IFES Data Protection Policy

LAST UPDATED June 11, 2018

International Foundation for Electoral Systems

1. Purpose
1.1. International Foundation for Electoral Systems is committed to complying with privacy
and data protection laws including:
1.1.1. The Regulation (EU) 2016/679 of the European Parliament (“General Data
Protection Regulation” and/or "the GDPR") and any related legislation which
applies in the EU, including, without limitation, any legislation derived from the
Data Protection Bill 2017;
1.1.2. The Privacy and Electronic Communications Regulations (2003) and any successor
or related legislation, including without limitation, E-Privacy Regulation 2017/0003;
1.1.3. All other applicable laws and regulations relating to the processing of personal
data and privacy, including statutory instruments or any other supervisory
1.2. This policy sets out what we do to protect individuals' personal data.
1.3. Anyone who handles personal data in any way on behalf of International Foundation for
Electoral Systems must ensure that we comply with this policy. Section 3 of this policy
describes what comes within the definition of "personal data". Any breach of this policy
will be taken seriously and may result in disciplinary action or more serious sanctions.
1.4. This policy may be amended from time to time to reflect any changes in legislation,
regulatory guidance or internal policy decisions.

2. Scope
2.1. The types of personal data that we may handle include details of: Employees,
Consultants, Contractors, Donors, and Social Media followers.
2.2. The IT Director at International Foundation for Electoral Systems is responsible for
ensuring compliance with the GDPR and with this policy. Any questions or concerns
about this policy should be referred in the first instance to the Richard Twigg who can be
contacted at rtwigg@ifes.org or at 202-350-6720.
2.3. This Policy does not cover data rendered anonymous or where pseudonyms are used.
Data is rendered anonymous if individuals are no longer identifiable or are identifiable
only with a disproportionately large expense in time, cost or labor. The use of
pseudonyms involves the replacement of names or other identifiers with substitutes, so
that identification of individual persons is either impossible or at least rendered
considerably more difficult. If data rendered anonymous become no longer anonymous
(i.e. individuals are again identifiable), or if pseudonyms are used and the pseudonyms
allow identification of individual persons, then this Policy shall apply again.

3. Definitions
3.1. Consumer - Any natural person, but excludes any individual acting in his or her capacity
as an Employee or Supplier.
3.2. Data Subjects - All living individuals about whom we hold personal data, for instance an
employee or a supporter. A data subject need not be a EU national or resident. All data
subjects have equal legal rights in relation to their personal data.
3.3. Employee - means any current, former or prospective employee, temporary worker,
intern or other non-permanent employee of IFES or any current or prospective subsidiary
or affiliate of IFES. There is a separate privacy policy for employee data
3.4. Personal Data - Any information relating to a living person who can be identified directly
or indirectly from that information (or from that information and other information in
our possession}. Personal data can be factual (such as a name, address or date of birth)
or it can be an opinion (such as a performance appraisal). It can also include an identifier
such as an identification number, location data, an online identifier specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that
3.5. Data Controllers - People who, or organizations which, decide the purposes and the
means for which, any personal data is processed. They have a responsibility to process
personal data in compliance with the GDPR. International Foundation for Electoral
Systems is the data controller of all personal data that we manage in connection with our
work and activities.
3.6. Data Processors - Any person who processes personal data on behalf of a data controller.
Employees of data controllers are excluded from this definition, but it could include other
organizations such as website hosts, fulfilment houses or other service providers which
handle personal data on our behalf.
3.6.1. Processing is any activity that involves use of personal data, whether or not by
automated means. It includes but is not limited to:
3.6.2. Collecting, recording, organizing, structuring, storing, adapting or altering,
retrieving, disclosing by transmission, disseminating or otherwise making
available, restricting, erasing or destruction of personal data.
3.7. Sensitive Personal Data - includes information about a person’s:
3.7.1. Racial or ethnic origin, political opinions, religious, philosophical or similar beliefs,
trade union membership, physical or mental health or condition, sexual life or
orientation, genetic data, or biometric data.
3.8. Supplier - means any supplier, vendor or other third party (including independent
contractor) that provides services or products to IFES.

4. Data Protection Principles
4.1. Anyone processing personal data must comply with the six data protection principles set
out in the GDPR. We are required to comply with these principles (summarized below),
and show that we comply, in respect of any personal data that we deal with as a data
4.2. Personal Data should be:
4.2.1. Process fairly, lawfully and transparently
4.2.2. Collected for specified, explicit and legitimate purposes and not further processed
in a way which is incompatible with those purposes
4.2.3. Adequate, relevant and limited to what is necessary for the purpose for which it is
4.2.4. Not kept longer than necessary
4.2.5. processed in a manner that ensures appropriate security of the personal data

