Introduction and contents
Our values guide everything that we do – including our editorial approach and how we use personal data. We are strongly committed to keeping your personal data safe. This commitment exists throughout the lifecycle of your personal data, from the design of any Guardian service which uses personal data to the deletion of that data.
To complement our global approach to privacy protection, this policy also incorporates specific information privacy rights granted to individuals under Californian and Australian privacy law.
We think carefully about our use of personal data, and below you can find the details of what we do to protect your privacy. This policy covers, among other topics:
-
Information about your rights, the choices available to you, and our obligations in the UK, European Union, in California, in Australia, and elsewhere.
-
Transparency about how we collect and use your personal data, including when and how it is shared.
-
Information on how we protect your personal data.
-
Information on how we will facilitate your rights and respond to your questions.
Find out more about how we manage your personal data below.
Contents
-
About this privacy policy
-
Who we are and how to contact us
-
The types of personal data we collect about you
-
How we collect personal data
-
How we use your personal data
-
Personal data that we receive about you from other organisations
-
Children’s personal data
-
Security of your personal data
-
When we share your personal data
-
International data transfers
-
How long we keep your personal data
-
How we may contact you
-
Your privacy and data protection rights
-
Your California privacy rights
-
Your rights under the Australian Privacy Act
-
Contacting us for information about your personal data
1. About this privacy policy
This privacy policy explains how we collect, use, share, and transfer your personal data when you engage with Guardian News & Media Ltd (“GNM”) as a i) provider of content in a freelance or other commercial capacity; and/or ii) third party licensee customer of our content products and services (“Engagements”). This privacy policy also explains your data privacy rights.
Personal data is any information about you by which you can be identified or be identifiable. This can include information such as your name, email address, postal address, phone number, mobile number or billing details.
When we refer to “personal data” in this policy, we are also referencing “personal information,” as it is defined under California law, and as it is defined under Australian law.
2. Who we are and how to contact us
Guardian News & Media Limited, Kings Place, 90 York Way, London N1 9GU is the data controller in respect of your personal data that you share with us. This means that we are responsible for deciding how and why we hold and use your personal data. If you want to contact us directly, you can find our contact details in the “Contact us for information about how we use your personal data” section below.
3. The types of personal data we collect about you
We collect your personal data when you enter into an Engagement with GNM. We will only collect your personal data in line with applicable laws. We collect your personal data in the following ways:
-
Directly from you, e.g. when you submit your personal data such as bank details and signed contracts to support Engagements.
-
Personal data we generate about you, e.g. personal data we use to authenticate you, or personal data in the form of your IP address or your preferences.
-
Personal data we collect from third parties, e.g. when you sign a contract using Adobe Sign.
More details about the types of personal data we collect are provided below.
The Types of Personal Data We Collect About You
At GNM, respecting your privacy and safeguarding your data is paramount to us. When you accept an Engagement with GNM, we may collect, store, and process various types of personal data. Here’s an overview of the types of data we may collect:
4. How we collect personal data
We collect personal data from you in a variety of ways, including, but not limited to:
-
When contributors are engaged
-
When you submit your personal data such as bank details and signed contracts to support Engagements
-
When you purchase any content-related products and services from GNM
5. How we use your personal data
We use personal data collected as above only when we have a valid reason and the legal grounds to do so. We determine the legal grounds based on the purposes for which we have collected your personal data.
Legal grounds for using your personal data
The legal ground may be one of the following:
-
Performance of a contract with you (or in order to take steps prior to entering into a contract with you): We will use your personal data if we need to in order to perform a contract with you.
-
Compliance with law: In some cases, we may have a legal obligation to use or keep your personal data.
-
Our legitimate interests: We may process your personal data where it is necessary for our legitimate interests in a way that might be expected as part of running GNM and in a way which does not materially impact your rights and freedoms. Please refer to the table below for examples of when we rely on our legitimate interests to use your personal data.
