Data Protection Policy
1. Purpose of the Policy
This Data Protection Policy sets out how Flaxur collects, uses, stores, and protects personal data in the course of its activities. The policy is intended to ensure that personal data is handled lawfully, fairly, transparently, and securely, in line with applicable data protection laws and recognised good practice.
Flaxur is committed to respecting the privacy and rights of individuals whose personal data it processes.
2. Scope of the Policy
This policy applies to:
-
All personal data processed by Flaxur
-
All programmes, projects, services, and activities undertaken by the organisation
-
All individuals acting on behalf of Flaxur, including directors, staff, volunteers, consultants, and partners where applicable
The policy covers personal data relating to programme participants, partners, donors, suppliers, website users, and other stakeholders.
3. Definitions
For the purposes of this policy:
-
Personal data means any information relating to an identified or identifiable individual.
-
Processing means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
-
Data subject refers to the individual to whom personal data relates.
4. Data Protection Principles
Flaxur processes personal data in accordance with the following principles:
-
Lawfulness, fairness, and transparency
Personal data is processed lawfully, fairly, and in a transparent manner. -
Purpose limitation
Personal data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes. -
Data minimisation
Only personal data that is relevant and necessary for the intended purpose is collected and processed. -
Accuracy
Reasonable steps are taken to ensure personal data is accurate and, where necessary, kept up to date. -
Storage limitation
Personal data is not retained for longer than necessary for the purposes for which it was collected, subject to legal and operational requirements. -
Integrity and confidentiality
Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised access, loss, or misuse.
5. Lawful Basis for Processing
Flaxur processes personal data on one or more lawful bases, which may include:
-
The consent of the data subject
-
The performance of a programme, service, or agreement
-
Compliance with a legal or regulatory obligation
-
Legitimate organisational purposes aligned with Flaxur’s public-benefit objectives
Where consent is relied upon, it is obtained in a clear and informed manner.
6. Types of Personal Data Processed
Depending on the context, Flaxur may process personal data such as:
-
Names and contact details
-
Demographic or organisational information
-
Programme application or participation information
-
Communication records
-
Website usage information
Flaxur does not intentionally collect excessive or irrelevant personal data.
7. Data Security Measures
Flaxur implements appropriate technical and organisational measures to protect personal data, including:
-
Access controls and role-based permissions
-
Secure storage of digital and physical records
-
Password protection and authentication controls
-
Staff and contributor awareness of data protection responsibilities
Security measures are proportionate to the sensitivity of the data and the risks involved.
8. Data Sharing and Third Parties
Personal data may be shared with third parties only where necessary and appropriate, such as:
-
Programme delivery or support partners
-
Service providers supporting IT, communications, or administration
-
Regulatory or lawful authorities where required
Where third parties process personal data on Flaxur’s behalf, reasonable steps are taken to ensure that appropriate safeguards are in place.
9. Data Retention and Disposal
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected or to meet legal, regulatory, or reporting obligations.
When personal data is no longer required, it is securely deleted, destroyed, or anonymised in accordance with internal procedures.
10. Rights of Data Subjects
Subject to applicable law, individuals whose personal data is processed by Flaxur may have rights including:
-
The right to access their personal data
-
The right to request correction of inaccurate data
-
The right to request deletion or restriction of processing, where appropriate
-
The right to withdraw consent where processing is based on consent
Requests relating to personal data will be handled in a reasonable and timely manner.
11. Breach Management
Flaxur takes data security seriously. Any suspected or actual personal data breach is addressed promptly, and appropriate steps are taken to mitigate risks, assess impact, and comply with any applicable reporting obligations.
12. Roles and Responsibilities
All individuals acting on behalf of Flaxur are responsible for:
-
Handling personal data in line with this policy
-
Reporting concerns or potential breaches promptly
-
Respecting confidentiality and data protection requirements
Oversight of data protection matters is handled in line with Flaxur’s governance and internal accountability structures.
13. Review and Updates
This Data Protection Policy is reviewed periodically and may be updated to reflect changes in law, organisational practices, or risk considerations. The most current version will be made available on the Flaxur website.
14. Contact
Questions or requests relating to this policy or the handling of personal data may be directed to:
Email: compliance@flaxur.org