+40 750 441 590 contact@youngsteps-kenya.org Brașov, Romania
Facebook
LinkedIn
Instagram

GDPR – PRIVACY POLICY

1. Purpose of the Privacy Policy

The YOUng Steps Kenya Association aims to provide an adequate level of protection for the processing of personal data.

The Privacy Policy complies with the principles of the European Union General Regulation on the protection of data subjects with regard to the processing of personal data and on the free movement of such data 679/2016 (hereinafter referred to as “GDPR”). The Privacy Policy aims to provide an internationally applied framework within the Association to achieve an adequate level of protection of personal data for the benefit of all stakeholders.

2. Scope of this policy

This policy applies to the processing of personal data by the YOUng Steps Kenya Association. Personal data is any information relating to an identified or identifiable natural person, such as biographical information (name, dates of birth, etc.), employment data (addresses, position, telephone numbers and email addresses, etc.) online identifier (IP address) or one or more specific elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity.

This policy contains generally accepted data protection principles, without replacing the existing legal framework. The policy is in accordance with European and national law on the processing of personal data and applies to the operations of the YOUng Steps Kenya Association. The Association is committed to ensuring that this policy fully complies with applicable national and European laws on the protection of personal data and the free movement of personal data.

This policy does not apply to identifying data of legal entities such as companies or other organisations with legal personality.

This policy does not apply to anonymous data, such as statistical data. However, the mere absence of a name does not imply that the data are anonymous, it should be impossible to identify a data subject directly or indirectly.

This policy may be amended under the coordination of the association’s data protection team.

3. Definitions

Operator

The natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down by applicable law.

Processor

The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Personal data

Any information relating to an identified or identifiable natural person (“data subject”).

Specific data

Personal data concerning racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health and data concerning a natural person’s sex life or sexual orientation.

The person concerned

An identified or identifiable natural person whose personal data are processed. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Processing

Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Breach of security of personal data

A security breach that results in the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data transmitted, stored or otherwise processed.

Recipient

A natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities to whom personal data may be disclosed in the framework of a specific inquiry in accordance with Union or national law will not be considered as recipients; the processing of such data by those public authorities will comply with the applicable data protection rules in accordance with the purposes of the processing.

4. Identification of the operator

YOUNG STEPS KENYA ASSOCIATION

Contact address: Str. C.D. Gherea nr. 4. Ap. 4, 500003, Brasov, Romania

C.I.F: 49309638

Website: https://youngsteps-kenya.org

E-mail: contact@youngsteps-kenya.org

 5. Principles relating to the processing of personal data

5.1 Lawfulness and fairness

Personal data must be processed lawfully and fairly in relation to the data subject. Any processing of personal data will only be lawful insofar as the processing is based on a basis for processing laid down by law. Where special categories of personal data are processed, this will only be done when one of the derogation conditions specified by law applies.

5.2 Transparency

The controller shall take appropriate measures to provide the data subject with any information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing or by other means, including where appropriate in electronic form.

5.3 Purpose limitation

The purposes for which personal data are processed must be explicit and legitimate and must be determined at the time of collection. Personal data may not be processed in a way incompatible with those purposes.

5.4 Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

5.5 Accuracy of data

Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

5.6 Limiting data storage

Personal data may not be processed for longer than is strictly necessary for the processing in question. Once personal data are no longer necessary for the purpose of the processing, they must be rendered anonymous or deleted.

Personal data may be stored for longer periods in so far as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.

5.7 Data integrity and confidentiality

The processing of personal data must be done in a way that ensures their security including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. Confidentiality commitments are in place with employees, consultants and other parties who have access to personal data. In addition, a password-based access restriction system shall be implemented to ensure that individuals can access only those personal data that they need for the performance of their duties.

5.8 Data accountability

YOUng Steps Kenya must be able to demonstrate compliance with the principles of lawfulness, fairness, transparency, minimisation, purpose limitation, storage limitation, integrity and confidentiality of the processing of personal data. Data protection policies, control elements, procedures, checklists and other measures constituting the data protection framework are systematically documented.

5.9 Data protection from the moment of conception and implicitly

Control elements and compliance with the principles related to the processing of personal data are proactively developed from the design and elaboration phase of processing operations. The strictest privacy settings must be applied by default to any processing. Compliance with the data protection principle from the time of design and by default is a functional requirement throughout the lifetime of YOUng Steps Kenya operations involving the processing of personal data.

