Privacy Policy

1. Introduction

Relief Validation Limited is committed to safeguarding and protecting Personal Data of private individuals. RVL is aware of the risks involved, and of the importance of having appropriate data protection standards in place. These can include RVL Members, suppliers, business contacts, visitors to RVL building, employees and other people the organization has a relationship with or may need to contact.

Safeguarding the Personal Data of all these people is an essential aspect of protecting people’s lives, integrity and dignity. The Processing of Personal Data touches all areas of RVL’s activity, whether operational or administrative.

This Policy describes the principles to be followed when Processing Personal Data. It also describes how these principles should be implemented and what needs to be done in case of a Data Transfer and Personal Data Breach event in order to comply with reporting requirements.

The aim of this Policy is to:

  • a. comply with national and international data protection laws and regulations
  • b. protect the rights of Individuals
  • c. protect RVL from the risks of Data Breach, and
  • d. protect RVL from undesired legal sanctions which may include hefty fines.

2. Definations

  • Anonymization means the process of modifying data sets, making it permanently impossible to identify individuals.
  • Data Breach means a breach of security leading to the accidental or unlawful destruction, loss or alteration of – or to the unauthorized disclosure of, or access to – Personal Data transmitted, stored or otherwise processed.
  • Data ProcessorData Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • Data Processor means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the Data Controller
  • Individual(s) means a natural person (i.e., an individual) who can be identified, directly or indirectly, in particular by reference to Personal Data.
  • Data Transfer means any act that makes Personal Data accessible, whether on paper, via electronic means or the internet, or any other method to any Third Party not linked in one way or another to RVL.
  • International Organization(s) means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
  • Personal Data means any information relating to an identified or identifiable natural person. This may include an identifier such as a name or audio-visual materials, an identification number, location data or an online identifier; it may also mean information that is linked specifically to the physical, physiological, genetic, mental, economic, cultural, or social identity of an Individual. The term also includes data identifying or capable of identifying deceased person.
  • Processing means any operation or set of operations – by automated and other means – that is performed upon Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transiting, disseminating or otherwise making available, aligning or combining, or erasing.
  • Recipient means Third Party, public authority, agency or other body – that is, someone or something other than the Individual or RVL – to which the Personal Data is disclosed.
  • Sensitive Personal Data means specific Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic Data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
  • Third Country means any other country or jurisdiction outside of Bangladesh.
  • Third Party means a natural or legal person, public authority, agency or body other than the Individual or RVL.

3. Applicability of the Policy

This Policy applies to Personal Data processed by RVL. It applies to all staff members of the RVL (including hosted staff, individuals seconded by other organizations and volunteers) regardless of location and office type, Council and Commission members, other RVL stakeholders, anyone Processing Personal Data under the name of RVL or using the RVL logo or anyone using IT tools or systems provided by the RVL, collectively referred to as “RVL Personal Data Users”.

Further, it also applies to RVL as a Data Controller or Data Processor with respect to Personal Data relating to Individuals.

This Policy comprises the internationally accepted data protection principles without replacing the existing national laws. It supplements the national data protection laws. The relevant national law will take precedence in the event that it conflicts with this Policy, or it has stricter mandatory requirements than this Policy. In particular, the reporting requirements for data Processing under applicable national laws must be observed. The content of this Policy must also be observed in the absence of corresponding national legislation.

4. Principles of data processing

4.1 Legitimate and fair Processing

RVL processes Personal Data in a lawful and fair manner in relation to the Individual. RVL only processes Personal Data with respect to this Policy and applicable laws. In order to do so RVL ensures that a legal basis of Processing Personal Data exists such as the following:

4.1.1 Consent of the Individual

RVL ensures that consent is obtained from the Individual prior to Processing Personal Data. This consent is obtained in writing or electronically for the purposes of documentation and is valid only if given voluntarily. If, for any reason, the consent of the Individual is not given before Processing Personal Data, it should be secured in writing as soon as possible after the beginning of the Processing.

4.1.2 Legitimate Interest of the RVL

RVL may process Personal Data without express consent if it is necessary to enforce a legitimate interest of RVL or a Third Party provided that interest is not overridden by the interests and rights of the individual. At RVL, legitimate interest exists where there is a relevant and appropriate relationship between RVL and the Individual such as where the Individual is a Council member, Commission member, RVL Staff members etc.

