Students
Organisations
Contact

Find Opportunities

Students
Organisations
Contact

Find Opportunities

Contact Us

Connect with us through any of our 30 offices around India.

Get in touch

Contact your nearest local office

City

AIESEC India

About
Blog
Organisations
Global Homes
Contact us

Students

Global Volunteer
Global Entrepreneur
Global Talent

AIESEC is a non-governmental not-for-profit organisation in consultative status with the United Nations Economic and Social Council (ECOSOC), affiliated with the UN DPI, member of ICMYO, and is recognized by UNESCO. AIESEC International Inc. is registered as a Not-for-profit Organisation under the Canadian Not-for-profit Corporations Act - 2018-02-08, Corporation Number: 1055154-6 and Quebec Business Number (NEQ) 1173457178 in Montreal, Quebec, Canada.

Please review our privacy policy as your continue to browse our website Privacy policy I Agree

General Policy
Retention Policy
Data Breach Management Procedure
Customer Policy
Events Policy
Members Policy

Privacy Notice - GENERAL DATA PROTECTION POLICY

AIESEC in India

Data Protection Policy

Last Updated: 5th May 2019

1. Introduction

1.1. General Statement

We are required to process relevant personal data regarding members/employees, volunteers, applicants, alumni and customers as part of our operations: thus, we shall take all reasonable steps to do so in accordance with this policy. It is important that personal data is processed lawfully and appropriately, in accordance with the requirements of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and abiding by the appropriate local/national laws regarding privacy.Personal data is any information relating to an identified or identifiable individual, such as members/employees, volunteers, applicants, alumni, customers and anyone else with whom we do business. Personal data is an important and valuable asset, and the way we handle this data should demonstrate respect, promote trust and avoid security incidents. In many cases, there are laws that govern how we collect, use and dispose of personal data: for these reasons, we must follow the law and the internal policies/guidelines for handling personal data.We respect the confidentiality of personal data, in both paper and electronic form: information shall not be used/disclosed improperly and/or used by someone who is not authorised to do so. Furthermore, we are committed to protecting and respecting the privacy of our stakeholders, because we respect the trust that is being placed in us to use personal information appropriately and responsibly: therefore, we have to take our data protection duties seriously.

1.2. About this Policy

This policy and any other documents referred to in it clarify the basis on which we will deal with any personal data we collect and/or process: thus, this policy is applicable to every data processing activity carried out by us. Please note that this policy is not part of the agreement/contract signed by our members/employees, so it can be amended at any time and its provisions shall be respected by all those who participate in our processing activities.Every director, member/employee, contractor and third party – including the ones related to the local committees – working for or acting on behalf of AIESEC in India, including AIESEC in Ahmedabad, AIESEC in Bangalore, AIESEC in Baroda, AIESEC in Bhubaneswar, AIESEC in Chandigarh, AIESEC in Chennai, AIESEC in Dehradun, AIESEC in Delhi IIT, AIESEC in Delhi University, AIESEC in Hyderabad, IIT ISM Dhanbad, AIESEC in IIT KGP, AIESEC in Indore, AIESEC in Jaipur, AIESEC in Jalandhar, AIESEC in Jodhpur, AIESEC in Kolkata, AIESEC in Ludhiana, AIESEC in M.AH.E, AIESEC in Mumbai, AIESEC in Nagpur, AIESEC in Nashik, AIESEC in Navi Mumbai, AIESEC in NIT Trichy, AIESEC in NMIMS Shirpur, AIESEC in Patiala, AIESEC in Pune, AIESEC in Shillong, AIESEC in South Mumbai, AIESEC in Surat, AIESEC in Visakhapatnam, and AIESEC in VIT must be aware of and follow this policy.Our Data Protection Officer is responsible for ensuring compliance with the data protection requirements and with this policy (*please refer to point 5., “Data Protection Officer”). Any questions about the operation of this policy and/or any concerns that this policy is not being followed should be referred to the Data Protection Officer.

1.3. Main Definitions

Expressions mentioned in this policy shall have the same meaning provided by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the appropriate laws. For basic understanding of this policy, the main concepts are:

Personal data (whether stored electronically or paper based) means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Right to access | You have the right to access your own personal data and the right to receive relevant information regarding the processing of your personal data. Thus, you can ask us for a copy of the personal data we hold about you so that you can know if and what kind of personal data is being processed, why it is being processed and who is processing it, being able to enforce yourrights. You can contact us so as to exercise this Right.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Special categories of personal data is an expression which refers to sensitive categories of personal data, such as the ones regarding a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexual orientation or sexual life. In general, it is forbidden to process sensitive personal data; in case it is processed, conditions must be met. Please note that data about criminal offences or convictions are another “special” category and we do not process such data.

2. Data Processing Principles

Anyone processing personal data must ensure that activities respect the provisions of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), ensuring that data is:

processed lawfully, fairly and in a transparent manner in relation to the data subject;
processed for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
accurate and, where necessary, kept up-to-date;
not kept for longer than necessary for the intended purposes;
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lastly, we must be able to demonstrate compliance with all the principles mentioned above – and, of course, respect the rights of the data subjects. In this way, we must keep a register of data processing activities, which must be updated periodically and reflect/regulate the way we use personal data.

2.1. Lawfulness, Fairness and Transparency

Processing must be done fairly and without adversely affecting the rights of the individual: thus, in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), we will only process personal data where it is in line with a lawful ground – which, according to the relevant provisions of the Article 6 (1) of such regulation, are:

the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Please note that when sensitive personal data is being processed, additional conditions must be met. Furthermore, all processing activities must be recorded in the appropriate register.

2.1.1. Consent

Whenever consent is the lawful basis for processing, it must be:

recorded, so that we can demonstrate that the data subject has consented to the processing of his/her personal data;
given in a free, specific, explicit, informed and unambiguous manner. If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language;
easy to be revoked at any time.

If communications (including direct marketing) are sent to individuals based on their consent, the option for the individual to revoke consent must be clearly available and systems should be in place to ensure such revocation is reflected effectively.

2.2. Purpose Limitation

We may collect and process the personal data we receive directly from a data subject (for example, when he/she completes forms and/or sends information via mail, phone or email) and data we receive from other sources (including, for example, location data, business partners, payment/delivery services and others).We will only process personal data for specific purposes or for any other purposes specifically permitted by the data protection laws. We must notify the purposes to the data subject when we first collect the data (in case data was provided directly to us) or as soon as practicable (where data was received from a third party).

