Relief Validation Limited is committed to safeguarding and protecting Personal Data of private individuals. RVL is aware of the risks involved, and of the importance of having appropriate data protection standards in place. These can include RVL Members, suppliers, business contacts, visitors to RVL building, employees and other people the organization has a relationship with or may need to contact.
Safeguarding the Personal Data of all these people is an essential aspect of protecting people’s lives, integrity and dignity. The Processing of Personal Data touches all areas of RVL’s activity, whether operational or administrative.
This Policy describes the principles to be followed when Processing Personal Data. It also describes how these principles should be implemented and what needs to be done in case of a Data Transfer and Personal Data Breach event in order to comply with reporting requirements.
The aim of this Policy is to:
This Policy applies to Personal Data processed by RVL. It applies to all staff members of the RVL (including hosted staff, individuals seconded by other organizations and volunteers) regardless of location and office type, Council and Commission members, other RVL stakeholders, anyone Processing Personal Data under the name of RVL or using the RVL logo or anyone using IT tools or systems provided by the RVL, collectively referred to as “RVL Personal Data Users”.
Further, it also applies to RVL as a Data Controller or Data Processor with respect to Personal Data relating to Individuals.
This Policy comprises the internationally accepted data protection principles without replacing the existing national laws. It supplements the national data protection laws. The relevant national law will take precedence in the event that it conflicts with this Policy, or it has stricter mandatory requirements than this Policy. In particular, the reporting requirements for data Processing under applicable national laws must be observed. The content of this Policy must also be observed in the absence of corresponding national legislation.
RVL processes Personal Data in a lawful and fair manner in relation to the Individual. RVL only processes Personal Data with respect to this Policy and applicable laws. In order to do so RVL ensures that a legal basis of Processing Personal Data exists such as the following:
RVL ensures that consent is obtained from the Individual prior to Processing Personal Data. This consent is obtained in writing or electronically for the purposes of documentation and is valid only if given voluntarily. If, for any reason, the consent of the Individual is not given before Processing Personal Data, it should be secured in writing as soon as possible after the beginning of the Processing.
RVL may process Personal Data without express consent if it is necessary to enforce a legitimate interest of RVL or a Third Party provided that interest is not overridden by the interests and rights of the individual. At RVL, legitimate interest exists where there is a relevant and appropriate relationship between RVL and the Individual such as where the Individual is a Council member, Commission member, RVL Staff members etc.
RVL may process Personal Data in order to enforce a contract entered into with the Data Subject or to comply with a contractual obligation.
In other cases, the Processing of Personal Data may be necessary to comply with applicable law.
RVL may process Personal Data for the performance of a task carried out in the public interest or in the exercise of official authority vested in RVL.
RVL processes Personal Data in a transparent manner.
Communications with the Individual must be in clear and plain language, easily accessible and easy to understand. RVL Personal Data Users must provide the Individual with sufficient information about the data Processing when Personal Data is obtained. The minimum information to be provided is included in section 5.1 Right to receive information.
RVL Personal Data Users Processing Personal Data will decide how this information is to be communicated after taking into account security measures and the urgency of Processing.
When collecting Personal Data, RVL Personal Data Users determine the specific purpose(s) for which data is processed, and only process it for those purposes. All Personal Data collected should be clearly documented including the purpose for collection.
The Personal Data handled by RVL must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. This means that RVL Personal Data Users should not process Personal Data unless it is necessary to process it in order to achieve the purpose for which it was obtained.
RVL Personal Data Users must ensure that Personal Data kept on file is correct and kept up to date. Inaccurate or incomplete Personal Data should be rectified or deleted. The exception to this principle would be the case when a legitimate interest exists to retain Personal Data. Historical data, accurate at the time of collection, can be kept for as long as it is required to be kept. Once historical data is no longer necessary it should be deleted.
RVL Personal Data Users must treat Personal Data in a confidential manner. They must ensure that Personal Data is securely stored with suitable organizational and technical measures to prevent unauthorized or illegal Processing.
