IFLA Data Protection Policy — full text

Background

The General Data Protection Regulation (GDPR) applies to the processing of personal data in the Union as of 25 May 2018. To be compliant with the provisions of the General Data Protection Regulation, IFLA has amended its Data Protection Policy accordingly and therefore complies with Dutch and European legislation.

For its daily functioning IFLA collects and processes personal data of data subjects. To ensure a high level of protection of personal data, IFLA’s Data Protection Policy clarifies which personal data IFLA processes, for what purposes IFLA processes personal data, and the control data subjects have over their own personal data processed by IFLA.

IFLA’s Data Protection Policy refers to the processing of personal data of all data subjects within IFLA, not only to members, affiliates and those active in IFLA’s professional units but also to its employees, guests, visitors and external relations.

IFLA’s Data Protection Policy focuses on the fully or partially automated processing of personal data which takes place under the responsibility of IFLA and on the underlying documents contained in a file or which are intended to be included therein.

At IFLA, protecting personal data is broadly interpreted. IFLA aims to optimise the quality of the processing and the security of personal data with a balance between privacy, functionality and safety.

Definitions

Controller: IFLA Governing Board.
Data Subject: members of IFLA, natural persons participating in IFLA’s professional units, employees of IFLA, guests, visitors and external relations.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Member of IFLA: Associations, institutions and individuals as mentioned in Articles 4.2, 4.3, 4.4, 4.5, and 4.6 of the IFLA Statutes (version October 2008).
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of IFLA.
Personal Data: any information relating to data subjects.
Personal Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Policy: this IFLA Data Protection Policy.
Processing: collecting, storing and processing for membership records and purposes relating to membership and IFLA’s professional units as required under the IFLA Statutes. Providing current membership lists to IFLA offices responsible for any membership mailings, and communications listed under membership benefits. Using for general interest mailings and communications related to the IFLA annual congress and the Federation’s activities. Management of payroll and personnel administration.
Third Party: organisation IFLA has a working or cooperating agreement with.

Principles Processing Personal Data

IFLA processes personal data in a lawful, fair and transparent manner.

To do so IFLA:

  • processes personal data on one of the legal bases as mentioned in Article 6 of the GDPR;
  • collects personal data for specified, explicit and legitimate purposes and does not process personal data in a manner that is incompatible with those purposes;
  • when processing personal data, limits the amount and type of data to the personal data necessary in relation to the purpose. The data shall be adequate, relevant and not excessive for the specific purpose;
  • processes personal data in the least significant manner and in a reasonable proportion to the intended purpose;
  • takes measures to ensure, as far as possible, that the personal data to be processed is accurate and up to date;
  • protects personal data adequately according to the applicable security standards;
  • processes personal data no longer than necessary for the purposes of the processing, in accordance with the applicable storage and destruction periods taken;
  • offers any data subject the right to inspection, improvement, addition, removal or foreclosure of the personal data contained in the individual processes, and the right of objection as formulated in this policy;
  • offers the data subject an unambiguous so-called opt-out procedure in all voluntary registrations.

Role and Responsibilities regarding processing personal data

In order to make the coherence of the data protection organisation consistent and to align the initiatives and activities in the area of processing personal data, IFLA recognises a number of roles that are assigned to its staff.

At strategic level, governance and compliance, as well as objectives, scope and ambition in terms of privacy aspects, are being discussed. The applicable body at the strategic level is the Governing Board.

At tactical level, the strategy is translated into plans, standards to be used, and evaluation methods. These plans and instruments govern the implementation of the policy. The applicable body at tactical level is the Secretary General.

At the operational level, the issues are discussed which concern the day-to-day operations (execution). Employees of IFLA are responsible at the operational level.

Governing Board

The Governing Board of IFLA is ultimately responsible for the lawful and careful processing of personal data and establishes the policy, measures and procedures in the field of processing. The Governing Board is regarded as the controller within the meaning of the GDPR.

Secretary General

The Secretary General has the primary responsibility for the lawful and careful processing of personal data. This also includes the choice of measures and their implementation and enforcement. Furthermore, the Secretary General is responsible for communicating the policy, measures and procedures to all relevant parties.

