Data Protection Policy

GENERAL PERSONAL DATA PROTECTION POLICY

 

  1. WHAT IS THE PURPOSE OF THIS DOCUMENT?

NGO Support Center is committed to protecting the privacy and security of your personal information. This privacy policy provides information regarding the data we collect from you and how we process this data. In collecting this information, we are acting as a data controller. By virtue of the 2016/679 Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the national law N.125(I)/2018 as amended we are required to provide you with information about us, about how and why we use your data and about the rights you have over your data.

 

  1. DATA PROTECTION PRINCIPLES

We will comply with data protection law and principles, which means that your data will be:

  • Used in a transparent way, by providing you information on how your data will be used.
  • Used fairly, meaning that the processing of your data matched the description given to you.
  • Used lawfully in accordance with at least one legal basis as defined in GDPR Certification of Data Protection System.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have informed you about.
  • Kept securely.

 

  1. THE KIND OF INFORMATION WE HOLD ABOUT YOU

We collect, store, and use the following categories of personal data:

  • The information you provide when completing our membership form or when registering online to attend our events, including organisation, title/position, first name, last name, job title/professional background, telephone number, mobile number, email address, address, city and postal code. To access webinars and other virtual events administered by us via an online platform, you may be required to register. The requested personal information typically includes name and surname, and email address.
  • The information you provide when you register to the CSO database, as an organisation, including the organisation’s contact details, that is the email address, phone number, website, the name of the contact person, its surname and position in the organization and the latter person’s username and password
  • In the event that we request a payment from you and if you choose to use your credit card as a method of payment we ask for card number, expiry date, cardholder name and signature.
  • Communication information. When you send us an e-mail or other communication, we retain that communication in order to process your enquiries and respond to your requests.
  • Surveys you may be requested to fill out in some events.

Since we are a regranting administrator, we may share your data and process them with third partners in the context of:

  1. Selection of beneficiary CSOs.
  2. Conclusion of contracts with the beneficiaries.
  3. Monitoring of the implementation of the grant contracts, accountability and promotion of the projects implemented.
  4. Providing capacity building services to the beneficiaries: learning, professional support, and networking.
  5. Preparation of reports to the funders in relation to the progress of the implementation of the Programme.
  6. Evaluation of the implementation and results of the Programme.

The legal basis of the processing operations carried out for the above purposes under 1, 3, 5 and 6 is the fulfilment of the legitimate interests of the (joint) Data Controllers [Article 6(1)(f) GDPR], which consist in the correct and effective implementation of the Programme and its objectives.

The processing of personal data for the fulfilment of the purposes set out in points 2 and 4 above is carried out for the performance of a contract to which the Data Subject is a party [Article 6(1)(b)(b) of the GDPR].

In cases of data processing for the purpose of monitoring and promotion of the projects being implemented (above under 3), the legal basis is, where applicable, also the consent of the Data Subjects [Article 6(1)(a) GDPR], which is collected after provision of specific information to the Data Subjects regarding their rights etc.

 

  1. PERSONAL DATA AND DATA SUBJECTS

The following Categories of Personal Data per category of Data Subjects are processed under our regranting and capacity building programs:

 

a.Selection of Beneficiary CSOs

Categories of Data Subjects Categories of Personal Data
A) Persons submitting the application on behalf of the CSO, representatives of the CSO, members of the CSO. Partners of the CSO.

B) Persons associated with the CSO who are to be employed on the project.

 As regards category A:

(a) first name, (b) surname, (c) username (to create an account on the application platform), (d) e-mail address, (e) telephone number, (f) the person’s relationship with the CSO applying for funding.

As regards category B:

(a) first name, (b) surname, (c) professional status, (d) position and duties in the project, (e) relationship with the CSO applying for funding; form of employment, (f) home address, (g) passport – identity card details, (h) any data included by the subjects themselves in their CV.

 

b.Conclusion of contracts with CSOs

Categories of Data Subjects Categories of Personal Data
A) Contact persons (if the legal representatives of the beneficiary CSO are not themselves the contact persons)

B) Legal representatives of the beneficiary CSOs

 As regards category A:

(a) contact details.

For category B:

(a) first name, (b) surname, (c) ID number/passport number, (d) contact details, (e) any other data included in the certificate of legal representative submitted by the beneficiary CSO.

 

c.Monitoring and Project Promotion

Categories of Data Subjects Categories of Personal Data
A) Members of the project teams

B) Legal representatives of the beneficiary CSOs and their partners (if any)

C) Beneficiaries of the projects’ actions

 As regards category A: a) name, b) surname, c), d), e) professional status, f) position and duties in the project, g) form of employment – relationship with the beneficiary CSO, h) other data that may be included in the detailed periodic declaration submitted by the beneficiary CSO, i) other data that may be included in submitted tax documents, h) other data resulting from any form of excuses (e.g. (h) any other data resulting from any kind of travel tickets, tax documents relating to accommodation, catering services, etc.); j) in general, any personal data included in the material collected and submitted as evidence of the actions implemented under the project (image data – photographs, audio-visual material).

