Who we are
- The ReclaimYourFace.eu website does not collect personal data about its users. We collect anonymous usage data for reporting and evaluation purposes. We manage our emails and newsletter securely and in accordance with EDRi’s policies available at https://edri.org/privacy-policy/.
- Website users that choose to sign our petition will be asked to provide personal data, which will be processed securely by our contracted third-party software provider, Fix The Status Quo (“FTSQ”), acting as data processor. This is done for the purpose of collecting public campaign support under the basis of legitimate interest in Article 6(1)(f) of the General Data Protection Regulation (GDPR). Data will be encrypted by FTSQ and held on their secure server in Germany. EDRi acts at the data controller.
- Where supporters have given their explicit consent to be contacted further by EDRi under the basis of consent in Article 6(1)(a) in the GDPR, we will use these data only to keep supporters updated about the campaign and other relevant digital rights campaigns. Only EDRi will be able to decrypt these data.
- Where supporters have given their explicit consent to be contacted further by other organisations participating in the ReclaimYourFace campaign (under Art 6(1)(a)), those organisations will act as joint data controller with EDRi. They will use these data only to keep supporters updated about their work on digital rights. Only the specific organisation will be able to decrypt these data.
Petition (“Proca app”) on ReclaimYourFace.eu
EDRi runs a petition on ReclaimYourFace.eu which collects specific personal data only of the users that choose to sign the petition (“supporters”), in order to show their support for the ReclaimYourFace campaign. This data is collected under the basis of legitimate interest according to Article 6(1)(f) of the GDPR. The petition software (“Proca app”) is developed by Fix The Status Quo (“FTSQ”), a not-for-profit campaigning organisation based in Estonia which produces secure and open-source campaigning tools for civil society organisations. EDRi has contracted FTSQ to provide us and our campaign partner organisations with trusted, secure petition services and has put in place a data processing agreement for this.
For the purpose of this petition tool, the data controller will be European Digital Rights (EDRi). Throughout the campaign, EDRi will be able to export encrypted data from FTSQ about those supporters that have consented to being contacted by EDRi. EDRi will be the only entity with the private key to decrypt this supporters’ list. These data will be transferred to EDRi’s self-hosted CRM for the purpose of registering supporters to the EDRi Campaign mailing list, and managed according to EDRi’s newsletters policy (see below).
Personal data collected:
The Proca app will collect a supporter’s first name and email address, which is necessary on the basis of our legitimate interest in gathering support for the campaign. The app will also collect this data in order for EDRi to contact those supporters that have consented to further contact. Optionally, supporters may also provide their last name, country, and a statement of support which will be used to gather information about types of support for the campaign.
Upon receipt of supporter data at their server, FTSQ will immediately encrypt and then store the data in order to be able to share supporter numbers, and – where supporters have consented, their information – with EDRi. FTSQ will have no further access to the data. The data will only be available to EDRi staff members in the communications or campaigns teams who are using the data for communicating to supporters or for reporting anonymous aggregated support data.
We do not share any information with social media or any other third parties. If you choose to share on social media that you have supported the petition, please be aware that these services engage in extensive data collection and processing practices that are governed by their own terms of service.
Anonymous aggregated data about support:
EDRi will use aggregated data about the countries from which supporters are signing the petition, and anonymised statements of support, for advocacy purposes. In addition to the personal data entered into the petition form by the supporter, the EDRi server will count the number of individual signatures that have been received across all instances of the petition, and will provide this number to all website visitors in the top of the petition widget as an anonymous aggregate. No personal data will be collected or stored for the purpose of this counter. No other data will be collected.
Destruction of personal data after the campaign:
Personal data about the petition signatories on Proca Foundation’s server will be destroyed no later than 6 months after the petition collection ends. Personal data held on EDRi’s newsletter list on the basis of consent given by supporters of the petition will be managed according to EDRi’s newsletter policy, available below and at https://edri.org/privacy-policy/.
Withdrawal of consent:
Supporters may withdraw their consent to be contacted further by EDRi at at any time by emailing email@example.com or by self-managing their newsletter settings as per EDRi’s newsletter policy by unsubscribing from the Campaign mailing list. This withdrawal will not affect the legal basis on which the supporter’s data were originally processed.
