Skip to main content

Privacy Policy

I. PURPOSE AND OBJECTIVE

1.1. This Policy establishes the requirements and procedures for collecting, processing, and protecting the personal data of individuals (including children and youth) who participate in our projects and with whom we interact, as well as for storing and protecting information on the public resources of the Charitable Organization “OLENA ZELENSKA FOUNDATION” (hereinafter referred to as the Foundation).

1.2. The Policy does not apply to the Foundation’s processing of data / information of legal entities and the data / information not constituting personal data of individuals.

1.3. The Policy has been developed based on the Ukrainian Constitution, the Laws of Ukraine “On Personal Data Protection,” “On Information,” and “On Charitable Activities and Charitable Organizations,” and other laws, regulations, and by-laws, as well as the Foundation’s Charter.

1.4. The Policy constitutes an integral part of the Foundation’s relevant transactions with individuals, particularly benefactors and beneficiaries (recipients of charitable assistance, services, etc.).

1.5. This Policy, posted at https://zelenskafoundation.org , also notifies personal data subjects of the personal data controller, the composition and content of personal data collected in connection with visiting / using the website, such subjects’ rights, the purpose of collecting their personal data, and the third parties to whom such personal data may be transferred.

1.6. This Policy aims to:

 ensure that the Foundation’s activities comply with Ukrainian laws regarding the collection, processing and storage of personal data of beneficiaries and the Foundation’s Team members

 ensure mechanisms and procedures for protecting and keeping confidential the collection, processing, and storage of personal data and information about beneficiaries, as well as to raise the level of awareness and responsibility of the Foundation’s Team members in the field of information security.

2. DEFINITIONS

2.1. Personal data: any information relating to an identified individual (the “beneficiary”).

2.2. Foundation’s Team: persons engaged in implementing the Foundation’s projects and working for, on behalf of, and, in any capacity, at the Foundation, regardless of whether such a person receives a salary (or service fees), works on a volunteer basis, provides services to the Foundation, or is the Foundation’s vendor or partner. These include, but are not limited to, (fulltime and part-time) employees, service providers, advisors, contractors, suppliers, and partners.

2.3. Beneficiary: a person who directly receives goods or services under the Foundation’s projects. The persons defined by this term include vulnerable and affected groups, especially children, youth, internally displaced persons and others in need.

2.4. Personal data processing: any operation or set of operations performed with personal data, including their collection, recording, organization, storage, adaptation, alteration, extraction, use, transfer, dissemination, consolidation, blocking, deletion or destruction, etc.

2.5. Personal data base: an organized structure that contains beneficiaries’ personal data and ensures their systematization and access thereto.

2.6. Personal data base owner: the Foundation, which owns and manages the base of the beneficiaries’ and Foundation Team members’ personal data.

2.7. Personal data subject: an individual to whom personal data relates and who is or can be identified using such data.

2.8. Personal data subject’s consent: any documented, in particular, written, voluntary expression of an individual’s will to allow processing of their personal data according to the stated purpose of the processing.

2.9. Personal data anonymization: removal of the information that allows for identifying an individual.

2.10. Storing the information: ensuring the proper condition of information and its physical storage media.

2.11. Confidentiality of information: a feature of the information that means that no unauthorized user and/or process can obtain it. Information is kept confidential if the established rules for learning it are followed.

3. RESPONSIBLE PERSONS AND APPLICATION SCOPE

3.1. This Policy shall apply to the entire Foundation’s Team, including full-time, part-time, or temporary employees, all contractors, customers, and partner organizations cooperating with the Foundation in implementing the projects or organizational activities; all those providing services under the contract and indirectly; beneficiaries; and others involved in financial or other relations with the Foundation, each of whom is entitled to protection.

3.2. The Foundation Director decides on the collection, processing, storage, and transfer of personal data and on protecting confidentiality and information security.

3.3. The Foundation Director is responsible for ensuring the implementation of this Policy on the safe and correct collection, storage, processing, and transfer of personal data, confidentiality, and information security, responding to requests, and developing and implementing information security policies and procedures.

3.4. The Foundation Director may issue a corresponding order to appoint other Foundation employees responsible for storing, processing, and transferring personal data and for confidentiality and information security.

3.5. The Foundation Director is responsible for familiarizing the Team members with this Policy and will take measures to raise the Team’s awareness of protection and security in the processing and storage of personal data, confidentiality, and information security.

3.6. The Foundation Director, Board members, heads of departments, and project managers of the Foundation are obliged to take adequate measures to collect, process and store personal data and confidentiality and may not transfer personal data to other parties at their request without the written permission of the Foundation Director.

3.7. Software, antivirus programs, and operating system updates on all network devices in the Foundation are installed exclusively by the system administrator with the Director’s approval.

