
Compliance with the European Union’s General Data Protection Regulation (GDPR)

For the National Western Stock Show, National Western Complex, Rodeo All Star Weekend, The Denver County Fair, Coors Western Art, and Honoring The Legacy Campaign. (Referred to as NWSS within the context of this document)
 
Version 2018-08-30

This document provides an overview of the compliance of the National Western Stock Show and all of its entities with the European Union’s General Data Protection Regulation, or GDPR, which became effective on May 25, 2018. It provides a summary of the areas covered by the GDPR, NWSS’s high-level compliance in terms of governance and responsible parties, a general discussion about NWSS’s IT Security and Privacy environment, and specific information regarding the nature and legitimate business need for processing the data.

The GDPR applies to organizations involved in the processing of personally identifiable information (PII) of individuals located in the EU. An organization may or may not maintain an “establishment” in the EU and be covered by GDPR.[1] Without determining if or when NWSS maintains an establishment, we recognize that GDPR applies when, acting as a controller or processor, “the processing activities are related to offering goods or services to data subjects in the [EU],” even when the goods and services are offered for free.[2] Further, GDPR protections apply when NWSS processes the PII of data subjects in the EU, and that processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU.[3]

Web pages and other forms may collect PII, both through the use of forms and by recording IP addresses or recognizing cookies[4] from the end user. All such PII that we collect is extremely well protected, and NWSS desires to be transparent about how we secure and protect such data. Therefore, all NWSS-governed web pages that offer services to individuals and process PII shall include a URL reference to this document on the home web page offering such a service.

Provisions of the GDPR

The GDPR covers three areas involving individuals’ personal data, each described in a subsection below.

General Principles for Processing Data

Personal Data shall be:
  • Processed (i.e. collected, handled, stored, backed up, made accessible, disclosed and destroyed) fairly, lawfully and transparently. An organization must have a ‘legal basis’ for processing an individual’s personal data (e.g. the individual has consented to the processing, or the processing is necessary to operate a contract with them, or the processing is necessary to fulfil a legal obligation).
  • Processed only for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited to only what is necessary or for which consent has been given.
  • Accurate (and corrected if it becomes inaccurate).
  • Not retained for longer than necessary – data retention periods.
  • Processed securely.

An Individual’s Rights under the GDPR

  • The right to be informed of how their personal data are being used. This right is usually fulfilled by ‘privacy notices’ (or ‘privacy policies’) which set out how an organization will use an individual’s personal data, who it will be shared with, etc.
  • The right of access to their personal data.
  • The right to have their inaccurate personal data corrected.
  • The right to have their personal data erased (right to be forgotten).
  • The right to restrict the processing of their personal data pending its verification or correction.
  • The right to receive copies of their personal data in a machine-readable and commonly used format (right to data portability).
  • The right to object: to processing (including profiling) of their data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
  • The right not to be subject to a decision based solely on automated decision-making using their personal data.

Responsibilities of NWSS under the GDPR

The GDPR introduces a range of accountability requirements to encourage a proactive and documented approach to compliance. These accountability requirements include:
  • Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’.
  • Having appropriate contracts in place when outsourcing functions that involve the processing of personal data.
  • Maintaining records of the data processing that is carried out across the organization.
  • Documenting and reporting personal data breaches.
  • Defining GDPR Controllers as the points of contact for questions regarding the GDPR for data and services from the units covered.
  • Identifying data retention periods for its data, and acting upon them (i.e. purging data) when the retention period is exhausted.
 
The GDPR sets out various exemptions from compliance, two of which are pertinent to institutions structured similarly to NWSS.
  • Personal data processed for journalistic, artistic, literary or ‘academic purposes’ are exempt from the principles and almost all of the rights, though not the accountability requirements.[5]
  • Personal data processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are exempt from two of the principles (those stating that personal data shall be processed solely for specified purposes and not kept for longer than necessary) and most of the rights, though not the other principles, the right to be informed (unless providing the privacy notice would be impossible or would involve ‘disproportionate effort’), or the accountability requirements.[6]
 
An individual’s consent is not required under the GDPR to process personal information for legitimate business purposes. Fortunately, almost all of the data we collect falls into this category, and direct, affirmative consent is not required. However, activities which are peripheral to the NWSS’s learning environment, research environment, and outreach environment are exempt from having to obtain affirmative consent.

