Internews Ukraine Confidentiality Policy

This NGO INTERNEWS UKRAINE Confidentiality Policy (the ‘Policy’ or the ‘Confidentiality Policy’) covers the processing of personal data of natural persons (personal data subjects) that may be obtained by INTERNEWS UKRAINE NON-GOVERNMENTAL ORGANIZATION under the Constitution of Ukraine, Law of Ukraine “On Personal Data Protection” (the ‘Law of Ukraine’) and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the ‘GDPR’) and other applicable European legislation on personal data protection; hereinafter together referred to as the ‘Legislation’.

The Confidentiality Policy has been drawn up for you to know:

  • what the personal data are;
  • which of your personal data we collect;
  • how and why we use them and to whom we transfer your personal data;
  • how we protect the confidentiality of your personal data;
  • how to contact us and whom you should contact if you have questions about your personal data processing.

We process your personal data only if one of the requirements outlined in Article 6 of GDPR is met, including but not limited to:

  • you have given consent to your personal data processing;
  • processing is necessary for the provision of services to you;
  • processing is necessary for compliance with the legislation of the country in which you are staying.

The Confidentiality Policy covers all information obtained through our website, event registration forms, e-mail marketing, tender and sub-grant applications for cooperation, work requests, marketing tools, etc.

We commit to the protection of the personal data of our clients, potential clients, and other people who have contacted us, that is why we are eager to protect the confidentiality of your personal data. The Administration undertakes to take all necessary measures to prevent the misuse of your personal data, which become known to us. We will process your personal data in strict compliance with applicable Legislation and only if there are legal grounds for such processing.

You are not obliged to provide us with your personal data but we will not be able to provide some of our services to you without certain information about you. If we control the means of the processing of your personal data and determine the purposes for which such personal data are used, the Administration is a “controller of personal data” within the meaning of GDPR, other applicable European legislation on personal data protection, and the Law of Ukraine.

1. Terms and Definitions

Personal data shall mean information or aggregate information about a natural person who is identified or may be identified (the User);

Special categories of personal data shall mean so-called “sensitive” personal data that may cause harm to the personal data subject at work, in an educational institution, in the living environment, or may lead to discrimination in society. For example, this is personal data that contain information about racial or ethnic origin, political views, religious or other convictions, membership in trade unions, as well as data about health or sexual life, biometric and genetic data. Within the meaning of Ukrainian legislation, this is personal data processing of which poses a particular risk to personal data subjects;

A personal data subject shall mean a natural person to whom personal data relate and who can be identified or has already been identified based on such personal data;

A website administration (the ‘Administration’, ‘we’, ‘us’) shall mean INTERNEWS UKRAINE NON-GOVERNMENTAL ORGANIZATION, address: 15 RYZKA STREET, Kyiv, 04112, Ukraine, date of registration: July 10, 1996, a record number: 10741200000014204;

Personal data processing shall mean any operation or set of operations such as collection, registration, accumulation, storage, adaptation, alteration, updating, use and dissemination (distribution, sale, transfer), depersonalization, or destruction of personal data which may involve the use of information (automated) systems;

Dissemination of personal data shall mean actions related to the transfer of information about a personal data subject with their consent;

Use of personal data shall mean any actions taken by the Administration to process data, actions taken to protect them, as well as actions taken to grant partial or full rights to process personal data to other subjects of relations connected to personal data, carried out with the consent of personal data subjects or subject to the Legislation;

Depersonalization of personal data shall mean the withdrawal of information that allows directly or indirectly identifying a person;

A User shall mean a personal data subject, any legally capable natural person who has joined the Confidentiality Policy in their interests and has ever accessed the website;

An Online Service shall mean a service owned by the Administration on the Internet (internews.ua) and containing text, graphic, and other information that is perceived as a whole and supported by a set of system software tools;

Registration shall mean the User’s actions to fill out and submit a registration form for participation in a relevant event, program, or activity organized by NGO Internews Ukraine;

Authorization shall mean the User’s entry of their login and password in the Online Service or the use of alternative methods of identification (Mobile ID, Google or Facebook account, etc.);

A Policy shall mean this Confidentiality Policy on internews.ua/terms.

A controller of personal data shall mean a natural or legal entity that determines the purposes and means of the processing of personal data and bears primary responsibility for their processing. Within the meaning of the Confidentiality Policy, the controller of personal data is NGO Internews Ukraine.

