Privacy Policy

 

Member Data Privacy: Rights and Obligations

Current Personal Data and Privacy Practices – Effective May 24, 2018

ESRAG respects and secures the privacy and security of individuals’ personal data. ESRAG uses Members personal data for internal administrative purposes only. ESRAG does not share individuals’ information without an individual’s explicit permission.

ESRAG collects personal information including name, email address, Rotary affilitations, location and interests to support its mission.

ESRAG posts the names, clubs and districts of individuals who submit project data with the intention of having that information shared.

ESRAG does not collect information related to birth dates.

All financial credentials are encrypted and submitted directly through ESRAG’s Merchant Service Agreement to Stripe. No financial credentials are ever received by ESRAG systems.

The full text of ESRAG’s Privacy Policy can be found below.

Terms of Service: Responsibilities of Members

By using ESRAG’s online resources, ESRAG members agree to maintain safe computing practices, including password security practices. ESRAG members with access to Corporate data agree to follow safe computing practices and non-sharing of membership personal data without the explicit consent of the individual involved.

Data Rights of Individuals

The European Union’s General Data Protection Regulation (GDPR) legislates additional data rights for individuals:

  • Right to be informed – You must be clearly informed when your data is collected and the purpose for which it is intended.
  • Right of access – You must be allowed to view the data companies have gathered on you.
  • Right to rectification – You have the right to correct erroneous information about yourself in a company’s data records.
  • Right of erasure – Also known as the “right to be forgotten”. You have the right to request the deletion of personal data held on you, although this right is not absolute.
  • Right to restrict processing – You can request the suppression of your personal data file, or restrict its processing.
  • Right to data portability – You have the right to take the data a company has collected on you and share it elsewhere, eg. to get a better customer deal.
  • Right to object – You have the right to object and prevent your data being used for particular purposes, eg. for direct marketing. This right is superseded by legal claims.
  • Rights related to automatic decision-making – You may only be profiled with your explicit consent, where this is necessary to enter into a contract or where such processing is authorised by the state.

ESRAG’s Privacy Policy provides detailed presentation of the above summary. If you have questions or a request, please write to privacy@esrag.org.

ESRAG’S PRIVACY POLICY

Version 1.0 (May 29, 2018)

Introduction

The Environmental Sustainability Rotarian Action Group (ESRAG) respects your privacy and is committed to protecting it through our compliance with this website privacy policy (“Policy”).

Maintaining protection of the information entrusted to our care by our constituents is of the utmost importance to ESRAG.

This Policy describes the types of information we may collect from you or that you may provide when you visit our website www.esrag.org (our “Website”) and our practices for collecting, using, protecting and disclosing that information.

Please note that supplementary rules apply in relation to individuals whose data we collect if they are located in the European Union or European Economic Area (in which case, please see the EU Privacy Notice below).

This Policy applies to information we collect:

  • On our Website.
  • In e-mail, text and other electronic messages between you and our Website.
  • When you interact with applications on third-party websites and services, if those applications or advertising include links to this Policy.
  • Through Rotary clubs, districts and partner organizations with whom we engage, when you become a member of ESRAG.
  • When you sign up for any events that we host.
  • When you interact with us in another way – for example, contacting us with an inquiry.

This Policy outlines our policies and practices regarding your personal information (information relating to you from which you can be identified) and how we will treat it. This Policy may change from time to time (see Changes to our Privacy Policy section below), so please check the Policy periodically for updates. If any questions arise about the meaning or interpretation of this Policy, the English-language version of this Policy is the official text.

Information We Collect About You and How We Collect It

We collect several types of information from and about users of our Website and others, including information:

  • by which you may be personally identified, including your name, e-mail address or telephone number (“personal information”);
  • that is about you individually but is not held in a form to identify you, such as age, gender, language preferences, expertise
  • about your internet connection, the equipment you use to access our Website and usage details.

