What is this Privacy Statement?
This Privacy Statement sets out the Voluntary Principles on Security and Human Rights’ (“VPI”) information processing practices in relation to you and your personal data and applies when we collect and process personal data from you through our website. It explains VPI’s information processing practices and describes your rights regarding your personal data.
Who is responsible for your information?
“The Voluntary Principles on Security and Human Rights”, the “Voluntary Principle Initiative” or “VPI” (also referred to as “we”, “us”, or “our”) collects your information as set out below.
When and how do we collect your information?
VPI collects personal data about you when you:
- Visit our website;
- Register for a VPI event;
- Make an inquiry;
- Subscribe to an online publication; or
- Apply for employment.
What personal data do we collect?
We may collect some or all of the following types of information including:
- Personal data. Our website may collect personal data, information that either directly identifies you or could reasonably be used to identify you. Examples of personal data include your name, contact information, email address, and other information in combination with such identifiers.
- Mobile devices information. If you access our websites on your mobile telephone or mobile device, we may also collect your unique device identifier and mobile device IP address, as well as information about your device’s operating system, mobile carrier and your location information.
- Other information. In some instances, we automatically collect other basic information about you which does not directly identify you, but which may correspond with you or a particular device. We use this information to learn more about how our website is used and to otherwise improve and administer the site. Automated technologies may include the use of web server logs to collect IP addresses, “cookies” and web beacons.
You can engage with us through social media websites. When you engage with us on or through third-party social media sites or applications, you may allow us to have ongoing access to certain information from your social media account (e.g., name, e-mail address, photo, gender, birthday, the posts or the ‘likes’ you make).
How do we use your personal data?
We use the personal data you provide to us to:
- Operate our website and understand its use, for statistical purposes (number of site visits, average time visitors spend at the site, etc.) and security purposes;
- Manage and process inquiries, registrations, and other interactions with you;
- Send you information you have requested or consented to receiving such as newsletters, breaking news, and other information regarding relevant VPI activities.
With whom do we share your personal data?
We do not sell, share, or otherwise disclose the information we collect through our website, except as provided in this Privacy Statement.
We may disclose information to third parties who provide us with various business services, including monitoring and maintaining the websites and with whom we are working to provide you with services or information. We may also disclose information we collect in special cases, including when we have a reason to believe that such disclosure is necessary to identify, contact, or bring a legal action against someone who may be causing injury to or interference with our rights and property or those of any other person. We may also disclose information when we believe the law requires it and in any situation that involves threats to any person’s physical safety. When required by law, such sharing of information will be subject to an agreement with each such service provider, requiring such service provider to comply with data protection requirements.
We may disclose personal data (i) if we are required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request; (ii) in response to law enforcement authority or other government official requests; (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss; (iv) in connection with an investigation of suspected or actual illegal activity; or (v) in the event that the VPI is dissolved or otherwise reorganized. Disclosure may also be required for audits or to investigate a complaint or security threat.
Do we transfer your personal data across national borders?
We are a global organization and may transfer certain personal data across geographical borders to authorized service providers or business partners in other countries working on our behalf in accordance with applicable law. Our affiliates and third parties may be based locally, or they may be in other countries, some of which have not been determined by the European Commission to have an adequate level of data protection.
When we do, we use a variety of legal mechanisms to help ensure your rights and protections travel with your data:
- we ensure transfers within VPI are covered by agreements based on the EU Commission’s standard contractual clauses, which contractually oblige each member to ensure that personal data receives an adequate and consistent level of protection wherever it resides within the VPI;
- where we transfer your personal data outside VPI or to third parties who help provide our services, we obtain contractual commitments from them to protect your personal data. Some of these assurances are well recognized certification schemes like the EU – US Privacy Shield for the protection of personal data transferred from within the EU to the United States, or the standard contractual clauses; or
- where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal data is disclosed.
If you would like further information about whether your information will be disclosed to overseas recipients, please contact us as noted below. You also have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments, which may be redacted for reasons of commercial confidentiality) to ensure the adequate protection of your personal data when this is transferred as mentioned above.
Do we collect information from children?