A processor of personal data shall mean a natural or legal person which processes personal data for the controller under the instructions (directions, orders).

2. General Provisions

2.1. The Policy applies to all of your personal data that may be obtained by us when you use the Online Service. The Policy applies to personal data received both before and after the Policy comes into force.

2.2. The purpose of the Policy is to provide you with the necessary information that allows you to assess what personal data are processed by us and for what purposes, the methods of their processing, and ensuring security.

2.3. When the Online Service is used, the Administration, by your personal actions, receives your personal data, inter alia, through third parties. In the meantime, you give consent to the processing of your personal data subject to the Policy.

2.4. If you disagree with the terms and conditions of the Policy, you must stop using the Online Service.

2.5. A personal data subject may withdraw consent to the processing of personal data. If a personal data subject withdraws consent to the processing of personal data, the Administration shall be entitled to continue processing such data without the consent of the personal data subject if there are grounds specified in the Legislation.

2.6. The Administration does not verify the authenticity of the personal data provided by the User and cannot assess the User’s legal capacity. Nevertheless, the Administration assumes that the User acts in good faith, with due diligence, provides reliable and sufficient personal data, and makes all necessary efforts to keep such data up to date, without violating the rights of third parties.

2.7. By agreeing to the terms and conditions of the Policy, you confirm that at the time of collection of personal data, you are informed about the persons to whom your personal data are transferred, as well as the content and the purpose of collecting them. You confirm (warrant) that the personal data transferred to us for processing are transferred with the consent of controllers of personal data and subject to the Legislation.

2.8. Having received personal data from the User, the Administration does not assume any obligation to inform the personal data subjects (their representatives) whose personal data have been transferred to it, about the beginning of the processing of personal data because the User, who transferred the personal data, undertakes to inform them appropriately when concluding an agreement with the personal data subject and/or when obtaining consent to such transfer.

2.9. Your personal data are processed subject to the Legislation. Processing of personal data of persons residing in the EU or who are EU citizens is regulated, inter alia, by the GDPR. Besides, the legislation of other countries may lay down additional requirements.

2.10. The Policy applies to all information that the Administration may receive about the User when the User uses the Online Service and when the Administration performs any agreements and contracts concluded with the User.

2.11. The Policy is an internal document of the Administration.

2.12. The controller of personal data is relieved from liability for the consequences that have occurred in connection with the processing of personal data if they are not responsible for the event that caused such consequences. You also agree that the controller of personal data shall be entitled to provide access and transfer your personal data to third parties without any additional notifications, only if the purpose of their processing does not change and to the extent outlined in the Confidentiality Policy and/or the Legislation. No person under the age of 18 should provide us with personal data through the Online Service. We do not purposefully collect personal data from persons under the age of 18. That is why parents and guardians should constantly monitor their children’s activities.

3. Composition of personal data

3.1. The Administration processes personal data of the User provided by them when using the website to carry out its activities and to fulfill its obligations.

3.2. The personal data of the User include surname, name, patronymic, e-mail address, mobile/corded phone number, country of residence, links to your social networks, and any other information, provided by you:

  • as answers to our questions, if they are provided in forms, questionnaires, or requests for our events, activities, and programs;
  • in commercial offers;
  • in applicant forms, resumes, motivation letters, employee questionnaires, etc.
  • photos and videos of events and activities that may contain personal data about you, such as images and location,
  • as well as the User’s IP address, browser, and device information used to access our website, their country and location, duration and time of the visit.

We ask you to provide only the personal data necessary to provide the service you have chosen, to receive a newsletter or a response to your special request/claim. In the meantime, if you decide to provide us with additional personal data, we will also be able to process them with the required level of protection.

3.3. The Administration shall be entitled to lay down the requirements for the composition of personal data that must be provided for using the Online Service. If certain data are not marked by the Administration as mandatory, they shall be provided or disclosed by the User voluntarily.

3.4. Data automatically transferred to the Administration through the software installed on the device when the User uses the Online Service are as follows: IP address, browser information and type of device operating system, technical characteristics of hardware and software, date and time of access to the Online Service.

4. Grounds and purpose of personal data processing

4.1. The grounds for personal data processing are as follows:

  1. consent of the personal data subject to the processing of their personal data by the Administration;
  2. conclusion and performance of an agreement to which the personal data subject is a party or which is concluded in favor of the personal data subject, or for implementation of measures preceding the conclusion of the agreement at the request of the personal data subject;
  3. the Administration’s need to fulfill the requirements outlined in the Legislation.

