INTRODUCTION
The Conversation respects your privacy and is committed to protecting your personal data. This privacy notice explains what personal data we collect from you when you visit our website or use our services, what we do with it and how we keep it safe. It also explains your privacy rights and how the law protects you.
- IMPORTANT INFORMATION AND WHO WE ARE
- THE DATA WE COLLECT ABOUT YOU
- HOW PERSONAL DATA IS COLLECTED
- HOW WE USE PERSONAL DATA
- DISCLOSURES OF PERSONAL DATA
- INTERNATIONAL TRANSFERS
- DATA SECURITY
- DATA RETENTION
- YOUR LEGAL RIGHTS
1. IMPORTANT INFORMATION AND WHO WE ARE
The Conversation is a news website written by academics working with our team of professional editors to provide timely, expert insight into current affairs. The Conversation in the UK is a non-profit company (company limited by guarantee) and registered charity, funded by our member universities, other education and philanthropic funding bodies, and the generous donations of our readers.
As a non-commercial organisation we do not carry advertisements on our website or in our newsletters. We do not create profiles of you, our readers, based on data about you that we gather from your use of our site. We do not employ other organisations to do this. The data we collect about our readers is only the bare minimum required to deliver our services to readers, such as website content and newsletters. This privacy notice will explain what we collect, what we do with it, and your rights to access or control that data.
DATA CONTROLLER
The Conversation is a network comprising eight legal entities which operate ten editions of The Conversation, in Australia and New Zealand, Canada (with English and French editions), France, Indonesia, South Africa, Spain, the UK and US. When this notice discusses “The Conversation”, “we,” or “us”, this refers to the legal entity that produces the edition in your region (as listed in section 6 below) which acts as the data controller. The edition may be changed using the switch in the top-left corner of the website. In all cases, queries, questions or complaints relating to your data and your privacy rights should be directed to europe-privacy@theconversation.com in the first instance.
CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES
This privacy notice was last updated October 2022. This version reflects data protection law under the European Union General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and the EU e-Privacy Directive (Privacy and Electronic Communications (EC Directive) Regulations 2003 in the UK). This notice outlines your rights under law as it applies in the UK and EU/EEA. Past versions of The Conversation’s privacy notices can be requested from europe-privacy@theconversation.com
It is important that the personal data we hold about you is accurate and current. Where you are able to, please keep your personal data on our systems up to date, or otherwise keep us informed if your personal data changes during your relationship with us. For example by updating your details if you have created a reader or author account on theconversation.com, or by updating the email address with which you have signed up for one of our newsletters, or by letting us know when you no longer want to use our services.
THIRD-PARTY LINKS
We include links to third-party websites on theconversation.com. Clicking on those links may allow third parties to collect or share data about you, which they will do in accordance with their own privacy policies. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy notice of every website you visit.
2. THE DATA WE COLLECT ABOUT YOU
Personal data means any information about an individual from which that person can be identified. It does not include data where the capability to identify a person has been removed (anonymous data). Because we don’t use advertising we don’t collect much information about readers visiting our website.
The information we collect depends on how you interact with our website and services.
Website visitors: if you visit theconversation.com, our website will collect certain elements of technical data about the device you are using to browse our website, such as browser version, screen size and resolution. We do this to provide you with the best browsing experience, for example so that the website looks its best whether you are using a small screen on a mobile phone or a large desktop monitor. As is the case with any website on the internet, our web server will log your IP address as having accessed our site and this will be stored for a period of time for troubleshooting, technical and security purposes. This IP address is not stored alongside any other data that could identify an individual.
We use Google Analytics, a software service based in the US, to collect statistical data on those reading our website, such as which articles are read, how long is spent on a page, and which links are clicked on. This is to establish the patterns of use of our site, to identify popular and unpopular content, and to provide a better service. Google Analytics processes visitor IP addresses to identify geographic location (country), but this is stored as aggregate statistical data, and cannot identify an individual. Your IP address will be discarded once processed by Google Analytics and is not stored. When you visit our site and read our content, you consent to your personal data being processed in this way.
If you read our content via a third party site that has republished an article (a “republisher”), we will receive data indicating which article has been read and the identity of the republisher’s site. This also includes your IP address, which will be processed in order to identify your general geographic location (country). This is stored as aggregate data from which it is not possible to identify an individual. Your IP address will be retained for a fixed retention period and then discarded.
