Our Privacy Policy has one principle and four elements


The principle derives from professional and personal experience. We believe we know the privacy rules around Europe, and how those are interpreted and managed in most countries, so first of all we think we understand what we should be doing professionally. Second, our personal experience is no different to any other user's: we don't like being chased around the web, and we're somewhat alarmed by how much of our data appears to be out there. So that provides our principle: we manage your data in the same way as we would want our own to be managed. That means (the following are the four elements referenced above):


  1. We don’t place cookies that track behaviour, other than those that help us understand how our own website is being used, and not any behaviour beyond that;
  2. We only have access to your ‘personal data’ (i.e. data that identifies you) if your email when registering provides that. We keep that data secure, we don’t pass it on to anyone else, and we don’t use it to be in touch without your permission. We’re really not interested in who you are, just what you need;
  3. Under GDPR, the legal basis that we use in order to ‘process’ that personal data (that can mean simply storing it) is ‘legitimate interest’. We explain that below via the three-part test set out by the ICO, the UK’s Data Protection Authority. This process is compatible with jurisdictions in other European countries, as it's compliant with a Regulation that applies directly in member states (retained law in the U.K.;
  4. We can’t be held responsible for cookies which other websites may place on your computer. This may happen when you click on a link to a Code of Conduct or a legislative text in the database, which will direct you to an external website beyond our control.


Processing personal data lawfully


Reproduced below is the three-part test for ‘legitimate interest’ as the lawful basis for processing personal data, as referenced above and as required by the ICO. The information below is the same as we have provided to the ICO.

1. Purpose test: is there a legitimate interest behind the processing?


We are a start-up business. WikiRegs is a regulatory database which provides free access online to rules that affect marketing communications in nine countries in Europe in the first instance, and worldwide in due course. The service is aimed at international advertising agencies and advertisers. The information it provides is not available elsewhere, and certainly not for free. Its benefit is that it helps agencies and advertisers understand multinational content and channel rules, thus avoiding what can be expensive mistakes. In order for us to secure any kind of return on investment (which has been considerable), it's important that we obtain the user’s email address when the user registers. We don't need to know the person’s name, and do not request that on registration, but we recognise that some email addresses, albeit very likely to be business addresses, may identify the individual.


2. Necessity test: is the processing necessary for that purpose?


The reason that we require email addresses is fourfold:


  1. We need to communicate with users about additional services that will or may become available; some of those services may be free, some may be at a cost. We will ask for users’ consent in the event that we wish to use their email for that purpose, and they will be given the opportunity to opt out on registration and on each contact occasion thereafter;
  2. We don’t need to know who users are; we do need to know, however, what kind of organisation they belong to, as that helps us to develop the service in line with user needs;
  3. We need to know how many unique users are accessing the service, as that is valuable information for potential investors. Requiring an email address as a user name lessens the likelihood of the original user information being used by multiple users ‘fraudulently’ and thus reducing unique usership;
  4. We need to have a means by which we may communicate with users, and vice versa.
3. Balancing test: is the legitimate interest overridden by the individual’s interests, rights or freedoms?


That question is probably best answered by the individual and, of course, the individual will answer it when an email address is requested and the full privacy issues are clearly spelt out to that person. However, we can confirm, based on qualitative information, that there is considerable industry interest in this service: as we have said, it is not available elsewhere, and it can lead to the avoidance of costly and embarrassing mistakes when developing international advertising.


We hope the above is a clear explanation of our 'legitimate interests' basis for processing personal data, and how we manage our Privacy and Cookie policy. Any questions, just send us an email