The contact details of the Secretary General are:

IFLA Secretary General
IFLA Headquarters
Prins Willem-Alexanderhof 5,
2598 BE The Hague, Netherlands
PO Box 95312, 2509 CH The Hague, Netherlands
Tel +31 70 3140884
Email ifla@ifla.org
Website www.ifla.org/hq

System owner

The system owner is responsible for ensuring that the application and associated ICT facilities provide a good support to the process for which it is responsible and meets the policy. The system owner ensures that, both now and in the future, the application continues to meet the requirements and wishes of data subjects and laws and regulations.

IFLA Employees

Careful handling of personal data is everyone's responsibility. Employees are expected to behave incorruptibly. IFLA does not accept that unsuitable behaviour creates unsafe situations that lead to damage to IFLA or to data subjects.

Legal and Careful Processing of Personal Data

Processing personal data is based on one of the legal grounds as described in Article 5 of the GDPR.

Personal data processed by IFLA come from:

  • the data provided to IFLA on its Membership Application and Section Registration forms;
  • the data provided to IFLA on its Membership Update forms;
  • the data provided to IFLA on Update and Registration forms for Professional Units;
  • relevant correspondence exchanged by post and by email;
  • all invoices, including the financial data contained within them;
  • the data provided by employees, guests, visitors and external relations;
  • archives of past membership data and invoices of the same nature as that described above.

In the course of its registration and membership renewal process, IFLA collects personal data on its members. IFLA processes the following contact details of Members of IFLA:

  • name;
  • designated contact person [if applicable];
  • highest official of the organisation [if applicable];
  • address;
  • postal address;
  • email address;
  • web address [if available];
  • Skype address [if available];
  • Twitter address [if available];
  • blog/vlog link [if available];
  • fax numbers [if available];
  • telephone numbers.

IFLA processes the following contact details of those participating in IFLA’s Professional Units:

  • name;
  • designated contact person [if applicable];
  • highest official of the organisation [if applicable];
  • address;
  • postal address;
  • email address;
  • web address [if available];
  • Skype address [if available];
  • Twitter address [if available];
  • blog/vlog link [if available];
  • fax numbers [if available];
  • telephone numbers.

The (special category) Personal Data which IFLA Processes relates to members and individual persons and includes:

  • contact details for the responsible person within an association or institution;
  • contact details relating to persons nominated and/or elected to IFLA Professional Units;
  • contact details for affiliates of IFLA;
  • contact details relating to persons who have registered with IFLA’s subscriber services including bulletin boards and email lists;
  • relevant correspondence and invoices relating to membership activities;
  • relevant correspondence relating to persons nominated and/or elected to IFLA Professional Units;
  • photos of persons elected to IFLA Professional Units.

IFLA Processes the following (special category) personal data of its employees:

  • contact details;
  • copy of identity document.

Special Categories of Personal Data

The processing of special personal data is, in principle, prohibited, unless there is a legal basis, explicit consent of the Data Subject or an overriding public interest. IFLA processes passport photos of those who are members of the Governing Board after their explicit consent.

Use of Personal Data

IFLA defines the purposes for processing beforehand in a concrete and specific manner.

Personal data as provided on the member registration/renewal forms and on the registration and renewal forms for the Professional units will be used for the following purposes:

  • Membership administration including membership of professional committees and subscriber services;
  • notification of IFLA Officers’ and Professional Unit Members’ details on the IFLA website (available to the public). Notification of Professional Unit Members will only contain basic membership details (name, institution (where appropriate) and country).

Personal data will not be further processed in a manner that is incompatible with the purposes for which IFLA obtained the information.

IFLA takes the necessary steps to ensure that personal data, in view of the purposes for which they are collected or subsequently processed, are accurate.

In the case of (research) projects, infrastructural changes or the acquisition of new systems, a privacy impact assessment (PIA) will be taken into account from the outset. IFLA applies the principles "Privacy by Design" and "Privacy by Default" in implementation.

The organisation of the security

IFLA maintains an adequate level of security and implements appropriate technical and organisational measures to protect personal data against loss or against any form of unlawful processing. These measures are aimed at preventing unnecessary or unlawful collection and processing of personal data.

