Your Privacy is important to us.

ROTARY'S PRIVACY POLICY

https://my.rotary.org/en/privacy-policy

If you are a resident of the European Union (EU) or European Economic Area (EEA) whose personal data we collect, the following additional information applies.

Introduction

If you are an EU or EEA resident and Rotary knowingly collects your personal data, we will do so in accordance with applicable laws that regulate data protection and privacy. This includes, without limitation, the EU General Data Protection Regulation (2016/679) ("GDPR") and EU member state national laws that implement or regulate the collection, processing and privacy of your personal data (together, "EU Data Protection Law").

This EU privacy notice ("EU Privacy Notice"), which should be read in conjunction Rotary's Privacy Policy, provides additional information as required under EU Data Protection Law on how we handle or process the personal data we collect and who we may share it with.

This Privacy Notice also provides information on your legal rights under EU Data Protection Law and how you can exercise them.

How Personal Data is Collected

Because of the global nature of Rotary and our clubs, Rotary may hold and process personal data that is collected from clubs, districts, and partner organizations around the world, including within the EU/EEA.

This also means that if you contact the Rotary network and are a resident in the EU/EEA, your personal data may be transferred from the EU/EEA to Rotary headquarters in the United States, and may also be accessed and processed from Rotary's international offices in Australia, Brazil, India, Japan, South Korea, and Switzerland.

U.S. data privacy laws are currently not considered to meet the same legal standards of protection for personal data as those set out under EU Data Protection Law. However, to safeguard personal data received from the EU/EEA, we transfer personal data to the U.S. or other third countries only under an approved contract or another appropriate mechanism that is legally authorized under EU Data Protection Law. If you use the RI Reporting Portal to report a Severe Incident (as defined below), the transfer will be based on your consent and you will be informed accordingly prior to submitting the personal data.

This is to make sure that the personal data that Rotary receives and processes (as it relates to residents of the EU/EEA) is properly safeguarded in accordance with similar legal standards of privacy provided by EU Data Protection Law.

Direct Marketing

If Rotary provides direct marketing communications to individuals in the EU/EEA regarding services and/or events that may be of interest, this will be done in accordance with EU Data Protection Law. Where we contact individuals for direct marketing purposes by SMS, email, social media, and/or any other electronic communication channels, this will only be with the individual's consent or in relation to similar services to services that the individual has purchased (or made direct inquiries about purchasing) from Rotary before.

Individuals may also object or withdraw consent to receive direct marketing from us at any time, by contacting us at privacy@rotary.org.

Reporting Portal for Severe Incidents

As part of the Rotary’s youth protection policies, any individual is asked to notify us of allegations or incidents of abuse or harassment of youth (with or without a sexual reference) or targeted contact with youth with intent to abuse (known as grooming) (collectively, we refer to this as a “Severe Incident”). The notification shall be made via the RI Reporting Portal. The form includes information about the incident itself (location, relationship to a Rotary program, description, actions taken (including notification of law enforcement and parent/guardian), the clubs and districts involved, and whether professional assistance was provided. Finally, the subject of the reporting is the first name, surname, and Rotary affiliation of an alleged/confirmed offender.

Please do not submit other data than those requested in the form. Especially, please refrain from mentioning persons other than the alleged/confirmed offender by name in the “description” field.

We use the abovementioned data to contact the district to determine what specific actions the district has taken. If we determine that the actions taken are not sufficient and the district is unwilling to follow instructions, we may take action at our discretion to protect the participant. The data may be also used to determine that the district is in violation of the Rotary Youth Protection Policies. Once it is confirmed that there is a founded suspicion against an individual to have been involved in the Severe Incident, this data will be entered into our database. The data of youth volunteer applicants within the district will be compared with the database in order to effectively exclude the participation of individuals who have an entry in the database. The data of individuals that have been expelled from Rotary membership is compared against the data of applicants for membership to prevent re-entry into a Rotary or Rotaract club globally. Only our staff with special designation to receive youth protection reports will have access to the information provided.

The collection of data when there is a Severe Incident is first and foremost for the purpose of youth protection, i.e. to prevent persons who are under a founded suspicion to have caused a Severe Incident from continuing to participate in Rotary youth programs in the future, either as hosts or as voluntary supporters in the context of the youth program. The aim is also to prevent such persons that have been expelled from Rotary membership from being readmitted by other clubs or from participating in an in-person Rotary event, such as the International Convention. Finally, the purpose of reporting a Severe Incident is to maintain and enforce a uniform minimum standard of youth protection in all Rotary districts worldwide, regardless of the existence or quality of locally applicable rules. Individuals that have been found to have been involved in a Severe Incident cannot be a Rotary or Rotaract club member or attend in-person Rotary events. The reporting of a Severe Incident is in line with Rotary reporting obligations and thus serves to support clubs in complying with Rotary’s youth protection policies and to enable the exercise of supervisory powers over local clubs and districts, as they may lose their eligibility to participate in youth programs.

The legitimate interest here lies in the desire to ensure the protection of minors, the prevention of further Severe Incidents, the desire to exclude members who have violated Rotary’s youth protection policies, and to ensure uniform standards in all clubs and districts worldwide.

