International Trade and Global Business


You and the European Privacy Law

Europeans are very much in favor of the concept of the “right to be forgotten,” an important cultural nuance that Mr. Ross must have forgotten before he criticized the right to assert this right in a way that might burden U.S. companies.

We at WPG have provided information on EU privacy laws in the past and were intrigued recently when we received an email from the National Theatre of London.  On its website was a what we thought a very comprehensive privacy policy that spells out in very plain language what the Theatre does with your personal information—all in accord with the new law.
You need not follow this approach exactly, or in such detail, but if you receive personal information from EU citizens, most typically in the form of what you collect in an e-commerce transaction, you must protect their personal information.  This means communicate, communicate, communicate what your policy is.  Post it clearly on your website.  Put a link to your privacy policy in emails to the EU customer. 

We’ve edited the National Theatre policy for space constraints and relevancy to our readers.  This isn’t legal advice, but rather what we think is an approach worth capturing in your privacy policy. We’ve divided this discussion into three blog posts, so make sure to read all if you want a full grasp of how organizations are attempting to comply.  If you don’t have time to read the blogs, the big takeaway is that if you are careless in handling personal data of European citizens you can get into real legal and financial trouble.  Complying is not difficult, and you may find the European standard makes so much sense that you’ll want to adopt it for all of your customers no matter where they live.


“The National Theatre is committed to protecting your personal information, being transparent about what data we hold and giving you control over how we use it. The purpose of this Privacy Policy is to give you a clear explanation about how we use the information we collect from you.

How do we collect personal information?
We collect your information when you interact with us. This could include booking tickets online, by phone, or in person, ordering an item from our online shop. It could also be when you sign up to receive updates from us by email and other digital channels. We also monitor how audiences use the website to help us understand how it could be improved.

What information do we collect from you?

We only collect the information that’s necessary to carry on our business, provide the particular product or service you’ve requested and to keep you informed. There are occasions when you can choose not to give us certain information, but this may mean that we cannot provide you with certain products or services and that our communications are less relevant and personalized. The type of information we collect depends on where and when it is gathered. Read on to find out more.
Information we obtain directly from you:
When you create an account with us, register on our website, purchase tickets or other items from us, ask us for information…either online, by post or phone, we need to collect information from you in order to provide the service or information you are requesting or to process your application. We collect the following information in the registration and booking process:
      Prefix and name
      Email address
      Date of Birth
      Contact phone number(s)
      Payment card details.
      Delivery address(s)
      Billing address

 When you visit our website, we may collect the following information:
 Automatically populated IP address: a public IP address is a unique number which allows a computer, group of computers or other internet connected device to browse the internet. The log file records the time and date of your visit, the pages that were requested, the referring website (if provided) and your internet browser version.

Cookies: for further information about Cookies and how the National Theatre uses them, please read our Cookie Policy.

If you contact us with feedback online, by email, by phone or in person, we keep a record of the correspondence on our database to help us improve customer service.

You and the New European Privacy Law, Part 2

In this blog post we continue the case study of the National Theatre of England and how it communicates how it handles personal information in accord with the EU’s new privacy law.  Much has been written about the law, but there are few examples available of how organizations are explaining their policy to their clients and customers. We continue our series with how the National Theatre handles personal information where third parties are concerned.

“Information we receive from third parties:
In certain circumstances, your information will be shared with us by third parties. For example:

-Arts organisations: we collect personal information from other arts organisations that the National Theatre works with;
-Service providers: we collect personal information from our website developer, IT support provider, payment services provider, restaurant and bar booking service agents and agents who sell tickets on our behalf (we only work with agents who are members of the Society of Ticket Agent Retailers). For donors, we sometimes use service providers to verify source of funds as required by law; and
-Publicly available sources: we combine information you have given to us with information available from external sources. This will only be done when you give permission to the relevant third party organisations to share with us the data they hold on you, or if the data is already publicly available, or if we are required by law or requested by the police or a regulatory or government authority investigating potentially illegal activities. From time to time we screen our database against recognised data sources such as National Change of Address file and cleanse our file or correct inaccurate data. We may also update inaccurate data if the information is available.
-Social media plugins: we may use social media plugins from the following service providers who are based both inside and outside the EU: Facebook, WhatsApp and Twitter. Such plugins allow you to register with us using your social media account, and you will be aware when this is happening. By providing your social media account details you are authorizing that third party to share with us certain information about you.;
-Employers and referees: if you are a job applicant we may contact your recruiters, current and former employers and/or referees, who may be based inside or outside the EU, to provide information about you and your application.

