Privacy Notice for ARCTIC Websites

The ARCTIC multi-stakeholder initiative (“ARCTIC”, “we”, “us”, “our”), is committed to protecting your privacy. At all times we aim to respect any personal information you share with us, or that we receive from other organizations, and keep it safe. This Privacy Notice (“Notice”) provides information about the different types of personal information that we collect and the ways in which we use it. This Notice applies to all those who interact with us online through the website:

  • All other authorized tools
  • Or whose personal information we otherwise collect

Although please note that if you are an employee or worker at the ARCTIC, there is a separate privacy notice).

This Notice contains important information about your personal rights to privacy. Please read it carefully to understand how we use your personal information.

The provision of your personal information to us is voluntary. However, without providing us with your personal information, your use of our services or your interaction with us may be impaired.

If you have any questions, please contact us using the contact details included at section 16.

  1. Who we are?
  2. When do we collect personal information about you?
  3. What personal information do we use?
  4. What about personal information that is considered more sensitive?
  5. How we use your personal information
  6. Lawful basis
  7. Do we share your personal information?
  8. International Data Transfers
  9. Securing your personal information
  10. Children’s personal information
  11. How long do we keep your personal information?
  12. Your rights and preferences
  13. Data Protection Officer
  14. Other websites
  15. Changes to this Notice
  16. How to contact us

1. Who we are?

ARCTIC is a non-profit multi-stakeholder member organisation established and headquartered in CITY, The Netherlands and our website is operated by ARCTIC in the Netherlands. We have members based in all parts of the world representing various types of organizations so that we provide our support and services globally. Consequently, we collect and use personal information of individuals in various other jurisdictions, such as Member States of the EU. Please note that there are certain aspects of this Notice that only apply when we are required to comply with some jurisdiction-specific laws, for example the EU General Data Protection Regulation (“GDPR”). In general, if you are interacting with us from outside the EU, the GDPR is likely to apply.

Please see section 8 for information about the transfer of your personal information.

2. When do we collect personal information about you?

We may obtain your personal information from a variety or number of sources and we will collect personal information about you:

  1. When you give it to us directly

For example, if you provide us with your email address to sign up to receive our news updates. Or where you provide your personal information in the course of an e-survey.

  • When we obtain it indirectly

Your personal information may be shared with us by third parties – for instance we may be provided with your personal information by service providers, other initiatives. To the extent that we have not done so already, we will notify you when we receive personal information about you from them and tell you how and why we intend to use that personal information.

  • When it is publicly available

Your personal information is available on open platforms – for instance you personal information is listed on documentation or publications including a statement that you might be contacted in relationship to the documentation or publication, we will notify you when we make use of personal information obtained from public space and tell you how and why we intend to use that personal information.

  • When you visit our website

We also collect certain types of information about you automatically every time you interact with us online. While the information obtained may not be personal information under the laws of the country you are based in, we recognize that there are certain laws (for example the GDPR) which consider these types of information to be personal information.

Those types of information include:

  • technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms; and
  • information about your visit to our website, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.

Please refer to our Cookie Notice for details of the way the use of cookies may affect your personal information.

In general, we may combine your personal information from these different sources for the purposes set out in this Notice.

3. What personal information do we use?

We may collect, store and otherwise process the following kinds of personal information (which may be considered personal information according to the laws of the country where you are located when you interact with us):

  1. Your full name and professional contact details, including email address, postal address, telephone number;
  2. Profile information and username if you register on our website;
  3. Information you provide in connection with your registration in our member-area e.g. email address, company name
  4. Information about the use of our information and communications systems;
  5. Financial information including bank details (no personal bank details);
  6. Your communication preferences;
  7. Information about your professional status and role; and
  8. Information you upload to ARCTIC webportal

4. What about personal information that is considered more sensitive?

Certain countries have laws (for example, the GDPR in the EU) that recognise particular types of personal information as more sensitive and therefore requiring greater protection, for example information about your health, ethnicity, political opinions or religious beliefs. This is known as special category data under the GDPR.

