Privacy statement - Give a Day
Give a Day is committed to processing (your) personal data in a legal, fair and transparent manner.
In this privacy statement relating to www.giveaday.be, we inform you in general terms about the way in which Give a Day processes personal data about you. We focus on the volunteers on the platform in the present statement. We provide more explanation elsewhere for visitors of the platform (primarily cookies), representatives and employees of organisations as well as representatives and employees of local governments that manage a local platform and act as joint data controllers according to article 26 GDPR. We also have separate privacy statements for employees of Give a Day and job applicants.
This general privacy statement supplements the special privacy statements that you will find when Give a Day requests information, such as when creating the account, on your profile page, in forms, etc.
1. General Part
1.1. Give a Day as data controller
1.1.1. Give a Day
"Give a Day" in this privacy statement refers to Give a Day, a cooperative with a social purpose under Belgian law. Give a Day is identified by its company number, and at the same time its VAT number, BE0659.887.535. The registered office of Give a Day is located at Veldstraat 98 in 2520 Ranst (Belgium).
The most up-to-date and additional information on Give a Day and its activities can be found on the website www.giveaday.be, in particular in the section "What is Give a Day?".
1.1.2. Data controller
For a number of processing operations on the www.giveaday.be platform, Give a Day determines why and (broadly speaking) how the (personal) data is processed. This makes Give a Day the data controller of these (personal) data. This means that Give a Day is responsible to comply with the legal requirements regarding the processing of (personal) data.
Give a Day is not always the (only) data controller. Sometimes Give a Day is the data controller together with or alongside other platform administrators, e.g. municipalities or organisations. In the context of volunteer management system for organisations where the volunteer is active, Give a Day acts purely as a processor and the organisation is the data controller.
For example, organisations determine what they do with the data of volunteers on the platform that they have received in response to a volunteer opportunity they published as part of their roles as volunteer coordinator. Within the context of volunteer management of active volunteers within the nonprofit, the organisation determines what they do with the data.
You can check those roles (such as matching and management) in Appendix 1 below or by requesting the data registry. This also applies if they would have exported that data from the platform before it was removed by the volunteer or Give a Day. In that case, the organization or local administration is the datacontroller.
1.2. Give a Day Data Protection Officer (“DPO”)
Give a Day has not formally appointed a Data Protection Officer, as this is not (yet) necessary for Give a Day.
This does not mean that there is nobody to ask your questions to or to share your comments about privacy and data protection. You can submit these questions or comments:
- through the contact form
- by mail to the registered office of Give a Day or
- by email to privacy@giveaday.be
1.3. Your rights
1.3.1. Your rights
The General Data Protection Regulation gives you a number of rights as a data subject. You can read all about it in the General Data Protection Regulation (GDPR), mainly in chapter 3.
In summary:
- You have the right to information on the processing of your personal data before they are processed (art. 12-14 GDPR). This information is provided to you by Give a Day via this general privacy statement and, where relevant, specific privacy statements, e.g. in (online) forms, in your profile, etc. (see below).
- You have a right of access to the data processed about you (art. 15 GDPR). If the information is not accurate, you can demand the rectification in writing (art. 16 GDPR).
- Under certain conditions, you have a right to erasure, also known as the "right to be forgotten" (Art. 17 GDPR) and/or you may demand restrictions of processing, for example, if Give a Day keeps your personal data or transfer them to third parties if there is no reason (or no longer any reason) to do so (Art. 18 GDPR).
- You have a right to receive certain information which you have given Give a Day and which Give a Day processes digitally or to transfer it to third parties (art. 19 GDPR). This is also known as the "right to (data) portability".
You also have these rights with respect to organisations and local authorities that (together with or independently of Give a Day) are responsible for processing your data, which will usually be the case for platform administrators, for example. See the section on "www.giveaday.be as a platform".
1.3.2. Who can exercise these rights?
As a rule, you must exercise your rights yourself.
If you are a volunteer’s (legal) representative, you can in principle exercise the rights of the person represented on behalf of the person represented. For example, a parent or guardian can exercise the rights of his or her child or the person under guardianship, unless the child or the person under guardianship opposes this or it (apparently) goes against the interests of the child or the person under guardianship.
1.3.3. How can you exercise these rights?
To exercise these rights, you can use the Give a Day contact form. You can also exercise your rights by sending a letter to Give a Day's registered office or contact Give a Day at privacy@giveaday.be.