In addition to the above, we also rely on the legitimate interests below to use your personal data:
-
For internal administrative purposes related to our services - such as our accounting and records.
-
To inform you of any changes to our services, such as updates to our terms and conditions.
-
When we respond to your queries and to resolve complaints.
-
For security and fraud prevention, and to ensure that our sites and apps are safe and secure and used in line with our terms of use.
-
To contact you directly via email if you send us emails or contact us
6. Personal data that we receive about you from other organisations
Personal data shared by Adobe Sign
When you sign a contract in connection with activities, services, features or resources available on our Rights and Contribution System module.
7. Children’s personal data
We do not aim any of our products or services directly at children under the age of 13 and we do not knowingly collect personal data about children under 13 in providing our services.
We also note and comply with the California law which prohibits sale of personal data of consumers between 13-16 years of age unless their guardian has authorised the sale.
8. Security of your personal data
We have implemented appropriate technical and organisational controls to protect your personal data against unauthorised processing and against accidental loss, damage or destruction.
Sending any information, including personal data, via the internet is not completely secure. We cannot guarantee the security of any personal data sent to our site while still in transit and so you provide it at your own risk.
9. When we share your personal data
Within GNM group companies
Depending on where you live, we may share your personal data within GNM group companies in the UK, US, or Australia. We may share it in order to perform a contract with you, for administrative purposes, or when we have a legitimate interest in doing so.
With external organisations
We share your personal data with other organisations that are not directly linked to us under the following circumstances:
Service providers - We may share your data with other organisations that provide services on our behalf. We may do this to perform a contract we have entered into with you, where it is in our legitimate interests or with your consent. Examples of when we may share your data with service providers include sharing with:
-
E-signature service providers that allow us to send, sign, track, and manage signature processes online.
-
Online payments processors who process credit and debit card transactions on our behalf.
-
Fraud management providers that help us to identify and prevent online fraud.
-
Content delivery to customers.
Agencies and authorities if required by law - We may reveal your personal data to any law enforcement agency, court, regulator, government authority, or in connection with any legal action if we are required to do so to meet a legal or regulatory obligation, where the request is proportionate, or otherwise to protect our rights or the rights of anyone else (for example, in response to a valid and properly served legal process such as subpoena or warrant). If we have your contact details, we will take reasonable steps to attempt to notify you prior to disclosing your data unless (i) prohibited by applicable law from doing so, or (ii) there are clear indications of unlawful conduct in connection with your use of GNM services.
Organisation/s that buy any of GNM group companies - We may share your personal data to any other organisation that buys, or to which we transfer all, or substantially all, of our assets and business. If this sale or transfer takes place, we will use reasonable efforts to try to make sure that the organisation we transfer your personal data to uses it in line with our privacy policy.
When we share your personal data, as specified above, with any organisation which accesses your data in the course of providing services on our behalf, they will be governed by strict contractual restrictions to make sure that they protect your data and comply with applicable law. We may also independently audit these service providers to make sure that they meet our standards.
California resident - Do not sell
These transfers to third parties may constitute “sale” of your personal information under California law. A California resident can halt these sales at any time by pressing the “California resident - Do not sell” link that is located in the footer of every page on our site. Third-parties do not sell personal information that has been sold to them by GNM unless you have first received explicit notice and are provided an opportunity to exercise the right to opt out.
10. International data transfers
Data we collect may be transferred to, stored and processed in any country or territory where one or more of our GNM group companies or service providers are based or have facilities. While other countries or territories may not have the same standards of data protection as those in your home country, we will continue to protect personal data that we transfer in line with this privacy policy.
Whenever we transfer your personal data out of the UK or the European Economic Area (EEA), we ensure similar protection and put in place at least one of these safeguards:
-
We will only transfer your personal data to countries that have been found to provide an adequate level of protection for personal data.
