1. General provisions
This personal data processing and protection policy (hereinafter referred to as the Policy) is an internal and normative document of the NGO “Investigative Journalists”(hereinafter referred to as the NGO), which stipulates the procedure and conditions for the protection of processing and processed personal data by the NGO, the general provisions of the regulating NGO, as well as the main means to implement relevant requirements, and the responsibilities of the official of the NGO, the competent persons.
2. Terminology and definitions
Personal data: any information about a physical person that enables or may enable the direct or indirect identification of a person.
Personal data processing, regardless of the method of implementation (including automated, with or without the use of any technical means), any action or group of activities related to the collection or storage, or entry, or coordination, or organization, or saving, or use, or transformation, or restoring, or transferring, or correcting, or blocking or destruction of personal data, or performing other operations.
Personal Data Collector: the NGO “Investigative Journalists” that organizes and (or) implements personal data processing.
Data subject: citizens (physical persons), employees, service providers, and partners, who establish contractual and (or) other relations with the NGO.
Database: a set of personal data, systematized by certain features.
Information system: a set of information technologies or technical means used for the processing of personal data entered into the database, electronically or non-electronically.
Personal data protection: a set of technical, organizational, and organizational and technical measures to protect information concerning the personal data subject that can be identified on the basis of certain or similar information.
Information: data, regardless of its format.
Non-governmental organization: the non-governmental organization "Investigative Journalists".
Publicly available personal data: information that, with the consent of the data subject or by conscious action to make one’s personal information public, is made available to certain or uncertain persons, as well as information that is legally intended to be publicly available.
Disclosure of personal data: actions aimed at disclosing personal data to a particular person or certain group of persons.
Employees (NGO employees): full-time or part-time employees of the NGO, regardless of their position in the NGO.
3. Measures to ensure the security of processed personal data
- In order to ensure the protection of the processed personal data, the NGO shall take the necessary legal, organizational and technical protection measures in accordance with the normative requirements of the competent bodies of state power (regulatory bodies).
- The rules and requirements for protection and processing of personal data should be taken into account during the preparation of corporate documents related to all the spheres of the NGO's activity, including:
– all types of civil law contracts;
– agreements on the transfer and acceptance of physical and "information objects" protected by copyright and adjacent rights, as well as by the owners’ rights, including the rights of information protection;
– Internal and external agreements, regulations, procedures (charters), and orders;
– design and evaluation, procurement, structural, technological, software and operation documentation for information systems, automated systems and (or) databases.
- Personal data protection measures are developed in accordance with the RA legislation and technical capabilities of the NGO.
- Personal data processing and security requirements to be observed by the employees of the NGO responsible for personal data processing:
– subject’s consent for the processing of personal data in all cases provided by law, especially, in case of transfer or receipt of data by third parties;
- The organization is guided by the following requirements when processing personal data:
– legitimacy of goals and means of processing and trustworthiness of data;
– ensuring the legality of personal data processing, which implies data processing with the consent of the subject;
– matching of actual and stated purposes of processing,
– matching of the amount and nature of the personal data, means of processing and purposes;
– sufficient data for processing purposes, and impermissibility of excessive data for processing purposes;
– advising information system users about the legal and safe handling of personal data,
– accuracy, integrity, reliability and security of personal data in information systems,
– advising the subject about the legally significant consequences of the processing of one’s personal data, giving the opportunity to influence the accuracy and completeness of data.
4. The purpose of personal data processing
Personal data processing is done under signed agreements for the purpose of interaction, and execution of legal acts and normative documents.
5. Data subject’s consent and the rights of personal data subjects
- The processing of personal data is legal provided:
– data has been processed in accordance with the law, and the data subject has given one’s consent to it, except for the cases directly provided by this Law or other laws, or
– The processed data was obtained from publicly accessible sources of personal data.
- The consent of the data subject is considered to be received, and the NGO has the right to process it when:
– personal data are mentioned in the document addressed to the NGO and signed by the data subject, except for cases when the content of the document is essentially an objection against personal data processing;
– the NGO received the data on the basis of a contract with the data subject, and uses it for the purposes specified in that contract;
– the data subject voluntarily provides information about one’s personal data, orally or in writing, to the NGO for the purpose of using it.
- The data subject may give one’s consent in person or through a representative, if such competence is provided by a power of attorney.
- The consent of the data subject shall be given in writing or electronically with a certified electronic digital signature, and in the case of oral consent, through such credible actions that clearly indicate the data subject’s approval of the use of personal data.
- Personal data can be processed without the data subject’s consent of, if data processing is directly provided by law.
- The personal data subject has the right to receive information on the processing of one’s personal data, including data that will contain:
– confirmation of the fact of and the purpose of personal data processing,
– means of personal data processing,
– the subjects with whom personal data has been or can be shared,
– the list of processed personal data and sources thereof,
– the dates of personal data processing,
– possible legal consequences for the data subject as a result of personal data processing.
6. Personal data confidentiality
Information about personal data obtained by an NGO is confidential and is protected by law.
The employees of the NGO and other persons who have the right to access processed personal data have signed the order of non-disclosure of confidential information, as well as have been warned about possible disciplinary, administrative, civil and criminal liability in case of breach of the legislation in the field of personal data processing.
7. Final provisions
- This Policy, as well as its all amendments, shall be approved by the Chairman of the NGO and shall enter into force upon publication on the NGO hetq.am and mediafactory.am websites.
- As soon as further editions of this Policy enter into force, its previous editions shall be considered null and void.
- If the provisions of this policy contradict the legislation of the Republic of Armenia, the relevant provisions of the legislation of the Republic of Armenia shall apply.