Instances of the petition on campaign partner organisations’ websites
The ReclaimYourFace campaign is a cross-civil society campaign, and as such, other organisations taking part in the campaign will also run unique versions (‘instances’) of the ReclaimYourFace petition relating to their national context. Personal data submitted to instances of the petition run by these specified organisations, listed at https://reclaimyourface.eu/the-movement, will be collected under the basis of legitimate interest according to Article 6(1)(f) of the GDPR. These organisations will not be considered ‘third parties’ to data collected by EDRi, nor will EDRi be considered a ‘third party’ to data collected by them.
For these other instances, data controllership will depend on the consent option chosen by the supporter, although data collected about supporters will only ever be available to the specific organisation to which supporters have consented, and never to any otherorganisations:
- If the supporter chooses to only be contacted by the other organisation, EDRi and the other organisation will act as joint data controllers. However, EDRi will have no access to the data and no control over how it is managed by the other organisation;
- If the supporter consents to be contacted by both the other organisation and by EDRi, then EDRi and the other organisation will be joint data controllers. Both entities will retain control over the set of data that they hold, and will not be jointly liable for how the other entity manages supporter data. Information about and privacy policies for the other organisation will be available on their website; or
- If the supporter does not provide any consent for their data to be used, EDRi will act as the controller. The supporter’s signature will be counted by FTSQ as a unique anonymous signature, and no other organisations, entities or persons shall have any access to their personal data.
EDRi uses non-personal data to provide you with the ReclaimYourFace.eu site, make sure it remains secure and use anonymous data for reporting and evaluation purposes.
We honour encrypted browsing (https) by default. Our website is managed by our trustworthy service provider, Spectre Operations, based in the Netherlands. Spectre Operations acts as a processor of website data whereas EDRi is the website data controller. We have signed a data processing agreement with Spectre Operations. Spectre Operations will only use the logs and any other information for troubleshooting the supplied services and for monitoring usage patterns for security purposes.
For reporting and evaluation purposes, we collect some statistics on the visits and downloads on our website with Matomo, a web analytics platform that gives us 100% data ownership. All data collected is anonymised, and we do not share it with third parties.
Our server software retains access logs (which contain anonymised IP addresses and pages visited) for the purposes of troubleshooting and generating aggregate statistics. We use this information to provide an indication of faults and to enable troubleshooting, and delete these data after 24 hours.
If you consent to being contacted by EDRi about updates on the ReclaimYourFace campaign and other digital rights campaigns by the EDRi network which may be of interest, you will be added to EDRi’s Campaign newsletter. The information you provide, such as your e-mail address and name will be stored and processed on our self-hosted CRM. It will only be used by EDRi’s communications and campaigns teams to send you the mailings to which you have consented. The information will never be shared with third parties of any kind. Aggregate information about subscribers such as the number of subscribers can be used for other publications.
EDRi commonly uses (‘double’) confirmed opt-in for subscribers to any mailing list unless you email us, call us or orally tell us to add you to a given mailing list. In any of those cases the legal ground for the collection and processing is Article 6.1 (a) GDPR. By using professional, self-hosted mailing list software like Mailman and CiviCRM, EDRi aims at minimising the abuse risk of email addresses by third parties. Subscribers can subscribe or unsubscribe themselves, without any intervention from EDRi. Maintenance, system operation and security of the mailing lists are delegated to Spectre Operations and subscribers may also be added via an opt-in system attached to a campaign website.
The ReclaimYourFace campaign team can be contacted at firstname.lastname@example.org which is hosted by EDRi. Emails that are sent to the campaign address or to individual staff of the coordinating organisation, EDRi, will be stored on EDRi’s email server in the Netherlands and potentially on recipients’ local devices. As a result, emails are susceptible to lawful access under Dutch jurisdiction. Our current service provider is Spectre Operations. For more information on the email policy for EDRi staff members, see https://edri.org/privacy-policy/.
The Reclaim Your Face campaign uses social media to advance our work. These applications require the use of third party service providers. Notably, we have a Twitter account. Please note that these services engage in extensive data collection and processing practices that are governed by their own terms of service.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge at any time a complaint with the European Data Protection Supervisor or with a data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed.
The contact details of the national authority which will receive and process the said personal data and the contact details of the national data protection authorities can be consulted here.
Changes to this policy
In the event that this policy is changed at any time, the date and nature of the change will be clearly indicated in this document. In the event that the change has a material impact on the handling of your personal information, we will contact you to seek your consent.
[Last updated on 27 October 2020]