PRIVACY INFORMATION NOTICE

1. BACKGROUND

ACTED is an association, registered with the Paris Trade and Companies Register under number 402 886 816 and located at 33 rue Godot de Mauroy, 75009 Paris. ACTED (“ACTED”, “us”) collects your or other individuals' Personal data as part of its whistleblowing process.
This Privacy notice (“Privacy notice”) illustrates ACTED’s commitment to respect the privacy and the protection of your Personal data.
For the proper understanding of this Privacy notice, it is specified that ACTED is to be considered as the controller of your Personal data and ESQ Groupe AG (“ESQ”) as its processor for the technical implementation of the reporting system.

2. DEFINITIONS

« Recipient » means a natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether or not a third party;
« Personal data » means any information relating to an identified or identifiable natural person; an “identifiable natural person” is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
« Applicable regulation » means current legislation relating to the protection of privacy with regard to automated data processing, in particular the Act n°78-17 of 6 January 1978 on Information Technology, Data files and Civil liberties and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
« Data Controller » means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data.
« Third party » means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process Personal data;

3. DATA CONTROLLER

As Data controller, ACTED is committed to respecting all the principles established by the Applicable regulation. ACTED processes your Personal data lawfully by ensuring that the processing carried out has a legal basis (lawfulness). ACTED also commits to process your Personal data only for specific purposes (purpose limitation) and to process only adequate, relevant and limited Personal data (data minimization). Furthermore, ACTED takes all reasonable steps to ensure that your Personal data is accurate (accuracy). ACTED commits not to store your Personal data beyond the time necessary to process them (storage limitation). ACTED also implements security measures in order to ensure the integrity and confidentiality of your Personal data (integrity and confidentiality).

4. PROCESSING PURPOSES

The reporting system enables you to contact us and report any compliance or legal violations. We process your personally identifiable information (if provided) in order to investigate the reports you make through the reporting system and to investigate suspected breaches of ACTED’s Code of Conduct and organisational policies. Should we need to come back to you with queries, we will only communicate with you via the reporting system. The confidentiality of the information you provide is our top priority. Personal data that ACTED collects are therefore processed for the following purposes:
   - collect and process alerts or reports aimed at revealing a breach of a specific rule (i.e. ACTED’s Code of Conduct and organisational policies or legal obligations such as crime prevention, the fight against corruption and influence peddling, reporting of serious violations of human and fundamental rights);
   - accompany the victims and take the necessary measures following the alert.

5. LEGAL BASES OF THE PROCESSING

5.1. Processing of Non-Sensitive data
The processing that ACTED carries out is based, alternatively or cumulatively, on the following legal bases:
   - your consent given when you report via the reporting system (Art. 6 para. 1 lit. a European General Data Protection Regulation, GDPR);
   - the fulfilment of legal obligations. In particular, this includes reports related to criminal, competition and labour law and the French law No. 2016-1691 of December 9, 2016 on transparency, the fight against corruption and the modernization of economic life (known as SAPIN II) (Art. 6 para. 1 lit. f GDPR);
   - the legitimate interest pursued by the Data controller (Art. 6 para. 1 lit. c GDPR).
When ACTED processes your Personal data to meet its legitimate interest, it implements strong safeguards in order to ensure that your privacy is protected and that your fundamental rights and freedoms are respected. In addition, we use your personal data in anonymous form for statistical purposes. We do not intend to use your personal data for purposes other than those listed above. Otherwise, we will obtain your prior consent.

5.2. Processing of Sensitive data
In the event that you provide sensitive data to ACTED, the legal basis is your express consent given through the reporting system (Article 9 2. (a) of the GDPR) and/or the exception provided in Article 9 2. (c) of the GDPR, namely the safeguarding of the vital interest of the data subjects.

6. CATEGORIES OF PERSONAL DATA COLLECTED

6.1. Personal data that ACTED collects directly from you
The categories of Personal data that ACTED collects directly from you may include: 
   a) Identification data (e.g. first and last name, personal telephone number, e-mail address, country of residence);
   b) all the information you provide to us through the reporting system.
It is possible that you may provide sensitive data when filling out the questionnaire. Make sure that the data you provide is relevant to your alert.
In this case, ACTED ensures that sensitive data is processed in accordance with the requirements of the GDPR.

