GDPR Compliance Policy for Art in the Middle Magazine LLC

GDPR Compliance Policy for Art in the Middle Magazine LLC

Effective Date: April 30, 2025
Last Updated: April 30, 2025
Version: 2.0

Table of Contents

1. Introduction
2. What is GDPR?
3. Our Commitment to GDPR Compliance
4. Data We Collect
5. Legal Bases for Processing
6. Your Rights Under GDPR
7. How to Exercise Your Rights
8. Cookies and Tracking Technologies
9. Third-Party Data Sharing
10. Data Retention Periods
11. Children's Privacy
12. International Data Transfers
13. Profiling and Automated Decision-Making
14. Data Security Measures
15. Data Breach Procedures
16. Data Protection Impact Assessments
17. Vendor Management and Accountability
18. Privacy by Design and Default
19. Staff Training and Awareness
20. Updates to This Policy
21. How to Contact Us

Introduction

Art in the Middle Magazine LLC ("Art in the Middle," "we," "us," or "our") is committed to protecting the personal data of our clients, customers, and website visitors. This GDPR Compliance Policy outlines how we comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), which is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

This document explains:

• What personal data we collect and process
• Why we collect and process this data
• How long we keep your data
• Your rights regarding your personal data
• How we protect your data
• Who we share your data with and why

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas.

The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. The regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

Our Commitment to GDPR Compliance

Art in the Middle Magazine LLC is fully committed to complying with GDPR requirements. This includes:

1. Lawful, Fair, and Transparent Processing: We process personal data lawfully, fairly, and transparently.
2. Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes.
3. Data Minimization: We ensure personal data is adequate, relevant, and limited to what is necessary.
4. Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
5. Storage Limitation: We keep personal data in a form that permits identification for no longer than necessary.
6. Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security.
7. Accountability: We are responsible for and can demonstrate compliance with GDPR principles.

Data We Collect

We collect and process the following categories of personal data:

Legal Bases for Processing

Under GDPR, we process personal data based on one or more of the following legal bases:

1. Consent: When you have given clear consent for us to process your personal information for a specific purpose. For example:
   • Newsletter subscriptions
   • Marketing communications
   • Cookie usage for non-essential purposes
   • Participation in surveys or research
2. Contractual Necessity: When processing is necessary to fulfil our contractual obligations to you. For example:
   • Processing subscription orders
   • Managing your account
   • Providing customer support
3. Legitimate Interests: When processing is necessary for our legitimate interests or those of a third party, provided those interests don't override your fundamental rights and freedoms. Our legitimate interests include:
   • Improving our content and services
   • Fraud prevention and security measures
   • Analytics to understand how users interact with our website
   • Business development and strategic planning
4. Legal Obligation: When processing is necessary to comply with our legal obligations. Examples include:
   • Tax and financial reporting requirements
   • Responding to legal requests from authorities
   • Maintaining business records required by law
5. Vital Interests: In rare circumstances, when processing is necessary to protect someone's life or safety.

Right to Object: You have the right to object to processing based on legitimate interests. To exercise this right, please contact our Data Protection Officer at info@artinthemiddle.com.

Your Rights Under GDPR

If you are in the EU or EEA, you have the following rights under GDPR:

