Privacy Policy & Data Processing Agreement

IWSR is the trading name of IWSR Drinks Market Analysis Limited, a company registered in England and Wales with ICO registration number ZA476880, whose registered address is at Nutmeg House, 60 Gainsford St, London, United Kingdom, SE1 2NY. 


If you have any questions about this policy, including any requests to exercise your legal rights, please contact us by:

This policy was last updated on 5th June 2024.

Privacy Policy

How do you use my data?

  • When you use our website and consent to our use of cookies we will collect information about how you use our website. We use this information to improve our website and to better understand how our clients use it. More detail on the information we collect and how we do this is set out in our Cookie Policy below.
  • When you create and log into your account we will collect your name, email address, address, company name, job title, phone number and country where your business / employer operates. We collect this in order to take steps to enter into a contract with you and allow you to purchase our products and services.
  • When you purchase products and services from us we will use your account information detailed above and will collect your payment details. We collect this in order to take steps to enter into a contract with you and allow you to purchase our products and services.
  • When you sign up to receive our updates we will collect your name and email address to provide you with our updates in line with any preferences you have told us about. When we send you our updates because you have opted-in to receive them, we rely on your consent to contact you.You can unsubscribe from our updates at any time by responding to any email you receive from us to tell us you wish to unsubscribe or by contacting us using the details above.
  • When you contact us with a query either by phone, email, via our ‘contact us’ page or via social media, we will usually collect your name, social media handle and contact details, because it’s in our legitimate interest to make sure we can properly respond to your query.
  • When you attend one of our events or webinars (including virtual events via video conferencing providers), we will usually collect your name, address, email address and phone number. We collect this information because it’s in our legitimate interests to promote our business and to know who’s attending our events. You may also choose to make your name, title and company available to other attendees during the event.
  • When you apply for a job with us we may collect your name, contact details, recruitment information (e.g. right to work documentation and references), test results, qualifications, accreditations and any additional information we may receive from you or our recruitment partners.We will use your personal information to assess your suitability for our available roles. We do this to perform our contract obligations or to take steps at your request, before entering into a contract. Where we process your right to work documentation, we will do so to comply with our legal obligations.
  • If our business is sold. We process your personal information for this purpose because we have a legitimate interest to ensure our business can be continued by the buyer. If you object to our use of your personal information in this way, the buyer of our business may not be able to provide services to you.


Who do you share my data with?

  • Business partners, suppliers, and investors for the performance of the contract we enter into with them or you.
  • Promotional events and marketing organisations, we do not sell data for marketing purposes, but may share your data with an event organiser for the purposes of running events and webinars, and for sending you marketing. We will always tell you before (usually on the event registration form) and you will be given the chance to opt-out before we do this.
  • Regulators/ Authorities/ Enforcement Agencies if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of our clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
  • Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.


Where do you store my data?

We store your data on our servers and third party servers which are based both in the UK and outside of the UK.

When working with third parties we may need to transfer your personal data outside of the UK and / or EU.

Whenever we transfer your personal information outside of the UK and the EU, we ensure it receives additional protection as required by law. To keep this policy as short and easy to understand as possible, we haven’t set out the specific circumstances when each of these protection measures are used. You can contact us using the contact details above for more detail on this.


How long do you keep my data for?

We will only retain your personal information for as long as we need it unless we are required to keep it for longer to comply with our legal, accounting or regulatory requirements.

In some circumstances we may carefully anonymise your personal data so that it can no longer be associated with you, and we may use this anonymised information indefinitely without notifying you. We use this anonymised information to improve our products and services.


What are my rights under data protection law?

You have various other rights under applicable data protection laws, including the right to:

  • access your personal data (also known as a “subject access request”);
  • correct incomplete or inaccurate data we hold about you;
  • ask us to erase the personal data we hold about you;
  • ask us to restrict our handling of your personal data;
  • ask us to transfer your personal data to a third party;
  • object to how we are using your personal data; and
  • withdraw your consent to us handling your personal data.

You also have the right to lodge a complaint with us or the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales. If you are based in the EU you can find your relevant supervisory authority here.

