Professional Documents
Culture Documents
Data Protection Policy
Data Protection Policy
Data Protection Policy
on the Protection of
Personal Data of Persons
of Concern to UNHCR
DATA PROTECTION
POLICY
CONTENTS
2 BASIC PRINCIPLES.................................................................. 14
2.1 Basic principles of personal data processing................ 15
2.2 Legitimate and fair processing...................................... 15
2.3 Purpose specification.................................................... 16
2.4 Necessity and proportionality....................................... 16
2.5 Accuracy........................................................................ 16
2.6 Respect for the data subject’s rights............................. 16
2.7 Confidentiality............................................................... 17
2.8 Security.......................................................................... 17
2.9 Accountability and supervision..................................... 17
CONTENTS 3
3 RIGHTS OF THE DATA SUBJECT............................................ 18
3.1 Information.................................................................... 19
3.2 Access........................................................................... 20
3.3 Correction and deletion................................................ 20
3.4 Objection...................................................................... 20
3.5 Modalities of requests................................................... 21
3.6 Recording and response by UNHCR............................. 21
3.7 Restrictions.................................................................... 23
CONTENTS 5
1
GENERAL
PROVISIONS
1.2 RATIONALE
GENERAL PROVISIONS 7
has a responsibility to process it in a way that respects data
protection principles.2
1.3 SCOPE
Consent
Data controller
Data processor
GENERAL PROVISIONS 9
Data protection impact assessment
Data subject
Implementing Partner
Person of concern
GENERAL PROVISIONS 11
© UNHCR / Dalia Khamissy
Third party
GENERAL PROVISIONS 13
2
BASIC
PRINCIPLES
BASIC PRINCIPLES 15
2.3 PURPOSE SPECIFICATION
2.5 ACCURACY
2.8 SECURITY
BASIC PRINCIPLES 17
3
RIGHTS OF
THE DATA
SUBJECT
3.4 OBJECTION
(i)
It would constitute a necessary and proportionate
measure to safeguard or ensure one or more of the
following:
(b)
The overriding operational needs and priorities of
UNHCR in pursuing its mandate.
(ii)
There are grounds for believing that the request is
manifestly abusive, fraudulent or obstructive to the
purpose of processing.
(i)
The nature of the personal data breach, including
the categories and number of data subjects and data
records concerned;
4.5.3 Data controllers are to keep the Data Protection Officer fully
informed of any DPIA carried out under their responsibility
and to share a copy of the DPIA.
4.6 RETENTION
5.2 VERIFICATION
(ii)
require the third party to undertake that its data
protection and data security measures are in
compliance with this Policy; and
6.2.3 The Data Protection Officer and the Legal Affairs Service
(LAS) are to review and clear all data transfer agreements.
Copies of final agreements are to be lodged with the Data
Protection Officer.
(ii)
the requesting law enforcement agency or court is
competent in relation to the detection, prevention,
investigation or prosecution of the offence in question;
(iii)
The transfer will substantially assist the law
enforcement agency or court in the pursuit of these
purposes and that the personal data cannot otherwise
be obtained from other sources;
(i)
Determining the applicable legitimate basis for
and the specific and legitimate purposes of data
processing;
(ii)
Ensuring the implementation of organizational and
security measures as well as assessing data security of
third parties;
(iii)
Establishing internal procedures, for example in
the form of Data Protection Standard Operating
Procedures, covering all relevant aspects of this Policy,
in particular regarding the respect for the rights of the
data subject and measures aimed at ensuring data
confidentiality and security;
(iv)
Ensuring that data protection and data security
aspects are adequately included in Implementing
Partner agreements;
(i)
Providing advice, support and training on data
protection and this Policy;
(ii)
Maintaining inventories of information provided by
data controllers and data protection focal points,
including data transfer agreements, specific instances
of data sharing by UNHCR with third parties,
data protection impact assessments, data breach
notifications and complaints by data subjects;
(iii)
Actively encouraging data controllers and other
relevant actors to undertake measures aimed at
compliance with this Policy;
(iv)
Monitoring and reporting on compliance with this
Policy;
7 Information on the function of the IGO and how to make a complaint is available
at: http://www.unhcr.org/pages/52e11b746.html.