We collect this information:

  • Directly from you when you provide it to us.
  • Automatically as you navigate through the Website. Information collected automatically may include usage details, IP addresses and information collected through cookies, and other tracking technologies.
  • From third parties we contract with to provide services on our behalf (such as event organizers).
  • From Rotary International, districts, clubs and partners in our global network.
Information You Provide to Us

We collect information you provide when you interact with our Website or when dealing with Rotary or our network offline including:

  • Information that you provide by making an inquiry or joining as a member. This includes information provided at the time of registering to be a member or join a mailing list through esrag.org, subscribing to services available on our Website, posting material or requesting further services via a form on our Website. We may also ask you for information when you enter a contest or promotion sponsored by us, and when you report a problem with our Website.
  • Records and copies of your correspondence (including e-mail and other electronic messages, including social media posts), if you contact us.
  • Your responses to surveys that we might ask you to complete for research purposes.
  • Details of transactions you carry out through our Website. You may be required to provide financial information before enrolling for membership or making a donation through our Website.
  • There may be features that are developed in the future, such as search queries, that may result in the collection of additional new information

You also may provide information to be published or displayed (hereinafter, “posted”) on public areas of the Website, or transmitted to other users of the Website or third parties (collectively, “User Content”). Your User Content is posted on and transmitted to others at your own risk. Although we limit access to certain pages, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Content.

Usage Details, IP Addresses, Cookies and Other Technologies

As you navigate through and interact with our Website, we may automatically collect certain information about your equipment, browsing actions and patterns, including:

  • Details of your visits to our Website, including traffic data, location data, logs and other communication data and the resources that you access and use on our Website.
  • Information about your computer and internet connection, including your IP address, operating system and browser type.

The information we collect in this way is anonymous. It is aggregated into statistical data to help us improve our Website and to deliver a better and more personalized service by enabling us to:

  • Estimate our audience size, browser statistics, popularity of content and usage patterns.
  • Speed up your searches.
  • Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:

  • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.

We do not collect personal information automatically.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information

  • To present our Website and its contents to you.
  • To provide you with information, resources or services that you request from us.
  • To offer and fulfill our core business purposes which include:
    • Fulfilling ESRAG’s obligation to members of the Rotary Family
    • Financial processing
    • Facilitating event planning
    • Communicating key organizational messages
    • Supporting the programs and membership of ESRAG, Rotary, and other Rotary affiliates
    • Complying with any legal obligations
  • To fulfill any other purpose for which you provide it.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
  • To notify you about changes to our Website or any products or services we offer or provide though it.
  • To allow you to participate in interactive features on our Website.
  • Store information about your preferences, allowing us to customize our Website according to your individual interests.
  • In any other way we may describe when you provide the information.
  • For any other purpose where we have your consent.

We may also use your information to contact you about our own and third-parties’ goods and services that may be of interest to you. ESRAG confirms that it will not sell or trade its membership data.

Disclosure of Your Information

We may disclose aggregated information about our users, and information that cannot be used to identify any individual, without restriction.

We may disclose personal information that we collect or you provide as described in this Policy:

  • To contractors, service providers and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • To fulfill the purpose for which you provide it.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.
  • We may also disclose your personal information:
  • To comply with any court order, law or legal process, including to respond to any government or regulatory request.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of ESRAG, Rotary, Rotarians, Rotary clubs, Rotary districts or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
Donor Privacy Information

ESRAG will not sell, trade or share a donor’s personal information, including their name, phone number, email, or physical address with non-ESRAG third parties nor will it send donors mailings on behalf of other unrelated organizations. This policy applies to all information received by ESRAG, both online and offline, as well as any electronic, written or oral communication.

Accessing and Correcting Your Information

To access or correct your personal information, you may send us an e-mail at privacy@esrag.org to request access to, correct or delete any personal information that you have provided to us. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

Children Under the Age of 16

Our Website is not intended for children under 16 years of age, without the explicit permission of their Guardian. No one under age 16 may provide any personal information to or on our Website, without the explicit permission of their Guardian. We do not knowingly collect personal information from children under 16, unless their Guardian has authorized it. If you are under 16, do not use or provide any information on our Website or on or through any of its features/register on our Website, use any of the interactive or public comment features of our Website or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use, without the explicit permission of your Guardian. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, which was not authorized by their guardian, please contact us at privacy@esrag.org.

California Privacy Rights

California state law permits users of our Website that are California residents to request certain information regarding our disclosure of personal information (if any) to third parties for their direct marketing purposes. ESRAG does not disclose personal information to third parties for their direct marketing purposes. If you suspect such a disclosure has been made, please send an email to privacy@esrag.org.

Data Security

We have implemented technical and operational measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration and disclosure. All personal information you provide to us is stored on password-protected databases and we use Secure Sockets Layer (SSL) to ensure that the transmission of sensitive data for payments and contributions is encrypted and appropriately safeguarded. We train our employees on the importance of information security and focus specifically on practices for protecting against unauthorized disclosure of personal data. ESRAG’s Operating Manual will soon include an Information Technology Guidelines, Policies, and Standards section in which responsibilities, practices, training protocols, and repositories logging events are maintained.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. Passwords registered with our Website are encrypted to ensure protection against unauthorized access to your personal information. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of our Website. The information you share in public areas may be viewed by any user of our Website.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website or over any public network. Any transmission of personal information is at your own risk. Without prejudice to any mandatory legal obligations to which we may be subject, we are not responsible for circumvention of any privacy settings or security measures contained on our Website.