2.2.1. Information to Individuals

Whenever we process personal data relating to an individual, we will inform the data subject about:

the purpose(s) for which we intend to process that personal data, as well as the legal basis for the processing;
where we rely upon the legitimate interests of the business to process personal data, the legitimate interests pursued;
the recipients or categories of recipients of the personal data, if any;
the fact that we intend to transfer personal data to a country or international organisation outside the European Union/European Economic Area and the appropriate and suitable safeguards in place;
the existence of each of the rights of the data subject and their respective explanation, paying special attention to:
- the right to request from us (*considering that we are the “data controller”) access to and rectification or erasure of personal data or restriction of processing;
- the right to object to processing and the right to data portability.
information about the period that the information will be stored or the criteria used to determine that period;
the right to withdraw consent at any time (if consent was given) without affecting the lawfulness of the processing before the consent was withdrawn. This right must be indicated at the moment the consent of the data subject is requested and/or in the appropriate privacy notice;
the right to lodge a complaint with the appropriate supervisory authority;
the existence of automated decision-making (including profiling) and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual;
our identity and contact details (*considering that we are the “data controller”), of our Data Protection Officer and, where applicable, of our representative.

Data subjects shall also be able to understand how to exercise their rights: in order to comply with these points (from the details regarding information to the enforcement of the rights), we shall have in place a easily accessible privacy notice.Regarding the deadlines for providing such information, it is important to consider the source of the personal data and remind that:

if personal data was obtained directly from the individual, we must inform him/her about the points mentioned above at the time when data is obtained. In addition, he/she must also be provided with the following:
- whether the provision of the personal data is a statutory or contractual requirement/obligation, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and any possible consequences of failing to provide the data.
if personal data was obtained from other sources, we must provide him/her with this information as soon as practicable, but within one month of obtaining it. The individual must also be provided with:
- the types or categories of personal data which are to be processed;
- the source the personal data originates from and whether it came from publicly accessible sources.

2.3. Data Minimisation

We must process data in an adequate, relevant and non-excessive manner: thus, we will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.

2.4. Accuracy

We will ensure that personal data we hold is accurate and kept up-to-date.In order to comply with such principle, we will check the accuracy of any personal data at the point of collection and at regular intervals subsequently, taking all reasonable steps to destroy/correct inaccurate or out-of-date data and giving individuals the opportunity to enforce their right to rectify data concerning them.

2.5. Storage Limitation

We will not keep personal data longer than is necessary for the purpose(s) for which it was collected. We will take all reasonable steps to erase/anonymise or archive from our systems all data which is no longer required, following our internal retention policies.

2.6. Integrity and Confidentiality

We must process data in accordance with the rights of the data subjects and in a manner that ensures security, integrity and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.Personal data shall not be transferred to people/organisations situated in countries without adequate protection safeguards or in situations which do not meet the appropriate circumstances mentioned in the Articles 44–49 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Please note that the individual must be informed of the transfer.

2.6.1. Data Security

We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.We will put in place technical and organisational measures to maintain the security of all personal data under our responsibility, during the whole flow. In this way, personal data will only be transferred to data processors if they agree to comply with the procedures and policies and/or if they put in place adequate measures.Our processing activities will be guided by the concepts of confidentiality and integrity of the personal data, as specified below:

confidentiality, applying measures which guarantee that data is protected against unauthorised or accidental use or disclosure – and, therefore, accessed only by people who are authorised to use the data and who are needed for the achievement of the purposes;
integrity, applying measures which guarantee that data is protected against unauthorised or accidental loss, destruction or alteration and guaranteeing that it is accurate and suitable for the purpose(s).

Our security procedures include:

secure offices and workplaces, guaranteeing that the files are stored in buildings which count on appropriate safeguards (such as locks, security systems, etc.) and on furniture which allows extra protection (e.g.: locked drawers, etc). Personal information is always considered confidential and should be kept in a secure place where unauthorised people cannot see it;
data minimisation, requesting only the appropriate data for our purpose(s);
internal policies/guidelines which consider the principles/rights in the development of future projects and in the assessment of current practices;
equipment safety, making regular backups, installing anti-virus softwares in platforms/devices and inserting passwords in every system/platform/device. Furthermore, members/employees must ensure that confidential information is not shown to passers-by and that they log off from systems/platforms/devices whenever they are left unattended;
usage of modern and secure softwares which are kept-up-to-date;
review and update of data which is out-of-date, taking every opportunity to ensure data is up-to-date;
storage of data in as few places as necessary, without creating unnecessary additional data sets;
methods of disposal, such as shredding papers and/or anonymising/erasing virtual data whenever it must be destroyed;

Our staff should also pay attention to further guidelines:

the only people able to access the data covered by the policy shall be those who need it for their work and for the achievement of the purpose(s) informed to the data subject;
data shall not be shared – formally or informally – to individuals outside our organisation except where it is necessary to do so in order to facilitate an exchange experience ;
our staff should participate in the trainings/activities regarding data protection, read the appropriate materials and get to know the appropriate laws;
members/employees shall keep all data secure, by taking sensible and reasonable precautions. Thus, it is advised that they:
- use strong passwords in systems/platforms/devices;
- never share passwords;
- never disclose personal data to unauthorised individuals, either within the organisation or outside it;
- never leave personal data unattended and/or where unauthorised people could see it;
- use only appropriate services/platforms/systems and secure devices;
- request help to the appropriate managers/Data Protection Officer in case they are unsure about any aspect of data protection.

2.6.2. Data Transfers

As a general rule, personal data may be transferred outside the European Union/European Economic Area or to an international organisation only if the country to which the personal data is transferred ensures an adequate level of protection for the rights and freedoms of data subjects.Personal data may also be transferred based on appropriate safeguards or in case one of the derogations of the Article 49 (1) of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is met, especially:

the data subject has given his/her explicit consent, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
the transfer is necessary to protect the vital interests of the data subject or of other persons;
the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

Subject to the requirements mentioned above, personal data we hold may be processed by staff operating outside the European Union/European Economic Area who work for us: such staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the provision of support services, etc.