4.2. The purpose of personal data processing is as follows:

  • to send commercial (marketing) messages to the User containing additional information about services, current promotions, and special offers related to the services provided by the Administration through the Online Service;
  • to identify the personal data subject when they use the Online Service;
  • to provide the User with goods and/or services subject to the terms of cooperation;
  • to communicate with the personal data subject, if necessary, including by sending offers, information materials, notifications, information and requests, advertising, as well as processing requests of the personal data subject;
  • to improve the quality of the Online Service, its usability, development of new functionality, and improve the quality of service;
  • to conduct statistical and other research based on depersonalized data;
  • to fulfill the Administration’s contractual and other obligations to the User under agreements concluded between the Administration and the User or third parties in the interests of the User;
  • to achieve other goals, and carry out the statutory activities of the NGO Internews Ukraine, which do not contradict the legislation of Ukraine and the EU in force.

5. Basic principles of personal data processing

5.1. The Administration shall process personal data under the following principles:

5.1.1. Lawfulness of the purposes and methods of personal data processing;

5.1.2. Processing of personal data for specific, clear, and legitimate purposes. Later, personal data will not be processed in a manner that is incompatible with such purposes;

5.1.3. Compliance of the purpose of personal data processing with the purposes previously determined and declared in advance when collecting personal data;

5.1.4. Compliance of the list and volume of processed personal data, as well as the methods of processing personal data, with the stated purpose of processing;

5.1.5. Reliability of personal data, their sufficiency for processing, the inadmissibility of processing personal data that is excessive in relation to the purposes of personal data processing;

5.1.6. Ensuring the accuracy of personal data during the processing of personal data, their sufficiency, and, where necessary, relevance to the purpose of personal data processing.

5.1.7. Inadmissibility of combining databases containing personal data, which are processed for purposes that are incompatible with each other;

5.1.8. Processing in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and unintentional loss, destruction, or damage, with the use of appropriate technical and organizational tools.

5.2. The Administration shall process personal data for statistical or other research purposes subject to their mandatory depersonalization.

5.3. The Administration does not process personal data relating to racial or ethnic origin, political views, religious or other convictions, membership in political parties and trade unions, criminal charges or convictions as well as data about health or sexual life, biometric and genetic data.

5.4. Personal data shall be processed subject to the Legislation.

6. Term of personal data processing

6.1. The term of personal data processing is determined based on the purposes of processing, but it shall not be longer than determined by the Legislation.

6.2. Personal data, the processing (storage) period of which has expired, must be destroyed or depersonalized unless otherwise provided by the Law of Ukraine. Personal data are stored in a form that allows identifying the personal data subject for no longer than the purposes of personal data processing require, unless the personal data storage period is established by the Law of Ukraine. The processed personal data are subject to destruction or depersonalization after the achievement of the processing purposes or in case of loss of the need to achieve these purposes, unless otherwise provided by the Law of Ukraine. We must also consider the periods for which we may need to store your personal data to comply with our legal obligations to you or regulatory authorities (subject to the GDPR).

6.3. We must also consider the periods for which we may need to store your personal data to comply with our legal obligations to you or regulatory authorities.

6.4. We may minimize the personal data we use about you over time, or we may even make your data anonymous so that they can no longer be linked to you personally. In this case, we will be able to use this information for statistical or other purposes without further notifying you, as such information is no longer personal data.

7. Persons authorized to process personal data by the Administration

7.1. To achieve the purposes of the Policy, only those employees of the Administration who are entrusted with such a duty subject to their official (labor) duties are allowed to process personal data. Other employees may be granted access only in cases outlined in the Law of Ukraine. The Administration shall warrant on behalf of its employees the observance of confidentiality and ensure the security of personal data during their processing.

7.2. The Administration shall be entitled to transfer personal data to third parties in the following cases:

  • the personal data subject has expressed their consent to such actions in writing;
  • the transfer is provided for by Ukrainian or other relevant legislation within the framework of the procedure established by law. In the meantime, access to personal data is not provided to a third party if the said person refuses to undertake obligations to ensure compliance with the requirements of the Law of Ukraine or cannot ensure their fulfillment.

