volunteers, donors and any other person whose personal data (see below) is collected and processed by or on behalf of Sabeel for any reason.

“Natural Person”
A living person; a human being. The term “natural person” does not include any “legal person” such as a company, partnership or corporation.

“Personal Data”
Any information relating to an identified or identifiable natural person is “personal data”. This includes, but is not limited to, name, identification number, location, online identifier or any physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

“Special Category Data”
Certain data is considered to be sensitive in nature and is referred to as “special category” data. Special category data is any data which reveals the racial or ethnic origin, the political opinions, the religious or philosophical beliefs or any trade-union membership of a natural person. Any data such as genetic or biometric data which can uniquely identify a natural person, or data concerning the sex life or sexual orientation of a natural person, is also special category data.

“Controller”
The “controller” for the purposes of this policy is Sabeel. The controller is the natural or legal person who, either alone or jointly with others, determines the purposes and means of processing of personal data.

“Processor”
A “processor” is a natural or legal person who processes personal data under the direct and express instructions of a controller.

“Processing”
Any operation which is performed on personal data, such as but not limited to collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, amounts to processing of that personal data.
Data Protection Principles
Every person working for, with or on behalf of Sabeel must adhere to the following principles when dealing with personal data. Personal data must only be:
A. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
B. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
C. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
D. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
E. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
F. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
Data Subject Rights
Every data subject has the following rights which must be upheld in a timely manner in order to comply with the law:
Right of access – the right to obtain a copy of the personal data of the data subject and the details of processing carried out by or on behalf of Sabeel Ltd;
Right of rectification – the right to ensure that errors in data held by Sabeel Ltd are corrected;
Right to erasure – the right, under certain circumstances, to ensure that personal data held by Sabeel Ltd on that natural person is erased;
Right to restriction – the right to restrict the processing of personal data under certain circumstances;
Right to portability – the right to obtain a copy of personal data obtained by the controller from the data subject in a portable, machine-readable form and also to have it transferred to another controller if so desired; and
Right to objection – the right to object to the processing of their personal data under certain circumstances.

Each of these data subject rights is, in effect, a controller obligation. It is incumbent on the controller to facilitate the exercise of these rights. From 25.05.18 the controller can only charge a fee following a request to exercise the right of access under very limited circumstances. The controller must respond to a request to access a copy of personal data within one calendar month. Any employee, servant or agent of Sabeel Ltd who receives or becomes aware of any request from a data subject must forward that request to the data processing manager immediately. Data subjects seeking to exercise any of the above data subject rights are requested to make their request to the data processing manager at Sabeel Ltd to ensure a prompt and effective response.

Controller Obligations
In addition to the data subject rights, which themselves amount to controller obligations, the controller must comply with other obligations when processing the personal data of natural persons. These include:

Data Minimisation: Sabeel Ltd will only collect such personal data as is required for the processing in question. This will differ depending upon whether the data subject is an employee, a volunteer or a donor.

Data Retention: Sabeel Ltd will only retain personal data for as long as is reasonably required by law or good practice following the last contact with the data subject. This retention period differs depending upon whether the data subject is an employee, a volunteer or a donor. Sabeel Ltd has a policy of carrying out a data cleansing exercise annually; as a result, data will be retained for no longer than one year in excess of the required retention period. Otherwise it would be excessively cumbersome for Sabeel Ltd to manage the data cleansing process effectively.

Privacy by Design: Sabeel Ltd has a responsibility to design and engineer its systems so that personal data is not misused and so that it is stored and processed in a manner which minimises the opportunity for data loss and for data being processed without a lawful basis.