Please keep in mind that privacy law is complicated, and these rights will not always be available to you all of the time.

You can go to IWSR’s subscription centre and select or change your contact preferences at any time. A link to the subscription centre can be found at the bottom of all IWSR marketing emails.



Data Processing Agreement


This Data Processing Agreement (“DPA”) may be incorporated by reference in any agreement (“Agreement”) you as a customer (“Customer”) have with IWSR Drinks Market Analysis Limited (“IWSR”) where personal data is being processed, and shall continue until such Agreement terminates.


Agreed Terms

1. Definitions

1.1  “Agreed Purpose” means the performance by IWSR of its obligations under the Agreement including the promotion of the IWSR Products by IWSR.

1.2  “Customer Data” means the following types of Personal Data relating to Customer or its personnel may be shared with IWSR in connection with its provision of the products or services: name, gender, address, data or birth, email address and financial information.

1.3  “Data Protection Law” means, where applicable, the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (“UK GDPR”); the Data Protection Act 2018 (“DPA 2018”); and the European Privacy and Electronic Communications Directive (Directive 2002/58/EC) (as updated by Directive 2009/136/EC), each as amended or replaced from time to time and all other national, international, regional, federal or other laws related to data protection and privacy that are applicable to any territory where IWSR processes personal data or is established.

1.4  “Personal data”, “personal data breach”, “controller”, “processor”, “processing”, “data subject” and “supervisory authority” shall have the meanings ascribed to them under Data Protection Law.

1.5  “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021.


2. Interpretation

2.1  All capitalised terms used but not otherwise defined in this DPA shall have the meaning given to them in the Agreement.

2.2  To the extent any provision of this DPA conflict with any term of the Agreement, the relevant provision of this DPA shall prevail.


3. Status of the parties

3.1  For the purposes of this DPA, the Customer and IWSR agree that IWSR acts as a processor and Customer acts as a controller in respect of the Customer Data.

3.2  The particulars of the processing are set out in the Schedule.


4. Customer obligations

Customer shall comply with its obligations under Data Protection Law and shall in particular:

4.1  Ensure that it is entitled to transfer the relevant Customer Data to IWSR so that IWSR may lawfully use, process and transfer the Customer Data in accordance with the Agreement on the Customer’s behalf; and

4.2  The relevant data subjects have been informed of such use, processing, and transfer as required by all applicable Data Protection Laws.


5. IWSR obligations

IWSR shall comply with its obligations under Data Protection Law and shall in particular:

5.1  Only process the Customer Data for: (i) the Agreed Purpose; (ii) as instructed by the Customer; and (iii) as necessary to comply with IWSR’s requirements under any applicable law;

5.2   If IWSR is aware that the Customer’s processing instructions infringe applicable laws, IWSR shall notify the Customer immediately (unless prevented from doing so by applicable laws) and not carry out the relevant processing;

5.3  Maintain all appropriate technical and organisational measures to ensure security of the Customer Data including protection against unauthorised or unlawful processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of the Customer Data) taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the likelihood and severity of risk in relation to the rights and freedoms of the data subjects;

5.4  Ensure that all persons authorised by IWSR to process the Customer Data are subject to either contractual or statutory obligations of confidentiality;

5.5  Provide reasonable assistance to Customer to demonstrate its compliance with the Data Protection Law, including but not limited to: (i) ensuring compliance with its security, breach notification, impact assessment and prior consultation obligations; and (ii) responding to (a) any request from a data subject to exercise its rights under Data Protection Law (without responding to that request unless authorised to do so by the Customer); and (b) any other correspondence or enquiry received in connection with the processing of the Customer Data;

5.6  Notify the Customer without undue delay as soon as it becomes aware of any personal data breach in connection with the Customer Data;

5.7  Maintain appropriate records and information in compliance with Data Protection Law and on request by the Customer, make available such records information necessary to demonstrate IWSR’s compliance with this DPA and otherwise permit, and contribute to, audits carried out by the Customer (or its authorised representative); and

5.8  On termination or expiry of the Agreement, destroy or return (as the Customer directs) all Customer Data in its power, possession or control and delete all existing copies of such data except to the extent IWSR is required to retain a copy the personal data by law.


