1.1 Stichting Health Action International (“HAI”) is committed to complying with privacy and data protection laws, including:a) the General Data Protection Regulation (“the GDPR”) within the European Union (known as
the Algemene verordening gegevensbescherming in The Netherlands); and
b) all other applicable laws and regulations relating to the processing of Personal Data and Sensitive Personal Data and privacy, including statutory instruments and, where applicable, the guidance and codes of practice issued by the Dutch Data Protection Authority, known as the Autoriteit Persoonsgegevens, or any other supervisory authority.
(together “the Legislation”)
1.2 This Policy sets out what we do to protect individuals’ Personal Data (including Sensitive Personal Data).
1.3 Anyone who handles Personal Data in any way on behalf of HAI will be subject to this Policy. Section 3 of this Policy describes what comes within the definition of “Personal Data”.
1.4 This Policy may be amended from time to time to reflect any changes in the Legislation, or regulatory guidance.
2. ABOUT THIS POLICY
2.1 The types of Personal Data that we may handle include details of: Employees, employment candidates, contractors/suppliers (where they are individuals), members, supporters, donors, event attendees, and/or journalists.
3. DEFINITIONS OF DATA PROTECTION TERMS
3.1 The following terms will be used in this Policy and are defined below:
3.2 Data Subjects include all living individuals about whom we hold Personal Data (for instance, an employee or a HAI supporter). A Data Subject need not be a European national or resident. All Data Subjects have legal rights in relation to their Personal Data.
3.3 Personal Data means any information relating to a living person who can be identified directly or indirectly from that information (or from that information and other information in our possession). Personal Data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as a performance appraisal). It can also include an identifier, such as an identification number, location data, and/or an online identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
3.4 Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any Personal Data is processed. They have a responsibility to process Personal Data in compliance with the Legislation. HAI is the data controller of all Personal Data that we manage in connection with our work and activities.
3.5 Data Processors include any person who processes Personal Data on behalf of a Data Controller. Employees of Data Controllers are excluded from this definition, but could include other organisations, such as website hosts, fulfilment houses, or other service providers which handle Personal Data on our behalf.
3.6 European Economic Area (“EEA”) includes all countries in the European Union, as well as Norway, Iceland and Liechtenstein.
3.7 Processing is any activity that involves use of Personal Data, whether or not by automated means. It includes, but is not limited to:
f) adapting or altering;
h) disclosing by transmission;
i) disseminating or otherwise making available;
j) alignment or combination;
l) erasing; or
m) destruction of personal data.
3.8 Sensitive Personal Data (which is defined as “special categories of Personal Data” under the GDPR) includes information about a person’s:
a) racial or ethnic origin;
b) political opinions;
c) religious, philosophical or similar beliefs;
d) trade union membership;
e) physical or mental health or condition;
f) sexual life or orientation;
g) genetic data;
h) biometric data; and
i) such other categories of Personal Data as may be designated as “special categories of Personal Data” under the Legislation.
4. DATA PROTECTION PRINCIPLES
4.1 As a party that may or will control and process Personal Data, HAI must comply with the six data protection principles set out in the GDPR.
4.2 In relation to Personal Data, HAI will ensure it is:
a) processed fairly, lawfully and transparently;
b) collected for specified, explicit and legitimate purposes and not further processed in a way which is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary for the purpose for which it is held;
d) accurate and, where necessary, kept up to date;
e) not kept longer than necessary; and
f) processed in a manner that ensures appropriate security of the Personal Data.
5. PROCESSING DATA FAIRLY AND LAWFULLY
5.1 When receiving Personal Data about a person directly from that individual, HAI will provide that person, upon request, with “the fair processing information”:
a) the type of information we will be collecting (categories of Personal Data concerned);
b) who will be holding their information (i.e., HAI, including contact details, and the contact details of HAI’s Data Protection Officer);
c) why we are collecting their information and what we intend to do with it (for instance, to process donations or send them mailing updates about our activities);
d) the legal basis for collecting their information (for example, are we relying on their consent, or on our legitimate interests, or on another legal basis);
e) if we are relying on legitimate interests as a basis for processing what those legitimate interests are;
f) whether the provision of their Personal Data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data;
g) the period for which their Personal Data will be stored or, where that is not possible, the criteria that will be used to decide that period;
h) details of people or organisations with whom we will be sharing their Personal Data;
i) if relevant, the fact that we will be transferring their Personal Data outside the EEA and details of relevant safeguards; and
j) the existence of any automated decision-making, including profiling in relation to that Personal Data.
