Privacy policy
City Year South Africa values and respects the privacy of all of our website visitors and e-mail recipients. The privacy policy below details our practices for collecting, using and disclosing personally identifiable information. This Website (www.cityyear.org.za) is maintained and operated by City Year South Africa.
Last updated: October 7, 2020
This Privacy Policy describes our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.
We use Your Personal data to provide and improve the Service. By using the service, you agree to the collection and use of information in accordance with this privacy policy.
The City Year South Africa website is hosted in the United Kingdom and monitored by the City Year South Africa team. City Year, Inc. staff may advise on web content.
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to City Year South Africa, 41 Fox Street, Marshalltown, Johannesburg 2107.
- Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Country refers to: South Africa
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Personal Data is any information that relates to an identified or identifiable individual.
- Service refers to the Website.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Website refers to City Year South Africa, accessible from cityyear.org.za
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Information tracked by City Year South Africa
City Year South Africa collects web usage statistics strictly for the purpose of managing and maintaining our Websites. All such information is anonymous. The uses of this data are for technical and/or content-development purposes, such as troubleshooting, detecting security risks, and optimizing navigation and other features.
We use various software programs that summarize visitor activity data, which may include: TCP/IP addresses, URLs visited on the City Year South Africa Website, and referring Websites, applications and sources.
Also, like many others, this site uses cookies to help us personalize your experience. Cookies allow websites to store your preferences so that it can recognize you when you come back and can respond appropriately.
Except as might be required by law, we do not share, sell, rent or otherwise disclose any information we receive from you with any third parties.
Types of data collected
Personal Data
While using Our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:
- Email address
- Usage Data
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as your device’s internet protocol address (e.g. IP address), browser type, browser version, the pages of our service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When you access the service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that your browser sends whenever you visit our service or when you access the service by or through a mobile device.
Tracking Technologies and Cookies
We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze Our Service. The technologies We use may include:
- Cookies or Browser Cookies. A cookie is a small file placed on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if You do not accept cookies, you may not be able to use some parts of our service. Unless you have adjusted Your browser setting so that it will refuse cookies, our service may use Cookies.
- Flash Cookies. Certain features of our service may use local stored objects (or flash cookies) to collect and store information about your preferences or your activity on our service. Flash cookies are not managed by the same browser settings as those used for browser cookies. For more information on how you can delete flash cookies, please read “Where can I change the settings for disabling, or deleting local shared objects?” available at https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html#main_Where_can_I_change_the_settings_for_disabling__or_deleting_local_shared_objects_
- Web Beacons. Certain sections of our service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be “Persistent” or “Session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser. Learn more about cookies: What Are Cookies?.
We use both Session and Persistent Cookies for the purposes set out below:
Necessary / Essential Cookies
Type: Session Cookies
Administered by: us
Purpose: These cookies are essential to provide you with services available through the website and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.
Cookies Policy / Notice Acceptance Cookies
Type: Persistent cookies
Administered by: us
Purpose: These cookies identify if users have accepted the use of cookies on the website.
Functionality Cookies
Type: Persistent cookies
Administered by: us
Purpose: These cookies allow us to remember choices you make when you use the website, such as remembering your login details or language preference. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you use the Website.
For more information about the cookies we use and your choices regarding cookies, please visit our Cookies policy or the cookies section of our privacy policy.
Use of Your Personal Data
The company may use personal data for the following purposes:
- To provide and maintain our service, including to monitor the usage of our service.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services you have purchased or of any other contract with us through the Service.
- To contact you: To contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information.
- To manage your requests: To attend and manage your requests to us.
- For business transfers: We may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by us about our service users is among the assets transferred.
- For other purposes: We may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our service, products, services, marketing and your experience.
We may share your personal data in the following situations:
- With Service Providers: We may share your personal data with service providers to monitor and analyze the use of our service, to contact you.
- For business transfers: We may share or transfer your personal data in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- With Affiliates: We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy policy. Affiliates include our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with us.
- With business partners: We may share your information with our business partners to offer you certain products, services or promotions.
- With other users: when you share personal data or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If you interact with other users or register through a third-party social media service, your contacts on the third-party social media service may see your name, profile, pictures and description of your activity. Similarly, other users will be able to view descriptions of your activity, communicate with you and view your profile.
- With Your consent: We may disclose your personal data for any other purpose with your consent.
Retention of Your Personal Data
The company will retain your personal data only for as long as is necessary for the purposes set out in this privacy policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The company will also retain usage data for internal analysis purposes. Usage data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our service, or we are legally obligated to retain this data for longer time periods.
Transfer of your personal data
Your information, including personal data, is processed at the company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.
Your consent to this privacy policy followed by your submission of such information represents your agreement to that transfer.
The company will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal data.