6. Informing data subjects about the processing of personal data

YOUng Steps Kenya processes personal data for the following purposes:

6.1. Marketing activities and organisation of events

Purpose: To promote the model (values, skills, competencies, specific intervention, objectives) and image of YOUng Steps Kenya.

– Facebook, Instagram, Linikedin or other social media account name;

– Details of studies completed and qualifications obtained;

– Data on previous work experience;

– Photo images, video and/or audio recordings;

– Other personal data derived from the collaboration between the parties 

Duration of processing: duration of the activity plus one year.

6.2 Identification and selection of donors and sponsors

Purpose: To carry out the selection of donors and sponsors to support YOUng Steps Kenya.

Legality: Legitimate interest of YOUng Steps Kenya in supporting its projects and functional/support activities.

Targeted persons: individuals, representatives of targeted companies, representatives of funding institutions, representatives of targeted foundations and NGOs, representatives of suppliers.

Personal data:

– Identifying data: name, surname, position, place of work, date of birth;

– Contact data: telephone number and e-mail address, mailing address;

– Other personal data specific to a type of event (mentioned in the event-specific consent).

Duration of processing: duration of the selection process plus one year.

6.3. Signing and implementation of sponsorship and funding contracts, direct donations through specialised websites

Purpose: To execute the sponsorship contract to support the YOUng Steps Kenya programme.

Legality: Steps taken to sign the sponsorship contract and implement the sponsorship contract.

Targeted persons: individuals, representatives of targeted companies, representatives of instittions, representatives of targeted foundations and NGOs, representatives of suppliers.

Personal data:

– Data identifying the sponsoring representatives: name and surname, date of birth, gender, position, place of work, signature;

– Identification data for individual donors: name and surname, date of birth, sex, domicile, ID card number and series, nationality, position, place of work, bank account, signature;

– Contact details: telephone number and e-mail address, mailing address;

– Other personal data derived from the specific subject of the sponsorship contract.

Duration of processing: the duration of the sponsorship contract, plus an archiving period of 10 years.

6.4. Management of recruitment activity

Purpose: Recruitment and selection of staff to carry out the work of YOUng Steps Kenya.

Legality: Steps taken by the person concerned to sign the CIM.

Data subjects: Candidates for posts declared available.

Personal data:

– Identifying data: full name, date of birth, gender, domicile/residence, nationality;

– Contact details: telephone number and e-mail address;

– Details of studies followed and qualifications obtained;

– Details of previous professional experience;

– Data required to confirm legal obligation to work in Romania (for non-EU citizens);

– Identification data of the person making the recommendation (name, surname, place of work, position, telephone, e-mail)

– Additional data voluntarily provided by you in your CV or for the conclusion of the individual employment contract (e.g. photo, hobbies, data concerning the possession of a driving licence, residence permit, residence registration certificate, marital status, etc.);

– Criminal record, integrity screening (Ministry of Justice portal).

Duration of processing: duration of the recruitment and selection process plus one year after its completion, for the defence of the association against any complaints made by candidates – art. 20 in conjunction with art. 8 of Ord. 37/2000 on the prevention and sanctioning of all forms of discrimination.

6.5. Management of volunteer recruitment and selection

Purpose: To run the recruitment and selection of volunteers for support activities in YOUng Steps Kenya.

Legality: consent of the persons concerned

Data subjects: applicants for volunteer positions at YOUng Steps Kenya

Personal data:

– Identifying data: full name, date of birth, gender, domicile/residence, nationality;

– Contact details: telephone number and e-mail address;

– Details of education and qualifications obtained;

– Details of previous professional experience;

– Data resulting from the selection process;

– Additional data voluntarily provided by you in your CV or for the purpose of the volunteer contract (e.g. photo, hobbies, data concerning the possession of a driving licence, residence permit, residence registration certificate, marital status, etc.).

Duration of processing: duration of the recruitment and selection process plus one year after its completion, for the defence of the association against any complaints made by candidates – art. 20 in conjunction with art. 8 of Ord. 37/2000 on the prevention and sanctioning of all forms of discrimination.

6.6. Management of the volunteer contract at YOUng Steps Kenya

Purpose: To run the volunteer management for the implementation of specific volunteering activities in YOUng Steps Kenya.

Legality: Art. 6.1 b – steps to sign the contract and to implement the volunteer contract.

Targeted persons: candidates for the volunteer position at YOUng Steps Kenya.

Personal data:

– Identifying data: name and surname, place and date of birth, gender, residence, personal numerical code, series and number of identity card, driving licence;

– Contact details: telephone number, e-mail address, address of residence;

– Details of previous professional experience;

– Additional data resulting from other documents provided by you (e.g. curriculum vitae; identity card; driving licence, if applicable; residence registration certificate or residence permit, if applicable);

– Photographs, video and/or audio recordings;

– Other data related to the position held in the association (annual evaluation, quality of professional performance, etc.).

