Privacy policy

This website is operated by Penal Reform International.

Penal Reform International is committed to protecting the privacy of all users of our website www.penalreform.org (“website”). This privacy notice explains your rights as an individual and how we use and protect your information. We’ll be the ‘data controller’ of the information you provide to us.

This privacy notice applies to you if:

  • you visit and browse our website.
  • you contact us.
  • you sign up for newsletters or other updates about our organisation’s work.
  • you or the organisation you work for work with us.

Contact us

If you have any queries or requests concerning this privacy notice or how we handle your data more generally, please get in touch with us using the following details:

By contacting our office at info@penalreform.org

By contacting our Executive Director at headofsecretariat@penalreform.org

 

Information we collect from you and how we use it

Here we explain what personal information we collect about you, how we use it, and the relevant legal reason (called a ‘lawful basis‘) for each way that we use it.

If you’d like to learn more about the legal reasons we can use personal information, we explain these in the next section: What do each of these legal reasons mean?

If you visit our website:

We collect:

 We will automatically collect information from you each time you use our website, although this is usually kept to a minimum. This includes:

  • technical information
  • Site browsing information, and
  • (if you opt-in) location data

What does each of these include?

Technical information

Technical information may include: Internet Protocol (IP) address, social log-in ID/email address, time zone setting,

Website browsing information

Information about your Website visit may include the full Uniform Resource Locators (URL), clickstream to, through and from our Site (including date and time), pages and services you viewed or searched for, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), traceable campaign links (e.g. in emails, or via tracking URLs) or other information from analytics or search engine providers.

Location data

We only collect location data if you give us permission (via our website cookie banner). Location data includes country location (based on your full or partial IP address and/or Google Analytics information) so that we can understand where people are located who are accessing our website and resources.

Location data may be collected in combination with device ID, so we can recognise your mobile browser or device when you return to the website.

Delivery of location services will involve us checking any of the following:

  • your current country or region, by referencing your current IP address against public sources.

You can opt-in and out of location sharing by changing your cookie, browser, or device settings (as applicable).

 
We use this to:
  • Understand how individuals use our website, our resources and how we can improve.
  • Ensure content from our website is presented in the most effective manner for you and for your computer.
  • Provide you with the information and services that you request from us or we think you may be interested in.
Our legal reason
for this is:		 We do this in our legitimate interests (where we consider these are not overridden by your rights), or with your consent if required (e.g., to non-strictly necessary cookies).

 

If you contact or engage with us

We collect:

 If you contact or engage with us, we may collect your contact information, and the other communications information you provide.

Contact information includes basic contact information you choose to provide, for example: email address, first and last name, city and country you are located in.

Communications information includes your correspondence with us, for example if you get in touch with us to report a problem with our website or to ask for information about our work. This includes: emails, messages on social media platforms, or other digital messaging, calls, letters and print materials, notes of any in-person conversations you have with us.

We use this to:
  • Contact you if you have asked us to do so, including to respond to your queries;
  • provide you with information you might request about our work;
  • provide you with technical and other service updates

Our legal reason
for this is:

 We do this in our legitimate interests (where we consider these are not overridden by your rights).

We may also do this to take steps to enter into any contract with you or to fulfil our obligations under any contract with you.

Where required, we will contact you with your consent.

 

If you sign up for updates or other communications from PRI

We collect:

 We may collect contact information (as explained above), like your name and email address.

We may also collect your preferences for what information you would or would not like to receive from us, and if you have opted out of any specific communications (e.g. our monthly e-newsletter).

We use this to:
  • Send you our monthly e-newsletter, updates and other material related to PRI. We normally communicate by email.
  • Send you surveys or other occasional updates.
  • Ask you for feedback, including through surveys

Our legal reason
for this is:

 We do this with your consent, where required. In certain circumstances, we may do this in our legitimate interests (where we consider these are not overridden by your rights).

You can opt-out of any or further communication from PRI at any time by selecting the “unsubscribe” link at the end of all our email updates.

What do each of these legal reasons mean?

We must have a relevant legal reason (also called a ‘lawful basis‘) for each way in which we use your personal information.

Lawful bases include:

  • consent,
  • a contract with you (as a data subject),
  • specified legitimate interests and
  • compliance with our legal obligations.

Consent

We use your personal information to send you information about our work (newsletters or other) or ask for your support (‘direct marketing’) if you have consented (where required by law). We may also send direct marketing without consent, where permitted by law (see ‘legitimate interests’ below).

You can opt out of further communication or direct marketing from PRI at any time by selecting the “unsubscribe” link at the end of all our updates and marketing to you.  We also rely on consent for some of the cookies we use.

Contract

We use your personal information if necessary to perform a contract you have with us or if you have asked us to take specific steps before entering that contract. We may send you service updates based on your contract with us (for example, to let you know if we make any significant changes to this Notice).

Legitimate interests

We may use your personal information if it is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests.

Our legitimate interests include:

Administering, improving and expanding our Work

  • Getting your feedback and reviews.
  • Providing our website and ensuring technical bugs are identified and resolved.
  • Gathering information and developing insights about how you use PRI, including aggregating individuals’ data.
  • Developing and improving PRI.
  • Implementing and improving our security measures.
  • Growing our organisation and informing our promotional strategy.

Marketing & advertising

  • Marketing and promoting PRI to an organisation you work for or provide services to.
  • Measuring or understanding the effectiveness of marketing we serve to you and others and delivering relevant marketing to you.

Fulfilling agreements with other organisations

  • Complying with any agreement we may have with an organisation you work for or provide services to.
  • Enforcing or applying our terms or other agreements with you or an organisation you work for or provide services to.

