Business Show 2018 Competition The General Data Protection Regulations (‘GDPR’) require us (33 Bedford Row) as Data Controllers to have a legitimate reason for processing personal data. In respect to the competition prize draw being held at the Business Show 2018 (the ‘Competition’), we propose to rely upon the consent of those who choose to engage/enter, for the legitimate reason for processing their personal data (or legitimate interests in the event you are a qualifying business) In the event that you choose to enter/engage with the Competition, we will be relying upon your consent as the Data Subject. In order to rely upon your consent, we must be able to demonstrate that your consent was “freely given specific and informed indication…” of your wishes as a Data Subject, signifying your agreement to your personal data being processed. By placing your business card into the silver container, you have agreed to enter the Competition. You consent to your personal data being processed for the purposes of undertaking the prize draw and, in the event that your business card is drawn from the silver container, you consent to being contacted for the purposes of notifying you that you have won the Competition and for the purposes of arranging for you to receive the prize, and any other ancillary or supplemental purpose connected with the above. At the point when you enter the Competition, you will be separately requested to give your consent to having your personal data processed for purposes beyond holding the Competition (as outlined above). You will be requested to give your consent to having your personal data processed for purposes of us sending you, through the email address on your business card, promotional and marketing material about us and the services offered by our members. You will receive no more than 3 emails from us containing such promotional and marketing material. Unless requested to earlier, we will destroy the personal data collected from you within 1 month of the later of the following two events: (a) the Competition draw; (b) the third or final email sent to your containing promotional and marketing material. In any event, your personal data will be destroyed within 3 months of the date your engage/enter the Competition. Consent We adhere to the following statements about consent in the Preamble to the GDPR: ‘(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.’ (42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC1 a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’ (43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance. Your Rights As the Data Subject, you will have a subject access right, rectification right and a right to object to direct marketing. You will have the right to have personal data processed for restricted purposes and the right to transfer data/have it transferred to another Data Controller (data portability). You will have the right to be forgotten, in that you can request that your personal data be erased by the Data Controller and no longer processed. This will be where the data is no longer necessary in relation to the purposes for which it is processed, where you, the Data Subject, have withdrawn your consent, and where you object to the processing of your data or where the processing does not comply with the Regulation. We will keep an internal record in relation to all of your personal data we process. The record will include amongst other things, details of the purpose of processing of personal data, recipients, transfers to third countries, time limits for erasure as well as a general description of the technical and organisational measures in place protecting the data.