Data Privacy Notice - Official Misfits Records Store
Data Privacy Notice
We are ELEVENTYFOUR LP d/b/a SANDBAG USA with address 1320 s. Main Street, #30, Los Angeles, CA 90015. Our Data Protection Lead can be contacted at dataprotection@sandbaguk.com. We have produced this privacy notice in order to keep you informed of how we handle your personal data. All handling of your personal data is done in compliance with the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (“Data Protection Legislation”). The terms “Personal Data”, “Special Categories of Personal Data”, “Personal Data Breach”, “Data Protection Officer”, “Data Controller”, “Data Processor”, “Data Subject” and “process” (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation. “Data Protection Lead” is the title given to the member of staff leading our data protection compliance programme in lieu of a requirement for a Data Protection Officer.
What are your rights?
When reading this notice, it might be helpful to understand that your rights arising under Data Protection Legislation include:
- The right to be informed of how your Personal Data is used (through this notice);
- The right to access any personal data held about you;
- The right to withdraw consent at any time, by opting-out using the options present in communications;
- The right to rectify any inaccurate or incomplete personal data held about you;
- The right to erasure where it cannot be justified that the information held satisfies any of the criteria outlined in this policy;
- The right to prevent processing for direct marketing purposes, scientific/historical research or in any such way that is likely to cause substantial damage to you or another, including through profile building; and
- The right to object to processing that results in decisions being made about you by automated processes and prevent those decisions being enacted.
You can access certain of your personal data held about you by logging in to your account on the store where you made your purchase. You can also gain access to your personal data by emailing dataprotection@sandbaguk.com with the subject line: “Subject Access Request”. When you submit a ‘subject access request’, you will need to provide confirmation of your identity by contacting us using the email address associated with your profile or attaching a photocopy of your driver’s license or passport. This is provided free of charge and our response will be made within thirty (30) days unless our Data Protection Lead deems your request as being excessive or unfounded. If this is the case, we will inform you of our reasonable administration costs in advance and/or any associated delays, giving you the opportunity to choose whether you would like to pursue your request. If you believe we have made a mistake in evaluating your request, please see the section ‘Who can you complain to?’.
If you have questions about any of the rights mentioned in this section, please contact our Data Protection Lead at dataprotection@sandbaguk.com.
Who is the Data Controller?
- If your data has been passed to us by a third party for processing under their instruction, that third party is the Data Controller. They should have notified you that they would be passing your personal data to us, SANDBAG USA, at the time they collected your data and within their own privacy notices/standards. On some of the websites we manage, we collect your data on behalf of a Data Controller to add you to a mailing list or forum and we may pass your data to the Data Controller. For a list of Data Controllers, please see the section ‘Third Party Interests’ below.
- Where we collect your personal data for fulfilling purchases from one of our stores, or where you have opted in to receive marketing or other communications from us in relation to your previous purchase or to be added to a mailing list or forum that we manage, we are the Data Controller.
- If we have received your personal data as part of a direct administrative relationship between our business and yours, we are the Data Controller.
What are the lawful bases for processing personal data?
Under Data Protection Legislation, there must be a ‘lawful basis’ for the use of personal data. The lawful bases are as follows:
- ‘your consent’;
- ‘performance of a contract’;
- ‘compliance with a legal obligation’;
- ‘protection of your, or another’s vital interests’;
- ‘public interest/official authority’; and
- ‘our legitimate interests’.
What are SANDBAG USA’s ‘legitimate interests’?
Legitimate interests are a flexible basis upon which the law permits the processing of an individual’s personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Lead. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest. If you would like to find out more about our legitimate interests, please contact dataprotection@sandbaguk.com.
About our processing of your data
We might collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:
Identity Data such as names, usernames or similar; marital status; title; date of birth; sex and gender.
Contact Data such as addresses; email addresses and telephone numbers.
Financial Data such as bank account and payment card information.
Transaction Data such as information about payments and details of purchases you have made.
Technical Data such as IP addresses; login data; browser info; time zone; location; browser plug-ins; operating systems; platforms and other technology on the device used to access this website.
Profile Data such as usernames; passwords; security answers; purchases/orders; interests; preferences; feedback and responses to surveys, blogs and messages.
Usage Data such as analytics relating to how you use the website.
Marketing and Communications Data such as your preferences about receiving communications from us or third parties.
Children
This Website is not directed toward children (as defined by local law), nor does SANDBAG USA knowingly collect information from children without parental consent except where in compliance with applicable law.
We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data can be derived from your Personal Data but is not itself Personal Data as it cannot be used to reveal your identity. If Aggregated Data is ever used in combination with your Personal Data and becomes identifiable, it will be treated in accordance with this notice.