4.1.3 Contractual obligation

RVL may process Personal Data in order to enforce a contract entered into with the Data Subject or to comply with a contractual obligation.

4.1.4 Compliance with a legal obligation

In other cases, the Processing of Personal Data may be necessary to comply with applicable law.

4.1.5 Public interest

RVL may process Personal Data for the performance of a task carried out in the public interest or in the exercise of official authority vested in RVL.

4.2 Transparency

RVL processes Personal Data in a transparent manner.

Communications with the Individual must be in clear and plain language, easily accessible and easy to understand. RVL Personal Data Users must provide the Individual with sufficient information about the data Processing when Personal Data is obtained. The minimum information to be provided is included in section 5.1 Right to receive information.

RVL Personal Data Users Processing Personal Data will decide how this information is to be communicated after taking into account security measures and the urgency of Processing.

4.3 Restriction to a specific purpose

When collecting Personal Data, RVL Personal Data Users determine the specific purpose(s) for which data is processed, and only process it for those purposes. All Personal Data collected should be clearly documented including the purpose for collection.

4.4 Adequate and relevant data

The Personal Data handled by RVL must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. This means that RVL Personal Data Users should not process Personal Data unless it is necessary to process it in order to achieve the purpose for which it was obtained.

4.5 Accuracy

RVL Personal Data Users must ensure that Personal Data kept on file is correct and kept up to date. Inaccurate or incomplete Personal Data should be rectified or deleted. The exception to this principle would be the case when a legitimate interest exists to retain Personal Data. Historical data, accurate at the time of collection, can be kept for as long as it is required to be kept. Once historical data is no longer necessary it should be deleted.

4.6 Integrity and confidentiality

RVL Personal Data Users must treat Personal Data in a confidential manner. They must ensure that Personal Data is securely stored with suitable organizational and technical measures to prevent unauthorized or illegal Processing.

4.7 Retention, destruction and archiving of data

RVL keeps Personal Data for as long as it is necessary to perform its activities and as is required by applicable law. Personal Data not useful for RVL should be deleted unless national legislation requires it to be retained for a certain period of time. RVL will also delete Personal Data if the Individual withdraws his or her consent for Processing unless another legal basis of processing the Personal Data exists which prevents RVL from deleting the Personal Data.

RVL may store Personal Data for archiving purposes for a determined period compatible with applicable laws.

5. Rights of the Individuals

RVL respects rights conferred to Individuals to ensure protection of Personal Data. These rights include:

5.1 Right to receive information

At a minimum, RVL Personal Data Users must provide the Individual with the following information when Personal Data is obtained:

  • whether RVL is the Data Controller;
  • the purpose of Data Processing;
  • third parties to whom the data might be transmitted;
  • the existence of this present Policy;
  • the focal point for questions/concerns or complaints.
This information should be communicated to the Individual even in cases where the Personal Data was not obtained directly from the Individual.

5.2 Right to access

The Individual may request which Personal Data relating to him or her has been collected and stored, how the Personal Data was collected, and for what purpose.

Disclosure of Personal Data should not be automatic. RVL Personal Data Users must consider all the circumstances surrounding the request for access and any restrictions to access that may be applicable. Access to Personal Data will only be given to the Individual if his or her identity can be verified.

5.3 Right to rectification

If Personal Data is incorrect or incomplete, the Individual can request that it be corrected or supplemented. This will only be considered if the identity of the Individual can be verified. Upon verification of the allegation, RVL will make the necessary change(s). In certain circumstances historical data may need to be kept in accordance with section 4.5 Accuracy

5.4 Right to erasure – “Right to be forgotten”

The Individual may request his or her Personal Data to be deleted if the Processing of such Personal Data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the Data Processing has lapsed or has ceased to be applicable for other reasons.

However, the right to erasure does not apply, and Personal Data will continue to be retained:

  • for the implementation of the Mission of RVL;
  • if it serves a public interest;
  • for historical, statistical and scientific purposes; or
  • for the establishment, exercise or defense of legal claims;
  • for other legitimate interests (legal and financial).

5.5 Right to Personal Data portability

The Individual has the right to receive his or her Personal Data in a structured, commonly used and machine-readable format and has the right to transfer such Personal Data to another Data Controller provided the Processing was based on consent or was necessary for the performance of a contract and was carried out by automated means.

Where technically feasible the Individual may request RVL to transfer his or her Personal Data to another Data Controller.

