EDF data protection policy
The European Disability Forum (“EDF,” “we,” or “us”) is committed to privacy and data protection. EDF needs to gather and use certain information about Data Subjects. These can include members, partners, sponsors, suppliers, business contacts, employees, participants in our events, and other people the organisation has a relationship with or may need to contact.
This Data Protection Policy (the “Policy”) sets out the standards and procedures we apply when Processing Personal Data, in accordance with our obligations under the EU General Data Protection Regulation and its national implementing laws (“GDPR”). Amongst others, this Policy helps to ensure that EDF:
- Complies with the GDPR and follows good practice;
- Ensures that Employees are informed about their responsibilities when handling Personal Data; and
- Handles data breaches appropriately.
“Personal Data” means any data relating to an identified or identifiable individual, including, for example, name, contact information, identification number, location data, online identifier, IP address etc.
“Data Subject” is the individual to whom the Personal Data relates.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
This Policy applies to all our staff members, including Board members, Committee members, (temporary) employees, interns, volunteers, consultants or contractors, regardless of the office or workplace (hereinafter referred to as “Employees”, “you” or “your”).
This Policy is applicable as of January 25th 2021 following staff training. The Policy has been reviewed by the executive committee and approved on May 28th 2021.
Contact for questions
If you have any questions regarding this Policy, please contact our Data Protection Officer (“DPO”), Muriel Davia, at firstname.lastname@example.org.
1. Privacy Principles
Each Employee who Processes Personal Data is required to comply with the following privacy principles:
1.1.1 Employees may only Process Personal Data for specified, explicit and legitimate purposes (e.g., to maintain our website and its member area, to organise events and send event invitations, to arrange travel and accommodation for speakers), and not further Process the data in a manner that is incompatible with those purposes. Any new purpose must first be approved by our DPO, who will indicate whether you need to provide the Data Subject with an opportunity to opt in or opt out of the new purpose. If you are not sure whether a purpose or use of Personal Data is new, please contact our DPO.
1.2 Legal Basis
1.2.1 Personal Data may only be Processed when one of the below legal bases applies:
- Consent: The Data Subject has provided his or her free, specific, informed and unambiguous consent (e.g., by ticking a non-pre-ticked checkbox after being provided with sufficient notice about the Processing).
- Contract or memorandum of understanding (MOU): The Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract.
- Legal obligation: We are required by law to Process the Personal Data.
- Legitimate interest: We, or a third party, have a legitimate interest in Processing the Personal Data for that specific purpose (e.g., in some cases, fraud prevention may be considered a legitimate interest). Please contact our DPO to help you determine whether we have a legitimate interest in Processing Personal Data as intended.
1.2.2 Legal basis for specific Processing activities:
- Marketing (including newsletters and policy papers): As a general rule, sending electronic marketing communications to individuals requires obtaining the individual’s prior consent. In addition, marketing communications should contain a mechanism by which the recipient can object to receiving further marketing communications (e.g., an opt-out/unsubscribe link in a marketing email). Before sending marketing communications to Data Subjects, you must obtain the authorisation of your line manager or our DPO.
- Sensitive Personal Data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation), such as health data and information regarding disabilities: As a general rule, the Processing of sensitive Personal Data is only allowed in very limited cases. If you consider that the Processing of sensitive Personal Data is absolutely necessary, you must obtain authorisation from our DPO prior to such Processing.
- Children’s Personal Data: If you intend to Process Personal Data of children under the age of 13, you should obtain authorisation from our DPO prior to such Processing as we need to implement additional safeguards for such Processing.
1.4 Records of processing activities and data protection impact assessments
1.4.1 If you plan to carry out a new Personal Data Processing activity, you should inform your line manager or our DPO to ensure that we update our records of processing activities (also referred to as ‘data maps’ or ‘article 30 records’). Our DPO will also verify if a Data Protection Impact Assessment (“DPIA”) needs to be completed for that activity.
1.5 Privacy safeguards
1.5.1 Privacy by design: You must take into account privacy considerations when developing new products and services and strive to make the product or service as privacy-friendly as possible.
1.5.2 Privacy by default: You must ensure that the default settings of our products and services are as privacy-friendly as possible.
1.5.3 Data integrity: You must limit the collection and usage of Personal Data to that which is relevant for the intended purposes for which it was collected, and ensure that such Personal Data is reliable, accurate, complete, current and kept up-to-date.
1.5.4 Data retention: We must delete Personal Data when it is no longer necessary for the purpose for which we collected it, unless we are required by law to keep it for a longer period or we anonymise the data so that it no longer constitutes Personal Data. (As long as Personal Data can be linked back to the individual, it remains Personal Data. Pseudonymised data is still Personal Data and does not qualify as anonymised data.) A new purpose for which the data is useful is not a justification for keeping the data for a longer period of time. Please note that the data retention periods differ depending on the purpose for which Personal Data is used. Please refer to Appendix 1 – Data Retention for more information on the different retention periods that apply to each purpose. If the purpose for a Processing of Personal Data is not listed in Appendix 1, please contact our DPO and request that Appendix 1 be updated to include the new purpose and the applicable data retention period.