Disclose of your personal data
Business Transactions
If the company is involved in a merger, acquisition or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
Law enforcement
Under certain circumstances, the company may be required to disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The company may disclose your personal data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the company
- Prevent or investigate possible wrongdoing in connection with the service
- Protect the personal safety of users of the service or the public
- Protect against legal liability
Security of your personal data
City Year uses various security measures to ensure the safety of your personal data. We strive to follow best practices regarding network and server configuration, firewalls, security patches and other measures to protect all data on City Year systems. However, we cannot guarantee that these measures will prevent the theft or unintentional disclosure of personally identifiable data.
City Year staff will never ask you to supply sensitive financial and personal data over the phone or email.
Donor Privacy Policy
City Year South Africa is committed to cultivating and maintaining strong relationships with our donors built on mutual trust. The privacy policy applies to collection of information, including information collected on our website. By submitting your information to us or to any of our staff, you consent to the terms and conditions of the policy and to our processing personal data for the purposes stated in the privacy policy.
Links to other websites
We provide links to other websites that may contain information of interest to our visitors, and for the purpose of submitting online donations. City Year South Africa takes no responsibility for, and exercises no control over, third part organizations’ privacy policies, security practices, views or the accuracy of any information contained on other such websites.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
Accessibility
City Year South Africa strives to provide a Web site that is accessible to all visitors. Please contact us at infosouthafrica@cityyear.org.za if you have problems accessing any part of our website.
Using Text and Images
All information provided on this website that is not secured is considered public information. Logos of leadership sponsors and other partners on the City Year South Africa website are the trademarks of their respective companies. All other images, including the City Year logo and patch, are copyrighted material and may not be reused without explicit written permission from City Year South Africa. Please contact the Communications department at infosouthafrica@cityyear.org.za for permission to use text or images.
International Users
Our Website is hosted in the United Kingdom and is intended for and directed to users in South Africa. If you access the website from any region or country with laws or regulations governing personal data collection, use, and disclosure, that differ from UK or South African laws, please be advised that through your continued use of the website, which is governed by UK or South African law and this privacy policy, you are transferring your personal data to the UK and South Africa and you consent to that transfer.
Personal Data
“Personal Data” is information that identifies you personally, such as your name, address, telephone number, and email address. We collect and store the personally identifiable information that you have provided us. Here are some examples of ways in which we may collect your information.
- We may collect your name, email address and other contact information if you register for an event.
- We may collect your name, email address, telephone number and payment information when you make a contribution through City Year Inc, Givengain, or via bank transfer
The above list provides a sample of personal data that may be collected by City Year South Africa. From time to time, we may collect personal data from you in ways not described above.
Use and disclosure of private data
We safeguard, according to high standards of security and confidentiality, any information our users share with us.
We will only share your personal data if you give us specific permission to do so.
We will permit only a limited number of authorized employees, who are trained in the proper handling of donor information, to have access to that information. Employees who violate our privacy policy will be subject to our disciplinary process.
We will not sell, trade, or share your personal data, collected on the website or through any other business activities with anyone else.
We will not send you mailings on behalf of other organizations.
We will use your information to comply with the law or in the good faith belief that such action is necessary to conform to the requirements of law or comply with legal process served on us, protect and defend our rights or act in urgent circumstances to protect the personal safety of others.
We will use the personal data to protect against potential fraud. We may verify with third parties the information collected in the course of processing a gift, event registration or other donation.
You have the right to review information that we have collected about you.
To review that information please contact us in writing at 41 Fox Street (Edura House)
Marshalltown
Johannesburg 2107
Changes to this privacy policy
City Year reserves the right to modify this privacy policy at any time without notification. Any such changes will be reflected on this privacy policy page. Any change, update, or modification will be effective immediately upon posting on our website. Please check this page periodically for changes or updates that may affect you.
Data protection principles
At City Year South Africa we take your privacy seriously and are committed to protecting your personal data. We endeavor to ensure that your personal data will be processed in accordance with the General Data Protection Regulations and that:
- it will be processed fairly and lawfully.
- it will be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- it will be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- it will be accurate and, where necessary, kept up to date.
- it will not be kept for longer than is necessary for that purpose or those purposes.
- it will be processed in accordance with the rights of data subjects under this legislation.
- technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
City Year South Africa will from time to time collect personal data about you in order to support our charitable purpose. We will not distribute or pass your personal data to third parties unless we have your consent or are required by law to do so.
Scope
By using our site, you consent to our website’s privacy policy.
Subject access requests
Any member of the public who is a subject of personal data held by City Year South Africa are entitled to:
- Ask for what information the charity holds about them and why.
- Ask how to gain access to the information held about them.
- Be informed on how to keep the data up to date.
- Be informed on how the charity is meeting its data protection obligations.
Please write to:
City Year South Africa
41 Fox Street (Edura House)
Marshalltown
Johannesburg 2107
We will comply as soon as reasonably possible.
