Privacy and cookie policy (original) (raw)

The Guardian Foundation privacy and cookie policy

Introduction and contents

This is the privacy and cookie policy for The Guardian Foundation. The Guardian Foundation is an independent charity with a focus on increasing access to the media.

Our values guide everything that we do – including how we use personal data. We are strongly committed to keeping your personal data safe. This commitment exists throughout the lifecycle of your personal data, from the design of any use of personal data to the deletion of that data.

To complement our global approach to privacy protection, this policy also incorporates specific information privacy rights granted to individuals under Californian and Australian privacy law. This reflects our relationship with individuals including our beneficiaries in these locations.

We think carefully about our use of personal data, and below you can find the details of what we do to protect your privacy. This policy covers, among other topics:

• Information about your rights, the choices available to you, and our obligations in the UK and the European Union, in California, in Australia, and elsewhere
• Transparency about how we collect and use your personal data, including when and how it is shared
• Information on how we protect your personal data
• Information on how we will facilitate your rights and respond to your questions

Find out more about how we manage your personal data below:

1. Introduction and contents
2. About this privacy policy
3. Who we are and how to contact us
4. The types of personal data we collect about you
5. How we collect personal data
6. How we use your personal data
7. Additional information we collect via cookies and similar technologies when you access our services
8. Personal data shared by event partners
9. Using children’s personal data
10. Security of your personal data
11. When we share or sell your personal data
12. International data transfers
13. How long we keep your personal data
14. How we may contact you
15. Your privacy and data protection rights with regard to the personal data that we hold about you
16. Your California privacy rights
17. Your rights under the Australian Privacy Act
18. Contact us for information about how we use your personal data
19. Changes to this privacy policy

About this privacy policy

This privacy policy explains how we collect, use, share and transfer, and sell (for California residents) your personal data when you use the services provided on our site or interact with us; and your data privacy rights. Personal data is any information about you by which you can be identified or be identifiable. This can include information such as:

• your name, date of birth, email address, postal address, phone number, mobile number, financial details, such as payment cards you use to purchase products or support us
• information about your device (such as the IP address, which is a numerical code to identify your device that can provide information about the country, region or city where you are based)
• information relating to how you use and interact with our site and services
• information relating to your personal circumstances

When we refer to “personal data” in this policy, we are also referencing “personal information,” as it is defined under California law, which you can read more about below, and as it is defined under Australian law, which you can read about here.

Sometimes our site may contain links to sites and services that are not part of the The Guardian Foundation offering. These sites and services have their own privacy policies. If you follow a link to these non-Guardian Foundation sites and apps, you should read the privacy policy shown on their site.

Who we are and how to contact us

The Guardian Foundation, Kings Place, 90 York Way, London N1 9GU is the data controller in respect of your personal data. This means that we are responsible for deciding how and why we hold and use your personal data. If you want to contact us directly, you can find our contact details in the “How to contact us” section below.

The types of personal data we collect about you

We collect your personal data when you visit our site, engage in services or contribute to The Guardian Foundation or when you interact with us. We will only collect your personal data in line with applicable laws. We collect your personal data in various ways:

• directly from you, when you sign up for our services and when you browse our site
• personal data we generate about you, e.g. personal data we use to authenticate you, or personal data in the form of your IP address or your preferences
• personal data we collect from third parties, e.g. personal data that helps us to combat fraud or which we collect, with your permission, when you interact with your social media accounts

Below you will find more information about the categories of personal data we collect across our charitable programmes and use of our site:

Behind the Headlines

We collect the following personal data when you visit our Education Centre, register your interest in Behind the Headlines through our online registration form, or when you contact us directly:

• your contact details, such as name, address, email address, phone number;
• your organisation and job role; and
• details relating to your visit to the Education Centre or a Guardian Foundation event, such as dates, other visitor information, and special requirements

NewsWise

We collect the following personal data when you register your interest with the NewsWise programme in any capacity, including as a teacher, volunteer, or for a family event. This may be through our online registration form or when you contact us directly via phone or email:

• your contact details, such as name, email address, phone number; and
• your organisation and job title and information about your role, or your academic institution and details of your studies e.g. degree area and year of graduation
• details relating to visits to schools, such as dates and any special requirements that you choose to provide to us to enable us to support attendance

GNM Archive

We collect the following personal data when you contribute to the archive or contact us directly about our archive collections or arrange to visit the reading room:

• your contact details, such as name, email address, phone number; and
• details relating to your visit to the GNM archive, such as dates, other visitor information and special requirements
• Personal Interview records for the GNM archive