5. Processing data fairly and lawfully
5.1. The first data protection principle requires that personal data is obtained fairly and
lawfully and processed for purposes that the data subject has been told about.
Processing will only be lawful if certain conditions can be satisfied, including where the
data subject has given consent, or where the processing is necessary for one or more
specified reasons, such as where it is necessary for the performance of a contract.
5.2. To comply with this principle, when we receive personal data about a person directly
from that individual, which we intend to keep, we need to provide that person with "the
fair processing information". In other words, we need to tell them:
5.2.1. The type of information we will be collecting (categories of personal data
5.2.2. Who will be holding their information, i.e. International Foundation for Electoral
Systems including contact details and the contact details to the IT Director
5.2.3. Why we are collecting their information and what we intend to do with it for
instance to process donations or send them mailing updates about our activities
5.2.4. The legal basis for collecting their information (for example, are we relying on
their consent, as part of a contract between the parties, or on our legitimate
interests or on another legal basis
5.2.5. If we are relying on legitimate interests as a basis for processing what those
legitimate interests are
5.2.6. Whether the provision of their personal data is part of a statutory or contractual
obligation and details of the consequences of the data subject not providing that
5.2.7. The period for which their personal data will be stored or, where that is not
possible, the criteria that will be used to decide that period
5.2.8. details of people or organizations with whom we will be sharing their personal
5.2.9. if relevant, the fact that we will be transferring their personal data outside the
organization and details of relevant safeguards
5.2.10. The existence of any automated decision-making including profiling in relation to
that personal data
5.3. Where we obtain personal data about a person from a source other than the person his
or her self, we must provide that individual with the following information in addition to
that listed under 5.2 above
5.3.1. The categories of personal data that we hold
5.3.2. The source of the personal data and whether this is a public source
5.4. In addition, in both scenarios, (where personal data is obtained both directly and
indirectly) we must also inform individuals of their rights outlined in section 9 below,
including the right to lodge a complaint with the EU and, the right to withdraw consent to
the processing of their personal data.
5.5. This fair processing information may be provided in numerous places including on web
pages, in mailings or on application forms. We must ensure that the fair processing
information is concise, transparent, intelligible and easily accessible.

6. Processing data for the original purpose
6.1. The second data protection principle requires that personal data is only processed for the
specific, explicit and legitimate purposes that the individual was told about when we first
obtained their information
6.2. This means that we should not collect personal data for one purpose and then use it for
another. If it becomes necessary to process a person's information for a new purpose,
the individual should be informed of the new purpose beforehand. For example, if we
collect personal data such as a contact number or email address, in order to update a
person about our activities it should not then be used for any new purpose, for example
to share it with other organizations for marketing purposes, without first getting the
individual's consent.

7. Personal data should be adequate and accurate
7.1. The third and fourth data protection principles require that personal data that we keep
should be accurate, adequate and relevant. Data should be limited to what is necessary
in relation to the purposes for which it is processed. Inaccurate or out-of-date data
should be destroyed securely, and we must take every reasonable step to ensure that
personal data which is inaccurate is corrected.

8. Not retaining data longer than necessary
8.1. The fifth data protection principle requires that we should not keep personal data for
longer than we need to for the purpose it was collected for. This means that the personal
data that we hold should be destroyed or erased from our systems when it is no longer
needed. If you think that we are holding out-of-date or inaccurate personal data, please
speak to The Director of IT.
8.2. For guidance on how long particular types of personal data that we collect should be kept
before being destroyed or erased, please contact the Director of IT.

9. Rights of individuals under the GDPR
9.1. The GDPR gives people rights in relation to how organizations process their personal
data. Everyone who holds personal data on behalf of International Foundation for
Electoral Systems needs to be aware of these rights. They include (but are not limited to)
the right:
9.1.1. to request a copy of any personal data that we hold about them (as data
controller), as well as a description of the type of information that we are
processing, the uses that are being made of the information, details of anyone
to whom their personal data has been disclosed, and how long the data will
be stored (known as subject access rights;
9.1.2. to be told, where any information is not collected from the person directly,
any available information as to the source of the information;
9.1.3. to be told of the existence of automated decision-making;
9.1.4. to object to the processing of data where the processing is based on either
the conditions of public interest or legitimate interests;
9.1.5. to have all personal data erased (the right to be forgotten) unless certain
limited conditions apply;
9.1.6. to restrict processing where the individual has objected to the processing;
9.1.7. to have inaccurate data amended or destroyed; and
9.1.8. to prevent processing that is likely to cause unwarranted substantial damage
or distress to themselves or anyone else.

10. Types of Data Collected
10.1. Personal Data relating to Consumers may include:
Contact information, such as name, job title, company, postal address, email address
and telephone number; and Personal Data in content Consumers provide on our
website and other data collected automatically through the website (such as IP
addresses, browser characteristics, device characteristics, operating system, language
preferences, referring URLs, information on actions taken on our website, and dates and
times of website visits).
10.2. Personal Data relating to Suppliers may include:
Contact information, such as name, job title, company, postal address, email address
and telephone number, tax identification number, bank account information,
information required for us to perform due diligence, background checks, health and
safety-related reports, testing, and certifications required by law to perform services;
and Personal Data in content Suppliers provide on our website and other data collected
automatically through the website (such as IP addresses, browser characteristics, device
characteristics, operating system, language preferences, referring URLs, information on
actions taken on our website, and dates and times of website visits).