3.8. The system administrator shall check the operating system and software updates at least once a quarter to ensure the Foundation’s maximum level of security and protect the network connection through encrypted protocols, firewalls, and other security technologies.

3.9. The Foundation Board supervises and operates the processing of the Foundation’s personal data, confidentiality, and information security.

4. CONFIDENTIALITY, PRESERVATION AND PROTECTION OF THE FOUNDATION’S INFORMATION

4.1. The system administrator creates the Foundation’s work mail on zelenskafoundation.org domain for employees at the beginning of their employment with the Foundation.

4.2. The Foundation Director sends a request to the system administrator to create a work mail for a new employee.

4.3. After receiving the corporate mail, the employee will receive the relevant instructions and access to the Foundation’s cloud technologies, such as Google Drive and others. Users are granted only the privileges and access levels required to perform their duties.

4.4. The Foundation’s Team members may use the work e-mail address only to communicate with others in the framework of their duties related to the Foundation’s activities.

4.5. Using corporate mail for personal purposes is prohibited.

4.6. If confidential information needs to be transmitted by e-mail, two-level encryption should be used to ensure the data are transmitted securely according to the e-mail settings.

4.7. The Foundation’s Team members must comply with the requirements for information confidentiality from the moment they receive the Foundation’s work e-mail. They shall not disclose confidential information to any third parties without the Foundation Director’s proper permission.

4.8. Upon termination of cooperation with a Team member, the Foundation system administrator, at the Director’s request, blocks the account on the termination day and archives it two weeks later.

4.9. When publishing information on public resources, the confidentiality of personal data and sensitive information of the Foundation must be maintained. This is the responsibility of the

Information and Public Relations Department Head. This applies to the social media web pages (Facebook, Telegram channels, etc.) of the Foundation and corporate website https://zelenskafoundation.org .

4.9. Access to the public resources where the Foundation’s information is posted is restricted and available only to responsible persons with relevant authorizations. The Information and Public Relations Department Head periodically checks the list of administrator users of social media pages and other shared resources (groups, channels, etc.).

4.10. Any information that becomes known to the Foundation’s Team members due to the performance of their duties as agreed with the Foundation, and the disclosure of which may harm the Foundation, is a corporate secret and shall not be disclosed to third parties or published without the prior consent of the Foundation. The party in breach shall be liable for disclosing this information according to the laws in effect in Ukraine.

4.11. Confidential information shall also include information that is of actual or potential commercial value to the Foundation and is unknown to third parties, and in respect of which the Foundation takes measures to protect its confidentiality, as well as other information that is not a corporate secret, but declared by the Foundation as confidential.

4.12. The Team members undertake not to disclose or reveal to third parties any confidential information provided to them by the Foundation during the agreement term and for three (3) years after its termination and not to use it for any purpose other than the purpose for which the Foundation provided such information without the prior written consent of the Foundation’s director. The Foundation reserves the right to control the use of confidential information by Team members and its safety, as required.

4.13. The Team members and the Foundation undertake to keep negotiations, correspondence, and other actions related to the contractual terms confidential and not disclose such information to third parties without the other party’s written consent.

5. PERSONAL DATA BASES OWNED BY THE FOUNDATION

5.1. The Foundation processes personal data to implement its projects, protect beneficiaries and Team members, and other purposes determined by laws in effect in Ukraine.

5.2. The grounds for the right to use personal data to arise are:

● personal data subject’s consent to the processing of their personal data in writing or by electronic means (Annex 1)

● permission to process personal data granted to the Foundation according to the legislation of Ukraine, solely to exercise its powers.

5.3. The Foundation owns and processes the following personal data bases:

5.3.1. A beneficiaries’ data base that contains basic information about the Foundation beneficiaries, including first and last names, contact information, information about the support received, etc. The purpose of processing the beneficiaries’ personal data base is to comply with legal requirements, exercise the rights granted to the Foundation by current legislation, and ensure the implementation of tax and accounting, auditing relations, etc.

5.3.2. A base of personal data of the Foundation’s Team members, which contains information on the first and last names, patronymic, date and place of birth, home and mobile phones, email address, place of registration, passport details, taxpayer record card registration number, education, marital status, children, citizenship, passport, driver’s license and its category, criminal record, work experience, and other data, as required. The purpose of processing the base of personal data of the Foundation’s Team members is to maintain personnel records, prepare statistical, administrative, and other information on personnel issues, and prepare internal documents on the implementation of rights and obligations in the field of labor relations and social protection, etc., following the requirements of the laws and internal standards and policies of the Foundation.

5.3.3. As an owner of the base of personal data of its beneficiaries and Team members, the Foundation undertakes to use this data only for the purposes specified in the charter or other local regulations and following the principles of legality, fairness and transparency.

5.4. The Foundation will not transfer the personal data of its beneficiaries and Team members to the third parties without proper legal grounds, such as the consent of the beneficiaries or legal requirements of the relevant authorities.

