Data Privacy Policy of the Haki Ni Yetu Project
1. Controller of registry
Name: KIOS Foundation
Trade registry number: 1497493-0
Postal address: Lintulahdenkatu 10, 00500, Helsinki, Finland
2. Name of registry
Haki Ni Yetu Grants Schemes
3. Contact persons for registry
Representatives of the Foundation: Visa Hytönen
Phone: 040 952 7919
Email: calls@wordpress-1175544-6194269.cloudwaysapps.com
4. Purpose, Legal Basis, and Types of Data
Article 5 of the General Data Protection Regulation (GDPR) establishes the framework for our data processing principles, with our primary legal bases being necessity and consent. Data subjects are always asked for consent for personal data collection, processing and storage before collection. All data subjects have the right to withdraw consent at any time.
The collected personal data serves the purposes of managing grant and capacity building applications and disbursing granted funds, facilitating communication with applicants, and enhancing digital service quality. The registry includes data collected in the grant application, essential details for grant payment, and particulars submitted in grant utilisation and outcome reports. The registry contains applicant contact details, along with those of potential associates, provided to us throughout the application procedure and expressions of interest. Additionally, contact information for previous referees, as supplied by the applicant, is retained within the registry. Furthermore, KIOS gathers grant payment details, insights into how applicants utilise the grant system, and technical data such as login credentials. Communication between registered applicants and the registry operator is also saved. The storage and processing of applicant information depend on their consent and the legitimate interest of the registry operator. To facilitate application processing, the application form must include personal data for both applicants and attached individuals. Insufficient data may result in application rejection.
5. Regular disclosures of personal data and transfers to third parties
Personal data is managed by KIOS staff (administrative staff and grants officers), referees appointed by the Haki Ni Yetu Project, the KIOS board, technical support, appointees of an accounting service provider, and accountants appointed by the European Commission. Information is disclosed only to the extent necessary for the functions of the receiving party and shared with third parties only when it is required for specific purposes, in compliance with applicable laws, and with the consent of the data subjects when necessary.
6. Principles of register protection
Our principles of register protection are in line with the KIOS Data Protection Policy, the Haki Ni Yetu Data Protection Plan and the relevant regulations of the EU, Kenya, and Finland. We only use software that is secure and established and that provides us with data encryption. We minimise the data and use access controls throughout the process.
The data is stored in:
- the Aspicore system database, which is a protected cloud service (Microsoft Azure, EU). Servers are in locked and guarded facilities, to which access is given only to nominated persons.
- the KIOS local drive, accessible only by nominated persons, with multifactor authentication.
- Data collection via Google Forms. When data is collected via Google Forms by KIOS, only organisational data is collected, and no personal data is gathered. However, we collect organisations’ contact and financial details such as email addresses, revenues, names and phone numbers. The data collected is subject to Google’s Privacy Policy and stored in the Google Drive cloud. Our Google service does not allow us to determine the specific Google server where the data is stored, but the collected data will be treated the same as all other data within our organisation. Once the calls are over, the data is removed from Google Drive accounts and processed with Microsoft 365, then stored on KIOS local drives. Google Forms is only used in the first steps of calls. According to Google Drive, the data is purged from its systems after 25 days.
7. Principles of storing personal data
Grantee data and attached personal data
- Personal data will be archived only for as long as necessary for the purposes outlined in Item 4, but no longer than 7 years from the project’s end. When personal data is processed for its purpose, it will be anonymised (deletion of any information relating to an identified or identifiable individual).
- Financial data and supporting documents containing sensitive data are kept for a minimum of 5 years but no longer than 7 years from the project’s end. This information will be stored in Finland in physical archives and on the local drive. However, information such as bank account numbers and sensitive personal data will be removed within two years after the final report.
- Anonymisation will be used when personal data is used outside of the database or KIOS archives, for example when summarising statistical reports for donors and third parties.
Usernames in Aspicore
- Usernames are stored if the user has unfinished applications that have not been marked as finished.
- If the username has been inactive for two years and does not have any active applications, the username will be removed from the system.
Unfinished applications in Aspicore
- The applicant can remove any unfinished applications from the system.
- KIOS removes any unfinished and not granted applications within 12 months after the call for grants has closed.
Applications not funded
- KIOS removes or anonymises not funded applications within two years of the decision.
- Anonymisation removes all personal data from the application.
Messages
- All messages concerning an application will be removed with the application or when they are of no more use.
8. The rights of the data subject
- The right to access – You have the right to request copies of your personal data.
- The right to rectification – You have the right to request that KIOS correct any information you believe is inaccurate. You also have the right to request KIOS to complete the information you believe is incomplete.
- The right to erasure – You have the right to request that KIOS erase your personal data, under certain conditions.
- The right to restrict processing – You have the right to request that KIOS restrict the processing of your personal data, under certain conditions.
- The right to object to processing – You have the right to object to KIOS’s processing of your personal data, under certain conditions.
- The right to data portability – You have the right to request that KIOS transfer the data collected to another organisation, or directly to you, under certain conditions.
9. Transfer of data to third parties
Any personal data included in the grant contract may be processed by the European Commission for the purpose of implementing, managing, and monitoring the grant contract or to protect the financial interests of the EU, including checks, audits, and investigations. The beneficiaries have the right to access, rectify or erase their own personal data and the right to restrict the processing of their personal data or, where applicable, the right to data portability or the right to object to data processing in accordance.
10. Data Breach Response
Data subjects will be informed as soon as possible of any data breach that becomes known to KIOS.
This page is funded by the European Union. Its contents are the sole responsibility of the KIOS Foundation and do not necessarily reflect the views of the European Union.

The Haki Ni Yetu project is implemented by the KIOS Foundation together with two Kenyan civil society organisations, InformAction and CSO Network.
