Privacy policy
This policy is applicable to edri.org and other websites managed by EDRi as mentioned below, concerning all personal data processed via publicly available digital services provided by European Digital Rights (EDRi), AISBL registered at 12 Rue Belliard, 1040 Brussels, Belgium.
EDRi is the data controller of the processing described in this policy.
To submit a data access request or ask for more information about EDRi’s data protection and privacy policy, you can contact EDRi’s Data Protection Officer at DPO [at] edri [dot] org.
Communications
Website
We use personal data as described below to provide you with the edri.org page and other EDRi pages, make sure the communication remains secure and we use anonymous data for reporting and evaluation purposes.
We honour encrypted browsing (https) by default. Our websites are managed by our trustworthy service provider, Spectre Operations, based in the Netherlands. Spectre Operations acts as a processor of data whereas EDRi is the data controller. We have signed a data processing agreement with Spectre Operations. Spectre Operations will only use the logs and any other information for troubleshooting the supplied services and for monitoring usage patterns for security purposes.
Our website does not use cookies or web beacons and we do not collect data on clicked links. The processing of web usage data is kept to a minimum.. We have no control over tracking technologies used by sites and services to which we link.
The processing of web usage data is kept to a minimum. For reporting and evaluation purposes, we collect some statistics on the visits and downloads on our website with Matomo, a web analytics platform that gives us 100% data ownership. All data collected is anonymised, and we do not share it with third parties. The server software retains access logs (which contain individual IP addresses and pages visited) for the purposes of troubleshooting and generating aggregate statistics. We use this information to provide an indication of faults and to identify peak usage times so that we can decide when to make major site modifications.
The legal basis for this processing is our legitimate interest, under art 6(1)(f) of the General Data Protection Regulation (GDPR).
EDRi also manages four other websites, accessible via edri.org: “StopScanningMe.eu”, “Platformpower.eu”, “Reclaimyourface.eu” and privacycamp.eu. These websites all have a privacy policy, which details the processing of personal data in a similar way.
Emails
- How do we process your information?
We process your contact details when you contact us by email or via our website or when we interact with you in the context of our advocacy work. We process the information you provide us, such as your name and email address to handle your requests and complete your registration to newsletters and press releases. The legal basis for such processing is your consent under art 6(1)(a) GDPR. If the processing of your personal data concerns EDRi’s advocacy work as explained below, the legal basis for this processing can be your consent under art 6(1)(a) or EDRi’s legitimate interest under art 6(1)(f) GDPR.
When you send us an email it is stored on our email server in the Netherlands and potentially on recipients’ local devices. As a result, in some circumstances there may be a legal obligation to share information for example under a court order under Dutch jurisdiction.
We limit the processing of traffic data to a minimum: we log details of the email addresses and mail servers involved in delivery.
Each EDRi employee is responsible for managing and enforcing data minimisation with regard to the communications that s/he receives or sends, and we endeavour to keep this information stored securely through the use of encrypted emails. We keep emails for a maximum of 24 months, after which they are deleted.
We do not solicit information on political and religious beliefs or medical information. When such sensitive personal information is provided to us through our email or postal addresses, we delete or anonymise this information as soon as possible.
EDRi staff members use PGP to encrypt emails. You can find their keys on the EDRi website and on public keyservers.
- Advocacy related contacts
We run a variety of open and closed mailing lists hosted on our servers at Spectre Operations. If you interact with us in the context of our advocacy work for instance by supporting a campaign and/or registering to a mailing list concerning that campaign, we will process your email address and possibly other contact details you share with us.
These contact details are stored on our self-hosted Customer Relationship Management system (CiviCRM). This information is processed for the purpose of list management and to be able to interact with you in the way you’d expect. The data we process through our CRM may include registration to mailing lists, data related to other interactions we had with you, for instance as part of our advocacy work if you work in a role in politics or media, or if you have been involved in a campaign activity led by EDRi. This helps us to efficiently carry out our mission and manage our interactions with you.
If you have subscribed to the EDRi supporters mailing list, we may ask you occasionally to participate in a survey, to help us understand better our audience. This helps us to efficiently carry out our mission and manage our interactions with you.
These data are kept confidential and available only to selected EDRi staff members. They will not be shared with third parties.
We will delete your personal data as soon as you ask us to be removed from a mailing list or from our database. Emails collected from supporters to a European Citizen Initiative are deleted 12 months after the end of the collection period.
- Newsletters and press releases
If you subscribe to EDRi-gram or to one of EDRi’s other newsletters, including the press releases, the information you provide, such as your e-mail address, names and background will be stored and processed on our self-hosted CRM as described above. It will be used by EDRi’s comms team to send you the mailings you subscribed to. Aggregate information about subscribers such as the number of subscribers can be used for other publications.
EDRi commonly uses (‘double’) confirmed opt-in for subscribers to any mailinglist unless you email us, call us or orally tell us to add you to a given mailinglist. Subscribers may also be added via an opt-in system attached to a campaign website.
By using professional, self-hosted mailinglist software like Mailman and CiviCRM, EDRi aims at minimising the abuse risk of email addresses by third parties.