Our website is not intended for children under 16 years of age. We do not knowingly collect personal data from an individual under age 16. If you are under the age of 16, please do not submit any personal data through the website.
Your choices regarding your information
You may update, correct, or change your information by contacting us at firstname.lastname@example.org or by following the instructions below in this Privacy Statement.
How can you update your communication preferences?
We take reasonable steps to provide you with communication about your information. You can update your communication preferences by contacting us by e-mail at email@example.com. Please include your current contact information, the information you are interested in accessing and your requested changes.
How long do we retain your personal data?
How long we retain your personal data depends on the purpose for which it was obtained and its nature. We will keep your personal data for the period necessary to fulfill the purposes described in this Statement unless a longer retention period is permitted or required by law. In specific circumstances we may store your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
Do we have security measures in place to protect your information?
The VPI takes steps to protect your information from unauthorized access. While we take reasonable measures to protect the information you submit via the website against loss, theft, and unauthorized use, disclosure, or modification, we cannot guarantee its absolute security. No internet, email, or mobile application transmission is ever fully secure or error free. Email or other messages sent through the website may not be secure. You should use caution whenever submitting information through email or the website and take special care in deciding which information you provide us.
Are we responsible for the websites to which we link?
We are not. The VPI does not endorse and is not responsible for the content of third-party websites or resources, and our privacy statement does not apply to any sites that are not affiliated with VPI, even if you access them via a link on our site. You should review the privacy policies of any third-party site before providing any information.
General Data Protection Regulation
We only collect and process your personal data if we have a legal basis which include:
- Legitimate interest. We process your personal data based on our legitimate interests in communicating with you and managing your interactions with you.
- Compliance with applicable laws or performance of a contract. We process your personal data as necessary for the performance of a contract or as necessary for us to comply with a relevant legal obligation (e.g. where we are required to make disclosures to courts or regulators.)
- Public interest. We process your personal data for the performance of a task carried out in the public interest (e.g., the tracking of human rights violations.)
- Consent. In limited circumstance we will use your consent as the basis for processing special categories of information or prior to sending you electronic communications.
EU Data Subject Rights
If you are an EU Data Subject, you have the following rights of this EU Data Subject Rights section. To exercise these rights, please email us at firstname.lastname@example.org with a description of your request.
- Right to Access. You have right to access personal data that VPI holds about you.
- Right to Rectification. You have a right to request us to correct your personal data where it is inaccurate or out of date.
- Right to be Forgotten (Right to Erasure). You have the right, under certain circumstances, to have your personal data erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data
- Right to Object to Processing. You have the right to object to the processing of your personal data at any time, on legitimate grounds, except if otherwise permitted by applicable law, or to lodge a complaint with a supervisory authority. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
- Right to Restrict Processing. You have the right to restrict the processing of your personal data, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have objected to processing of your data, and verification of overriding grounds is pending.
- Right to Data Portability. You have the right to data portability, which requires us to provide personal data to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) your consent; or (ii) the performance of a contract to which you are a party.
- Right to Decline Automated Decision Making. You have the right to not be subject to decisions based solely on automated decision making, which produce legal or significant effects for you, except where these are (i) necessary for a contract to which you are a party; (ii) authorized by law; (iii) based on your explicit consent.
Even where such decisions are permitted, you can contest the decision and require the VPI to exercise human intervention.
We currently do not use automated decision making (including automated decision making using profiling) when processing your personal data. If we ever use an automated decision-making solution, you have a right to request that a decision based off your personal data cannot be solely decided via an automated process.
Your California Privacy Rights
Section 1798.83 of the California Civil Code permits California residents to request from a business, with whom the California resident has an established business relationship, certain information about the types of personal data the business has shared with third parties for those third parties’ direct marketing purposes and the names and addresses of the third parties with whom the business has shared such information during the immediately preceding calendar year. You may make one request each year by emailing us at email@example.com.
If you have any questions, would like further information about our privacy and information handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about a breach of the Act or this Statement, please contact us at this address: firstname.lastname@example.org
Changes to this Statement
We may update this Statement from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page.