1. Right to Be Informed
   • You have the right to be informed about the collection and use of your personal data.
   • We provide this information through this policy and additional privacy notices where appropriate.
2. Right of Access
   • You have the right to request a copy of the personal data we hold about you.
   • We will provide this information in a structured, commonly used, and machine-readable format.
3. Right to Rectification
   • You have the right to have inaccurate personal data rectified or completed if it is incomplete.
   • We will respond to rectification requests within 30 days.
4. Right to Erasure (Right to Be Forgotten)
   • You have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
   • This right applies in specific circumstances, such as when the data is no longer necessary for the purpose it was collected.
5. Right to Restrict Processing
   • You have the right to request the restriction or suppression of your personal data.
   • When processing is restricted, we may store your data but not further process it.
6. Right to Data Portability
   • You have the right to obtain and reuse your personal data for your own purposes across different services.
   • We will provide your data in a structured, commonly used, and machine-readable format.
7. Right to Object
   • You have the right to object to processing based on legitimate interests, direct marketing, and processing for research and statistics.
   • For direct marketing, this right is absolute - we will always honour your objection to direct marketing.
8. Rights Related to Automated Decision Making and Profiling
   • You have rights related to automated decision-making (making a decision solely by automated means without human involvement) and profiling.
   • We will inform you when we use automated decision-making with significant effects and provide you with a way to request human intervention.

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer using the contact information provided at the end of this policy. We've made this process as straightforward as possible:

1. Submit a Request: Use our dedicated GDPR request by sending email at info@artinthemiddle.com.
2. Verification: We'll verify your identity to ensure we're providing data to the right person. This may require additional information from you.
3. Response Timeline: We will respond to your request within 30 days. If we need more time due to complex requests, we'll notify you and may extend our response time by up to two additional months.
4. Response Format: We'll provide information electronically in a commonly used format.
5. Fees: We do not charge a fee for processing standard requests. However, we may charge a reasonable administrative fee if requests are manifestly unfounded, excessive, or repetitive.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience, analyse usage patterns, and deliver personalized content and advertising. Here's how we use these technologies:

Types of Cookies We Use

1. Essential Cookies: Required for basic website functionality (always active)
2. Functional Cookies: Enhance user experience by remembering preferences
3. Analytics Cookies: Help us understand how visitors use our site
4. Advertising Cookies: Used to deliver relevant ads and measure their effectiveness
5. Social Media Cookies: Enable sharing and social features

Cookie Management

You can manage your cookie preferences through:

1. Our Cookie Banner: When you first visit our site, our cookie consent banner allows you to:
   • Accept all cookies
   • Reject non-essential cookies
   • Customize your preferences by category
2. Preference Centre: You can change your cookie preferences at any time through our "Cookie Settings" link in the website footer.
3. Browser Settings: Most browsers allow you to block or delete cookies. Instructions for managing cookies in popular browsers:
   • Google Chrome
   • Mozilla Firefox
   • Safari
   • Microsoft Edge

Do Not Track Signals

Some browsers transmit "Do Not Track" signals. We honour Do Not Track signals where technically feasible, but not all features of our site may be compatible with this setting.

Third-Party Data Sharing

We share personal data with certain third parties to help us operate, provide, improve, and promote our services. All third-party data recipients are contractually obligated to protect and use your data only for the purposes outlined in this policy.

Categories of Third-Party Recipients

Major Third-Party Partners

We work with the following major third-party vendors (this is not an exhaustive list):

1. Google (Analytics, Ads)
2. Facebook/Meta (Social plugins, advertising)
3. TikTok Pixel (Social plugins, advertising)
4. Mailchimp (Email marketing)
5. Amazon Web Services (Cloud hosting)
6. Hotjar (User behaviour analytics)

For a complete and current list of our third-party vendors, please visit: www.artinthemiddle.com/vendors

Third-Party Accountability

We implement the following measures to ensure third parties comply with GDPR:

1. Data Processing Agreements (DPAs): All third parties must sign GDPR-compliant DPAs.
2. Vendor Assessment: We conduct privacy and security assessments before engaging new vendors.
3. Regular Audits: We periodically review our vendors' compliance with data protection requirements.
4. Transfer Safeguards: We ensure appropriate safeguards for international data transfers.

Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Here are our standard retention periods:

Data may be retained longer in the following circumstances:

• Legal obligation requires longer retention
• To resolve disputes or enforce agreements
• For archiving purposes in the public interest, scientific or historical research, or statistical purposes

Children's Privacy

Our services are not directed to children under 16 years of age, and we do not knowingly collect personal data from children under 16. We implement the following measures to protect children's privacy:

1. Age Verification: We employ appropriate measures to verify age where services might appeal to children (e.g., requiring date of birth for account creation).
2. Parental Consent: If we discover we have collected personal data from a child under 16, we will promptly:
   • Seek parental consent
   • Delete the information if consent is not obtained
3. Limited Processing: Even with parental consent, we limit the processing of children's data to what is necessary.

If you believe we have inadvertently collected data from a child under 16, please contact our Data Protection Officer immediately at info@artinthemiddle.com.

International Data Transfers

Art in the Middle Magazine operates globally, which means your information may be transferred to, stored in, or processed in countries outside your country of residence, including countries that may not have the same data protection laws as the country where you reside.

Countries Where We Process Data

We process data in the following key locations:

• United Arab Emirates (headquarters)
• United States (cloud servers)
• United Kingdom (editorial team)
• Saudi Arabia (editorial team)
• Qatar (editorial team)
• Bahrain (editorial team)
• Germany (European operations)
• Singapore (Asia-Pacific operations)

Transfer Safeguards

When we transfer personal information outside the European Economic Area (EEA), United Kingdom, Switzerland, or other regions with comprehensive data protection laws, we ensure appropriate safeguards are in place, which may include:

• European Commission approved Standard Contractual Clauses (SCCs): Our primary legal mechanism for data transfers
• Binding Corporate Rules for transfers within our corporate group
• Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection
• Derogations under Article 49 of the GDPR such as explicit consent or contractual necessity
• UK International Data Transfer Agreement (IDTA) for transfers from the UK
• Supplementary Measures such as encryption and access controls to enhance protection

You can request a copy of the specific safeguards applied to your data by contacting our Data Protection Officer.

Profiling and Automated Decision-Making

Our Use of Profiling

We use profiling techniques in the following contexts:

1. Content Recommendations: To suggest articles and content based on your reading history and preferences
2. Marketing Segmentation: To categorize subscribers for relevant communications
3. Analytics: To understand audience segments and content performance

Automated Decision-Making

We do not make decisions with legal or similarly significant effects based solely on automated processing. Where we use automated decision-making:

1. We provide meaningful information about the logic involved
2. We explain the significance and consequences of such processing
3. We ensure human oversight is available when needed
4. We implement safeguards such as regular testing for bias and errors

Your Rights Regarding Profiling

You have the right to:

• Object to profiling for direct marketing purposes
• Request human intervention in significant automated decisions
• Express your point of view about automated decisions
• Contest automated decisions

To exercise these rights, please contact our Data Protection Officer at info@artinthemiddle.com

Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Our security measures include:

Technical Measures

1. Encryption: All data in transit uses TLS encryption; sensitive data at rest is encrypted
2. Access Controls: Role-based access controls and multi-factor authentication
3. Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning
4. Backup Systems: Regular backups with encryption and secure off-site storage
5. Monitoring: 24/7 security monitoring and alerting systems

Organizational Measures

1. Information Security Policies: Comprehensive and regularly updated security policies
2. Employee Training: Regular data protection and security awareness training for all staff
3. Access Management: Strict need-to-know basis for data access
4. Vendor Assessment: Security review of all third-party providers
5. Physical Security: Secure premises with controlled access to server rooms and offices

Compliance and Certification

1. Regular Audits: Internal and external security audits
2. Penetration Testing: Annual penetration testing by independent security firms
3. Industry Standards: Adherence to ISO 27001 principles and NIST Cybersecurity Framework

Data Breach Procedures

Art in the Middle Magazine LLC has implemented comprehensive procedures to detect, report, and investigate personal data breaches.