We don’t intend to collect these types of personal information. We will only collect and use this sensitive information if there is a valid reason for doing so and where the law allows us to. For instance, there are stricter rules about the collection and use of sensitive information where EU law applies. When we collect sensitive information or criminal conviction data about you and we are required to tell you what our lawful basis is for doing so, we will set this out.

5. How we use your personal information

ARCTIC will use your personal information:

  1. To fulfil your requests to submit a member application or register on the website or portal;
  2. To allow us to review, evaluate and administer membership generally, including both validations and recognitions;
  3. To enable us to monitor progress of and completion of any work stream programs;
  4. To contact you if you are involved in a program we are administering;
  5. To contact you to make recommendations, proposals or notices to you about opportunities you may potentially be interested in;
  6. To make administrative and marketing communications;
  7. To enable you to use our online services e.g. RBA Online, RRA Platform;
  8. To administer any financial transaction between us;
  9. To register you for an event and any administration associated with the event;
  10. To contact you for our advocacy purposes in respect of sector accountability;
  11. For research purposes so that we can identify key trends or findings in connection with our programs and projects;
  12. To satisfy legal obligations which are binding on us;
  13. For the prevention of fraud or misuse of service; and
  14. For the establishment, defence of enforcement of legal claims.

6. Lawful basis

Under certain laws, we are required to rely on one or more lawful grounds to collect and use the personal information that we have outlined above. We consider the grounds listed below to be relevant:

  1. Legal obligation

Where the processing of your personal information is necessary for us to comply with a legal obligation to which we are subject e.g. because we have to provide information to tax authorities.

  • Contractual relationship

Where it is necessary for us to use your personal information in order to perform a contract to which you are a party (or to take steps at your request prior to entering a contract). For example [ Terms of membership].

  • Legitimate interests

We rely on this basis where applicable law allows us to collect and use personal information for our legitimate interests and the use of your personal information is fair, balanced and does not unduly impact your rights.

When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).

  • Consent

We may obtain your consent to use your personal information in certain circumstances e.g. to send you email marketing. We will ensure that when we obtain your consent you are free both to give it and to decline to give it. Additionally, you may always withdraw your consent at any time without any further detriment to you.

7. Do we share your personal information?

Personal information collected by the ARCTIC (through the website or otherwise) may be shared with audit partners and vendors for the purposes set out in section 5 of this privacy notice.

Except where set out in this Notice, the ARCTIC will not sell, rent or lease your personal information to other third parties. However, we may ask third-party processors to assist us or we may disclose your personal information to selected third party processors (such as agents or sub-contractors) for the purposes outlined at section 5. The third-party processor in question will be obligated to use any personal information they receive in accordance with our instructions.

Non-exhaustively, third-parties who we may share personal information with include:

  1. suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as software developers, website hosts or cloud storage providers;
  2. insurers and banks;
  3. third parties who help us organise and administer our events;
  4. financial companies that process payments on our behalf;
  5. professional advisors such as accountants, auditors and lawyers;
  6. parties assisting us with research to monitor the impact/ effectiveness of our work and services; and/ or
  7. regulatory authorities, such as tax authorities.
  8. We reserve the right to disclose your personal information to third parties:
    1. in the event that we buy or sell any business or assets, in which case we will disclose your personal information to the prospective buyer or seller or such business or assets;
    1. if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
    1. to protect any ARCTIC operations including the rights, safety and property of ARCTIC and our staff; and
    1. if we are under any legal or regulatory obligation to do so e.g. to comply with legal process or requests from government authorities.

8. International Data Transfers

Certain countries have rules around the transfer of personal information across borders and require us to ensure that personal information remains protected according to appropriate standards (for example, EU Member States under the GDPR).

Since we are based in the Netherlands, personal information collected in the can be potentially transferred outside the EU to other ARCTIC representative or partner locations.

