Privacy and Data Protection Policy

"AS250 ІNTERNATIONAL CHARITABLE FOUNDATION FOR TALENT DEVELOPMENT" - CHARITABLE ORGANIZATION

1. General Provisions

1.1. This Privacy and Data Protection Policy (hereinafter – the “Policy”) establishes the procedure for processing personal data and the measures to ensure their security within the organization, in accordance with the requirements of the General Data Protection Regulation (GDPR) of the European Union 2016/679 and the Law of Ukraine “On Personal Data Protection.”

1.2. The organization undertakes to protect the confidentiality and security of the personal data of all individuals who cooperate with us, are our beneficiaries, employees, partners, or any other stakeholders.

2. Definitions

Personal Data – any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Sensitive Data (special categories of personal data) – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation.

Data Processing – any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller – a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. In the context of this Policy – the organization.

Data Processor – a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Consent of the Data Subject – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, through a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3. Principles of Personal Data Processing

3.1. The organization adheres to the following principles of personal data processing established by the GDPR:

Lawfulness, fairness, and transparency – processing is carried out lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose limitation – personal data are collected for specified, explicit, and legitimate purposes and are not further processed in a manner that is incompatible with those purposes.
Data minimization – personal data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy – personal data are accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation – personal data are kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality – personal data are processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Accountability – the data controller is responsible for compliance with the above principles and must be able to demonstrate such compliance.

4. Legal Bases for Processing

4.1. The processing of personal data is lawful only if at least one of the following legal bases applies:

Consent – The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a Contract – Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal Obligation – Processing is necessary for compliance with a legal obligation to which the controller is subject.
Vital Interests – Processing is necessary to protect the vital interests of the data subject or another natural person.
Public Interest / Official Authority – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legitimate Interests – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

5. Rights of Data Subjects

5.1. Data subjects have the following rights in accordance with the GDPR:

Right of Access – The right to obtain from the controller confirmation as to whether personal data concerning them are being processed and, where that is the case, access to the personal data and certain related information.
Right to Rectification – The right to request that the controller correct inaccurate personal data concerning them without undue delay.
Right to Erasure (“Right to be Forgotten”) – The right to request that the controller erase personal data concerning them without undue delay under certain conditions.
Right to Restriction of Processing – The right to request restriction of processing under certain conditions.
Right to Data Portability – The right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance.
Right to Object – The right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on legitimate interests or carried out in the public interest.
Rights Related to Automated Decision-Making and Profiling – The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except in cases provided for by law.

5.2. The organization ensures mechanisms for the exercise of these rights and processes requests from data subjects without undue delay.

6. Consent to the Processing of Personal Data

6.1. The consent of the data subject is a key legal basis for processing where no other lawful basis applies.

6.2. Special requirements:

Requirements for Consent – Consent must be freely given, specific, informed, and unambiguous. It may be provided through a statement or a clear affirmative action.
Withdrawal of Consent – The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Children’s Consent – In the case of providing information society services directly to a child under the age of 18, the processing of personal data is lawful only if and to the extent that consent is given or authorized by one of the parents (guardians/custodians) who holds parental responsibility for the child.

7. Security Measures and Data Protection

7.1. The organization implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons.

7.2. These measures include, but are not limited to:

Pseudonymization and encryption of personal data.
Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
Physical and software access controls to systems containing personal data.
Staff training on data protection issues.

7.3. Personal Data Breach Notification:
In the event of a personal data breach that may result in a high risk to the rights and freedoms of natural persons, the organization shall promptly notify the data subject and the relevant supervisory authority if required by the GDPR.

8. Data Transfers to Third Parties and Cross-Border Transfers

8.1. The organization may transfer personal data to third parties (processors or other controllers) only in compliance with the principles and requirements of the GDPR, in particular on the basis of an appropriate legal basis and subject to the conclusion of agreements ensuring adequate data protection.

8.2. In the case of cross-border transfers (transfer of data outside Ukraine), the organization follows the requirements of national legislation and EU standards. Transfers of personal data to countries that do not ensure an adequate level of data protection (according to the decision of the European Commission) are carried out only if appropriate safeguards are in place, such as:

Standard Contractual Clauses approved by the European Commission.
Binding Corporate Rules.
Certification mechanisms or codes of conduct.
Explicit consent of the data subject after being informed of the possible risks.

9. Data Protection Officer (DPO)

9.1. The organization appoints a Data Protection Officer (DPO) responsible for monitoring compliance with this Policy and the GDPR, providing advice, and cooperating with supervisory authorities.

9.2. DPO Contact Information:

Name: Gabriella Galambosh
Position: Director of Program Activities
Email: office@as250.org

10. Final Provisions

10.1. This Policy may be amended and updated. All changes are published on the official website of the organization or communicated to data subjects by other appropriate means.

Annex 1. Template of Public Consent for the Processing of Personal Data
(for website/web applications)

By submitting this registration form, I, as a user of the website www.as250.org, confirm my voluntary and explicit consent to the processing (collection, accumulation, storage, and use for the intended purposes) of my personal data specified in this form (for example, name, email, phone number), in accordance with the Law of Ukraine “On Personal Data Protection” and the European Union’s General Data Protection Regulation (GDPR) 2016/679.

My data is collected and used for: ensuring my participation in programs/events, informing me about the activities of the organization, fulfilling its statutory objectives, and meeting donor requirements. We value your support and promise to respect your privacy by protecting your data from unauthorized access and sharing it only with trusted partners under conditions of proper protection.

If video or photo recording is planned within the framework of the project, I also give my consent to participate in such recording and to the use of these materials by the Organization and/or its partners for promotion and informing about activities on websites, social media, newsletters, and other communication materials. The copyright to the created materials will belong to the Organization and/or its partners.

I understand that I have the right to access my data, correct or delete it, and withdraw my consent at any time. More information about my rights and the conditions of data processing can be found in the full Privacy and Data Protection Policy available on the website.