Personal data we generate about you

When you use our sites or apps we may also use cookies or similar technology to collect extra data, including:

• your IP address - a numerical code to identify your device, together with the country, region or city where you are based
• your geolocation data - your IP address can be used to find information about the latitude, longitude, altitude of your device, its direction of travel, your GPS data and data about connection with local Wi-Fi equipment
• information on how you interact with our services
• your browsing history of the content you have visited on our sites, including how you were referred to our sites via other websites
• details of your computer, mobile, TV, tablet or other devices, for example, the unique device ID, unique vendor or advertising ID and browsers used to access our content

We will not collect special categories of data from you - such as personal data concerning your race, political opinions, religion, health or sexual orientation - unless you have chosen to provide that type of personal data to us.

Personal data when you post comments about the Guardian Foundation on other social media sites

• If you have mentioned The Guardian Foundation in posts on social media sites, then we may collect your social media handles. For example, when you mention The Guardian Foundation in a tweet, we may collect your Twitter handle
• When you post publicly (comments) on our site

When you post publicly (comments) on our sites

When you post on a discussion board or comment publicly on an article on our site, the personal data you post, including your username and other information about yourself, may be publicly accessible. This personal data can be viewed online and collected by other people. We are not responsible for the way these other people use this personal data. When contributing to a discussion, we strongly recommend you avoid sharing any personal details, including information that can be used to identify you directly such as your name, age, address and name of employer. We are not responsible for the privacy of any identifiable information that you post in our online community or other public pages of the site.

How we collect personal data

We collect personal data when you:

• are a beneficiary of the Guardian Foundation
• participate for example in Behind the Headlines, Newswise or GNM Archive activities
• pay for a product or service
• attend our events
• participate in surveys or interviews
• use mobile devices to access our content
• access and interact with our site
• through cookies and other similar technology
• when you contact us via email, social media, or similar technologies or when you mention us on social media

How we use your personal data

We use personal data collected through our site only when we have a valid reason and the legal grounds to do so. We determine the legal grounds based on the purposes for which we have collected your personal data.

Legal grounds for using your personal data

The legal ground may be one of the following:

• Consent: Often we will use your personal data because we have asked for your consent, which you can withdraw at any time. Examples of where we ask for your consent include:
  • to send email communications and newsletters to you. You can withdraw your consent at any time by replying to the email.
  • to place non-essential cookies, or other similar technology. We provide more details of how we use cookies in this policy. You can withdraw your consent to us placing these cookies at any time through our Privacy Settings.
• Performance of a contract with you (or in order to take steps prior to entering into a contract with you): We will use your personal data if we need to in order to perform a contract with you. For example, where you have signed up to or registered your interest in becoming involved in one of our programmes or attending our events.
• Compliance with law: In some cases, we may have a legal obligation to use or keep your personal data.
• Our legitimate interests: We may process your personal data where it is necessary for our legitimate interests in a way that might be expected as part of running the Guardian and in a way which does not materially impact your rights and freedoms. For example it is in our legitimate interests for us to: understand our beneficiaries, promote our programmes and operate our site efficiently and to analyse what content has been viewed on our site, so that we can understand how it is used. Examples of when we rely on our legitimate interests to use your personal data include:
  • to contact you in relation to programmes you are involved in or have registered an interest in
  • to display Guardian Foundation content on Vimeo. We process personal data so that business customers can access this video player and we can understand how users interact with our content
  • when we analyse what content has been viewed on our site, so that we can understand how they are used and improve our content
  • for internal administrative purposes related to when you use our services - such as our accounting and records - and to make you aware of any changes to our services
  • to collect and log IP addresses to improve the website and monitor website usage,
  • to personalise our services (for example, so you can sign in) by remembering your settings, and recognising you when you sign in on different devices
  • enabling you to share our content with others using social media or email
  • when responding to your queries and to resolve complaints
  • for security and fraud prevention, and to ensure that our sites and apps are safe and secure and used in line with our terms of use

Data protection law includes certain exemptions when personal data is processed for the purposes of journalism. Those exemptions apply to some of the ways the Guardian Foundation uses personal data. This Privacy Policy does not cover personal data that is processed for the purposes of journalism.

Cookies

Additional information we collect via cookies and similar technologies when you access our services

What is a cookie?

A cookie is a small file that can be placed on your device that allows us to recognise and remember you. It is sent to your browser and stored on your computer’s hard drive or tablet or mobile device. When you visit our site, we may collect information from you automatically through cookies or similar technology, such as a tag, pixel, or other web beacon.