We might also receive information about you from third parties if you have indicated to such third party that you would like to hear from us.

Why do we collect this information, and what do we do with it?
The main reasons we collect information are to provide a service you have requested, to keep you up to date with news and events, to personalise your communications, or to contact you if we need to obtain or provide additional information. The information we collect about our audiences also helps us understand how we can best meet their needs.
We will use your information for the purposes listed below either on the basis of:

-performance of your contract with us and the provision of our services to you;
-your consent (where we request it);
-where we need to comply with a legal or regulatory obligation; or
-our legitimate interests (see below for further information).

Specifically, we use the information we collect from you in the following ways:

To manage your booking or purchase with us. We will use your personal information to:

-fulfil ticket, merchandise, donation and membership requests (on the basis of performing our contract with you);
-process payments (on the basis of performing our contract with you). Please note that the National Theatre does not store any Credit Card or other payment information once the transaction has been completed unless you have asked us to store your card details for future bookings. provide good customer service at the theatre or by phone (on the basis of performing our contract with you or on the basis of our legitimate interests to provide you with customer service); and
-contact you with important information relating to your booking or purchase, such as confirming your order, reminding you of an upcoming performance you’ve booked for or letting you know about cast changes, travel disruption or changes to event times that may affect your visit (on the basis of performing our contract with you or on the basis of our legitimate interests to provide you with service information).

To send you marketing communications. We will use your personal information to:

-keep you up-to-date with news, offers, talks and events, products and information, and let you know about opportunities to support our work at the South Bank and in schools and communities across the UK (where you have provided your consent or on the basis of our legitimate interests to provide you with marketing communications where we may lawfully do so). You can tailor your preferences at any time by logging into the website and visiting the MyNT section;
-send information by post about how you can support the National Theatre (on the basis of our legitimate business interests to seek support); and
-send marketing information to companies and organisations about ways to support us (on the basis of our legitimate business interests to promote the National Theatre).

To personalise your experience (on the basis of our legitimate interests to present you with the right kinds of products and services). We will use your personal information to:

-help us target our marketing communications so that they’re more relevant to you. You can opt-out of personalised communications by selecting 'Remove profiling' in the Contact preferences section of your account: login and visit MyNT;
-keep track of your interests and preferences so that we can contact you with information that is relevant to you;
-show you advertising on such Social Media platforms as Facebook and Instagram or via other third-party advertising that may appear on other websites you use. You can opt-out of targeted advertising (please note that you may not see fewer ads, but they will be less relevant to your interests);
-help make the experience of using our website better and to personalise the service you receive from us – this means we will remember your previous visits and track the pages on our website that you visit;
-understand your interests and personalise communications to you. For more information please see our Cookie Policy.

To conduct research (on the basis of our legitimate interests to improve our products, services and customer service). We will use your personal information:

-for classifying our audiences into groups or segments, using information from bookings and digital interactions, and publicly available information. We do this to better understand our audience and tailor messaging accordingly;
-to measure and understand how our audiences respond to a variety of marketing activity so we can ensure our activity is well targeted, relevant and effective;
-to undertake audience research via an online or telephone survey or in person. Participation in these is entirely voluntary, so you can choose whether or not to disclose any information requested. We will make it clear whether your response to surveys is anonymous or not and, should you provide any further information, the National Theatre will inform you how it will be used;
-to analyse and continually improve the services we offer including our artistic programme, our website and our other products;
-to help us run the test version of our website that we use internally to pilot new features and ensure the smooth running of our web services; and
-to help diagnose and manage the website, to audit the geographical make-up of users, and to establish how they have arrived at the website.

