Global Data Privacy Policy

Global Access Group, LLC: Global Data Privacy Policy

1. Introduction

The purpose of this document is to detail the Global Data Privacy Policy of Global Access Group, LLC, which includes links to the Privacy Statements for each of its wholly owned subsidiaries and associated customer websites: Global Access, LLC; Shipito, LLC; Goopping.com; and ExpatExpress.com. The Global Data Privacy Policy also outlines where in the web applications and data processes the Privacy Statements are made available to Data Subjects. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Processor” used throughout this Global Data Privacy Policy shall have the same meaning as in the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and their cognate terms shall be construed accordingly.

2. Who We Are

Global Access Group, LLC, is an international logistics organization that provides services for retailers, distributors and end-user customers, enabling international delivery of purchased products. Global Access Group, LLC, operates through its wholly-owned subsidiaries Global Access, LLC, and Shipito, LLC. Services include: product purchase, logistics, insurance, storage, re-packaging, package forwarding, freight, customs, tax, and Advisory Services, including market and use analysis, industry information and promotional recommendations.

For its business clients, Global Access, LLC, acts on behalf of its clients to deliver goods internationally and facilitate associated services including website language translation and hosted checkouts. Data is collected from client systems via API calls and FTP and browser-based file uploads. For its end-user clients, Shipito, LLC, provides domestic delivery, insurance, storage, re-packaging and international delivery of the goods purchased. An additional service offered is the “assisted purchase” program where Shipito, LLC, facilitates the actual purchase of a product that the end-user client is unable to purchase themselves directly from the retailer. Delivery may be to the end-user or to the person provided by the end-user as the ship-to party. Data is collected directly from the end-user via shipito.com. On a smaller scale, Global Access, LLC, offers similar services via its websites goopping.com and expatexpress.com.

Global Access, LLC, and Shipito, LLC, maintain corporate offices and warehouses in the United States and Japan. Global Access, LLC, and Shipito, LLC, utilize third-party Processors to provide services, including: logistics, payments, insurance and communication. Local regulations for customs and tax require the sharing of Personal Data with regulatory authorities.

3. Our Commitment to Data Protection

Global Access Group, LLC, is committed to complying with data protection laws of countries in which it operates, including the GDPR. Global Access Group, LLC, applies a global approach to data protection, frequently applying a higher data protection standard than required by an individual country. This standard is based upon the principles outlined in the GDPR, which represent globally accepted, basic principles on data protection. Additional protective measures are applied beyond the global approach on a country-by-country basis, as required, and include registration with data protection authorities.

In regards to data Processing, Global Access Group, LLC, operates through its wholly owned subsidiaries, each of which implements technological and organizational measures independently of the other. A data sharing agreement has been established between the subsidiaries to govern operations where data is transferred from Shipito, LLC, to Global Access, LLC, for the purpose of accessing logistics services that are not available through Shipito, LLC. Under this data sharing agreement, each entity is responsible for protecting Personal Data that it Processes.

Our wholly owned subsidiaries Shipito, LLC, and Global Access, LLC, are required to abide by this Data Privacy Policy.

4. Links to Specific Privacy Statements

In addition to this Global Data Privacy Policy, separate Privacy Statements exist for our subsidiaries Shipito, LLC, and Global Access, LLC, and the websites goopping.com and expatexpress.com that provide information directly related to the services offered. Please access the links below to view these Privacy Statements:

Shipito, LLC.

https://www.shipito.com/en/privacy-policy

Global Access, LLC.

https://www.globalaccess.com/about/Privacy-Policy

Goopping.com

https://www.goopping.com/about/Privacy-Policy

ExpatExpress.com

https://www.expatexpress.com/about/Privacy-Policy

5. Availability of Privacy Statements

In accordance with business best practice, our Privacy Statements are available as a link in the footer of the websites to which they apply. Our Privacy Statements are also presented to customers at the time that they register for an account.

6. Data Protection Principles

Global Access Group, LLC, applies the following data protection principles in its global approach to data protection. These principles are articulated in Article 5 of the GDPR.

Lawfulness, fairness and transparency. Global Access Group, LLC, processes Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject.

