TaroWorks Data Processing Policy

1. INTRODUCTION

This TaroWorks Data Processing Policy (the “Policy”) applies to TaroWorks, any subsidiary or any holding company from time to time of TaroWorks, and any subsidiary from time to time of a holding company of TaroWorks (collectively, “TaroWorks”).

This Policy sets out the high-level statements applicable to TaroWorks. This Policy is supplemented by the Privacy Policy governing TaroWorks activities as a data collector, available at www.taroworks.org/privacy-policy.

The protection of Personal Data (as defined below) is important to TaroWorks. Maintaining the confidentiality and security of our clients data, as well as that of our Personnel (as defined below), and other people we do business with, is essential in order to meet our contractual and regulatory obligations, maintain the trust of our employees and uphold TaroWorks’ reputation.

2. POLICY SCOPE

This Policy applies when TaroWorks Processes (as defined below) data or information relating to an identified or identifiable natural person (as defined below), including but not limited to, name, address, IP address, bank account information, phone number, government issued numbers such as social security numbers and any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data (“Personal Data”), which, for the purpose of this Policy, includes any such information about clients, employees, donors, volunteers and service providers.

For the purpose of this Policy:

“Controller” means the organization, natural or legal person, public authority, agency or another body who alone or jointly with others, determine the specific purpose and means of the Processing of the Personal Data.

“Data Breach” means a scenario in which a third-party gains unauthorized access to data, including Personal Data.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

“Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data identifying a natural person, health data or data concerning a person’s sex life or sexual orientation.

This Policy is applicable to all TaroWorks personnel (including TaroWorks employees), contractors, volunteers, temporary staff, consultants, representatives working on behalf of TaroWorks and third parties within or engaged by TaroWorks or any of its contractors (together, the “Personnel”).

This Policy shall apply to Personal Data relating to TaroWorks Personnel, clients, vendors, donors, volunteers and other people TaroWorks does business with and any other individual whose personal information TaroWorks holds and uses. Some provisions shall only apply to data regulated by the GDPR as determined by TaroWorks Clients, however, TaroWorks aims to comply with the GDPR and all relevant law and regulations.

3. POLICY OBJECTIVE AND DEFINITION

The objective of this Policy is to promote the lawful and compliant Processing of Personal Data, including the prevention of its unauthorised use, disclosure or access.

This Policy sets out the TaroWorks policy, high-level controls and responsibilities to ensure the Policy objectives can be met.

4. GOVERNANCE AND ACCOUNTABILITY

4.1 Compliance with the Policy:

(a)            TaroWorks’ CEO approves this Policy.

(b)            TaroWorks’ CEO has direct responsibility for developing and maintaining this Policy.

(c)            TaroWorks’ CEO shall provide advice, guidance and training on the implementation of, and compliance with this Policy, along with governance, monitoring and reporting against the Policy;

(d)           The CEO shall be supported by the head of product and head of market development who shall be responsible for embedding data protection compliance within their segment.

(e)            TaroWorks’ CEO shall provide advice, guidance and training to facilitate compliance with this Policy throughout any change management process.

(f)            All members of staff are directly responsible for adhering to this Policy and complying with the data protection guidance and implementing the procedures appropriate to their core business functions and operational area.

(g)           All TaroWorks Personnel and third parties within or engaged by TaroWorks are responsible for ensuring that their team members comply with this Policy, and appropriate guidance and procedures.

(h)           All Personnel and third parties have a duty to understand, support and comply with this Protection Policy, guidance and procedures. Failure to comply may lead to disciplinary and/or legal action against TaroWorks Personnel or third parties that could lead to dismissal, breach of contract claims and criminal prosecution.

(i)            All Personnel and third parties (when relevant) must affirm their understanding of and acceptance to abide by this Policy and appropriate guidance and procedures.

5. POLICY STATEMENTS

5.1 Fair and lawful processing:

TaroWorks shall Process Personal Data lawfully and fairly.

(a)           Legal basis for processing:

TaroWorks relies on Controllers to determine the legal basis under the applicable jurisdiction’s laws for Processing Sensitive Personal Data. For Personal Data subject to the European General Data Protection Regulation (the “GDPR”), TaroWorks shall ensure it relies on the Controller’s selection of one of the following legal bases for each Processing activity:

1. Consent;
2. Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Processing is necessary for compliance with a legal obligation to which TaroWorks is subject;
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in TaroWorks; or
6. Processing is necessary for the purposes of the legitimate interests pursued by TaroWorks or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data.

Where the Processing is based on consent from the data subject, TaroWorks expects the consent obtained by the Controller should be freely given, specific and unambiguous and be indicated by a positive action taken by the data subject. The data subject shall be informed of the method for withdrawing consent. If the consent is given in the context of a written declaration that deals with other matters, the consent should be clearly distinguishable.

