Samvera Privacy Policy

Samvera Privacy Statement

This policy describes how the Samvera Community will process and manage your personal data.  It applies to the data collected through community activities such as online and face-to-face meetings. Samvera cares about protecting your privacy. Our primary objective in meeting the Eurpean Union’s General Data Protection Regulation (GDPR) and related privacy legal requirements is service to our community. 

In cases where general Personally Identifying Information (PII) is processed by Samvera, unambiguous consent will be requested. In cases where more sensitive PII is processed, explicit consent will be gained. Consent may be revoked by the data subject at any time. The data subject may also exercise their other rights at any time, and those acting as Data Controllers and Data Processors (see below) must have a means to address those requests.

Data Controllers and Data Processors have an obligation to ensure the proper storage and security of any processed PII, and must also notify affected Data Subjects within established timeframes (72 hours) if a breach has been identified.  You can request access to the information we process about you at any time. If at any point you believe that the information we process relating to you is incorrect, you can request to see this information and may in some instances request to have it restricted, corrected or erased. You may also have the right to object to the processing of data and the right to data portability.  If a Data Subject wishes to assert any of these Rights of the Individual please contact Samvera aims to respond within 72 hours of receiving an inquiry.

Samvera will not disclose information to third parties unless it is provided with explicit consent or it is required to do so to comply with a legally valid and binding order.  For further information on our approach or to discuss aspects of this policy, please contact:

What kind of personal data do we capture and why?


The systems behind Samvera’s web presence, e.g., the website, wiki, etc., will, during their normal operations, acquire personal data, the transmission of which is considered as implied in the use of Internet communication protocols. These data are not collected with a view to being associated with identified data subjects, but given their nature they may, through processing and association procedures, allow identification of the individuals who navigate through the Samvera web sites.

With respect to such data, no individually identifiable information will be processed.

Samvera Community activities and conference procedures

When you register for a Samvera event, participate in an event’s organisation, or get involved in one of Samvera’s Interest or Working Groups you will be required to provide personal information to record your involvement for ongoing communication.  This may include, but not be limited to, your name, e-mail address, institution and, when relevant, details related to the work you are involved in. Payment details will also be required if submitting payment for an event.

The host organisation for a Samvera Community activity/event may share your personal information (with the exception of payment details) with local organisers and volunteers to support the organisation and management of the conference. If the host institution elects to share your personal information with fellow event attendees (through participant lists), vendors, sponsors or third party contractors, we will ask you for permission to do this in the registration form.

Changes to this privacy policy

This privacy policy may be subject to changes and updates, in whole or in part, due to changes in applicable law, and if changes are made to the way in which your data is processed we will inform you of such changes. We invite you to consult the up-to-date privacy policy from time to time.

Key Terms

Consent: the agreement of a data subject to share personal data. Consent must be unambiguous (and in the case of sensitive personal data must be explicit, i.e. “opt-in”), and must be able to be withdrawn.

Data Controller: the entity that dictates the terms for processing data. With respect to Samvera the Data Controllers are identified as the members of the Samvera Board.

Data Processor: the entities that manage all processing of the data on behalf of the controller. With respect to Samvera the Data Processors are identified as:

Atlassian, EventBrite, Excel spreadsheets, Google documents, Google Forms, Google Sheets, LinkedIn, Samvera GitHub, Samvera IRC, Samvera mailing lists (Google Groups), Samvera Slack, Samvera website (Google Analytics cookies), Twitter, WordPress, YouTube, Zoom

As evident in this list, Samvera uses a range of external services to conduct its business, for example for its mailing lists, wiki, annual survey, and more. Personal data captured through these sites will be processed in accordance with the relevant privacy policy of the owning organization of the service, including:

Data Subject: a natural person whose PII may be tracked within a given system.

General Data Protection Regulation (GDPR): The EU’s new comprehensive set of regulations for the handling of personal data on the Internet by service providers. It went live on May 25 2018, and is pertinent to anyone who manages personally identifying information of EU citizens. The complete regulation is available here: The GDPR defines the responsibilities that Data Controllers and Data Processors must adhere to with respect to the collection, processing, storage and destruction of any PII that can identify a Data Subject.

Lawful Basis for Processing Personal Data: the basis by which a Data Controller must explain their ability to process data.

Personally Identifying Information (PII), or Personal Data: any information that can potentially be used to identify a person, such as: their name(s); email address; mailing address; phone number; social network posts; or an IP address.

Rights of the Individual (Data Subject): The GDPR mandates the following rights of the individual, which it refers to as the “data subject”:

  •         the right to be informed;
  •         the right of access;
  •         the right to rectification;
  •         the right to erasure;
  •         the right to restrict processing;
  •         the right to data portability;
  •         the right to object;
  •         the right not to be subject to automated decision-making including profiling.

In order to adhere to the GDPR, the people acting in the role of Data Controller, in conjunction with those serving as a Data Processor, will provide adequate means for individuals to assert these rights.


This privacy policy is inspired by Open Repositories privacy policy.