This policy outlines how personal and sensitive data is collected, stored and processed responsibly by our organisation. It ensures compliance with legal and ethical standards, prioritising privacy and security. Access to data is limited to authorised purposes only, with safeguards against misuse or unauthorised disclosure. This policy also commits to transparency, accountability and timely updates in case of changes or breaches.
Collecting and using information
Personal data
APC’s practice consists of giving people as much control as possible over the collection and use of their personal data. Our practices are compliant with GDPR guidelines. Personal data can be defined as “information that can be used to identify people, such as names, email addresses, telephone numbers, postal address, passport numbers, etc.” There are times when we may need to collect and process personal data from you in order to provide you the information or the support you need.
In the table below is a list of the types of personal data we might collect from you and the purposes for which we would use it.
Types of information | Purpose |
|---|---|
Website statistics: We collect the date, time and length of your visit, browser identification and, in some cases, IP address. | This information is anonymised and for internal use and analysis of website traffic only. |
Website cookies: We use the necessary cookies to make the website usable by enabling basic functions like page navigation and access to secure areas of the website. | To improve and tailor your website experience. |
Email sign-up to our newsletter. | Stored in APC’s CiviCRM database for dissemination of the newsletter. We confirm your consent to receive the newsletters regularly. |
Information of subscribers to other news (statements, etc.): First name, last name, work email or other email if provided; also the following details, if provided: phone number, address, preferred language, gender, date of birth, topics of interest. |
|
Member-related information: Name of organisation, name of contact, work email or other email if provided; also the following details, if provided: phone number, address, preferred language, topics of interest. | Stored in APC’s database(s) for dissemination of information to members and associates, such as events including council meetings and thematic group sessions and meetings; to access and use APC’s network-only space; and to receive other information relevant for membership in APC. |
Information of contacts who are not subscribers to APC’s newsletters and other news or APC network members: first name, last name, work email or other email if provided; also the following details if provided: phone number, address, preferred language, topics of interest. | To share resources and information relevant to stated topics of interest of the contacts. |
Information required to process job applications, including information contained on a CV, in an application letter and in contact information. | To process job applications. This information is deleted as soon as it is not needed anymore. |
Personal information of people who attend events or need travel arrangements, including residence and travel documents. | To register for events, arrange travel and accommodation, and process visa requests. This information is deleted as soon as it is not needed anymore. |
We will only collect personal information from you when we need this information and we will not process your personal information other than for the purposes for which you shared it with us. You will always have the option to unsubscribe from receiving information or to request to be deleted from our database, which we will act on accordingly. We do not perform any profiling activities, including automated decision making, where your personal data is processed by automated means.
Consent
We don't collect your information without your permission. We don't use your information without your permission. Any time we collect any personal information, we will ask you for your consent. APC might request your consent in varying forms: ticking a box on a form, signing up with your email address to receive a newsletter, filling out a form to register for an event or a form on our website, or signing on to a written statement.
APC uses informed consent before recording or using audio or video, unless the recording is made in a public space where such recordings are common and expected, e.g. a conference or lecture. The same policy applies to taking photographs.
It is your right to withdraw your consent at any time. You can do so by unsubscribing from the information you receive or by using the contact details below. Please note, however, that withdrawing your consent will not affect the lawfulness of our use of your information based on the consent you gave prior to withdrawal.
Receiving newsletters
APC offers various newsletters. Users can sign up by clicking on the “Subscribe” buttons on our websites or via email. We will not use your information to send you unwanted information or to sell or rent email addresses. Furthermore, you can unsubscribe from the newsletters at any time using the link included in every email you receive. Once you unsubscribe, APC will completely remove your data from our databases. Alternatively, you may remove your address from our mailing lists by sending an email to privacy AT apc.org
Legitimate interests
There are a few cases where APC will process your personal data based on legitimate interests, without having to seek your express consent, with the assurance that the data will be protected. This is a specific provision under the GDPR, and it applies when:
- The processing isn’t required by law, but provides a clear benefit.
- The processing carries little risk of infringing on your data privacy.
- There is a reasonable expectation that your data will be used in this way.
Legitimate interest data processing ensures that APC can efficiently provide you with information without having to seek individual consent for every communication with you (or where in some cases it might not be possible for us to seek your consent). For example, we may process your personal data if you are a member or an associate in order to provide you with information relevant to your membership, such as:
- When you have subscribed to one of our newsletters and we want to inform you about another newsletter or new resources relating to a similar or related topic
or
- When a new form of processing would be more efficient.
Before undertaking such processing, we will consider your rights and freedoms and will only commence such processing where we do not think your rights will be infringed.
Information sharing
We may share the personal data that you provide us with partners, to the extent necessary for the purpose of providing required information. You will generally be notified if your data is shared. This may include data of event registrations needed to access the venue or the locations where events organised by APC are held.
We may also share personal data with third parties who provide services to APC, such as technical infrastructure or service providers, software platform providers, travel agencies and external advisors. In all these cases, we will ensure that those third parties treat your information with the necessary care and confidentiality and we will put in place the required contractual documentation.
APC will never store any sensitive data on third-party online services, e.g. Flickr, Facebook, Google Docs.
APC's Nextcloud may be used for storing work-related A/V material and images of other people only when such material does not contain sensitive information.
Zoom meeting recordings are immediately downloaded, processed, and deleted or stored safely.
