Privacy and Cookie Policy
Introduction
Open Rights Group campaigns for and strongly believes that you have the right to control the use of your personal information, and that your privacy must be respected. That is why we strictly limit the collection and processing of your personal data. We will not use personal data that you provide to us in a manner inconsistent with the purposes for which you provided it to us.
This privacy and cookie policy (“Policy”) describes how we will process any personal information that we may collect about you as a supporter or member, as a visitor to our website or our office. We do not and will not sell, rent or lease personal data, nor send marketing on behalf of third parties.
This policy does not address other personal data processing operations, for example Open Rights Group’s internal processing operations including, for example, human resources, logistics and administration. Information related to these processing operations is provided to data subjects at the point of data collection, or subsequently, as required by law.
1. Who is Open Rights Group?
Open Rights Group (“ORG”, “we”, “us”, “our”) is a dedicated group of digital rights defenders working on Internet censorship, free speech, privacy, surveillance and data protection.
Digital technology has transformed the way we live and opened up limitless new ways to communicate, connect, share and learn across the world. But along with all the benefits, technological developments have created new threats to our human rights. We raise awareness of these threats and challenge them through public campaigns, legal actions, policy interventions, public education and technology projects.
2. Data Controller
Open Rights Group is the data controller for data processing in accordance with this policy and is registered with the Information Commissioner as a data controller (registration number Z1179257).
We are a non-profit and a company limited by guarantee (UK registered company number 05581537). Our registered offices are at 12 Duke’s Road, London, WC1H 9AD.
If you have any questions about this Policy, our data processing practices, or your rights, you can contact us (details provided below).
3. The personal data we collect, how we use it and the legal basis for this
Set out below is an explanation of the ways we collect and use, or “process” your data and the legal basis for this in accordance with applicable data protection laws.
If you support one of our campaigns or take an action on our website:
If you sign an Open Rights Group petition or campaigning action, we collect the information you provide including your name, email address and postal address. We collect information required for the campaign action itself. For example, your postcode is necessary for letter campaigns to Members of Parliament to verify you are a constituent. The legal basis for this processing is your consent.
If you subscribe to our emails:
We collect the information you provide – your name and email address – in order to send you updates about our work, when you sign-up online to receiving emails from us. The legal basis for this processing is your consent, which you may withdraw at any time by unsubscribing to our emails.
If you donate to us:
If you make an online donation to us, you are asked to provide your name, email address, telephone number and payment information this information is used to process your donation. The legal basis for this processing is entry into a contract with you to facilitate the donation and we retain this data on the basis of compliance with legal obligations related to taxation and finance that require us to maintain records of these transactions.
If you join us as a member making regular donations:
In addition to the processing related to making a donation described above, if you join us as a member making regular donations we will retain your name, email address, telephone number and payment information in order to correspond with you about the impact of your donations on our work. The legal basis for this processing is your consent and entry into a contract with you to facilitate the ongoing donations.
If you create an account with us:
If you create an account with us, we collect your name, email address and [other details?] which allows you to add content to or edit a webpage we host. We retain this information for as long as your account is open. The legal basis for this processing is your consent.
If you add content to a website we host:
If you contribute content to a website that we host (such as a comment, wiki modification, or file upload) Open Rights Group collects information including your name, username, email address, and IP address. We retain this information for at least as long as the content is accessible online. These details will not be shared with third parties, except where legally required such as to provide a defence from defamation claims and to facilitate resolution of copyright disputes. The legal basis for this processing is your consent and we retain this data on the basis of our legitimate interest in maintaining our website.
If you email a mailing list we host:
Emails sent to any Open Rights Group hosted public email mailing lists are retained for reference purposes. The public mailing list archives are a public resource. Mails sent to public lists are not made available except to subscribers. The legal basis for this processing is your consent and we retain this data on the basis of our legitimate interests in maintaining our website and archiving information.
If you contact us by phone, email or in writing:
If you exchange emails, telephone conversations or other electronic communications with our staff members, our systems will record details of those conversations, sometimes including their content. When you contact us, we may keep a record of the communication we have with you. The legal basis for this processing is our legitimate interests in operating, managing and developing our organisation and our work.
Work-related contacts:
In the course of our work, we collect information such as the names, contact details and work-related information about individuals and organisations we work with and who contact us, including journalists and media professionals. We keep this information in order to invite you to collaborate on and participate in relevant work-related activities.
This includes the details of those whose professional interests align closely with our own and individuals who participate directly in our activities, as well as those who we have current contractual obligations with or who we may in the future enter into an agreement with. We also keep the details of other professional contacts if you have consented to hearing from us for this purpose.
We collect this information through business cards, personal contact or occasionally recommendations from partners. The legal basis for this processing is our legitimate interests in operating, managing and developing our organisation and our work.
If you visit our website:
We collect some analytics data about the way you access and interact with our website using the free, self-hosted and open source Matomo analytics software. Any data collected through the Matomo software is carried out by computer systems which we operate and is never transferred to any third party. The legal basis of this processing is our legitimate interest in providing you with a functional website, gauging unique site views and understanding the geographical reach of our content. More information is provided about this processing at paragraph 5 below.
The data collected may include information about your operating system and version, your web browser version, your system language, your screen size and resolution, and some other metadata which allows us to optimise your browsing experience. The data collected to Matomo is never associated with you directly, and is only associated with a partially-anonymised representation of your IP address.
