Introduction
As part of its daily operations and function, GeSI needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
Why this policy exists
This data management policy ensures GeSI:
- Complies with data protection law and follows good practices;
- Protects the rights of members, staff and partners;
- Is transparent about how it stores and processes individuals’ data;
- Protects itself from the risks of a data breach.
Data Protection Law
The General Data Protection Regulation (GDPR) applies in Belgium and across the EU from May 2018. It requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- The controller shall be responsible for, and be able to demonstrate, compliance with the principles;
People and Responsibilities
Appointed Data Protection Officer (DPO): GeSI – Programmes and Communications Manager
In charge of:
- Keeping senior management and board updated about data protection issues, risks and responsibilities;
- Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with the agreed schedule;
- Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the company’s use of their data;
- Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the GDPR principles.
Scope of Information to be Processed
Data processed include:
Individuals
- Personal history:
- Name and surname
- Date of birth
- Place of birth
- Postal address
- Picture
- Voice recordings
- Proof of identity (ID, Passport)
- Health certificate (COVID Certificate)
- Bank details
- Social Security details
- Email addresses
- Telephone numbers
- Digital Signature
- License Plate number
- Professional history:
- CV
- Work Contracts
Corporations
- Postal addresses
- VAT numbers
- Annual revenue
- Bank details
- Company contacts
- Supplier information
- Branding materials
- Contracts and agreements
Data is collected from:
- GeSI Website (www.gesi.org)
- GeSI Newsletter
Consent:
Companies and individuals agree to the processing of data by:
- Signing the GeSI Constitution
- Signing partnership agreements
- Subscribing to the GeSI Newsletter
Data is stored in:
- GeSI Protected SharePoint accessible via all staff laptops
- GeSI Members Portal
- GeSI Email accounts (luis.neves@gesi.org; v.srivastava@gesi.org)
- Microsoft Office 365 GeSI Environment
- GlueUp – Customer Relationship Manager tool
To ensure the data is:
- Accurate, not duplicated, complete and relevant to the purpose
- Not excessive, up-to-date
- Not kept for longer than necessary
Measures in place to clean and update records include:
- Temporary records are deleted as soon as their purpose is completed
- Records undergo updating procedures every month
GeSI only processes data of individuals who have a direct relationship with GeSI (such as our members, subscribers of our newsletter, etc.). GeSI’s Data Controller is registered and located in Belgium; in addition to this policy, we therefore also comply with all the policies under Belgian and European law.