RAND Europe Supporters and Friends Privacy Notice

This notice was updated on 29 November 2023

Introduction

This website is operated and maintained by the RAND Corporation based in the USA on behalf of RAND Europe Community Interest Company, RAND Europe (EU) AISBL and Stichting RAND Europe NL (collectively referred to in this policy as “RAND Europe”, “we” or “us”). RAND Europe UK Limited is the designated charity for charitable contributions to RAND Europe.

This Privacy Notice applies to all Supporters and Friends of RAND Europe (“you” or “your”) or services that link to it (collectively, our “Services”). Occasionally, a Service will link to a different Privacy Statement, such as the general RAND Europe Privacy Statement, that will outline the particular privacy practices of that Service.

Your privacy is important to us and we operate in compliance with EU law and the UK GDPR. We strive to ensure that we operate to highest standards with your data. This policy sets out how we collect information your data through this site and as part of your relationship and contact with us.

RAND Europe is a not-for-profit research organisation that seeks to improve policy through research. To ensure that your data is protected we have a Data Protection Officer responsible for our privacy obligations to you.

Privacy principles

We shall use your data lawfully, fairly and transparently.

We shall collect your information for specified, explicit, and legitimate purposes and compatible scientific and statistical research purposes.

Your data collected will be minimised to what is necessary.

Your data held shall be accurate and otherwise securely deleted.

We maintain your data to high security standards.

Why we process your data

We value our relationship with you and would like to send you relevant communications, offering beneficial services, thanking you for your support and sharing future opportunities to get involved, which may be of interest to you. To do so, we need to process your personal information.

When collecting and using personal information, we rely on the following legal bases for doing so:

Where we have a legitimate interest to do so for the purposes set out within this privacy notice. We have carefully considered the ways we process personal data to ensure that our activities are focussed on the interests of Supporters and Friends. When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws; Where we are required to comply with our legal obligations such as: statutory returns and undergoing audits by regulators; Where we need to perform a contract we have entered into with you; for example when you register for an event or to enable us to process a donation from you; Where you provide your consent. You can withdraw your consent at any time – please see the section on your rights within this privacy notice.

We want to be clear about our privacy practices so that you are fully informed and can make choices about the use of your information, and we encourage you to contact us at any time with questions or concerns – Data Protection Officer at REdpo@randeurope.org or in writing to Data Protection Officer, RAND Europe, Eastbrook House, Shaftesbury Road, Cambridge, CB2 8BF, United Kingdom.

The types of personal information we hold

We may hold and process the following types of personal information about you:

Name, address, telephone number, email;

Date of birth and gender;

Any information you provide to access our services;

Qualifications;

Professional and employment details;

Your current interests, activities and accolades;

Communications relating to decisions we make;

Visual images/photographs, which may come from publicly available sources where copyright allows;

Your affiliations with other organisations (e.g. board memberships);

Links to your public social media presence e.g. LinkedIn, Twitter, website or blog and membership of RAND Europe social media groups;

Records of your interactions with us (correspondence, notes) including your communication preferences;

Your attendance and/or involvement in events;

Details of the benefits/services provided to you (e.g. receiving publications and invitations to events);

Your connections with other supporters, friends, and RAND staff;

How you may be able to support us, for example our opinion of whether you are likely to volunteer or donate;

Your support for RAND Europe (e.g. your donations, volunteering, or advocacy); and Bank details and/or payment card details.

We may also process sensitive personal information about you such as:

Health information including medical conditions – we may use health information to help us to make reasonable adjustments to improve our service to you; to ensure our engagement with you is based on a suitable understanding of, and respect for, your particular circumstances.

Criminal conviction offences – we may use publicly available information relating to convictions, offences or allegations, including money laundering or bribery offences, to carry out due diligence on donors or prospective donors in line with our guidelines on the acceptance of gifts.

Race or ethnicity – we may use this information to support monitoring purposes and help to ensure activities reflect the make-up of our stakeholder community.

We do not seek to obtain sexual orientation, religious beliefs, or political opinions, but they may sometimes be inferred from other data we hold (activities or event attendance, memberships, relationships, donations to specific causes).

