Privacy Notice - GENERAL DATA PROTECTION POLICY
AIESEC in India
Data Protection Policy
Last Updated: 5th May 2019
1.1. General StatementWe are required to process relevant personal data regarding members/employees, volunteers, applicants, alumni and customers as part of our operations: thus, we shall take all reasonable steps to do so in accordance with this policy. It is important that personal data is processed lawfully and appropriately, in accordance with the requirements of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and abiding by the appropriate local/national laws regarding privacy. Personal data is any information relating to an identified or identifiable individual, such as members/employees, volunteers, applicants, alumni, customers and anyone else with whom we do business. Personal data is an important and valuable asset, and the way we handle this data should demonstrate respect, promote trust and avoid security incidents. In many cases, there are laws that govern how we collect, use and dispose of personal data: for these reasons, we must follow the law and the internal policies/guidelines for handling personal data. We respect the confidentiality of personal data, in both paper and electronic form: information shall not be used/disclosed improperly and/or used by someone who is not authorised to do so. Furthermore, we are committed to protecting and respecting the privacy of our stakeholders, because we respect the trust that is being placed in us to use personal information appropriately and responsibly: therefore, we have to take our data protection duties seriously.
1.2. About this PolicyThis policy and any other documents referred to in it clarify the basis on which we will deal with any personal data we collect and/or process: thus, this policy is applicable to every data processing activity carried out by us. Please note that this policy is not part of the agreement/contract signed by our members/employees, so it can be amended at any time and its provisions shall be respected by all those who participate in our processing activities. Every director, member/employee, contractor and third party – including the ones related to the local committees – working for or acting on behalf of AIESEC in India, including AIESEC in Ahmedabad, AIESEC in Bangalore, AIESEC in Baroda, AIESEC in Bhubaneswar, AIESEC in Chandigarh, AIESEC in Chennai, AIESEC in Dehradun, AIESEC in Delhi IIT, AIESEC in Delhi University, AIESEC in Hyderabad, IIT ISM Dhanbad, AIESEC in IIT KGP, AIESEC in Indore, AIESEC in Jaipur, AIESEC in Jalandhar, AIESEC in Jodhpur, AIESEC in Kolkata, AIESEC in Ludhiana, AIESEC in M.AH.E, AIESEC in Mumbai, AIESEC in Nagpur, AIESEC in Nashik, AIESEC in Navi Mumbai, AIESEC in NIT Trichy, AIESEC in NMIMS Shirpur, AIESEC in Patiala, AIESEC in Pune, AIESEC in Shillong, AIESEC in South Mumbai, AIESEC in Surat, AIESEC in Visakhapatnam, and AIESEC in VIT must be aware of and follow this policy. Our Data Protection Officer is responsible for ensuring compliance with the data protection requirements and with this policy (*please refer to point 5., “Data Protection Officer”). Any questions about the operation of this policy and/or any concerns that this policy is not being followed should be referred to the Data Protection Officer.
1.3. Main DefinitionsExpressions mentioned in this policy shall have the same meaning provided by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the appropriate laws. For basic understanding of this policy, the main concepts are:
2. Data Processing PrinciplesAnyone processing personal data must ensure that activities respect the provisions of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), ensuring that data is:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- accurate and, where necessary, kept up-to-date;
- not kept for longer than necessary for the intended purposes;
2.1. Lawfulness, Fairness and TransparencyProcessing must be done fairly and without adversely affecting the rights of the individual: thus, in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), we will only process personal data where it is in line with a lawful ground – which, according to the relevant provisions of the Article 6 (1) of such regulation, are:
- processing is necessary for compliance with a legal obligation to which the controller is subject;
2.1.1. ConsentWhenever consent is the lawful basis for processing, it must be:
- easy to be revoked at any time.
2.2. Purpose LimitationWe may collect and process the personal data we receive directly from a data subject (for example, when he/she completes forms and/or sends information via mail, phone or email) and data we receive from other sources (including, for example, location data, business partners, payment/delivery services and others). We will only process personal data for specific purposes or for any other purposes specifically permitted by the data protection laws. We must notify the purposes to the data subject when we first collect the data (in case data was provided directly to us) or as soon as practicable (where data was received from a third party).
2.2.1. Information to IndividualsWhenever we process personal data relating to an individual, we will inform the data subject about:
- the recipients or categories of recipients of the personal data, if any;
- the existence of each of the rights of the data subject and their respective explanation, paying special attention to:
- the right to object to processing and the right to data portability.
- the right to lodge a complaint with the appropriate supervisory authority;
- if personal data was obtained directly from the individual, we must inform him/her about the points mentioned above at the time when data is obtained. In addition, he/she must also be provided with the following:
- if personal data was obtained from other sources, we must provide him/her with this information as soon as practicable, but within one month of obtaining it. The individual must also be provided with:
- the types or categories of personal data which are to be processed;
- the source the personal data originates from and whether it came from publicly accessible sources.
2.3. Data MinimisationWe must process data in an adequate, relevant and non-excessive manner: thus, we will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.
2.4. AccuracyWe will ensure that personal data we hold is accurate and kept up-to-date. In order to comply with such principle, we will check the accuracy of any personal data at the point of collection and at regular intervals subsequently, taking all reasonable steps to destroy/correct inaccurate or out-of-date data and giving individuals the opportunity to enforce their right to rectify data concerning them.
