Data Privacy Protection Policy for Mind to Heart Community-Based Organization (CBO)
Effective Date: September 21, 2024
At Mind to Heart Community-Based Organization (“Mind to Heart”), we are committed to protecting the personal data of all individuals who engage with our services, whether as beneficiaries, donors, volunteers, employees, or partners. This Data Privacy Protection Policy outlines the principles and practices that guide the collection, processing, storage, and sharing of personal data in accordance with applicable data protection laws.
1. Purpose
The purpose of this policy is to ensure that Mind to Heart complies with data protection laws and regulations, including but not limited to the Kenya Data Protection Act, 2019, the General Data Protection Regulation (GDPR) (where applicable), and other global standards. This policy provides transparency on how we protect personal data and respect the privacy rights of individuals.
2. Scope
This policy applies to all personal data collected, processed, and stored by Mind to Heart through any means, including our website, www.mindtoheartglobal.org, email communications, event registrations, donations, and collaborations with partners. It covers all employees, volunteers, contractors, and third-party service providers who process personal data on our behalf.
3. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person. This includes, but is not limited to, names, contact information, identification numbers, location data, financial data, and online identifiers.
- Data Subject: The individual whose personal data is being processed by Mind to Heart.
- Processing: Any operation performed on personal data, such as collection, recording, storing, modifying, using, sharing, or deleting.
- Data Controller: Mind to Heart, which determines the purposes and means of processing personal data.
- Data Processor: Any third party that processes personal data on behalf of Mind to Heart.
4. Principles of Data Protection
Mind to Heart adheres to the following key principles when processing personal data:
- Lawfulness, Fairness, and Transparency: We collect and process personal data lawfully and in a transparent manner. Individuals are informed about the purposes of data collection and how their data will be used.
- Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not processed for other purposes unless consent is obtained or legally required.
- Data Minimization: We collect only the data that is necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data is kept for no longer than is necessary for the purposes for which it was collected or as required by law.
- Integrity and Confidentiality: We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure.
- Accountability: We are responsible for ensuring compliance with these principles and can demonstrate adherence to this policy.
5. Data Collection
We collect personal data from individuals in the following ways:
- Directly from Data Subjects: Through event registration, donation forms, subscription to newsletters, partnership inquiries, and volunteer applications.
- Automatically: Through cookies and similar technologies when users visit our website.
- Third-Party Sources: Through social media interactions or partner organizations, when lawful.
The categories of personal data collected may include:
- Contact information (name, email, phone number, address)
- Payment and donation information
- Volunteering or event participation details
- Communications and correspondence records
- Cookies and tracking data
6. Legal Basis for Processing
We process personal data based on one or more of the following legal grounds:
- Consent: The data subject has given explicit consent to process their personal data for a specific purpose.
- Contractual Necessity: Processing is necessary to perform a contract with the data subject or take steps at the data subject’s request before entering into a contract.
- Legal Obligation: Processing is necessary to comply with legal requirements.
- Legitimate Interests: Processing is necessary for our legitimate interests, provided that those interests are not overridden by the data subject’s privacy rights.
7. Data Subject Rights
Mind to Heart respects the rights of individuals regarding their personal data. Data subjects have the following rights:
- Right to Access: Individuals can request a copy of their personal data and details of how it is processed.
- Right to Rectification: Individuals can request that inaccurate or incomplete data be corrected.
- Right to Erasure (“Right to be Forgotten”): Individuals can request the deletion of their personal data under certain conditions.
- Right to Restrict Processing: Individuals can request to limit the processing of their data under specific circumstances.
- Right to Data Portability: Individuals can request that their personal data be transferred to another data controller.
- Right to Object: Individuals can object to the processing of their data for direct marketing or other specific purposes.
- Right to Withdraw Consent: Individuals may withdraw their consent for processing at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, individuals can contact us at the details provided below.
8. Data Security
Mind to Heart implements robust security measures to safeguard personal data from unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: Sensitive data such as payment information is encrypted during transmission and storage.
- Access Controls: Only authorized personnel have access to personal data, and they are required to adhere to strict confidentiality protocols.
- Regular Security Audits: We regularly review our security practices to ensure they meet industry standards.
- Third-Party Security: We ensure that our third-party service providers maintain security practices that meet our standards.
9. Data Sharing and Disclosure
Mind to Heart does not sell, rent, or trade personal data. We may share personal data with third parties only in the following situations:
- Service Providers: Trusted third parties who help us deliver our services (e.g., payment processors, IT service providers) and are bound by confidentiality agreements.
- Legal Compliance: We may disclose personal data if required by law or in response to valid legal processes.
- With Consent: We may share data with third parties with the explicit consent of the data subject.
10. International Data Transfers
Mind to Heart may transfer personal data to third parties or service providers located in countries outside Kenya. Where such transfers occur, we ensure that appropriate safeguards are in place to protect the data in accordance with applicable data protection laws.
11. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. After the retention period, personal data will be securely deleted or anonymized.
12. Data Breach Response
In the event of a data breach, Mind to Heart will:
- Notify affected individuals if the breach poses a high risk to their privacy rights.
- Take immediate steps to mitigate the breach and prevent further unauthorized access.
- Report the breach to relevant authorities as required by law.
13. Training and Awareness
All employees, volunteers, and contractors are trained on data protection principles and their responsibilities under this policy. Mind to Heart ensures ongoing education on privacy laws and best practices.
14. Review and Updates
This policy is reviewed regularly to ensure it remains up to date with changes in laws and regulations. Updates will be communicated through our website and other appropriate channels.
15. Contact Us
If you have any questions or concerns about this Data Privacy Protection Policy or how your personal data is handled, please contact us at:
Mind to Heart CBO
Email: info@mindtoheartglobal.org
Phone: +254 723 000 633/+254 702 269 113
This policy demonstrates Mind to Heart’s commitment to protecting the privacy and personal data of all individuals we engage with. We are dedicated to ensuring compliance with data protection laws and best practices in all our operations.