Purpose limitation. Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimization. Personal Data collected and processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy. Global Access Group, LLC, endeavors to ensure that Personal Data is accurate and, where necessary, kept up to date. Global Access Group, LLC, takes every reasonable step to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Global Access Group, LLC, has implemented a process in which Data Subjects may inquire as to Personal Data being processed and exercise their rights in regards to it.

Storage Limitation. Global Access Group, LLC, keeps Personal Data in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed. Where Personal Data is stored for longer periods, it is only stored insofar as the Personal Data is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of appropriate technical and organizational measures that safeguard the rights and freedoms of the Data Subject.

Integrity and Confidentiality. Personal Data is processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. The wholly owned subsidiaries of Global Access Group, LLC, are each required to apply this principle for the Personal Data they process.

Accountability. Global Access Group, LLC, requires its wholly owned subsidiaries to maintain documents and records that demonstrate compliance with the data protection principles outlined above.

7. Personal Data We Process

We collect Personal Data that (a) you actively submit to us, (b) we receive from our customers, (c) we receive from our business clients, and (d) we obtain for marketing purposes for potential clients, customers or others. We may process your Personal Data with or without automatic means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of your Personal Data.

a. Actively submitted data. You submit Personal Data to us when you register an account with us through our websites, purchase our services, or engage in other interactions or communications with our organization. We generally process name, physical address, telephone number, e-mail address, and payment information.

We may also process identification information in order to verify your identity in the event that there is a risk of fraud or a regulatory requirement to verify such. Identification information may include photo, passport number, photocopy or electronic copy of the passport, driver’s license number, driver’s license photocopy or electronic copy, national ID number, photocopy or electronic copy of utility bills or other documentation requested for this purpose. Identification information is collected only as needed. A failure to provide identification information as requested may impact the status of your account with us.

You may provide us with additional information to participate at your own initiative in surveys, feedback comments, online chat services, promotions or other activities. Participation in surveys, feedback comments, online chat services, promotion or other similar activities is optional. If you do not wish to participate in, or provide Personal Data in connection with such activities, this will not affect your account status or ability to use available services. In each such case you will know what Personal Data you provide us with because you actively and voluntarily submit the data.

We also offer our customers registered under our Affiliate Program commissions for referring new customers to us who use our services. Upon registration in the Affiliate Program they are assigned a URL with a unique Affiliate ID to use in their own marketing efforts. That Affiliate ID is then tied to any new account registration sourced from the affiliate’s URL. The data of customers who sign up through an affiliate is treated the same as if the customer sought us out directly.

b. Data received from our customers. Customers identify a ‘Ship-to’ party and delivery destination for packages that we ship at their request. The ‘Ship-to’ party and delivery address do not need to match the personal information provided by the customer upon registration. The main cases in which the personal information differs are where the customer is purchasing and shipping products on behalf of another person, as a gift for another person, or to another person who will receive the products on their behalf. The personal information collected generally includes the name, physical address and phone number of the ‘Ship-to’ party. Processing of this Personal Data is performed on behalf of the customer and for the purpose of providing the services requested by the customer. No active marketing is performed on Personal Data of the ‘Ship-to’ party.

c. Data received from our business clients. Our business clients submit Personal Data to us in order for us to be able to provide the services requested, which may include delivery of products, Processing of payments, calculation and submission of relevant taxes, submission of customs forms, reporting of shipping volumes and frequency, and reconciliation of distributor commissions. The Personal Data collected generally includes the name, physical address and phone number of the ‘Ship-to’ party, and the name, physical address, phone number, email, payment information, business client and Personal Client ID. A Personal Client ID is typically the ID number used by the business client to identify a salesperson such as a distributor, who is responsible for the product sale. Personal Client IDs are assigned by the business client and may be the social security number or other national ID of the person.

Related services offered to our business clients include access to a web module that provides tracking and reporting information on shipping orders. Business clients have the option to extend access to this module to their agents, salespersons or distributors so that they can manage, track, and obtain reporting on the orders for which they are responsible.

Processing of this Personal Data is performed on behalf of the business client and for the purpose of providing the services requested by the business client. Personal Data is received from our business clients in accordance with the Service Level Agreement or other agreement entered into with the business client.

d. Data obtained for marketing purposes for potential clients, customers or others. We obtain marketing data that we use to reach out to inform potential clients, customers and others of the services offered by our organization. The Personal Data collected generally includes the email address of a potential client, customer or contact and may also include their name and phone number.

e. Personal Data not actively collected or Processed. We do not actively collect or otherwise Process Personal Data from minors and include in our Terms and Conditions a condition that the customer is not a minor and does not provide Personal Data of minors. The age of a minor varies by country. For the purposes of Personal Data collected from the European Union, the age of a minor is under age sixteen (16).

