1.1 Thomson Reuters Foundation (‘We’, ‘Us’, or ‘Our’) is a registered charity in England and Wales (number 1082139) and a company limited by guarantee registered in England (number 04047905) at 5 Canada Square, Canary Wharf, London, E14 5AQ.
1.2 Please read these terms of use carefully before you start to use https://www.trust.org/ (our website), as these will apply to your use of our website. We reserve the right to amend these terms and conditions from time to time.
1.3 We take your privacy very seriously and we ask that you read this Privacy Policy carefully as it contains important information on:
1.3.1 Your Rights
1.3.2 The personal data we collect about you and why we collect the data;
1.3.3 What we do with your data, and
1.3.4 Who your information will be shared with.
HOW YOU CAN CONTACT US
In case of any questions regarding our privacy practices, if you would like to execute your rights or would like to submit a complaint, please contact [email protected]. You may also use the Contact Us form available on our website to reach out to us with any questions, concerns or comments.
CHANGES TO THE PRIVACY POLICY
We may change this Privacy Policy from time to time. You should check this Privacy Policy occasionally to ensure you are aware of the most recent version.
USEFUL WORDS AND PHRASES
4.1 Some word or phrases have particular meanings under Data Protection Laws and are used throughout this Privacy Policy:
4.1.1 Data Protection Laws: the laws and regulations which govern the handling of data applicable including the UK Data Protection Act 2018, the General Data Protection Regulations and the Privacy and Electronic Communications Regulations.
4.1.2 Personal Data: Any information about an identifiable individual that we can use to identify them either directly or indirectly from that information alone or in combination with other information we possess or can reasonably possess. Personal Data includes but is not limited to names, addresses, email addresses, phone numbers, and identification numbers.
4.1.3 Processing: any operations performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, use, transmission, restriction, erasure or destruction.
4.1.4 Sensitive Personal Data: Information about an identifiable individual revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
INFORMATION WE COLLECT
5.1 Personal data provided by you To provide you with our services, we may collect your information including:
5.1.1 Contact Data: This is information such as your name, email address which we collect when you sign up for our events, contact us by email, subscribe to any of our newsletters, use our services or provide such information through our surveys.
5.1.2 Profile Data: This is information such as the organisation you work for, your job title and role, and your area of expertise which we collect when you sign-up to use any of our services.
5.1.3 Financial data: such as payment related/ billing information.
5.1.4 Video images/photographs/audio: in connection with the trainings we provide as well as remote meetings.
5.1.5 Location data: This is information such as your country of residence or the country in which you work which we may collect when you register for our events, respond to a tender opportunity, or apply for job opportunities.
5.2. Aggregated Data
We will also collect analytics data where you accept certain cookies, we may collect information on how you use our website and services. This may include Aggregated Data such as statistical or demographic data. Aggregated Data will be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.
5.3 Special category personal data
To help us understand the diversity of our applicants, you may voluntarily provide certain special category personal data in connection with job applications such as information about your race/ ethnicity, gender identity, sexuality. Such special category data will be processed in an aggregated form that does not contain identifiable information and is used solely for the purpose of monitoring diversity among applicants in accordance with relevant data protection laws.
We may need to process your special categories of personal data if processing is necessary to comply with laws that apply to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime when conducting due diligence on programme/ project partners as required by charity laws.
5.4 Personal data provided by third parties
At times, we will also collect personal information from third parties such as: organisations with whom you have dealings including recruitment agencies, referrers, your company/organisation; individuals who may reach out to us directly for purposes of providing you with legal assistance (in the case of journalists facing certain legal risks who are referred to us); third-party donation platforms which provide us with your personal information when you make a donation through these them which we use for financial reporting purposes; and from publicly available records.
PERSONAL DATA USES AND LAWFUL BASES
6.1 Purpose of processing Personal Data
6.1.1 Delivery of our Services including – trainings, mentorships and fellowship programmes, pro-bono legal support through our TrustLaw and Legal Network for Journalists at Risk (LNJAR) networks, events such as Trust Conference, provision of non-public and public workforce disclosure data and disclosure scorecards through the Workforce Disclosure Initiative (WDI) platform.
6.1.2 Comply with our Legal and Regulatory obligations – such as establishing your identity in order to comply with legal and regulatory obligations under charity law which may require us to conduct due diligence on partners by ascertaining name, address, financial information, criminal history of persons with significant control.