Subscribers: if you subscribe to our newsletters, we use the email address you provide to send the newsletter(s) you have requested to that address. The Conversation uses Campaign Monitor to send its email newsletters, a software service based in the US. Our subscriber lists – containing your email address – are stored on Campaign Monitor’s servers in the US. Campaign Monitor’s data protection and privacy policies conform to GDPR, and as a data processor for The Conversation the company is contractually obliged to process your data only as we direct and only in such a way that is compatible with data protection principles and your rights under GDPR or other relevant privacy law. When you sign up for a newsletter from The Conversation, you consent to your data being processed in this way. Neither The Conversation nor Campaign Monitor will ever use the data you have provided for reasons other than those for which you provided it, or transfer it to any third parties, except with your consent.
Readers: regular visitors to theconversation.com may wish to sign up for a reader account so that they can comment on articles and engage in discussion with our authors and other readers. We ask readers to provide their name, email address and, optionally, a job title or profession to provide some context to the comments they leave. If you post a comment under your reader account, your comment and your name will be published to the site. Your commenter profile and any biographical details you have added will be public. When you sign up for a reader account and post comments on our site, you consent to your personal data being processed and shared in this way. Your personal data is not used for any other purpose, or transferred to any other party, without your consent.
Authors: our authors are academics and researchers from all over the world, but chiefly in the countries in which The Conversation’s editions operate. In order to write for The Conversation, authors agree to create, or allow us to create on their behalf, a short profile that provides some background to their research and expertise. Profiles are public and will necessarily contain several items of personal data including name, job title, institution, email address, a short research biography and a profile picture, typically taken from sources that are already public, such as a university profile page. Authors may edit their own profiles, and we ask that they strive to keep them up-to-date, such as when changing jobs or institutions.
If you as an author have an article published on The Conversation your name, job title, and institution will be appended as the article’s byline, providing you with full credit for your work. The Conversation publishes articles under a Creative Commons CC-BY-ND licence which allows other organisations to republish our content. This means that, as an author, the personal details contained in your byline will be used by other parties that republish your articles in order to credit you for your work. When you sign up for an author account or when we create one for you in the process of commissioning an article, you consent to your personal data being processed in this way. We will not otherwise share authors’ details with third parties without your consent.
Donors: readers who support The Conversation through donations provide their name, email address and financial details. Depending on jurisdiction, or where legally obliged, or where they consent to do so, they may also provide a postal address. We may contact donors by email in the future, and we may cross-reference donors with our other data, for example to identify where donors are also subscribers or website users/commenters. Financial details are stored securely by a third party payment processor, not by The Conversation. We will not share the personal data or details of donors with any other third parties, except where legally obliged to. When you donate to The Conversation, you consent to your data being processed in this way.
IF YOU FAIL TO PROVIDE PERSONAL DATA
If you fail to provide data we need to collect when requested, either data required for us to perform a service under a contract that we have with you, or where we need to collect personal data by law, we may not be able to perform the contract we have or are trying to enter into with you. For example, we cannot send you a newsletter if you have not provided an email address. In this case, we may have to cancel a service we have agreed to provide.
3. HOW IS YOUR PERSONAL DATA COLLECTED?
We collect data on you either through your direct interaction with the site, or programmatically through your actions, or from third parties.
Direct interactions: You may give us your name, email address, or other details by filling in forms, for example in order to subscribe to a newsletter or set up a reader account.
Programmatic interactions: As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. This data may be collected and stored in our web server logs. We also collect data from you if you read our articles via another website that has republished our work.
Third parties or publicly available sources: In order to create profiles for authors writing for The Conversation, we may use personal biographic data about the author from publicly available third party sources, for example from their university website profile or from other linked, public accounts such as ResearchGate, Academia.edu, or LinkedIn. This information is to show readers the experience and expertise of the author whose article they are reading, and to provide authors with a profile and ‘landing page’ for their written work for The Conversation. Authors may login to their account on theconversation.com and edit their profile as desired (subject to minimum necessary details as laid out in the terms and conditions). We do not use this information for any other purpose or transfer it to any other party.
Other examples of data sourced from third parties may include:
Technical Data, for example:
- (a) Google Analytics (Google is a company based outside the UK and EU)
- (b) search information providers (such as Google Search, based outside the UK and EU)
Contact, Financial and Transaction Data, from payment services providers, for example if you make a donation to The Conversation (Stripe, Paypal and Salesforce are companies based both inside and outside the UK and EU).
4. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- In order to offer the services you have asked us to provide (lawful basis of contract)
- Where we need to comply with a legal or regulatory obligation (lawful basis of legal obligation)
- Where necessary for our legitimate interests (or those of a third party), where those interests are not overridden by your interests and fundamental rights (lawful basis of legitimate interests).
PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
We have set out below a description of all the ways we plan to use your personal data, and which lawful basis defined by GDPR we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data under more than one lawful basis depending on the specific purpose for which we are using it.
| User type | Personal data collected | Use | Lawful basis |
|---|---|---|---|
| Website visitors, readers via republication | IP address | For technical, security and legal purposes | (3) |
| Subscribers | Email address | To send newsletters | (1) |
| Readers | Name, email, occupation, profile picture | To provide commenter profiles | (1) |
| Authors | Name, email, job title, institution, brief professional biography, profile picture | To provide author profiles | (1) |
| Donors | Name, email, address, financial data | To process donations and contact donors in the future | (1, 2, 3) |
MARKETING AND COMMUNICATIONS FROM US
We send newsletters to subscribers where requested. We may from time to time send other emails to you as a subscriber, relating to content offered by The Conversation, to survey you for your thoughts about our site, to solicit your support through donations, or to deliver other notices. You may unsubscribe from receiving emails from The Conversation at any time using the prominent unsubscribe link at the bottom of every email we send. We will never sell your data or share it with third parties without your consent.
COOKIES
Like most websites we use cookies to help ensure smooth functioning of the website. A cookie is a small text file that contains certain information, for example about your device, or about options you have selected for a website. Under the European Union e-Privacy Directive (the Privacy and Electronic Communications (EC Directive) Regulations in the UK) we are required to inform users of our use of cookies, both those that are strictly necessary for the functioning of the site and cookies that are recommended but not necessary, and in respect of the latter gain consent for their use.
The Conversation does not use advertising. We do not use cookies to create or store personal profiles of information on our readers for sale to or use by advertisers. Our cookies are used to:
- set and remember the edition of The Conversation a user sees by default when visiting our site (which can be changed from the switcher in the top left corner) (necessary)
- save user’s authentication state, to recognise whether they are logged in or not (necessary)
- save user’s settings for the Job Board and record whether the user is logged in (necessary)
- save a user’s site preference whether to see pop-ups (recommended)
- allow Google Analytics to generate statistics about the number of visitors to the site, and their use of the site (recommended)
Visitors landing on theconversation.com for the first time will see a cookie consent pop-up, explaining the cookies we use and asking visitors to consent to their use. You may consent to either all cookies or only necessary cookies from this pop-up. You may also set your browser to automatically refuse some or all browser cookies. However if you disable or refuse necessary cookies, please note that some parts of the website may become inaccessible or function incorrectly. You can manage your cookie preferences from the Consent preferences link in the site footer.
CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose, and that purpose is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where required or permitted by law.
5. DISCLOSURES OF YOUR PERSONAL DATA
We may share your personal data with data processors: third-party companies that we use in order to deliver our services. We do so only when it is appropriate, where we have a legal basis to do so, and where data processing agreements are in place. These legally binding contracts (“standard contractual clauses” created and approved by the European Commission) oblige third parties acting as processors for The Conversation to protect your data. We may share your personal data with law enforcement or government agencies if compelled to do so, such as to meet a legal obligation.
6. INTERNATIONAL TRANSFERS
Your personal data as stored and used by The Conversation network and its constituent companies and may be accessed from or transferred outside the UK, European Union or European Economic Area. Where it is necessary to transfer your data to a third party, such as through the use of data processors, we will:
- ensure that data has a similar degree of protection either because the country we transfer to has been deemed by the European Commission to provide equivalent levels of data protection (“GDPR adequacy decision”), or
- perform a transfer impact assessment as laid out in the European Data Protection Board’s Recommendations 01/2020 on supplemental data transfer tools (v.2, June 2021) in order to establish and enact measures, proportionate to the risk, that ensure personal data is protected to a standard that meets that available in the UK, EU or EEA under GDPR. This may be applied through use of the UK/EU approved standard contractual clauses, or through other contractual means.