You and the New European Privacy Law, Part 3

This is the third blog in the series on the new EU privacy law.  We’ve quoted at length from the privacy policy of the National Theatre of England, which we think is admirably comprehensive and clearly expressed.  The new law attempts to balance the legitimate need of business to be successful with the rights of EU citizens to have certain personal information protected.  In the age of the “surveillance state,” we think discussions about how to strike this balance are enormously important.  We begin with the section describing the National Theatre’s business interests and we end with a discussion of implications for your business.

“To ensure security and protect our business interests. In certain circumstances, we use your information to ensure the security of our services, buildings, and people, including to protect against, investigate and deter fraud, unauthorised or illegal activities, systems testing, maintenance and development (on the basis of our legitimate interests to operate a safe and lawful business or where we have a legal obligation to do so).

To comply with our legal obligations. In certain circumstances, we will need to use your information to comply with our legal obligations, for example to comply with any court orders or subpoenas, carry out due diligence in accordance with statutory regulations or keep our database accurate and relevant, for example, using National Change of Address (on the basis of our complying with a legal obligation).

Legitimate interests

Where we refer to using your information on the basis of our ‘legitimate interests’, we mean our legitimate business interests in conducting and managing our business and our relationship with you, including the legitimate interest we have in:

-personalising, enhancing, modifying or otherwise improving the services and/or communications that we provide to you;
-detecting and preventing fraud and operating a safe and lawful business;
-improving security and optimisation of our network, sites and services; and
-providing you with customer service.

Where we use your information for our legitimate interests, we make sure that we take into account any potential impact that such use may have on you. Our legitimate interests don’t automatically override yours and we won’t use your information if we believe your interests should override ours unless we have other grounds to do so (such as your consent or a legal obligation). If you have any concerns about our processing please refer to the ‘How can you manage your personal information?’ section below.

Where is your information?
We’re committed to protecting your personal information. We adopt robust and appropriate technologies and policies to protect it from unauthorised access and improper use. In addition, whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it as it would have in the EEA.

As part of the services offered to you, the personal information you provide may be transferred to countries outside the European Economic Area (EEA). By way of example, this may happen if any of the computer servers used to host the website are located in a country outside of the EEA. If the National Theatre transfers your personal information outside of the EEA in this way, we will take steps to ensure that your privacy rights continue to be protected as outlined in this privacy policy.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following transfer solutions are implemented:
(a)    Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; and
(b)    Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

In particular, if you live in the USA and are an actual or prospective donor we may transfer your information to the American Associates of the National Theatre (AANT), a New York-based organisation which raises money to support the work of the National Theatre. We may also transfer your data if you are attending an event organised by AANT.

How long do we keep your data?
We will keep your information only for as long as is reasonably necessary for the purposes set out in this Privacy Policy and to fulfil our legal obligations. We will not keep more information than we need.

The retention period will vary according to the purpose, for example if purchasing a ticket only, we will typically keep your data for up to eight years from the date of your last transaction whereas, if you have pledged a legacy to the National Theatre, we will hold your details until notified by your executors. For further information about how long we will keep your information, please contact the Data Protection Manager using the contact details outlined in this policy.

Is personal information shared with any third parties?
The National Theatre will never share, sell, rent or trade your personal information to any third parties for marketing purposes without your prior consent. We will ask for your consent to share personal information with arts organisations who have collaborated with us on shows you have seen.

Some of our service providers may have access to your data in order to perform services on our behalf (payment processing is a good example of this) or to advise us (such as legal advisors). We make sure anyone who provides a service for the National Theatre enters into an agreement with us and meets our standards for data security. They will not use your data for anything other than the clearly defined purpose relating to the service or advice that they are providing.

We may also disclose personal information to appropriate third parties to assist in anti-fraud checks and investigations.