2.6.3. Disclosure of Personal Data

Personal data shall not be transferred to external individuals and/or organisations except where it is necessary to do so in order to facilitate an exchange experience. Internally, data may be processed by the individuals acting under the power of AIESEC in India.Personal data may also be disclosed to the appropriate agencies in accordance with the law.

2.6.3.1 Rights of the Data Subject

Anyone processing personal data must ensure that activities respect the provisions of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), guaranteeing that the rights of the data subjects are respected, in particular:

- right to be informed, receiving proper details on how data is going to be processed (*please refer to point 2.2.1., “Information to Individuals”);
- right to access, being able to receive a confirmation as to whether or not personal data concerning him/her is being processed and access any data held about him/her by the data controller, following the provisions of the Article 15 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
- right to rectification, being able to request rectification or completion of data concerning him/her;
- right to object, being able to express that he/she does not – or no longer – agree with the processing and, therefore, asks the data controller to stop processing activities regarding a particular situation. This right applies to direct marketing: thus, please note that the right to object to direct marketing is absolute and we must not challenge the decision of the individual, stopping such processing activities immediately;

right to erasure, being able to request the erasure of personal data where there is no compelling reason for its continued processing. Please note that this right is subject to some specific circumstances, which are mentioned in the Articles 17 and 19 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
right to restriction of processing, obligating the data controller to suspend/pause the processing of personal data, either because of a request of the data subject or because of a situation which demands it to do so;
right to data portability, being able to obtain his/her data from the controller so as to transfer it to another system;
rights regarding automated decision-making, including:
the primary right not to be subject to activities only based on automated processing and whose decisions have legal or relevant effects on him/her;
the secondary rights – whenever automated decision-making is carried out either because of a contract or because of the consent of the data subject – to be informed (*about the existence of automated decision-making, its logics/criteria and consequences), express his/her point of view, challenge the decision and obtain human intervention.
right to compensation and liability, as well as the right to lodge a complaint with a supervisory authority.

We shall inform data subjects of their rights and we shall also make it easy for data subjects to enforce their rights, using the respective appendix according to the type of contract for information, while using the email address of the Data Protection Officer to enforce their rights. Personal data shall be easily accessible to the appropriate individuals within our organisation and, where possible, data subjects should have access to their data via a secure self-service (*please refer to point 4., “Subject Access Requests”).

2.6.3.2 Subject Access Requests

Data subjects can send a request for information regarding if and what information we hold about them, why we hold such data, how to gain access to data, how to correct/update details, how we deal with data protection, etc. (*please refer to point 3., “Rights of the Data Subject). Whenever a member/employee receives a request, it shall be forwarded to Alejandro Hüsser Diaz (alejandro.husser.2@aiesec.net) immediately.Data subjects shall be informed of their right and must know that they should address their requests to the Data Protection Officer: Alejandro Hüsser Diaz, via email (alejandro.husser.2@aiesec.net).We may take reasonable steps to verify the identity of the individual who is requesting the data: personal data shall only be sent to the individual to which it is related, so it is vital to make sure that information is only given to a person who is entitled to it. Every request sent in writing must be responded within one month – and, if the request is made electronically, data shall be provided electronically (where possible).Please note that we may supply the data subject with a standard request form, but the individuals are not obligated by law to use it: all written requests must be addressed properly, even if they do not follow the “template” provided by us.

4.1. Guidance for the responsible for Subject Access Requests

It is vital that the Article 15 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is read and followed. Besides, the guidelines below shall be useful.

4.1.1. Procedures upon receipt of a Subject Access Request

Whenever we are the data controller, we shall proceed with the following steps upon receiving a Subject Access Request:

confirm whether we are the “data controller”;
verify the identity of the data subject; if necessary, request any further evidence regarding the identity of the data subject;
verify if the access request is sufficient and if the requested information is clear; if not, request additional information;
verify whether requests are unfounded or excessive (particularly if they are repetitive): if so, we may refuse to act on the request or charge a reasonable fee. We shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request;
promptly acknowledge receipt of the request and inform the data subject of any costs involving its processing. Please note that, as a general rule, the request must be handled free of change;
verify whether we process the data requested; if we do not process any data, inform the data subject accordingly;
verify whether the data requested also involves data about other data subjects and make sure this data is filtered before the requested data is supplied to the data subject.

4.1.2. Procedures to respond to a Subject Access Request

Whilst responding to a subject access request, follow the guidelines below:

make sure to respond to the request within one month after it is received:
- if the request is particularly complex, we may extend this initial period by two months, but we must communicate to the data subject in a timely manner within the first month and explain why the extension is necessary;
- if we do not take action on the request of the data subject, we must inform the data subject about the reasons for not taking action and of his/her rights to lodge complaints/seek judicial remedy at latest within one month of receipt of the request.
if a request is submitted in electronic form, information should preferably be provided in a commonly used electronic format (*e.g.: text or html). It is not forbidden to send information via email, but we must ensure that the transfer is secure;
if information is kept on paper, we can provide the data subject with a paper copy of his/her information;
if data on the data subject is processed, make sure to include at least the following information in the response:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
- where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the data has not been collected from the data subject, the source of such data;
- the existence of any automated decision-making (including profiling) and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
provide a copy of the personal data undergoing processing. Once again, this should be provided in a commonly used electronic form if the data subject has submitted the request electronically and if he/she does not request otherwise.
An organisation shall not provide an individual with the individual’s personal data or other information if the provision of that personal data or other information, as the case may be, could reasonably be expected to —
- threaten the safety or physical or mental health of an individual other than the individual who made the request;
- cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
- reveal personal data about another individual;
- reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
- be contrary to the national interest.
An organisation shall not inform any individual that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual.
If an organisation is able to provide the individual with the individual’s personal data and other information requested without the personal data or other information excluded, the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded in the previous points.

4.1.2.1 Data Protection Officer

We have appointed Sauarbh Kamboj as the Data Protection Controller (DPO) who will endeavour to ensure that all personal data is processed in compliance with this policy and with the principles of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Appropriate national laws are also relevant to this policy.

4.1.2.2 Participation in Data Protection

Everyone who works for or with us has some responsibility for ensuring data is collected, stored and handled appropriately: thus, teams which handle personal data must ensure that it is processed in accordance with this policy, the data protection principles, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the appropriate laws.

