Data Privacy

This Privacy Policy was last updated on Nov 29, 2023.

Introduction 

This policy provides you with information about how and why Stichting Bellingcat (a foundation incorporated in the Netherlands) and Bellingcat Fund (a 501c3 charity incorporated in the United States), processes your personal data with regard to: 

  • our fundraising and communication, 
  • when you attend events, 
  • or when you apply to work for Bellingcat, 

and how we respect your privacy and protect your personal data.

Our privacy role 

Generally speaking, with regard to your personal data we are a controller within the meaning of the GDPR. This means we have certain statutory duties and responsibilities regarding our processing activities. This Privacy Policy serves to inform you on how we meet our duties and responsibilities. 

Does this Privacy Policy apply to you?

This Privacy Policy applies to collecting and processing of personal data provided by job applicants, funders, individual donors, volunteers, consultants, training participants, partner organisations and all other stakeholders in our regular course of business. 

What are Bellingcat’s interests and purposes in processing my personal data and what kinds of personal data are processed?

Bellingcat is funded and supported by voluntary contributions. To continue publishing groundbreaking stories that expose wrongdoing and counter disinformation it is vital that our relationships with our supporters and partners are strong and based on transparency and information. By supporting or donating to Bellingcat, you actively help us fulfill our mission. In the course of our relationship with you, we will be processing your personal data under certain circumstances, as explained below. If we did not process your personal data, we would not be able to provide the services you request or accept your donations.

Our website does not use tracking cookies. Instead, we employ a privacy-conscious analytics platform, namely Plausible, which refrains from tracking users or engaging in the processing of personal data.

We process your personal data only for the following purposes, to the extent that we have collected the personal data for that purpose.

Fundraising and communication

Keeping you up to date with our mission

We process your personal data in order to update you on the impact of our research and on how your contributions and financial support make a difference – with your prior permission. We’ll then use your personal data to send you electronic updates or information about upcoming events, projects and any opportunities we think will be of interest to you.

When donating to Bellingcat you are asked about your wish to receive updates about our organisation. If you do not opt in for receiving updates (by checking the respective box) you will not receive any communication from Bellingcat with the exception of a confirmation of the receipt of your donation.

When Bellingcat processes your personal data to keep in touch with you, for instance with updates about our organisation via the Bellingcat newsletter and the workshop mailing list, we also rely on your prior consent.  You can, however, opt out of our communications at any time. If you no longer wish to receive electronic communications from us, you can unsubscribe by clicking on the link at the bottom of our emails.

The personal data we process are your contact details, i.e. name, and email address. We do not under any circumstances share your personal data with third parties.

Processing and screening of donations

When you choose to contribute to Bellingcat financially, we process your personal data in order to administer your donation, together with our payment providers or banks. 

When we process your personal data in such a context, we do so only to administer your donation and fulfil our legal and ethical requirements with regards to fundraising.

When Bellingcat processes your personal data in relation to the examination of proposed gifts, it is always in accordance with the legitimate interests of Bellingcat, which require processing of such data.

The personal data we process is the information you provide alongside your donation, being your name and email address and/ or address. We don’t, under no circumstances, share your personal data with third parties.

Widening the network of our supporters

In order to widen our circle of supporters and partners, we reach out to individuals and potential partners that we think may be interested in our mission and want to help fund our work. To gain a full understanding of the individuals, companies or foundations that may want to support our research we draw on external publicly available sources, but only when we have compelling reason to believe that this adds valuable information to help us grow our circle of supporters and partners.

Major gifts and leaving a legacy to Bellingcat

If you choose to remember Bellingcat in your will, we process your personal data in order to administer your generous contribution. 

Additionally, in order to uphold and protect our principles and values, all charitable bequests to Bellingcat must comply with strict ethical principles – otherwise, they will be rejected. To know whether all criteria have been met, we need to make sure that eligible contributions above 5,000 EUR (cash, in-kind donations, estate, etc.) from potential private supporters and partners (individuals, companies, foundations, etc.) comply with our legal obligations and do not contradict our AML Policy and Privacy Policy. Wherever possible, we rely on internal resources to assess the risks associated with receiving support from potential supporters. Where necessary, we also consult reliable external open sources.

Whenever we process your personal data in relation to any gift or contribution, we do so only on the basis of our legitimate interest in strengthening our mission with the backing and generosity of our supporters and partners. Sometimes, however, we are obliged to process your data to comply with legal obligations (i.e. respect your legacy wishes).