5.6 Right to object

The Individual may object at any time to compelling legitimate grounds relating to their particular situation, to the Processing of Personal Data concerning them. Such objection will be accepted if the fundamental rights and freedoms of the Individual in question outweigh RVL’s legitimate interests, or the public interest.

An objection to Personal Data Processing does not apply if a legal, contractual or financial provision requires the Personal Data to be processed.

5.7 Right to restriction of processing

The Individual has the right to restrict the Processing of his or her personal data where there exists a particular reason for the restriction. This means that the Individual can limit the way that an organization uses his or her Personal Data. This may be because:

  • the accuracy of the Personal Data is contested by the Individual;
  • the Processing is unlawful, and the Individual opposes the erasure of the Personal Data and requests the restriction of their use instead;
  • RVL no longer needs the Personal Data for the purposes of the Processing, but the Personal Data is required by the Individual for the establishment, exercise or defense of legal claims;
  • the Individual has objected to the Processing pending the verification whether the legitimate grounds of RVL override those of the Individual.

5.8 Automated individual decision-making, including profiling

The Individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

6. RVL Commitments

6.1 Responsibility/Accountability

6.1.1 It is the responsibility of RVL Personal Data Users to ensure that Personal Data processed for or on behalf of RVL, is in compliance with this Policy.

6.1.2 It is the responsibility of RVL Personal Data Users to ensure that Individuals:

  • understand that RVL is bound by this RVL Data Protection Policy to protect Personal Data of Individuals participating in RVL work;
  • consent to their Personal Data being processed in the context of RVL work;
  • agree that their Personal Data could be transferred to countries with laws that may not
  • are informed that they can contact RVL using the online communication channel located at to ask any questions they may have regarding their Personal Data

6.1.3 RVL Personal Data Users will ensure that Third Parties they allow to process Personal Data:

  • agree to use the Personal Data they access only in the context of RVL work;
  • comply with this Policy and applicable laws. This is so even when the RVL Personal Data Users provide access to Personal Data to people within their network, Third Party or through social media, other online groups, chatrooms or bulletin boards etc
  • understand that they remain bound by these obligations with regard to Personal Data/work undertaken while they were part of RVL even after their contribution to RVL work ends.

6.2 RVL Portals and tools

RVL Personal Data Users may have access to Personal Data in RVL Portals. RVL Personal Data Users undertake to use Personal Data exclusively for RVL work and will ensure that Personal Data under their responsibility is kept up to date, in the RVL portal and any other IT tool in which RVL Personal Data User is required to enter Personal Data.

To the extent possible, RVL Personal Data Users are required to use IT tools provided by RVL (such as the shared drives, Constituents Relationship Management (“CRM”), Human Resources Management System (“HRMS”), as they comply with the requirements of this Policy.

6.3 Arrangements with our partners (including consultants)

In particular, when RVL collaborates with another entity in Processing Personal Data, RVL Personal Data Users should ensure that the responsibilities of all the parties concerned as described in this Policy or applicable law are outlined very clearly and set out in a contract or other legally binding arrangement.

6.4 Data protection by design and by default

In particular, while designing a database and drafting procedures for collecting Personal Data, the principles of data Processing and the rights of Individuals stipulated in the present Policy must be taken into account and incorporated to the greatest extent possible.

6.5 Data security and storage

RVL Personal Data Users should process Personal Data in a manner that ensures an appropriate degree of security. This includes prevention of unauthorized access to, or use of Personal Data and the equipment used for data Processing. This relates in particular to access rights to databases, physical security, computer security and network security, the duty of discretion and the conduct of all RVL Personal Data Users who have access to Personal Data.

RVL Personal Data Users undertake to store electronic equipment and Personal Data safely. RVL has implemented technical measures to ensure that Personal Data stored electronically (such as on shared drives, Union Portal, CRM, HRMS, CS etc.) is protected from unauthorized access, accidental deletion and malicious hacking attempts. To the extent possible, Personal Data should be stored on those systems and RVL Personal Data Users should avoid keeping Personal Data on personal devices (such as laptops, tablets, smart phones, USB Drives, DVDs etc.) and should protect by strong passwords access to any system used. In cases where RVL Personal Data Users are using external tools not provided by RVL to process Personal Data, they undertake to ensure that appropriate technical and organizational measures to protect Personal Data are implemented prior to processing it and should formally document such use and keep the documentation available for auditing purposes.

