Data processing agreement
Data processing agreement between Friends of the Earth Scotland, Friends of the Earth (England, Wales and Northern Ireland) and Platform London
Effective date: 23/2/2021
Friends of the Earth Scotland (FoES) (as the data controller) has agreed to share personal data with Friends of the Earth England, Wales and Northern Ireland (FoE EWNI) and Platform in their roles as coalition partners of UK Divest. For the purposes of this agreement, FoE EWNI and Platform will act as third-party data processors for FoES.
This agreement sets out how the processors will handle personal data belonging to the controller and ensure that both the controller and processors understand their responsibilities.
1. Subject matter
FoE EWNI, FoES and Platform are responsible for managing personal data of subscribers to the ‘UK Divest’ mailing list. The list shall be used exclusively for communications relating to fossil fuel divestment campaigns.
UK Divest may also hold personal data relating to people who have registered for events via Eventbrite.
2. Nature and purpose of the processing
The legal basis for collecting and processing this data falls under the categories of ‘consent’ and ‘legitimate interest’.
Opt-in subscription to the UK Divest mailing list
FoES, together with FoE EWNI and Platform, process the personal data of those who sign up to the UK Divest mailing list in order to keep them informed about relevant campaign news, events and activities.
Sign-ups to this list may come from a variety of sources, including:
- direct subscriptions via the UK Divest website’s online form;
- explicit opt-ins via online and/or offline event sign-up forms (including at third-party events), online campaign actions hosted by a third-party (e.g. a petition hosted on the FoE EWNI/FoES website), etc.
The following text will always be used for any online or offline subscriptions to the MailChimp list:
FoES, together with FoE EWNI and Platform, hold a record of people who have registered for events securely on Eventbrite and/or Google Drive (as necessary) for administrative communication relating to the event, including access needs.
3. Type of personal data and categories of data subject
FoES, FoE EWNI and Platform may process several types of personal data on behalf of UK Divest, e.g. first name, last name, email address, phone number, address, postcode.
Categories of data subject are subscribers to the UK Divest mailing list (direct and indirect), people who register for online and offline events hosted by UK Divest, and users of divest.org.uk.
4. Data access, storage and duration of the processing
Data may be held securely on MailChimp. Personal data used for the purposes of contacting individuals via the UK Divest mailing list will be uploaded directly to MailChimp and stored securely there. Personal data of mailing list subscribers will be permanently deleted from any individual devices and any paper records destroyed once uploaded to MailChimp.
When individuals sign up to the UK Divest mailing list via third parties (e.g. through an online action hosted by FoE EWNI or FoES via Impact Stack), subscribers will not be contacted by the host organisations or added to the host organisation’s own mailing list/s, unless they have explicitly opted in to also hear from this organisation. Any personal data collected in this way will be securely downloaded by one of the below-named staff members and uploaded directly to MailChimp. Personal data will be permanently deleted from any individual devices once uploaded to MailChimp; however, the e-action host may store this data in line with their own policies.
The personal data of anyone who registers for a UK Divest event but who does not explicitly opt in to the UK Divest mailing list will be permanently deleted from personal devices once the event has taken place. However, this data will be kept on Eventbrite.
One named staff member from each of the organisations will have access to this data.
Currently this will be:
- FoES – Ric Lander
- FoE EWNI – Rianna Gargiulo
- Platform – Robert Noyes
In the event that the campaign is closed, the staff above will be responsible for destroying all personal data.
5. Obligations and rights of FoE Scotland
The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles of: (1) Lawfulness, fairness and transparency, (2) Purpose limitation, (3) Data minimisation, (4) Accuracy, (5) Storage limitation, (6) Integrity and confidentiality and (7) Accountability.
This may include:
- being able to demonstrate how and when they obtained a data subject’s consent to processing their personal data;
- being able to verify parental consent where it is required for the processing of a young person’s data;
- removing personal information from UK Divest’s systems at any time when required to by the data subject and notifying FoE EWNI and Platform of this;
- reporting a personal data breach to the ICO under the GDPR if it is likely to result in a risk to people’s rights and freedoms, not later than 72 hours after having become aware of it. If there is the likelihood of a high risk to people’s rights and freedoms, FoES will also need to report the breach to the individuals who have been affected;
- paying compensation in the event of damage or distress to an individual as a result of the data controller’s negligence when using personal information.
6. Responsibilities and liabilities of FoE EWNI and Platform
FoE EWNI and Platform must:
- only act on the written instructions of FoES (unless required by law to act without such instructions);
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- only engage a sub-processor with the prior consent of FoES and a written contract;
- assist FoES in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- assist FoES in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- delete or return all personal data to FoES as requested at the end of the contract; and
- submit to audits and inspections, provide FoES with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell FoES immediately if they are asked to do something infringing the GDPR or other relevant data protection law.
FoE EWNI and Platform should also be aware that:
- they may be subject to investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;
- if they fail to meet their obligations, they may be subject to an administrative fine under Article 83 of the GDPR;
- if they fail to meet their GDPR obligations, they may be subject to a penalty under Article 84 of the GDPR;
- if they fail to meet their GDPR obligations, they may have to pay compensation under Article 82 of the GDPR; and
- nothing within this contract relieves FoE EWNI or Platform of their own direct responsibilities and liabilities under the GDPR.
7. Data safeguards
To ensure safety and anonymity, and to protect or reduce risks of potentially negative impacts of processing this data, FoES, FoE EWNI and Platform will take the following steps to safeguard these various categories of personal data:
- always obtain explicit consent and provide information regarding the purpose of the processing, the lawful basis for the processing and any recipients of the personal data at the point of data collection;
- include clearly on all email communications a data subject’s right to unsubscribe or remove their details from the list;
- only provide access to the personal data of both mailing list subscribers and local campaigners to the above-named individuals (one per organisation);
- ensure the personal data of mailing list subscribers is stored only on MailChimp and, where data is collected indirectly and then manually uploaded (e.g. through online/offline event sign-up forms, online petitions/actions), data will be permanently deleted from personal devices as soon as data is successfully uploaded. Neither the data controller nor the data processors are permitted to store copies of this personal data outside of MailChimp;
- only email mailing list subscribers through MailChimp, to ensure an accessible paper-trail of all communications with this list;
- prevent function creep by setting out a clear understanding among all three organisations of what is and isn’t appropriate to communicate with this list;
- reduce the risk of misuse and loss of data by regularly changing passwords, including promptly changing passwords and access/permissions to shared folders in the event of any of the above-named individuals leaving their respective organisations/roles;
- (both the data controller and the data processors) take all necessary measures to keep data safe insofar as this is possible (e.g. keeping passwords secure, not leaving laptops or other devices unattended, not using USBs to store data, not transferring data via email without a secure password on files);
- never request more data than is strictly necessary for its purpose;