A risk analysis on privacy and information security is part of the internal risk management and control system of IFLA.

Confidentiality

At IFLA all personal data is classified as confidential. Information from correspondence, invoices and archival documents will not be published in any way.

Persons who are not already subject to confidentiality by virtue of their duties, occupations or statutory requirements are also obliged to keep confidential the personal data which they acquire, except insofar as any legal requirement obliges them to give notification or the necessity for disclosure results from their duties.

Storage periods / destruction periods per type of data

Personal data are stored no longer than necessary for the purposes for which they are collected or used. Personal data will be removed from the scope of the active administration after no more than two years following the cancellation or deletion of membership. IFLA holds financial information for no more than seven years in accordance with Dutch law.

Transfer of personal data to third parties

Sub-contracting to a processor

If personal data is processed by a processor, processing is arranged in a written agreement between IFLA and the processor.

Transfer personal data outside the European Union (including the EEA)

As an international organisation with a global membership, it is often necessary for IFLA to share personal data with members, Regional Offices and Section Officers, and third-party partners both inside and outside of the European Union in order for IFLA to fulfill its duties and responsibilities to its Members.

The Dutch government has identified countries outside of the EU that in its opinion lack adequate personal data protection laws. This list includes most of the countries in which IFLA members, and Regional and Sectional Offices, and third-party partners are located. Personal data may be sent to these countries over the course of membership.

With regard to special categories of Personal data, these will not be disclosed to third parties without the explicit consent of the data subject.

Personal Data Breaches

Any question, complaint or notice regarding the processing of personal data within IFLA is regarded as an incident. The most notorious form of such an incident is a personal data breach.

Message and registration

Data subjects, processors or third parties can report an incident. Incidents are to be reported to the Secretary General. IFLA keeps a record of each incident and the way the incident is dealt with. The reporting on personal data incidents therefore forms part of the annual report of the Governing Board.

IFLA acts in accordance with the procedure laid down for that purpose, which can be found in the annex to this policy.

In any event, if the personal data of the data subjects or business processes, the finances or the proper name of IFLA are at risk, the Secretary General will inform the Governing Board.

Personal data breaches are reported in accordance with the specific provisions concerning personal data breaches set by the Autoriteit Persoonsgegevens.

Rights of the Data Subject

Disclosure

IFLA informs its data subjects about their rights by means of a general notice on its website. In addition, IFLA aims, in accordance with laws and regulations, to provide data subjects with rights in certain circumstances to protect their personal data.

IFLA also provides data subjects with the following information:

  • the existence of the right to request from IFLA access to, and rectification or erasure of, personal data concerning the data subject;
  • the right to file a complaint with the Autoriteit Persoonsgegevens;
  • the recipients or categories of recipients of the Personal Data, if any.

Announcement of policy adjustments

If this policy is substantially amended or changed, IFLA shares this generally, to ensure careful and proper processing.

Right to inspection

Members may inspect their own personal data through the online IFLA membership system, and, where incorrect, may modify, correct, supplement or remove them.

This can be done free of charge.

Communication

The statement of IFLA regarding processing personal data contains a complete overview thereof in an understandable form, a description of the processing purposes, the categories of personal data to which the processing relates, and the categories of recipients, as well as available information about the origin of the personal data and time limit for data retention.

Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. IFLA shall no longer process the personal data unless IFLA demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If the answer of IFLA does not lead to an acceptable result, the data subject has the opportunity to initiate a petition procedure with the relevant court.

Finally

This policy has been determined by the Governing Board of IFLA, December 2017.

Changes to this Policy will be announced via the website of IFLA. 

Relevant laws and regulations

General Data Protection Regulation

IFLA has implemented the legal requirements and, by means of this policy, taken appropriate technical and organisational measures against loss and unlawful processing of personal data.

Archives Act

IFLA complies with the requirements of the Archives Act on how to deal with information recorded in (digitized) documents, information systems, websites, etc.

Telecommunications Act

The measures taken by IFLA to comply with privacy laws are also sufficient to ensure the privacy of users on public networks. The regulations of the Telecommunications Act in relation to authorised interception and the storage obligation have been implemented separately.

Last update: 11 June 2018