This privacy policy sets out how the “Global Illicit Flows Programme” uses and protects any information that you give to the “Global Illicit Flows Programme” when you use this website.

The “Global Illicit Flows Programme” is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

The “Global Illicit Flows Programme” may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 25/05/2018.

What personal data we collect and why we collect it

We will collect your basic personal data from the contact form in order to answer you properly as soon as possible. And we be keep them in order to contact you in the future. If you wish to remove your data from our register, please do contact us. No other interaction with the website will collect personal data.


Comments are forbidden in this website.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.


If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.


We use Google Analytics to trace number of visitors, and the origin from them, no any other personal data will be provided  and used by us.

Who we share your data with

We won’t share any personal data with anyone.

How long we retain your data

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.


We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Contact information

You can contact us about your privacy at: [email protected]

What data breach procedures we have in place

The policy is designed to aid compliance with the General Data Protection Regulation or GDPR, and takes account of the Article 29 Data Protection Working Party’s guidance on personal data breach notifications.

As the Working Party state in that guidance, “controllers and processors are … encouraged to plan in advance and put in place processes to be able to detect and properly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary”.

A formal personal data breach notification procedures is recommended by the Working Party: “To aid compliance with Articles 33 and 34, it would be advantageous to both controllers and processors to have a documented notification procedure in place, setting out the process to follow once a breach has been detected, including how to contain, manage and recover the incident, as well as assessing risk, and notifying the breach”.

“Personal data breach” under the GDPR covers more than just the unauthorised disclosure of personal information. The phrase is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company”.

The policy covers three different types of notification: (i) notifications by a data controller to a supervisory authority, such as the Information Commissioner’s Office in the EU; (ii) notifications by a data processor to the data controller whose data is the subject of the breach; and (iii) notifications by a data controller to data subjects, ie human beings. Three schedules to the policy contain notification forms, one for each type of notification.

Whilst the policy does cover incident detection and response in summary form, it is primarily concerned with notification, and larger organisations at least should combine this document with more detailed policies covering detection and response. Moreover, the policy focuses upon personal data breaches, not information security incidents generally.

The policy is not designed for use in relation to any non-GDPR data breach notification rules and – if any other such rules apply to the relevant business – the policy would need to be adapted accordingly before use.