Effective date: 1 June 2022. Last updated: 11 August 2022
WHO WE ARE (DATA CONTROLLER)
The Enforced Disappearance Legal Database (the Database) is owned by Middlesex University (“the University”, “we”, “us” or “our”), which is the Data Controller. Middlesex University is an exempt charity by virtue of the Charities Act 1960. The Database’s day-to-day operation is maintained by EHRAC, which sits within Middlesex University’s School of Law.
Our Contact Details
Our postal address is:
Data Protection Officer
Middlesex University’s website is: https://www.mdx.ac.uk/
For any privacy-related questions, Middlesex University’s Data Protection Officer can be contacted directly at: email@example.com
For any other questions, please write to our Database Repository Team who can be contacted at: EDLDInfo@mdx.ac.uk
EHRAC’s website address is: https://ehrac.org.uk/en_gb/
Our Database website address is: https://edld.ehrac.org.uk/
PURPOSE OF PROCESSING PERSONAL DATA
Our purpose for processing the Database’s users’ (“you” or “your”) data is to support the functionality of this Database, in order to achieve Middlesex University’s and EHRAC’s goals. “Personal data” is defined as any information that can identify you directly or indirectly.
HOW WE GET THE PERSONAL DATA AND WHY WE HAVE IT
We collect and process personal data about the Database’s users. We collect this personal data about you and how you use our website for internal learning purposes, to make sure we are meeting our Database’s objectives, and to help us improve your experience. The personal data we collect is set out below, alongside the relevant legal ground.
Under the General Data Protection Regulation 2018 (GDPR), we are required to inform you of what information we collect and how we will process this information. This will ensure that we are transparent when using your data.
Grounds for processing
GDPR commits Middlesex University to establishing a lawful basis before processing your personal data. GDPR identifies several principles that Middlesex University is committed to meeting:
- Personal data must be used lawfully;
- Personal data must be collected for only valid reasons that Middlesex University has clearly stated;
- Personal data must be relevant to the purposes we have told you about and limited only to those purposes;
- Personal data and records must be accurate and kept up to date;
- Personal data is kept no longer than necessary and for the reasons listed above;
- Personal data is kept securely.
- Consent: Consent is defined by the Information Commissioner’s Office (ICO) as offering individuals real choice and control.
- Legitimate Interest: Legitimate Interest is defined by the ICO as using people’s personal data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
We collect and process the following information:
- Personal identifiers, information, contacts and characteristics (name, email address and messages you send to us directly).
- Cookie identifiers (essential and/or non-essential, depending on your cookie preferences)
- Location data (only when you specifically opt in to this through your cookie preferences)
- Gender data (only when you specifically opt in to this through your cookie preferences)
HOW LONG WE RETAIN YOUR PERSONAL DATA FOR, HOW WE STORE IT AND HOW WE DESTROY IT
Your personal data is stored on our secure network. Our systems and accounts have appropriate security measures in place including passwords, restricted access and/or encryption. We have currently retained Cyber Essentials.
We store your personal data in the following ways:
- Personal identifiers, contacts and characteristics.
- Messages you send to our Database contact email are forwarded to the Database Repository Team within EHRAC and are stored in their email accounts until deleted.
- Aggregated and/or anonymised personal data is stored in our organisational systems for internal learning, record-keeping and reporting.
- Cookie identifiers, activity data, location data and gender data.
- Essential cookies are stored by our Database website until they are automatically or manually deleted. Non-essential cookies are stored by our Database website and the third-party services used until they are automatically or manually deleted.
We retain your personal data until:
- You exercise your right to object to us retaining your personal data and we are required by law to comply
- Your personal data is deleted by the third-party system it is stored within
- Your personal data is no longer necessary or required by us to fulfil the purposes we collected it for
- Six years have elapsed since data collection, after which we will delete it
For any further questions, you can refer to our Retention Schedule or contact the Data Protection Officer at firstname.lastname@example.org.
We will only retain your personal data for longer than six years if required by law, legal proceedings or a legal complaint or claim made against us.
How data is deleted depends on the type of data:
- Personal identifiers, contacts and characteristics.
- Messages you send to our Database contact email will be deleted from the Database Repository Team’s email accounts. It may take some time for the personal data to be deleted from Microsoft’s servers. For more information, see: https://privacy.microsoft.com/en-gb/privacystatement.
- Cookie identifiers.
- Essential cookies are stored until they are automatically or manually deleted. Non-essential cookies are stored in our organisational Google Analytics account until deleted. For more information on both kinds of cookies, see: https://support.google.com/analytics/answer/6004245?hl=en#zippy=%2Cour-privacy-policy.
- Location data and gender data.
- These pieces of personal data come from you opting in to non-essential cookies. They are stored in our organisational Google Analytics account until it is deleted. For more information, see: https://support.google.com/analytics/answer/6004245?hl=en#zippy=%2Cour-privacy-policy.
- Aggregated and anonymised personal data stored in our organisational systems will be deleted from our files. It may take some time for the personal data to be deleted from Microsoft’s servers. For more information, see: https://privacy.microsoft.com/en-gb/privacystatement.
HOW WE SHARE YOUR PERSONAL DATA
We may share your personal data when resolving, appealing and/or defending any complaint or claim made against us in relation to this Database. In that case we may share your data within the Middlesex University School of Law, more widely throughout the University as appropriate, and with insurers, legal advisors (solicitors and/or barristers), the Courts or equivalent.
We may include aggregated and anonymised data (which no longer identifies you) in our internal and/or external reports.
If you have any questions or concerns about this notice, please contact:
- EHRAC’s Database Repository Team directly at: EDLDInfo@mdx.ac.uk; or
- Middlesex University’s Data Protection Officer at: email@example.com
You have a right to lodge a complaint with the Information Commissioner’s Office (ICO). If you do have any concerns about how we have handled your personal data, we would kindly ask that you contact us in the first instance before you speak to the ICO, so that we have an opportunity to put things right. The ICO’s address is:
Information Commissioner’s Office
The ICO’s Helpline number is: 0303 123 1113
The ICO’s website is: https://www.ico.org.uk