6.2. Personal data that ACTED collects from other sources
ACTED does not collect Personal data about you indirectly.

7. YOUR RIGHTS

You have several rights as a data subject. You can exercise these rights at any time and ACTED commits to make every effort to process your request as quickly as possible. Thus, you benefit from the following rights:
   - right of access: the right to be informed and request access to all or part of your Personal data;
   - right of rectification: the right to request the modification or update of your Personal data;
   - right of erasure: the right to request that ACTED permanently erases all your Personal data;
   - right to restrict the collection and processing: the right to request that ACTED temporarily stops the processing of all or part of your Personal data;
   - right to object to the collection and processing of your Personal data: the right to object to certain processing of your Personal data for reasons relating to your particular situation;
   - right to data portability: the right to request a copy of your Personal data in a readable format for personal use or for transmission to a third party.

You also have the right to communicate instructions regarding the storage, deletion and disclosure of your Personal data after your death.
You can exercise your rights by sending a request email to the following address: dpo@acted.org.
For any request, ACTED reserves the right to verify your identity. If you have asserted the right to correction, deletion or restriction of the processing of the personal data, we are obliged to inform all Recipients to whom we have disclosed the personal data relating to you of this correction or deletion of the data or restriction of the processing, unless this proves to be impossible or involves disproportionate effort. Upon request, we will inform you of these Recipients.
Finally, without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, workplace or place of presumed infringement, if you are of the opinion that the processing of your personal data is in breach of the GDPR.

8. RECIPIENTS AND SHARING OF PERSONAL DATA

The Recipients of your Personal data are entities, authorities and authorized persons whose functions require them to have knowledge of your Personal data. In such circumstances, the Recipients of your Personal data are as follows:
   - ACTED’s Transparency, Conformity and Investigation department;
   - ACTED’s IT department.

ACTED operates internationally and has locations in various countries within and outside the European Union. The stored data can only be inspected by authorised individuals within ACTED. Insofar as this is necessary to fulfil the aforementioned purpose, authorised individuals from our subsidiaries may also be authorised to inspect the data. This would happen, for example, if the investigation of your report is carried out in the country concerned. All individuals authorised to inspect the report are obliged to maintain strict confidentiality as per ACTED’s Code of Conduct.

Also, ACTED may share your Personal Information with third parties in the following ways:
   - The Data Protection Officer or lawyers: ACTED may share your Personal data when it appears necessary. These Recipients are subject to legal or contractual obligations that result in preserving the confidentiality of your Personal data.
   - ACTED’s IT subcontractors: ACTED shares your Personal data as part of the outsourcing of its telecommunication, storage, backup and archive services, as well as of some of its information systems. For those purposes, we have concluded data processing agreements with all our IT subcontractors to ensure data protection.

ACTED strives to process personal data only within the European Union. However, where this is not possible, ACTED ensures that all necessary steps have been taken to allow the legal transfer of personal data outside the European Union.

9. SECURITY

In accordance with Applicable regulation, ACTED makes every effort to process your Personal data securely and confidentially.
In particular, ACTED implements technical and organizational measures needed to ensure the security and confidentiality of the Personal data collected and processed, including to prevent it from being distorted, damaged or communicated to unauthorised Third parties, by ensuring a level of security appropriate to the risks involved in the processing and to the nature of the Personal data to be protected, taking into account the level of technology and the cost of implementation.

The reporting system includes an option for anonymous communication via an encrypted connection. When you use the reporting system, your IP address and your current location are not stored at any time. After sending a message, you will receive access data to the reporting system inbox so that you can continue to communicate with us in a secure manner.

We maintain appropriate technical measures to ensure data protection and confidentiality. The data you provide will be stored on a secure database. All data stored on the database is encrypted by using state-of-the-art technology.

10. STORAGE LIMITATION

In the context of the processing carried out during the donation process, ACTED takes care not to store your Personal data beyond the period necessary to fulfill the purpose for which the Personal data were collected and in accordance with Applicable regulation. Personal data is only stored for as long as necessary to provide the assistance requested and is not retained thereafter. In addition, your personal data may be stored if this is required by European or national law to fulfil legal obligations, such as storage obligations. Subsequently, all personal data will be deleted, blocked or anonymised.

11. MODIFICATION OF THE PRIVACY NOTICE

ACTED may be required to make changes to this Privacy notice. In such a case, ACTED will use its best efforts to inform you. The date of this Privacy notice will be amended accordingly for each modification.

In the event that a change to this Privacy notice is likely to have a fundamental impact on the nature of the processing or a substantial impact on you, ACTED will inform you sufficiently in advance so that you can exercise your rights (e.g. object to the processing).