Purpose and lawful basis for processing

The Information Commissioner’s Office of the United Kingdom currently acts as Secretariat for the Global Privacy Assembly (GPA). We process the personal data of GPA members, members of the Programme Advisory Committee, applicants and current members of the Reference Panel, observers, alumni, volunteers, conference speakers and members of the public who proactively engage with us via our communication channels.

Data is processed by us to further international cooperation amongst data protection and privacy commissioners and fulfil our role as the GPA Secretariat as set out in the Conference Rules and Procedures. This role includes processing to handle member and observer applications, handle matters relating to the establishment of the GPA Reference Panel, develop the GPA census and the SDSC Questionnaire, facilitate GPA events, produce and distribute the GPA newsletter and communicate conference news and press releases to interested parties.

The lawful basis that we rely on to process this personal data is Article 6(1)(e) of the GDPR 2016, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

Where the information processed is special category data, the lawful basis that we rely on to process this data is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of individuals’ fundamental rights and Schedule 1 part 2(6) of the DPA 2018, which relates to statutory and government purposes.

In the case of the GPA e-newsletter, the lawful basis that the we rely on to process the names and email addresses of recipients is consent under Article 6(1)(a) of the GDPR.

What we need

We process names and contact details to communicate with relevant individuals about the work of the GPA and its events. We may also process photographs and biography information, or survey information received from members or individuals involved in our activities or attending our events, as well as health data relating to any dietary requirements or access needs.

What we do with it

We will use your name and contact details to correspond with you about the GPA. This will include communicating with you about events, to distribute key messages from the GPA’s Executive Committee and to provide you with the GPA newsletter where we have your consent to do so.

Where we hold contact information for representatives of the media, we will use this to send you any press releases concerning the work of the GPA.

Any contact information we hold for individuals applying for the GPA Reference Panel, will only be used in relation to the activities of this Panel, unless you have indicated that you wish to receive further information from us about other GPA activities.

Data will be shared with our data processors (see section on data processors below) when required to fulfil our role as GPA Secretariat.

How long we keep it

We will retain this data for the duration of our tenure as Secretariat of the GPA. This is currently scheduled to end October 2021 (renewed in October 2019). In 2021, the next elected Secretariat will become the controller for this data.

What are your rights?

We process your personal data for our regulatory purposes, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which will depend on why we are processing it.

We rely on your consent to process your contact details for the purpose of distributing the GPA e-newsletter. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If at any point you want to withdraw your consent for the newsletter or to our processing of your data more generally please email secretariat@globalprivacyassembly.org or call us on (International dial code (+44) 0303 123 1113 with your request. If you do that, we will update our records to reflect your wishes.

For more information on your rights, please see ‘Your data protection rights‘.

Do we use any data processors?

Yes – we use the following data processors:

  • Youtube (social media)
  • SnapSurvey
  • Microsoft (email and virtual meeting platform)
  • Revealing Reality

Do we transfer data overseas?

Yes – we transfer data overseas from the United Kingdom, primarily to the members of the GPA Executive Committee from Burkina Faso, Philippines, Australia, Argentina, Mexico, New Zealand and Albania.

Controller’s contact details

The Information Commissioner’s Office (ICO) of the United Kingdom currently acts as the Secretariat and controller for the GPA.

Our Data Protection Officer is Louise Byers. You can contact her at dpo@ico.org.uk or via the details given below.

There are many ways you can contact us, including by phone, email, live chat and post. More details can be seen here.

Further redress

If you remain dissatisfied after having contacted our DPO, you can make a complaint about the way we process your personal information to the ICO as the UK supervisory authority. Complaints about us are handled in the same way as a complaint about any another organisation.