Uplift Data Protection & Privacy Policy (Updated 22nd September 2020)

This document provides a concise policy regarding the data protection obligations of Uplift and is part of our commitment to data protection by design and default.

Uplift is a data controller with reference to the personal data which it manages, processes and stores.

Uplift commitment to data protection

Transparency and accountability are core principles at Uplift, which is why we respect your rights to privacy and data control. Participants and members can expect full compliance with both the General Data Protection Regulation (GDPR) and Ireland’s own data protection laws.

Purpose of this Policy

As a data controller, Uplift and its staff (hereafter referred-to collectively as Uplift) must comply with the data protection Principles set out in the relevant Irish and EU legislation.

This Policy applies to all personal data collected, processed and stored by Uplift in the course of its activities. This Policy is designed to ensure Uplift’s compliance with the following legislation:

  • The European General Data Protection Regulation (GDPR)
  • The EU Electronic Communications “ePrivacy” Regulations (2011)

The GDPR confers rights on individuals as well as additional responsibilities on those persons and organisations processing personal data and Uplift will ensure that all policies and activities are done in compliance with this legislation.

(1) Why does Uplift collect and process personal data?

Uplift, as a data controller, collects, processes and stores personal data on an ongoing basis – only when a member permits us to do so. Uplift collects data about its staff, volunteers, donors, partners and members who come into contact with the organisation through our work. We process personal data for the following reasons:

  • The collection and management of petition signatures;
  • The collection and management of survey results;
  • The facilitation of communication between Uplift members and individuals (e.g., politicians and CEOs) related to campaigns;
  • The facilitation of community events;
  • The facilitation of sharable community content for social media;
  • The notification of members, regarding relevant activities, via instant messaging services (SMS, WhatsApp or similar) and by phone;
  • Communication between members of the public, staff, and volunteers;
  • The collection and management of donations;
  • The operation, monitoring and evaluation of our work;
  • The recruitment, management and payment of staff;
  • Ensuring the security of staff and premises;
  • Compliance with statutory obligations.

This Policy applies to all data collected, both manually and automated, held by Uplift. This includes electronic and paper records.

(2) What data does Uplift collect and process?

In order to provide you with an optimal web experience, build community power and positive change in Ireland, we need to collect and process your personal data.

The following table gives a summary of the personal data we collect from you, how we process it, and according to personal data protection regulations, what is the legal basis for the processing of your personal data.

Personal data collected Personal data processing Legal basis for processing
Contact data (name, email address, phone number) sending you emails about campaigns and fundraising Consent
Social media data (handle, public comments, private messages to Uplift) Answering campaign related queries, re-broadcasting values aligned content Legitimate Interest to pursue our campaign goals
Survey data Informing campaign strategy, sharing results to influence decision makers Legitimate Interest to pursue our campaign goals
Activity data (petitions signed, politicians contacted etc.) Informing campaign strategy, matching content to the most relevant audience Legitimate Interest to pursue our campaign goals
Publicly available contact data (email, social media handles, phone number) Contacting individuals (politicians, journalists, public figures such as CEOs) with persuasive messages, factual arguments, member stories, press releases and other campaign information Legitimate Interest to pursue our campaign goals
Cookie/pixel tracking We use cookies and tracking pixels to provide you with a better web experience. Please read our Cookies Policy for more information. Legitimate Interest to provide a smooth and easy to use platform
Financial data We use your credit card or bank account details to process donations Consent

Lawful processing

We are required to have one or more lawful grounds to process your personal information. Only 3 of these are relevant to us:

  • Personal information is processed on the basis of a person’s consent
  • Personal information is processed on the basis of a contractual relationship
  • Personal information is processed on the basis of legitimate interests

(2.a) Consent

We will ask for your consent to use your information for the following purposes:
to send you electronic communications such as emails, surveys, newsletters and fundraising emails
to collect and analyse sensitive personal information in the form of survey responses

(2.b) Contractual relationships

Most of our interactions with subscribers and website users are voluntary and not contractual. However, sometimes it will be necessary to process personal information so that we can enter contractual relationships with people. For example, if you apply for a paid position, role or to volunteer with us.

(2.c) Legitimate interests

Applicable law allows personal information to be collected and used if it is reasonably necessary for our legitimate activities (as long as its use is fair, balanced and does not unduly impact individuals’ rights).

We will rely on this ground to process your personal data when it is not practical or appropriate to ask for consent.

Achieving our purposes

These include (but are not limited to) pursuing campaigns in line with our values:

  • Social justice is about the fair distribution of wealth, resources and privileges within society. Uplift members believe in the right of people to realise their full potential. This includes taking a stand on the rights of low paid workers, progressive taxation, challenging exploitation, access to quality accommodation, health care, and public services.
  • Uplift members believe that discrimination and prejudice need to be challenged so that everyone can participate fully and equally. This includes taking a stand against racism, sexism, classism, transphobia, ableism, homophobia and biphobia. It also means taking a stand for the rights of communities experiencing economic, social, and political exclusion.
  • Our planet is in extreme danger and Uplift members stand up for protecting our natural resources, including our woodlands, by fighting policies and practices that cause climate change and environmental destruction.

