Project:Privacy policy

From Wikibase Personal data
Jump to navigation Jump to search

Privacy Policy

We obviously care tremendously about privacy and data protection principles. We want to be fully transparent with what our service does and how it works. If what follows is not clear, please address any question you might have to dataprotection@personaldata.io.

For our users

Our core commitment

We are committed to the interests of the users of the PersonalData.IO service, without any ambiguity.

We have embedded this commitment into our own governance:

We are a nonprofit organisation registered in Geneva, Switzerland.

We will never sell any of our users' data or even derivative products. The project is currently dependent on a team of volunteers, some external funding, and donations. To put our service on a more sustainable financial footing in the future, we might eventually offer paying services. There is no current plan to do this.

Value proposition to our users

The core proposition of our service is to offer our "active contributors" the possibility of helping others in their communities (the "champions") to exercise their data rights with respect to many organizations. We strive to do this in a convenient and scalable way, but under the **absolute condition that our systems would not touch any of the personal data of these "champions"**. We do process personal data for these "active contributors" (wiki, forum, mailing list), under the basis of consent and for clear purposes.

We jointly call "active contributors" and "champions" the "users" of our services.

If you are not a user of our service, we are unlikely to process your personal data unless some very particular exceptions apply (see further below).

Personal data we collect about our active contributors

Taking a wide view of what constitutes personal data, currently we collect personal data about our active contributors in the following ways:

  1. through the use of server logs;
  2. through our various forms, each designed for a very particular purpose and requiring your explicit consent;
  3. through security or tracking cookies (under our full control);
  4. through the registration form with our mailing list service;
  5. through account information and subsequent use of our forum or wiki;
  6. through responses received by champions, in the rare cases where these champions decide to become "active contributors" (this change would thus happen on the basis of their explicit consent);
  7. through direct communication with you (email interactions, for instance).

Why we collect this data

All of those processing operations applying to the personal data of our "active contributors" are absolutely necessary for the purposes we seek to achieve (taking into account unfortunate measures we had to take, such as requiring an account to edit the wiki, in order to protect against spam).

Our data retention policy for users

For all the above data points (except server logs and mailing list, forum and wiki registrations), we retain the personal data of "active contributors" indefinitely, as is appropriate given the initial purpose for collecting such data points.

For mailing list, forum and wiki registrations, we retain data for as long as the "active contributor" has not made the explicit request to unsubscribe or delete their account.

For logs data, we are still in the process of defining appropriate retention times.

For our non-users

We do collect personal data about non-users in two very limited circumstances.

For contact persons at organizations collecting personal data

In order to be able to connect our users with organizations with the scale and convenience required for effective protection of their personal data, we assert the need to aggregate in a meaningful way relevant information for each organization on how data subjects might exercise their rights. Sometimes those contact details are for individuals (e.g. professional email of a Data Protection Officer or a person internally responsible for such processing). We fully recognize these contact details would often constitute personal data of those individuals. Our legal basis for collecting this data in such cases is our legitimate interest to offer our services to our users. It is clear that in such circumstances, those individuals have full right to object to such processing of their personal data, which they can exercise by directly emailing us. In such circumstances, we would reevaluate the situation and communicate with the data subject directly.

For other professionals

Sometimes, in circumstances where the previous point is not applicable, we collect personal data about professionals in the personal data industry and other connected areas. The purpose then is to help our community at large better understand forces and dynamics at play in the personal data ecosystem.

This might be the case for instance because:

  • we want to attach the name of an author to a scholarly article or a talk they have given;
  • we want to attach an affiliation to an individual, as listed in a source (such as a university homepage or a Twitter account description) that would be publicly accessible, without an account;
  • because we want to keep track of a public list of participants to a conference.

In most cases this information is already public information, but we instead apply (conservatively) the "legitimate interest" test for the purpose of processing this personal data under the GDPR. Of course these individuals can directly exercise their objection right by emailing us.

Supervisory authority

Given that we are established in Switzerland, our processing of personal data, regardless of residency of the data subjects, is covered by the the Swiss Data Protection Act. This means our supervisory authority under that act is the Swiss Federal Data Protection Commissioner.

Additionally, for individuals residing in the European Union, the General Data Protection Regulation envisions that we would be subject to that Regulation as well, and obliges us to inform you of which would be our Supervisory Authority. However, this Regulation does not specify which would be the Supervisory Authority in the case of a data controller established in Switzerland, which we find very unfortunate: simply said, no one knows the answer we are supposed to provide. The best we can do is to suggest that you ask the Data Protection Authority in your country of residence for guidance on that matter. If you need assistance with this step, definitely let us know.

Your personal data rights

Regardless of whether you are a user or not of our services, and irrespective of your country of residence, we are committed to respecting the European General Data Protection Regulation (in addition of course to the Swiss Data Protection Act).

You have the following rights:

  1. right to be informed by us on any processing of your personal data;
  2. right to obtain a copy of your personal data (right of access);
  3. right to rectification of any incorrect or no longer relevant personal data;
  4. right to erasure of your personal data;
  5. right to object to the processing of your personal data, including the right to withdraw your consent;
  6. right to restrict the processing of your personal data;
  7. right to receive a copy of your personal data in a structured, commonly used and machine-readable format (right to portability);
  8. right for this personal data to be transferred directly to another data controller if technically feasible.

All these rights can be exercised by reaching out to dataprotection@personaldata.io.

Contact

Should you have any additional question on these matters, please contact us at dataprotection@personaldata.io.

With lots of data protection love,

PersonalData.IO

Date of last change: February 23rd 2020. Previous versions: May 25th 2018 (diff).