General

Welcome to ECCRI CIC’s privacy policy. This policy applies to all ECCRI CIC projects and activities, including the Google.org Cybersecurity Seminars program.

ECCRI respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

This website is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

Controller

ECCRI CIC is the controller and responsible for your personal data (collectively referred to as “ECCRI”, “we”, “us” or “our” in this privacy policy).

Our contact details

Postal Address: 47 Boutport Street, Barnstaple, EX31 1SQ, UK
E-mail: contact@europeancyber.org

Please contact us using the contact details set out above if you have any questions about this privacy policy or our privacy practices, or any questions of requests to exercise your legal rights (further details are set out in the Your data protection rights section of this policy).

The type of personal data we collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store, process and transfer the following kinds of personal data:

  • Personal identifiers, contacts, and characteristics (for example, name and contact details)
  • Online identifiers and technical information (for example, IP addresses, your login data, browser type and version, time zone setting and location, and cookie data)
  • Financial information (for example, bank or card details)
  • Employment information (for example, current and previous employers)
  • Educational information (for example, qualifications and exam results)

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How we collect personal data

We use different methods to collect data from and about you including through:

Direct interactions. You may give us your identity details, contact and financial data by filling in forms, applications or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

  • apply for our services, projects, schemes, programs or workshops;
  • register for an online event;
  • create an account on our website;
  • subscribe to our publications;
  • request marketing to be sent to you;
  • enter a competition, promotion or survey; or
  • give us feedback or contact us.

Automated technologies or interactions. As you interact with our website, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies.

Third parties or publicly available sources. We may also receive personal data about you from various third parties and public sources.

How we use your personal data, why we have it, and lawful basis

The table below (Table 1) describes the various forms of personal data we collect, why we have it and the lawful basis for processing this data, under the UK General Data Protection Regulation (“UK GDPR”). We have processes in place to ensure that only those people in our organisation who need to access your data can do so. A number of data elements are collected for multiple purposes, as the table below shows.

When we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:

  • The purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden, or not, by the individual’s interests, rights or freedoms.

We also only process and share personal data when the law allows us to and to comply with our legal obligations. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Data processing types

Table 1

Data processed

How we get this data

Why we use this data

 

Lawful basis for processing of personal data

a) Personal identifiers,
contacts and characteristics, employment information and educational information.

This data is typically provided by you as a participant in one of our projects – for example, as an applicant under the Open Call process for the Google Cybersecurity Seminars Program.

We use this data in order to
deliver these projects – for example, using applicant information to select the highest quality applications for the Cybersecurity Seminars program.

 

Register you in relations to applications for our programs or events.

 

We may also use this information for other purposes beyond the specific project within which it was collected, as long as those purposes are within the overall community interest purpose of ECCRI CIC: to advance education for the public benefit in relation to the impact of digital and emerging technologies on global affairs.

 

Contractual obligation, where we need to perform the contract we are about to enter into or have entered into with you.

 

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

b) Personal identifiers, contacts, and characteristics and online identifiers.

This data may also be collected
through other interactions with ECCRI CIC (for example, by contacting us via
our website or email address, or by registering to participate in an online
event).

 

We use this data to respond to
queries, to run events, and to gather participant statistics and feedback
about events. We also use this information to manage our relationship with you e.g. notifying you about privacy policy changes or terms.

Contractual obligation, where we need to perform the contract we are about to enter into or have entered into with you.

 

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

 

c) Personal identifiers, contacts, and characteristics and financial information.

This data are provided by you in order to receive payment (for example, expenses claims, honoraria, or payment for goods or services).

We use this information to pay suppliers, contractors, and partners, and ultimately to deliver ECCRI projects. We may also use this information to manage payments, fees and charges and to collect and recover money owed to us.

Contractual obligation, where
we need to perform the contract we are about to enter into or have entered
into with you.

 

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

 

d) Personal
identifiers, contacts, and characteristics and online identifiers

This data may also be collected by visiting our website or otherwise engaging with ECCRI CIC online (for example, via social media).

 

We use this information to collect information about our reach and engagement, and to improve and design our projects.