Finally, it is noted that NWSS is required to collect, secure, keep, and maintain PII data under a wide variety of mandatory rules, regulations, and policies, including:
  • State of Colorado records retention policy mandates keeping various types of documents and information for various time periods, as required by the State of Colorado Records Retention Manual (http://www.colorado.gov/pacific/archives/state-agency-records-management).
  • GLBA – the federal Gramm-Leach-Bliley Act of 1999 (12 USC §1811) is synergistic with the GDPR, and requires certain protections to be put into place regarding IT Security and privacy of an individual’s financial records.
  • SOX – the federal Sarbanes-Oxley Act of 2002 (116 USC §745) mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud, specifying reporting and retention clauses for financial data.
  • Statewide reporting of student unit records to the Colorado Department of Higher Education, into the statewide SURDS (Statewide Unit Record Data System), is required by state law.
  • Mandatory Record Retention Policies required by the IRS on all financial transactions.

General IT Security and Privacy Environment, and NWSS’s GDPR Environment

Over the last five-plus years, there is no area in central IT to which we have paid more attention and devoted more effort than IT Security and Privacy. Over this time period, we have put many additional protections in place to enhance IT security and preserve individuals’ privacy, especially in regard to Personally Identifiable Information (PII). Specifically, in response to the GDPR, we have:
  1. Identified Controllers for PII data for all of our relevant IT systems and services. Controllers are generally knowledgeable about the data collected, the business needs for the data, data retention and disposal periods, and other factors pertinent to their areas. Controllers may also refer individual requests to others with greater knowledge than they have, especially concerning reporting and business intelligence needs.
  2. Reviewed all of the PII we collect, and verified a business need to collect it.
  3. Reviewed storage and preservation of PII in our internal systems, and established necessary retention periods from a business needs perspective.
  4. Identified which information can be purged from which systems, over which time periods.
  5. Reviewed, revised and put into place contractual terms requiring all of our external vendors who hold our PII to comply with the GDPR. Especially important here are added terms and conditions for data retention and disposal.
  6. Included in our Acceptable Use Statement, which all users must accept, an affirmative acknowledgment of the GDPR for staff and for our affiliates agreeing to participate as an NWSS patron under our GDPR compliance.
  7. Worked with our Institutional Review Board to understand that there must be both data retention and disposal clauses in all IRB-approved protocols.
  8. While requests may be made for an individual’s PII data to be removed from our systems, this will only be possible in very limited circumstances, as we are required by federal and state statutes, state fiscal rules, and other strictures to retain data for 1) required reporting, including retaining data for sufficient periods of time to respond to questions or queries regarding the data, and to allow us to recreate reports from multiple data sources, and 2) the use of data for business analytics to inform strategic and operational directions for NWSS to provide both more efficient and more effective IT services. The systems used for these purposes are our most well-protected systems, deep behind firewalls and access control lists, with granular access for individual users to only the data they need for business purposes.

How to Use the Information in This Document

Individuals residing in the EU who are covered under the GDPR may query the GDPR Controller for their area of particular interest, identified in Table 1 below in section “GDPR Areas and Controllers,” for specific questions regarding the processing of their personal data. General questions may be directed to the Facility’s General Controller for the GDPR, also identified in Table 1 in the section “GDPR Areas and Controllers.”