Changes to Our Privacy Policy

ESRAG may change, add, modify or remove portions of this Policy at any time, which shall become effective immediately upon posting on this page. The date the Policy was last revised is identified at the bottom of the page. It is your responsibility to review this Policy for any changes. By continuing to use our Website, you agree to any changes in the Policy.

EU Privacy Notice

If you are a resident of the European Union (EU) or European Economic Area (EEA) whose personal information we collect, the following additional information applies to you.

1 Introduction

1.1 – Where you are an EU or EEA resident and ESRAG knowingly collects your personal information (also called ‘personal data’), we will do so in accordance with applicable laws that regulate data protection and privacy. This includes, without limitation, the EU General Data Protection Regulation (2016/679) (‘GDPR’) and EU member state national laws that implement or regulate the collection, processing and privacy of your personal data (together, ‘EU Data Protection Law’).

1.2 – This EU privacy notice (‘EU Privacy Notice’) which should be read in conjunction with ESRAG’s Privacy Policy provides further information as required under EU Data Protection Law on how we handle or process the personal data we collect and who we may share it with.

1.3 – This Privacy Notice also provides information on your legal rights under EU Data Protection Law and how you can exercise them.

2 How personal data is collected

2.1 – Because of the global nature of our organization and its club network, ESRAG may hold and process personal data that is collected from clubs, districts and partner organizations around the world, including within the EU/EEA.

2.2 – This also means that if you are a member or individual contact of this network resident in the EU/EEA, your personal data may be transferred to ESRAG from the EU/EEA to ESRAG via Rotary headquarters in the United States.

2.3 – US data privacy laws are currently not considered to meet the same legal standards of protection for personal data as set out under EU Data Protection Law. However, in order to safeguard personal data received from the EU/EEA, Rotary only allows such a transfer of personal data to the US or other third countries under an approved contract or another appropriate mechanism which is legally authorized under EU Data Protection Law.

2.4 – This is to make sure that the personal data that ESRAG receives receives and processes (so far as it relates to residents of the EU/EEA) is properly safeguarded in accordance with similar legal standards of privacy you would enjoy under EU Data Protection Law.

3 The lawful grounds on which we collect and process personal data

3.1 – We process your personal data for the above purposes, relying on one or more of the following lawful grounds under EU Data Protection Law:

(a) where you have freely provided your specific, informed and unambiguous consent for ESRAG to process your personal data for particular purposes:

(b) where we agree to provide services to you, in order to set up and perform our contractual obligations to you and/or enforce our rights:

(c) where we need to process and use your personal data in connection with our legitimate interests as a global network and being able to effectively manage and operate our organization in a consistent manner across all territories. We will always seek to pursue these legitimate interests in a way that does not unduly infringe on your legal rights and freedoms and, in particular, your right to privacy: and/or

(d) where we need to comply with a legal obligation or for the purpose of us being able to establish, exercise or defend legal claims.

4 Disclosing your personal data to third parties

4.1 – We may disclose your personal data to certain third party organizations who are processing data solely in accordance with our instructions (called ‘data processors’) such as companies and/or organizations that support our business and operations (for example providers of web or database hosting, IT support, payment providers, event organizers, agencies we use to conduct fraud checks or mail management service providers) as well as professionals we use such as lawyers, insurers, auditors or accountants. We only use those data processors who can guarantee to us that adequate safeguards are put in place by them to protect the personal data they process on our behalf.

4.2 – We may also disclose your personal data to third parties who make their own determination as to how they process your personal data and for what purpose(s) (called “data controllers”). The external third party data controllers identified above may handle your personal data in accordance with their own chosen procedures and you should check the relevant privacy policies of these companies or organizations to understand how they may use your personal data.

4.3 – Other than as described above, we will treat your personal data as private and will not routinely disclose it to third parties without you knowing about it. The exceptions are in relation to legal proceedings or where we are legally required to do so and cannot tell you (such as a criminal investigation). We always aim to ensure that your personal data is only used by third parties we deal with for lawful purposes and who observe the principles of EU Data Protection Law.
5 How long we retain your personal data for

5.1 – ESRAG retains personal data identifying you for as long as necessary in the circumstances – for instance, as long you are a member of a club or have a relationship with our network: for a reasonable period to send you marketing where we have regular contact with you, or as may be needed to enforce or defend contract claims or as is required by applicable law.