How do we use cookies?

When you use our sites or apps we may also we may also use cookies or similar technology to collect extra data, including:

• your IP address - a numerical code to identify your device, together with the country, region or city where you are based
• your geolocation data - your IP address can be used to find information about the latitude, longitude, altitude of your device, its direction of travel, your GPS data and data about connection with local Wi-Fi equipment
• information on how you interact with our site or services
• your browsing history of the content you have visited on our sites, including how you were referred to our sites via other websites
• details of your computer, mobile, TV, tablet or other devices, for example, the unique device ID, unique vendor or advertising ID and browsers used to access our content

We use the following types of cookies on our sites:

• Essential - These cookies are essential for the operation of our site. If you set your browser to block these cookies, some parts of our site will not work.
• Performance - These cookies are used to count how often you visit our site and understand how you use our site. We use this information to measure the performance of our site, which allows us to get a better sense of how our users engage with our service and to improve our site so that users have a better experience. For example, we collect information about which of our pages are most frequently visited, and by which types of users.
• Functionality - These cookies are used to recognise you and remember your preferences or settings when you return to our site so that we can provide a more personalised experience for you.

It is possible to stop your browser from accepting cookies by changing your browser’s cookie settings. You can usually find these settings in the “options” or “preferences” menu of your browser. The following links may be helpful, or you can use the “Help” option in your browser.

• Cookie settings in Internet Explorer
• Cookie settings in Firefox
• Cookie settings in Chrome
• Cookie settings in Safari web and iOS

Useful links

If you would like to find out more about privacy, cookies and their use on the internet, you may find the following links useful:

• Microsoft cookies guide
• All About Cookies
• The Information Commissioner’s Office

If you would like to contact us about cookies please email dataprotection@theguardian.com.

Personal data that we receive about you from other organisations

Adding to or combining the personal data you provide to us

When you sign up to our programmes we may add to the personal data you give us by combining it with other personal data shared with us by other trusted organisations. This includes, for example, the region that you are located in, so that we can show you relevant information about our programmes and activities. We may also add personal data to improve the accuracy of your delivery address when we send out mail and to ensure the accuracy of the information we hold.

Personal data shared by event partners

When you register or book a ticket for a Guardian Foundation event organised by an event partner, your registration data may be shared with us by the event partner.

Using children’s personal data

We do not aim any of our products or services directly at children under the age of 13 and we do not knowingly collect personal data about children under 13. Some of our services may have a higher age restriction and this will be shown at the point of registration. We also note that California law prohibits sale of personal data of consumers between 13-16 years of age unless The Guardian Foundation has authorised the sale. We comply with this requirement.

Security of your personal data

We have implemented appropriate technical and organisational controls to protect your personal data against unauthorised processing and against accidental loss, damage or destruction. Unfortunately, sending any information, including personal data, via the internet is not completely secure. Although we will do our best to protect your personal data once with us, we cannot guarantee the security of any personal data sent to our site while still in transit and so you provide it at your own risk.

When we share your personal data

Within the Guardian group of companies

Depending on where you live, we may share your personal data within the Guardian group of companies in the UK, US, or Australia. We may share it in order to perform a contract with you, for administrative purposes, or when we have a legitimate interest in doing so. For example:

• If you enter a competition then we may share your data with Guardian Journalists involved in the shortlisting of entries
• If you are going to one of our events hosted by an event partner, we may share your personal data with that partner for event administration purposes
• If we receive a letter, email or another form of communication from you that we consider to be significant to the history of the Guardian, we may consider this for the Guardian Archive for historic and archiving purposes

With external organisations
We share your personal data with other organisations that are not directly linked to us under the following circumstances:

Service providers - We may share your data with other organisations that provide services on our behalf. We may do this to perform a contract we have entered into with you, where it is in our legitimate interests or with your consent. Examples of when we may share your data with service providers include sharing with:

• website hosting providers, such as Visible Dots
• online payments processors who process credit and debit card transactions on our behalf
• fraud management providers that help us to identify and prevent online fraud
• internet and cloud hosting services providers, such as Amazon Web Services (AWS)
• software service providers such as Salesforce that assist us with our relationship management
• communications services providers
• error tracking software providers, such as Sentry and Google Firebase, to help us diagnose and fix errors and optimise the performance of our website
• service providers that provide us with insights and analytics that help us to improve our services. For example, we use Google Analytics to understand how visitors engage with our site. If you don’t want Google Analytics to be used in your browser, you can install the ‘Google Analytics Opt-Out Browser Add-On’, provided by Google
• Embedded video player providers, such as Vimeo, to provide content on our websites.
• data management companies, such as Formstack, that help us collect data via online forms and surveys
• Webinars hosting for example through Zoom