Right to Petition for Redress

Individuals residing in the EU who are covered under the GDPR, who have contacted a Controller in their area of interest, and who have received an answer with which they are unsatisfied, or have not received an answer within a reasonable time period, may petition for redress[7] to the Facility’s General Controller for the GDPR, identified in Table 1 in the section “GDPR Areas and Controllers.” The Facility’s General Controller for the GDPR shall caucus with the Vice President of Finance, and respond to the request, normally within one week of receipt of the request. Should the individual be unsatisfied with that answer, or have not received an answer within two weeks of submitting the request, the individual may contact the Facility’s General Controller for the GDPR and request that the response be reviewed by the Facility’s Senior Team, whose response shall be final.

General Approaches to Special Circumstances

There are several areas that merit special circumstances for services of a general nature, as described below.

General data collection

NWSS collects very little information of a personal nature, except as needed to fulfill a required business function. In most cases, we will not be able to accommodate “right to be forgotten” requests, as we must maintain complete and comprehensive information in order to facilitate efficient and effective operations in our environment. We simply do not have excess capacity to ingest and/or process extra information, nor do we ever sell your personal information to any provider for a fee. All of our sensitive data is maintained behind very robust firewalls, and intrusion inhibitive services, and therefore kept very secure and highly private.

System and network logs

NWSS is required by several laws (referenced above) to maintain system and network logs for specified periods of time. In most cases the retention period for the data is determined by the software/application, and we have little or no say in that. As these logs are a legal requirement, we cannot support the “right to be forgotten” in these logs. However, we can assure you that these logs are only used by us internally for purposes of analyzing and tuning (optimizing) our service delivery. We never distribute these, so they are extremely secure and very private.

Site traffic information and cookies

On your first visit to this site you were asked (by a notification banner) to accept our use of cookies and similar technologies and we would like to explain how we use these technologies.
 
National Western's websites make use of cookies to save and retrieve information about your visit to our sites. Cookies are small files of software which save and retrieve information about your visit to a website or application. They reside in your internet browser to help remember your preferences and previous activity. You can find more information about cookies at allaboutcookies.org and youronlinechoices.eu.
 
Cookies currently used on our site identify you as an anonymized number. We and our partners (e.g., marketing partners or analytics providers) use cookies and log files to analyze trends, administer the website, track users’ movements around the website, and gather demographic information about our user base. We may receive anonymized reports based on the use of these technologies by our partners on an aggregated basis. We also use this data to provide the site’s content, ensure the functionality of our information technology systems, and to optimize our website. The data of log files will be stored separately from your other personal data.
 
Users can control and refuse the use of cookies at the individual browser level. Cookies installed can be deleted. If you reject cookies, you may still use our website, but your ability to use some features or areas of our website may be limited.
 
When you visit our website, the following categories of cookies will be set in your browser:
 
Strictly necessary cookies
These cookies are essential in order to enable you to move around a site and use its features. Without these cookies, services you have asked for cannot be provided.
 
Registered Visitor Cookie - A unique identifier given to each registered user, used to recognize you anonymously through your visit and when you return to the site.
 
Performance cookies
These cookies collect information so that we can analyze how our visitors use our site. These cookies do not collect information that identifies you. All information these cookies collect is anonymous and is only used to improve how our site works.
 
Functional cookies
These cookies allow websites and applications to remember choices you make (e.g., your user name or the region you are in) and provide enhanced, more personal features.
 
We may use information collected from functional cookies to identify user behavior and to serve content based on the user profile. These cookies cannot track your browsing activity on other websites. They do not gather any information about you that could be used for advertising or to record where you’ve been on the Internet outside our site.
 
Analytics cookies
In order to keep our website services relevant, easy to use and up-to-date, we use web analytics services to help us understand how people use the site.
Cookies allow web analytics services to recognize your browser or device and, for example, identify whether you have visited our website before, what you have previously viewed or clicked on, and how you found us. The information is anonymous and only used for statistical purposes, and it helps us to analyze patterns of user activity and to develop a better user experience.

Third Party Applications

We will respect and protect your privacy as set out in this Privacy Policy. We will not share your personal data with third parties except in the ways that are described in this Privacy Policy, and we do not and will not sell your personal data.
 
