Data Protection Policy
Article 1 – Aim of the Data Protection Policy
JK TECH Initiatives (hereafter referred to as ‘JK TECH’) acknowledges that information technology should be at the service of every citizen. Information technology development shall take place in the context of international co-operation. Information technology shall not violate human identity, human rights, privacy, or individual or public liberties.
JK TECH is committed to international compliance with data protection laws, including but not limited to GDPR, CCPA, HIPAA, GLBH, etc. This Data Protection Policy applies worldwide to JK TECH and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy relationships and the reputation of JK TECH as a credible organization.
The Data Protection Policy ensures an adequate level of data protection as prescribed by relevant legal frameworks, including in countries that do not yet have adequate data protection laws.
JK TECH’s Data Protection Policy is meant to be a practical and easy-to-understand document to which all JK TECH departments, stakeholders and partners can refer.
Article 2 – Scope of the Data Protection Policy
This Data Protection Policy applies to all entities/subsidiaries of JK TECH, including network and branch offices in all countries of operation.
- The policy applies to all JK TECH staff/employees and governance members.
- The provision of this policy may also be applied to any person employed by an entity that carries out assignments for JK TECH.
- In particular, this policy applies to implementing partners, suppliers, sub-grantees, stakeholders and other associated entities.
JK TECH’s Data Protection Policy applies to all personal data that JK TECH holds relating to identifiable individuals, meaning any information relating to an identified or identifiable individual.
Article 3 – JK TECH’s Sets of Data and Definitions
JK TECH’s Data Protection Policy applies to all sets of personal data, currently stored, maintained and handled by JK TECH, and more specifically to the following identified sets of personal data:
- JK TECH’s personnel, including national and international staff, interns, and volunteers.
- JK TECH’s direct and indirect beneficiaries, including interviewees.
- JK TECH’s contractors, suppliers, consultants, and implementing partners currently under contract with JK TECH.
Personal data, as referred to herein, means any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This can include in particular:
- Names of individuals
- Postal or living addresses
- Email addresses
- Telephone numbers
- Identity card and passport
- Date and place of birth
- Identification of relatives
- Business reference
Processing of personal data means any operation or set of operations in relation to such data, whatever the mechanism used, especially the obtaining, recording, organization, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.
Article 4 – Application of National Laws and Sources of Authority
JK TECH is headquartered in New Delhi, Republic of India, and observes the laws of India and the applicable IT Act, including Data Rules and Regulations. It also operates in more than three (3) countries. JK TECH Country Operations observe the laws of their country.
This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed. Each entity of JK TECH, including network and branch offices is responsible for compliance with this Data Protection Policy and the legal obligations.
At the same time, JK TECH has rules and standards that seek to create a consistent approach and which, in some cases, may be stricter than national or local laws. This Policy must, therefore, be followed in addition to the relevant national and local laws on data protection.
In the event of conflicts between national legislation and the Data Protection Policy, JK TECH will work with the relevant country offices to find a practical solution that meets the purpose of the Data Protection Policy.
This policy is aimed at guiding JK TECH staff/employee(s) and must be considered together with JK TECH’s Code of Conduct and other relevant policies.
Article 5 – Principles for Processing Personal Data
- Fairness and Lawfulness
- When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
- Collected data shall be adequate, relevant and not excessive in relation to the purposes for which they are obtained and their further processing.
- Individual data can be processed upon voluntary consent of the person concerned.
- Restriction to a Specific Purpose
- Personal data can be processed only for the purpose that was defined before the data was collected. Personal data shall be obtained for specified, explicit and legitimate purposes, and shall not subsequently be processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require justification.
- The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be made aware of, or informed of:
- The purpose of data processing.
- Categories of third parties to whom the data might be transmitted.
- Processing of personal data must have received the consent of the data subject or must meet one of the following conditions: compliance with any legal obligation to which JK TECH is subject; the protection of the data subject’s life; the performance of a public service mission entrusted to JK TECH.
- Confidentiality and Data Security
- Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
- Personal data shall be retained in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they are obtained and processed. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
- Factual Accuracy and Up-to-datedness of Data
- Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated.