How can you manage your personal information?
You can access and amend the personal information that we hold for you, or request that we stop contacting you at any time.

If you have an online account with us, you can amend your personal details and contact preferences. Simply log into the web site and access your account in the MyNT section.

Or you can contact us by phoning, emailing, or writing using our contact details set out at the top of this Privacy Policy.

You have certain rights in respect of the information that we hold about you, including:

-the right to be informed of the ways in which we use your information, as we seek to do in this Privacy Policy;
-the right to ask us not to process your personal data for marketing purposes;
-the right to request that we correct or rectify any information that we hold about you which is out of date or incorrect;
-in addition to your right to lodge a complaint about us to the UK Information Commissioner’s Office (, you can lodge a complaint with the relevant authority in your country of work or residence;
-the right to withdraw your consent for our use of your information in reliance of your consent (refer to “Why do we collect this information, and what do we do with it?”   above to see when we are relying on your consent), which you can do by contacting us using any of the information at the top of this Privacy Policy;
the right to object to our using your information on the basis of our legitimate interests (refer to “Why do we collect this information, and what do we do with it?” above to see when we are relying on our legitimate interests) (or those of a third party)) and there is something about your particular situation which makes you want to object to processing on this ground;
-the right to receive a copy of any information we hold about you in connection with the performance of our contract with you or on the basis of your consent (or request that we transfer this to another service provider) in a structured, commonly-used, machine readable format, in certain circumstances; and
-the right to ask us to limit or cease processing or erase information we hold about you in certain circumstances.

How to exercise your rights

-You may exercise your rights above by contacting us 
-We will comply with your requests unless we have a lawful reason not to do so.
Every email we send to you will include details on how to change your communications preferences or unsubscribe from future communications.
-You can manage your settings for how our website uses cookies here
-You can opt-out of targeted advertising here. Please remember that you may still see the same number of adverts, but they will be adverts that appear as standard and less relevant to you.

 What we need from you to process your requests

-We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
-You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Please note that we may need to retain certain information for our own record-keeping and research purposes. We may also need to send you service-related communications relating to your website user account even when you have requested not to receive marketing communications.”

Comment on the policy

This policy is much more detailed than the usual small print, legal mumbo jumbo than often passes for a policy elsewhere.  It’s thoughtful, very detailed and written in a plain, straight forward fashion.  Businesses retain significant flexibility under the doctrine of legitimate business interests—a nod by the law’s drafters to the fact that personal info makes the world go ‘round. How best to balance the interests of maximum personal information protection with legitimate busy interests?  This is the result, and it forces businesses to tell customers what they do with their data, allow customers to opt out if they, for example, don’t want their data to be shared (sold or traded) to third parties.  Communicating, even over communicating, is the key to complying with EU law.


Blog post currently doesn't have any comments.

Leave a Comment

 Security code

Related Posts:

Trade Documentation: The Shift from Papers to Digits is On

One of the biggest costs of and impediments to more cross-border trade is the paperwork needs of the freight forward and...

Read More

OPIC Gets a Facelift and Much More Money

More U.S. government money intended to counter China’s growing influence in the developing world means more opportunities for U.S. small and...

Read More

Increase your Cyber Security IQ

In a previous post, we discussed the importance for small and midsized business engaged in cross-border trade to have in place...

Read More

Siri, Where are My Best Export Markets?”

Small and midsized exporters want to know on which new export markets they should focus.  Until now the best approach available...

Read More

A Place Where Kids Find Kindness, Compassion, and Friendship

Everyone longs for companionship—children especially.  Grown-ups can pursue any number of options for connecting with others: joining a club, volunteering, even...

Read More

Dishing it Out: Selling Food Products from the U.S. to Other Countries

Michael Strange's family has been in the ice cream business for generations.  His great-grandfather founded Bassetts Ice Cream Company in Philadelphia...

Read More

<   1  -  2  -  3  -  4  -  5  -  6  -  7  -  8  -  9  -  10 ...   >