This GDPR Policy sets out how CoinLaw, operated by Barry Elad, complies with the General Data Protection Regulation (Regulation (EU) 2016/679) and the United Kingdom General Data Protection Regulation. It applies to readers, newsletter subscribers, and contributors located in the European Economic Area, the United Kingdom, and the European Free Trade Association states. This page supplements the Privacy Policy with the disclosures the regulations specifically require.
Identity of the Controller
CoinLaw is operated as a sole-trader publication by Barry Elad. There is no separate corporate entity, and there is no statutory requirement for us to appoint a Data Protection Officer under Article 37 GDPR. The controller can be reached at media@coinlaw.io for all data-protection matters. Postal correspondence is accepted on request.
Categories of Personal Data We Process
We deliberately collect the minimum data set required to operate a publication, in line with the Article 5(1)(c) data minimisation principle.
- Reader telemetry: anonymised analytics identifiers (Google Analytics 4 in IP-anonymised mode), referrer, location at country level, device class, time on page
- Newsletter list: email address and date of subscription, held in our email service provider’s environment
- Comment submissions: name, email address (not displayed), IP address (held in WordPress logs), and the comment text. The IP is retained for spam-filter operation and is purged with the rolling log rotation
- Contact-form submissions: name, email address, message body
- Server logs: IP address, requested URL, timestamp, user agent
We do not collect special-category data within the meaning of Article 9. Where a reader voluntarily includes such data in a comment or contact message, we treat it under the same retention rules and do not process it further.
Lawful Basis for Each Processing Activity
A short table is clearer than a paragraph here.
| Processing | Article 6(1) basis |
|---|---|
| Newsletter delivery | (a) consent |
| Optional analytics cookies | (a) consent |
| Aggregated, anonymised analytics for site improvement | (f) legitimate interests |
| Comment moderation, spam control | (f) legitimate interests |
| Server log retention for security | (f) legitimate interests |
| Responding to a reader contact request | (b) performance of a request |
For (f) legitimate interests, we have conducted a Legitimate Interests Assessment recording why our interest in operating a secure, abuse-free publication outweighs the data subject’s expectation of privacy. The assessment is available on request to the supervisory authority.
Retention Schedule
- Analytics records: maximum 14 months in GA4
- Newsletter subscribers: until unsubscribe, plus an additional 30-day suppression hold to avoid resubscribing in error
- Comment data: indefinite while the article is published; deleted on subject request
- Contact-form submissions: 24 months from final reply, after which the thread is deleted
- Server logs: rotated within 30 days, except where retained for an active security investigation
Reader Rights Under the GDPR and UK GDPR
The articles cited below are the primary statutory references.
- Access (Article 15): obtain confirmation of whether we hold your data, and a copy of it
- Rectification (Article 16): correct inaccurate or incomplete data
- Erasure (Article 17): require deletion, subject to the limited exceptions in Article 17(3) such as the right to freedom of expression
- Restriction (Article 18): pause our processing while a query is open
- Portability (Article 20): receive data you provided to us in a structured, commonly used, machine-readable format
- Objection (Article 21): object to processing under legitimate interests, including direct marketing
- Withdrawal of consent (Article 7(3)): withdraw consent at any time, without affecting prior lawful processing
- No automated decision-making (Article 22): we do not subject readers to automated decisions producing legal or similarly significant effects, so this right does not arise here
How to Exercise a Right
Send an email to media@coinlaw.io with the subject line “GDPR, [right being exercised]” (for example, “GDPR, Access” or “GDPR, Erasure”). Include enough information for us to locate your records (the email address used to subscribe is usually sufficient). We may request additional verification before disclosing or deleting data, in line with Recital 64.
We respond within one calendar month, extendable by a further two months for complex requests, with notice within the original month.
International Transfers
Some of our processors are established outside the EEA and the UK. Where they are, we rely on:
- Standard Contractual Clauses adopted by the European Commission in 2021, supplemented by the UK International Data Transfer Addendum where the UK GDPR applies
- The UK to US Data Bridge for transfers to certified US recipients under the EU to US Data Privacy Framework
We do not transfer reader data to jurisdictions without an adequacy decision or Standard Contractual Clauses in force.
Supervisory Authorities
You may lodge a complaint with the supervisory authority of your habitual residence, place of work, or alleged infringement (Article 77).
- United Kingdom: Information Commissioner’s Office, ico.org.uk
- European Economic Area: the directory at the European Data Protection Board, edpb.europa.eu
- Switzerland: Federal Data Protection and Information Commissioner, edoeb.admin.ch
Document Control
We revise this document whenever our processors or data flows change. The date below records the last substantive review rather than a fixed schedule, so it moves only when the policy itself does. Last reviewed: 5 May 2026.