5.5. The Foundation only transfers personal data to third parties under the Foundation Director’s order.

5.6. The transfer of personal data must be based on an agreement or other written mechanisms that guarantee an adequate level of protection and ensure compliance with the requirements of Ukraine’s laws in effect on personal data protection.

6. RESTRICTED ACCESS TO PERSONAL DATA

6.1. The Foundation provides limited access to the personal data of its beneficiaries and Team members only to employees and others with the necessary written authorization from the Foundation’s Director.

6.2. Personal data is only accessible to the extent necessary to perform specific tasks and duties related to implementing the Foundation projects.

6.3. The Foundation ensures regular training and instructions to its staff on using and processing personal data according to the requirements of applicable laws at least once every six (6) months. The Director is responsible for the ongoing training and professional development of the Foundation’s Team members.

6.4. The Foundation’s personnel who have access to the personal data of the beneficiaries and Team members of the Foundation undertake to maintain confidentiality and take all necessary security measures to protect the data following this Policy and the requirements of Ukrainian legislation.

6.5. Personal data subjects are entitled to the protection of their personal data and their use in accordance with Ukraine’s current legislation and this Policy.

6.5.1. Personal data subjects shall enjoy the following rights:

 Information right: Personal data subjects are entitled to be informed that their personal data are collected and processed, about the purposes of processing, categories of data recipients and the legal basis for processing under Annex 1.

 Access right: Personal data subjects are entitled to access their personal data stored in the Foundation’s personal data base and receive copies of these data by submitting a written request to the Foundation’s Director.

 Correction right: Personal data subjects are entitled to request the correction of false or inaccurate personal data concerning them.

 Removal right: Personal data subjects are entitled to request deletion of their personal data from the Foundation’s personal data base if the data are no longer required for the specified purposes or if their processing is unlawful.

 Processing restriction right: Personal data subjects are entitled to restrict the processing of their personal data in certain situations, particularly, if the processing is unlawful or the personal data subject objects to the processing.

 Data portability right: Personal data subjects are entitled to receive their personal data that they have provided to the Foundation in a structured, commonly used and machinereadable format; to transmit the data that they have provided to the Foundation in a structured, commonly used and machine-readable format, and to transmit these data to another data controller without hindrance from the Foundation if the processing is based on consent or a contract and is performed by automated means.

 Consent withdrawal right: Where the processing of personal data is based on the consent of the data subject, the latter is entitled to withdraw their consent at any time. The consent withdrawal does not affect the lawfulness of the processing carried out before the withdrawal.

 Complaint filing right: Personal data subjects are entitled to file complaints with the relevant supervisory authorities if they believe their personal data protection rights have been violated.

6.6. The rights of personal data subjects are exercised by applying to the Foundation based on Article 16 of the Law of Ukraine “On Personal Data Protection.” The Foundation must ensure that these rights can be exercised and respond appropriately to requests from personal data subjects within the requirements of applicable laws.

7. PERSONAL DATA PROCESSING PROCEDURE

7.1. Personal data are processed in accordance with the current legislation of Ukraine, the principles of confidentiality and security of personal data.

7.2. Personal data are collected and processed in accordance with the permission provided in the established form (Annex 1).

7.3. Personal data may be processed using the automated means employed by the Foundation and without automated means (e.g., storing the written permissions in the Foundation’s office).

7.4. The Foundation ensures the implementation of appropriate measures to protect personal data from unauthorized access, accidental loss or damage, destruction, alteration, distribution or unlawful processing by constantly updating the security of the automated personal data storage facilities and a safe and secure place in the office and archive of the Foundation in case of non-automated personal data storage facilities.

7.5. Personal data may be processed by the Foundation or third parties on its behalf based on the concluded agreements or legal grounds determined by Ukrainian legislation.

7.6. The Foundation ensures the storage of personal data (both automated and nonautomated) for the period necessary to achieve the processing goals under the project implementation agreement terms unless otherwise provided by laws or an agreement with the personal data subject.

7.7. Personal data processing may be terminated at the initiative of the personal data subject, at the written request of regulatory authorities, or when fulfilling legal requirements specified by applicable laws.

7.8. Personal data may be transferred to third parties only in cases stipulated by law, the project implementation agreement, and in accordance with the requirements for ensuring the confidentiality and security of personal data.

7.9. If personal data security is breached and this may lead to unauthorized access, loss, alteration, or damage of such data, the Foundation must notify the relevant supervisory authority and personal data subjects according to the requirements of applicable laws.

7.10. The Foundation provides appropriate conditions for exercising the rights of personal data subjects, including the right to access personal data, correct false or inaccurate data, remove data, and more.

7.11. The Foundation ensures that it adheres to good practices and regulatory requirements for protecting personal data, protects the rights of personal data subjects, and prevents the risk of a breach of personal data processing security.