Article 2 – Scope of the Data Protection Policy
This Data Protection Policy applies to all entities of THEPOWELL, including network and branch offices in all countries of operation.
- The policy applies to all THEPOWELL staff and governance.
- The provision of this policy may also be applied to any person employed by an entity that carries out missions for
- In particular, this policy applies to implementing partners, suppliers, sub-grantees, stakeholders, and other associated entities.
THEPOWELL’s Data Protection Policy applies to all personal data that THEPOWELL holds relating to identifiable individuals, meaning any information relating to an identified or identifiable individual.
Article 3 – THEPOWELL’s sets of data and definitions
THEPOWELL’s Data Protection Policy applies to all sets of personal data, currently stored, maintained, and handled by THEPOWELL, and more specifically to the following identified sets of personal data:
- THEPOWELL’s personnel, including national and international staff, interns, and volunteers,
- THEPOWELL’s direct and indirect beneficiaries, including interviewees,
- THEPOWELL’s individual donors and sympathizers,
- THEPOWELL’s contractors, suppliers, consultants, and implementing partners currently under contract with THEPOWELL.
Personal data, as referred to herein, means any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity. This can include in particular:
- Names of individuals
- Postal or living addresses
- Email addresses
- Telephone numbers
- Identity card and passport
- Date and place of birth
- Identification of relatives
- Business reference
Processing of personal data means any operation or set of operations in relation to such data, whatever the mechanism used, especially the obtaining, recording, organization, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.
Article 4 – Application of National Laws and sources of authority
THEPOWELL is headquartered in Switzerland and observes the laws of Switzerland and of the Geneva Canton, including the Federal Act on Data Protection of 19 June 1992 (the Data Protection Act, the “DPA”) and the Ordinance to the Federal Act on Data Protection of 14 June 1993 (“ODPA”). It also operates in more than 15 countries. THEPOWELL Country Operations observe the laws of their country.
This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed. Each entity of THEPOWELL, including network and branch offices, is responsible for compliance with this Data Protection Policy and its legal obligations.
At the same time, THEPOWELL has rules and standards that seek to create a consistent approach and which, in some cases, may be stricter than national or local laws. This Policy must, therefore, be followed in addition to the relevant national and local laws on data protection.
In the event of conflicts between national legislation and the Data Protection Policy, THEPOWELL will work with the relevant country offices to find a practical solution that meets the purpose of the Data Protection Policy.
The policy is aimed at guiding THEPOWELL staff and must be considered together with:
- ACTED’s Child Protection Policy; THEPOWELL’s Code of Conduct and policies that are annexed to it;
- THEPOWELL’s global manuals and
Article 5 – Principles for Processing Personal Data
- Fairness and Lawfulness
- When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair
- Collected data shall be adequate, relevant, and not excessive in relation to the purposes for which they are obtained and their further
- Individual data can be processed upon voluntary consent of the person
- Restriction to a specific purpose
- Personal data can be processed only for the purpose that was defined before the data was collected. Personal data shall be obtained for specified, explicit, and legitimate purposes, and shall not subsequently be processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require justification.
- However, further data processing for statistical, scientific, and historical purposes shall be considered compatible with the initial purposes of the data collection, if it is not used to make decisions with respect to the data
- The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be made aware of or informed of:
- The purpose of data processing;
- Categories of third parties to whom the data might be transmitted
- Processing of personal data must have received the consent of the data subject or must meet one of the following conditions: compliance with any legal obligation to which THEPOWELL is subject; the protection of the data subject’s life; the performance of a public service mission entrusted to
- Confidentiality and Data Security
- Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification, or destruction.
- Deletion: Personal data shall be retained in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they are obtained and processed. There may be an indication of interests that merit protection or historical significance of this data in individual If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
- Factual Accuracy and Up-to-datedness of Data
- Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or
Article 6 – Data Processing
- Consent to Data Processing
- Individual data can be processed upon the consent of the person concerned. Declarations of consent must be submitted In certain exceptional circumstances, consent may be given verbally.
- Data Processing Pursuant to Legitimate Interest
- Personal data can also be processed if it is necessary to enforce a legitimate interest of THEPOWELL. Legitimate interests are generally of a legal (such as filing, enforcing, or defending against legal claims), audit, or financial nature. Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the individual merit protection. Before data is processed, it must be determined whether there are interests that merit protection. Control measures that require the processing of personal data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the organization in performing the control measure (e.g. compliance with legal provisions and internal rules of the organization) must be weighed against any interests meriting protection that the individual affected by the measure may have in its exclusion, and cannot be performed unless appropriate.