1.5.5 Profiling and automated decision-making: You must obtain approval from our DPO before engaging in any profiling of Data Subjects, or automated decision-making which produces legal effects concerning a Data Subject or significantly affects a Data Subject.
1.6 Data security and confidentiality
1.6.1 Any Personal Data you Process must be protected in accordance with Appendix 2 – Data Security. Any questions regarding information security may be directed to Muriel Davia, who liaises directly with our IT manager.
1.6.2 Employees who Process Personal Data must have committed themselves to confidentiality contractually or be under an appropriate statutory obligation of confidentiality (e.g., legal secrecy obligations such as those applying to medical professions).
1.6.3 You must take all reasonable and appropriate actions in your conduct at EDF to maintain the confidentiality of Personal Data, including by not disclosing any Personal Data without the appropriate executive, legal or DPO approval.
1.6.4 Any accidental or unauthorised access to Personal Data must be communicated without delay to our DPO, who will take appropriate measures to mitigate the incident and notify supervisory authorities and Data Subjects, where required.
1.6.5 You must keep all data, including but not limited to Personal Data, secure by taking sensible precautions and following the guidelines set forth in Appendix 2.
1.7 Agreements and data sharing
1.7.1 Agreements with recipients of Personal Data of EEA and Swiss Data Subjects should include certain privacy and data protection clauses. This includes both contracts with service providers who will Process Personal Data on our behalf (also referred to as “processors”) (e.g., data hosting providers, marketing agencies, accountants), and agreements with organisations to whom we disclose Personal Data but who will Process the data for their own business purposes (also referred to as “independent controllers”) (e.g., European Institutions and third-party contractors in the context of event organisation).
1.7.2 We are responsible for compliance with applicable laws for EEA Personal Data that we receive, or that we disclose to third parties acting on our behalf. Any data disclosure to independent controllers may only be done in compliance with the principles set forth in Appendix 3 – Data Sharing.
1.7.3 You should consult with our DPO before entering into such agreements.
1.8 International Data Transfers
1.8.1 EDF must provide adequate protection when transferring Personal Data from the EEA or Switzerland to a location outside the EEA or Switzerland. You should consult with our DPO before conducting such international data transfers to ensure that EDF puts in place the appropriate data transfer safeguards prior to the transfer.
1.9 Requests and notifications
1.9.1 Requests from Data Subjects: If you receive a claim or request from a Data Subject (e.g., a website visitor, another employee, a job applicant, a vendor or other partner, or any other Data Subject) regarding his or her Personal Data, you must immediately communicate that claim or request to our DPO at email@example.com with the subject line ‘Data Subject Request’. Our DPO will handle the request in accordance with our Data Subject Request Handling Policy. Please see Appendix 4 – Data Subjects’ Rights to this Policy for information on the rights that Data Subjects have with regard to their Personal Data under GDPR.
1.9.2 Notifications from Service Providers: If you receive a notification from a service provider (or processor) regarding the Personal Data that the service provider Processes on our behalf, you must immediately forward such notification to our DPO.
1.9.3 Requests from Public Authorities: If you receive a request from a public authority regarding the Personal Data we Process, you must immediately forward such request to our DPO. Our DPO will respond expeditiously to complaints. The response will address whether the complaint has merit and, if so, how EDF will rectify the problem.
2. Training and awareness
2.1 All our Employees handling Personal Data receive periodic privacy and data protection training covering the standards of this Policy to help them understand their responsibilities when handling Personal Data.
2.2 Our DPO will monitor developments with regard to privacy, data protection and information security legislation and inform and advise EDF and our Employees about data protection obligations, including through awareness-raising campaigns and training.
3. Data protection officer
3.1 In addition to the specific tasks laid out in the other sections of this Policy, the DPO is also responsible for:
- Keeping our board updated about EDF’s data protection responsibilities, risks and issues;
- Reviewing all data protection procedures and related policies;
- Handling data protection questions from staff and anyone else covered by this policy;
- Dealing with requests from Data Subjects, including when they request to exercise their rights under GDPR;
- Maintaining and updating our internal records of Processing; and
- Advising on the due diligence and engagement of third parties whose services may involve Processing Personal Data (such as data storage providers).
3.2 The Data Protection Officer may be contacted via: firstname.lastname@example.org.
4.1 Our Employees will cooperate with any (internal) audit of our data processing facilities.
5. Failure to comply
5.1 Failure to comply with this Policy may result in disciplinary actions against you, up to and including termination of employment, in accordance with the applicable employment agreement, work rules, labour laws or any other applicable rules or regulations, and/or civil or criminal penalties.