Data Protection Policy

Last updated 13th May 2024



  1. Disinformation Index Ltd, a company limited by guarantee, registered in England & Wales with company number 11297397 and registered as data controller at the Information Commissioner’s Office with registration n. ZA830060; and/or
  2. Disinformation Index, Inc., a nonprofit nonstock corporation with public charity status incorporated in Delaware and operated exclusively for charitable and educational purposes within the meaning of section 501(c)(3) of the Internal Revenue Code of 1986; and/or
  3. GDI Global Disinformation Index gUG, a nonprofit limited liability company (tax number 27/613/05773) with registered office in Berlin, which exclusively and directly pursues charitable purposes within the meaning of the section "tax-privileged purposes" of the German Fiscal Code.

Each of the above is a separate legal entity.


1. Data protection principles

GDI respects your privacy and is committed to processing data in accordance with its responsibilities under legislation in the countries in which it operates, which includes (but is not limited to) the GDPR (General Data Protection Regulation (EU) 2016/679). Here we inform you how we do that.

Article 5 of the GDPR sets out seven key principles which govern how we process personal data. In accordance with these, personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes) (‘purpose limitation’);
  • processed in a way that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’); and 
  • the controller shall be responsible for, and be able to demonstrate compliance with, the above principles (‘accountability’).

2. Scope 

This policy applies to all personal data processed by GDI.

3. Lawful, fair and transparent processing

To ensure its processing of data is lawful, fair and transparent, GDI keeps a record of processing activities, which is regularly reviewed. 

Individuals have rights in relation to the processing of their data, including the right to access, correct, erase, object, restrict, withdraw consent in relation to the processing of their personal data in accordance with legal requirements, and any such requests made to GDI shall be dealt with in a timely manner, and in accordance with the applicable data protection legislation. However, please be aware that not all of these rights are absolute and that there may be situations in which you cannot exercise them or they are not relevant.

If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting any information to us, you confirm that you have the right to authorise us to process it on your behalf in accordance with this privacy policy.

4. Data we collect about you

Sometimes you provide us with data, for example by signing up to a contract or corresponding with us, or sometimes we collect data about you from other sources, like publicly available websites to undertake research in accordance with our objectives, in which case we keep in place appropriate safeguards and security measures to ensure that such information is, where appropriate, encrypted, aggregated, anonymised, pseudonymised or altered to prevent identification of a natural person and discarded when no longer relevant.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  1. Identity Data includes first name, last name, any previous names, username or similar identifier, title.
  2. Contact Data includes billing address, delivery address, email address and telephone numbers.
  3. Financial Data includes bank account and payment card details.
  4. Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
  5. Communications Data includes your communication preferences.

5. Lawful purposes

All data processed by GDI shall fall within one or more of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests, in which case, we make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law) (see ICO guidance for more information). GDI keeps a note of the appropriate lawful basis in the record of activities and - where consent is relied upon as a lawful basis for processing data - evidence of opt-in consent will be kept with the personal data.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and in compliance with the applicable data protection legislation. 

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). 

6. Retention 

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To ensure that personal data is kept for no longer than necessary, GDI has in place a policy for each area in which personal data is processed and reviews this policy, and the underlying processes regularly. The said policy considers what data should/must be retained, for how long, and why.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

7. Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. However, it is important to note that data transmission over the Internet is never 100% secure. You provide personal data at your own risk.

We also limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know, and appropriate security is in place to avoid unauthorised sharing of information. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

When personal data is deleted, the data is rendered irrecoverable.

Appropriate back-up and disaster recovery solutions are in place.

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, GDI shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the applicable regulator.

8. Disclosure of your personal data

We may share your personal data with third parties we have engaged in a project and/or service providers, professional advisors, funders, public entities and between GDI legal entities. 

We do that only when strictly necessary, and/or required and/or permitted by the law and/or where we have stated or informed you otherwise (e.g. in this policy or on our website) and in any event according to the safeguards and good practices detailed in this policy.  

We require all third parties to respect the confidentiality, privacy and security of your personal data, as applicable, and to treat it in accordance with the law. We do not allow our third-party processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

9. International transfers

Whenever we transfer your personal data out of the country in which the relevant GDI legal entity operates, if required, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:

  1. We will only transfer your personal data to countries that have been deemed by the UK and/or EU to provide an adequate level of protection for personal data;
  2. We may use specific standard contractual terms approved for use in the UK and/or EU which give the transferred personal data the same protection as it has in the UK and/or EU, namely the International Data Transfer Agreement, or the International Data Transfer Addendum, and/or the European Commission’s standard contractual clauses for international data transfers.
  3. The transfer otherwise complies with the applicable data protection laws, for example, because you have explicitly consented to the proposed transfer.

10. Complaints

You have the right to make a complaint at any time to a supervisory authority. In the UK the supervisory authority for data protection issues is the Information Commissioner’s Office (ICO). We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.

11. Changes to the privacy policy and your duty to inform us of changes 

We keep our privacy policy under regular review in response to changing legal, regulatory or operational requirements. Historic versions can be requested by contacting us. 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

12. Third-party links 

This website may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Any downloadable documents, files or media made available on this website are provided to you at your own risk. While all precautions have been undertaken to ensure only genuine downloads are available, we advise you to verify their authenticity using third party anti-virus software or similar applications. We accept no responsibility for third party downloads and downloads provided by external third party websites and similarly advise you to verify their authenticity using third party anti-virus software or similar applications.

13. Contacts

If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact us in the following ways:

Email address:

Postal address: 124 City Road, London, England, EC1V 2NX