- Telecommunications and Internet
- Telephone equipment, e-mail addresses, intranet, and internet along with internal social networks are provided by THEPOWELL primarily for work-related assignments. They are a tool and an organizational resource. They can be used within the applicable legal regulations and internal THEPOWELL communication In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
- There will be no general monitoring of telephone and e-mail communications or intranet/internet To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the network used by THEPOWELL that block technically harmful content or that analyze the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet, and internal social networks can be blocked for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of policies and/or procedures of THEPOWELL. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as the THEPOWELL regulations.
- Rights of the Data Subject
All individuals who are the subject of personal data held by THEPOWELL are entitled:
- To request information on which personal data relating to him/her has been stored, how the data was collected, and for what intended If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected. If personal data is transmitted to third parties, individuals should be informed of such a possibility. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
- To request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other Existing retention periods and conflicting interests meriting protection must be observed.
- To object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal This does not apply if a legal provision requires the data to be processed.
Article 7 – Transmission of Personal Data
Transmission of personal data to recipients outside or inside THEPOWELL is subject to the authorization requirements for processing personal data under Section 6 and requires the consent of the data subject. The data recipient must be required to use the data only for defined purposes.
In the event that data is transmitted to a recipient outside THEPOWELL, this recipient must agree to maintain a data protection level equivalent to this Data Protection Policy. This does not apply if the transmission is based on a legal obligation.
The processing of personal data is also permitted if national legislation requests, requires, or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the individual that merit protection must be taken into consideration.
In certain circumstances, the THEPOWELL Data Protection Policy allows personal data to be disclosed, based on a legal obligation, to law enforcement agencies, without the consent of the data subject.
Only THEPOWELL’s Executive Director can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, motivated by the requester, appropriate, necessary, and does not pose a threat or direct risk to THEPOWELL.
Before approving such disclosure, THEPOWELL’s Executive Director will check that the recipient of the data uses the data for the defined purposes only and that it demonstrates the capacity and will to abide by such an obligation.
Where necessary, THEPOWELL’s Executive Director will refer to legal advisers for advice, and to THEPOWELL’s Committee for validation, notably but not only in cases involving direct security threats and implications or global organizational risks including reputation.
Article 8 – Subject access and modification requests to personal data
All THEPOWELL staff and individuals external to the NGO can contact THEPOWELL to request that the rights listed in Article 6, section 4 (Rights of the Data Subject) be applied.
Individual subject access requests should be addressed by email or in writing. If not in writing, the request should be taken and handled by a duly authorized THEPOWELL staff member and registered in a log for reference and follow-up.
Any individual subject access request received by THEPOWELL will be duly verified before being handled, including verification of the identity of the person making the request, before any information is handed over.
THEPOWELL will ensure that individual requests are answered in a timely manner.
THEPOWELL will ensure that any data subject, including but not only personnel, individual donors and sympathizers, and beneficiaries, has the means to contact THEPOWELL to verify the data THEPOWELL holds about them, and can have authorised THEPOWELL personnel update and correct personal information. Such an obligation entails the following:
- THEPOWELL staff should have access to their personal files and to any information held by THEPOWELL on them, by simple request to the Human Resources department, to be presented and corrected by duly authorized staff only. The consultation of any information on any other staff is strictly prohibited.
- Individual donors and sympathizers listed by THEPOWELL can reach out to THEPOWELL to check the data held by THEPOWELL and have it corrected as well as deleted. Information on this right and on how to reach out to THEPOWELL for such a purpose should be clearly indicated on the THEPOWELL website, as well as on the main media of communication to individual donors and sympathisers, including donation receipts and donor documentation, and upon request when calling THEPOWELL HQ. Such responsibility lies at the global level with the THEPOWELL Head of Human Resources.
- THEPOWELL current direct and indirect beneficiaries (including survey interviewees) shall have access to THEPOWELL to check any data THEPOWELL holds on them, to ensure its correctness, fairness, and to have it modified and updated upon request by duly authorized THEPOWELL personnel. For such a purpose, THEPOWELL teams at the country level should set up and maintain a complaints response mechanism that is both open and accessible to individuals, with limited constraints, while ensuring that any request by individuals is duly followed by appropriate corrective measures and communications. Contact information to uphold this right and reach out to THEPOWELL for such a purpose should be clearly indicated on THEPOWELL website as well as on other means of public information at country Such responsibility lies with the THEPOWELL Country Focal Point at a country level and with THEPOWELL’s Heads of Programmes and Research at the global level.