Reference | What categories of information about you do we process? | Why are we processing your data? | Where did we get your personal data from? |
Fulfilment of Music, Merch & Tickets Orders | · Identity Data
· Contact Data · Transaction Data · Technical Data |
Whenever we sell you a product, such as music, merchandise or tickets, we use your personal data in order to manage your order, process payments and make sure that you receive your products. This processing is conducted lawfully on the basis of ‘performance of a contract’. | Directly obtained at the point of sale. |
Fan Community Management (including sign-up mailing lists and forums) | · Identity Data
· Contact Data · Profile Data · Technical Data · Marketing and Communications Data |
If you join or opt in to be added to one of our fan communities, we, our subsidiary or the third parties listed in the section Third Party Interests below, will use your personal data to contact you with updates related to the subject of the mailing list or forums that you have subscribed to, as well as occasionally running competitions or other community events. These messages and websites might contain cookies, web-beacons, unique identifiers or similar to monitor our marketing distribution. This processing is conducted lawfully on the basis of ‘your consent’. | Directly obtained when you sign-up or opt in. |
Direct Marketing | · Identity Data
· Contact Data · Transaction Data · Technical Data · Marketing and Communications Data |
If you are a current customer or if you previously purchased from us or if you opted in to marketing communications, and providing that you haven’t opted-out before or since we collected your personal data, we, our subsidiary or the third parties listed in the section Third Party Interests below, may occasionally send you marketing related to the products that you purchased or the artist whose products you purchased. These messages might contain cookies, web-beacons, unique identifiers or similar to monitor our marketing distribution. This processing is conducted lawfully on the basis of ‘our legitimate interests’ and ‘your consent’. | Directly obtained at the point of sale or when you opt in. |
Customer Services | · Identity Data
· Contact Data · Transaction Data |
If you wish to contact us regarding an aspect of our service, including complaints or enforcing your consumer rights in relation to a product or service that we have sold you, we will use your personal data in order to investigate a claim, evaluate your needs and/or possibly take action, such as sending you a replacement product. This processing is conducted lawfully on the basis of ‘compliance with a legal obligation’. | Directly obtained at the point of sale, and at the time of enquiry (if applicable). |
Internal Analysis | · Identity Data
· Contact Data · Transaction Data · Technical Data |
We, our affiliates or the third parties listed in the section Third Party Interests below, may use the data we collect from you to carry out internal analysis in order to provide a better service to you. We may combine information we receive from other sources with information you give to us and information we collect about you. This process is conducted lawfully on the basis of ‘our legitimate interests’. | Directly obtained at the point of sale. |
B2B Relations | · Identity Data
· Contact Data |
If you are an employee of one of our business partners, we may use your personal data to communicate with you and your business about achieving our respective business objectives. This processing is conducted lawfully on the basis of ‘performance of a contract’. | Directly obtained from you or referred to us by one of yours or our partners. |
What happens if I refuse to give SANDBAG USA my personal data?
If your personal data is used for selling you music, merchandise or tickets, your personal information has, in part, been collected as part of a statutory obligation arising under our contract with you and applicable laws. Failure to process your data could result in us being unable to fulfil your orders.
The information about you that we have collected for the performance of our contracts is required in order for us to successfully fulfil our obligations to you. If you choose not to provide the personal data requested, we will not be able to enter into a contract with you to provide the services we offer. If we are already processing your personal information under a contract, you must end our contractual relationship (as/where permitted) in order to exercise some of your rights. We process some personal information as part of a contractual relationship with a Data Controller. Any requests to restrict this type of processing should be forwarded to the Data Controller; they will be responsible for discussing your concerns and making any decisions.
What profiling or automated decision making does SANDBAG USA perform?
SANDBAG USA does not perform any profiling or automated decision making based on your personal data.
How long will your personal data be kept?
SANDBAG USA holds different categories of personal data for different periods of time. Wherever possible, we will endeavour to minimise the amount of personal data that we hold and the length of time for which it is held.
- If ‘consent’ is the basis for our lawful processing of your data, we will retain your data so long as both the purpose for which it was collected, and your consent, are still valid. For mailing lists, forums and marketing, we will consider your consent as valid so long as you continue to receive our emails and have not opted-out/unsubscribe, or login to our website forums. If your email address ceases to receive our messages (e.g. ‘bounces-back’), we will consider this a withdrawal of consent. Occasionally, we might identify a legitimate interest in retaining some of your personal data that has been obtained by consent. If we do, we will inform you that we intend to retain it under these conditions and identify the interest specifically.