We do not actively collect or otherwise process special categories of Personal Data as identified in the GDPR including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

We do not actively collect or otherwise process Personal Data relating to criminal convictions and offences.

8. Tracking Technologies, Cookies and Clear GIFs

We use tracking technologies, cookies and clear GIFs to collect information. Tracking technologies are used to collect information from your web browser through our servers or filtering systems when you visit any of our sites. Cookies are small bits of data used to transfer information to your computer’s hard drive or your web browser for record-keeping purposes, including recognizing your web browser when you return to our sites. A clear GIF is a transparent graphic image placed on a website. The use of clear GIFs allows us to monitor your actions when you open a web page and makes it easier for us to follow and record the activities of recognized browsers. Clear GIFs are used in combination with cookies to obtain information on how visitors interact with our websites.

Information collected may include but is not limited to your browser type, your operating system, your language preference, any referring web page you were visiting before you came to our site, the date and time of each visitor request, and information you search for on our sites. We can also track the path of page visits on a website and monitor aggregate usage and web traffic routing on our sites. We collect this information to better understand how you use and interact with our sites in order to improve your experience. We also collect this information to better understand what services and marketing promotions may be more relevant to you. We may also share this information with our employees, service providers and customer affiliates as well as between affiliated entities.

You can change your web browser settings to stop accepting cookies or to prompt you before accepting a cookie from the sites you visit. If you do not accept cookies, however, you may not be able to use some sections or functions of our sites.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org.

To opt out of being tracked by Google Analytics across all websites visit https://tools.google.com/dlpage/gaoptout.

9. Purposes for Processing Personal Data

We process Personal Data for logistics, payment, insurance, customs, tax, other regulatory requirements, communication, customer service, marketing, web analytics, system monitoring, data security, other operational and administrative purposes, and Advisory Services, including market and use information, industry information and promotional recommendations.

We use Personal Data to provide logistics and other related services to enable international product purchase and delivery for our customers and business clients while meeting the regulatory requirements of the relevant countries. We may use Personal Data to (a) purchase product for you, (b) package and inventory product for you, (c) store product for you, (d) deliver product to you, (e) insure product, (f) submit customs or other regulatory forms on your behalf, (g) contact you, (h) create and maintain an account profile, (i) fulfill requests you make, (j) seek your voluntary feedback, (k) customize features or content on our websites and software, (l) evaluate eligibility to participate in promotions, (m) verify identity, (n) administer our services, including through use of third-party services providers, (o) provide our Advisory Services, including market and use analysis, industry information and promotional recommendations, or (p) communicate with you for marketing purposes.

In this context, the legal basis for our Processing of your Personal Data is either the necessity to perform contractual and other obligations that we have towards you or our business clients or carrying out our legitimate activities as a logistics organization.

We may also use your data to comply with applicable laws and exercise legal rights as the basis for our data Processing.

We may also use your Personal Data for internal purposes, including auditing, data analysis, system troubleshooting, and research. In these cases, we base our Processing on legitimate interests in performing the activities of the organization.

10. Sharing of Personal Data

We share your Personal Data with other parties in the following circumstances:

a. Third-Party Providers. We may provide Personal Data to third parties for their Processing in performing functions on our behalf (for example, logistics, insurance, payments, security, data analysis, surveys, and so forth). In such instances, the providers will be contractually required to protect Personal Data from additional Processing (including for marketing purposes) and transfer in accordance with this Global Data Privacy Policy and applicable laws. This may include transfers or onward transfers to third parties that are outside of the EEA and outside of the United States. In these circumstances, relevant protections approved under the GDPR will be undertaken to protect your Personal Data. Under certain data protection laws, including the GDPR, Global Access Group, LLC, Global Access, LLC, and Shipito, LLC, are liable if a third-party provider that we have engaged to Process Personal Data fails to fulfil its data protection obligations.