How we collect your data

We collect personal information in three ways:

Directly from you during your ongoing relationship with RAND Europe; From publicly available sources; and From third parties providing us with services or acting on our behalf.

Personal Information may be collected from the following range of sources:

We and our staff generate about you, such as event attendance, meetings, groups and information in connection with your attendance and involvement with RAND Europe;

Through this website: www.rand.org, and any other RAND-authorised internet services, websites, products, social media, or software applications that enable you to use, access, view, listen to and/or download RAND content or to interact with us online (or through any other digital means) on any device. We collect information that you provide to us by filling out forms on the website or by corresponding with us.

Through dedicated business or government sites, such as Companies House, or publications and articles in the public domain, such as the Queen’s Birthday Honours List. We may use this information to assess your level of engagement, and your inclination to volunteer or make donations;

Email correspondence you have with RAND Europe; and

Our servers, logs, and other technologies automatically collect certain information to help us administer, protect, and improve our Services; analyse usage; and improve users’ experience.

We receive and store certain types of information whenever you interact with us. This includes the use of "cookies". Please refer to our cookies policy as described on the RAND Europe Privacy Statement for further information regarding our use of cookies.

How we use data about you

We use your personal information for the following purposes:

For administration of your record held on our database;

To identify opportunities, products and services that may be of interest to you, and to invite you to get involved with RAND activities, including events, fundraising, donating, mentoring, guest speaking, and research. This may include disclosing personal data to trusted third parties, such as appointed service providers, from time to time;

To undertake due diligence in accordance with our Gift Acceptance and Ethical Fundraising Policy;

To personalise better, and send communications to you including tailored information, proposals, appeals, and requests for donations;

To enable all financial transactions to and from us, including donations;

To issue recognition for your support (e.g. sharing stories from those who have benefited from your support via our publications);

To ensure the data we hold is up to date and accurate;

To identify future opportunities to get involved, which may be of interest to you (e.g. asking you to speak at RAND events or support priority projects);

For the purpose of consulting, informing and gauging your opinion about our products and services; for example: surveys, including analysis and research, in order to improve our understanding of our Supporters and Friends;

We may analyse your data to create additional information about you. For example, to assess your level of engagement, your inclination to donate or volunteer and potential areas of interest for future contact, and may use trusted external companies to do this on our behalf;

To ensure that content from our websites or services is presented in the most effective manner for you and for your computer or device by gathering aggregate information about our users, using it to analyse the effectiveness and efficiency of communications;

To carry out our contractual obligations with you, which will include the operation and delivery of our services, and dealing with requests and enquiries;

Where it is necessary to comply with a legal and/or statutory obligation including those related to diversity and equal opportunity; and

To notify you about changes to our services.

Who we share your data with

We may, from time to time, share your personal information within RAND Europe associated entities or third parties working on our behalf.

RAND Europe may also be required to collect and process certain information for external agencies and government bodies. These bodies include, but are not limited to the Charity Commission, and Her Majesty’s Revenue & Customs.

RAND Europe may share your personal information with our trusted partners and selected third parties to help us perform functions such as sending you e-mails and postal mail. All such third parties are prohibited from using your personal information except to provide these services to RAND Europe, and they are required to maintain the confidentiality of your information. RAND Europe ensures such third parties handle your information in accordance with the GDPR.

Below are the reasons we may share personal information:

We will facilitate communication between our Supporters and Friends, but we will not release any personal information without your prior consent.

Within RAND Europe: Associated entities are provided data by a variety of RAND teams and functions, and personal information will be made available to them if necessary for the provision of Services, account administration, and technical support, for instance.

Our business partners: We occasionally partner with other organisations to deliver co-branded services, provide content, or to host events, conferences, and seminars. As part of these arrangements, we and our partners may collect and share information about you. RAND Europe will handle personal information in accordance with this Privacy Notice, and we encourage you to review the privacy statements of our partners to learn more about how they collect, use, and share personal information.

Our selected third-party service providers: We partner with and are supported by service providers both in the UK and around the world. Personal information will be made available to these parties only when necessary to fulfil the Services they provide to us, such as event registration, donation handling, and prospect research. Our third-party service providers are not permitted to share or use personal information we make available to them for any other purpose than to provide services to us.