- If we process your data on the basis of ‘legitimate interests’, we will retain your data for as long as the purpose for which it is processed remains active.
- All categories of personal data that are held by us because they are essential for the performance of a contract, will be held for a period of six years, or as otherwise required under applicable law, for the purposes of exercising or defending legal claims.
Who else will receive your personal data?
SANDBAG USA may pass your data to the third parties listed in the section ‘Third Party Interests’ below.
Does your data leave the EU?
Yes. Details are included in the section ‘Third Party Interests’ below.
Cookies
Our Webstores use cookies and other tracking technologies to distinguish you from other users of our Webstores. This helps us to provide you with a good experience when you browse our site and allows us to improve our websites. For detailed information on the cookies and other technologies we use and the purposes for which we use them see our Cookies Policy.
Third Party Interests
Data Controllers
Name or Category of Third Party Controller | What processing is being performed? | If applicable – who is their representative within the EU? |
Sandbag UK | We share your information with our affiliate as joint controller, for their management of sales made through our stores setup on behalf of our UK clients. | Sandbag UK – please contact dataprotection@sandbaguk.com for further information. |
The client to whom we provide this webstore, which may be an independent artist, artists’ management and/or record label and any of our such client’s management and/or record label | We may share your information with these third parties in order for them or us to send you marketing communications, and to keep you up to date with news, events and merch related to the artist products you purchased or mailing lists and forums you signed up to. | Please contact dataprotection@sandbaguk.com if you would like to find out about a specific representative. |
Regulatory authorities | We are joint Controller with these authorities who require reporting of processing in some situations. | Please contact dataprotection@sandbaguk.com if you would like to find out about a specific representative. |
Postal/courier providers | Where these providers act as Data Controller, we are joint Controller with them for the purposes of order fulfilment. | Please contact dataprotection@sandbaguk.com if you would like to find out about a specific representative. |
Payment Processors with whom you already have a relationship, such as PayPal | We are joint Controller with these service providers who simply pass payments you make through their services directly to us based on a transaction. These transactions are subject to the provider’s privacy notices/policies. | Please contact dataprotection@sandbaguk.com if you would like to find out about a specific representative. |
Our Data Processors.
Name or Category of Third Party Processor | Purposes for carrying out processing | If applicable – where does data leaving the EEA go and what safeguards are in place? |
Web hosting providers | Website hosting, including the storage of data forming the website content and processing your Technical Data (and Profile Data, where applicable) in order to provide you with access to our websites. | In the interests of providing a quality service, we use providers located in the United States. These providers are either Privacy Shield certified or bound by the contractual provisions of the EU Commissions model clauses. |
Internal technology providers | · CRM and ERP software providers, whose services we use in order to manage our business with you.
· Telephony providers. · Office software providers, such as email clients. · IT Support services, who might require access to our systems (with our strict supervision) in order to remedy faults with our technology. |
In the interests of providing a quality service, we use providers located in the United States. These providers are either Privacy Shield certified or bound by the contractual provisions of the EU Commissions model clauses. |
Marketing technology providers | Providers who enable us to send you our marketing emails | In the interests of providing a quality service, we use providers located in the United States. These providers are either Privacy Shield certified or bound by the contractual provisions of the EU Commissions model clauses. |
Payment Services Providers | We use these processors so that we can take electronic or card payments securely and without the requirement for you to disclose this data to us. | In the interests of providing a quality service, we use providers located in the United States. These providers are either Privacy Shield certified or bound by the contractual provisions of the EU Commissions model clauses. |
Affiliates | In order for us to fulfil our obligations to you, we may engage Sandbag UK to process your data on our behalf. | In the interests of providing a quality service, we use our affiliates located in the United Kingdom. These affiliates are bound by the contractual provisions of the EU Commissions model clauses. |
Our European Data Representative
Name of European Data Representative | Purposes for carrying out processing | Contact Details |
DataRep | We share your information with DataRep as part of our obligation to have a European data representative at the end of the Brexit transition period under the GDPR | For contact details please visit their website at: https://www.datarep.com/. |
Who can you complain to?
In addition to sending us your complaints directly to dataprotection@sandbaguk.com, you can send complaints to our supervisory authority. As our parent company, Sandbag Limited, is based in the UK, our supervisory authority is the Information Commissioner’s Office. If you believe that we have failed in our compliance with data protection legislation, complaints to this authority can be made by visiting https://ico.org.uk/concerns/.
If you are an EEA citizen, please contact DataRep by visiting https://www.datarep.com/ if you believe that we have failed in our compliance with the data protection legislation.