Personal data processing
Hey there, fellow DPO/privacy & data protection enthusiast!
Since you're GDPR savvy and already overwhelmed with limited time, I'll simply state that you're entitled to all GDPR rights, including access. Just reach out if you have any questions: your controller here is me, Rie Aleksandra Walle at dpohub@noties.consulting.
When you sign up for the DPO Hub you must share your email address, payment details, name, billing address and, if you're purchasing as a business, Tax ID number (for VAT purposes). The purpose is to give you access to the DPO Hub and the data is required if you want to subscribe. The legal basis is contract. This data is kept for as long as you subscribe, and then for 3,5 years for accounting obligations. I use Stripe to process your payment securely and they retain certain personal data to comply with legal obligations, such as anti-terrorism and anti-money laundering laws.
If you're a Founding Member and would like to receive the carefully put together welcome gift, you must also share your address. I'll then keep this for as long as I might send you something-something in snail mail. This is based on your consent and you can withdraw this at any time, after which I'll delete the data promptly, at the latest within a month.
Your email address is required to log in to the DPO Hub. You can also add your name. Once logged in, you can change these details yourself. Your email address is also used to send you news alerts but you can unsubscribe from these at any time.
The platform I've built the DPO Hub on allows for the following analytics: Newsletter opens and clicks, Member sources and Outbound link tagging. These are permanently disabled. Statistics showing when a member signed up, logged in and emails received cannot be disabled, however, and are as such considered part of the contract (where the purpose is to fulfill the contract). If you cancel your subscription, your profile, and all related data, will be deleted within two months.
Finally, I use Fathom Analytics for website analytics, software that was built with privacy at the very core. Your IP address and User Agent are only processed in pseudonymised form for 24-48 hours (read more here). The purpose is to assess the use of the DPO Hub in the most privacy-friendly way possible, for example which pages are the most visited. The legal basis is f), where my legitimate interest is to continually improve the DPO Hub.
Processors/recipients (including in a third country):
- Stripe is based in the US and is certified under the EU-US Data Privacy Framework.
- I briefly use Zapier Inc., also DPF certified, to automatically create your membership after payment.
- DPO Hub is built on a platform by Ghost Foundation Ltd, a "proud non-profit organisation building open source technology for journalism". Ghost confirms they store "all data in the EU."
- If you reply to news alerts, it goes to my Proton Mail inbox.
Again, if you have any questions or concerns, just email me!