Effective Date: 13/01/2019
Responsibility: CEO & Head of Finance and Operations
Review Period: Annually
Last Review: 25/09/2024
Relates to: CEO, executive staff, senior staff, staff, volunteers and all other associates
INTRODUCTION
Goal
The data protection policy aims to depict the legal data protection aspects in one summarising document. It can also be used as the basis for statutory data protection inspections. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR), but also to provide proof of compliance.
Preamble
Irida’s Data Protection Policy refers to our commitment to treat the information of employees, beneficiaries, stakeholders, and other interested parties sharing information with us with the utmost care and confidentiality. With this policy, we ensure that we gather, store, and handle data fairly, transparently, and with respect to individual rights.
PRINCIPLES
As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data, etc.
Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply:
Our data will be:
● Accurate and kept up-to-date.
● Collected fairly and for lawful purposes only.
● Processed by the company within its legal and moral boundaries
● Protected against any unauthorized or illegal access by internal or external parties.
Moreover, when collecting personal data, we ensure that they are:
● processed lawfully, fairly, and in a transparent manner in relation to individuals.
● collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be incompatible with the initial purposes.
● adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
● accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the
purposes for which they are processed, erased or rectified without delay.
● kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
● processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Our data will not be:
● Communicated informally.
● Stored for more than a specified amount of time.
● Transferred to organizations, states, or countries that do not have adequate data protection policies.
● Distributed to any party other than the ones agreed upon by the data's owner (exempting legitimate requests from law enforcement authorities).
In addition to ways of handling the data, the company has direct obligations towards people to whom the data belongs. Specifically, we must always:
● Let people know which of their data is collected.
● Inform people about how we will process their data.
● Inform people about who has access to their information.
● Have provisions in cases of lost, corrupted, or compromised data.
● Allow people to request that we modify, erase, reduce, or correct data contained in our databases
COMMITMENT
To exercise data protection, we're committed to:
● Restrict and monitor access to sensitive data.
● Develop transparent data collection procedures.
● Train employees in online privacy and security measures.
● Build secure networks to protect online data from cyberattacks.
● Establish clear procedures for reporting privacy breaches or data misuse.
● Include contract clauses or communicate statements on how we handle data.
● Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization, etc.).
DATA SECURITY
The organization takes data security seriously. The organization has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where the organization engages third parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organizational measures to ensure the security of data.
DATA BREACHES
Suppose the organization discovers that there has been a breach of data that poses a risk to the rights and freedoms of individuals. In that case, it will report to the CEO and the Head of Finance and Operations within 48 hours of discovery. The organization will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we shall immediately inform the specific individuals that there has been a breach and provide them with information about all potential consequences and the mitigation measures we
have taken.
A breach of data protection guidelines will invoke disciplinary and possibly legal actions.