If you are an individual based in the EU, please note that certain countries outside of the EU have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. In such cases, where your personal information is transferred, stored, and/or otherwise processed outside the EU in a country which does not offer an equivalent standard of protection to the EU, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Notice.

If you have any questions about the transfer of your personal information, please contact us using the details at section 16.

9. Securing your personal information

ARCTIC takes reasonable technical and organizational precautions to prevent the loss, misuse or alteration of your personal information. We restrict access to those who have a need to know and we train staff in handling the information securely. Unfortunately, there is no such thing as 100% security in the online environment. As a result, we cannot and do not guarantee the security of any personal information you transmit to us through or in connection with the website.

If you believe that your interaction with us is no longer secure (e.g. you consider that the security of any account, you might have with us has been compromised) please immediately notify us by contacting us at [].

10. Children’s personal information

In general, we do not process children’s personal information. However, when we do so, where required we will not do so without their consent or, where required, the consent of a parent/ guardian. We will always have in place appropriate safeguards to ensure that children’s personal information is handled with due care.

11. How long do we keep your personal information?

In some jurisdictions, there are limits on how long we may retain your personal information. Where these limits apply, in general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records [10] years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see section 12 below), we will remove it from our records at the relevant time.

[We will otherwise keep your personal information for as long as necessary:

  1. to comply with any statutory or regulatory requirements we are subject to under applicable law;
  2. to fulfil the purposes for which the personal information was collected; or
  3. to defend our or a third party’s legal right.]

If you have any questions about the retention periods for holding your personal information, please contact us using the details at section 16 below.

12. Your rights and preferences

Please note that we will honor your requests to exercise your rights to the extent possible and required under applicable law. Certain of these rights may only be available to you if you are located in the EU when you access our website, or you otherwise engage with us. In any case these are legal rights which apply subject to exemptions.

You have the right to:

  • Ask us for confirmation of what personal information we hold about you, and to request a copy of that personal information. If we are satisfied that you have a legal entitlement to see this personal information, and we are able to confirm your identity, we will provide you with this personal information subject to any exemptions that apply.
  • Withdraw your consent at any time if we have relied on consent as the lawful ground to use your personal information.
  • Request that we delete the personal information we hold about you, as far as we are legally required to do so.
  • Ask that we correct any personal information that we hold about you which you believe to be inaccurate.
  • Object to the processing of your personal information where we: (i) process on the basis of the legitimate interests’ ground; (ii) use the personal information for direct marketing; or (iii) use the personal information for statistical purposes.
  • Ask for the provision (as part of data portability) of your personal information in a machine-readable format to either yourself or a third party, provided that the personal information in question has been provided to us by you, and is being processed by us: (i) on the basis of your consent; or (ii) because it is necessary for the performance of a contract to which you are party; and in either instance, we are processing it using automated means (i.e. no human involvement).
  • Ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate use.
  • We may ask you for additional information to confirm your identity and for security purposes, before disclosing personal information requested to you.
  • Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in section 16 below.
  • Please note that for individuals based in the EU you may also have the right to lodge a complaint with your local data protection authority about how we use your personal information. – A list of the data protection authorities in each Member State, including their contact details, can be found here:

For further information, please contact us using the details below.

13. Data Protection Officer

Our Data Protection Officer (“DPO”) can be contacted directly at . Alternately, please use the details in section 16 below and mark the email/ letter for the attention of the DPO or ask for the DPO.

14. Other websites

We link our website directly to other sites. This Notice does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.

15. Changes to this Notice

We may update this Notice from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an update notice on our website. This Notice was last updated on 15 August 2019.

16. How to contact us

ARCTIC’s [Executive Director] is responsible for monitoring compliance with relevant legislation in relation to personal information. You can also contact the [ARCTIC Executive Director] if you have any questions about this privacy notice or our treatment of your personal information:

Email: []

16-08-2019 Version 0.1 Concept