Subscribers can subscribe or unsubscribe themselves, without any intervention from EDRi. Maintenance, system operation and security of the mailinglists are delegated to Spectre Operations.
Social Media
Our website does not use any cookie or social plugin, which means you are not tracked by social media when you visit our website.
We have YouTube, Facebook, Twitter and LinkedIn accounts, as we use social media and social networking services to advance our work. These applications require the use of third-party service providers. Please note that some of these services engage in extensive data collection and processing practices that are governed by their own terms of service.
EDRi has access to the following personal data available on these services:
- Data visible by default on the platforms (such as names and pseudonyms, profile pictures or avatar, presentation message)
- Other data made public by the user as part of their general settings on the platform concerned (publications, messages exchanged between EDRi’s account and the user)
- Platform usage data for the production of anonymous statistics
We make limited use of this information, for the following purposes:
- Technical administration of accounts (creation, publications)
- Interactions (public or private messaging) with subscribers and other platform users
- Awareness raising on EDRi’s activities in relation with digital rights
- Statistics of use
- Social media monitoring, to better understand our audience (see below).
The legal basis for the processing of these data is EDRi’s legitimate interest (art. 6(f) GDPR).
Apart from this limited use, we do not further process or store the information listed above: only statistics are used about the engagement rate, demographics (average age, location), used device, followers, etc. to evaluate EDRi’s communications performance and feed into future strategies.
Social media monitoring
In order to better consider the interests of the general public in the protection of digital rights and better shape our communications, we need to understand how social media users understand these topics. To this end, we analyse social media activity related to digital rights and monitor the use of our own social media channels. We analyse for instance how our posts are liked, shared, or commented on social networks.
EDRi is the data controller for this data processing. The legal basis for this monitoring is our legitimate interest under art. 6(1)(f) GDPR. We ensure that adequate and specific safeguards are implemented for the processing of personal data, in line with the GDPR.
We use an external provider established in the European Union to process and analyse public social media data on our behalf and according to our instructions. We do not directly interact with social media users whose data are being processed and, in principle, do not have access to their contact details, which prevents us from providing relevant information individually. We have therefore included such information in this privacy policy. Further information and points of contact related to the processing of personal data can be found in the privacy policy of our external provider.
The external provider collects and analyses data from publicly available sources, including public social media platforms, websites and online newspapers. The external provider only processes information that is publicly available, such as:
- identification data (name, username, user identification and geographical area if available)
- personal characteristics (age, gender and family status)
- consumer habits
- hobbies and interests
- professional and educational background
- pictures and videos
- other categories of data published in news articles, online sources and social media posts.
While the external provider collects the personal data listed above, we only analyse some of these data, mostly in an aggregated format.
We have set up strict limitations on the topics we monitor and have ensured that authorised EDRi staff, when accessing and using the external provider’s database, are bound by clear instructions and confidentiality obligations.
We may store reports containing selected personal data (such as “top mentions” including the tweet of an influencer) for a maximum of 3 years after which they will be deleted. All personal data processed by the external provider on the EDRi’s account will be deleted 6 months from the end of the contractual relationship with them.
Donations
When you support EDRi by making a donation, we only collect information necessary to process the donation. This includes your identification data (name, first name, address, country), the sum, the frequency of payment, your credit card details or account number, the type of payment, your email and the information whether you want to be informed of EDRI’s activities.
The legal basis for such processing is your consent under art 6(1)(a) GDPR.
This information is securely stored by our service provider, Spectre Operations, based in the Netherlands.
Signing of EDRi online campaigns
If you sign an EDRi online campaign, we collect the data your provide us with (First name, Last name, country) as well as the date and time of the signature. We will use these data only for the purpose for which you provide them to us. In the case of open letters and petitions, your first/last name and country might be handed over by EDRi to the responsible body / addressee of the open letter as a list on paper, if applicable. We need your email address for the verification of your entry. However, the email address will not be published or passed on under any circumstances. Unless you are subscribed to a mailing list or your data is stored due to another reason mentioned in our privacy policy, your information will be deleted within 6 months after the campaign has ended. Publication (by name) or disclosure to third parties will only take place if you have expressly permitted this. The legal basis for this processing is your consent in accordance with Art. 6, Para. 1, lit. a – GDPR.
Your rights
You have the following rights under the General Data Protection Regulation:
- right to access your data and understand what data we process about you
- Correct your data if they are wrong
- You can also oppose further processing of your data,
- Request to erase your data,
- Request to limit your data’s processing,
- Receive your data, in a structured, widely used and readable form and transmit it to another controller
The contact for exercising your rights at EDRi is dpo (at)edri(dot)org. We will reply to you within one month. For the processing of data by our external provider for social media monitoring purposes, you can contact privacy(at)meltwater(dot)com
You can also contact us at dpo(at)edri(dot)org if you have any questions regarding our privacy policy or require any clarifications.
We are governed by the Belgian data protection authority, who is competent to receive your complaints (https://www.autoriteprotectiondonnees.be/citoyen).
Changes to this policy
In the event that this policy is changed at any time, the date and nature of the change will be clearly indicated in this document. In the event that the change has a material impact on the handling of your personal information, we will contact you to seek your consent. The previous version from January 2019 can be found here.
[Last updated on 22 March 2023]