Effective Date: 13/01/2019
Responsibility: CEO & Head of Finance and Operations
Review Period: Annually
Last Review: 25/09/2024
Relates to: CEO, executive staff, senior staff, staff, volunteers and all other associates
Goal
The data protection policy aims to set out the legal data protection requirements in one summarising document. It can also serve as the basis for statutory data protection inspections. Its purpose is not only to ensure compliance with the European General Data Protection Regulation (GDPR), but also to provide proof of that compliance.
Preamble
Irida’s Data Protection Policy refers to our commitment to treat the information of employees, beneficiaries, stakeholders, and other interested parties sharing information with us with the utmost care and confidentiality. With this policy, we ensure that we gather, store, and handle data fairly, transparently, and with respect to individual rights.
As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data, etc.
Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply:
Our data will be:
Moreover, when collecting personal data, we ensure that they are:
Our data will not be:
In addition to ways of handling the data, the company has direct obligations towards people to whom the data belongs. Specifically, we must always:
To exercise data protection, we’re committed to:
The organization takes data security seriously. The organization has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where the organization engages third parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organizational measures to ensure the security of data.
If the organization discovers a breach of data that poses a risk to the rights and freedoms of individuals, it will report the breach to the CEO and the Head of Finance and Operations within 48 hours of discovery. The organization will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we shall immediately inform the affected individuals that there has been a breach and provide them with information about all potential consequences and the mitigation measures we have taken.
A breach of data protection guidelines will invoke disciplinary and possibly legal actions.