When Personal Data is stored physically or when Personal Data usually stored electronically, it should be kept in a physically secure place where unauthorized people cannot see it (e.g., in a locked drawer or filing cabinet). Papers and printouts containing Personal Data should not be left where unauthorized people could access them (e.g., on a printer) and should be shredded and disposed of securely when no longer required.

In any case, when retention of Personal Data is no longer necessary, all records should be securely destroyed or anonymized. Anonymization of Personal Data is allowed if it is necessary to RVL’s Mission.


It is the responsibility of RVL Personal Data Users in charge of newsletters to ensure that express consent is obtained from the Individuals and recorded.

Where the Individual has not given his or her express consent to receive newsletters, his or her Personal Data should be disabled.

6.7 End of relationship with RVL

Individuals whose mandate, employment relationship or any other type of relationship with RVL has ended, undertake to destroy any Personal Data in their possession which this Policy applies to and will certify its destruction in writing (if required). For RVL’s staff this will be done in accordance with Human Resources instructions.

6.8 Forms, CVs, and other supporting documents

Application forms, CVs and supporting documents should not be printed, shared by email or kept on local drives. Copies temporarily downloaded on the local drives should be deleted (e.g., by clearing the internet browser cache and/or deleting from the “Download” directory or equivalent). Where an email is received for an unsolicited application, the potential applicant shall be advised to use the appropriate system to submit his or her application (such as the HRMS for staff applications or the CS for Commission Member applications) and the email (together with its attachments) shall be deleted.

6.9 Data Breaches

Any Personal Data breach leading to the accidental or unlawful destruction, loss or alteration of – or to the unauthorized disclosure of, or access to – Personal Data transmitted, stored or otherwise processed must always be reported using the online communication channel located at In the event of a Data Breach, the Managing Director or CEO will ensure there is an appropriate response which means:

  • Establishing a team to investigate the Data Breach and develop remedial plan.
  • Informing the persons affected of the Data Breach without undue delay according to international or local regulations.
  • Informing the relevant local authorities according to international or local Regulations.

6.10 No commercial use of Personal Data

RVL does not make commercial use of Personal Data.

6.11 Data Transfer

6.11.1 External Data Transfer

RVL ensures that Personal Data is only transferred to jurisdictions or International Organizations that ensure adequate level of protection. Should it be necessary to transfer Personal Data to a Third Country or an International Organization that does not provide adequate level of protection, RVL will ensure that it maintains appropriate safeguards such as entering into appropriate contractual clauses in order to safeguard Personal Data.

When transferring Personal Data to a Third Party, RVL Personal Data Users must ensure that:

  • • the Recipient will apply a protection level equivalent to or higher than this Policy;
  • • appropriate safeguards are put in place where a Third Country or an International Organization does not provide adequate level of protection;
  • • Processing by the Recipient is restricted to the purpose authorized by RVL and;
  • • Data Transfer is compatible with the reasonable expectations of the Individual.

6.11.2 Data Transfer within RVL systems

For the sake of clarification, Data Transfer within RVL systems carried out between RVL Personal Data Users in different RVL ’s Offices or between different components of RVL are permitted and do not necessitate a written agreement provided the principles set out in this Policy are respected.

6.12 Documentation of Processing

In order to demonstrate compliance with this Policy, RVL maintains records on the categories of processing activities within its remit. RVL Personal Data Users not using IT tools and systems provided by the RVL should formally document such use and keep the documentation available for auditing purposes.

7. Implementation

7.1 Effective implementation

Effective implementation of these rules is crucial to ensure that individuals are able to benefit from the protection afforded by them.

It is the responsibility of all RVL and RVL Personal Data Users to ensure implementation of the above principles.

7.2 Authorized Processing

Personal Data Processing should be in accordance with the purposes authorized by RVL in the course of executing professional duties.

RVL Personal Data Users must not use RVL Personal Data for private or commercial purposes or disclose it to unauthorized persons.

7.3 Reporting of non-compliance

Allegations of non-compliance with this Policy should be reported using the online communication channel located at

7.4. Consultation and means of communication

RVL staff may consult with their line managers and/or Working Group as applicable if unsure of any aspects of this Policy.

Individuals may send personal data request via email to which will be responded to within a reasonable time.

8. Modification of the Policy

This Policy may be updated from time to time. Any modifications to this Policy must be in writing and approved by the Managing Director.