7.3. The Administration shall be entitled to entrust the processing of personal data to a third party with the consent of the personal data subject, unless otherwise provided by the Ukrainian legislation, based on an agreement concluded with a third party, containing a confidentiality and non-disclosure of personal data clause.

7.4. Representatives of public authorities (including controlling, supervisory, law enforcement, and other authorities) have access to personal data processed by the Administration to the extent and in the manner prescribed by the Legislation.

8. Implementation of personal data protection

8.1. The Administration’s activities on the processing of personal data in information systems are inextricably linked to the Administration’s protection of the confidentiality of the information received if it does not contradict the legislation in force.

8.2. The personal data protection system includes organizational and (or) technical measures determined considering current threats to the security of personal data and information technologies used in information systems. The Administration updates these measures with the advent of new technologies, if necessary.

8.3. Personal data are exchanged during their processing in information systems through communication channels protected by technical means of information protection.

8.4. When processing personal data in information systems, the Administration shall undertake:

  • to take measures aimed at preventing unauthorized access to personal data and (or) transferring to persons who shall not be entitled to access such information;
  • to timely detect facts of unauthorized access to personal data;
  • to prevent influence on technical means of automated processing of personal data, which may result in their functioning being disrupted;
  • to quickly restore personal data modified and destroyed as a result of unauthorized access to them;
  • to monitor constantly the level of security of personal data.

8.5. Personal data are kept confidential, except for cases when the technology of the Online Service or the settings of the software used by the User provide for the open exchange of information with other Users of the Online Service or with any users of the Internet.

8.6. The Administration implements the following requirements of the Ukrainian legislation in respect of personal data:

  • requirements for the confidentiality of personal data;
  • requirements for ensuring the exercise of rights by the personal data subject;
  • requirements for ensuring the accuracy of personal data, and, where necessary, relevance to the purposes of personal data processing (with the adoption (ensuring the adoption) of measures to delete or clarify incomplete or inaccurate data);
  • requirements for protecting personal data from unauthorized or accidental access to them, destruction, alteration, blocking, copying, provision, dissemination, as well as from other unlawful actions concerning personal data;
  • other requirements of the Law of Ukraine.

8.7. Under the Law of Ukraine, the Administration on its own determines the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations outlined in the legislation in relation to unauthorized or unlawful processing of personal data and against their unintentional loss, destruction, or damage. The Administration adheres to the principle of minimizing personal data. We process only the information about you that we need, or information to which you consent to provide beyond the limits of the necessary processing. Besides, we have configured all interfaces of the Online Service and applications for the provision of services so that the highest possible level of confidentiality is maintained, and settings can be adjusted at your discretion. When transferring personal data to government agencies, we always use the most secure and proven ways of transferring such data.

9. Cookies and other tracking technologies

Cookies are small text files that websites store on your computer or mobile devices when you start using them. In such a manner, the website will temporarily remember your preferences and the actions you have taken, including but not limited to the fact that you do not need to enter some data again. Our cookies as such do not identify an individual user, but only the computer or mobile device you are using. Cookies and other tracking technologies in our Online Service may be used in various ways, for example, to operate the Online Service, analyze traffic, or for advertising purposes. We use cookies and other tracking technologies, in particular, to improve the quality and efficiency of our services. For more information about what cookies are, how they work, how to manage them, or how to delete them, please visit www.allaboutcookies.org. We would like to inform you that you can configure the settings of some Internet browsers to disable cookies and other tracking technologies. In doing so, you should understand that if you disable some cookies, the functionality of the Online Service may be limited and you may not be able to use all its benefits, and some pages may not function properly.

10. Rights of Personal Data Subject

10.1. Rights of personal data subjects under the Ukrainian legislation:

10.1.1. to know about the sources of collection, location of their personal data, purpose of their processing, location and/or place of residence (temporary residence) of the controller or processor of personal data, or to issue a respective proxy on obtaining such information to the authorized persons, except for cases established by the Law of Ukraine.

