As part of our GDPR transformation program, we have been undertaking a thorough audit of all the personal data we hold throughout the organization and have been conducting a ‘gap analysis’ of GDPR requirements against an assurance framework and mapping this against all activities in the group. We are investing in the creation of robust and sustainable processes to support a strong, long-term GDPR compliance framework. Golden Tickets is based in the US but does have customers worldwide. Where we are engaged in cross border data transfers from customers located in the European Economic Area (EEA), we will ensure that we continue to follow appropriate practices and follow one or more of the approved means of protecting personal data that leaves the EEA. This is not something that we can do on our own. The products and services that we provide typically mean that we will be a data processor for data provided to us by our customers which our customers then use through our products and services. As a general rule we do not act as a joint data controller in respect of information provided by our customers. Our customers have their own compliance obligations, and where we can we will work with them to help them comply.
The main category of personal data that we process as a data processor is data belonging to our customer. We are enhancing our data protection impact assessment processes and supporting governance frameworks to ensure that privacy issues are considered appropriately in all new product developments that may impact privacy rights.
What Golden Tickets Does With Customer Data
The personal data that we process which is provided by our customers falls into two broad categories: first, personal data of our customers (i.e. the representatives that we interact with in order to provide our products and services); and, second, personal data of recipients that our customers provide to us. Personal information about our customers is usually limited to the contact and other details we need in order to fulfill our obligations to you. Personal information on our customers’ recipients may be much broader, depending on what our customers provide to us. Typically it will include name and email addresses. With our customers’ subscriber lists, we will act as a data processor, and we only process the information in accordance with our customers’ instructions. We do not typically store or process any special categories of personal data (for example, data regarding mental or physical health, sexual orientation, criminal convictions, and religious or political beliefs).
As part of our GDPR transformation program we will be bringing our contractual arrangements with our customers up to date to ensure compliance with new GDPR obligations governing the relationship between data controllers and data processors. We anticipate rolling out our program of updating our contractual relationships before May 25, 2018. This will be to ensure that the contractual provisions required by GDPR are in place so that we and our customers are compliant with the new rules.
The Rights of Data Subjects
Existing law had long provided individuals with certain rights related to the processing of their personal data (such as subject access rights and rights to object to direct marketing). GDPR enhances some of those existing rights, and introduces some new ones, and we ensure that we have in place appropriate procedures and technology solutions to enable us to fulfill our obligations and respond appropriately to individual requests, including for example data subject access requests, and requests for erasure or for restricted processing, and, where applicable, requests related to data portability and profiling.
Data Retention and Security
We are taking the opportunity to review our data retention policies to ensure that we do not keep personal data for periods longer than is necessary. Where we process customer data, that obligation rests primarily on the customer and we will comply with our obligations as a data processor in that regard. We ensure that we have appropriate technical and organizational measures in place to protect the personal data we process and have always adopted strict IT security measures to protect personal data. As part of our GDPR transformation program we are reviewing our encryption, anonymization, and pseudonymizing controls across customer and supplier data to see where there are opportunities to further protect the data we hold.
Notices and Consent
Our GDPR transformation program is a work in progress. We are currently reviewing all of our policies in light of the requirements of GDPR and other relevant legislation, and where necessary, will update relevant processes, policies, and documentation and provide notice of such changes to our customers, suppliers, and employees at the appropriate time.
We are currently completing a review of our lawful basis for processing the various categories of personal data that we deal with. Some of our customers are asking questions about consent, which is understandable given the amount of publicity that there has been about changes to the consent regime under GDPR. It is important to remember that under GDPR (as with the current law) there are a number of different grounds on which it is permissible to process personal data. Consent is one of them, and the one that has caught most attention, but it is not the only one, and may not always be the most appropriate. Another ground for processing personal data is where that processing is necessary for the performance of a contract (e.g. a customer contract) or where the processing is in the legitimate interests of the data controller (provided that there is no unwarranted adverse effect on the rights of the individual). Legitimate interests include legitimate business interests, such as the interests of Golden Tickets in providing its products and services to our customers.
Golden Tickets Suppliers
Where we engage third party service providers, we do so in accordance with best practice to ensure that those providers are obliged to only process such data in accordance with our instructions, to keep it secure, and not to transfer it outside the EEA other than with our consent or in accordance with the appropriate frameworks.
Under GDPR we are obliged to impose certain additional obligations on our data processors, and we are enhancing our framework of controls around such third-party suppliers and sub-processors. We will be updating our supplier contracts and seeking confirmation of GDPR readiness across all of our suppliers’ data processing facilities and security controls surrounding the processing and management of data. We will expect all our data processors to comply with their contractual obligations and more widely with their own obligations under GDPR.