5.2 – ESRAG is following Rotary’s data retention policy for EU residents (which may be made available on request) that sets out the different periods we may retain personal data with respect to relevant purposes in accordance with our duties under EU Data Protection Law. The criteria we use for determining the relevant retention and disposal periods we adopt are based on the purpose for which we hold data and the reasonable expectations of those whose personal data we collect in these circumstances, taking into account various legislative requirements and guidance issued by relevant EU regulatory authorities.

5.3 – In accordance with the above retention policy, the personal data that we no longer need will be disposed of and/or anonymized so you can no longer be identified from it.

6 Your personal data rights

6.1 – In accordance with your legal rights under EU Data Protection Law, you have a ‘subject access request’ right under which can request information about the personal data that we hold about you, what we use that personal data for and who it may be disclosed to as well as certain other information.

6.2 – Usually we will have one month to respond to a subject access request. However, we reserve the right to verify your identity and we may, in case of complex requests, require a further two months to respond. We may also charge for administrative time in dealing with any manifestly unreasonable or excessive requests. We may also require further information to locate the specific information you seek and certain legal exemptions under EU Data Protection Law may apply when responding to your subject access request.

6.3 – Under EU Data Protection Law. EU/EEA residents also have the following rights which are exercisable by making a request to us in writing:

(a) that we correct personal data that we hold about you which is inaccurate or incomplete;

(b) that we erase your personal data without undue delay if we no longer need to hold or process it;

(c) to object to any automated processing (if applicable) that we carry out in relation to your personal data, for example if we conduct any automated credit scoring;

(d) to object and/or to restrict the use of your personal data for purpose other than those set out above unless we have a compelling legitimate reason; or

(e) that we transfer personal data to another party where the personal data has been collected with your consent or is being used to perform contract with you and is being processed by automated means.

6.4 – So we can fully comply, please note that these requests may also be forwarded on to third party data processors who are involved in the processing of your personal data on our behalf.

6.5 – If you would like to exercise any of the rights set out above, please contact us at the address below.

6.6 – If you make a request and are not satisfied with our response, or believe that we are illegally processing your personal data, you have the right to complain to the Office of the Information Commissioner in the United Kingdom.

Intellectual Property FAQ

We are obligated to preserve the intellectual property rights of the photographer, and the privacy rights of the people whose images are in the photographs. It is consistent with our Four Way Test to honor both bundles of rights 

Q1) If a photo has previously been published in the media, i.e. a newspaper article, does it require the individual’s approval?

You cannot reuse the photograph image, infographic, or recording done by someone else without their permission in writing, even if it has been published elsewhere. You can not copy and paste an image you have seen on the web, even if you credit the photographer for the source. Why? Clubs have had to pay $500 to an entity that polices the rights of certain media services. The notion of “fair use“ which allows a student to copy a page for a project does not apply to an organization like Rotary or ESRAG re-publishing an image on their website or in a brochure. The correct procedure is to get written permission from the photographer to reuse their image; you can offer to credit the photographer for their creative work. They may ask you to pay them for the right to reuse it. ESRAG is in the process of developing an intellectual property policy but doesn’t at this moment have a ‘photographer’s consent to reuse’ .

You may rely on the photographer’s having secured the consent to use the image of everyone in his or her work that can be identified, if you are paying for use. However, it’s good to ask the photographer whether he/she has releases from all of the people whose faces are identifiable in the photograph. 

If you cannot get the permission of the photographer to reuse their creative work, the best strategy might be to recreate the image with willing models who have signed releases and a volunteer photographer will allow ESRAG  to reuse their creative work. 

Q2) Do we need permission for group photos? i.e. a picture of multiple shoppers at a farmers market

In any photograph or video, people whose faces are recognizable cannot have their image reused unless they have signed a model’s release. This is to protect those individuals’ right to privacy. 

ESRAG has a one page image release form

The next step for ESRAG is to receive a copy of each release that our CME team can file with the photo. This is how Rotary International handles each model’s right to privacy as required by the GDPR.  Furthermore, it helps ESRAG build a proper library of images that tell our stories and protect the rights of both photographers and models. 

Contact Information

If you have any questions about ESRAG’s privacy protection practices or believe we have not adhered to this Policy, please contact us at privacy@esrag.org.

Last updated: July 15, 2022