Web server access logs containing full IP addresses are stored between 7 and 14 days and are used solely for performance and security purposes. This information is not shared with third parties.
We use Matomo to effectively deliver Open Rights Group’s website to visitors and to understand the geographic location of our audience and the reach of our website. We make a conscious choice to avoid web analytics tools such as Google Analytics where possible as part of our commitment to protecting your privacy.
If your web browser is configured to request that websites do not track you by sending a “Do Not Track” (DNT) request when loading webpages, Matomo will not collect any information from your system. More information about cookies is provided below.
If you respond to a survey from us:
From time to time we offer the option to engage in surveys to do with our work and campaign issues. We conduct these surveys on the legal basis of your consent. We generally anonymise answers so that they cannot be linked back to individual respondents.
A full information notice is provided when you begin a survey and before your consent to engage in it is collected.
4. Your data and third parties
Open Rights Group works with third party service providers who perform certain data processing tasks on our behalf. We strongly value data protection and we therefore very carefully select the third parties we work with and ensure that they share our values around data protection. All third parties that we work with are contractually obligated to act on our instructions and in accordance with current data protection legislation. We do not export data for processing outside the EU.
We will never sell, rent or trade your personal data. We will refuse to comply with law enforcement requests for access to personal data concerning users of our online services that we believe to be unwarranted, and unless legally prohibited or unable to do so, will notify the data subjects concerned. Third party service providers may also be compelled to disclose data for purposes other than which it was collected.
We are transparent about those third parties and we keep a public list (click to view) of all that we use. Supporters will be given 14 days’ notice by email before any changes to this list in our Supporter Newsletter.
5. Cookies and tracking
While we do not utilitse cookies on our website, we do use Matomo tracking pixels which can detect information from a website visitor including their device’s operating system, browser type, browser plugins, IP address and browser language. This information is used to help us understand the number of unique page visitors and where they are located.
You can opt out of the use of these tracking pixels via your browser settings. Each browser is different, so check the Help or Settings menu of your particular browser to learn how to change your cookie preferences (see below list).
6. Social media links
We use social media and social networking to increase the reach and impact of our work. Our social media pages are managed by ORG staff. Personal data processed by social media platforms is subject to the terms and conditions of those platforms, which may act as controllers of that data. Individuals who engage with our social media accounts should check the terms of the relevant platforms, which are subject to regular change, to understand how their data may be used.
ORG has accounts with the following social media platforms:
- Twitter, see Twitter’s Privacy Policy
- Facebook, see Facebook’s Data Policy
- YouTube, see YouTube Privacy Guidelines
- Instagram, see Instagram’s Privacy Policy
- LinkedIn, see LinkedIn’s Privacy Policy
- Mastodon, see Mastodon’s Privacy Policy
- Reddit, see Reddit’s Privacy Policy
7. Jurisdiction
Open Rights Group is headquartered in the United Kingdom and the data we collect is process and stored within the UK and EU in accordance with applicable data protection laws. The UK currently remains subject to EU data protection laws, however as the UK has now left the EU, it may become subject to additional requirements around transfers of data into and out of the UK. Should this eventuate, these requirements will be met by us and this Policy will be updated accordingly.
8. Retention and deletion of your information
We keep your data as long as is necessary in connection with the purpose it is collected for. We do not keep data longer than required in connection with that purpose. We will delete the information we hold about you as soon as we no longer need it or, where actionable, at your request (see “Your rights” section below). For further specific information about our retention policies, please contact us on the details provided below.
9. The security of your information
We take the security of your information very seriously. We employ physical, electronic and organisational security measures to protect the information that we collect about you from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. For instance, we use SSL certificates on all websites we operate.
Although we do our best to protect personal data, information transmitted over the internet remains vulnerable to unauthorized access – for this reason the transmission of any personal data to our websites or via email to us is therefor at the data subjects’ own risk.
10. Your rights
Individual’s whose personal data is processed by Open Rights Group have the following rights:
- The right to be informed as to whether we hold data about the individual;
- The right of access to that information;
- The right to have inaccurate data corrected;
- The right to have their data deleted;
- The right to opt out of particular data processing operations;
- The right to receive their data in a form that makes it “portable”;
- The right to object to data processing;
- The right to receive an explanation about any automated decision-making and/or profiling and to challenge those decisions where appropriate.
You can update your preferences or unsubscribe from our mailing list at any time by clicking on the links in the newsletter, by emailing our info@openrightsgroup.org, or by calling +44 (0)207 359 7728.
You can also contact us to opt-out of or withdraw your consent to data processing we undertake, however in some cases we may need to retain data where it is kept in compliance with a legal obligation (e.g. records of donations must be kept).
You also have the right to bring concerns to your national data protection regulator if you feel that your personal data has been unlawfully processed. For example, data subjects covered by EU law may also be entitled to lodge complaints in regard to data processing or the handling of subject access requests with data protection supervisory authority in their country of residence.
Relevant supervisory authority names and contact details are listed here. The Data Protection Authority in the United Kingdom is the Information Commissioner’s Office (ICO). If you need any further information about your rights or want to lodge a concern or complaint, you may contact the ICO here.
11. Contact us
If you have a query regarding this Policy, or if you would like to exercise your rights as a data subject, please contact Martha Dark, Chief Operating Officer info@openrightsgroup.org or call +44 (0)207 096 1079.
12. Changes to this policy
We keep this Privacy Policy under regular review and will place any updates on this page. This Privacy Policy was last updated on 19 March 2020.