RVL keeps Personal Data for as long as it is necessary to perform its activities and as is required by applicable law. Personal Data not useful for RVL should be deleted unless national legislation requires it to be retained for a certain period of time. RVL will also delete Personal Data if the Individual withdraws his or her consent for Processing unless another legal basis of processing the Personal Data exists which prevents RVL from deleting the Personal Data.
RVL may store Personal Data for archiving purposes for a determined period compatible with applicable laws.
RVL respects rights conferred to Individuals to ensure protection of Personal Data. These rights include:
At a minimum, RVL Personal Data Users must provide the Individual with the following information when Personal Data is obtained:
The Individual may request which Personal Data relating to him or her has been collected and stored, how the Personal Data was collected, and for what purpose.
Disclosure of Personal Data should not be automatic. RVL Personal Data Users must consider all the circumstances surrounding the request for access and any restrictions to access that may be applicable. Access to Personal Data will only be given to the Individual if his or her identity can be verified.
If Personal Data is incorrect or incomplete, the Individual can request that it be corrected or supplemented. This will only be considered if the identity of the Individual can be verified. Upon verification of the allegation, RVL will make the necessary change(s). In certain circumstances historical data may need to be kept in accordance with section 4.5 Accuracy
The Individual may request his or her Personal Data to be deleted if the Processing of such Personal Data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the Data Processing has lapsed or has ceased to be applicable for other reasons.
However, the right to erasure does not apply, and Personal Data will continue to be retained:
The Individual has the right to receive his or her Personal Data in a structured, commonly used and machine-readable format and has the right to transfer such Personal Data to another Data Controller provided the Processing was based on consent or was necessary for the performance of a contract and was carried out by automated means.
Where technically feasible the Individual may request RVL to transfer his or her Personal Data to another Data Controller.
The Individual may object at any time to compelling legitimate grounds relating to their particular situation, to the Processing of Personal Data concerning them. Such objection will be accepted if the fundamental rights and freedoms of the Individual in question outweigh RVL’s legitimate interests, or the public interest.
An objection to Personal Data Processing does not apply if a legal, contractual or financial provision requires the Personal Data to be processed.
The Individual has the right to restrict the Processing of his or her personal data where there exists a particular reason for the restriction. This means that the Individual can limit the way that an organization uses his or her Personal Data. This may be because:
The Individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
6.1.1 It is the responsibility of RVL Personal Data Users to ensure that Personal Data processed for or on behalf of RVL, is in compliance with this Policy.
6.1.2 It is the responsibility of RVL Personal Data Users to ensure that Individuals:
6.1.3 RVL Personal Data Users will ensure that Third Parties they allow to process Personal Data:
RVL Personal Data Users may have access to Personal Data in RVL Portals. RVL Personal Data Users undertake to use Personal Data exclusively for RVL work and will ensure that Personal Data under their responsibility is kept up to date, in the RVL portal and any other IT tool in which RVL Personal Data User is required to enter Personal Data.
To the extent possible, RVL Personal Data Users are required to use IT tools provided by RVL (such as the shared drives, Constituents Relationship Management (“CRM”), Human Resources Management System (“HRMS”), as they comply with the requirements of this Policy.
In particular, when RVL collaborates with another entity in Processing Personal Data, RVL Personal Data Users should ensure that the responsibilities of all the parties concerned as described in this Policy or applicable law are outlined very clearly and set out in a contract or other legally binding arrangement.
In particular, while designing a database and drafting procedures for collecting Personal Data, the principles of data Processing and the rights of Individuals stipulated in the present Policy must be taken into account and incorporated to the greatest extent possible.
RVL Personal Data Users should process Personal Data in a manner that ensures an appropriate degree of security. This includes prevention of unauthorized access to, or use of Personal Data and the equipment used for data Processing. This relates in particular to access rights to databases, physical security, computer security and network security, the duty of discretion and the conduct of all RVL Personal Data Users who have access to Personal Data.