The personal data we process are:

  • the information you provide before or at the time of your bequest, such as your title, first and last names, country of residence, postal address, phone number and email address
  • the information we receive from you or any third parties involved such as notaries or banks, in order to be able to accept your contribution.

Attending events hosted by Bellingcat

We collect personal data and background information you may want to share with us, e.g. contact details, professional experiences, general interests or food preferences, when you complete a registration form to attend or take part in a Bellingcat-hosted event or workshop. Such processing is necessary if you attend any of our events or interact with our representatives as either a guest, speaker or participant.

We collect and process your personal data solely to maintain your contact information for administering our events, providing you with information about upcoming events and keeping in touch with you.

Please note that during events, filming and/or photography may take place. We may use the photos/videos on our website or in social media posts. If you prefer not to be photographed, please let our photographers know during the event.

Whenever we process your personal data in relation to organizing an event, we do so only in accordance with our legitimate interests. If we process your personal data during events, we do so only for administrative purposes. With regard to any filming or photography that may take place during our events, we process personal data only with your consent.

Applying for a job or as a volunteer

The data and documents that are provided by the applicant when responding to a vacancy are processed to determine whether the applicant qualifies for a position within Bellingcat. For the purposes of selection, the recruitment process may include comparing the data of the applicant with the vacancy requirements and contacting them if necessary to request additional information. Where applicable, we may also contact the mentioned reference persons. 

Bellingcat processes personal data that may be relevant to the recruitment and selection procedure. In any event, this concerns the information provided by the applicant, including name and address details or other contact details provided. Other relevant data, such as education, courses followed, internships and employment history of the applicant will also be processed for the purposes of the selection procedure. 

If it is necessary for the position, applicants may be subjected to a (pre) screening and an assessment. In that case, the persons responsible for carrying the (pre) screening will be given access to the personal data necessary for that process. Whenever we process your personal data in relation to assess your suitability, to conduct background checks or to communicate with you, we do so on the basis of legitimate interest.

For volunteer applicants, we request names and emails and ask for the consent to keep that information for up to one year. When a volunteer off-boards from a project, we ask whether they would like to keep their email on our mailing list or be deleted from our system.

All new and existing employees are undergoing a standardised employee screening process. This comprehensive procedure involves an examination of the Curriculum Vitae submitted during your application, a thorough verification of your original training certificates, diplomas, and testimonials, as well as confirmation of your income tax payment (note that you only need to provide proof of payment, not a full tax income report). In certain cases, particularly for Dutch and EU residents, an application for a Certificate of Good Conduct may also be necessary.

What’s crucial in this process is that your privacy and consent are paramount. This process is administered by independent partners who are authorised by the Dutch government to conduct secure employee screening.

Who else do you share my personal data with?

We do not sell or trade your personal data with any other entity, nor send messages or mailings to our supporters and partners on behalf of other entities or organisations. Within Bellingcat your personal data is only shared with staff members who need access for the processing purposes regarding our work.

Access to your personal data will therefore be limited to those individuals who need the information for the purposes for which the personal data were collected. This also includes individuals, who are involved in the recruitment and selection process. Furthermore, the processing of your personal data takes place in among others ICT-systems or other related systems. In such cases, we may share some of your personal data with third parties.

We only provide your personal data to third parties if this is necessary for one or more of the purposes listed in section 4. Your personal data may be shared with the following third parties:

  • External advisors such as consultants and lawyers;
  • Referees named in the cover letter or resume to verify your competences; 
  • Enforcement- and governmental agencies that regulate Bellingcat; 
  • If you have given your consent or if this results from a legal provision: other third parties; and
  • Auditors: external auditors that control compliance with local regulations (including tax, payroll)
  • Processors: Bellingcat relies on various third-party service providers, which qualify as processors, including IT providers, email distribution services, and video conferencing platforms, to effectively manage and process personal data on behalf of Bellingcat.

Our foremost commitment is to safeguard the security of your personal data. We have implemented a comprehensive set of measures to ensure the protection of your information. These measures include robust data encryption during transmission and storage, which is designed to prevent any unauthorised access or disclosure. Furthermore, we are diligent in adhering to European data protection regulations (GDPR) by ensuring that all data is exclusively stored within the European Union. Additionally, In addition to entering into data processing agreements with processors, we require processors to enter into non-disclosure agreements to prevent any unlawful disclosure of personal data.

Where do we store and transfer your personal data?

When processing your personal data for the purposes specified above, we may in some cases disclose your personal data to an organisation located outside the European Economic Area. 

