Data Protection Policy
Article – Aim of the Data Protection Policy
IMPACT Initiatives (hereafter referred to as ‘IMPACT’) acknowledges that information technology should
be at the service of every citizen. Information technology development shall take place in the context of
international co-operation. Information technology shall not violate human identity, human rights,
privacy, or individual or public liberties.
IMPACT is committed to international compliance with data protection laws. This Data Protection Policy
applies worldwide to IMPACT and is based on globally accepted, basic principles on data protection.
Ensuring data protection is the foundation of trustworthy relationships and the reputation of IMPACT as
a credible organisation.
The Data Protection Policy ensures the adequate level of data protection as prescribed by relevant legal
frameworks, including in countries that do not yet have adequate data protection laws.
IMPACT’s Data Protection Policy is meant to be a practical and easy-to-understand document to which all
IMPACT departments, stakeholders and partners can refer.
Scope of the Data Protection Policy
This Data Protection Policy applies to all entities of IMPACT, including network and branch offices in all
countries of operation.
1. The policy applies to all IMPACT staff and governance members.
2. The provisions of this policy may also be applied to any person employed by an entity that carries
out missions for IMPACT.
3. In particular, this policy applies to implementing partners, suppliers, sub-grantees, stakeholders
and other associated entities.
IMPACT’s sets of data and definitions
IMPACT’s Data Protection Policy applies to all sets of personal data, currently stored, maintained and
handled by IMPACT, and more specifically to the following identified sets of personal data:
- IMPACT’s personnel, including national and international staff, interns and volunteers,
- IMPACT’s direct and indirect beneficiaries, including interviewees,
- IMPACT’s individual donors and sympathisers,
- IMPACT’s contractors, suppliers, consultants, implementing partners currently under contract with IMPACT.
Personal data herein referred to, means any information relating to a natural person who is or can be
identified, directly or indirectly, by reference to an identification number or to one or more factors specific
to his physical, physiological, mental, economic, cultural or social identity. This can include in particular:
- Names of individuals
- Postal or living addresses
- Email addresses
- Telephone numbers
- Identity card and passport
- Date and place of birth
- Identification of relatives
- Fingerprints
- Business reference
- Geo-referencing
Application of National Laws and sources of authority
IMPACT is headquartered in Switzerland and observes the laws of Switzerland and of the Geneva
Canton, including the Federal Act on Data Protection of 19 June 1992 (the Data Protection Act, the
“DPA”) and the Ordinance to the Federal Act on Data Protection of 14 June 1993 (“ODPA”). It also
operates in more than 15 countries. IMPACT Country Operations observe the laws of their country.
This Data Protection Policy comprises the internationally accepted data privacy principles without
replacing the existing national laws. It supplements the national data privacy laws. The relevant national
law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter
requirements than this Policy. The content of this Data Protection Policy must also be observed in the
absence of corresponding national legislation. The reporting requirements for data processing under
national laws must be observed. Each entity of IMPACT, including network and branch offices, is
responsible for compliance with this Data Protection Policy and the legal obligations.
At the same time, IMPACT has rules and standards that seek to create a consistent approach and which,
in some cases, may be stricter than national or local laws. This Policy must, therefore, be followed in
addition to the relevant national and local laws on data protection.
In the event of conflicts between national legislation and the Data Protection Policy, IMPACT will work
with the relevant country offices to find a practical solution that meets the purpose of the Data Protection
Policy.
Data Processing
1. Consent to Data Processing
Individual data can be processed upon consent of the person concerned. Declarations
of consent must be submitted voluntarily. In certain exceptional circumstances, consent
may be given verbally.
2. Data Processing Pursuant to Legitimate Interest
Personal data can also be processed if it is necessary to enforce a legitimate interest
of IMPACT. Legitimate interests are generally of a legal (such as filing, enforcing or
defending against legal claims), audit or financial nature. Personal data may not be
processed based on a legitimate interest if, in individual cases, there is evidence that
the interests of the individual merit protection. Before data is processed, it must be
determined whether there are interests that merit protection. Control measures that
require processing of personal data can be taken only if there is a legal obligation to do
so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality
of the control measure must also be examined. The justified interests of the organisation
in performing the control measure (e.g. compliance with legal provisions and internal
rules of the organisation) must be weighed against any interests meriting protection that
the individual affected by the measure may have in its exclusion, and the measure cannot be
performed unless appropriate.
DATA PROTECTION POLICY | IMPACT | Version 1 – Nov. 2016
Transmission of Personal Data
The processing of personal data is also permitted if national legislation requests, requires or authorises
this. The type and extent of data processing must be necessary for the legally authorised data
processing activity, and must comply with the relevant statutory provisions. If there is some legal
flexibility, the interests of the individual that merit protection must be taken into consideration.
In certain circumstances, the IMPACT Data Protection Policy allows personal data to be disclosed,
based on a legal obligation, to law enforcement agencies, without the consent of the data subject.
Only IMPACT’s Executive Director can validate any such disclosure in writing, ahead of the disclosure,
after ensuring the request is legitimate, motivated by the requester, appropriate, necessary and does
not pose a threat or direct risk to IMPACT.
Before approving such disclosure, IMPACT’s Executive Director will check that the recipient of the data
uses the data for the defined purposes only, and that it demonstrates the capacity and will to abide by
such an obligation.
Where necessary, IMPACT’s Executive Director will refer to legal advisers for advice, and to IMPACT’s
Committee for validation, notably but not only in cases involving direct security threats and implications
or global organisational risks including reputation.
Subject access and modification requests to personal data
All IMPACT staff and individuals external to the NGO can contact IMPACT to request that the rights listed in
Article 6 section 4 - Rights of the Data Subject be applied.
Subject access requests from individuals should be addressed by email or in writing. If not in
writing, the request should be taken and handled by a duly authorised IMPACT staff member and registered in a
log for reference and follow up.
Any individual subject access request received by IMPACT will be duly verified before being handled:
the identity of anyone making a subject access request will be verified before any information is
handed over.
IMPACT will ensure that it responds to individual requests in a timely manner.
IMPACT will ensure that any data subject, including but not only personnel, individual donors and
sympathisers, and beneficiaries, has the means to contact IMPACT to verify the data IMPACT holds
about them, and can have authorised IMPACT personnel update and correct personal information. Such
an obligation entails the following:
- IMPACT staff should have access to their personal files and to any information held by IMPACT
on them, by simple request to the Human Resources department, to be presented and corrected
by a duly authorised staff member only. The consultation of any information on any other staff is strictly
prohibited.
- Individual donors and sympathisers listed by IMPACT can reach out to IMPACT to check the
data held by IMPACT and have it corrected as well as deleted. Information on this right and on
how to reach out to IMPACT for such a purpose should be clearly indicated on IMPACT’s website,
as well as on the main media of communication to individual donors and sympathisers, including
Responsibilities
IMPACT’s Committee is responsible for ensuring that the legal requirements for data protection, and those
contained in this Data Protection Policy, are met (e.g. national reporting duties).
Management staff are responsible for ensuring that organisational, Human Resources, and technical
measures are in place so that any data processing is carried out in accordance with data protection.
The managers must ensure that their employees are sufficiently trained in data protection.
Compliance with these requirements is the responsibility of the relevant employees.
Implementation of the policy
This policy was approved by IMPACT’s Executive Director in November 2016 and comes into
effect immediately. It could be reviewed regularly.