-
We may also use specific approved contracts that use Standard Contractual Clauses for the protection of personal data where appropriate, with our service providers that are based in countries outside the UK or the EEA, including those based in the US and Australia. These contracts give your personal data the same protection it has in the UK or the EEA.
If you are located in the UK or the EEA, you may contact us for a copy of the safeguards which we have put in place for the transfer of your personal data outside the UK or the EEA.
11. How long we keep your personal data
We keep your personal data for only as long as we need to. The Engagements described in this policy relate to the acquisition and sale of intellectual property and therefore the processing duration needs to match the period for which copyright protection subsists. In most jurisdictions this period extends through the lifetime of the author plus an additional 70 years.
If we no longer need your data, we will delete it or make it anonymous by removing all details that identify you. If we have asked for your permission to process your personal data and we have no other lawful grounds to continue with that processing, and you withdraw your permission, we will delete your personal data.
12. How we may contact you
Service communications
From time to time we may send you service emails or SMS, for example, telling you your subscription is coming to an end or thanking you when you contribute or place an order with us.
Responding to your queries or complaints
If you have raised a query or a complaint with us, we may contact you to answer your query or to resolve your complaint.
Special Note to California Users
If you elect to use the “California resident - Do not sell” button, we will not recontact you about that choice for at least 12 months.
13. Your privacy and data protection rights
You have a number of rights with regard to the personal data that we hold about you and you can contact us with regard to the following rights in relation to your personal data:
-
You have the right to receive a copy of the personal data we hold about you.
-
You have the right to correct the personal data we hold about you.
-
Where applicable, you may also have a right to receive a machine-readable copy of your personal data.
-
You also have the right to ask us to delete your personal data or restrict how it is used. There may be exceptions to the right to erasure for specific legal reasons which, if applicable, we will set out for you in response to your request.
-
Where applicable, you have the right to object to processing of your personal data for certain purposes.
-
Where you have provided us with consent to use your personal data, you can withdraw this at any time.
If you would like to exercise any of your rights specified above, please email dataprotection@theguardian.com or write to the Data Protection Officer at Guardian News & Media Limited, Kings Place, 90 York Way, London N1 9GU. We will respond to all standard legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a large number of requests. In this case, we will notify you and keep you updated. .
We may need verification of your identity to proceed with a request. If you provide us with proof of identity containing information that does not match our records, we may request further proof of identity from you. This is a security measure to ensure that your personal data is not disclosed to any person who has no right to receive it.
You will not have to pay a fee to obtain a copy of your personal data (or to exercise any of the other rights). However, for any further copies requested by you, we may charge a reasonable fee based on administrative costs.
14. Your California privacy rights
The California Consumer Privacy Act 2018 (“CCPA”) and California Privacy Rights Act 2020 (“CPRA”) provide certain rights to residents of California. The CCPA and CPRA are collectively referred to as “CCPA” below.
If you are a resident of California you may contact us with regard to the following rights in relation to your personal data:
-
Right to Know: At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal data and sensitive personal data to be collected, the purposes for which it is collected and used, whether such personal data is “sold or shared” and for how long personal data is retained. These details are set out in this Privacy Policy.
-
Right to Access: You have the right to request access to the personal data we may hold on you for the past twelve (12) months. You may submit up to two (2) requests per year of access to your personal data.
-
Right to Correct: You have the right to correct inaccurate personal data we hold about you.
-
Right to Opt-Out of Sale of Personal Data: For individuals sixteen (16) years or older, you have the right to opt-out of sale of personal data we may hold on you. You can exercise this right at any time by pressing the “California resident - Do not sell” link in the footer of every page on our site. For individuals between thirteen (13) to sixteen (16) years old, you have the right to opt-in to the sale of personal data we may hold on you.
-
Right to Deletion: You also have the right to ask us to delete personal data we may hold on you or restrict how it is used. There may be exceptions to the right to deletion which, if applicable, we will set out for you in response to your request.