As regards category B: (a) name, (b) surname, (c), (d) contact telephone number, (e) e-mail address, (f) any other data included in the certificate of legal representative submitted by the beneficiary CSO.

As regards category C: any personal data included in the material collected and submitted as evidence of the actions implemented under the project (image data – photographs, audio data – audiovisual material).

 

 

d.Capacity Building

Categories of Data Subjects Categories of Personal Data
Category A: Trainees – members/staff of the beneficiary CSO

Category B:  Trainers/Facilitators

 For category A: a) full name, b) contact telephone number, c) status/position in the beneficiary CSOs, d) video and audio data (if the training/support is provided online via a video conferencing platform), e) any data disclosed during the training/support (if the training/support is provided online via a video conferencing platform).

As regards category B: (a) full name, (b) data resulting from submitted CV, (c) image and audio data (if the training/support is provided online via a videoconferencing platform)

In order to compile the required reports and to complete the project evaluation, all the data under a, b and c above are processed. It should be noted, however, that the reports and evaluation results only include statistical and numerical data.

 

  1. HOW IS YOUR PERSONAL INFORMATION COLLECTED?

We collect personal information about you from the following sources:

  • You, directly.
  • From our online platform service provider
  • Your employer/organisation.

 

  1. HOW WE WILL USE INFORMATION ABOUT YOU

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you for the provision of a service or as part of a grant agreement between your organisation and the NGO Support Centre.
  • Where we need to provide you with the information that you request from us.
  • Where we need to comply with a legal obligation.
  • We may in some circumstances rely on your consent. In those circumstances, we will specifically ask whether you agree to us using your data in specified ways. You can withdraw your consent and ask us to delete your information at any time – please see section 11.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. As you have shown interest in becoming a member or attending our events, we rely on this legal basis to send you information and updates about future events that may be of interest to you. If you DO NOT wish to receive this information, you have the right to object to this at any time, by contacting our officer, responsible for data protection, at [email protected] or by clicking the unsubscribe link at the bottom of our e-mails.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

 

  1. AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

 

  1. DATA SHARING

We may share your data with third parties, including lead partners in projects, donors and third-party service providers, where it is necessary to administer the working relationship with your organisation. We may also share your information where this is required by law.

We use data processors, such online registration forms to help facilitate the organization of activities.

 

  1. TRANSFERING INFORMATION OUTSIDE THE EU

When we transfer personal data to countries outside the EEA, we make such transfers to a recipient (i) located in a country that provides an adequate level of protection for personal data or (ii) under appropriate safeguards in accordance with the provisions of applicable data protection laws (e.g. under an agreement in the form of standard data protection clauses adopted by the European Commission), the form of which is available at https://ec.europa.eu/info/law/law-topic/data-protection /international-dimension-data-protection/standard-contractual-clauses-scc_en. In some cases, we may carry out such transfers where we have obtained the express consent of such data subjects to the proposed transfer, given that the data subject has been informed of the potential risks of such a transfer (in the absence of a adequacy decision and appropriate safeguards).

If you have any questions about this or need any further information please contact our officer, responsible for data protection, on 22875099 or at [email protected].

 

  1. DATA SECURITY

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees who need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

Details of these measures may be obtained from the officer responsible for data protection.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

 

  1. DATA RETENTION

We will retain your personal information only for as long as we need it or until you withdraw your consent, (in those instances where we process your information based on your consent) or you object to processing when exercising your rights in accordance with section 11 below. You can contact our officer, responsible for data protection at [email protected] to find out more about our retention times.

 

  1. RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

Under certain circumstances, by law you have also the right to:

  • Request access to your personal information (commonly known as a “data subject access request”. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party but only for information processed by automated means and where the processing is based on your consent or on contract.
  • Right to withdraw consent at any time for processing for any purpose for which you have given consent.

If you want to exercise any of the above rights, please contact our officer, responsible for data protection,at [email protected].

 

  1. DATA PROTECTION OFFICER

We have appointed an officer, responsible for data protection, to oversee compliance with this privacy policy. If you have any questions about this privacy policy or how we handle your personal information, please contact our officer, responsible for data protection, at [email protected].

You have the right to make a complaint at any time to the Office of the Commissioner of Personal Data Protection, the Cyprus supervisory authority for data protection matters. You can find out more about at www.dataprotection.gov.cy (Telephone: +357 22818456, Email: commissioner dataprotection.gov.cy).

 

  1. AMENDMENT OF THIS POLICY

The NGO Support Centre reserves the right to regularly review and amend the present Policy, either in whole or in part, when necessary. Users are advised to consult our website to make sure that they are aware of the policy’s most recent version.