10.1.2. to receive information on conditions of access to personal data, in particular information about third persons to whom their personal data are transferred;

10.1.3. to access their personal data;

10.1.4. to receive a response about whether their personal data are processed as well as to receive information on the content of their personal data within the period that is no longer than 30 days from the moment the relevant request was received, unless otherwise prescribed by the Law of Ukraine;

10.1.5. to submit a motivated request to a controller of personal data with objection against the processing of their personal data;

10.1.6. to submit a motivated request to change or destroy their personal data by any controller and processor of personal data, if such data are processed illegally or are inaccurate;

10.1.7. to protect their personal data from illegal processing and accidental loss, destruction, or damage due to a deliberate concealing, failure to provide them or provision of such data with delay, as well as to protect from the provision of data which are inaccurate or disgraceful for the honor, dignity, and business reputation of an individual;

10.1.8. to lodge complaints on their personal data processing to the Ukrainian Parliament Commissioner for Human Rights or courts;

10.1.9. to use legal remedies in case of violation of legislation on the protection of personal data;

10.1.10. to submit reservations in respect of restricting the right to process their personal data while providing their consent;

10.1.11. to withdraw consent to the processing of their personal data;

10.1.12. to know the automatic mechanism of processing of personal data;

10.1.13. to be protected from an automated decision that has legal consequences for them;

10.1.14. The Administration shall be entitled to entrust the processing of personal data to a third party with the consent of the personal data subject, unless otherwise provided by the Ukrainian legislation based on an agreement concluded with a third party containing a confidentiality and non-disclosure of personal data clause.

10.1.15. Representatives of public authorities (including controlling, supervisory, law enforcement, and other authorities) have access to personal data processed by the Administration to the extent and in the manner prescribed by the Legislation.

10.2. Other rights of personal data subjects under the GDPR: In addition to the Ukrainian legislation on personal data protection, the Administration is attentive to ensuring your rights under the GDPR.

10.2.1. The right to information. We are ready to provide personal data subjects with information about which of their personal data we process. If you want to know what personal data we process, you can request this information at any time, including by contacting the Administration. The list of data that we must provide you with can be found in Articles 13 and 14 of the GDPR. However, when you contact us, you must inform us of your specific requirements so that we can legally consider your request and respond. Please note that if we are unable to verify your identity through the exchange of electronic messages or when you contact us by phone, or in case of reasonable doubt about your identity, we may ask you to provide an identity document or personally visit the Administration. This is the only way we can avoid disclosing your personal data to a person who may be impersonating you. We will process requests as soon as possible, but at the same time, please remember that providing a complete and legitimate response regarding personal data is a complex process that can take up to a month.

10.2.2. The right to rectify data about you. If you find that some of the personal data we process about you are incorrect or outdated, please let us know. In such a case, we may ask you to provide an identity document or personally visit the Administration. If you want to correct the personal data processed by us, you can make the corrections yourself by logging into your personal account in the Online Service (if any) or by contacting the Administration. In some cases, we will NOT be able to change your personal data, in particular when your personal data have already been used in the process of fulfilling the contract and/or they are contained in a tax document that was drawn up under the tax legislation.

10.2.3. Withdrawal of consent to personal data processing and the right to be forgotten. If the Administration processes your personal data based on consent to the processing of personal data (in particular, for marketing/advertising mailings), further processing can be terminated at any time. It is enough to withdraw your consent to such processing. You can also exercise your right to be forgotten. In the cases outlined in Article 17 of the GDPR, the Administration will destroy your personal data that it processes, except for personal data that we will be obliged to keep under the requirements of the Legislation. Also in this case, for security purposes, the Administration may ask you to provide an identity document or personally visit the Administration.

11. Place of storage of personal data

The Administration has an extensive database of personal data. To ensure their security, we use the cloud services of Microsoft. The data are stored in data centers in Lviv, Ukraine.

12. Changes made to the Confidentiality Policy

The Administration may change or terminate the Policy unilaterally without prior notice to the Users, including if required by the Legislation. The new version of the Policy comes into force from the moment it is posted on the Online Service unless otherwise provided by the new version of the Policy. Therefore, we ask you to visit internews.ua to make sure that you have the latest information.

13. Appeals on the protection and processing of personal data

13.1. If you have any questions, comments, complaints, or requests regarding the protection and processing of personal data, please e-mail us at info@internews.ua. We endeavor to respond to any emails promptly, where possible, and provide our response within the period required by applicable legislation. When you send us an email with an inquiry, we may ask you to provide us with information to verify your identity.

13.2. The administrative authority for personal data protection in Ukraine is the Department for Personal Data Protection of the Secretariat of the Ukrainian Parliament Commissioner for Human Rights. You can contact it with complaints or suggestions if you believe that your rights have been violated in relation to personal data processing.