RVL Personal Data Users undertake to store electronic equipment and Personal Data safely. RVL has implemented technical measures to ensure that Personal Data stored electronically (such as on shared drives, Union Portal, CRM, HRMS, CS etc.) is protected from unauthorized access, accidental deletion and malicious hacking attempts. To the extent possible, Personal Data should be stored on those systems and RVL Personal Data Users should avoid keeping Personal Data on personal devices (such as laptops, tablets, smart phones, USB Drives, DVDs etc.) and should protect by strong passwords access to any system used. In cases where RVL Personal Data Users are using external tools not provided by RVL to process Personal Data, they undertake to ensure that appropriate technical and organizational measures to protect Personal Data are implemented prior to processing it and should formally document such use and keep the documentation available for auditing purposes.
When Personal Data is stored physically or when Personal Data usually stored electronically, it should be kept in a physically secure place where unauthorized people cannot see it (e.g., in a locked drawer or filing cabinet). Papers and printouts containing Personal Data should not be left where unauthorized people could access them (e.g., on a printer) and should be shredded and disposed of securely when no longer required.
In any case, when retention of Personal Data is no longer necessary, all records should be securely destroyed or anonymized. Anonymization of Personal Data is allowed if it is necessary to RVL’s Mission.
It is the responsibility of RVL Personal Data Users in charge of newsletters to ensure that express consent is obtained from the Individuals and recorded.
Where the Individual has not given his or her express consent to receive newsletters, his or her Personal Data should be disabled.
Individuals whose mandate, employment relationship or any other type of relationship with RVL has ended, undertake to destroy any Personal Data in their possession which this Policy applies to and will certify its destruction in writing (if required). For RVL’s staff this will be done in accordance with Human Resources instructions.
Application forms, CVs and supporting documents should not be printed, shared by email or kept on local drives. Copies temporarily downloaded on the local drives should be deleted (e.g., by clearing the internet browser cache and/or deleting from the “Download” directory or equivalent). Where an email is received for an unsolicited application, the potential applicant shall be advised to use the appropriate system to submit his or her application (such as the HRMS for staff applications or the CS for Commission Member applications) and the email (together with its attachments) shall be deleted.
Any Personal Data breach leading to the accidental or unlawful destruction, loss or alteration of – or to the unauthorized disclosure of, or access to – Personal Data transmitted, stored or otherwise processed must always be reported using the online communication channel located at www.reliefvalidation.com.bd/contact.html. In the event of a Data Breach, the Managing Director or CEO will ensure there is an appropriate response which means:
RVL does not make commercial use of Personal Data.
6.11.1 External Data Transfer
RVL ensures that Personal Data is only transferred to jurisdictions or International Organizations that ensure adequate level of protection. Should it be necessary to transfer Personal Data to a Third Country or an International Organization that does not provide adequate level of protection, RVL will ensure that it maintains appropriate safeguards such as entering into appropriate contractual clauses in order to safeguard Personal Data.
When transferring Personal Data to a Third Party, RVL Personal Data Users must ensure that:
6.11.2 Data Transfer within RVL systems
For the sake of clarification, Data Transfer within RVL systems carried out between RVL Personal Data Users in different RVL ’s Offices or between different components of RVL are permitted and do not necessitate a written agreement provided the principles set out in this Policy are respected.
In order to demonstrate compliance with this Policy, RVL maintains records on the categories of processing activities within its remit. RVL Personal Data Users not using IT tools and systems provided by the RVL should formally document such use and keep the documentation available for auditing purposes.
Effective implementation of these rules is crucial to ensure that individuals are able to benefit from the protection afforded by them.
It is the responsibility of all RVL and RVL Personal Data Users to ensure implementation of the above principles.
Personal Data Processing should be in accordance with the purposes authorized by RVL in the course of executing professional duties.
RVL Personal Data Users must not use RVL Personal Data for private or commercial purposes or disclose it to unauthorized persons.
Allegations of non-compliance with this Policy should be reported using the online communication channel located at www.reliefvalidation.com.bd/contact.html.
RVL staff may consult with their line managers and/or Working Group as applicable if unsure of any aspects of this Policy.
Individuals may send personal data request via email to info@reliefvalidation.com.bd which will be responded to within a reasonable time.
This Policy may be updated from time to time. Any modifications to this Policy must be in writing and approved by the Managing Director.