Privacy policy

This policy is applicable to all personal data processed by European Digital Rights, registered at 20 Rue Belliard, 1040 Brussels, Belgium. We strictly limit the processing of your personal information, and work only with other organisations who do the same.

Any subpoena or attempts by government agencies or private sector organisations to gain access to any information that you give us will be vigorously challenged.

Communications

Emails received through brussels(at)edri.org are reviewed by one staff member and sent onwards when necessary to other staff members. Similarly, emails sent to our other general addresses, e.g. press(at)edri.org, are reviewed and deleted as quickly as possible. We use email service providers based in the Netherlands. As a result, our emails are susceptible to lawful access under that jurisdiction. Our current service provider is Vigilo (see below).

Information we receive by post is collected by one staff member, reviewed, and sent onwards when necessary to other staff members. These items are destroyed as soon as possible. We do not disclose the names of senders to third parties, and we endeavour to keep files secure. When the content of messages is shared with others outside of EDRi, we de-identify the messages as much as possible.

We run a variety of open and closed mailing lists, and the membership of closed mailing lists are kept confidential, though this information is shared with our mail service providers for the purpose of list-management.

We do not have a back-up policy for our communications. Each employee, as he or she sees fit, may retain the content of specific communications that he or she receives and sends, but we endeavour to keep this information stored securely through the use of encrypted emails.

We do not solicit information on political and religious beliefs or medical information. When such sensitive personal information is provided to us through our email or postal address, we delete or anonymise this information as soon as possible.

Traffic data of emails we send and receive through the services of Vigilo is not subject to the Netherlands data retention legislation and is hence kept for 2 weeks only for the purposes of troubleshooting delivery issues. We only log details of the email addresses and mailservers involved in delivery.

EDRi staff members also use PGP to encrypt emails. Please request further information if you want to sign or encrypt emails with PGP so we can exchange keys.

Telephone calls received on our number are serviced by Belgacom and are beyond our control. As a result, the traffic data for these calls may be retained in accordance with various laws and a voluntary code of practice for the retention of communications data. Our practice is to delete these messages as soon as possible.

Employee Information

Occasionally we receive employment information from prospective interns and employees. This information is shared internally until that individual becomes a candidate for employment. At that point we may share the CV with our advisers and trustees. We file unsuccessful applications for two years with the consent of the individual applicant.

We keep all accounting and administration information for auditing purposes, in accordance with standard practice and Belgian law.

Website

We honour encrypted browsing (https) by default. We work closely with our service provider, Vigilo, to ensure that your personal information is protected. Vigilo is based in the Netherlands. With regard to current data protection legislation, the company acts as a processor of data whereas EDRi is responsible as the data controller. For this purpose, we have signed an agreement with Vigilo that stipulates, amongst other things, that all data relating to our website will remain confidential unless legal exceptions apply (for instance in the case of requests for data by competent law enforcement authorities). Vigilo will only use the logs and any other information for troubleshooting the services supplied and for monitoring of usage patterns for security purposes (they are used by our web application firewall to detect hacking attempts).

Our website uses a cookie (expiring after 12 months) for managing your session. We may also point from our website to other internet services that do use cookies. These services do not fall under our control and we advise you to familiarise yourself with the privacy policies and terms of service that apply to these third party services. This is particularly the case with multi-media services and social plugins.
The processing of web usage data is kept to a minimum. Our website management software only presents us with aggregate numbers of downloads of each document and does not provide us with access to IP logs. The server software retains access logs (which contain individual IP addresses and pages visited) for 4 weeks for the purposes of troubleshooting and generating these aggregate statistics. We use this information to provide an indication of faults and to identify peak usage times so that we can decide when to make major site modifications.

We collect some statistics on the visits and downloads on our website with AWStats. All data collected is anonymised, and we do not share it with third parties.

EDRi-gram

If you subscribe to EDRI-gram, your e-mail address will only be used by the editor appointed by the EDRI-members to send you the newsletter. Subscriber information will not be provided, rented or sold to any third party. Information about subscribers is only provided in a general, aggregate form, for example the amount of subscribers.

EDRi only uses confirmed opt-in for subscribers to any mailinglist. People interested in receiving for example the newsletter EDRi-gram first have to confirm their subscription before it is effected. By using professional mailinglist software (Mailman), EDRi minimises the risk of abuse of the addresses by third parties. Subscribers can subscribe or unsubscribe themselves without any intervention from EDRi. Maintenance, system operation and security of the mailinglists are delegated to VIGILO in the Netherlands.

EDRi-gram is a closed mailinglist. Only the editor can send mail to the subscribers.

Social Media

European Digital Rights uses social media and social networking services to advance our work. These applications require the use of third party service providers. Notably, we have a YouTube, a Vimeo and a Twitter account (set links to their privacy policy).

Corrections

European Digital Rights will endeavour to keep your personal information accurate. If you require access to personal information we hold on you, wish to amend an inaccuracy, or have your information deleted from our files then please contact the Data Controller at brussels@edri.org
Changes to this policy
In the event that this policy is changed at any time, the date and nature of the change will be clearly indicated in this document. In the event that the change has a material impact on the handling of your personal information, we will contact you to seek your consent.

Questions

If you have any questions regarding our privacy policy or require any clarifications, please contact brussels(at)edri.org

About European Digital Rights

European Digital Rights AiSBL is registered as an international not-for-profit organisation in Belgium – and our address is European Digital Rights, 20 Rue Belliard, 1040 Brussels.