(3) Who has access to your data?

Uplift staff have access to your data and they process it in line with the purposes and practices outlined in this document.

Petition starters can access a limited subset of data related to their campaign. They can see your full name and county so that they can deliver the list of signatures to the target of the petition. Petition starters are bound by our terms and conditions and required to use your data only for the purpose of petition delivery.

Campaign targets receive a subset of your data, depending on the action:

  • Petitions: petition deliveries include your full name
  • Emails: when Uplift facilitates sending an email to a campaign target with a template, your email address, name, postal address and any other data you include in the email body is shared
  • Phone calls: when Uplift facilitates making a phone call to a campaign target, the target receives your phone number (via caller ID)
  • Surveys: where specified survey answers or summary results are shared to persuade campaign targets or the public. We will always indicate when a survey is intended to be shared

(3.a) The use of third-party data processors

In the course of its role as data controller, Uplift engages third-party service providers, or data processors, to process personal data on its behalf.

In each case, a formal, written contract is in place with the processor, outlining their obligations in relation to the personal data, the security measures that they must have in place to protect the data, the specific purpose or purposes for which they are engaged, and the understanding that they will only process the data

  • as instructed by Uplift, and
  • in compliance with the European General Data Protection Regulation and the EU Electronic Communications Regulations.

The contract will also include reference to the fact that the data controller is entitled, from time to time, to audit or inspect the data management activities of the data processor, and to ensure that they remain compliant with the relevant legislation, and with the terms of the contract.

Regular audit trail monitoring will be carried out to ensure compliance with this Agreement by any third-party entity which processes personal data on behalf of Uplift.

Failure of a data processor to manage Uplift’s data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts if necessary.

(4) How is your data protected?

Uplift will ensure that the personal data it collects will be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. To this end, Uplift will employ high standards of security in order to protect the personal data under its care. Uplift’s Password Policy and Data Retention & Destruction Policies guarantee protection against unauthorised access to, or alteration, destruction or disclosure of any personal data held by Uplift in its capacity as data controller.

In the event of a data breach likely to result in a risk to the rights and freedoms of the data subject or other persons, Uplift will notify the Irish Data Protection Commissioner without undue delay and, where feasible, within 72 hours after having become aware of the breach, in line with Article 33 of the GDPR.

(5) How is your data processed?

Uplift processes data in a variety of ways in order to run effective campaigns. Most often, this involves emailing members or reviewing survey data.

(5.a) Why are we sending you emails?

Uplift sends or facilitates the sending of emails in several ways:

  • Emails from Uplift staff team about campaign updates, opportunities for action and fundraisers. You only get these emails if you took action with us at some point in the past and selected “Yes, tell me how I can support people powered change”, and you can opt out any time by clicking the unsubscribe link in any of these emails
  • Emails confirming your action or “Thank you” emails. Everyone gets these emails so that we can be sure the real owner of the email address took this action, and to give you the opportunity to correct the record if necessary
  • Emails from petition starters via MyUplift. Petition starters are able to email anyone who signed their petition and selected “Yes, tell me how I can support people powered change”, with some moderation by the Uplift staff team. You can opt out any time by clicking the unsubscribe link in any of these emails
  • Direct responses – when you get in touch by responding to one of our emails or sending a message to theteam@uplift.ie, a volunteer or member of the staff team will respond to you directly
  • Emails to individuals (politicians, public figures such as CEOs) from Uplift members. Uplift facilitates these messages with templates and tips for email writing, but they are sent by individual members (as reflected in the “from” address).
  • Emails to journalists. We will occasionally send press releases with information we feel is newsworthy or otherwise relevant to journalists.

(5.b) Member surveys and research

We may use your personal information to undertake research.

We may combine this information with other personal information you have given us in the past, or which we collect via member surveys (see section 6 below) for this purpose. And we may collect demographic and attitudinal information for this analysis.

This may include creating member ‘personas’ and profiles of your interests. This helps us to get a better understanding of your background, interests and preferences in order to improve our communications and/or interactions with you, to help ensure they are targeted to be relevant and appropriate, and to provide information (sometimes through third parties) about campaigns and other aspects of our services which we consider may be of interest to you. It also allows us to better understand our members and ensure your member experience is tailored to your needs.

Additionally it allows us to (i) focus our resources on issues of interest to our members, and (ii) send out communications through mediums (for example, we might focus on advertising in publications where most of our members get their news), that are of interest to our members.

We may analyse this information in anonymous/ aggregated form (so that it does not identify you) and share that analysis with key decision makers – for example, to tell TDs that hundreds of Uplift members in their constituency are nurses.

We rely on our legitimate interests to undertake data processing for these purposes. If we use your special category data for these purposes, we will obtain your explicit consent where necessary or rely on other conditions under applicable data protection law.