4.1.2.3 Data Breaches

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, we shall promptly assess the risks to the rights and freedoms of individuals: if necessary, the breach shall be reported to the appropriate supervisory authority – and, if appropriate, the individuals affected by the incident shall be communicated. Please refer to our Data Breach Management Procedure and to the appropriate templates.

4.1.2.4 Disclaimer

This policy should be used together with other documents, which are mentioned below:

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) – officially “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”;
Data Breach Management Procedure;
Internal Retention Policies;

4.1.2.5 Alterations to this Policy

We reserve the right to change this policy at any time. Where appropriate, we will notify changes by email.

AIESEC in India Member - Retention Policy

Last Updated: 5th May 2019

Please review this document carefully regarding the collection and use of personal information submitted through the AIESEC Member Recruitment Drive sign up form. By submitting information to the AIESEC Member Recruitment Drive sign up form indicates that you have read this document and agree to its terms.As used herein, AIESEC is the biggest Global Youth Run Organisation which exists in 126 countries and territories. AIESEC which exists in different countries and territories are legally separated and are independent entity even though all the processes running are the same. Please see the section below to know how your personal detail will be protected in this organisation, AIESEC.

PRIVACY

Any personal information you submit through the Recruitment Drive is being submitted to AIESEC in Malaysia. Unless otherwise stated at the time of collection, the personal information requested and the way in which it is used will be in accordance with this document and with the laws of the General Data Protection Regulation, Regulation (EU) 2016/679.

COLLECTION OF PERSONAL INFORMATION

The Recruitment System maintains personal information that you as a candidate voluntarily submit and, in some cases, personal information that is submitted on your behalf. You are responsible for ensuring that any personal information submitted by or about you to the Recruitment Drive is accurate, complete, and up-to-date. If you are providing personal information about an individual otherthan yourself, you must obtain the consent of the individual forthe collection and use of information as described in this document before submitting any of his/her personal information.

INFORMATION USE

Your personal information will be used to manage your application for AIESEC recruitment processes, to contact you during yourinterview, to send you announcements, and to request additional information as required. Where permitted by law, your personal information may also be used for general statistical analysis and reporting purposes, including visitor activity and demographic reports. To the extent any information of a sensitive nature is submitted with your application (e.g., data relating to gender,race or ethnic origin,religious beliefs, physical or mental health or sexual orientation), you agree that such information may be used in accordance with applicable law and this document. The Recruitment Drive does not seek sensitive personal information except where it is required by the recruitment process of the Local Chapterin which the position you are applying for is located.Should you be accepted as a member of AIESEC, your personal information may be used in connection with the Team Leader-Team Memberrelationship as permitted by the General Data Protection Regulation.

INFORMATION DISCLOSURE

Except as disclosed in this document, or as otherwise disclosed at the point of collection, your personal information will only be made available to individuals (i) within the Local Chapterto which you are applying for a position and/or(ii) the AIESEC in Malaysia personnel. Your personal information will not be accessible by other Local Chapters. Personal information may also be disclosed to law enforcement,regulatory, or other government agencies, orto otherthird parties, in each case to comply with legal orregulatory obligations orrequests.

INFORMATION RETENTION

Your personal information will be retained forthe period necessary to complete the recruitment process orfor maximum of 5 years to meetregulatory obligations, or as may be necessary to facilitate any ongoing relationship. Where permitted by law, your personal information may also be retained to consider you for other opportunities provided by AIESEC for which you may be qualified.

INFORMATION SECURITY

The Recruitment System covered by this document has in place reasonable commercial standards of technology and operational security to protect all information from unauthorized access, disclosure, alteration, or destruction.Your use of the recruitment system is at your own risk, and you assume fullresponsibility and risk of loss resulting from your usage. no aiesec entity will be liable for any direct, indirect, special, incidental, expectancy, exemplary, consequential, or punitive damages or any other damages whatsoever, whetherin an action of contract, statute, tort (including, without limitation, negligence), or otherwise,relating to the use of orreliance upon the recruitment system.The above disclaimers and limitations of liability are applicable to the fullest extent permitted by law, whetherin contract, statute, tort (including, without limitation, negligence) or otherwise. if any portion of the foregoing is not fully enforceable for any reason, the remainder shall nonetheless continue to apply.

Privacy Notice - GENERAL DATA PROTECTION POLICY

AIESEC in India

GDPR COMPLIANCE

Data Breach Management Procedure

Introduction

Reference: Breach ProcedureType: ProcedureStatus: Approved by AIESEC InternationalCreator: Saurabh Kamboj – DPO of AIESEC in IndiaReview Period: AnnualVersion and Date: Last Updated on 5th May 2019

1. Scope, Purpose and Users

This Data Breach Management Procedure provides general principles and a model to respond to and mitigate personal data breaches, especially if one (or both) of the circumstances mentioned below are applicable:

The controller/processor is established in the European Union/European Economic Area (EU/EEA), regardless of whether the processing takes place in the European Union/European Economic Area (EU/EEA) or not;
The controller/processor processes data of individuals who are in the European Union/European Economic Area (EU/EEA) and the processing activities relate to the offering of goods or services to those individuals in the European Union/European Economic Area (EU/EEA) or to the monitoring of these individuals' behaviour within the European Union/European Economic Area (EU/EEA).

This Data Breach Management Procedure sets the general principles and actions for managing the response to a data breach and fulfils the obligations regarding the notification to supervisory authorities and individuals, as mentioned in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).All members/employees, contractors and third parties working for or acting on behalf of AIESEC in India must be aware of and follow this Data Breach Management Procedure in the event of a personal data breach. Furthermore, please note that all members/employees, contractors and third parties working for or acting on behalf of AIESEC in India are responsible forreporting any personal data breach to the Data Protection Officer(DPO) of AIESEC in India.The response to any breach of personal data (as defined by the legislation) can have a serious impact on the reputation of an organisation: therefore, exceptional care must be taken when responding to data breaches. Not all data protection incidents result in data breaches – and not all data breaches require notification –, so this procedure shall assist staff in developing an appropriate response to a data breach based on the specific characteristics of the incident.

Reference

This Data Breach Management Procedure should be used together with other documents, which are mentioned below:

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) – officially "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)";
Data Protection Policy;

Definitions

This Data Breach Management Procedure may use some technical terms: thus, please find below their definitions, based on the Article 4 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Expressions mentioned in this procedure shall have the same meaning provided by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the appropriate laws.

