📜 Personal Privacy and Data Protection

Version 1.0 | This Policy was approved on 01 December 2023.


Introduction

Definitions

This document employs terms related to the DCDR Advocacy that can be found in the TIOF terminology.

For a structure of The IO Foundation, please visit

About this document

This document, hereinafter the Policy, sets out the position maintained by TIOF in matters of Data Privacy and Data Protection that you will need to be aware of while being a TIOF Member. You should familiarize yourself with it and comply with it at all times. Any questions you may have with regard to its contents or what you have to do to comply with it should be referred to your corresponding Team Human Resources Manager.

Any Member who breaches this Policy will face disciplinary action, which could result in dismissal for gross misconduct. Any non-employee who breaches this Policy may have their contract (or equivalent official relationship with TIOF) terminated with immediate effect.

This document complements TIOF's Code of Conduct.

This document does not form part of any Engagement Document and we may amend it at any time following the procedures described in TIOF's Statute.

Scope

This document directly applies to:

This document indirectly applies to:

The policies set out in this document apply to all TIOF Members unless otherwise indicated. They therefore apply to Members of the Boards (Directors, Advisers, Consultants), Employees, Volunteers and Interns; this is irrespective of their engagement type. They equally apply to all Contributors and will be used as part of the selection criteria when engaging with them.

This Policy applies within all TIOF Spaces, including (although not limited to) management activities, contributions or events; it also applies when an individual is officially representing the organization in public spaces. Examples of representing the organization include (although not limited to) using an official e-mail address, posting via any official channel or acting as an appointed representative at an event.

Review and Amendments

This policy shall be reviewed regularly to ensure its continued relevance and effectiveness. Amendments may be made to adapt to new legal requirements, changing circumstances or to better serve the organization's Mission.

Policy details

Data Privacy and Personal Privacy Interest statement

The IO Foundation, in accordance with its Data-Centric Digital Rights advocacy, is fully committed to upholding the highest standards of data privacy and security, complying with applicable laws, including Europe's GDPR, U.S. privacy laws, Estonian data protection regulations, and Malaysia’s PDPA.

The organization will strive to safeguard the personal data of its members, beneficiaries, partners as well as any organization or individual with whom it engages.

The IO Foundation processes personal data lawfully, fairly and transparently, ensuring that it is securely managed and used only for legitimate purposes.

Protecting the privacy and rights of users is a core priority. The organization will continuously monitor both international data protection and personal privacy standards and improve its practices to maintain integrity and confidentiality at all times.

Definitions

  • Personal Data: Any information related to an identified or identifiable natural person.

  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use or disclosure.

  • Data Subject: A natural person whose personal data is processed by the organization.

  • Data Controller: The entity that determines the purposes and means of the processing of personal data.

  • Data User: An individual or entity, including TIOF Members, TIOF Collaborators or any other third parties, who is authorized by the organization to access, use or process personal data in line with the purposes defined by the Data Controller. Data Users must handle personal data in compliance with this policy, relevant laws and the instructions provided by the Data Controller to ensure the privacy and security of the data.

  • Data Processor: The entity that processes personal data on behalf of the Data Controller.

Principles of Data Processing

The IO Foundation adheres to the following principles for the lawful, fair and transparent processing of personal data:

  • Lawfulness, Fairness and Transparency: Personal data is processed lawfully, fairly and in a transparent manner with respect to the data subject.

  • Purpose Limitation: Personal data is collected for specified, explicit and legitimate purposes, strictly for the advancement and achievement of its advocacy, and is not further processed in a manner incompatible with those purposes.

  • Data Minimization: Only data that is necessary for the specified purposes is collected.

  • Accuracy: The organization ensures personal data is accurate and kept up-to-date. Inaccurate data is erased or rectified without delay.

  • Storage Limitation: Personal data is retained only for as long as necessary for the purposes for which it was collected. The data subjects are entitled to access and deletion of their data at any given time upon request.

  • Integrity and Confidentiality: Personal data is processed securely, ensuring protection against unauthorized or unlawful processing and accidental loss, destruction or damage.

  • Accountability: The organization is responsible for demonstrating compliance with data protection laws and this policy.

Lawful Bases for Processing

The IO Foundation will only process personal data if at least one of the following legal bases applies:

  • Consent: The data subject has given explicit consent for the processing of their personal data for one or more specific purposes.

  • Contractual Necessity: Processing is necessary for the performance of a process to which the data subject is a party or to take pre-contractual steps at the request of the data subject.

  • Legal Obligation: Processing is necessary to comply with a legal obligation to which the organization is subject.

  • Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person.

  • Public Interest: Processing is necessary for the performance of a task carried out in the public interest.

  • Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the organization or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Rights of Data Subjects

Data subjects have the following rights regarding their personal data:

  • Right to Access: Data subjects have the right to request and obtain confirmation as to whether personal data concerning them is being processed, and if so, to access the data and information about the processing.

  • Right to Rectification: Data subjects have the right to request the correction of inaccurate personal data or completion of incomplete data.

  • Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

  • Right to Restrict Processing: Data subjects can request the restriction of processing under specific conditions.

  • Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller.

  • Right to Object: Data subjects have the right to object to the processing of their personal data based on legitimate interests or public interest, including profiling.

  • Right to Withdraw Consent: If personal data is processed based on consent, the data subject has the right to withdraw consent at any time without affecting the lawfulness of the processing based on consent before its withdrawal.

Data Collection and Processing

The IO Foundation collects personal data in the following ways:

  • Directly from the Data Subject: Through registration forms, surveys, applications, email or other direct interactions.

  • Automatically: Through the use of cookies or other tracking technologies on our website and other platforms.

  • Third Parties: Where lawful, personal data may be obtained from third-party sources for specific purposes (e.g., partnerships, publicly available data).

The data collected may include:

  • Personal Identification Information:

    • Full name, address, phone number, email address, date of birth and sex.

    • Identification numbers such as passport number, national identification card or driver’s license.

  • Professional Information:

    • Employment details such as job title, employer, work address and work contact information.

    • Professional qualifications, resumes or work experience where relevant (e.g., for volunteers or job applicants).

  • Financial Information:

    • Bank account details, payment card numbers or other financial information where necessary for processing donations, grants or disbursements.

    • Tax identification numbers for regulatory or reporting purposes.

  • Demographic Information:

    • Information related to nationality and language preferences when relevant for the organization’s operations or for delivering culturally appropriate services and information.

  • Sensitive Personal Data:

    • Data such as health information, disability status, religious or philosophical beliefs or other sensitive categories of data when necessary for providing specific services (for example when organizing events), complying with legal requirements or safeguarding individual rights.

  • Location Data:

    • IP addresses or geographic location data collected through interactions with our website or other platforms to improve service delivery, support analytics relevant to the advancement and achievement of the organization's advocacy, and provide region-specific content.

  • Technical Information:

    • Device type, operating system, browser type and browsing behavior (e.g., pages visited, links clicked among others) gathered automatically through cookies and other appropriate tracking technologies.

  • Communication Data:

    • Records of communications with our organization, including emails, phone calls and any other interaction or correspondence made via our website, social media or other official communication channels.

  • Survey or Feedback Data:

    • Responses to surveys, questionnaires, feedback forms or program evaluations conducted to assess the impact of our activities or improve future operations.

  • Volunteer and Event Data:

    • Information provided by individuals who register for the organization's events, participate in programs or offer volunteer services, including availability, skillsets and preferences for activities.

  • Photographs, Audio, and Video Data:

    • Media files such as photographs, video recordings or audio files, which may be collected during events, workshops or other activities, with explicit consent for specific purposes.

This data is collected only to fulfill specific programmatic, operational, legal or regulatory purposes and will always be handled with the utmost care to protect individual privacy and confidentiality. The organization does not collect more data than necessary and data subjects have the right to request access, correction or deletion of their data as outlined in this policy.

Data Retention

The IO Foundation retains personal data only for as long as necessary to fulfill the purposes for which it was collected, in line with legal, regulatory or contractual obligations and observing at all times the provisions detailed in this policy. Upon expiration of the retention period, personal data will be securely deleted, anonymized or archived in compliance with applicable laws.

Data Security

The IO Foundation implements appropriate technical and organizational measures to protect personal data from unauthorized access, misuse, alteration or destruction. These measures include:

  • Encryption of personal data whenever technically possible

  • Access controls to limit data access to authorized TIOF Members only

  • Regular security audits and reviews

  • Employee training on data privacy and security best practices

Data Transfers

Personal data may be transferred to countries outside the European Economic Area (EEA), the United States and Malaysia. Where such transfers occur, the organization ensures that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other lawful mechanisms, to protect the data in accordance with applicable laws.

Data Breach Notification

In the event of a data breach, on the part of the organization or one of its applicable data controllers, data users or data processors, that poses a risk to the rights and freedoms of data subjects as detailed in this policy, the organization will notify the relevant supervisory authorities without undue delay and, where required, the affected individuals. Data breach notifications will be made in accordance with applicable data protection laws, including GDPR, U.S. law, Malaysia’s PDPA and any other applicable jurisdiction.

Data Processors

When engaging third-party data processors to process personal data on its behalf, the organization will ensure that these processors comply with applicable data protection laws and adhere to this policy.

Children’s Privacy

The IO Foundation does not knowingly collect personal data from children under the age of 13 (in the U.S.) or under the relevant age of consent as defined by applicable local laws without verifiable parental consent. Should the organization discover that it has inadvertently collected data from a child without consent, it will take steps to delete such data promptly.

For more information about The IO Foundation's commitment to protecting children, please refer to TIOF's Children's Protection policy.

Changes to this Policy

The IO Foundation reserves the right to amend this policy at any time to ensure continued compliance with applicable laws. Any significant changes to this policy will be communicated to data subjects through appropriate means, including website updates or direct communication where applicable.

Contact Information

For any questions, concerns, or requests related to this policy or the processing of personal data, please contact The IO Foundation via email to: [email protected]