Categories of non-National Western parties with which we share your personal data include hosts and cloud service providers, marketing agencies, and sub-contractors involved in the fulfilment of our contractual obligations towards our clients.
 
Facebook conversion pixels
We use the “Custom Audience pixel” of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) on our website. With its help, we can keep track of what users do after they see or click on a Facebook advertisement. This enables us to monitor the effectiveness of Facebook ads for purposes of statistics and market research. Data collected in this way is anonymous to us, which means we cannot see the personal data of individual users. However, this data is saved and processed by Facebook. Facebook can connect this data with your Facebook account and use it for its own advertising purposes, in accordance with Facebook’s Data Policy which can be found at https://www.facebook.com/about/privacy/. You can allow Facebook and its partners to place ads on and outside of Facebook. A cookie can also be saved on your device for these purposes.
 
If you would like to withdraw your consent, please visit https://www.facebook.com/settings/?tab=ads#_=_

Google Analytics
Our website uses Google Analytics, a web analysis service of Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, google.com (“Google Analytics” or “Google”). Google Analytics employs cookies that are stored on your computer in order to facilitate an analysis of your use of the site. The information generated by these cookies, such as time, place and frequency of your visits to our site, including your IP address, is transmitted to Google’s location in the US and stored there.
In using Google Analytics our website employs the extension “anonymizeIp”. In doing so, Google abbreviates and thereby anonymizes your IP address before transferring it from EU/EEA member states. Google uses this information to analyze your use of our site, to compile reports for us on internet activity and to provide other services relating to our website.
 
Google may also transfer this information to third parties where required to do so by law or where such third parties process this data on Google’s behalf. Google states that it will never associate your IP address with other data held by Google. You can prevent cookies from being installed by adjusting the settings on your browser software accordingly as noted elsewhere in this Privacy Policy. You should be aware, however, that by doing so you may not be able to make full use of all the functions of our website.
 
Google Analytics also offers a deactivation add-on for most current browsers that provides you with more control over what data Google can collect on websites you access. The add-on tells the JavaScript (ga.js) used by Google Analytics not to transmit any information about website visits to Google Analytics. However, the browser deactivation add-on offered by Google Analytics does not prevent information from being transmitted to us or to other web analysis services we may engage.
 
Google Analytics also uses electronic images known as web beacons (sometimes called single pixel gifs), which are used along with cookies to compile aggregated statistics to analyze how our site is used.
 
You can find additional information on how to install the browser add-on referenced above at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

For the cases in which personal data is transferred to the US, Google has self-certified pursuant to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework).
 
Google Tag Manager (GTM)
Google Tag Manager (“GTM”) is a tag management system to manage JavaScript and HTML tags used for tracking and analytics on websites. Tags are small code elements that, among other things, are used to measure traffic and visitor behavior; to understand the effect of online advertising and social channels; to set up remarketing and orientation towards target groups; and to test and optimize websites. GTM makes it easier for us to integrate and manage our tags. We use GTM on our website to include the following tracking tools:
  • Google Analytics
  • Facebook Conversion Pixels
 
If you have performed deactivation, GTM takes this deactivation into account. More information about GTM’s privacy practices can be found at https://policies.google.com/privacy?hl=en and its terms of use at https://www.google.com/analytics/tag-manager/use-policy/.

GDPR Areas and Controllers

Below, we indicate separately for each system and/or service the GDPR Controller (the “Controller”) for the system and/or service. Each Controller has reviewed the data collected for their system and/or service, removed from collection any data items not needed for reporting or business purposes, established a data retention period, and agreed to serve as the point of contact for individuals who may have questions about GDPR compliance.
 
[1] GDPR Art. 3(1) and Recital 22
[2] Rec. 23
[3] Art. 4(2)(b) and Rec. 24
[4] Rec. 30 states: “Natural persons may be associated with online identifiers provided by their devices… such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
[5] Art. 85(2), Rec. 153
[6] Art. 89(1), Rec. 159
[7] Art. 47, Rec. 108