Privacy Notice

What does this Privacy Notice do?
This Privacy Notice (“Notice”) explains e.p.a.’s information processing practices. It applies to any personal information you provide to us and any personal information we collect from other sources. This Notice is a statement of our practices and of your rights regarding your personal information.  This is not a contractual document, and it does not create any rights or obligations on either party, beyond those which already exist under data protection laws.

This Notice does not apply to your use of a third-party site linked to this website.

Who is responsible for your information?
e.p.a. is responsible for your personal information (and the controller for the purposes of data protection laws) that we collect from or about you.

When and how do we collect your information?
We collect personal information in the following ways: forms (via wordpress, toolset plug-ins or podio.com), newsletter (e.p.a. rainbow letter via CleverReach®).

What information do we collect?
In general, we collect personal information about you that you provide to us or usage of our websites.

Information you provide to us
When you request services, we ask that you provide accurate and necessary information that enables us to respond to your request. When you provide personal information to us, we use it for the purposes for which it was provided to us as stated at the point of collection or as obvious from the context of collection, for example providing a quote, requesting participation with us or creating a profile on our website or application.

More information about the categories of personal information collected for each of our services, together with the purpose and legal basis for collecting the information is provided below.

We will not knowingly collect any sensitive personal information unless this is required and you are notified of such. Sensitive personal information includes a number of types of data relating to: political opinions; religious or other similar beliefs; trade union membership; physical or mental health; sexual life.

If you provide us with sensitive personal information, you understand and give your explicit consent that we may collect, use and disclose this information to appropriate third parties for the purposes described in this Notice. If you provide personal information about other individuals such as employees or dependents, you must obtain their consent prior to your disclosure to us.

Information we collect over the e.p.a. website and social media.

We may ask you for personal and contact information, e.g. names, e-mail, phone numbers, date of birth, ID card or passport number, home address, when you register for events or directly visit our website.

In some instances, we automatically collect certain types of information when you visit our websites and through e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses, “cookies” and web beacons. Further information about our use of cookies can be found in our Cookie Notice.

Content you post. If you post information when you interact with our websites through social media sites, plug-ins or other applications, depending on your privacy settings, this information may become public on the Internet. You can control what information you share through privacy settings available on some social media sites. For more information about how you can customize your privacy settings and how third-party social media sites handle your personal information, please refer to their privacy help guides, privacy notices and terms of use.

Mobile devices.  If you access our websites on your mobile telephone or mobile device, we may also collect your unique device identifier and mobile device IP address, as well as information about your device’s operating system, mobile carrier and your location information. We may also ask you to consent to providing your mobile phone number (for example, so that we can send you push notifications).

Categories of personal information we may collect and disclose (as defined under applicable law).
 
e.p.a. rainbow letter (newsletter): name, contact information, organisation (via cleverreach®)

Instagram

Youtube

Legal basis
All processing (i.e. use) of your personal information is justified by a “lawful basis” for processing. In the majority of cases, processing will be justified on the basis that:

Do we collect information from children?
We do not directly provide services to children, and we do not knowingly collect personal information from children.

How long do we retain your personal information?
How long we retain your personal information depends on the purpose for which it was obtained and its nature. We will keep your personal information for no more than the time required to fulfil the purposes described in this privacy notice unless a longer retention period is permitted by law.

We have implemented appropriate measures to ensure your personal information is securely destroyed in a timely and consistent manner when no longer required.

Do we disclose your personal information?
Within e.p.a
We may share your personal information with other e.p.a partners within the e.p.a. network to serve you, coordinate and organise projects including for the activities listed above, with funders that acquire your personal information to pay out or justify financial support. 

Examples include:
Legal Requirements and Business Transfers
We may disclose personal information (i) if we are required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request. (ii) in response to law enforcement authority or other government official requests, (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (iv) in connection with an investigation of suspected or actual illegal activity or (v) in the event that we are subject to a merger or acquisition to the new owner of the business, or in the event of the dissolution of our business. Disclosure may also be required for company audits or to investigate a complaint or security threat.

Do we transfer your personal information across geographies?
We are an International organization and may transfer certain personal information across geographical borders to our network partners in other countries working on our behalf in accordance with applicable law. Our partners may be based locally, or they may be overseas some of which have not been determined by the European Commission to have an adequate level of data protection.

When we do, we use a variety of legal mechanisms to help ensure your rights and protections travel with your data:

  • we ensure transfers within are covered by agreements based on the EU Commission’s standard contractual clauses, which contractually oblige each member to ensure that personal information receives an adequate and consistent level of protection wherever it resides within;
  • where we transfer your personal information outside of us or to third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information. Some of these assurances are well recognized certification schemes like the EU – US Privacy Shield for the protection of personal information transferred from within the EU to the United States, or the standard contractual clauses; or
  • where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information are disclosed.

If you would like further information about whether your information will be disclosed to overseas recipients, please contact us as noted below. You also have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments, which may be redacted for reasons of commercial confidentiality) to ensure the adequate protection of your personal information when this is transferred as mentioned above.

Do we have security measures in place to protect your information?
The security of your personal information is important to us and we have implemented reasonable physical, technical and administrative security standards to protect personal information from loss, misuse, alteration or destruction. We protect your personal information against unauthorized access, use or disclosure, using security technologies and procedures, such as encryption and limited access. Only authorized individuals access your personal information, and they receive training about the importance of protecting personal information.

What choices do you have about your personal information?
We offer certain choices about how we communicate with our web site users or other individuals, and what personal information we obtain about them and share with others.

You may also choose not to receive communications from us by contacting us as noted below.
 
How can you update your communication preferences?
Newsletters
If you request electronic communications, such as an e-newsletter, you will be able to unsubscribe at any time by following the instructions included in the communication. You can also contact e.p.a. at office@epa-network.org.

Email
Contact us by e-mail or postal address as noted below. Please include your current contact information, the information you are interested in accessing and your requested changes.
If we do not provide you with access, we will provide you with the reason for refusal and inform you of any exceptions relied upon.

Other rights regarding your data
Data protection laws vary among countries, with some providing more protection than others. Subject to certain exemptions, and in some cases, particularly if you reside in a jurisdiction with applicable privacy laws, dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information.  
 
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested to you.

You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Right to Access
You have right to access personal information, and the categories thereof, which we hold about you. If you have created a profile, you can access that information by visiting your account or making a request online or by phone (as provided below).

Right to Rectification
You have a right to request us to correct your personal information where it is inaccurate or out of date.

Right to be Forgotten (Right to Erasure)
You have the right to request under certain circumstances to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data.

Right to Restrict Processing
You have the right to restrict the processing of your personal information, but only where:
•   its accuracy is contested, to allow us to verify its accuracy; or
•   the processing is unlawful, but you do not want it erased; or
•   it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
•   you have exercised the right to object, and verification of overriding grounds is pending.

Right to Data Portability
You have the right to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party.

Right to Object to Processing
You have the right to object the processing of your personal information at any time, but only where that processing is has our legitimate interests as its legal basis. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

International Transfers
As noted above, you can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the European Union.


Contact Us
If you have any questions, would like further information about our privacy and information handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about a breach of the law or this Privacy Notice, please contact: office@epa-network.org

Alternatively, you have the right to contact your local Data Protection Authority.


Changes to this Notice
We may update this Notice from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page.
We encourage you to periodically review this Notice so that you will be aware of our privacy practices.

This Notice was last updated on 20.11.2020