We may use third parties, such as data analysts, to assist us with undertaking this type of research and profiling.

(5.c) Pixel tracking

We use ‘pixel trackers’ (including trackers provided by SendGrid) to provide us with insights about the way you interact with our emails, so we can learn about the effectiveness of our communications. For example, these tools tell us when and if you open an email from Uplift and whether you click on a link within the email. This is useful because it allows us to decide what kind of content you and our other members are interested in receiving.

We may then change the type of emails we send to you and our membership, or stop sending you emails at all if it seems you are no longer interested to hear from us.

These tools also protect our communications from being incorrectly flagged as ‘spam’ by email providers.

If you use an email client that allows it, you can ‘block’ pixels by changing your settings to block images being loaded by default.

(5.d) Donations

Financial transactions carried out on our website are usually handled through Stripe, Inc. (“Stripe”), a third party payment services provider. We recommend that you read Stripe’s privacy policy (available at https://stripe.com/en-ie/privacy) prior to effecting any transactions with us. We will provide your personal data to Stripe only to the extent necessary for the purposes of processing payments for transactions you enter into with us. We do not store your financial details.

You may also donate to us using PayPal. If you donate using PayPal, your personal information will be provided to PayPal so they can process your donation. Please see their privacy notice for more information about how they use and retain your personal information: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.

Alternatively if you set up a direct debit, we will use a provider called GoCardless to process your regular direct debit payments.

(5.e) Public contact data

In the pursuit of our campaign goals, Uplift may collect and categorize publicly available contact information (emails, phone numbers and social media handles). For this specific category, we engage in the following practices:

  • We record the public source of the data and when it was collected
  • We audit the data at least annually and remove any data which is no longer publicly available

(6) Your Rights

Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for direct marketing purposes or to be unsubscribed from our email list at any time. You also have the following rights:

(6.a) Right to be informed

You have the right to be told how your personal information will be used. This Policy and other policies and statements used on our website and in our communications are intended to provide you with a clear and transparent description of how your personal information may be used.

(6.b) Right of access

You can write to us to ask for confirmation of what information we hold about you and to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested and we have successfully confirmed your identity, we will provide you with your data. The simplest way to access your data is to use the form on this page: https://www.uplift.ie/gdpr-data-requests/

(6.c) Right of erasure

You can ask us for your personal information to be deleted from our records. In many cases we would propose to suppress further communications with you, rather than delete it. The simplest way to ask for your data to be erased is by sending an email to datadeletion@uplift.ie

(6.d) Right of rectification

If you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated.

(6.e) Right to restrict processing

You have the right to ask for processing of your personal data to be restricted if there is disagreement about its accuracy or legitimate usage.

(6.f) Right to data portability

To the extent required by applicable data protection laws, where we are processing your personal information (i) under your consent, (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact or (iii) by automated means, you may ask us to provide it to you – or another service provider – in a machine-readable format.

To exercise these rights, please send a description of the personal information in question using the contact details in section 9 below. We also have specific pages to unsubscribe from our email list (https://id.uplift.ie/subscriptions/unsubscribe?subscription=1). Where we consider that the information with which you have provided us does not enable us to identify the personal information in question, we reserve the right to ask for (i) personal identification and/or (ii) further information.

Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you consult the Data Protection Commission (“DPC”) guidance – or please contact us using the details in section 9 below.

You are further entitled to make a complaint including about the way we have processed your data to the DPC. For further information on how to exercise this right, please see the guidance at https://www.dataprotection.ie/en/individuals/raising-concern-commission.

(7) Data retention

Uplift will ensure that personal data is not kept for longer than what is strictly necessary for the purpose for which the data is processed, in line with the principles laid down in Article 5 of the GDPR.

To fulfil this commitment, Uplift has developed a Data Retention and Destruction Policy and associated schedule to ensure Uplift fulfils its obligation in regards to retention periods for all categories of personal data processed by the organisation.

Once the respective retention period has elapsed, Uplift undertakes to destroy, erase or otherwise put this data beyond use, in line with its Data Retention and Destruction Policy.

(8) Review

This Policy will be reviewed at least annually by the Board of Directors to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.

(9) Contact

We are not required by law to have a “Data Protection Officer” – however we have a Data Protection Manager.

Please let us know if you have any queries or concerns whatsoever about the way in which your data is being processed by either emailing the Data Protection Manager at dataprotection@uplift.ie and/or our wider team at theteam@uplift.ie

(10) Supervisory authority

Uplift’s headquarters is in Ireland. Should you wish to contact the relevant supervisory authority in relation to a data protection issue involving Uplift, you should contact:

The Irish Data Protection Commissioner

Telephone +353 57 8684800

+353 (0)761 104 800 

Fax +353 57 868 4757
Postal Address Data Protection Commissioner
Canal House
Station Road
Portarlington
Dublin Office 21 Fitzwilliam Square
Dublin 2
D02 RD28
Ireland.
Portarlington Office Canal House
Station Road
Portarlington
R32 AP23 Co. Laois