We may also use personal information to meet our internal and external audit or governmental requirements, information security purposes, and as we otherwise believe to be necessary or appropriate: Under applicable law, which may include laws outside your country of residence; To respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence; To enforce our terms and conditions; and To protect our rights, privacy, safety, or property, or those of other persons.



How long we keep your data

We retain your personal data in support of your relationship with RAND Europe unless you request otherwise, or there is no longer a legal basis for holding your personal data. Where we no longer need to retain personal information, we ensure it is securely disposed of.

How we secure your data

Your data is maintained confidentially and securely by us at all times. We will only disclose your data if you have explicitly consented for us to do so or if you are taking part in our research and have been explicitly informed before providing your data that this will happen. We only share your data with organisations and employees who are involved in delivering the service we offer you or the research you participate in. Our employees and any organisations we pass your data to are subject to legal obligation to comply with data protection law that assures the confidentiality and protection of your data.

We implement high standards of security in respect of handling your data which include the use of secure encryption of portable devices, secure file transfer, password secured data files and access control to stored information. Our technical and organisational measures are subject to continuous improvement in accordance with technological development. RAND Europe is accredited for ISO 27001 certification and Cyber Essentials Plus.

Where we use external companies to collect or process personal data on our behalf, we complete comprehensive checks on them and put contracts in place. This outlines our expectations and requirements in line with the law regarding how they manage the personal data they have collected or have access to.

How we keep your data secure in other countries

Your personal information may be transferred by us or our trusted partners outside of the United Kingdom.

RAND Europe has networks, databases, servers, systems, and support located throughout the world. RAND Europe collaborates with third parties such as cloud hosting services and suppliers located in the United States and other countries to serve the needs of the RAND Europe workforce and clients.

We take appropriate steps to ensure that personal information is processed, secured, and transferred according to applicable law. In some cases, we may need to disclose or transfer your personal information within RAND Europe or to third parties in areas outside of your home country.

RAND Europe shall ensure that your personal information transferred to countries outside of the United Kingdom is adequately protected by transferring the personal information on terms of the standard data protection clauses adopted by the European Commission.

This means, your rights and protection remain with your data, in other words: we use approved contractual clauses, data transfer agreements, and other measures designed to ensure that the recipients of your personal information protect it. If you would like to know more about our data transfer practices, please contact our Data Protection Officer at REdpo@randeurope.org or in writing to Data Protection Officer, RAND Europe, Westbrook Centre, Milton Road, Cambridge, CB4 1YG, UK.

Your legal rights

We respect your right to access and control your information, and we will respond to requests for information and, where applicable, will correct, amend, or delete your personal information.

Under certain circumstances, by law you have the right to:

Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of personal information that we hold about you. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.

Request erasure of your personal information in limited circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

Object to processing of your personal information where we are processing your personal information on the basis of our legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we may be processing your personal information for direct marketing purposes.

Request the restriction or suspension of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.

Object to any automated decision-making about you, which produces legal effects or otherwise significantly affects you.

Request the transfer of your personal information to another party.

If you wish to exercise any of these rights, please contact the RAND Europe Data Protection Officer by email at REdpo@randeurope.org or in writing to Data Protection Officer, RAND Europe, Eastbrook House, Shaftesbury Road, Cambridge, CB2 8BF, United Kingdom.

Where you request information from us, we will need to confirm your identity to ensure the security of your data. We will endeavour to respond within 30 days, but our response time may vary depending on the complexity of your request. A fee will not normally be charged unless a request is considered to be without basis, repetitive or excessive. Where we request a fee, it shall always be reasonable.

Changes to this policy

This privacy notice was last updated on 29 November 2023.

RAND Europe reserves the right to amend this policy at any time. Any changes to this privacy notice will be posted on this page. Older versions of this policy are maintained and can be accessed on request to the Data Protection Officer by email at REdpo@randeurope.org or in writing to Data Protection Officer, RAND Europe, Eastbrook House, Shaftesbury Road, Cambridge, CB2 8BF, United Kingdom.

If you wish to lodge a complaint in relation to the processing of your data, you may contact the Information Commissioner’s Office.