Article 6 – Data Processing
- Consent to Data Processing
- Individual data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. In certain exceptional circumstances, consent may be given verbally; however, it must be documented later.
- Data processing Pursuant to Legitimate Interest
- Personal data can also be processed if it is necessary to enforce a legitimate interest of JK TECH. Legitimate interests are generally of a legal (such as filing, enforcing or defending against legal claims), audit or financial nature. Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the individual merit protection. Before data is processed, it must be determined whether there are interests that merit protection. Control measures that require processing of personal data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the organization in performing the control measure (e.g. compliance with legal provisions and internal rules of the organization) must be weighed against any interests meriting protection that the individual affected by the measure may have in its exclusion, and cannot be performed unless appropriate.
- Telecommunications and Internet
- Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by JK TECH primarily for work-related assignments. They are a tool and an organizational resource. They can be used within the applicable legal regulations and as per social media policy, asset policy etc. and internal JK TECH communication policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
- To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the network used by JK TECH that block technically harmful content or that analyse the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be blocked for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of policies and/or procedures of JK TECH. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as the JK TECH regulations.
- Rights of the Data Subject
All individuals who are the subject of personal data held by JK TECH are entitled:
- To request information on which personal data relating to him/her has been stored, how the data was collected, and for what intended purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected. If personal data is transmitted to third parties, individuals should be informed of such a possibility. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
- To request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
- To object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Article 7 – Transmission of Personal Data
Transmission of personal data to recipients outside or inside JK TECH is subject to the authorisation requirements for processing personal data under Section 6 and requires the consent of the data subject. The data recipient must be required to use the data only for the defined purposes.
In the event that data is transmitted to a recipient outside JK TECH, this recipient must agree to maintain a data protection level equivalent to this Data Protection Policy. This does not apply if transmission is based on a legal obligation.
The processing of personal data is also permitted if national legislation requests, requires or authorises this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the individual that merit protection must be taken into consideration.
In certain circumstances, the JK TECH Data Protection Policy allows personal data to be disclosed, based on a legal obligation, to law enforcement agencies, without the consent of the data subject.
Only JK TECH’s authorized representative can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, motivated by the requester, appropriate, necessary and does not pose a threat or direct risk to JK TECH.
Before approving such disclosure, JK TECH’s authorized representative will check that the recipient of the data uses the data for the defined purposes only, and that it demonstrates the capacity and will to abide by such an obligation.
Where necessary, JK TECH’s authorized representative will refer to legal advisers for advice, and to JK TECH’s Committee for validation, notably but not only in cases involving direct security threats and implications or global organizational risks including reputation.
Article 8 – Subject Access and Modification Requests to Personal Data
All JK TECH staff and individuals external to the NGO can contact JK TECH to request that the rights listed in Article 6, section 4 – Rights of the Data Subject be applied.
Subject access requests from individuals should be addressed by email or in writing. If not in writing, the request should be taken and handled by a duly authorised JK TECH staff member and registered in a log for reference and follow-up.
Any individual subject access request received by JK TECH will be duly verified before being handled, including verification of the identity of anyone making the request, before any information is handed over.
JK TECH will ensure that it responds to individual requests in a timely manner.
JK TECH will ensure that any data subject, including but not limited to personnel, individuals and beneficiaries, has the means to contact JK TECH to verify the data JK TECH holds about them, and can have authorized JK TECH personnel update and correct personal information. Such an obligation entails the following:
- JK TECH staff should have access to their personal files and to any information held by JK TECH on them, by simple request to the Human Resources department, to be presented and corrected by a duly authorized staff member only. The consultation of any information on any other staff is strictly prohibited.
- JK TECH’s current direct and indirect beneficiaries (including survey interviewees) shall have access to JK TECH to check any data JK TECH holds on them, to ensure its correctness and fairness, and to have it modified and updated upon request by duly authorised JK TECH personnel. For such a purpose, JK TECH teams at country level should set up and maintain a complaints response mechanism that is both open and accessible to individuals, with limited constraints, while ensuring that any request by individuals is duly followed by appropriate corrective measures and communications. Contact information to uphold this right and reach out to JK TECH for such a purpose should be clearly indicated on the JK TECH website.