Personal data (whether stored electronically or paper based) means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination,restriction, erasure or destruction;
Controller means the natural orlegal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, underthe direct authority of the controller or processor, are authorised to process personal data;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Procedures

4.1. General Actions

4.1.1. Containment and Recovery

The first steps regarding personal data breaches should be taken:

identify/contact the responsible forinvestigating and managing the breach;
establish who should be aware of the breach (*i.e., who are the individuals that could assist the organisation – such as lawyers, MCVPs in charge of external relations, PR support, etc. – and, if appropriate, the individuals affected by the breach and/orthe supervisory authority);
identify and implement any steps required to contain the breach;
identify and implement any steps required to recover any losses and limit the damage of the breach;
if appropriate, inform police, insurance company, press and/or other bodies.

4.1.1.2. Contact Person

The Data Protection Officer of AIESEC in India and the response team shall be responsible for investigating/managing incidents. In case a personal data breach has been detected or is suspected, he/she must be contacted immediately via the appropriate lines:it@aiesec.inData Protection Representative : Mr. Saurabh Kamboj303, Tanishka commercial building, Akurli Road,Kandivali East Mumbai, Maharashtra, 400101

4.1.2. Assessment

Personal data breaches must be managed according to their risk, so the risks associated with the breach should be assessed in order to identify an appropriate response as soon as the immediate containment of the incident happens.

4.1.3. Notification

Depending on the nature of the personal data breach, individuals and/or supervisory authorities must be notified: thus, the full extent of the breach should understood so that communications are clear and complete.The MCVP Partnerships Development should be notified whenever communications to the public are expected to happen and the Data Protection Officer of AIESEC in India shall be the final responsible for communicating with stakeholders (including, especially, the supervisory authority).

4.1.3.1. Notification to the Supervisory Authority

It is important to consider the possibility of having to inform the appropriate supervisory authority of the data breach, paying attention to the points below and to the templates developed forthe event of a personal data breach:

AIESEC in India – as data controller – is responsible for assessing whether the supervisory authority should be notified in the event of a personal data breach;
If the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the personal data breach must be notified to the supervisory authority;
If the assessment carried out by AIESEC in India indicates that the personal data breach must be informed to the supervisory authority, AIESEC in India – as data controller – shall proceed with the notification without undue delay, and, where feasible, not later than 72 hours after having become aware of it;
If AIESEC in India does not notify the supervisory authority within 72 hours, the notification shall be accompanied by the reasons forthe delay;
If AIESEC in India cannot provide all the information at the same time, the information may be provided in phases without undue further delay;
According to the Article 33 (3) of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the notification of the personal data breach to the relevant supervisory authority must present, at least, the following information:
- the nature of the personal data breach – including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Data Protection Officer of AIESEC in India shall be responsible for reporting the personal data breach to the appropriate supervisory authority and for cooperating with it;
It is highly recommended that the templates developed for reporting a personal data breach to the appropriate supervisory authority are used in the event of an incident.

4.1.3.2. Communication to Individuals

Depending on the nature of the personal data breach, individuals should be informed based on the guidelines below:

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject(s) immediately;
The communication to the data subject(s) affected by the personal data breach must describe in clear and plain language the nature of the personal data breach and contain, at least, the following information:
- the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject(s) should count on the advice of the appropriate marketing/public relations team. Furthermore, besides the basic points mentioned in the sub-point above, it is recommended that the message should present:
- details regarding the breach (*e.g.: what happened, when the breach occurred, what types of data were involved in the breach, etc.);
- advice on how people can protect their personal data;
- information about how AIESEC in India is working so that similar events do not occurin the future;
- How the data subject(s) will be informed of updates.
The communication to the data subject(s) shall not be required if any of the following conditions are met:
- AIESEC in India – as data controller – has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that renderthe personal data unintelligible to any person who is not authorised to access it, such as encryption;
- AIESEC in India – as data controller – has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longerlikely to materialise;
- The communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If AIESEC in India – as data controller – has not already communicated the personal data breach to the data subject(s), the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in the Article 34 (3) of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) are met.
It is highly recommended that the templates developed for communicating a personal data breach to data subject(s) are used in the event of an incident.

4.1.4. Evaluation and Response

A brief report regarding the breach (including its details, the way it was handled, recommendations on how to prevent similar events/risks, etc.) should be written and attached to the official Records of Data Breaches. All reports regarding personal data breaches must be issued by the Data Protection Officer and the response team of AIESEC in India

4.1.4.1. Records of Data Breaches

AIESEC in India – as data controller – shall document any personal data breaches – including the ones which have not been reported to the supervisory authority –, comprising the facts relating to the personal data breach, its effects and the remedial action taken (*please refer to the sub-point 6. of the point 4.1.3.1, "Notification to the Supervisory Authority");
In case the supervisory authority requests access to the Records of Data Breaches, AIESEC in India must provide the appropriate documentation, enabling the Supervisory Authority to verify compliance with the Article 33 (5) of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
Data breaches must be recorded in a central place and managed by the Data Protection Officer, who will have the duty to keep it up-to-date and document every aspect of the breach. The Records of Data Breaches and the details/documents related to it (such as reports, decisions and notifications) must be stored permanently.

Alterations to this Procedure

This document is valid from 05.05.2019. The incumbent Data Protection Officer is the final responsible for this document. AIESEC in India reserve the right to change this procedure at any time: where appropriate, the entity will notify changes by mail or email.

Questionnaire

This Appendix to the Data Breach Management Procedure provides a list of question which shall be useful during the assessment of the personal data breach.

What happened? Please provide a description of the nature of the breach, including as much detail as possible.
Where did the breach happen?
When did the breach happen?
Who detected the breach?
When was the breach detected?
How did the breach happen?
What was the cause of the breach?
What kind of data was affected by the breach? (Please note: all individual types of data should be identified – e.g.: name, address, bank account number, CVs, etc.)
How many individuals and/orrecords were affected by the breach?
What categories of individuals were affected by the breach? (Please note: all individual categories of data subjects should be identified – e.g.: customers, members, employees, etc.)
What happened to the data?
Were there any protections in place?
What are the potential consequences and adverse effects forindividuals? How serious or substantial are they and how likely are they to occur? (*Please refer to the Recital 85 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)).
- What could the data tell a third party about an individual?
- What effects could this cause?
- What value does the information have?
What processes/systems were affected and how? (Please note: mention all process/systems – e.g.: website is off-line, system is inaccessible, etc.)