Agencies and authorities if required by law - We may reveal your personal data to any law enforcement agency, court, regulator, government authority, or in connection with any legal action if we are required to do so to meet a legal or regulatory obligation, where the request is proportionate, or otherwise to protect our rights or the rights of anyone else (for example, in response to valid and properly served legal process such as subpoena or warrant). We will attempt to notify you prior to disclosing your data unless (i) prohibited by applicable law from doing so, or (ii) there are clear indications of unlawful conduct in connection with your use of The Guardian Foundation services.

Event sponsors and partners - we may share your personal data with sponsors of Guardian Foundation events and partners who we hold events with for marketing purposes when you have given your permission for us to do so.

These transfers to third parties may constitute “sale” of your personal information under California law. A California resident can halt these sales at any time by pressing the “California resident - Do not sell” link that is located in the footer of every page on our site. Third-parties do not sell personal information that has been sold to them by the Guardian unless you have first received explicit notice and are provided an opportunity to exercise the right to opt out. You can read further about your California rights here. Anyone using the Guardian Foundation sites may manually inspect the sharing, transfer, and sale of their personal data in the cookie section of this policy.

When we share your personal data, as specified above, with any organisation which accesses your data in the course of providing services on our behalf, they will be governed by strict contractual restrictions to make sure that they protect your data and comply with applicable law. We may also independently audit these service providers to make sure that they meet our standards.

International data transfers

Data we collect may be transferred to, stored and processed in any country or territory where one or more of The Guardian Foundation service providers are based or have facilities. While other countries or territories may not have the same standards of data protection as those in your home country, we will continue to protect personal data that we transfer in line with this privacy policy.

Whenever we transfer your personal data out of the UK or the European Economic Area (EEA), we ensure similar protection and put in place at least one of these safeguards:

• We will only transfer your personal data to countries that have been found to provide an adequate level of protection for personal data.
• We may also use specific approved contracts that use Standard Contractual Clauses for the protection of personal data where appropriate, with our service providers that are based in countries outside the UK and EEA, including those based in the US and Australia. These contracts give your personal data the same protection it has in the UK and EEA.

If you are located in the UK or the EEA, you may contact us for a copy of the safeguards which we have put in place for the transfer of your personal data outside the UK or the EEA.

How long we keep your personal data

We keep your personal data for only as long as we need to. How long we need your personal data depends on what we are using it for, as set out in this privacy policy. For example, we may need to use it to answer your queries about an event or a product or service and as a result may keep personal data while you are still using our product or services. We may also need to keep your personal data for accounting purposes, for example, where you have made a payment. If we no longer need your data, we will delete it or make it anonymous by removing all details that identify you. If we have asked for your permission to process your personal data and we have no other lawful grounds to continue with that processing, and you withdraw your permission, we will delete your personal data. However, when you unsubscribe from our communications, we will keep your email address to ensure that we do not send you any communications in future.

How we may contact you

Communications and newsletters

If we have your permission, we may send you materials we think may interest you, such as communications about specific programmes and events which you have signed up for.

If you have signed up to be involved in one of our programmes or attend one of our events, we may send you an email or phone you with information about the programme or event. If you have agreed to receive information about The Guardian Foundation programmes through the registration forms on our site we may email you with further information. You can decide not to receive these communications and will be able to ‘unsubscribe’ directly by replying to the email

Market research

Sometimes we may contact you for market research purposes, for example about a survey. You can opt out from being contacted in this way by contacting us on info@theguardianfoundation.org

Responding to your queries or complaints

If you have raised a query or a complaint with us, we may contact you to answer your query or to resolve your complaint.

Your privacy and data protection rights with regard to the personal data that we hold about you

You have a number of rights with regard to the personal data that we hold about you and you can contact us with regard to the following rights in relation to your personal data:

• You have the right to receive a copy of the personal data we hold about you
• You have the right to correct the personal data we hold about you
• Where applicable, you may also have a right to receive a machine-readable copy of your personal data
• You also have the right to ask us to delete your personal data or restrict how it is used, consistent with the GDPR. There may be exceptions to the right to erasure for specific legal reasons which, if applicable, we will set out for you in response to your request
• Where applicable, you have the right to object to processing of your personal data for certain purposes
• Where you have provided us with consent to use your personal data, you can withdraw this at any time
• If you do not want us to use your personal data for marketing analysis you can reply to the email

If you would like to exercise any of your rights specified above, please email

dataprotection@theguardian.com or write to the Data Protection Officer at Guardian News & Media Limited, Kings Place, 90 York Way, London N1 9GU. Who will manage the request independently with The Guardian Foundation within one month.