b. Organizational Entities. We may transfer Personal Data from Shipito, LLC, to Global Access, LLC, in order to facilitate logistics and related services. A data sharing and processing agreement has been concluded between the two entities to ensure that Global Access, LLC, is contractually required to protect Personal Data from additional Processing and transfer outside of the purposes stipulated by Shipito, LLC.

c. Legal Requirements. We may access and disclose your Personal Data to regulatory bodies if we have a good-faith belief that doing so is required under regulation. This may include screening against the Consolidated Screening List for which the United States Government maintains restrictions on certain exports, re-exports or transfers of items. This may also include submitting Personal Data required by local customs authorities and tax authorities. Additionally, we may disclose your Personal Data and other information as required by law, including in response to lawful requests by public authorities or to meet national security or law enforcement requirements. We may also disclose your Personal Data to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of the resource, of any individual, or of the general public; to maintain and protect the security and integrity of our services or infrastructure; to protect ourselves and our services from fraudulent, abusive, or unlawful uses; or to investigate and defend ourselves against third-party claims or allegations.

11. Storage of Personal Data

We may store your Personal Data in data centers in the United States, cloud storage solutions, or on our premises, including corporate offices and warehouses. To ensure the adequacy of protection of data that we transfer between Shipito, LLC, and Global Access, LLC, we have concluded a data transfer and processing agreement between these entities. You may be entitled to review our data sharing and processing agreements if you contact us per the contact details provided at the end of this Global Data Privacy Policy. We endeavor to utilize third-party service providers from the United States that have certified with the EU-U.S. Privacy Shield Framework.

12. Personal Data Security

In accordance with our global Security Policy, our subsidiaries Global Access, LLC, and Shipito, LLC, use technical and organizational measures to protect the Personal Data received against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems. Security measures implemented include:

(1) SSL is used on all pages where Personal Data is collected;

(2) Data requiring a higher level of protection, such as payment card account numbers and passport numbers, is encrypted prior to transmission to the database for storage;

(3) Web and database servers are protected using firewalls;

(4) Passwords used for account registration cannot be ‘defaulted’;

(5) User access is tracked;

(6) Role-based security is applied to system access;

(7) All employees are contractually obligated to maintain the confidentiality of Personal Data accessible through their employment;

(8) Regular system backups are made;

(9) Regular maintenance is performed on systems; and

(10) Systems are monitored for security.

13. Retention of Personal Data

In accordance with our global Retention Policy, our subsidiaries Global Access, LLC, and Shipito, LLC, retain collected Personal Data, including Personal Data collected via website and mobile applications, API calls and FTP and browser-based file uploads for a reasonable period of time to fulfill the Processing purposes mentioned above. Personal Data is then archived for time periods required or necessitated by law or legal considerations. When archival is no longer required, Personal Data is deleted from our records. We regularly review our Retention Policy to ensure it complies with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Data is only stored and archived in alignment with our Retention Policy.

14. Personal Data Rights

We rely upon our customers maintaining the accuracy of the Personal Data they provide through our websites: www.shipito.com; www.goopping.com; and www.expatexpress.com, including the ability to add, edit and delete contact, payment and delivery information. Where you are the account holder, you may view and edit the Personal Data you have provided by accessing your account online under the Account Profile menu. Where you are not the account holder, you may reach out to the person that provided your Personal Data and request that they make any required update under the Account Profile menu of their registered account. This typically occurs where you have received delivery of a package that was arranged by another person. In addition, you may contact us with your Personal Data inquiries or for assistance in modifying or updating your Personal Data and to exercise additional statutory rights such as: access, rectification, data portability, objection, Processing restriction, and erasure of your Personal Data. Our contact details are provided at the end of this Global Data Privacy Policy.

We rely upon our business clients maintaining accurate Personal Data in their client systems that we access through API calls and FTP and browser-based file uploads in order to facilitate logistics services. You may contact the business client who provided your Personal Data to request changes to your Personal Data or exercise any rights you may have, including the right to: access, rectification, data portability, objection, Processing restriction, and erasure of your Personal Data, or for assistance in modifying or updating your Personal Data.

For marketing communication an ‘unsubscribe’ option is provided in the footer of every marketing communication. In addition, we may be contacted directly to unsubscribe. Our contact details are provided at the end of this Global Data Privacy Policy.

On your request, we are happy to assist you with the contact details of the business client(s) or customers who provided your Personal Data to us. You may also contact us to assist you with your inquiries or in exercising your rights in regards to our business clients. Our contact details are provided at the end of this Global Data Privacy Policy.

