Privacy & Data Use Policy

Update: On 16 March 2023 we very made minor changes to slightly improve readability.
See older versions of this policy.

Read this document to understand how and why the Irish Council for Civil Liberties uses your personal data, and what companies process your data on our behalf. We'll update this policy whenever we make material changes to our practices, and we’ll announce the change at the top of this page to let you know.

Where is the consent banner/pop-up on this website?

The ePrivacy Directive¹ requires that you be notified before a website or app stores information on your device, unless that storage is necessary to show you the particular information you wanted to view. ICCL's website is designed to work without saving any extraneous information,² including cookies, on your device. Learn how >

ICCL led the complaints that resulted in a landmark EU-wide regulatory decision against misleading consent spam.

How and why your data are used by ICCL

(Hit the + for detail)

Purpose of processing	Categories of personal data processed	Legal basis of processing	Duration of storage
To operate a mailing list.	E-mail address, pseudonym or real name, frequency of viewing emails, clicks on emails, and geographic region.	Consent.	The time necessary to deliver the requested service (see detail of storage in United States).
To learn what email campaigns have the most impact.	E-mail address, pseudonym or real name, professional description, frequency of viewing emails, clicks on emails, and geographic region.	Our interest in making our campaigns effective. The data are used in a way that does not negatively affect your rights or interests.	Duration of subscription to the E-mail list (see detail of storage in United States).
To conduct general correspondence.	Data sent by the person communicating.	Our interest in correctly responding to correspondents, and maintaining good relations with them. The data are used in a way that does not negatively affect your rights or interests.	Indefinite (see detail of storage in United States).
To send campaign communications by text message.	Mobile phone number.	Consent.	Duration of membership (see detail of storage in United States).
To organise local campaigns.	Name, email, constituency.	Consent.	Duration of a person’s subscription to the Email list or duration of a person’s membership (see detail of storage in United States).

Purpose of processing	Categories of personal data processed	Legal basis of processing	Duration of storage
To advertise about campaigns to people who use Facebook.	For Facebook: Facebook ID (not available to ICCL, and used by Facebook for people logged in to Facebook), actions on Facebook, location, age, gender, previously visited website, device details. See Facebook controller agreement.	Our interest in defending people’s rights over the long term, which is balanced with everybody’s interest in gaining protection from online surveillance, and against the risk of Facebook’s data processing.	ICCL does not receive personal data from Facebook. Facebook stores the data until the user deletes their Facebook account .

Purpose of processing	Categories of personal data processed	Legal basis of processing	Duration of storage
Maintain a record of membership.	Name, email, address, phone number.	Consent.	Duration of membership (see detail of storage in United States).
To receive donations.	Name, email, address, phone number, type of credit card. (You give a company called Stripe your credit card details too, but ICCL does not receive them).	Contract.	6 years (see detail of storage in United States).
To record donations and membership fees.	Name, email, phone number, address, donation.	Legal obligation to record transactions.	6 years (see detail of storage in United States).
To record potential donors.	Name, email, phone number, address	Legitimate interest.	Indefinite (see detail of storage in United States).
To record potential donors' interests.	Topics of interest	Consent³	Indefinite (see detail of storage in United States).
To inform members of the AGM.	Name, email, phone number, address.	Legal obligation to keep members informed of meetings such as the AGM.	Duration of membership (see detail of storage in United States).
To manage relationships with members.	Name, email, phone number, address, duration of membership.	Consent.	Duration of membership (see detail of storage in United States).
To record consent.	Name, email, phone number, address, details of processing consented to.	Legitimate interest.	Duration of a person’s subscription to the Email list or duration of a person’s membership.

Purpose of processing	Categories of personal data processed	Legal basis of processing	Duration of storage
To assess the eligibility of job candidates.	Name, contact details, application materials.	Legitimate interest.	1 year after the role the person has applied for has been filled.
To conduct general correspondence.	Data sent by the person communicating.	Our interest in correctly responding to correspondents, and maintaining good relations with them. The data are used in a way that does not negatively affect your rights or interests.	Indefinite (see details of storage in United States).

How and why your data are used by ICCL

You have the right to ask what information we have about you, update incorrect information, delete it, object to our use of it, or get a copy of it. You can contact us at info@iccl.ie. If you are in the European Economic Area, you also have the right to complain to your local data protection authority (though everyone should have this right).

Keeping your visits to the ICCL website confidential

ICCL loads nearly everything (fonts, images, javascript, analytics) from its own server, to minimise the need for your device to send information about you to other organisations. ICCL's website uses no trackers - except for a mechanism on the donation page that protects ICCL against fraud. We use an analytics service called Matomo configured to operate with anonymous settings and running on our own servers so that even Matomo does not learns what you do when you visit us.

Automated decisionmaking

A company called Stripe operates an antifraud mechanism called "Radar" on our behalf to prevent fraud on the donation and join pages. Radar examines behaviour on the payments page to detect automatic "bots", and checks whether your credit card has been associated with fraud previously. If this system makes a mistake when you try to join or pay, please contact us to let us know.

Where your data go

Europe

ICCL websites are hosted on infrastructure operated on our behalf by Anu Internet Services, which uses servers in the Netherlands.

Membership signup forms are hosted on our behalf by Agitate.ie, which is also hosted in the Netherlands.

Surveys are hosted on our behalf by Survey Hero, which uses infrastructure in Ireland and Germany. After two months, survey responses are deleted and moved to Salesforce.

United States

If you are a member of ICCL, we keep a record of your membership using a system called Salesforce. If you ask us to keep in touch with you by email, we will use a company called MailChimp to do so. Every email we send includes an unsubscribe link.

If you email us we will receive it through Microsoft’s Exchange email system. It is possible (but unlikely) that we may record information from that Email in Asana, which is a tool that ICCL uses to schedule tasks.

If you make a donation to ICCL through our website, then your credit card data are processed by a company called Stripe. An antifraud tool called hCaptcha is present on our payment page.

Some or all Salesforce, MailChimp, Microsoft, Stripe, Asana, and hCaptcha servers are in the United States. If personal data relating to you is transferred to these servers, contractual provisions provide safeguards that are intended to be equivalent to those provided in the EU.

See our contracts for MailChimp, Salesforce, Microsoft, Asana, and hCaptcha. Our contract with Stripe is here, and it describes the safeguards applied when it sends your data to the US here.

Note, however, that Microsoft is subject to the US Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333, and may be compelled to transfer data to the US pursuant to a court order or an US intelligence services request.

Notes

Article 5(3) of the ePrivacy Directive.
Information is stored on your device for the sole purpose of carrying out your instructions or providing what you have requested.
We obtain explicit consent, in the form of a double opt-in, because these data may reveal political views.

Purpose of processing	Categories of personal data processed	Legal basis of processing	Duration of storage
To provide efficient access to ICCL websites on the Internet.	IP address, web browser version and type of machine.	Our interest in maintaining a website. The data are used in a way that does not negatively affect your rights or interests.	1 week.