DATA PROTECTION AND PRIVACY POLICY
Introduction
At Legal Action Worldwide (LAW), we are committed to being transparent about how we collect and use personal data and to ensuring compliance with data protection obligations. This policy sets out LAW’s commitments to data protection, and individual rights and obligations in relation to personal data.
1. Data protection principles
LAW is committed to processing data in accordance with applicable data protection laws, including the Swiss Federal Act on Data Protection (FDPA) and the General Data Protection Regulation (GDPR).
2. General provisions
This policy applies to all personal data, set out below, processed by LAW.
LAW understands that storing data in a secure manner is essential.
LAW stores personal data using reasonable physical, technical and administrative safeguards to secure data against foreseeable risks such as unauthorized disclosure and use, alteration, or destruction of data.
Personal data collection shall be limited to LAW internal use only. LAW shares this information with certain service providers strictly as needed for their services, and only for that purpose. The collected personal data is not sold, disclosed, rented, or otherwise shared with third parties.
LAW processes personal data only for the purposes for which they were provided.
3. Lawful purposes
LAW’s processing of personal data is based on the principle of lawfulness and relies on one of the following legal bases:
- written consent
- contract (e.g. staff recruitment)
- compliance with a legal obligation (e.g. social declarations)
- public interest: the public interest pursued by LAW is to provide legal information, assistance and representation to some of the most vulnerable victims of human rights violations and international crimes.
- prosecution of specified, explicit and legitimate interests of LAW
Questions about this policy, or requests for further information, should be directed to info@legalactionworldwide.org.
4. Definitions
“Personal data” is any information that relates to a living individual who can be identified from that information.
“Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
“Data subject” is the person whose data is being processed.
“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
5. Data processing: Purpose and Personal information collected
- Communication: LAW may use information collected to create a mailing list to send communication materials such as: newsletters, articles, letters/advocacy calls, event invitations, fundraising appeals. Personal information collected includes emails, name, surname, job title, agency, social media account name as well as other data possibly included in registration forms for events.
- Human resources: LAW may collect data for managing human resources and/or for recruitment purposes. Personal information collected includes CV, address, next of kin, passport, education certificates, references, criminal records, personal coordinates (email, phone, etc), proof of life, driving license, birth certificate, residency certificate, bank details, pension scheme details, insurances, salary slips, CSI Watchdog reports as well as other data possibly provided within the scope of the recruitment process or employment period.
Where LAW processes special categories of personal data or criminal records data to perform obligations, to exercise rights in employment law, or for reasons of substantial public interest, this is done in accordance with relevant legislation applicable in country.
LAW will update HR-related personal data promptly if an individual advises that their information has changed or is inaccurate.
Personal data gathered during the employment, contract or internship is held within the individual’s personnel file (both hard copy and electronic format), and on HR systems. LAW will keep a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
- External parties such as donors and partners: name, surname, address, email address, financial data such as payment information, organization, job title.
- Legal activities: LAW may collect and use information from beneficiaries, victims and survivors of human rights violations as well as suspected perpetrators of those crimes in the context of legal assistance as well as documentation, investigation or preparation of case files. Personal data collected may include name, surname, address, email address, contact information, gender, thumb prints, ethnicity, hometown, age, parents’ names, immediate family (spouse, children), relevant identification number and other data possibly provided or collected from publicly available sources.
6. Data minimisation
- LAW shall ensure that personal data stored and processed by LAW are adequate, relevant and limited to what is necessary for the purposes of processing.
- LAW shall keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- LAW shall keep personal data only for the period necessary for processing.
- LAW shall adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
7. Individual rights
Individuals have the right to make a subject access request. When LAW receives such a request, it will inform the individuals of the following:
- whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
- to whom their data is or may be disclosed, if applicable to include recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long their personal data is stored or how that period is decided;
- their rights to rectification or erasure of data, or to restrict or object to processing;
LAW shall stop processing or erase data if the individual’s interests override LAW’s legitimate grounds for processing data (whereby LAW relies on its legitimate interests as a reason for processing data);
LAW shall stop processing or erase data if processing is unlawful; and stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the organisation’s legitimate grounds for processing data.
8. Data security
LAW takes the security of personal data seriously and has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where LAW engages with third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
9. Impact assessments
Some of the processing that LAW carries out may result in risks to privacy. Where processing would result in a high risk to individual rights and freedoms, LAW will carry out an impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
10. Data transfers
Unless explicitly stated otherwise, personal data is only shared with LAW employees for the proper performance of their duties, and, in limited cases, with third parties such as service providers and contractors working under obligations of confidentiality and appropriate contractual safeguards, solely to provide services to LAW.
HR-related personal data may be transferred to countries outside the EEA for recruitment purposes using secure systems.
11. Data retention duration
LAW processes and stores data for the duration necessary to fulfill contractual or legal obligations, for the duration required for the purposes for which they were collected, as long as legitimate interests persist, or until the given consent is withdrawn. In certain circumstances, LAW may be obliged to retain personal data for a longer period due to legal requirements.
12. Data breach
Should LAW discover that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Executive Director and relevant authorities (if applicable in relevant countries) within 72 hours. As an organisation, LAW will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will inform the affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
13. Controller of Personal data processing
All personal data processed by LAW in the context of this Policy are controlled by LAW, which is considered to be the data controller.
Contact: info@legalactionworldwide.org
Address: Rue de Varembé 3, Third Floor, 1202 Geneva, Switzerland
This Privacy Policy went into effect on 21st December 2023. LAW reserves the right to update this Privacy Policy from time to time, as laws evolve or as our services or processing activities change. If LAW updates its Privacy Policy, it will post a new version on its website.