6. Cross-Border Transfers

If an adequate protection measure for the international transfer of personal data is required under the Data Protection Law and has not otherwise been arranged by the parties, the Standard Contractual Clauses shall be incorporated into this DPA in the schedule as if they had been set out in full.


7. Sub-Processors

7.1  The Customer authorised IWSR to engage the sub-processors listed at Schedule 1, subject to: (i) IWSR entering into a written agreement with such sub-processors containing obligations which comply with Data Protection Law; and (ii) IWSR remaining liable for any breach of this DPA that is caused by its sub-processors.

7.2  IWSR shall inform the Customer of any changes concerning the addition or replacement of other sub-processors thereby giving the Customer the opportunity to reasonably object to such changes.


8. Limitation of Liability

Subject to the limitation of liability provisions in the Agreement, to the extent that Customer has an entitlement under Data Protection Law to claim from IWSR compensation paid by the Customer to a data subject as a result of a breach of Data Protection Law to which IWSR contributed, IWSR shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant data subject.


9. Changes

The Customer and IWSR shall agree in good faith any reasonable changes required to this DPA to comply with any changes to Data Protection Law.




1. Incorporation of the EU SCCs

1.1  To the extent clause 6.1 applies and the transfer is made from a UK or EU based Customer to an IWSR entity based outside of the UK or EU, this Schedule 1 and the following terms shall apply: Module 4 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Processor, the importer is a Controller and the transfer requires such additional protection.


2. Clarifications to the EU SCCs

2.1  For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:

  • 2.1.1  If the exporter is established in an EU Member State: The Irish Data Protection Commissioner;
  • 2.1.2  Where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter’s representative is appointed shall be the competent Supervisory Authority; and
  • 2.1.3  Where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

2.2  For the purposes of clause 8.1(d) of the EU SCCs, at the end of the provision of the processing services the exporter shall delete all Personal Data and shall certify to the importer that it has done so, if requested to provide such certification by the importer in writing.

2.3  For the purposes of clauses 17 and 18 of the EU SCCs, the laws and courts of Ireland shall apply.


3. Processing Particulars for the EU SCCs

The Parties

3.1  Exporter (Processor): IWSR

3.2  Importer (Controller): Customer


Description Of Data Processing

3.3  Categories of data subjects: End licence users.

3.4  Categories of personal data transferred: Customer Data.

3.5  Sensitive data transferred: None.

3.6  Frequency of the transfer: Continuous.

3.7  Nature of the processing: Storage and use.

3.8  Purpose of the processing: For the Agreed Purpose.

3.9  Duration of the processing: For the duration of the Agreement.

3.10  Sub-Processor Transfers: As set out at clause 7. The approved sub-processors are:

  • Amazon Web Services, Data hosting and backups, UK
  • Salesforce, Customer Relationship Management, UK
  • Microsoft (Office 365), Data hosting, UK (Exchange and Teams), EU (SharePoint)
  • WPEngine, Data hosting and backups, UK


3.11  Competent Supervisory Authority: As set out at paragraph 2.1.


3.12  Technical and Organisational Measures:

  • Physical Access Control: Restriction of access to buildings, data centres and server rooms as necessary, adequate locks on all doors, monitoring of unauthorised access, and written procedures for employees, contractors and visitors covering confidentiality and security of information.
  • System Security: Restricting access to systems depending on the sensitivity/criticality of such systems, use of password protection where such functionality is available, maintaining records of the access granted to which individuals, ensuring prompt deployment of updates, bug-fixes and security patches for all systems, appropriate security over wireless networks (802.11x) and remote access tools (including two factor authentication).
  • Sub-Processor Vetting: Selection of sub-processors based on technical expertise, trustworthiness and compliance with legislation, ensuring prompt instruction of Sub-Processors, ensuring prompt notification of the Processor or Controller in the event of a data security breach and, capability of Sub-Processors to correct and/or erase data upon instruction.



Cookie Policy

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also helps us make improvements.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.