- JK TECH contractors and suppliers can reach out to JK TECH to check data held by JK TECH and have it corrected. Such a responsibility lies with the authorized representative.
Article 9 – Providing Information
JK TECH aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used;
- How to exercise their rights;
To these ends, the current policy is shared with all JK TECH staff/employee(s) and available on request by individuals. A version of this Policy is also available on the website of JK TECH.
Any subscriber or user of an electronic communication service shall be informed in a clear and comprehensive manner by JK TECH, except if already previously informed, regarding: the purpose of any action intended to provide access, by means of electronic transmission, to information previously stored in their electronic connection terminal device, or to record data in this device; the means available to them to object to such action.
Article 10 – Confidentiality of Processing
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Duly authorized employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
Article 11 – Processing Security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification). The technical and organizational measures for protecting personal data are part of JK TECH’s IT management and must be adjusted continuously to the technical developments and organizational changes.
Article 12 – Data Protection Control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly with the data protection authorized representative and other controls. The performance of these controls is the responsibility of JK TECH’s authorized representative or appointed representative. The results of the data protection controls performed by the appointed IT representative must be reported to the authorized representative or the Management of JK TECH. On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.
Article 13 – Violation, Sanction and Reporting
Any failure to comply with the current policy, or any deliberate violation of the rules set in the policy, will result in the launch of an appropriate investigation by JK TECH.
Depending on the gravity of the suspicion or accusations, JK TECH may suspend staff or relations with other stakeholders during the investigation. This will not be subject to challenge.
Depending on the outcome of the independent investigation, if it comes to light that anyone associated with JK TECH has deliberately violated the rules set in the policy for their personal profit or any other usage of personal data, or has systematically and deliberately contravened the principles and standards contained in this document, JK TECH will take immediate disciplinary action and any other action which may be appropriate to the circumstances. This may mean, for example, for:
- Employees – disciplinary action/dismissal.
- Officers and interns – ending the relationship with the organization.
- Partners – withdrawal of support.
- Contractors and consultants – termination of contract.
Depending on the nature, circumstances and location of the case and violation, JK TECH will also consider involving authorities such as the police to ensure the protection of personal data and victims.
The reporting of suspected or actual violations of this policy is a professional and legal obligation of all staff/employee(s) and partners. Failure to report information can lead to disciplinary or any other suitable action.
JK TECH encourages its staff/employee(s) and stakeholders to report suspected cases which involve any JK TECH staff, employee(s), consultants, board members, guests or staff of JK TECH’s partner organizations, their board members, staff and/or suppliers.
JK TECH encourages its staff, employee(s) and stakeholders to report suspected cases through the following means:
- Staff and interns can report by contacting:
- standard lines of hierarchy (contained in staff Terms of Reference);
- the Head of Human Resources.
All reports will be treated as confidential in line with JK TECH’s Code of Conduct, Whistleblower and JK TECH’s guidelines.
JK TECH will not tolerate false accusations which are designed to damage a staff member’s/employee’s reputation. Anyone found making false accusations will be subject to investigation and disciplinary action.
Article 14 – Responsibilities
JK TECH’s authorized representative is responsible for ensuring that the legal requirements for data protection, and those contained in this Data Protection Policy, are met (e.g. national reporting duties).
Management staff are responsible for ensuring that organizational, Human Resources, and technical measures are in place so that any data processing is carried out in accordance with data protection. The managers and company must ensure that their employees are sufficiently trained in data protection.
Compliance with these requirements is the responsibility of the relevant employees. Employees who have questions or objections about the processing of their personal information should first contact their immediate supervisor. If the employee does not choose to submit an inquiry or complaint to immediate management, or if the manager and employee are unable to reach a satisfactory settlement of the issues presented, the employee shall bring the matter to the Legal Head. (Contact firstname.lastname@example.org)
Article 15 – Implementation of the Policy
This policy has been approved by JK TECH’s Finance Head and Senior Vice President in December 2022 and comes into effect immediately. It could be reviewed regularly at least once in two years unless it is otherwise required to be updated due to a change in applicable laws and regulations.