Privacy Notice - Customers

AIESEC in India

Privacy Notice

Last Update: 2nd May 2019

BASICS ABOUT US

We are AIESEC in India, a youth leadership movement which is passionately driven by one cause: peace and fulfilment of humankind's potential. We are registered in the official bodies of India underthe number 45624, underthe societies registration act of 1860. Ourregistered address is F.26,First floor Connaught Place, New Delhi. We comprise AIESEC in India and also the 30 local committees across India. We are committed to protecting and respecting the privacy of our website visitors. This policy explains how we process information that can be used to directly orindirectly identify an individual (“personal data”): thus, this policy applies to the situations in which we act as data controller of personal data and explains when and why we collect personal information about individuals, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

COLLECTION AND USAGE OF PERSONAL DATA ABOUT YOU

What Information Do We Collect? When you access our web pages, certain technical information is automatically collected. We collect no otherinformation except when you deliberately send it to us, for example, by emailing us or applying to our program.We analyse aggregate traffic/access information forresource management and site planning purposes. We reserve the right to use log detail to investigate resource management or security Concerns. Some of our web pages use “cookies.” Usually a cookie enables a website to tailor what you see according to the way you entered the site (for example, if you entered via a certain link, or if you are using a mobile device). We also use non-identifying and aggregate information to better design our website. For example, we may determine that the average visitortypically views our website for a certain number of minutes, orthat a certain percentage of men vs. women applied to our program. Nevertheless, we do not gather or disclose information that could identify those specific individuals.Our web pages may use Google Analytics or other similar services to analyse web traffic for design purposes. In such cases, the information described above may be shared with the entities providing the analytical service. We do not control the privacy policies of these entities, howevertheir services also fall underthe requirements for compliance set out by the General Data Protection Regulation (25/5/2018).When you choose to provide information about yourself or someone else with us, we use the information only to fulfil, orrespond to, your request. We do not share this information with outside parties, except to the extent necessary to complete that request.We never use or share the information you provide to us in ways unrelated to the intended purpose and without also providing you an opportunity to opt-out. We are dedicated to preventing unauthorised data access, maintaining data accuracy, and ensuring the appropriate use of information. We strive to put in place appropriate safeguards to secure the information we collect online.What Do We Use YourInformation For?The information we collect from you may be used in any of the following ways:To process your application to ourinternship programsTo assist our staff with your host company placementTo assist our staff with welfare provision and medical supportTo notify next of kin in the case of emergency issuesTo assist our staff with visa processing servicesTo comply with local country laws regarding registration of visitorsTo pre-book necessary services such as the accommodationTo provide insights on international internships at higher education conferences (pertaining tooverall data,ratherthan individual persons)To administer a contest, promotion, survey or other site featureTo arrange internship placements (company contacts)To facilitate university partnerships (university contacts)The email address you provide may be used to send you information,respond to enquiries,and/or otherrequests or questions.How Long Is My Information Retained?We normally keep your personal data providing you have demonstrated an interest in our products and services within the past two years. You can request us to delete it at any point, and can easily opt-out of any communication using the associated links within our correspondence or by emailing us at it@aiesec.in.

YOUR CONSENT

By using our website, you consent to our privacy policy.

RETENTION OF PERSONAL DATA ABOUT YOU

We normally keep your personal data providing you have demonstrated an interest in our products and services within the past two years. You can delete your account on aiesec.org made through aiesec.in at any given point of time through preference and settings present in profile section on aiesec.org. You can request us to delete it at any point, and can easily opt-out of any communication using the associated links within our correspondence or by going to your profile on aiesec.org, you can also email us forthe same at it@aiesec.in.

RECIPIENTS OF PERSONAL DATA ABOUT YOU

We may transferinformation about you to other AIESEC entities and partners for purposes connected with the ones mentioned in this privacy notice orforthe management of our business. We do this to provide you with different and relevant internship opportunities.

YOUR RIGHTS

You are guaranteed severalrights, which are mentioned below:

Right to be informed | You have the right to be informed about the processing of your personal data. Thus, in orderto make you able to make decisions regarding your privacy and have control over your personal data, we tell you why we need your personal data, what is the legal ground for processing it and every relevant detailregarding the processing activities, as you can see in this privacy policy.
Right to access | You have the right to access your own personal data and the right to receive relevant information regarding the processing of your personal data. Thus, you can ask us for a copy of the personal data we hold about you so that you can know if and what kind of personal data is being processed, why it is being processed and who is processing it, being able to enforce yourrights. You can contact us so as to exercise this Right.
Right to rectification | You have the right to have your personal data rectified/completed in case it is inaccurate/incomplete. You can contact us so as to exercise this right.
Right to erasure | In certain circumstances, you may request the erasure of personal data where there is no compelling reason forits continued processing. You can contact us so as to exercise this right.
Right to restriction of processing | Under certain circumstances, we may suspend processing activities – and you may also ask us to pause the processing of your personal data. In other words, we will keep your data, but won't further process it – and you can contact us so as to exercise this right.
Right to data portability | You may obtain your data from us so as to transferit to another system: thus, we will provide you with a copy in a structured, commonly used format. You can contact us so as to exercise this right.
Right to object | In some circumstances, you have the right to object (*i.e., say that you don't – or no longer – agree with the processing and ask us to stop) to the processing of your personal data regarding your particular situation. This right applies to processing based on direct marketing purposes and, usually, to some other purposes (such as some legitimate interests).
Rights regarding automated decision making | You have the primary right not to be subject to activities only based on automated processing and whose decision has legal orrelevant effects on you. However, whenever we carry out automated decision making (either because of a contract or

because of your consent), you shall be able to be informed, express your point of view, challenge eventual decisions and obtain human intervention. You can contact us so as to gatherfurther information. If you have provided consent forthe processing of your data, you have – in certain circumstances – the right to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn. By the way, if you want to know more about yourrights, we suggest that you read the guidance provided by the Information Commissioner's Office of the United Kingdom, which is available online.Lastly, if you are not happy with the way we are dealing with personal data, you may contact a supervisory authority: it@aiesec.in.Data Protection Representative : Mr. Saurabh Kamboj303, Tanishka commercial building, Akurli Road, Kandivali EastMumbai, Maharashtra, 400101

ABOUT YOUR PRIVACY

Information shall be handled based on the principle of confidentiality, so it is stored securely and accessed by authorised individuals only. We are committed to implementing and maintaining appropriate technical, security and organisational measures to protect personal data against unauthorised or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure, such as we encrypt the transmission and storage of that information using industry standard encryption technologiesWe will take allreasonable steps to ensure that your data is treated securely and in accordance with this privacy notice. Please note that the transmission of information via the internet is not completely secure: even doing our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site (so any transmission is at your own risk), but, once we have received yourinformation, we will use strict procedures and security features to prevent unauthorised access.