Data breach notification is one of the key new requirements under GDPR. We are reviewing our controls and processes around data breach detection, investigation and reporting to ensure we can comply with our obligations as data controller and as a data processor, by May 2018. This includes our obligations as a controller to report to the appropriate data protection regulator within 72 hours of discovery, to the data subjects where appropriate, and our obligations as a data processor (e.g. of customer data) to report to the data controller (in this case our customer) without undue delay after becoming aware of a breach. This review also includes assessing the adequacy of present information security assessment programs.
We have reviewed current IT services and systems and are carrying out remedial actions, where required, to strengthen our IT controls around personal data. We are also reviewing our encryption, anonymization and pseudonymizing controls across customer and supplier data, and on all of our databases.
This statement is intended to provide responses to the most common inquiries we have received from our customers. As part of ongoing transformation, Golden Tickets will be communicating regularly with its customer base in 2018 about what it is doing on its journey to achieve compliance and how we are protecting customer data, retraining staff and upgrading systems, processes and governance as we move towards compliance with GDPR by May 2018 and onwards, and to ensuring privacy issues continue to sit at the heart of our product and service development plans in the future.
If you have more detailed questions that are not covered by this document, please contact firstname.lastname@example.org and we will respond to you as soon as possible.
Your IP Address
Like most e-commerce websites, each time you visit the Site, we automatically collect your IP address and the web page from which you came. In order to administer and optimize the Site for you and to diagnose problems with our Site, we use your IP address to help identify you and to gather broad demographic information about you and all visitors to the site.
Information We Collect From You
In order to operate the Site and provide you with information on products and services that may be of interest to you, we may collect personal information (i.e. information that could be used to contact you such as full name, postal address, phone number and email address), financial information (e.g. passwords and credit card numbers) and demographic information (zip code, hometown, gender, purchase history information and age) from you. Please note that nowhere on the Site do we knowingly collect personal information from children under the age of 18.
Information Other Web Sites Collect From You
How We Use Personal Information
We use your personal information to help us efficiently perform transactions on the Site, to deliver the services you have requested, to contact you when necessary in connection with events for which you purchased tickets on the Site (including event confirmations, changes and cancellations), and to send you information, offers and other promotional materials from Golden Tickets or Golden Sports Tours. We carefully select the information we send to you and attempt to send you offers that are of value to you, such as discounts, exclusive offers or special event information. The Site provides you with the option of declining to receive offers from (Golden) by "opting-out" of receiving this type of communication. To process transactions on the Site, we may share your personal information with our agents, representatives, contractors and service providers so they can provide us with support services such as authorization of credit card transactions, order fulfillment and sweepstakes and promotional fulfillment. We require these entities not to use your information for any other purpose.
By purchasing, or making reservations for, products or services electing to receive communications (such as emails) or electing to participate in contests, sweepstakes, or your personal information may be passed on to a third party in the event of a transfer of ownership or assets, or a bankruptcy, of Golden Tickets. We may also disclose specific information when we determine that such disclosure is necessary to comply with law, to cooperate with law enforcement or to protect the interests or safety of Golden Tickets.
How We Use Financial Information
We use your financial information to check your qualifications, to bill you for products and services and to enable you to participate in discount, rebate and similar programs in which you may elect to participate. By making a purchase, or engaging in any other kind of activity that uses financial information, on the Site, you consent to our providing your financial information to our service providers and to such third parties as we determine is necessary to process your transactions, as well as to your credit card issuer for their purposes. These third parties may include the credit card companies and banking institutions used to process the transaction, or by participating in programs offered on the Site that are administered by third parties and that require you to submit financial information in order to use them, you also consent to our providing your financial information to those third parties. Any of these various third parties are authorized to use your financial information in accordance with our contractual arrangements with such third parties and in accordance with their own privacy policies, over which we have no control.
How We Use Demographic Information
We use demographic information to tailor the Site and communications to the interests of our users. your demographic information on a non-anonymous basis. This information will help us bring you offers relevant to your location and sports interests.
Our Security Precautions
The Site has security measures in place to protect against the loss, misuse and alteration of the information under our control. Our secure server software (SSL) is the industry standard and among the best software available today for secure commerce transactions. We encrypt all of your personal and financial information as it travels over the Internet and we store your financial information on our servers in encrypted form. Your information may be transferred to and maintained on computer networks which may be located outside of the state, province, country or other governmental jurisdiction in which you reside, and the country or jurisdiction in which these computer networks are located may not have privacy laws as protective as the laws in your country or jurisdiction. Our security provider is THAWTE.
How You Can Update Your Email, Personal Information and other My Account Information
You can also send us mail to: Office of the President, Golden Tickets, 301 W. Parker Rd #202, Plano, Texas 75023