Complaints Procedure
If anyone wishes to complain to City Year South Africa about how their personal data has been processed, how their (GDPR) complaint has been handled, or appeal against any decision made following a complaint they can do so by writing to:
41 Fox Street (Edura House)
Marshalltown
Johannesburg 2107
Contact us
If you have any questions about this privacy policy, you can contact us:
By visiting this page on our website: www.cityyear.org.za/contact-us
What personal data is collected and on what lawful basis?
1. Recruitment
The recruitment department collects information about individuals interested in joining City Year South Africa, including contact details (name, address, email address, telephone number), educational institution attended, and personal demographic/background information (such as age, sex, ethnicity). An expression of interest will only be advanced and personal data collected if consent is granted on the initial form. It is then recorded on the contact’s record.
2. Program
Program obtains the above information about individuals if they become volunteer mentors. On joining the program, a Volunteer Agreement and Confidentiality Agreement are signed and recorded on the contact’s record. The volunteer mentor also marks that they
have read this Data Protection policy. The Agreement provides City Year South Africa with the legitimate interest to hold and process their personal data for the duration of their year of service. More detail about the information we collect and how we use it is in section 2 below.
When volunteer mentors complete their year of service with City Year South Africa and become alumni, program may then ask for consent, via a privacy notice, to hold their information for impact reporting purposes and this is recorded on the contact’s record.
Program processes school data about pupils in the schools in which we serve.
The department collects the following details: first names and surnames, information about whether the pupil is eligible for free school meals, has special educational needs, speaks English as an additional language, and the year in which they would have completed year 11/GCSEs. They also collect school pupils’ progress data throughout the year in order to measure the impact of the program.
Only program staff are able to identify the pupils by name and all data is anonymized for use in impact evaluation and reporting across the organization. There is a GDPR agreement between the partner school and City Year South Africa that covers this data collection under legitimate purpose for the period of the partnership.
3. Development
The Development department collects details about corporate and trust funders, individual donors, corporate volunteers and prospective supporters. Development also records contact details of key contacts at our current funders and prospective funders’ organizations under legitimate purpose (name, email address, organization and job title) to support with the stewardship of our partners and new business funding requests.
When making an individual donation, contacts’ details (name, address, email address, telephone number), and information about the amount donated is collected. When making an online credit card donation individual givers’ payment details are processed through a third-party secure server payment gateway.
When required, consent is requested via an online privacy notice and is recorded on the contact’s record.
4. Communications
The communications department collects contact details from individuals external to City Year South Africa through various marketing systems. When people visit our website, City Year South Africa asks for their consent for the use of ‘cookies’ which are a type of file stored on internet devices (PC, phone or tablet) and used by most websites in various ways, including enabling visitors to login and generally personalize and improve the online experience.
Why is data collected and how do we use it?
1. Recruitment (staff & VMs)
Recruitment collects information for the purposes of contacting and keeping track of applicants, and for equal opportunities monitoring within City Year South Africa. If an applicant is successful, the information will be used for personnel records and payroll and other payment purposes which will be processed both manually and automatically. We may also use aggregate information for reporting purposes, but this will not include personal data; for example, we create statistics and related graphs to show the level of ethnic diversity across volunteer mentors through figures and do not include names.
City Year South Africa will use your data to apply for necessary DBS checks only if you are successful in getting a place on our program. At this stage we will also be required to see original identification documentation. Your personal data supplied for the purpose of this application will be kept for as long as necessary. Once the checks are submitted or you are unsuccessful in gaining a place on the program, we will delete scans/shred paper copies of documentation that you provided.
2. Program
Pupils
A major component of volunteer mentor activity is engaging with pupils who are at risk of falling behind with their attendance, behavior or curriculum. City Year South Africa needs this information about each pupil to compile such lists and to assess our impact in anonymized reports.
Volunteer Mentors
For the duration that a volunteer mentor is on the program we will retain personal and sensitive information about their health and well-being and their progress throughout their year of service, through their personal development plan, surveys and in limited cases, occupational health assessments. We will also retain interview notes and observation records. We may require them to complete a CV which will be used to support their career development by sharing their C.V.s (with permission) with third parties for Interview Skills practice and share information about them with their Corporate Mentor while we are matching them. We will also gather stories, quotes and photos from their experience of their service year and will use these to communicate the positive experiences of completing a year of service.
Safeguarding
We ensure that no identifying details are recorded by program staff and that the only information we hold about a safeguarding incident is a log of the nature of the incident. The only exception to this is when an issue is raised about a child outside of the school setting, in which case an email with the details of concern will be emailed to the school. This email will remain confidential and held in a closed Google team drive accessible only to Designated Safeguarding Leads in the organization.
Alumni
It is important to City Year South Africa that we keep in touch with previous volunteer mentors. We often need to provide references and verification of full-time volunteering. We want to understand what alumni go on to do, find ways of supporting them in their future career paths and keep them engaged in the City Year South Africa mission.