In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests.

If you would like further information about how we assess our legitimate interests, please get in touch with us at info@penalreform.org

Legal obligation

We may need to process your personal information to comply with our legal obligations, including under applicable law, and/or any court orders. This may include compliance with know-your-client and anti-money laundering rules.

Who do we share your information with?

We may share your personal information with:

  • our service providers, our donors, organisations we have partnerships with who may process your personal information on our behalf, following our instructions and data protection law.
    • Service providers help us with things like website and data hosting, distributing communications, supporting or updating mailing lists, and IT support services.
    • These organisations (which may be third party suppliers, agents, sub-contractors and/or other companies) will only use your information to the extent necessary to perform their support functions.
  • we may provide aggregated and anonymised data to academic institutions, service delivery partners, or research bodies. If we wish to provide any personal information which is not anonymised, we will provide detailed privacy information at the time (including individual opt-ins where applicable). Personally identifiable user data will not be shared outside of PRI without explicit user permission.
  • if we run surveys, research initiatives or other occasional activities and you opt in with a partner (for example a criminal justice body or authority who we are working with). We will provide more detailed privacy information at the time.
  • our auditors, legal advisers and other professional advisers
  • potential donors of PRI.
  • any person to whom disclosure is necessary for us to protect our rights, property, or safety, our clients, or other third parties, and to enforce our rights under this Notice or under any agreement (for example, our terms) with you. This includes exchanging information with other companies and organisations for the purposes of detecting and preventing fraud and cyber-crime
  • if required to do so by court order or if we are under a duty to disclose your information in order to comply with (and/or where we believe we are under a duty to comply with) any legal obligation. This includes exchanging information with law enforcement agencies, regulators, or other similar government bodies.

Where do we store your information?

PRI operates from offices in the United Kingdom, the Netherlands, Georgia, Jordan, Kazakhstan and Uganda, and we work in other locations including Central African Republic and Yemen, for example. For an updated list of where PRI is operating, please see our website at:  www.penalreform.org/where-we-work/

We may transfer your personal information outside the UK or outside of the EEA:

  • to store it
  • to support the operation of our organisation, where this is in our legitimate interests (and we consider these are not overridden by your rights).
  • where we are legally required to do so.

We may transfer your personal information outside the UK / EEA, including to PRI’s regional offices and country programme offices listed above.  We will put legal protections in place (like the EU Standard Contractual Clauses (EU SCCs) and UK Addendum to the EU SCCs) to safeguard personal data transfers in compliance with data protection laws.

We have International Data Transfer Agreements (IDTAs) to regulate the transfer of personal data between our offices.

How do we protect your information?

All information you provide to us is stored on our servers. Our website uses secure end-to-end encryption to protect your information. All connections into our platform are secured using industry standard security and encryption.

All data we capture is stored in secured databases and data storage systems with strict access limitations. All data access requests are logged and monitored in accordance with any threat detection policies.

Unfortunately, the transmission of information via the internet is not completely secure. We do our best to protect your personal information, but we cannot guarantee the security of your data transmitted to us, any transmission is at your own risk. Once we have received your information, we use strict procedures and security features to try to prevent unauthorised access.

Other websites

We may sometimes link to other websites. The websites will have their own privacy information, which you should read before using or sharing personal information with the website.

We are not responsible or liable for these websites, any content on them, or their policies and notices. A link does not mean we endorse the views of the linked website. We have no control over the availability of any of these websites.

How long do we keep your information for?

We will usually keep personal information:

  • for as long as necessary for the original reasons we collected it, and
  • for up to six years after that to identify any issues and resolve any legal proceedings.

We may keep your personal information for a longer period:

  • in the event of a complaint,
  • if we reasonably believe there is a prospect of legal proceedings,
  • if we are aware of pending or ongoing legal proceedings, or
  • in some circumstances, if applicable law says we must.

If you opt into receiving “marketing” or other communications from us such as e-newsletters, we will keep your relevant personal information for as long as you are receiving these. If you have opted into receiving such communications from us, but later decide to opt out (or object to any other use of your personal information), we may keep a record of your opt-out or objection so we can respect your preferences (and demonstrate our compliance).

Anonymised data

We may anonymise your personal data to create anonymised data (like aggregated statistics). You cannot be identified from anonymised data and it cannot be reverse-engineered to re-identify individuals. This kind of data is no longer personal data.

We may keep and use this anonymised data to help us provide, develop and improve our Services, including to:

  • better understand how people use PRI’s website and our resources
  • develop useful insights and improvements to PRI and
  • to provide partners or academic organisations with insight into the use of our work and aggregated outcomes information.

What rights do you have over your personal information?

In certain circumstances, you have the following rights:

  • to be provided with a copy of your personal information,
  • to ask us to correct or delete your personal information,
  • to request us to restrict how we use your personal information (for example, while we investigate your concerns about the accuracy of data, or lawfulness of a certain use),
  • to object to the further use of your personal information, including the right to object to marketing from us,
  • to request that your provided personal data be moved to a third party, and
  • where you have consented, to withdraw consent.

If you would like to exercise any of these rights in relation to the personal information we hold about you, you can contact us at info@penalreform.org.

If you have any concerns, you have the right to lodge a complaint with a data protection supervisory authority. For example: The Information Commissioner’s Office (ICO) is the supervisory authority in the UK. You can visit their website here: www.ico.org.uk. If you are in the EU, you can find your local data protection authority here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Updating this Privacy Notice

This Notice was last updated in January 2024.

We may update this Notice from time to time and will post any changes on this page. If we make any substantial changes, we will notify you.