Collection of Information
The IIS may collect and process your personal information to meet our obligations and to provide you with our products and services. The IIS will not collect any unnecessary personal data from you.
The data that we collect from you includes:
Information that you provide to us
When using our website, you will be asked to provide us with your information when you:
- fill in forms on our website, or correspond with us by phone, email or otherwise;
- register to use our services or at any subsequent point using our services;
- report a problem with our website; or
- complete any surveys we ask you to fill in that we use for research purposes (although you do not have to respond to these if you do not want to).
- Depending on the information and/or services you request, you may be asked to provide your name, email address, postal address, phone number, and similar information.
Information we collect about you
With regard to each of your visits to our website, we may automatically collect the following information:
- device-specific information, such as your hardware model, operating system version, unique device identifiers, and mobile network information;
- technical information about your computer, including where available, your IP address, operating system and browser type, for system administration and analytical purposes; and
- details of your visits to our website, including the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time), length of visits to certain pages, and page interaction information (such as scrolling, clicks, and mouse-overs).
We do not, however, seek to link this information to your name and other identifying details if you provide them.
Information we receive from other sources
When using our services, we may be in contact with third parties who may provide us with certain information about you in order to enable your use of the services.
How IIS uses your information and justification of use
Use of personal information under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the ground in respect of each use in this policy. These are the principal grounds that justify our use of your information:
- Consent: where you have consented to our use of your information (you are providing explicit, informed, freely given consent, in relation to any such use and may withdraw your consent in the circumstance detailed below by notifying us);
- Contract performance: where your information is necessary to enter into or perform our contract with you;
- Legal obligation: where we need to use your information to comply with our legal obligations;
- Vital interests: where we need to use your information to protect your vital interests;
- Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights; and
- Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you or a third party.
You have consented for us to use and hold your personal data and we do so in the following ways:
- to provide you with access to our website and any other information which you request from us (consent)
- to ensure you receive information relevant to you (consent)
- for marketing, provided always that we: (i) only use aggregated and anonymised data; or (ii) only engage in direct marketing relating to the Services and/or events and initiatives organised by the IIS and (the agencies of the Aga Khan Development Network AKDN) that we believe will be of interest to you and only where you have explicitly consented to this (consent)
- to ensure the content on our Website is presented in the most effective manner for you and your computer or mobile device (legitimate interests)
- to administer our Website and for internal operations, including research, data analysis and data statistics (legitimate interest)
- to notify you about changes to our services (legitimate interest)
- We do not sell your personal data (or any other data you provide us with) to third-parties. We will not disclose or share your personal data without your consent.
We may use your information to promote our own services/events and those of our AKDN partners to you such as by regularly sending you newsletters by email and, where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of promotions. If you no longer wish to receive such information you can withdraw your consent at any time.
We store any data associated with your email address with our email service provider Mail Chimp. You can see how they are updating their services to comply with the new regulations here.
We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us.
Disclosure of your information
We may disclose your personal information to organisations who work with us in providing the Website and the associated services (such as analytics providers and website developers).
We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of the IIS, our users, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection
We may disclose your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime (use justification: legal obligation, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities).
Where we store your personal information
Personal information provided through the Website is stored in a cloud-based database. Access to the database is limited to designated IIS staff, and our contracted third party website development company. The data can only be accessed through a secure firewall by designated individuals with a username and password, and who have been given access to the database.
Subscribers to the website: we store any data associated with your email address with our email service provider, Mail Chimp. You can see how they are updating their services to comply with the new regulations here.
No data transmission over the internet or website can be guaranteed to be secure from intrusion. However, we maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislative requirements.
How long we retain your personal data
We will hold the above information for as long as is necessary in order to provide you with the Services, deal with any specific issues that may raise, or otherwise as is required by law or any relevant regulatory body.
Some personal data may need to be retained for longer than this to ensure that the IIS can comply with applicable laws and internal compliance procedures, including retaining your email address for marketing communication suppression if you have opted not to receive any further marketing.
If information is used for two purposes, we will retain it until the purpose with the latest period expires but we will stop using it for the purpose with a shorter period when that period expires.
We restrict access to your personal information to those persons who need to use it for the relevant purpose(s). Our retention periods are based on business needs and your information that is no longer needed is either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed.
Under the General Data Protection Regulation (EU) 2017/676, you have various rights in relation to your personal data. All of these rights can be exercised by contacting us at firstname.lastname@example.org.
You have the following rights in relation to your personal data:
- We will use reasonable endeavours to ensure that your personal information is accurate. In order to assist us with this, you should notify us of any changes to the personal information that you have provided to us by sending us a request to rectify your personal data where you believe the personal data we have is inaccurate or incomplete;
- To ask us to delete all of your personal data. Doing so will result in the IIS deleting your personal data without undue delay (unless there is a legitimate and legal reason why the IIS is unable to delete certain of your personal data, in which case we will inform you of this in writing);
- To ask us to stop processing your personal data at any time;
- To request that the IIS provides you with a copy of all of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so; and
- To lodge a complaint to a supervisory authority such as the Information Commissioner’s Office in the UK (see www.ico.org.uk), although we encourage you to engage with us in the event you have any concerns or complaints.
The IIS will not ordinarily charge you in respect of any requests we receive to exercise any of your rights detailed above; however, if you make excessive, repetitive or manifestly unfounded requests, we may charge you an administration fee in order to process such requests or refuse to act on such requests. Where we are required to provide a copy of the personal data undergoing processing this will be free of charge; however, any further copies requested may be subject to reasonable fees based on administrative costs.
Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use our services, or at least those aspects of the services which require the processing of the types of personal data you have asked us to delete.
Where you request the IIS to rectify or erase your personal data or restrict any processing of such personal data, the IIS may notify third parties to whom such personal data has been disclosed of such request. However, such third parties may have the right to retain and continue to process such personal data in its own right or on other lawful grounds without your consent.
Changes to this policy
The Institute of Ismaili Studies
The Aga Khan Centre
10 Handyside Street
London N1C 4DN
For the purpose of the relevant data protection legislation, the data controller is The Institute of Ismaili Studies (registration number01324858), with its address at 210 Euston Road, London, NW1 2DA. (From July 18th 2018 our new address will be The Aga Khan Centre, 10 Handyside Street, King’s Cross London, N1C 4DN.)