OUR PRIVACY MANAGER/DATA PROTECTION OFFICER

We have a Privacy Manager/Data Protection Officer who is responsible for matters regarding privacy and data protection. Thus, in case you have any questions regarding this policy and/or our privacy practices: it@aiesec.in.Data Protection Representative : Mr. Saurabh Kamboj303, Tanishka commercial building, Akurli Road, Kandivali EastMumbai, Maharashtra, 400101

FOR FURTHER INFORMATION ABOUT US

In case you want to contact us, please feel free to do so! AIESEC in India303, Tanishka commercial building, Akurli Road, Kandivali EastMumbai, Maharashtra, 400101it@aiesec.in.

REVIEW OF THIS POLICY

We keep this policy underregularreview, so please check this page occasionally to ensure that you’re happy with any changes. This policy was last updated in 22nd May 2018

Privacy Notice - Events

AIESEC in India

Privacy Notice for Events

Last Update: 2nd May 2019

BASICS ABOUT US

We are AIESEC in India, a youth leadership movement which is passionately driven by one cause: peace and fulfilment of humankind's potential. We are registered in the official bodies of India under the number 45624, under the societies registration act of 1860. Ourregistered address is F.26,First floor Connaught Place, New Delhi. We comprise AIESEC in India and also the 30 local committees across India. We are committed to protecting and respecting the privacy of our event visitors and registrants. This policy explains how we process information that can be used to directly or indirectly identify an individual (“personal data”): thus, this policy applies to the situations in which we act as data controller of personal data and explains when and why we collect personal information about individuals, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

COLLECTION AND USAGE OF PERSONAL DATA ABOUT YOU

The purposes of processing your personal data are to send you information about the event, send update emails about the event, send important necessary documents, to assist our staff to support you during your registration process and event. Personal data we process may include Name, Email, Phone Number, College Name, and anything entitled in the ‘Registration Form’ of the event.We gather your personal data via ‘Eventregistration form’ filled by you.

RETENTION OF PERSONAL DATA ABOUT YOU

We normally keep your personal data providing you have demonstrated an interest in our products and services within the past two years. You can request us to delete it at any point by emailing us forthe same at it@aiesec.in.RECIPIENTS OF PERSONAL DATA ABOUT YOUWe process your details internally. However, we may disclose information about you to partners and sponsors of events so as to provide you with personalised offers, offered to event participants.We may transfer information about you to other AIESEC entities and partners for purposes connected with the ones mentioned in this privacy notice orforthe management of our business. We do this to provide you with different and relevant internship opportunities.

YOUR RIGHTS

You are guaranteed several rights, which are mentioned below:

Right to be informed | You have the right to be informed about the processing of your personal data. Thus, in order to make you able to make decisions regarding your privacy and have control over your personal data, we tell you why we need your personal data, what is the legal ground for processing it and every relevant detail regarding the processing activities, as you can see in this privacy policy.
Right to access | You have the right to access your own personal data and the right to receive relevant information regarding the processing of your personal data. Thus, you can ask us for a copy of the personal data we hold about you so that you can know if and what kind of personal data is being processed, why it is being processed and who is processing it, being able to enforce your rights. You can contact us so as to exercise this right.
Right to rectification | You have the right to have your personal data rectified/completed in case it is inaccurate/incomplete. You can contact us so as to exercise this right.
Right to erasure | In certain circumstances, you may request the erasure of personal data where there is no compelling reason forits continued processing. You can contact us so as to exercise this right.
Right to restriction of processing | Under certain circumstances, we may suspend processing activities – and you may also ask us to pause the processing of your personal data. In other words, we will keep your data, but won't further process it – and you can contact us so as to exercise this right.
Right to data portability | You may obtain your data from us so as to transferit to another system: thus, we will provide you with a copy in a structured, commonly used format. You can contact us so as to exercise this right.
Right to object | In some circumstances, you have the right to object (*i.e., say that you don't – or no longer – agree with the processing and ask us to stop) to the processing of your personal data regarding your particular situation. This right applies to processing based on direct marketing purposes and, usually, to some other purposes (such as some legitimate interests).
Rights regarding automated decision making | You have the primary right not to be subject to activities only based on automated processing and whose decision has legal orrelevant effects on you. However, whenever we carry out automated decision making (either because of a contract or because of your consent), you shall be able to be informed, express your point of view, challenge eventual decisions and obtain human intervention. You can contact us so as to gatherfurtherinformation.

If you have provided consent for the processing of your data, you have – in certain circumstances – the right to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.By the way, if you want to know more about your rights, we suggest that you read the guidance provided by the Information Commissioner's Office of the United Kingdom, which is available online.Lastly, if you are not happy with the way we are dealing with personal data, you may contact a supervisory authority: it@aiesec.in Data Protection Representative : Mr. Saurabh Kamboj 303, Tanishka commercial building, Akurli Road, Kandivali East Mumbai, Maharashtra, 400101

ABOUT YOUR PRIVACY

Information shall be handled based on the principle of confidentiality, so it is stored securely and accessed by authorised individuals only. We are committed to implementing and maintaining appropriate technical, security and organisational measures to protect personal data against unauthorised or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure, such as we encrypt the transmission and storage of that information using industry standard encryption and transmission technologies.We will take all reasonable steps to ensure that your data is treated securely and in accordance with this privacy notice. Please note that the transmission of information via the internet is not completely secure: even doing our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site (so any transmission is at your own risk), but, once we have received your information, we will use strict procedures and security features to prevent unauthorised access.

