At 28 Too Many, we respect your privacy rights and take the security of your Personal Data very seriously.
Data protection laws have changed in recent years with the General Data Protection Regulation (GDPR) coming into effect from 25th May 2018 and the Data Protection Act 2018, which is the UK’s implementation of the GDPR. Individuals now have greater rights over the Personal Data or Personally Identifiable Information (PII) that is held about them.
Personal Data is any information capable of identifying an individual (‘data subject’). This information may include, but is not limited to: name, address, email, telephone number, IP address.
How do we collect your Personal Data
28 Too Many collects Personal Data requested on our website https://www.28toomany.org/ for the purpose of sending research updates to subscribers.
28 Too Many may collect Personal Data for the purpose of responding to an enquiry or for fulfilling a contract or service for our clients. If you choose to withhold any Personal Data required, it may not be possible to provide a response or to provide the required service.
28 Too Many may collect financial information for payment processing through a third-party payment processor but retains no financial or personally identifiable information on its own systems.
It is very important that the Personal Data that we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at [email protected] and we will update it accordingly.
How do we use your Personal Data - Lawful Basis of Processing
28 Too Many will only process Personal Data where we have a legal basis to do so.
28 Too Many uses Personal Data from our website for the purpose of fulfilling an enquiry.
28 Too Many uses Personal Data from our website for the purpose of direct marketing, where we have obtained your explicit consent as appropriate.
28 Too Many uses Personal Data from our clients for the purpose of fulfilling a contractual obligation, i.e. providing a service.
28 Too Many may use Personal Data where we need to comply with a legal obligation.
28 Too Many may use Personal Data where it is necessary for our legitimate interests and the interests and fundamental rights of the data subject do not override those interests. These legitimate interests include:
How do we protect your Personal Data
28 Too Many has put in place appropriate security measures and controls to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees and other third parties who have a business need to use such data. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.
When you enter Personal Data on our website, it is encrypted in transit using TLS/SSL and transmitted over HTTPS.
We maintain appropriate administrative, technical and physical safeguards to protect Personal Data at rest on our systems. This may include password protection, access/authentication controls, pseudonymisation and encryption.
How long do we retain your Personal Data
28 Too Many will only retain your Personal Data for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Personal Data collected from our website for the purpose of responding to an enquiry is retained by 28 Too Many for 30 days and then is securely deleted.
Personal Data collected for the purposes of direct marketing is retained by 28 Too Many for as long as you give us your explicit consent to do so. This marketing and subscriber information is maintained by Mailchimp, an online marketing platform operated by The Rocket Science Group LLC.
28 Too Many will retain Personal Data on behalf of our clients for as long as required to provide our services to that client or as otherwise required to by law. Where a Client does not undertake a service with 28 Too Many for more than 2 years, their Personal Data will be deleted.
International transfer of Personal Data
28 Too Many do not transfer any of your Personal Data to systems outside of the European Economic Area (EEA).
Data Controller and Processor
28 Too Many processes Personal Data both as a Controller and as a Processor as defined in the GDPR.
All Personal Data is stored securely on Dropbox, Digital Ocean or Amazon Web Services. All website hosting is performed in accordance with the highest security regulations. 28 Too Many has sought confirmation from its providers, ensuring compliance with the GDPR, e.g. all data is processed on servers in the European Economic Area (EEA) only.
Third Party Processors
28 Too Many works with a number of third-party service providers including but not limited to the ones named in the ‘Data Controller and Processor’ section.
These third parties may have access to, or process Personal Data or Client Data as part of providing those services for us. We limit the Personal Data provided to these service providers to that which is reasonably necessary for them to perform their functions. We have sought confirmation that our third-party processors and service providers are GDPR compliant, thus requiring them to maintain the confidentiality of any Personal Data provided to them.
28 Too Many does not carry out business with or knowingly collect any Personal Data from anyone under the age of 13. In the event that we find out or are informed that we have collected information from a child under the age of 13, we will delete that Personal Data as quickly as possible.
Special Category Data
28 Too Many does not collect any Special Category or sensitive personal data. Special Category data is defined in the GDPR as information that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We also do not collect any information about criminal convictions and offences.
Data breach or compromise of Personal Data
28 Too Many have put in place procedures to deal with any suspected data breach.
In the event that Personal Data is compromised as a breach of security, 28 Too Many will promptly notify any affected data subjects or clients as well as the Information Commissioner’s Office (ICO) in compliance with the GDPR.
Since 25th May 2018, individuals have extended rights in relation to our use of their Personal Data. These are:
Right of access to your Personal Data
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. You will not have to pay a fee to access your Personal Data. However, we may charge a reasonable fee if your request is manifestly unfounded, excessive or repetitive.
If your request is made electronically, we will provide the Personal Data in a commonly used electronic format, once we have verified your identity. Otherwise, it will be provided in writing.
Right to rectification
28 Too Many takes reasonable steps to ensure that the Personal Data we hold about you is accurate and complete. However, if you do not believe that this is the case, please contact us and make a request for rectification verbally or in writing.
Please note that 28 Too Many can refuse to comply with a request for rectification if we are satisfied that the data is accurate or that a request is manifestly unfounded or excessive (in which case we can charge a reasonable fee before dealing with the request).
In either case we will contact you within one month of the request.
Right to erasure
This right is also known as ‘the right to be forgotten’. It is not absolute and only applies in certain circumstances, whereby you have the right to ask us to erase your personal information. An example would be where the Personal Data we collected is no longer necessary for the original purpose for which it was collected or where an individual withdraws their consent (where consent was the lawful basis for holding the data).
Please note that a request for right to erasure also needs to be balanced against other factors, for example according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request.
Right to restrict processing
This is not an absolute right but in certain circumstances, as an alternative to requesting the erasure of Personal Data, you are entitled to ask us to stop using your Personal Data. An example would be where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.
When processing is restricted, 28 Too Many are still permitted to store the Personal Data but not to use it.
Right to data portability
In certain circumstances, you have the right to ask that we transfer any Personal Data that you have provided to us to another organization or third party. The Personal Data will be provided free of charge and in a structured, commonly used and machine-readable form such as a CSV file.
Right to object
You can ask us to stop sending you direct marketing messages at any time. 28 Too Many will stop processing Personal Data for direct marketing purposes as soon as we receive an objection.
Right not to be subject to automated decision-making
An individual has the right to object to their Personal Data being input into a system or computer and a decision or profile being calculated by an automatic process rather than by a human.
28 Too Many do not make automated decisions or carry out profiling using Personal Data.
Right to withdraw consent
Where 28 Too Many has asked you for explicit consent, you have the right to withdraw your consent to further use of your Personal Data at any time. Please note we may not be able to provide you certain services if you withdraw your consent.
If you wish to exercise any of the rights set out above, you can do so by contacting us in the ‘How to Contact Us’ section below. You will not have to pay a fee. However, we may charge a reasonable fee for the administrative costs of complying with the request if your request is manifestly unfounded, excessive or repetitive.
We may also need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
Once we have confirmed your identity, we will endeavour to implement any requests within 7 days and no later than one month from the time of the original request.
Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Links to other websites
How to Contact Us
If you wish to contact 28 Too Many, wish to withdraw your consent or have any additional questions about our collection and storage of your Personal Data, please contact us by email at [email protected]
If you are not happy with any aspect of how 28 Too Many collect and use your data, you have the right to lodge a complaint to the Information Commissioner’s Office (ICO) https://ico.org.uk/, who are the UK supervisory authority for data protection issues.
However, we would be grateful if you could contact us first if you do have a complaint so that we can try to resolve it for you.
Last updated: 04/05/2020