Privacy Policy

PRIVACY POLICY

Effective date: 1 June 2022. Last updated: 11 August 2022

We are committed to protecting your privacy. This Privacy Policy sets out what data we collect, why we collect it and how we use it in relation to the European Human Rights Advocacy Centre (EHRAC) Database. This Policy also explains your rights and how you can exercise them. For more information or to see how Middlesex University may use your personal data please refer to Middlesex University’s Privacy Policy (https://www.mdx.ac.uk/about-us/policies/privacy).

WHO WE ARE (DATA CONTROLLER)

The Enforced Disappearance Legal Database (the Database) is owned by Middlesex University (the “the University”, “we”, “us” or “our”), which is the Data Controller. Middlesex University is an exempt charity by virtue of the Charities Act 1960. The Database’s day-to-day operation is maintained by EHRAC, which sits within Middlesex University’s School of Law.

Our Contact Details

Our postal address is:

Data Protection Officer
Middlesex University
The Burroughs
Hendon
London
NW4 4BT
United Kingdom

Middlesex University’s website is: https://www.mdx.ac.uk/

For any privacy-related questions, Middlesex University’s Data Protection Officer can be contacted directly at: dpaofficer@mdx.ac.uk

For any other questions, please write to our Database Repository Team who can be contacted at: EDLDInfo@mdx.ac.uk

EHRAC’s website address is: https://ehrac.org.uk/en_gb/

Our Database website address is: https://edld.ehrac.org.uk/

PURPOSE OF PROCESSING PERSONAL DATA

Our purpose for processing the Database’s users’ (“you” or “your”) data is to support the functionality of this Database, in order to achieve Middlesex University’s and EHRAC’s goals. “Personal” is defined as any information that can identify you directly or indirectly.

HOW WE GET THE PERSONAL DATA AND WHY WE HAVE IT

We collect and process personal data about the Database’s users. We collect this personal data about you and how you use our website for internal learning purposes, to make sure we are meeting our Database’s objectives, and to help us improve your experience. The personal data we collect is set out below, alongside the relevant legal ground.

Under the General Data Protection Regulation 2018 (GDPR), we are required to inform you of what information we collect and how we will process this information. This will ensure that we are transparent when using your data.

For any further information about your rights, please visit Middlesex University’s Privacy Policy (https://www.mdx.ac.uk/about-us/policies/privacy).

Grounds for processing

GDPR commits Middlesex University to establishing a lawful basis before processing your personal data. GDPR identifies several principles that Middlesex University is committed to meeting:

  1. Personal data must be used lawfully;
  2. Personal data must be collected for only valid reasons that Middlesex University has clearly stated;
  3. Personal data must be relevant to the purposes we have told you about and limited only to those purposes;
  4. Personal data and records must be accurate and kept up to date;
  5. Personal data is kept no longer than necessary and for the reasons listed above;
  6. Personal data is kept securely.

Providing your data to Middlesex University through using this Database, you consent to the collection and use of it in line with the law and this Privacy Policy, which may change from time to time, without warning.

When processing your personal data for Middlesex University, we will ensure we establish a lawful basis and clearly state which basis we are relying upon. Out of the six lawful bases, for the purposes of this Database and this Privacy Policy, Middlesex University will process your personal data under:

  • Consent: Consent is defined by the Information Commissioner’s Office (ICO) as offering individuals real choice and control.
  • Legitimate Interest: Legitimate Interest is defined by the ICO as using people’s personal data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

We collect and process the following information:

  • Personal identifiers, information, contacts and characteristics (name, email address and messages you send to us directly).
  • Cookie identifiers (essential and/or non-essential, depending on your cookie preferences)
  • Location data (only when you specifically opt-in to this through your cookie preferences)
  • Gender data (only when you specifically opt-in to this through your cookie preferences)

HOW LONG WE RETAIN YOUR PERSONAL DATA FOR, HOW WE STORE IT AND HOW WE DESTROY IT

Storage

Your personal data is stored on our secure network. Our systems and accounts have appropriate security measures in place including passwords, restricted access and/or encryption. We have currently retained Cyber Essentials.

We store your personal data in the following ways:

  • Personal identifiers, contacts and characteristics.
    • Messages you send to our Database contact email are forwarded to the Database Repository Team within EHRAC and are stored in their email accounts until deleted.
    • Messages you send to our Data Protection Officer’s contact email are stored in accordance with our central Privacy Policy.
    • Aggregated and/or anonymised personal data is stored in our organisational systems for internal learning, record-keeping and reporting.
  • Cookie identifiers, activity data, location data and gender data.
    • Essential cookies are stored by our Database website until they are automatically or manually deleted. Non-essential cookies are stored by our Database website and the third-party services used until they are automatically or manually deleted.

Duration

We retain your personal data until:

  • You exercise your right to object to us retaining your personal data and we are required by law to comply
  • Your personal data is deleted by the third-party system it is stored within
  • Your personal data is no longer necessary or required by us to fulfil the purposes we collected it for
  • Six years have lapsed since data collection, after which we will delete it

For any further questions, you can refer to our Retention Schedule or contact the Data Protection Officer at dpa@mdx.ac.uk.

Deletion

We will only retain your personal data for longer than six years if required by law, legal proceedings or a legal complaint or claim made against us.

How data is deleted depends on the type of data:

HOW WE SHARE YOUR PERSONAL DATA

We may share your personal data when resolving, appealing and/or defending any complaint or claim made against us in relation to this Database, in which case we may share your data within the Middlesex University School of Law, more widely throughout the University as appropriate, insurers, legal advisors (solicitors and/or barristers), the Courts or equivalent.

We may include aggregated and anonymised data (which no longer identifies you) in our internal and/or external reports.

For information about international transfers, please refer to our central Privacy Policy (https://www.mdx.ac.uk/about-us/policies/privacy).

FURTHER INFORMATION

If you have any questions or concerns about this notice, please contact:

You have a right to lodge a complaint with the Information Commissioner’s Office (ICO). If you do have any concerns about how we have handled your personal data we would kindly ask that you contact us in the first instance before you speak to the ICO so that we have an opportunity to put things right. The ICO’s address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

The ICO’s Helpline number is: 0303 123 1113

The ICO’s website is: https://www.ico.org.uk