3. Development
Development collects personal data to process donations and to collect Gift Aid on donations. Development needs to keep a record of who donates and when for our financial records and to pursue future donations. Development also contacts corporate volunteers and funders, who are supporting our work, about upcoming events and news to keep them updated.
4. Communications
The communications department aims to inform stakeholders, members of the public, political, potential funders and recruits about City Year South Africa’s mission and how they can support with growth and impact of the program. It is essential then that we collect contact details and personal data about those who interact with us, or may wish to, to increase City Year South Africa’s communication reach.
How is data protected?
We will keep all personal data secure. Most of the data collected across departments is stored and safely protected (via password access) in Salesforce. Data may also be stored in City Year South Africa shared drive which is only accessible to City Year South Africa staff by role (via personal login and two step verification), and some folders/documents with particularly sensitive data will be password protected with restricted access to only the necessary members of relevant staff.
By locking computers when staff are away from their desks, especially if individuals are not on City Year South Africa premises, City Year South Africa reduces the risk of personal data being accessed by unauthorized individuals.
Our data servers are continuously monitored, and underlying infrastructure is used to protect them from threats, including spam, malware, viruses and other forms of malicious code. We use encryption to keep data safe and private while it is in transit.
In the rare case where a physical document is required, the documents are stored in locked filing cabinets, and the data is shredded and destroyed as soon as it is no longer needed.
How long do we store data for? (retention)
Our approach is that we do not keep any information about individuals for longer than needed.
For volunteer mentors, this is for the period of their volunteering year of service.
Other contacts have retention periods defined by the specific use of their data in line with reasonable operational need.
Data auditing is also something that occurs periodically across the organization. We will contact individuals to ask for updated details at regular intervals.
How can individuals stop City Year South Africa from contacting them?
Volunteer mentor applicants, corporate volunteers and donors can either opt-out when contacted by us (mostly by email) or can contact us to correct or erase data. If individuals sign-up to our newsletter they will have the option to unsubscribe at any point and will then be removed from our contact database.
What is the process for deleting data?
Each department has a destruction schedule based on the retention period for each category of data.
If the data is stored in hard copy (e.g. paperwork) all departments use a shredder or secure destruction bin to safely dispose of documents. If the data is stored digitally (e.g. in emails or on the shared drive) the data needs to not just be deleted from the folder, but in some cases ‘double’ deleted – so deleted from the ‘recycle bin’ on email or desktop.
On G Suite, we use the spanning backup and all ex-staff files are exported and archived under a secure account that is only accessible to the IT department. Closed Spanning accounts data is purged after 30 days. Windows server – S Drive backups are done daily to Zen backup off site servers. This data backup service retains data backups for 30 days. For all off site backups data is moved and stored using 256-bit AES encryption.
On Salesforce, we have an automated process that flags when retention periods end so that a consent renewal request can then be sent. Any personal data without consent or legitimate purpose is then deleted. This also happens when individuals opt-out of our direct mailing at anytime.
What happens when we receive a subject access request?
Any member of the public who is a subject of personal data held by City Year South Africa is entitled to:
- Ask for what information the charity holds about them and why.
- Ask how to gain access to the information held about them.
- Be informed on how to keep the data up to date.
- Be informed on how the charity is meeting its data protection obligations.
Should any employee receive a request for personal data or a complaint (either formally under the general data protection regulations or informally as an ad hoc request), then please forward it to infosouthafrica@cityyear.org.za
We will comply as soon as reasonably possible.
Complaints Procedure
If anyone wishes to complain to City Year South Africa about how their personal data has been processed, how their (GDPR) complaint has been handled, or appeal against any decision made following a complaint they can do so by emailing infosouthafrica@cityyear.org.za
Data Breach Procedure
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, City Year South Africa shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office (more information on the ICO website).
Data protection principles
City Year South Africa is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
GDPR Principles that apply to this policy
General provisions
This policy applies to all personal data processed by us.
This policy shall be reviewed at least annually.
Lawful, fair and transparent processing
Individuals have the right to access their personal data and any such requests made to us shall be dealt with in a timely manner.
Lawful purposes
All data processed by us must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
We will note the appropriate lawful basis in the Register of Systems.
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in our systems.
Data minimization
We will ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
We will take reasonable steps to ensure personal data is accurate.
Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Archiving / removal
To ensure that personal data is kept for no longer than necessary, we will put in place an archiving policy for each area in which personal data is processed and review this process annually.
The archiving policy shall consider what data should/must be retained, for how long, and why.
Security
We will ensure that personal data is stored securely using modern software that is kept-up to date.
Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information.
When personal data is deleted this should be done safely such that the data is irrecoverable.
Appropriate backup and disaster recovery solutions shall be in place.