Lawful Grounds on Which We Collect and Process Personal Data

We process your personal data, relying on one or more of the following lawful grounds under EU Data Protection Law:

• When you have freely provided your specific, informed, and unambiguous consent for Rotary to process your personal data for particular purposes
• Where we agree to provide services to you to set up and perform our contractual obligations to you and/or enforce our rights
• Where we need to process and use your personal data in connection with our legitimate interests and need to effectively manage and operate our global organization consistently across all territories. We will always seek to pursue these legitimate interests in a way that does not unduly infringe on your legal rights and freedoms and, in particular, your right to privacy; and/or
• Where we need to comply with a legal obligation or to establish, exercise, or defend legal claims

Please also note that some of the personal data we receive and that we process may include what is known as "sensitive" or "special category" personal data about you, for example, personal data regarding your ethnic origin or political, philosophical, and religious beliefs. This is not the type of data that Rotary or its clubs routinely collect, but if we process this sensitive or special category data, we will do it only in situations where:

• You have provided us with your explicit consent to use it
• We have a legal obligation to process this data in accordance with EU Data Protection Law
• It is needed to protect your vital interests (or those of someone else), such as in a medical emergency
• You have clearly chosen to publicize this information; or
• It is needed in connection with a legal claim that we have or may be subject to

Disclosing Your Personal Data to Third Parties

We may disclose your personal data to certain third-party organizations that are processing data solely in accordance with our instructions ("Data Processors"), such as companies and/or organizations that support our business and operations (for example, providers of web or database hosting, IT support, payment providers, event organizers, agencies we use to conduct fraud checks, or mail management service providers), as well as professionals we use such as lawyers, insurers, auditors, or accountants. We use only those Data Processors that can guarantee to us that they have put adequate safeguards in place to protect the personal data they process on our behalf; these guarantees are established by entering data processing agreements that contain appropriate data transfer mechanisms (such as the inclusion of "Standard Contractual Clauses") or provisions where the Data Processors state they are certified under the EU-US Data Privacy Framework).

In certain circumstances, for example, if you travel on Rotary business, we may also disclose your personal data to third parties called "Data Controllers." These third parties may include travel agencies, airlines, car rental agencies, and hotels. Because of the nature of the business of the Data Controllers, they will make their own determinations as to how they process your personal data. As Data Controllers, they are required to follow the EU Data Protection Law and are required to protect personal data with adequate safeguards and provide you with notice if their processing goes beyond the instructions Rotary provided. The types of external third-party Data Controllers listed above may handle your personal data in accordance with their own procedures, and you should check the relevant privacy policies of these companies or organizations to understand how they may use your personal data.

Data collected via the RI Reporting Portal will not be shared with other Data Controllers; they will be processed, however, by our Data Processor Customer Expressions Corp., 300 March Road, Suite 501, Ottawa, ON, Canada K2K 2E2.

Other than as described above, we will treat your personal data as private and will not routinely disclose it to third parties without your knowing about it. The exceptions are in relation to legal proceedings or where we are legally required to do so and cannot tell you (such as a criminal investigation). We always aim to ensure that your personal data is used only by third parties we deal with for lawful purposes and who observe the principles of EU Data Protection Law.

How Long We Retain Your Personal Data

Rotary retains your personal data for as long as necessary in the circumstances — for instance:

• As long you are a member of a club or have a relationship with our network
• For a reasonable period to send you donation information, program information, and marketing materials where we have regular contact with you, or
• As may be needed to enforce or defend contract claims or as is required by applicable law.

Rotary has adopted a Records Management Policy (which we may make available on request). The criteria we use for determining the relevant retention and disposal periods we adopt are based on the purpose for which we hold data and the reasonable expectations of those whose personal data we collect in these circumstances, taking into account various legislative requirements and guidance issued by relevant EU regulatory authorities. For example, we retain the names of alleged/confirmed offenders reported via the RI Reporting Portal for 10 years from the date of entry in the database.

In accordance with the above retention policy, the personal data that we no longer need will be disposed of and/or anonymized so you can no longer be identified from it.

History and archives
To preserve Rotary's history and legacy, Rotary retains historical and archival information about its clubs, which may also include limited personal data of its members.

Your Personal Data Rights

In accordance with your legal rights under EU Data Protection Law, you have a "subject access request" right, under which you can request information about the personal data that we hold about you, what we use that personal data for and who it may be disclosed to, as well as certain other information.

Usually we will have one month to respond to a subject access request. However, we reserve the right to verify your identity, and we may, in case of complex requests, require an additional two months to respond. We may also charge for administrative time in dealing with any manifestly unreasonable or excessive requests. We may also require additional information to locate the specific data you seek, and certain legal exemptions under EU Data Protection Law may apply when we respond to your subject access request.

Under EU Data Protection Law, EU/EEA residents also have the following rights, which you may exercise by making a request to us in writing:

• That we correct your personal data if it is inaccurate or incomplete
• That we erase your personal data without undue delay if we no longer need to hold or process it
• To object to any automated processing (if applicable) that we carry out in relation to your personal data
• To object to our use of your personal data for direct marketing
• To object to and/or to restrict the use of your personal data for a purpose other than those set out above unless we have a compelling legitimate reason; or
• That we transfer personal data to another party where the personal data has been collected with your consent or is being used to perform services under a contract with you and is being processed by automated means

So we can fully comply, please note that these requests may also be forwarded to third-party data processors that are involved in the processing of your personal data on our behalf.

If you make a request and are not satisfied with our response, or you believe that we are illegally processing your personal data, you have the right to complain to the Office of the Information Commissioner in the United Kingdom.

Controller

The controller for the processing of your personal data is Rotary International, One Rotary Center, 1560 Sherman Avenue, Evanston, IL 60201-3698, USA. If you would like to exercise any of the rights set out above, please contact us at privacy@rotary.org.

Last modified: 22 July 2024