2.5. Storage LimitationWe will not keep personal data longer than is necessary for the purpose(s) for which it was collected. We will take all reasonable steps to erase/anonymise or archive from our systems all data which is no longer required, following our internal retention policies.
2.6. Integrity and ConfidentialityWe must process data in accordance with the rights of the data subjects and in a manner that ensures security, integrity and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. Personal data shall not be transferred to people/organisations situated in countries without adequate protection safeguards or in situations which do not meet the appropriate circumstances mentioned in the Articles 44–49 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Please note that the individual must be informed of the transfer.
2.6.1. Data SecurityWe will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. We will put in place technical and organisational measures to maintain the security of all personal data under our responsibility, during the whole flow. In this way, personal data will only be transferred to data processors if they agree to comply with the procedures and policies and/or if they put in place adequate measures. Our processing activities will be guided by the concepts of confidentiality and integrity of the personal data, as specified below:
- data minimisation, requesting only the appropriate data for our purpose(s);
- usage of modern and secure softwares which are kept-up-to-date;
- storage of data in as few places as necessary, without creating unnecessary additional data sets;
- members/employees shall keep all data secure, by taking sensible and reasonable precautions. Thus, it is advised that they:
- use strong passwords in systems/platforms/devices;
- never share passwords;
- never leave personal data unattended and/or where unauthorised people could see it;
- use only appropriate services/platforms/systems and secure devices;
2.6.2. Data TransfersAs a general rule, personal data may be transferred outside the European Union/European Economic Area or to an international organisation only if the country to which the personal data is transferred ensures an adequate level of protection for the rights and freedoms of data subjects. Personal data may also be transferred based on appropriate safeguards or in case one of the derogations of the Article 49 (1) of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is met, especially:
- the transfer is necessary to protect the vital interests of the data subject or of other persons;
2.6.3. Disclosure of Personal DataPersonal data shall not be transferred to external individuals and/or organisations except where it is necessary to do so in order to facilitate an exchange experience. Internally, data may be processed by the individuals acting under the power of AIESEC in India. Personal data may also be disclosed to the appropriate agencies in accordance with the law.
220.127.116.11 Rights of the Data SubjectAnyone processing personal data must ensure that activities respect the provisions of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), guaranteeing that the rights of the data subjects are respected, in particular:
- rights regarding automated decision-making, including:
18.104.22.168 Subject Access RequestsData subjects can send a request for information regarding if and what information we hold about them, why we hold such data, how to gain access to data, how to correct/update details, how we deal with data protection, etc. (*please refer to point 3., “Rights of the Data Subject). Whenever a member/employee receives a request, it shall be forwarded to Alejandro Hüsser Diaz (firstname.lastname@example.org) immediately. Data subjects shall be informed of their right and must know that they should address their requests to the Data Protection Officer: Alejandro Hüsser Diaz, via email (email@example.com). We may take reasonable steps to verify the identity of the individual who is requesting the data: personal data shall only be sent to the individual to which it is related, so it is vital to make sure that information is only given to a person who is entitled to it. Every request sent in writing must be responded within one month – and, if the request is made electronically, data shall be provided electronically (where possible). Please note that we may supply the data subject with a standard request form, but the individuals are not obligated by law to use it: all written requests must be addressed properly, even if they do not follow the “template” provided by us.
4.1. Guidance for the responsible for Subject Access RequestsIt is vital that the Article 15 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is read and followed. Besides, the guidelines below shall be useful.
4.1.1. Procedures upon receipt of a Subject Access RequestWhenever we are the data controller, we shall proceed with the following steps upon receiving a Subject Access Request:
- confirm whether we are the “data controller”;
4.1.2. Procedures to respond to a Subject Access RequestWhilst responding to a subject access request, follow the guidelines below:
- make sure to respond to the request within one month after it is received:
- if data on the data subject is processed, make sure to include at least the following information in the response:
- the purposes of the processing;
- the categories of personal data concerned;
- the right to lodge a complaint with a supervisory authority;
- where the data has not been collected from the data subject, the source of such data;
- An organisation shall not provide an individual with the individual’s personal data or other information if the provision of that personal data or other information, as the case may be, could reasonably be expected to —
- reveal personal data about another individual;
- be contrary to the national interest.
22.214.171.124 Data Protection OfficerWe have appointed Sauarbh Kamboj as the Data Protection Controller (DPO) who will endeavour to ensure that all personal data is processed in compliance with this policy and with the principles of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Appropriate national laws are also relevant to this policy.
126.96.36.199 Participation in Data ProtectionEveryone who works for or with us has some responsibility for ensuring data is collected, stored and handled appropriately: thus, teams which handle personal data must ensure that it is processed in accordance with this policy, the data protection principles, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the appropriate laws.
188.8.131.52 Data BreachesIn the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, we shall promptly assess the risks to the rights and freedoms of individuals: if necessary, the breach shall be reported to the appropriate supervisory authority – and, if appropriate, the individuals affected by the incident shall be communicated. Please refer to our Data Breach Management Procedure and to the appropriate templates.
184.108.40.206 DisclaimerThis policy should be used together with other documents, which are mentioned below:
- Data Breach Management Procedure;
- Internal Retention Policies;