6.1.3 Administration – Maintain internal records, which will include the collection of names, addresses, employment information of members, service providers and other stakeholders; to maintain and develop our relationship with you; to carry out recruitment activities if you are applying for a job; to process tender applications submitted by you; to maintain and update our records; manage communications with you based on the feedback you may opt to provide in surveys.
6.1.4 Manage Claims – pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints that we may receive;
6.1.5 To monitor our website usage to improve our services – please see our Cookie Policy which explains what cookies are and why we use them.
6.2. Lawful Bases of Processing your data
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing your personal data are:
6.2.1 Consent
By signing up for Our newsletters, or completing surveys, You are giving clear consent to process Your personal data for the specified purposes.
6.2.2 Contract
We may process your personal information when it is necessary to fulfil our contractual obligations under any agreement, we have entered into with you. These agreements may pertain to:
i. The provision of agreed upon services.
ii. Engaging you as a participant, fellow, trainee or mentee of one of our events or programmes.
iii. Engaging you in your capacity as a representative of a donor or partner in our projects and initiatives.
We may process your personal information before entering into any formal contractual arrangements with you. This could occur during due diligence checks on new partners and individuals we plan to engage for services, or when we request for quotes or proposals from potential service providers.
6.2.3 Legitimate Interest:
Where processing this data is necessary for Our legitimate interest which are not overridden by your data protection interests or fundamental rights and freedoms. The following are examples of the purposes for which we will process your Personal Data on this basis:
i. Maintaining internal records
ii. Ensuring regulatory compliance – for example due diligence when onboarding partners
iii. To permit us to pursue our rights and remedies
iv. To permit us to manage and respond to any enquiries or complaints
v. Ensuring we understand how you interact with our website and optimise your experience.
vi. You as a client or in our own right.
ACCESS, STORAGE AND TRANSFER OF PERSONAL DATA
7.1. Who will have access to your personal data?
We only share your personal data with third parties with your consent or other lawful basis for doing so, in accordance with this Policy. Specifically, in relation to your relationship with us:
7.1.1 We may share your personal data with third party service providers whom we engage to provide services including web development, trainings and mentorships, consultancy services, ticketing, technology, insurance, recruiting and employment processes and legal advisory service providers.
7.1.2 We may share your personal information with our donors and partners whom we collaborate with on projects, or events.
7.13 Legal and or regulatory authorities including courts or public authorities who may compel disclosure, such as HMRC and the Information Commissioner’s Office.
7.2 International Transfers of Personal Data
We securely store your Personal Data at a destination outside the United Kingdom (“UK”). It may also be processed by staff operating outside the UK who work for us.
7.2.1 In the event that your personal data is processed outside of the UK, you should know that some countries do not have the same data protection laws as the UK. In particular, non- EEA countries may not provide the same degree of protection for your personal data, may not give you the same rights in relation to your personal data and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal data.
7.2.2 However, whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to your Personal Data by having a lawful basis for transferring your Personal Data and implementing appropriate safeguards and taking all reasonable technical and organisational steps in accordance with this policy and Data Protection Laws.
7.2.3 When transferring your personal data to countries outside the UK or the EEA, we will ensure that, where required by applicable law, at least one of the following safeguards is implemented:
Adequacy decisions:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government.
Model clauses:
Where we use certain service providers, we may use specific clauses approved by the European Commission and UK Government which give personal data the same protection it has in Europe and the UK.
7.3 How we keep your data secure
We employ both encryption in transit and encryption at rest to ensure the confidentiality of your data. When you complete a form or questionnaire on one of our platforms, the information you submit is encrypted by HTTPS as it is transferred to TRF systems and remains encrypted the whole time it is stored. This mitigates the risks involved in either physical attacks (e.g. theft of hardware from data centres) or “man-in-the-middle” attacks where data is intercepted.
7.4 When we delete your data
We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the circumstances. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.
YOUR RIGHTS
As a data subject, you have the following rights under the Data Protection Laws:
8.1 You have the right to:
8.1.1 Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
8.1.2 Request correction of the personal data that we hold about you.
8.1.3 Request erasure of your personal data. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
8.1.4 Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
8.1.5 Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
8.1.6 Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
8.1.7 Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Complaints to the regulator
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