What Constitutes a Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Our Response Process

1. Detection and Internal Reporting:
   • All staff are trained to recognize and report potential breaches
   • Dedicated reporting channel to our security team
2. Assessment:
   • Immediate assessment of the nature and scope of the breach
   • Determination of what data was affected and who is impacted
   • Risk assessment for affected individuals
3. Containment and Recovery:
   • Immediate steps to contain the breach and mitigate harm
   • Recovery measures to restore any lost data
   • Security improvements to prevent similar breaches
4. Notification to Authorities:
   • We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible
   • If the breach is unlikely to result in a risk to individuals' rights and freedoms, we may determine that notification is not required
5. Notification to Affected Individuals:
   • If the breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected individuals without undue delay
   • Notifications will include:
     • Clear description of the breach
     • Name and contact details of our DPO
     • Likely consequences of the breach
     • Measures taken or proposed to address the breach
     • Steps individuals can take to protect themselves
6. Documentation:
   • All breaches are documented in our internal breach register
   • Documentation includes facts about the breach, effects, and remedial actions

How We Will Notify You

In the event of a breach requiring notification, we will contact affected individuals via:

• Email (primary method)
• Phone call for urgent situations
• Postal mail if email is unavailable
• Public notice on our website (in cases where direct contact is impossible or would involve disproportionate effort)

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms.

When We Conduct DPIAs

We perform DPIAs in the following situations:

1. When implementing new technologies or systems that process personal data
2. For systematic and extensive profiling or automated decision-making
3. When processing special categories of data on a large scale
4. When monitoring publicly accessible areas on a large scale
5. When combining or matching data from multiple sources
6. For any processing the supervisory authority considers high risk

Our DPIA Process

Our DPIA methodology includes:

1. Systematic description of processing operations and purposes
2. Assessment of necessity and proportionality of processing
3. Risk assessment for individuals' rights and freedoms
4. Mitigation measures to address risks
5. Documentation of findings and decisions
6. Consultation with DPO and where appropriate, data subjects
7. Prior consultation with supervisory authorities where high risk remains

Vendor Management and Accountability

We implement a comprehensive vendor management program to ensure all third parties who process personal data on our behalf comply with GDPR requirements.

Vendor Selection and Due Diligence

Before engaging any third-party vendor, we:

1. Conduct privacy and security assessments
2. Review their GDPR compliance documentation
3. Verify they implement appropriate technical and organizational measures
4. Check their data breach notification procedures
5. Evaluate their subcontractor management practices

Contractual Safeguards

All third-party data processors must sign:

1. Data Processing Agreements (DPAs) that include all Article 28 GDPR requirements
2. Standard Contractual Clauses for international transfers where needed
3. Confidentiality provisions binding their employees and subcontractors

Ongoing Vendor Management

We maintain oversight of our vendors through:

1. Regular compliance reviews and audits
2. Performance monitoring against service level agreements
3. Security incident reporting requirements
4. Updates and notification processes for changes to processing activities
5. Annual re-certification of compliance

Sub processor Management

We require our processors to:

1. Maintain a current list of sub processors
2. Obtain our approval before engaging new sub processors
3. Flow down GDPR obligations to all sub processors
4. Take full responsibility for sub processors' compliance

For our current list of approved vendors and sub processors, please visit www.artinthemiddle.com/vendors.

Privacy by Design and Default

We implement appropriate technical and organizational measures to integrate data protection principles into our processing activities and business practices.

Privacy by Design Principles

We incorporate the following principles into our product development and business processes:

1. Proactive not Reactive; Preventative not Remedial
   • We anticipate and prevent privacy-invasive events before they occur
   • We conduct privacy risk assessments at the planning stage
2. Privacy as the Default Setting
   • We ensure maximum privacy by ensuring personal data is automatically protected
   • No action is required from individuals to protect their privacy
3. Privacy Embedded into Design
   • Privacy is an essential component, not an add-on
   • Privacy is integrated into our systems and practices
4. Full Functionality — Positive-Sum, not Zero-Sum
   • We avoid false trade-offs like privacy vs. security
   • We demonstrate that both privacy and functionality can be achieved
5. End-to-End Security — Full Lifecycle Protection
   • We ensure secure data management throughout the entire lifecycle
   • We implement secure data collection, retention, and deletion practices
6. Visibility and Transparency — Keep it Open
   • We document our data practices and make them available to users
   • We ensure accountability to individuals and regulators
7. Respect for User Privacy — Keep it User-Centric
   • We offer user-friendly privacy options and defaults
   • We provide clear notices and intuitive controls

