Here at EduMais, our love for our supporters, donors, volunteers, and students – the numerous beating hearts of our organization – is allied with many of our core values, such as respect, dignity, security and transparency.
It is our understanding that these same values underpin new European data protection laws, which come into effect on 25th May 2018 (GDPR). As a result, we have developed a policy outlining how we handle and protect data in order to uphold these values, especially as we believe it is vital to keep the data of all those involved in our organization as secure as possible.
This policy is written in accordance with the General Data Protection Regulation (GDPR) 2018, as well as the Data Protection Act 1998, and applies to:
- Stichting Edumais Foundation, registered under number 71167757, RSIN number 858606677, Ebbingedwinger 10, 9712 MA, Groningen, Netherlands.
- Edumais, part of Associação de Ex-conselheiros e Conselheiros da Infância, Rua México, no.119, 1401, Rio de Janeiro, Brasil.
- All pages hosted on the Edumais site and other services Edumais runs, such as our social media accounts.
1. What data Edumais collects
i) Contact information (for supporters, donors etc.)
In the vast majority of cases – with the notable exception of volunteer applications – Edumais will only collect your name and email address, which you provide directly to us when you sign up for our newsletter, for example. We will use your email address to send out our newsletters with updates on our work, as well as for other relevant reasons related to our legitimate interests as a volunteer organization, noted in point 4. below
Providing that you signal your consent for us to do so, Edumais will store this data for a period of 24 months, at which point we will then seek your renewed consent to receive communications from us. This data will be held securely by MailChimp, a marketing automation platform we use to facilitate the distribution of our newsletters. MailChimp adheres to strong privacy protections, handling personal data appropriately and in concordance with EU legal requirements set out in the GDPR legislation. Mailchimp’s policy on privacy protection can be found by following this link: https://mailchimp.com/legal/privacy/
ii) Impersonal data
Like the vast majority of websites, Edumais automatically collects certain, de-personalized information about its website visitors, such as Internet Protocol (IP) addresses (a number with which it is possible to identify a computer or other device connected to the internet), referring pages, browser types, date/time stamps, and clickstream data. Though this data can provide us with demographic information about our website visitors, at no point is it used to identify individual users. Instead, Edumais uses this data in order to monitor, administer and improve the effectiveness of our website and its security, as well as to analyse trends and track movements around the site.
iii) Volunteer data
In order to increase our outreach, Edumais is signed up with a number of websites that enable us to recruit volunteers. Each of these companies has its own policies regarding the collection and use of personal information, which we would urge you to read over before considering an application. Edumais is not responsible for the use of your data by these third-party websites.
The data that these third-party websites send to us in the event of an application – or that you send to us directly if you apply through our website or email address – will necessarily contain far more personal information than if you were just signing up for our newsletters. The data that might be collected over the course of a volunteer application includes, but is not limited to: name, date of birth, address, phone number, passport number, resumé, letter of motivation, criminal record check, health insurance details, interview notes, letter of acceptance, contracts, and policy acknowledgement forms.
When you fill out our Application Information Form, which will be sent to you whether you apply directly with us or through a third-party website, you consent to the collection of this data. This data enables us to carry out essential checks to assess your eligibility to work as a volunteer with us: we use it to screen for the most suitable candidates to work with our underprivileged children. If you are declined as a volunteer, then we will not store this data beyond the application process. If you are accepted, we will store this data throughout the time that you carry out voluntary work with us. Once you have completed your voluntary position, your data may still be retained in order for us to meet our operational needs or legal and administrative requirements, though your data will be securely archived or deleted once an appropriate amount of time has passed for us to meet our obligations.
iv) Sensitive personal data, including financial details
We will only collect sensitive personal data where absolutely necessary and with explicit consent. All sensitive personal data is stored on a secure database, to which only a limited number of relevant staff have access. It is deleted when no longer relevant, is never shared with third parties, and is available to you at any point should you wish to see it (if it is your data, that is!).
v) Children’s data
The safety and security of the children we work with is of paramount importance to us and we follow all applicable laws with regards to collecting data from children. We keep the data we collect on our children to a bare minimum, often no more than their names and dates of birth. We also collect data to monitor the children’s progress in the classroom. We do not share this information with any third-parties – except for our partner organization, Solar Meninos da Luz – at any time, nor under any circumstances.
The use of children’s data, such as photographs of them in promotional material, occurs only where we have prior consent from their parent(s) or guardian(s), especially when they are under the age of thirteen. It is highly unlikely that any child – not just the children we work with, but any child – would seek to send personal information to our website, but in the event of this happening this information should also only be submitted with the consent of a relevant parent or guardian.
2. How data is kept secure
Although Edumais endeavours to keep what personal data we do store as safe as possible by employing appropriate technical controls, it is nevertheless true that the transmission of information over the internet is never entirely secure. We will do our absolute best within the means available to us as a small organization to protect the data transmitted to our site: our online forms are always encrypted, for example, and our network is protected and routinely monitored. However, you should also be aware that at the moment of transferring data to us we cannot wholly guarantee its security.
Edumais uses industry-standard tools, such as firewalls and encryption, to protect the confidentiality of your data once it has been transferred to us. We also make every effort to protect against the misuse, alteration or loss of the data under our control, with appropriate security features in place to attempt to both prevent unauthorised access to the data and to detect any attempts at doing so. We are aware of our responsibilities to report any significant data breach as soon as possible, and within seventy-two hours of our realisation that it has occurred, in order to safeguard the confidentiality of personally identifiable information.