If you exercise your rights, we ask you to be as specific as possible so that your question can be treated effectively.
We also point out that your identity must be reasonably verifiable in order to exercise your rights so as to avoid someone else exercising them. As a matter of principle, we will identify you and verify your identity in the same way as when we collected your data. So sometimes we will have to ask you to provide proof of your identity. This is, for example, the case:
- if you write a letter, we will need to be able to link you to your account and/or profile as a user/volunteer
- if you ask us to do something that requires us to provide you with data, because we do not want to provide your data to another person
- if you ask for important data to be deleted, because we do not want anyone to be able to delete data that you expect us to have
If you send your request electronically (even if it may be unsafe, e.g. an ordinary email), you accept (the risks associated with the fact) that Give a Day will respond via the same channel.
1.3.4. Data Protection Authority
For further information about your rights with regard to data protection or if you do not agree with Give a Day's position, please contact the Belgian Data Protection Authority: www.dataprotectionauthority.be (see art. 77 GDPR).
1.4. Access to the data (“recipients”)
In this section, we indicate who generally receives, has, or may have access to your personal data.
1.4.1. Give a Day employees
Only people authorized to do so have access to (personal) data relevant to the performance of their task. These people may only use the data if and to the extent necessary for the fulfillment of their task. They are obliged to observe strict professional secrecy and to comply with all technical regulations aimed at safeguarding the confidentiality of personal data and the security of the systems which contain them.
Give a Day takes internal technical and organizational measures to prevent (personal) data getting into the hands of and being processed by unauthorized persons or being accidentally altered or destroyed.
1.4.2. Give a Day processors
For the execution of a number of processing operations, Give a Day makes use of specialized third parties who carry out (partial) assignments and the associated data processing for and on behalf of Give a Day. These third parties are referred to as “processors” in the data protection legislation. Give a Day processes the Data always on servers in Europe.
Specifically, Give a Day makes us of processors, directly or indirectly, such as:
- ICT (security) service providers, such as data centers, service providers that provide support in setting up, maintaining, testing and improving the security of Give a Day's ICT systems. Currently, the Data is stored via Azure on servers in the Netherlands and images on Amazon AWS servers in Paris.
- Communication ICT service providers, such as email campaign applications,... Sparkpost for E-mails & Messagebird for SMS are hosted on servers in Dublin, for Google Analytics explicit consent is asked when visiting the website. All these processors have taken the necessary measures to fully protect your privacy. Give a Day always bears the liability for all data it processes or has processed by its processors.
1.4.3. Local authorities, organisations, etc as partners and platform administrators
Local authorities, organisations, etc who act as partner and administrator of a local platform have in principle access to all data on the local platform, including the personal data of volunteers and representatives and employees of organisations. In addition, they can process the data in accordance with their role as local platform administrator defined in annex 1 (e.g. matching between requests for help and offers to help).
1.4.4. Volunteer organisations
Volunteer organisations post volunteer opportunities for volunteers or neighbor helpers. As soon as a visitor responds to an opportuniy, the volunteer organisation gets to see the data in order to complete further follow-up and administration. Volunteer organisations can also upload their existing active volunteers into the system, after which the volunteer will be notified. He or she will be able to log in to view the Data and adjust them where necessary. The volunteer organization can send administration, messages and informational mails through the system necessary for the execution of the volunteer task. The volunteer can take the necessary actions within the framework of his volunteer task. In addition, they may process the Data in accordance with their role as volunteer coordinator defined in Annex 1 (e.g. management and administration of the active volunteers within the organization).
1.4.4. Public
The public, i.e. the visitors of the www.giveaday.be platform, cannot receive any personal data from you directly, except for neighbor requests, where you actively respond to a neighbor request. This way one neighbor can help another neighbot.
1.5. Updates to this policy
Give a Day will periodically (at least every year) review whether changes in its organization and processes and / or its environment (such as the legal framework, technology, ...) require this statement to be amended. If necessary Give a Day will then amend this statement.
As a rule, Give a Day will not actively notify you of the change. This is also the case when the modifications do not require your consent, e.g. changes to Give a Day's registered office, changes to the layout, changes resulting from a legal obligation, etc. Nevertheless, Give a Day will try to alert you about the change, if possible without any particular additional cost (e.g. via a pop-up or an email).