OUR PRIVACY MANAGER/DATA PROTECTION OFFICER

We have a Privacy Manager/Data Protection Officer who is responsible for matters regarding privacy and data protection. Thus, in case you have any questions regarding this policy and/or our privacy practices:it@aiesec.in. Data Protection Representative : Mr. Saurabh Kamboj303, Tanishka commercial building, Akurli Road, Kandivali EastMumbai, Maharashtra, 400101

FOR FURTHER INFORMATION ABOUT US

In case you want to contact us, please feel free to do so! AIESEC in India303, Tanishka commercial building, Akurli Road, Kandivali EastMumbai, Maharashtra, 400101 it@aiesec.in.

REVIEW OF THIS POLICY

We keep this policy under regular review, so please check this page occasionally to ensure that you’re happy with any changes. This policy was last updated in 2nd May 2019

Privacy Notice - Members

AIESEC in India

Privacy Notice for Members of AIESEC in India

Last Update: 2nd May 2019

BASICS ABOUT US

We are AIESEC in India, a youth leadership movement which is passionately driven by one cause: peace and fulfilment of humankind's potential. We are registered in the official bodies of India under the number 45624, under the societies registration act of 1860. Ourregistered address is F.26,First floor Connaught Place, New Delhi. We comprise AIESEC in India and also the 30 local committees across India.We are committed to protecting and respecting the privacy of our Members. This policy explains how we process information that can be used to directly or indirectly identify an individual (“personal data”): thus, this policy applies to the situations in which we act as data controller of personal data and explains when and why we collect personal information about individuals, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

COLLECTION AND USAGE OF PERSONAL DATA ABOUT YOU

The purposes of processing your personal data are Membership Knowledge and Understanding, Data Storage for Membership Relation, Alumni Engagement and Rewards – and the legal basis for such activities is General Data Protection Regulation (25/5/2018). Personal data we process may include Full Name, Email, Number, Gender, Address, Parental Information, Personal Documents, Address Proofs, College/University Documents. We gather your personal data via Forms, CRM Tool (EXPA), General Compliance Undertaking and Membership Data Information (Member Connect)

RETENTION OF PERSONAL DATA ABOUT YOU

We normally keep your personal data for 5 Years.. You can request us to delete it upon leaving, and can easily opt-out of any communication using the associated links within our correspondence or by going to your profile on aiesec.org, you can also email us for the same at it@aiesec.in.RECIPIENTS OF PERSONAL DATA ABOUT YOUWe may transfer information about you to other AIESEC entities and partners for purposes connected with the ones mentioned in this privacy notice orforthe management of our business. We do this to provide you with different and relevant opportunities.

YOUR RIGHTS

You are guaranteed several rights, which are mentioned below:

Right to be informed | You have the right to be informed about the processing of your personal data. Thus, in order to make you able to make decisions regarding your privacy and have control over your personal data, we tell you why we need your personal data, what is the legal ground for processing it and every relevant detail regarding the processing activities, as you can see in this privacy policy.
Right to access | You have the right to access your own personal data and the right to receive relevant information regarding the processing of your personal data. Thus, you can ask us for a copy of the personal data we hold about you so that you can know if and what kind of personal data is being processed, why it is being processed and who is processing it, being able to enforce your rights. You can contact us so as to exercise this right.
Right to rectification | You have the right to have your personal data rectified/completed in case it is inaccurate/incomplete. You can contact us so as to exercise this right.
Right to erasure | In certain circumstances, you may request the erasure of personal data where there is no compelling reason forits continued processing. You can contact us so as to exercise this right.
Right to restriction of processing | Under certain circumstances, we may suspend processing activities – and you may also ask us to pause the processing of your personal data. In other words, we will keep your data, but won't further process it – and you can contact us so as to exercise this right.
Right to data portability | You may obtain your data from us so as to transferit to another system: thus, we will provide you with a copy in a structured, commonly used format. You can contact us so as to exercise this right.
Right to object | In some circumstances, you have the right to object (*i.e., say that you don't – or no longer – agree with the processing and ask us to stop) to the processing of your personal data regarding your particular situation. This right applies to processing based on direct marketing purposes and, usually, to some other purposes (such as some legitimate interests).
Rights regarding automated decision making | You have the primary right not to be subject to activities only based on automated processing and whose decision has legal orrelevant effects on you. However, whenever we carry out automated decision making (either because of a contract or because of your consent), you shall be able to be informed, express your point of view, challenge eventual decisions and obtain human intervention. You can contact us so as to gatherfurtherinformation.

If you have provided consent for the processing of your data, you have – in certain circumstances – the right to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.By the way, if you want to know more about your rights, we suggest that you read the guidance provided by the Information Commissioner's Office of the United Kingdom, which is available online.Lastly, if you are not happy with the way we are dealing with personal data, you may contact a supervisory authority: it@aiesec.in.Data Protection Representative : Mr. Saurabh Kamboj303, Tanishka commercial building, Akurli Road,Kandivali East Mumbai, Maharashtra, 400101

ABOUT YOUR PRIVACY

Information shall be handled based on the principle of confidentiality, so it is stored securely and accessed by authorised individuals only. We are committed to implementing and maintaining appropriate technical, security and organisational measures to protect personal data against unauthorised or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure, such as we encrypt the transmission and storage of that information using industry standard encryption technologies We will take all reasonable steps to ensure that your data is treated securely and in accordance with this privacy notice. Please note that the transmission of information via the internet is not completely secure: even doing our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site (so any transmission is at your own risk), but, once we have received yourinformation, we will use strict procedures and security features to prevent unauthorised access.

OUR PRIVACY MANAGER/DATA PROTECTION OFFICER

FOR FURTHER INFORMATION ABOUT US

In case you want to contact us, please feel free to do so! AIESEC in India303, Tanishka commercial building, Akurli Road, Kandivali EastMumbai, Maharashtra, 400101 it@aiesec.in.

REVIEW OF THIS POLICY

We keep this policy under regular review, so please check this page occasionally to ensure that you’re happy with any changes. This policy was last updated in 5th February 2019.

Close I agree

Safety always comes first. In the light of the novel Coronavirus (COVID-19) outbreak, we decided to stop all operations regarding our exchange programs until 15th of April. We advise you to ensure you are aware of the latest information available on the WHO website and through your national and local public health authority.