Article 13 and Article 14 notifications: Where personal data has been obtained from the data subject directly, it is Sabeel Ltd's responsibility to provide the data subject with the following information if the data subject does not already have it:
A. The identity and the contact details of the controller;
B. The contact details of the data protection officer, if such a person has been appointed;
C. The purposes of the processing and the legal basis for that processing;
D. What, if any, legitimate interest of Sabeel Ltd or of a third party is relied on as the legal basis of the processing;
E. The recipients or categories of recipients of the personal data, if any;
F. If transfer of the data to a third country or to an international organisation is intended, whether or not there is an adequacy decision of the European Commission in force in respect of that country, or any appropriate or suitable safeguards which are relied upon, and how the data subject can obtain a copy of those safeguards;
G. For how long the personal data will be stored, or the criteria used to determine that period;
H. The existence of the right of the data subject to request from Sabeel Ltd access to, rectification of or erasure of the personal data, or restriction of processing concerning the data subject, or to object to the processing, as well as the right to data portability;
I. Where the processing is based on the data subject’s consent, the fact that the data subject may withdraw that consent at any time unless prevented from doing so by law;
J. The right of the data subject to lodge a complaint with a supervisory authority (regulator);
K. Where the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, the data subject must be informed of this and of whether he or she is required to provide the personal data and of the consequences of non-compliance with this requirement;
L. If any automated decision making or profiling is carried out using the personal data, then the data subject must be informed about this and provided with a meaningful explanation of the logic involved and the envisaged consequences of this processing for the data subject;
M. Where Sabeel Ltd intends to process the data for a purpose other than that for which the data were collected, Sabeel Ltd must provide the data subject with a further notification, including reminding him or her of his or her statutory rights in respect of that processing.
N. Where Sabeel Ltd obtained personal data of a data subject other than directly from the data subject, Sabeel Ltd must provide the data subject with the information outlined above together with:
O. The name and contact details of the source of the personal data and, if applicable, whether it came from publicly accessible sources.
In this second case, Sabeel Ltd must provide this information to the data subject no later than one month after obtaining it or when it is first used to communicate with the data subject (if that is its purpose), whichever is the sooner. Sabeel Ltd is also required to communicate the above information to a data subject no later than when it is disclosed to another recipient. As a matter of policy, Sabeel Ltd does not disclose personal data to third parties for any purpose other than the processing of that data in relation to payment of wages, salaries or expenses or the processing of donations, and for that purpose alone. Where the data subject is attending a Sabeel Ltd function, Sabeel Ltd may need, in order to facilitate the operation of that function and the attendance of the data subject, Sabeel Ltd does not sell or transfer personal data to any organisation for the purpose of direct marketing or for any purpose other than the processing of payments or the booking of accommodation or travel as outlined above.
Record keeping
Sabeel Ltd as controller has a responsibility to keep written records (which may be stored in electronic form) in accordance with Article 30. These records are (as applicable to Sabeel Ltd):
A. name and contact details of Sabeel Ltd as controller;
B. the purposes of the processing;
C. description of the categories of data subjects and of the categories of personal data;
D. categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
E. where applicable, transfers of personal data to a third country (outside of the EEA) or an international organisation, including the identification of that third country or international organisation and, in the case of transfers carried out in relation to performance of a contract between Sabeel Ltd and the data subject, a description of suitable safeguards in place to protect the rights and freedoms of the data subject;
F. where possible, the envisaged time limits for retention of the different categories of data;
G. a general description of the technical and organisational security measures in place to safeguard the rights and freedoms of the data subject.
These records may be made available to the regulator on request.
Information Security Measures
Sabeel Ltd has put in place, and will continue to monitor and maintain, a number of systems, processes and procedures to ensure and assure that the personal data of data subjects, be they employees, volunteers, donors or clients, is kept securely and safely at all times. These measures include but are not limited to: encryption of all data sets at rest; control of all backup datasets, which are in any event encrypted; and maintaining physical and logical security in relation to access to any personal data. The person responsible for information security at Sabeel Ltd is Y, the information technology manager.

Data Protection Breaches
A data protection breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Any employee, servant or agent of Sabeel Ltd, or any volunteer working with Sabeel Ltd, who becomes aware of a data protection breach or a possible data protection breach is required to inform the data protection manager as soon as possible. On becoming aware of a breach, Sabeel Ltd as controller is obliged to inform the regulator within 72 hours. Data subjects must be informed of any breach affecting their personal data within X days unless Sabeel Ltd is able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.

Penalties
Everyone working for and with Sabeel Ltd is reminded that data protection is taken very seriously both by Sabeel Ltd and by the community as a whole. From 25.05.18 very serious financial penalties may be applied by a competent data protection supervisor (regulator) for breaches of the law and failure to keep personal data safely and securely. These penalties could be sufficiently large to close down Sabeel Ltd. The maximum fine that can be levied is €20m or 4% of worldwide revenue.