Implementation Methods

1. Data Minimization
   • We collect only what is necessary for specified purposes
   • We implement purpose limitation by design
2. Default Privacy Settings
   • Our products and services have privacy-protective default settings
   • Marketing opt-ins are never pre-selected
3. Technical Measures
   • We implement pseudonymization and data de-identification where possible
   • We use encryption for data in transit and at rest
4. Access Controls
   • We enforce least-privilege principles for staff data access
   • We implement role-based access controls
5. Retention Limits
   • We build automated deletion capabilities into our systems
   • We enforce retention periods through technical controls

Staff Training and Awareness

All our staff members who process personal data have received training on GDPR requirements and our data protection policies. We regularly conduct refresher training to ensure ongoing compliance.

Training Program

Our comprehensive data protection training program includes:

1. Initial Training for All Staff
   • GDPR fundamentals and principles
   • Individual rights under GDPR
   • Staff responsibilities for data protection
   • Identifying and reporting data breaches
   • Security best practices
2. Role-Specific Training
   • Enhanced training for teams handling sensitive data
   • Technical training for IT and development staff
   • Marketing team training on consent requirements
   • Customer service training on handling data subject requests
3. Annual Refresher Training
   • Updates on regulatory changes
   • Lessons learned from incidents
   • Best practices and procedure updates
4. Awareness Program
   • Regular privacy newsletters
   • Privacy champions network
   • Simulated phishing exercises
   • Data protection reminders and tips

Training Documentation

We maintain records of all training activities, including:

• Training content and materials
• Attendance records
• Assessment results
• Training effectiveness evaluations

Culture of Privacy

We foster a privacy-aware culture through:

• Executive leadership commitment
• Privacy considerations in performance evaluations
• Recognition of privacy-protective behaviours
• Clear escalation paths for privacy concerns

Updates to This Policy

We may update this GDPR Compliance Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors.

How We Make Updates

1. Policy Review Process
   • Regular reviews at least annually
   • Ad-hoc reviews when regulations change
   • Reviews following major system changes
2. Notification of Changes
   • Material changes will be notified via:
     • Email to registered users
     • Prominent notice on our website
     • Within our mobile applications
3. Version Control
   • Each update is assigned a new version number
   • Previous versions remain accessible in our policy archive
   • Change logs summarize modifications between versions
4. Effective Date
   • Each version displays its effective date
   • We typically provide 30 days' notice before material changes take effect

Your Options

When we make material changes to this policy, you may:

• Continue using our services under the updated terms
• Update your privacy preferences in response to changes
• Request deletion of your data if you do not agree with the changes
• Unsubscribe from our services if permitted by your subscription terms

How to Contact Us

Data Protection Officer (DPO)

Art in the Middle Magazine LLC has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation to ensure compliance with GDPR requirements. Our DPO can be contacted at:

Data Protection Officer
Art in the Middle Magazine LLC
Sharjah Media City
Sharjah, United Arab Emirates
Email: info@artinthemiddle.com

Additional Contact Methods

For GDPR-related inquiries:

• Email: info@artinthemiddle.com
• Postal Mail:
  Privacy Team
  Art in the Middle Magazine LLC
  P.O. Box 12345
  Sharjah Media City
  Sharjah, UAE

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, work, or where an alleged infringement of GDPR has occurred. A list of EU Data Protection Authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en

© 2025 Art in the Middle Magazine LLC. All rights reserved.