- THEPOWELL contractors and suppliers can reach out to THEPOWELL Hub to check data held by THEPOWELL and have it corrected. Such responsibility lies with the HQ officer in charge of Hub
- THEPOWELL implementing partners shall have access to THEPOWELL to check any data THEPOWELL holds on them, to ensure its correctness, fairness, and to have it modified and updated upon request by duly authorized THEPOWELL Such responsibility lies with the THEPOWELL Country Focal Point at a country level and with the THEPOWELL head of Programmes at the global level.
Article 9 – Providing information
THEPOWELL aims to ensure that individuals are aware that their data is being processed and that they understand:
- How the data is being used;
- How to exercise their rights;
To these ends, the current policy is shared with all THEPOWELL staff and available on request by individuals. A version of this Policy is also available upon request to THEPOWELL HQ.
Any subscriber or user of an electronic communication service shall be informed in a clear and comprehensive manner by THEPOWELL, except if already previously informed, regarding the purpose of any action intended to provide access, by means of electronic transmission, to information previously stored in their electronic connection terminal device, or to record data in this device, and regarding the means available to them to object to such action.
Article 10 – Confidentiality of Processing
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Duly-authorized employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
Article 11 – Processing Security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification, or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification). The technical and organizational measures for protecting personal data are part of THEPOWELL’s ITC management and must be adjusted continuously to the technical developments and organizational changes.
Article 12 – Data Protection Control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of THEPOWELL’s Executive Director or appointed representative. The results of the data protection controls performed by the appointed representative must be reported to the Executive Director. THEPOWELL’s Committee must be informed of the primary results as part of the related reporting duties. On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.
Article 13 – Violation, sanction, and reporting
Any failure to comply with the current policy, or any deliberate violation of the rules set in the policy, will result in the launch of an appropriate investigation by THEPOWELL.
Depending on the gravity of the suspicion or accusations, THEPOWELL may suspend staff or relations with another stakeholder during the investigation. This will not be subject to challenge.
Depending on the outcome of the independent investigation, if it comes to light that anyone associated with THEPOWELL has deliberately violated the rules set in the policy for their personal profit or any other usage of personal data, or has systematically and deliberately contravened the principles and standards contained in this document, THEPOWELL will take immediate disciplinary action and any other action which may be appropriate to the circumstances. This may mean, for example, for:
- Employees – disciplinary action/dismissal;
- Trustees, officers, and interns – ending the relationship with the organisation;
- Partners – withdrawal of funding/support;
- Contractors and consultants – termination of
Depending on the nature, circumstances, and location of the case and violation, THEPOWELL will also consider involving authorities such as the police to ensure the protection of personal data and victims.
The reporting of suspected or actual violations of this policy is a professional and legal obligation of all staff and partners. Failure to report information can lead to disciplinary action.
THEPOWELL encourages its staff and stakeholders to report suspected cases that involve any THEPOWELL staff, consultants, board members, guests, or staff of THEPOWELL’s partner organizations, their board members, staff, and/or suppliers.
THEPOWELL encourages its staff and stakeholders to report suspected cases through the following means:
- Staff and interns can report contacting
- standard lines of hierarchy (contained in staff Terms of Reference);
- the Head of Human
- Beneficiaries and their representatives can report using the Complaints and Response Mechanism (CRM).
- Suppliers and contractors can use the confidential
- Individual donors and sympathizers can refer to the confidential email address.
All reports will be treated as confidential in line with THEPOWELL’s Code of Conduct and THEPOWELL’s Human Resources guidelines.
THEPOWELL will not tolerate false accusations which are designed to damage a member of staff’s reputation. Anyone found making false accusations will be subject to investigation and disciplinary action.
Article 14 – Responsibilities
THEPOWELL’s Committee is responsible for ensuring that the legal requirements for data protection, and those contained in this Data Protection Policy, are met (e.g. national reporting duties).
The management staff is responsible for ensuring that organizational, Human Resources, and technical measures are in place so that any data processing is carried out in accordance with data protection. The managers must ensure that their employees are sufficiently trained in data protection.
Compliance with these requirements is the responsibility of the relevant employees.
Article 15 – Implementation of the policy
This policy was approved by THEPOWELL’s Executive Director in November 2020 and comes into effect immediately. It could be reviewed regularly.