11. Data Security
11.1. The sixth data protection principle requires that we keep secure any personal data that
we hold.
11.2. We are required to put in place procedures to keep the personal data that we hold
secure, including protection against unauthorized or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organizational
11.3. When we are dealing with sensitive personal data, more rigorous security measures are
likely to be needed, for instance, if sensitive personal data (such as details of an
individual's health, race or sexuality) is held on a memory stick or other portable device
it should always be encrypted.
11.4. When deciding what level of security is needed, your starting point should be to look at
whether the information is sensitive or highly confidential and how much damage could
be caused if it fell into the wrong hands.
11.5. The following security procedures and monitoring processes must be followed in
relation to all personal data processed by us:
11.5.1. Encryption of personal data
11.5.2. Measures to restore availability and access to data in a timely manner in event
of physical or technical incident;
11.5.3. Process for regularly testing, assessing and evaluating effectiveness of security
11.5.4. backing up data (daily back-ups should be taken of all data on the system and
data should not be stored on local drives or removable media as these will not
be backed up);
11.5.5. Entry controls (any stranger seen in entry-controlled areas should be
11.5.6. Staff should ensure that individual monitors do not show confidential
information to passers-by and that they log off from their PC when it is left
11.5.7. Personal data must always be transferred in a secure manner (the degree of
security required will depend on the nature of the data - the more sensitive
and confidential the data, the more stringent the security measures should be)
other measures to ensure confidentiality, integrity, availability and resilience of
processing systems;
11.5.8. Desks and cupboards should be kept locked if they hold confidential
information of any kind (personal information is always considered
confidential) and staff must keep data secure when travelling or using it
outside the offices.

12. Transferring Data Including Transfers Outside of the EU
12.1. The GDPR requires that when organizations transfer personal data outside the EU, they
take steps to ensure that the data is properly protected. We may transfer personal data
outside the EU to entities in the United States of America in the following
circumstances: Confidential information for travel logistics, background checks for
employment or consultant verification, medical, performance.
12.2. Other Third Parties: We may be required to disclose certain Personal Data to other third
parties: (i) As a matter of law (e.g. to tax and social security authorities); (ii) to protect
Our legal rights; (iii) in an emergency where the health or security of an employee is
endangered (e.g. a fire); (iv) to Law Enforcement Authorities in accordance with the
relevant legislation in the different EEA Member States.
12.3. NOTE: The European Commission has determined that the United States of America
(USA) does not have an adequate level of data protection as defined in Article 45 of
the GDPR. The United States of America does not require entities to have the same
level of data protection and the European Union. Additionally, the USA provides
limited recourse in the event of a unauthorized disclosure
12.4. For more information, please speak to the IT Director.

13. Processing sensitive personal data
13.1. On some occasions we may collect information about individuals that is defined by the
GDPR as special categories of personal data, and special rules will apply to the
processing of this data. In this policy we refer to "special categories of personal data" as
"sensitive personal data". The categories of sensitive personal data are set out in the
definition in Section 3.5.
13.2. Purely financial information is not technically defined as sensitive personal data by the
GDPR. However, care should be taken when processing such data, as the EU will treat a
breach relating to financial data very seriously.
13.3. In most cases, in order to process sensitive personal data, we must obtain explicit
consent from the individuals involved. As with any other type of information, we will
also have to be absolutely clear with people about how we are going to use their
13.4. It is not always necessary to obtain explicit consent. There are a limited number of other
circumstances in which the GDPR permits organizations to process sensitive personal
data. If you are concerned that you are processing sensitive personal data and are not
able to obtain explicit consent for the processing, please speak to the Director of IT.

14. Notification
14.1. We will report breaches (other than those which are unlikely to be a risk to individuals)
to the EU where necessary, within 72 hours. We will also notify affected individuals
where the breach is likely to result in a high risk to the rights and freedoms of these

15. Monitoring and review of the policy
15.1. This policy is reviewed annually by our Policy Working Group to ensure that it is
achieving its objectives.

16. Obligations toward Data Protection Authorities
16.1. We will respond diligently and appropriately to requests from Data Protection
Authorities (“DPAs”) about this Policy or compliance with applicable data protection
privacy laws and regulations. Employees who receive such requests should contact the
Director of Information Technology. We will, upon request, provide DPAs with names
and contact details of relevant persons. With regard to transfers of Personal Data
between IFES entities, the importing and exporting IFES entities will (i) cooperate with
inquiries from the DPA responsible for the entity exporting the data and (ii) respect its
decisions, consistent with applicable law and due process rights. With regard to
transfers of data to third entities, we will comply with DPAs’ decisions relating to it and
cooperate with all DPAs in accordance with applicable legislation.