We will not otherwise use, share, disseminate, publish or disclose your personal data (except as may be required in response to litigation, investigations or other legally required disclosures).
How long we store your personal data
The duration for which personal data is stored on APC servers is limited to a strict minimum. This corresponds to the period necessary for the purposes of providing the information you have requested, or as required for legal compliance purposes. For further information on how long we will store your personal data in any particular case, please do not hesitate to contact us using the details below.
Links to third-party websites
Our websites may contain links to other websites of interest. However, once you have used these links to leave our website, you should note that we do not have any control over other external websites. Therefore, we cannot be responsible for the protection and privacy of any information which you provide while visiting such websites, and such websites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Rights
- Access: You may contact us at any time in order to request access to the personal information we hold about you. We will confirm whether we are processing your personal data, and provide details of the categories of personal data concerned and the reasons for our processing. We can also provide you with a copy of your personal information on request.
- Rectification: If the information we hold appears to be inaccurate, we will not use it and will not allow others to use it until it is verified. You can ask us to correct or complete your personal data by contacting us at any time. To the extent possible, we will inform anyone who has received your personal data of any corrections we make to it.
- Restriction: In certain circumstances, it may be possible to require us to limit the way in which we process your personal information (e.g. require us to continue to store your personal data but not otherwise process it without your consent). Such circumstances include the following:
- When you think the data we hold about you is inaccurate, processing can be restricted while it is being rectified.
- When you object to processing that is being carried out on the grounds that it is necessary for our legitimate interests, the processing can be restricted while we determine whether such grounds override your interests.
- When we no longer need the personal data but you require the data in order to establish, exercise or defend a legal claim, our processing can be restricted.
- Removal of your data: You may ask to have the information we have on you deleted or removed. We will try to do so promptly, and to the extent possible, we will inform anyone who has received your personal information of your request. However, we must keep track of certain transaction information, such as past event registrations and similar information, for legal compliance purposes of our funders, auditors and accountants, so we may not be able to fully delete your information in certain circumstances.
- Receiving/transferring your personal data: You may also ask us to send you the personal data we hold on you in an electronic, structured and user-friendly format, or you may ask us to send this data to another person.
- Objections: When we are processing your personal information to pursue legitimate interests without your consent, you may object to us processing your personal data. In particular, when we are using your personal data to contact you for purposes of sharing information and resources, you may object to such processing at any time.
- Complaints: If you are located in the EEA and you believe that our processing of your personal data is in breach of data protection law, you have the right to lodge a complaint with the relevant data protection supervisory authority in the country where you are based or any place in the EEA where you believe the infringement has occurred. You may also contact us at any time if you wish to complain about our processing of your personal data. APC.org’s supervisory authority on data privacy is the UK’s Information Commissioner’s Office.
For any of the requests listed above, please use the contact details below. APC will make reasonable efforts to respond promptly and at the latest within one month. Our response to such requests may be limited to information under our direct control.
SECURITY
Security measures
We limit access to personal data that we collect about you to specific APC staff, who we reasonably believe need to have access to your information in order to provide you with the information you request from us. We have security measures in place to help protect against the loss, misuse and alteration of the information under our control. While we cannot guarantee that loss, misuse or alteration of data will not occur, we ensure that our systems adhere to the highest security standards so as to help safeguard against such occurrences. In case you have any questions about these measures, please use the contact details provided below.
No method of transmission over the internet or method of electronic storage is 100% secure. We use recognised standards and accepted means to protect your personal data, but we cannot guarantee its absolute security. If you have any questions about our security, you can email us through the contact details below.
Children’s privacy protection
APC does not target and its websites are not intended for children under the age of 16. In the case that APC discovers that data from children has been collected, we will immediately delete such data. In any other case where APC might find itself in the position to have to collect information from children, we will require the express consent of an adult with parental responsibility for the child.
Opting out
If you do not wish to receive certain communications from APC you may opt out by:
- Following the opt-out instructions that we include in each of our communications with you
or
- Informing us at privacy@apc.org that you no longer wish to receive such communications.
We will comply with such requests unless these communications from us are required by law or do not require your consent under applicable laws. Your opting out may restrict APC’s ability to provide you with the full extent of our services.
Contact details
If you would like to get in touch with us with regard to your personal data, please contact us at privacy[@]apc[.]org
Use this email address if you want us to:
- Provide a copy of any personal information about you that we have stored in our systems.
- Delete personal information about you that we have stored in our systems.
Changes to this document
This version of the Privacy Policy was last updated on September 2025 and represents a major revision of the previously published information. This document provides a comprehensive framework outlining APC’s policies, standards and practices related to responsible data management. It clarifies our commitment to the safety and protection of personal and sensitive data, and to upholding privacy across both APC’s public and private digital spaces.
APC’s approach to data is defined through a set of policies that govern the various layers and aspects of our communal infrastructure, both internally and externally. This document outlines the elements of those policies that are specifically relevant to APC websites and our online workspaces.
If there are any changes to APC’s data and privacy policies – whether related to processes, procedures or other relevant matters – they will be reflected in this document. We will update it on our website and other appropriate platforms to ensure it remains accurate and transparent, so you are informed about what data we collect, how we use it, and under what circumstances we may disclose it.
APC reserves the right to modify this document at any time. We encourage you to review it regularly. If significant changes are made, we will notify you via email or through a notice on our website’s homepage.