Duration of processing: duration of the volunteer contract plus an archiving period of 10 years.

6.7 Management of financial and operational audit activity

Purpose: Conducting financial and operational audit work.

Legality: legitimate interest of the operator in compliance and efficiency of financial and operational activity

Persons concerned: all persons having a role in the conduct of the audited activity.

Personal data:

– Personal data contained in the audited activities.

Duration of processing: 10 years.

6.8 Complaints and disputes management

Purpose: To carry out the specific activity of complaint and dispute resolution.

Legality: legitimate interest pursued by the controller to protect the interests of the organisation.

Persons concerned: all persons involved in the handling of complaints and disputes.

Personal data:

– Identifying data: name and surname, place of work, position, telephone number, e-mail address;

– Other data relevant to the handling of complaints and disputes.

Duration of processing: depending on the case, according to the legislation in force, and subsequently for a period of 2 years after the complaint or dispute has been settled.

7. Recipients

Volunteers, participants and members of YOUng Steps Kenya;

Funders and sponsors, potential sponsors, donors and individual fundraisers;

Event organisation and communication service providers (PR agencies, logistics, communication, bloggers/influencers, media companies);

National and European institutions and organisations co-interested in EU/public funded projects 

Third parties: ANAF, Protection and Anti-Money Laundering, Court etc..;

Support service providers 

 8. Rights of the targeted persons

The rights you have with regard to your personal data:

Under Regulation (EU) 679/2016, you can exercise any of the following rights:

∙ the right of access to personal data concerning you;

∙ the right to request the rectification or updating of personal data when they are inaccurate or incomplete;

∙ the right to request the erasure of personal data if, for example, the data are no longer necessary for processing, or the data subject objects to the processing or the processing of personal data has been unlawful;

∙ the right to data portability, meaning the transfer of your personal data to another personal data controller in a structured machine-readable format;

∙ the right to restrict the processing of personal data in cases where, for example, the lawfulness of the processing or the accuracy of the data is contested. Once restricted, the controller can only store the personal data, cannot use it further and can only lift the restriction after having informed the data subject of this intention. Each recipient to whom personal data has been disclosed must be informed of any rectification, erasure or restriction that has been carried out to comply with this request;

∙ the right to object to the processing if it is carried out for the protection of our legitimate interest if your particular situation gives rise to compelling reasons;

∙ the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or affects you to a significant extent;

∙ the right to lodge a complaint with us and/or the competent data protection authority;

∙ the right to withdraw your consent at any time to the processing of personal data to which you have previously consented;

To exercise these rights, as well as for any further questions regarding this notice or in relation to YOUng Steps Kenya’s use of personal data, please contact us by choosing any of the communication methods described below, while specifying your name, postal or email address (depending on how you wish to communicate), your telephone number as well as the purpose of your request.

9. Security and confidentiality

YOUng Steps Kenya Association and its employees have implemented technical and organisational measures to protect personal data against accidental or unauthorised destruction, accidental loss, alteration or unauthorised access. These measures are developed taking into account the results of risk analysis of the processing carried out and are evaluated and tested at regular intervals. Security and confidentiality require measures to increase awareness, training and communication of personal data protection issues within the organisation (training for all employees who have access to personal data, allocation of responsibilities, etc.). Techniques such as data minimisation, limiting the storage period of information, pseudonymisation, encryption, confidentiality agreements, physical integrity of data carriers and logging according to access rights depending on the role in the processing of personal data should be considered.

10. Data transfer

The transfer of personal data is guaranteed from a security point of view in the countries of the European Union / European Economic Area and in other countries considered by the European Commission as providing an adequate level of protection. Where personal data is exported by YOUng Steps Kenya acting as a controller in the European Union to recipients in countries that do not provide an adequate level of protection, YOUng Steps Kenya has ensured that adequate safeguards, standard contractual clauses on the protection of personal data or approved certification mechanisms are in place. Where the rights and freedoms of data subjects have been violated by an importing YOUng Steps Kenya entity located in a third country without an adequate level of protection, YOUng Steps Kenya, which exported the data, undertakes to uphold the rights of the data subject in accordance with this policy against the importing YOUng Steps Kenya entity.

 11. Contact details

For any necessary information regarding GDPR you can use the email address below:

e-mail: contact@youngsteps-kenya.org