 

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Data disclosure, storage, and transfer

If You Fail To Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with products or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

Third Party Links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Disclosures of your personal data

Third Party Service Providers who we may share your data with or who could potentially have access:

1. Government and law enforcement agencies:

We may be required by law to share your data with other organisations, such as government or law enforcement agencies:

  • to satisfy any applicable law, regulation, legal process, or governmental request;
  • to detect, prevent, or otherwise address fraud, security, or technical issues;
  • protect our rights, property or safety, our users and the public;
  • to prevent a crime; harm to another.

2. Professional advisors including lawyers, bankers, auditors and insurers:

This may include exchanging information with other companies and organisations for fraud protection and spam/malware prevention if required by law. It may also include third parties to whom we sell, transfer, or merge parts of our business or our assets. (Please note we do not sell any personal data to third parties).

3. External assessors and experts

We may share this information with external experts or other organizations to help us deliver our services, including the review of grant applications. The exception is the Google Cybersecurity Seminars program, where all personal data contained in your grant application will be redacted by ECCRI CIC before it shares your application with Google or external experts for further review, and no personal data will be shared with Google.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How we store your personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Participant data: We keep personal identifiers, contacts and characteristics, employment information and educational information collected as part of our projects for three years after the end of the project, to ensure we can comply with potential audits, reviews, or other monitoring and evaluation requirements. We will then securely dispose of your personal data by deleting it from our systems.

The exception to the three-year retention period set out above is any personal data provided as part of an application to the Google Cybersecurity Seminars Program where that application and the details within it are not recommended for a grant award by ECCRI CIC. Personal data in non-recommended applications will be deleted within three months of the open call window closing.

Other project data: We keep personal identifiers, contacts, and characteristics and online identifiers shared through other project-based interactions with ECCRI CIC for up to three years. We will then securely dispose of your personal data by deleting it from our systems.

Payment data: We keep personal identifiers, contacts, and characteristics and financial information collected for payment purposes for three years after the contract ends or payment is made. We will then securely dispose of your personal data by deleting it from our systems.

Online engagement data: We keep personal identifiers, contacts, and characteristics and online identifiers collected indirectly through online interactions with ECCRI CIC for up to three years. We will then securely dispose of your personal data by deleting it from our systems.

International Transfers of Personal Data

We may transfer to, and store the data we collect about you in, countries other than the country in which the data was originally collected, including the United States, Canada or other destinations outside the European Economic Area (“EEA”) and the United Kingdom. Those countries may not have the same data protection laws as the country in which you provided the data.

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

If we transfer your data to other countries, we will protect the data as described in this Privacy Policy and comply with applicable legal requirements providing adequate protection for the transfer of data to countries outside the EEA and outside the United Kingdom.

  • Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensure at least one of the following safeguards is implemented:
    the country to which the personal data will be transferred has been deemed to provide an adequate level of protection for personal data (e.g. there is an adequacy decision in place); or
  • we have put in place appropriate safeguards in respect of the transfer, for example we have entered into EU standard contractual clauses and required additional safeguards with the recipient, or the recipient is a party to binding corporate rules approved by an EU or UK supervisory authority or we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

 

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

Rights and complaints

Your data protection rights

Under certain circumstances, under data protection law, you have rights in relation to your personal data including:

Your right of access – You have the right to request a copy of your personal data.
Your right to rectification – You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal data in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal data in certain circumstances.
Your right to object to processing – You have the the right to object to the processing of your personal data in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
Your right to withdraw consent – You are able to remove your consent at any time. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. You can do this by contacting contact@europeancyber.org.

For requests, we will require you to prove your identity – this is in accordance with ICO guidance to ensure that the request is from you and not someone impersonating you and is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

Acceptable forms of identification can be: passport, driving licence, birth certificate, utility bill (from last 3 months), current vehicle registration document or a bank statement (from last 3 months).

We will try to respond to your request within 30 days of us confirming your identity. This is in line with the requirements of Data Protection Act 2018/UK GDPR. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Please contact us at contact@europeancyber.org if you wish to make a request.

How to complain

If you have any concerns about our use of your personal data, please contact us at contact@europeancyber.org

You can also complain to the ICO if you are unsatisfied with our use of your data.

The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk

Last updated: 22 November 2023