15. Effective Date and Amendments

This document is effective May 25, 2018. This document may be amended from time to time.

16. Contact Details

Inquiries may be made to:
Organization: Global Access Group, LLC.
Contact: Data Protection Officer (Chris Bauer)
Address: 9815 South Monroe St, Suite 510, Salt Lake City, UT 84070
Email: [email protected]

EU Representative
Contact: EU Representative (Daniel Eigner)
Address: Rastenfeld 151 Rastenfeld, 3532 Austria
Email: [email protected]

In the event that your Personal Data was processed on behalf of another company, you may also directly contact that company about your Personal Data. Global Access, LLC, Processes Personal Data on behalf of other companies who are its business clients. On your request, we are happy to assist you with the contact details of the business client(s) who provided your Personal Data to us.

17. Appendix

Please find the key GDPR regulatory provisions below.

Article 12 Transparent information, communication and modalities for the exercise of the rights of the Data Subject

1. The Controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to Processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means.

2. The Controller shall facilitate the exercise of Data Subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the Controller shall not refuse to act on the request of the Data Subject for exercising his or her rights under Articles 15 to 22, unless the Controller demonstrates that it is not in a position to identify the Data Subject.

3. The Controller shall provide information on action taken on a request under Articles 15 to 22 to the Data Subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

4. If the Controller does not take action on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request. The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the Controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.

7. The information to be provided to Data Subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended Processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Article 13 Information to be provided where Personal Data are collected from the Data Subject

1. Where Personal Data relating to a Data Subject are collected from the Data Subject, the Controller shall, at the time when Personal Data are obtained, provide the Data Subject with all of the following information: (a) the identity and the contact details of the Controller and, where applicable, of the Controller’s representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the Processing for which the Personal Data are intended as well as the legal basis for the Processing; (d) where the Processing is based on point (f) of Article 6(1), the legitimate interests pursued by the Controller or by a third party; (e) the recipients or categories of recipients of the Personal Data, if any; (f) where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the Controller shall, at the time when Personal Data are obtained, provide the Data Subject with the following further information necessary to ensure fair and transparent Processing: (a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; (b) the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of Processing concerning the Data Subject or to object to Processing as well as the right to data portability; (c) where the Processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal; (d) the right to lodge a complaint with a supervisory authority; (e) whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data; (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.

3. Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the Controller shall provide the Data Subject prior to that further Processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the Data Subject already has the information.

Article 14 Information to be provided where Personal Data have not been obtained from the Data Subject

1. Where Personal Data have not been obtained from the Data Subject, the Controller shall provide the Data Subject with the following information: (a) the identity and the contact details of the Controller and, where applicable, of the Controller’s representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the Processing for which the Personal Data are intended as well as the legal basis for the Processing; (d) the categories of Personal Data concerned; (e) the recipients or categories of recipients of the Personal Data, if any; (f) where applicable, that the Controller intends to transfer Personal Data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the Controller shall provide the Data Subject with the following information necessary to ensure fair and transparent Processing in respect of the Data Subject: (a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; (b) where the Processing is based on point (f) of Article 6(1), the legitimate interests pursued by the Controller or by a third party; (c) the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of Processing concerning the Data Subject and to object to Processing as well as the right to data portability; (d) where Processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal; (e) the right to lodge a complaint with a supervisory authority; (f) from which source the Personal Data originate, and if applicable, whether it came from publicly accessible sources; (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.

3. The Controller shall provide the information referred to in paragraphs 1 and 2: (a) within a reasonable period after obtaining the Personal Data, but at the latest within one month, having regard to the specific circumstances in which the Personal Data are processed; (b) if the Personal Data are to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or (c) if a disclosure to another recipient is envisaged, at the latest when the Personal Data are first disclosed.

4. Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were obtained, the Controller shall provide the Data Subject prior to that further Processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as: (a) the Data Subject already has the information; (b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that Processing. In such cases the Controller shall take appropriate measures to protect the Data Subject’s rights and freedoms and legitimate interests, including making the information publicly available; (c) obtaining or disclosure is expressly laid down by Union or Member State law to which the Controller is subject and which provides appropriate measures to protect the Data Subject’s legitimate interests; or (d) where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.