Transfers to third parties (outside the EEA) will be bound by a contract based on the standard contractual clauses for data transfers approved by the European Commission or other appropriate safeguards as provided in Article 46 of the GDPR. For further information on these safeguards, please contact contact@bellingcat.com

How long will you keep my personal data?

We will keep your personal data only for as long as necessary to fulfil the purposes we collected them for, including for the purposes of satisfying any legal, accounting, or archiving requirements. 

To determine the appropriate retention period, we take into account the nature and sensitivity of your personal data, potential risks of harm from unauthorised use or disclosure of your personal data and the purposes for which we process your personal data.

Specific retention periods for personal data are tailored to specific processing activities and the legal requirements of Bellingcat. 

To determine the appropriate retention period, we take into account the nature and sensitivity of your personal data, potential risks of harm from unauthorised use or disclosure of your personal data and the purposes for which we process your personal data.

Below is a listing of data categories and retention periods used by Bellingcat. Bellingcat may choose to amend those retention periods if a legitimate purpose arises and, or to comply with legal requirements:

CategoryRetention Period
User account informationFive (5) years after the termination of the user’s account or employment.
Financial transactionsTen (10) years to comply with accounting and financial regulations.
Marketing and communication preferencesUntil the user withdraws consent or requests removal from marketing lists
Website analytics dataAggregated and anonymized data retained for analytical purposes; No individual user data is collected
Various legal and compliance recordsAs required by applicable laws.

If you would like to receive more information about our retention period policy, please contact contact@bellingcat.com.

What are your rights regarding my personal data?

As a data subject, you have certain rights that you may exercise in the context of our processing of your personal data:

  • Right of Access: You have the right to request information about the personal data we hold concerning you. Furthermore, under certain circumstances you may verify your personal data and access them. To make such a request, you will be required to answer questions necessary for us to verify your identity.
  • Right to rectification: You are entitled to request the correction of any mistakes or inaccuracies in your personal data provided we are able to verify your identity. Please note that this does not apply in the event that your rectification request relates to an assessment carried out by our staff and you are unable to provide sufficient proof of the assessment’s inaccuracy, or respective data are contained in a record held by our archives. Please contact us to learn more about correction requests.
  • Right to erasure: You are entitled to request us to delete your personal data from our systems, for example, if the personal data is no longer necessary for the original purpose for which they were collected, if personal data has become obsolete or if you withdraw your consent to the grounds on which data is processed. However, this must be weighed against other factors. For example, we may not be able to fulfill your request due to certain legal or regulatory obligations. 
  • Right to restriction of processing: You can ask us to (temporarily) stop using your personal data, for example where you think that the personal data we hold about you may be inaccurate or where you think that we no longer need to use your personal data.
  • Right to data portability: You may have the right to request us to transfer personal data you have provided to us to a third party of your choice. This right can only be exercised when you have provided the personal data to us and when the processing is carried out by automated means, and based on your consent or to perform our obligations under a contract with you.
  • Right to object: You have the right to object at any time to the processing of your personal data which is based on our legitimate interests. Any objection of this kind will be accepted if your fundamental rights and freedoms in question outweigh our legitimate interest in processing your personal data.
  • Right to withdraw consent: You have the right to withdraw your consent at any time. We will stop the further processing of your personal data which is based on consent as soon as possible after the withdrawal. This does not affect the lawfulness of the processing before consent was withdrawn.

If you wish to exercise any of your rights, please contact us using the contact information below. Please take into account that we may not be obliged to comply with your request. If that is the case, we will make sure you will be informed of this. We will need to balance your rights and your request to exercise them with our rights and obligations to process your personal data and our obligation to protect the rights and freedoms of others. 

What if you have other questions or complaints? 

We aim always to meet the highest standards to safeguard your privacy. If you wish to learn more about how we protect your personal data or would like to exercise any of the rights set out above, or if you have any questions, concerns or complaints, please contact us.

Our contact details are:
Bellingcat
PO Box 15712
1001 NE Amsterdam
The Netherlands
contact@bellingcat.com

If you feel that your rights have been violated, you may also lodge a complaint with the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (www.autoriteitpersoonsgegevens.nl). 

Will there be any updates to this Privacy Policy?

We may update this Privacy Policy from time to time. If we make any changes to this Privacy Policy, we will publish the revised Privacy Policy on our website. In the event a change has significant privacy implications, we will endeavour to actively inform you about those changes. All changes will take effect as soon as the Privacy Policy has been posted on the website.