Sensitive Personal Data is considered extremely sensitive and therefore additional care must be taken when dealing with it. For Personal Data subject to the GDPR, TaroWorks shall ensure it relies on the Controller’s selection of one of the following legal bases for each Processing activity:

1. explicit consent;
2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the data subject in the fields of employment, social security and social protection law under national or EU law or a collective agreement providing for appropriate safeguards for the interests of the data subject;
3. Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the Processing relates solely to the members, former members or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed outside that body without the consent of the data subjects;
5. Processing relates to Personal Data which is manifestly made public by the data subject;
6. any other acceptable legal bases which may arise in relevant law.

(b)           Transparency:

1. TaroWorks shall Process Personal Data in a transparent way ensuring notices, policies and consents are concise, intelligible, easily accessible, provided in clear and plain language and are easy to understand and free of charge;
2. Upon written request, and for data subject to the GDPR, TaroWorks shall communicate the name and contact details of the data Controller;

5.2 Purpose limitation:

TaroWorks shall not further Process Personal Data in a manner that is incompatible with the purposes set forth by the Controller.

Any further Processing of Personal Data that is incompatible with the original purpose that it was collected for must be approved by the CEO.

5.3 Data minimisation & storage limitation:

TaroWorks maintains measures and procedures which minimize the Processing of Personal Data to that which is adequate, relevant and limited to what is necessary as determined by the Controller, and shall erase the Personal Data when no longer necessary for the purposes for which they were processed, except in cases of data used in the aggregate or for statistical purposes, which may be further retained.

5.4 Accuracy:

TaroWorks generally does not maintain the capability to modify any data of Controllers/Clients. TaroWorks shall rely on Controllers to ensure that Personal Data shall be accurate and, where necessary, kept up to date, when TaroWorks provides any Processing Services on their behalf.

TaroWorks shall refer any written request by the data subject relating to accuracy to the Controller.

5.5 Security:

TaroWorks maintains appropriate measures to ensure the integrity, availability and confidentiality of Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This includes an internal Information Technology Policy that limits TaroWorks employees’ access to Personal Data collected by clients.

5.6 General obligations

TaroWorks shall comply with the following obligations for data subject to the GDPR:

(a)           Data Breach notification:

TaroWorks Personnel shall notify the CEO of TaroWorks of Data Breaches immediately on discovery of the breach. If the Data Breach has the potential for serious harm to an individual’s rights and freedoms, TaroWorks will inform each individual where it holds proper contract information without undue delay (certain exceptions may be applicable, if there are new security standards or it would involve disproportionate effort), and at a minimum will inform the Controller

TaroWorks may also be required to notify one or more regulators in different jurisdictions of Data Breaches. Notifiable Data Breaches relating to Personal Data subject to the GDPR must be notified to the supervisory authority within 72 hours.

(b)           Privacy by design and default:

TaroWorks shall consider privacy compliance at the outset of new projects (e.g., new IT systems, new research projects using Personal Data) or when looking at mergers or acquisitions, taking into consideration the risks to data subjects.

(c)           Data subjects’ rights:

TaroWorks generally does not maintain the capability to access, modify or delete data collected or maintained by Controllers/Clients. TaroWorks shall rely on Controllers to observes data subjects’ rights of access, portability, rectification, erasure, processing restriction to Personal Data.

TaroWorks shall refer any written request by a data subject on these topics to the Controller.

(d)           Appointment of data processors:

TaroWorks shall use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures such that the Processing meets the requirements of this Policy or that of a data Controller.

1. Where the Personal Data to be Processed is subject to the GDPR, TaroWorks shall ensure that a contract is entered into with third-party Processors which addresses relevant requirements of the GDPR.

(e)           Training and awareness:

TaroWorks shall provide training to staff who are involved in any Processing of Personal Data.

1. TaroWorks also ensures that Personnel who have access to, or responsibility for, handling Personal Data are provided with appropriate guidance and training.
2. All Personnel are required to indicate their acceptance of this Policy.

(f)            Data transfers

TaroWorks Personnel shall be cautious when transferring Personal Data. TaroWorks Personnel shall transfer all data subject to appropriate safeguards and under a contract.

(g)           Resources and audit:

TaroWorks shall ensure the necessary resources are made available to implement and monitor policies, procedures and controls and conduct internal data protection audits to ensure compliance with this Policy.

Interested to learn more?

Please fill the form to receive customized information about how TaroWorks can improve your frontline operations. For general inquiries, send us an email at: hello@taroworks.org.