The Edumais website contains hyperlinks to websites owned and operated by other organisations. These include some of our most notable supporters, such as Level Up Village, Hope for Tomorrow, and Voys, as well as our partners Solar Meninos de Luz, Books Hostel, and Brayce. Although these trusted organisations play a crucial role in Edumais’s project, it is not possible for Edumais to accept any responsibility or liability for the privacy or security practices of any other organisation’s website, no matter how much we value their contribution to our cause. As good practice, we recommend that you review any privacy or cookie policies governing the use of personal information submitted to any website you visit, even if Edumais provides a link to it.
3. Who has access to your data
Within Edumais, our volunteers only have access to the data required to perform the tasks relevant to their particular role. All of our volunteers, particularly those working within any kind of administrative or technical capacity requiring greater access to data, are given training in data protection and security appropriate to our organization’s capabilities. Regular reviews will be undertaken to ensure that data is only accessible to suitably trained volunteers still involved in the running of Edumais.
As noted above, some third-parties will be involved in the processing of your data, with the handling of donations by PayPal or GoFundMe a notable example. While we cannot assume responsibility for the data usage by such third-parties, they should only have access to the data they need to handle the process and should not be using it for any other purposes.
Data collected by Edumais will only be used for the purposes for which it was obtained. Any marketing that you consent to will be from Edumais alone: you will not receive marketing from any other companies, charities, or other organisations as a result of giving your details to us. Under no circumstances will Edumais ever sell or share your data with any other organization or third-party.
4. How we use your data
There are various ways in which Edumais uses your data, which include the following:
- To send our supporters marketing information about our projects, fundraising activities, and appeals where we have their consent or it is otherwise within our legally recognised legitimate interests to do so.
- To keep you updated on our work.
- To inform you of volunteering opportunities.
- To offer you ways in which to support and/or fund our work.
- To support fundraising and campaigning, as well as to determine the effectiveness of our campaigns.
- To support volunteers in the fulfilment of their roles.
- To review records and to carry out audits in order to verify that our administrative processes are compliant with GDPR legislation.
- To keep a record of donations made and actions taken by our supporters and our communications with them.
- To make enquiries about your interactions with us and to respond to any complaints you might have about our interactions with you.
- To invite you to participate in surveys about, for example, our social media output.
- To ensure we do not send unwanted information to supporters or members of the public who have informed us they do not wish to be contacted.
- To provide you with any information that you have requested from us, in the event of a subject access request, for instance.
- To implement any instructions you give us with regard to withdrawing consent to send marketing information, or deleting the data we hold about you.
- To use IP addresses to identify the location of visitors to our website and to block any disruptive use of it.
- To engage in data analysis with the purpose, for example, of enhancing or modifying our website.
- To invite you to any events that Edumais might hold.
5. How we will communicate with you
Edumais will only send emails for marketing purposes – which by law includes updates on our work, as well as details on how that work can be supported – where we have already received explicit consent from the recipient or, in rare cases, where it is in our legally recognised legitimate interests to do so. At no point will we contact you, however, if you actively indicate the withdrawal of your consent to receive marketing information, which you can do at any time.
In almost all cases, consent will be understood to last for 24 months, after which point Edumais will seek the renewal of your consent for marketing purposes. There are instances where exceptions to this rule may be reasonably applied: were you to sign up for a recurring donation, for example, we would understand each donation to refresh consent for a period of 24 months to enable us to keep you informed of the impacts of your generosity. Were you then to discontinue this recurring donation, the period of 24 months would begin from your last donation, unless you request to stop receiving marketing materials altogether. You would be informed of this policy at the moment you make your first donation.
We will respond to any questions you contact us with via the medium used to contact us, most likely email. If we need to contact you for any administrative purposes, this too would be done by email.
6. How to change the way Edumais engages with you
Although you will be asked to give your consent to receive direct marketing from Edumais when you sign up to our newsletters, for example, it is possible for you to withdraw this consent at any time. Edumais respects your right to do so and we have adhered to GDPR legislation by making the withdrawal of your consent as easy as it is to give: just click on the unsubscribe link at the end of all of our emails. You can also email us at firstname.lastname@example.org to state that you would no longer like to be contacted by us.
Should you request that Edumais stops sending you marketing materials, we will nevertheless keep a record of your contact details to enable us to comply with your request not to be contacted, owing to the requirement of documentation outlined in the GDPR legislation.
As well as documentation, the GDPR places great emphasis on maintaining the accuracy of data stored: please help Edumais to comply with the legislation in this regard by notifying us of any changes to your data held by us. This can be done by contacting us at email@example.com
You can request that any personal data held by Edumais is amended, relocated or deleted, and we will carry out these requests in a timely manner. The GDPR also gives you the right to request access to any data Edumais holds about you at any time, which you can do by contacting us at the email address listed above. Were you to ask for all of your personal data to be removed from our records, we would keep only the data relevant to the proper administrative and historical documentation of Edumais’s activities. After a reasonable amount of time for this to take place – and in no more than five years – we would then entirely delete your data from our records.
7. How to find out more or make a complaint
Edumais operates in accordance with the GDPR legislation. A useful, extended guide to this legislation can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
As noted above, you have a right to ask for a copy of the information Edumais holds about you, which would be supplied to you within one month of the time of request. Fees are not normally charged to carry out such a request, though the GDPR does provide room to do so if your request is particularly complex or time-consuming.
If you have any questions or complaints with regard to Edumais’s processing of your data which were not answered by this policy document, then again please contact us at firstname.lastname@example.org
8. Changes to this policy
It’s possible that this policy may change every now and then. The revised version will be published on Edumais’s website and any significant changes will be communicated to supporters, donors and volunteers either on the website or via email.