The Conversation network consists of companies operating worldwide. The table below shows these companies, their location, and the steps taken to ensure protection of your personal data. The constituent companies of each edition of The Conversation are joint data controllers with The Conversation Media Group Ltd in Australia, which manages and hosts theconversation.com and associated site and user data.
| Edition of The Conversation | Country | Name and address of constituent company | Protection measures |
|---|---|---|---|
| Australia & New Zealand |
Australia New Zealand |
The Conversation Media Group Ltd Tenancy B, Level 5 700 Swanston Street Carlton VIC 3053 The Conversation Media Group Ltd PO Box 5290 Waterloo Quay Wellington 6140 |
Standard contractual clauses, internal data- sharing agreement and privacy policy EU GDPR adequacy decision |
| United Kingdom | United Kingdom | The Conversation Trust (UK) Limited Shropshire House (4th Floor) 11-20 Capper Street LONDON, WC1E 6JA |
UK/EU GDPR adequacy decision, standard contractual clauses, internal data-sharing agreement and privacy policy |
| United States | United States | The Conversation US, Inc. 303 Wyman Street, Suite 300 Waltham, MA 02451 |
Standard contractual clauses, internal data- sharing agreement and privacy policy |
| Africa | South Africa | The Conversation Africa, Inc. 18th Floor, University Corner Cnr Bertha and Jorissen Streets Braamfontein, 2000 |
Standard contractual clauses, internal data- sharing agreement and privacy policy |
| France | France | The Conversation France (assoc. 1901) 14, rue Sainte-Cécile 75009 Paris |
EU member state, standard contractual clauses, internal data-sharing agreement and privacy policy |
| Canada Canada (Français) |
Canada | The Conversation Canada Academic Journalism Society 77 Bloor St. W., Suite 600 Toronto M5S 1M2 La Conversation Canada 5455 avenue de Gaspé, suite 710 Montréal, Québec H2T 3B3 |
EU GDPR adequacy decision, internal data- sharing agreement and privacy policy |
| Indonesia | Indonesia | The Conversation Kantor Akademi Ilmu Pengetahuan Indonesia Kompleks Perpustakaan Nasional Jl. Medan Merdeka Selatan No. 11 Jakarta Pusat 10110 |
Standard contractual clauses, internal data- sharing agreement and privacy policy |
| España | Spain | Asociación The Conversation España Gran Vía, 28 28013, Madrid |
EU member state, internal data-sharing agreement and privacy policy |
In addition The Conversation uses a number of third party processors to provide services to our readers:
| Processor company | Purpose of processing | Location | Protection measures |
|---|---|---|---|
| OVH | Website hosting | UK, Europe, various | Transfer impact assessment, standard contractual clauses and data processing agreement |
| Fastly | Web hosting CDN | UK, Europe, various | |
| AWS | Services and data hosting | US, UK, Europe, various | |
| Imgix | Image CDN | US | |
| Google Analytics for website audience statistics | US | ||
| Campaign Monitor | Managing subscriber lists, sending newsletters | US | |
| Salesforce | Managing donor contact lists and donations data | US, UK, Europe, various | |
| Stripe | Payment processor | US, UK, Ireland | |
| PayPal | Payment processor | US, UK, Luxembourg | |
| Zapier | Donor and subscriber processing, automation | US | |
| Helpscout | Support desk ticket service | US | |
| SurveyMonkey | User surveys | US |
7. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Information held by The Conversation is stored securely on our hosting partners servers, including through use of data encryption. Data is stored on servers distributed across several regions worldwide in order to provide a quality of service to readers all over the world.
In addition, we limit access to your personal data to only those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data according to our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. DATA RETENTION
FOR HOW LONG WILL YOU USE MY PERSONAL DATA?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. You can request details of our retention periods for different elements of your personal data by contacting us at europe-privacy@theconversation.com
In some circumstances you can ask us to delete your data. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice.
9. YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data. If you wish to exercise any of these rights set out below, please contact europe-privacy@theconversation.com. No fee is usually required, but we may charge a reasonable fee for your request, or refuse to comply, if it is clearly unfounded, repetitive or excessive.
WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
TIME LIMIT TO RESPOND
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific reasons, of which you will be notified if applicable at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information that override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Any questions, queries or requests should be directed to europe-privacy@theconversation.com