legitimate interests, we generally will retain the data for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of data subjects.
Where we are processing Personal Data based on contract, we generally will retain the information for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from the contractual relationship.
Where we are processing Personal Data based on your consent, we generally will retain the information for the period of time necessary to carry out the processing activities to which you consented, subject to your right, under certain circumstances, to have certain of your Personal Data erased (see Your Rights).
10. Changes to This GDPR Privacy Addendum
Controller reserves the right to amend this GDPR Privacy Addendum at its discretion and at any time, as further described in our Privacy Notice. If we make material changes to how we treat our users' Personal Data, we will notify you by email to the email address we have on file for you, through the posting of a notice on the home page of our Website, or by using a similar method. The date this GDPR Privacy Addendum was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this GDPR Privacy Addendum to check for any changes. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
11. Contact Information
If you have any questions, concerns, complaints, or suggestions regarding our Privacy Notice or this GDPR Privacy Addendum, have any requests related to your Personal Data described in the Privacy Notice or this GDPR Privacy Addendum, or otherwise need to contact us, you can do so using the contact information below.
To Contact Identity Works (Controller)
Identity Works
920 Industrial Drive
West Salem, WI 54669
Phone: 800-658-9014
Email: privacy@idworks.com
To Contact Our Representative in the EU/EEA
DataRep
77 Camden Street Lower
Dublin D02 XE80
Ireland
datarequest@datarep.com
To Contact Our Representative in the UK
DataRep
107-111 Fleet Street
London EC4A 2AB
Ireland
datarequest@datarep.com