-
Right to Limit Use and Disclosure of Sensitive Personal Data: Where applicable, you have the right to limit our use of sensitive personal data for any purposes other than to provide the services you request or as otherwise permitted by law.
-
Right to Non-Discrimination: We will not discriminate against you for exercising any of your California Consumer Privacy Act rights.
If you want to make any of these requests, please contact dataprotection@theguardian.com. We will deal with requests for access to your personal data within forty-five (45) days for California-specific requests.
To help us respond as you expect, please specify that you are making a request under the CCPA. We may need to request specific information from you to help us confirm your identity. For example, we will verify your identity before complying. If you provide us with proof of identity containing information that does not match our records, we may request further proof of identity from you.
You can designate an “authorized agent” to make requests to exercise your rights on your behalf under the CCPA. We will clarify that any “authorized agent” has your written permission in making that request. We may also contact you directly to verify your identity.
Record of Requests
We keep a record of requests that we received from users exercising their CCPA rights. If the user does not verify their identity, their request will be denied.
California “Shine the Light” Privacy Rights
Residents of California can ask us to provide a list of the types of personal data we have disclosed to third parties for direct marketing purposes and the identity of those third parties. We do not generally disclose personal data as defined under the California “Shine the Light” law. To the extent that we share email addresses with third parties in connection with online marketing that could be covered, you may opt-out through your “Manage My Account” choices.
To make a “Shine the Light” request, please email dataprotection@theguardian.com with “Shine the Light” in the subject line.
15. Your rights under the Australian Privacy Act
The Australian privacy Act has rules around how we handle your personal information that may be different to rules in other regions. These rules are set out in the Australian Privacy Principles in force under the Privacy Act 1988 (Cth) (the Australian Privacy Act). We are required to treat your personal information in line with those principles, including to disclose to you what personal information we collect and how we use it, to store your information securely and to support you in exercising your rights.
Personal information we collect and use
When we refer to “personal data” throughout this policy, we are also referencing “personal information,” as it is defined under Australian law, which you can read about here.
Details about the personal information that we collect, use and disclose is set out throughout this privacy policy. You can navigate these relevant sections by going to the contents section at the top of the page.
Your rights
Your rights to privacy are also protected by the Australian Privacy Act, including your:
-
Right of access to the personal information held about you; and
-
Right of correction to correct your information when it is incorrect.
These principles and rights are reflected throughout this privacy policy.
If you have contacted us at dataprotection@theguardian.com with a privacy related complaint and you are not satisfied with our handling of that complaint, you may refer that complaint to the Office of the Australian Information Commissioner:
GPO BOX 5218, Sydney NSW 2001
T 1300 363 992
16. Contacting us for information about your personal data
If you have any questions about how we use your personal data or if you have a concern about how your personal data is used, please contact the Data Protection Officer at Guardian News & Media Limited, Kings Place, 90 York Way, London N1 9GU. Or, email dataprotection@theguardian.com.
Complaints will be dealt with by the Data Protection Team, and will be responded to within 30 days.
If you are not satisfied with the way your concern has been handled, you can refer your complaint to the Information Commissioner’s Office.
If you have a question about anything else, please see our Contact us page here.
For individuals based in the European Union:
Since we do not have an establishment in the European Union, we have appointed an EU based representative to serve as a direct contact for data protection authorities and individuals on our behalf, who can be contacted at theguardian@mcf.ie or MCF Legal Technology Solutions Limited, Riverside One, Sir John Rogerson’s Quay, Dublin 2, Ireland.
Changes to this privacy policy
If we decide to change our privacy policy, the updated privacy policy will be posted on this page. If the changes are significant, we may also choose to email all our registered users with the new details. If required by law, we will get your permission or give you the opportunity to opt out of any new uses of your data.
Changes to this privacy policy to date
The most recent changes to this privacy policy were made in:
-
November 2024
A list of all previous changes are available upon request.
