DATA PROTECTION & PRIVACY POLICY (GDPR-ALIGNED)

GLOBAL UNION OF CHANGEMAKERS (GUC)

Purpose

GUC is committed to protecting the personal data and privacy of its staff, volunteers, partners, donors, and beneficiaries. This policy ensures compliance with the EU General Data Protection Regulation (GDPR), international privacy standards, and best practices for non-profit organizations.

The policy aims to:

1. Safeguard personal and sensitive data collected, stored, and processed by GUC;

2. Ensure transparency and accountability in data handling;

3. Enable individuals to exercise their rights regarding their personal information;

4. Align with GUC’s constitutional values of integrity, transparency, inclusion, and respect for human dignity.

Scope

This policy applies to:

• Board members, staff, volunteers, interns, consultants, and contractors;

• Donors, beneficiaries, program participants, and partners;

• All digital and physical systems where personal data is collected, stored, or processed;

• All GUC programs, communications, fundraising, and operational activities globally.

Key Principles

GUC adheres to the following data protection principles:

Lawfulness, Fairness, and Transparency – Data is processed lawfully, fairly, and transparently;

Purpose Limitation – Data is collected only for explicit, legitimate purposes;

Data Minimization – Only the minimum necessary data is collected;

Accuracy – Data is kept accurate and up to date;

Storage Limitation – Data is stored only as long as necessary for the intended purpose;

Integrity and Confidentiality – Data is processed securely to prevent unauthorized access, loss, or misuse;

Accountability – GUC is responsible for, and able to demonstrate compliance with, all data protection principles.

Data Subject Rights

Individuals whose personal data is processed by GUC have the following rights:

Right of Access – To know what data is held and why;

Right to Rectification – To correct inaccurate or incomplete data;

Right to Erasure – To request deletion of data when no longer necessary;

Right to Restrict Processing – To limit the use of personal data in certain circumstances;

Right to Data Portability – To obtain and reuse personal data across systems;

Right to Object – To object to processing based on legitimate interests;

Rights related to Automated Decisions – To challenge automated decision-making processes.

Data Collection & Use

GUC collects personal data only for legitimate organizational purposes, including:

Program participation and monitoring;

Communication with donors, partners, and stakeholders;

Recruitment and human resources management;

Compliance with legal obligations.

Sensitive data (e.g., health information, disability status) is processed only with explicit consent or legal justification.

Data Sharing & Transfers

Personal data is not shared externally except with explicit consent, contractual obligation, or legal requirement;

International transfers are conducted only with adequate safeguards (e.g., EU-approved mechanisms);

Third-party service providers are required to comply with GDPR and GUC privacy standards.

Data Security Measures

Access to personal data is restricted to authorized personnel only;

Data is stored using secure systems, encryption, and password protection;

Regular audits, penetration testing, and security reviews are conducted;

Data breaches are managed according to GDPR requirements, including notification to supervisory authorities and affected individuals.

8. Roles & Responsibilities

8.1 Data Protection Officer (DPO)

Oversees GDPR compliance;

Provides guidance and training to staff and partners;

Investigates breaches and handles data subject requests.

8.2 Staff, Volunteers & Partners

Must follow this policy and report any suspected breaches or misuse;

Participate in data protection training;

Handle personal data confidentially and securely.

Retention & Disposal

Personal data is retained only as long as necessary for its intended purpose or as legally required;

Secure disposal mechanisms are used for both physical and electronic records;

Periodic audits ensure compliance with retention schedules.

Training & Awareness

GUC provides mandatory training on GDPR, privacy principles, and data security for all staff, volunteers, and partners;

Awareness campaigns highlight rights, responsibilities, and reporting mechanisms;

Continuous improvement through feedback and audits.

Review & Policy Update

Reviewed at least every two years or in response to legal, operational, or technological changes;

Updates communicated to all relevant stakeholders.

Approval

This Data Protection & Privacy Policy is approved by the Executive Director and Board of GUC, ensuring GUC’s commitment to protecting personal data, privacy, and organizational transparency.