5.2 HAI will inform individuals of their rights outlined in Section 8, below, including the right to lodge a complaint with the Autoriteit Persoonsgegevens, and the right to withdraw consent to the processing of their Personal Data.
6. PROCESSING DATA FOR THE ORIGINAL PURPOSE
6.1 HAI will only process data for the specific, explicit and legitimate purposes that the individual was told about when HAI first obtained their information.
6.2 If it becomes necessary to process a person’s information for a new purpose, HAI will contact the affected person to obtain his/her consent.
7. NOT RETAINING DATA LONGER THAN NECESSARY
7.1 HAI will keep Personal Data for as long as it is required for the purposes for which it was initially collected. This may vary depending on the type of Personal Data collected and the purposes for which the data were collected.
8. RIGHTS OF INDIVIDUALS UNDER THE GDPR
8.1 You have the right to access your Personal Data, to correct your Personal Data if the information that HAI has is erroneous and, in some cases, to delete your Personal Data. You may obtain a copy or correct or request deletion of your Personal Data by contacting our Data Protection Officer, Tim Reed (Executive Director of HAI), at firstname.lastname@example.org or +31 (0) 20 412 4523, or by writing to us at Overtoom 60 (2), 1054 HK Amsterdam, The Netherlands.
8.2 HAI is permitted to keep certain portions of your Personal Data in order to meet our legal, financial, audit, and business needs, even if you request its deletion.
8.3 In addition to these access and deletion rights, you may have the right to object to specific data processing and request for restriction of the processing, as well as a right to data portability. You can also request to be told, where any information is not collected from you directly, of any available information as to the source of the information, or to be told of the existence of automated decision-making.
8.4 Under this Policy, you have the right to withdraw consent at any time, and the right to lodge a complaint with the Autoriteit Persoonsgegevens.
9. DATA SECURITY
9.1 HAI will have procedures in place to keep the Personal Data that it holds secure, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
10. TRANSFERRING DATA OUTSIDE THE EEA
10.1 The GDPR requires that when organisations transfer Personal Data outside the EEA, they take steps to ensure that the data is properly protected. HAI may transfer Personal Data outside the EEA in the following circumstances: Website hosting, bulk email distribution.
10.2 As such, Personal Data may be transferred to people or organisations in these countries without the need to take additional steps beyond those you would take when sharing Personal Data with any other organisation. In transferring Personal Data to other countries outside the EEA (which are not on this approved list), HAI will enter into a European Commission-approved agreement, seek the explicit consent of the individual, or rely on one of the other derogations under the GDPR that apply to the transfer of Personal Data outside the EEA.
11. PROCESSING SENSITIVE PERSONAL DATA
11.1 On some occasions, we may collect information about individuals that is defined by the GDPR as special categories of Personal Data, and special rules will apply to the processing of this data. In this Policy, we refer to “special categories of Personal Data” as “Sensitive Personal Data”.
11.2 Purely financial information is not technically defined as Sensitive Personal Data by the GDPR.
11.3 In order to process Sensitive Personal Data, HAI will obtain explicit consent from the individuals involved.
12. THIRD-PARTY SITES
12.1 HAI’s website may contain links to third-party sites. This Policy does not apply to third-party websites and you should review the privacy disclosures of those websites before using them.
13. MONITORING AND REVIEW OF THE POLICY
13.1 This Policy is reviewed annually by our Board to ensure that it is achieving its objectives.
13.2 HAI may change this Policy at any time without prior notice. All changes are effective immediately after they are published on our website.
Further details on how to control Cookies is available at www.aboutcookies.org.