We may need to request specific information from you to help us confirm your identity. If your request is complicated or if you have made a large number of requests, it may take us longer. We will let you know if we need longer than one month to respond. You will not have to pay a fee to obtain a copy of your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

Your California privacy rights

Under the California Consumer Privacy Act, California Civil Code Section 1798.100, if you are a resident of California you may contact us with regard to the following rights in relation to your personal data:

• Right of Access: You have a right to request access to the personal data we may hold on you for the past twelve (12) months. You may submit up to two (2) requests per year of access to your personal data.
• Right to Deletion: You also have the right to ask us to delete personal data we may hold on you or restrict how it is used. There may be exceptions to the right to deletion for specific legal reasons which, if applicable, we will set out for you in response to your request.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your California Consumer Privacy Act rights.

If you want to make any of these requests, please contact dataprotection@theguardian.com or by calling our designated toll-free number (888) 777-6069. Who will deal with requests independently with The Guardian Foundation to provide for access to your personal data within forty-five (45) days for California-specific requests. To help us respond as you expect, please specify that you are making a request under the California Consumer Privacy Act. We may need to request specific information from you to help us confirm your identity.

Your rights under the Australian Privacy Act

The Australian privacy Act has rules around how we handle your personal information that may be different to rules in other regions. These rules are set out in the Australian Privacy Principles in force under the Privacy Act 1988 (Cth) (the Australian privacy Act). We are required to treat your personal information in line with those principles, including to disclose to you what personal information we collect and how we use it, to store your information securely and to support you in exercising your rights.

Personal information we collect and use

When we refer to “personal data” throughout this policy, we are also referencing “personal information”, as it is defined under Australian law, which you can read about here.

Details about the personal information that we collect, use and disclose is set out throughout this privacy policy. You can navigate these relevant sections by going to the contents section at the top of the page.

Your rights

Your rights to privacy are also protected by the Australian Privacy Act, including your:

• Right of access to the personal information held about you; and
• Right of correction to correct your information when it is incorrect.

These principles and rights are reflected throughout this privacy policy.

We and our partners use cookies and similar technologies to collect information about your use of the website to help create reports and statistics on the performance of the website. Analytics cookies such as Google Analytics collect information such as your IP address, device type and operating system, referring URLs, location and pages visited. If you don’t want Google Analytics to be used in your browser, you can install the ‘Google Analytics Opt-Out Browser Add-On’, provided by Google.

For a complete description of our use of cookies and similar technologies globally, please see the Cookie section above.

If you have contacted us at dataprotection@theguardian.com with a privacy related complaint and you are not satisfied with our handling of that complaint, you may refer that complaint to the Office of the Australian Information Commissioner:

GPO BOX 5218, Sydney NSW 2001

T 1300 363 992

E enquiries@oaic.gov.au

Contact us for information about how we use your personal data

For individuals based outside the European Union, Australia or U.S,:

If you have any questions about how we use your personal data or if you have a concern about how your personal data is used, please contact the Data Protection Officer at Guardian News & Media Limited, Kings Place, 90 York Way, London N1 9GU. Or, email dataprotection@theguardian.com.

Complaints will be dealt with by the Data Protection Team independently with The Guardian Foundation, and will be responded to within 30 days.

If you are not satisfied with the way your concern has been handled, you can refer your complaint to the Information Commissioner’s Office.

If you have a question about anything else, please see our Contact us page here.

For individuals based in the European Union:

Since we do not have an establishment in the European Union, we have appointed an EU based representative to serve as a direct contact for data protection authorities and individuals on our behalf, who can be contacted at theguardian@mcf.ie or MCF Legal Technology Solutions Limited, Riverside One, Sir John Rogerson's Quay, Dublin 2, Ireland.

Changes to this privacy policy

If we decide to change our privacy policy we will post the changes here. If the changes are significant, we may also choose to email all our registered users with the new details. If required by law, we will get your permission or give you the opportunity to opt out of any new uses of your data.

Changes to this privacy policy to date

The most recent changes to this privacy policy were made on:

• 24 March 2022
• 7th April 2021
• 21 May 2018

A list of all previous changes are available upon request.