GDPR Data Policy

The Director of Professors Without Borders and the board are responsible for ultimate data issues and control. Day-to-day control will be administered by the CTO or [name person]. Contact for any data-related questions about Professors Without Borders and subsidiaries.

This policy will be reviewed annually as part of the AGM pre-process. Any changes will be ratified at the AGM.

Data definition
We take the definition of data to include names, addresses and contact details of people who have signed up for emails or any other further information requests and channels. Data will also cover employee data, intern data and related information.

Breach reporting
If there is a breach in any way we will directly contact, via email in the first instance, all affected parties. Where we don’t have email addresses we will endeavour to send letters and/or call the persons involved. We will also post an urgent update on all our websites.

Lawful, fair and transparent processing
Data and information will be collected according to the relevant laws of the territory for which it is relevant. Currently online data falls under EU safe harbor governance and adheres to UK Charity laws.

Data audit
Currently we hold data as:
• Email information within the Mailchimp email service
• Phone numbers and addresses other than email are held in a corporate shared drive as Google document format records.

If any individual wishes to see their data they should contact and we will arrange for open access within a reasonable timeframe of no more than two weeks. No data will ever be shown to anyone who doesn’t need to see it in pursuit of their duties.

Purpose limitations
All data collected is held under one of the lawful purposes as listed below. All our current data is collected with consent, in order to communicate charity messages or for the purpose of communicating information about our programmes.
• Consent – you said we could have your data.
• Contractual – any contracts with you that we need to create.
• Legal obligation – processing is necessary for compliance with a legal obligation
• Vital interests – this is part of safeguarding where we legally have to comply with a regulation.
• Public tasks – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business
• Legitimate interests – processing is necessary for purposes of legitimate interests pursued by the business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. Contact if you're unsure if this covers you.

Data minimisation
We will only hold the minimum data that is needed to fulfil the obligation we have undertaken with you.

Data will be reviewed annually including an annual mail out to ask if you want your data removing.

Storage limitations
We will retain data for as long as we need it. If you are no longer part of the organisation then we will remove it at your request. Emails can all be unsubscribed from within the body of the mail.

Integrity and confidentiality
All our data is stored on systems held by large service companies, Google and Mailchimp being the main two. We rely on these companies for backups as part of their service agreements.