2. Your relation with Give a Day
In this section, we describe in a little more detail which data will be processed and how, depending on the role that you have with regard to the website or platform. Several roles may apply, e.g. website visitor and request for help. In such a case, both sections apply.
2.1. Visitor (cookies)
Data controller: Give a Day
If you are just a visitor of the www.giveaday.be platform, then the only (personal) data that we may process about you is the data that we receive from the cookies.
For this, we refer to the cookie policy.
2.2. Contact form
Data controller: Give a Day
You can contact Give a Day via our contact form. In order to be able to help you further, we ask for the following information: your first name, your last name, your email address, and your phone number. If you have filled in the contact form (e.g. www.giveaday.be), Give a Day will only use these details to contact you and answer your question.
This data will not be kept longer than necessary to process your request.
2.3. Personal Profile
Data controller: Give a Day and Platform Administrator. In case where the volunteer is active at an Organisation as a volunteer, the Organisation is also a Data controller for administration purposes
Persons can create a personal profile. The following data are collected in the form and/or profile: first name, last name, address, age, email, phone number, interests in helping neighbors and volunteering, where to volunteer, date of birth, profile picture, short description, skills, commitment, availability, neighborhoods where one wants to help, education and work experience. When one starts working as a volunteer, the organization may ask for additional information, namely national identity number, bank account number and emergency contact person in order to complete the necessary administration (expense notes, contracts,...).
A unique ID is also created to correctly identify the person.
The personal data of the help request will be used by Give a Day or the Local Platform Manager to search for a suitable help in the neighbourhood, to inform the person in need and to put the helper in contact with the help request.
If necessary, Give a Day or the Local Platform Administrator or organization where the volunteer is active may use the person's contact information to send service messages to the person (e.g., to put necessary paperwork in order or help with matching).
Give a Day, the Local Platform Administrator or the volunteer organization may contact you after your request for matching, in connection with matching for this or other volunteer opportunities, and inquire about the issues you have registered for. Contact information will be shared with the neighbor or volunteer organization to put you in touch.
This data is deleted on request of the person and in any case never processed longer than 5 years after the last activity on the platform. Only contracts and cost statements can be processed longer on legal grounds when required by law (e.g. for accounting purposes).
2.4. Employee of a Local Platform administrator or organization
Data Controller: Give a Day
In order to create an organization or sharing platform, Give a Day requests from the Local Platform Administrator or organization the first and last name, telephone number and email address of at least one employee as contact person and (lead) administrator of the platform or organization profile. Give a Day and (the lead administrator of) the organization or Local Platform Administrator can add and remove new administrators.
Administrators of an organization or local platform can change their own password. The password is never visible to the Users or to Give a Day.
Give a Day uses the email address and phone number to contact the administrators to help them set up the relevant organization profile or local platform and to send information about the latest functional and technical changes to the platform.
The email address of administrators may also be used to receive emails from current or potential Users, in particular when it is clear that the User is trying or was trying to reach the Local Platform Administrator.
If necessary, Give a Day will use administrators' contact information to send service messages to administrators (e.g., to notify about an update to administrator manuals or Terms of Use).
This data can be deleted by the administrator themselves, upon request or when the Local Platform Administrator or organization discontinues the local platform or organization profile and in any case never for longer than 5 years.
3. GIVEADAY.BE AS A PLATFORM
Through the platform, we want to facilitate the matching between requests for help and offers to help for neighbourly help or volunteer work, either automatically or manually. However, on a platform you are not alone and Give a Day is not responsible for all data processing to which the platform is connected.
For example, Give a Day is not responsible for data processing outside the platform, by volunteers (e.g. from the volunteering vacancies that they receive and/or help with), by people seeking help (e.g. from the volunteers who offered their help via the platform) and by the Local Platform Administrators (e.g. to provide additional or complementary services outside the platform or to report to their management).
On the other hand, a Local Platform Administrator is appointed for each dedicated platform. This Administrator has technically similar rights to Give a Day but they are limited to the dedicated platform. This means that the Local Platform Administrator is responsible for a number of activities and is a joint data controller together with Give a Day. The necessary arrangements have been made in that regard in an agreement with the Local Platform Administrator. As regards the exercise of your data subject rights, you may exercise these by contacting Give a Day as described in 1.3. Give a Day will coordinate, where necessary, with the Local Platform Administrator.
3.1 Local Platform Administrators
For the benefit of the Local Platform Administrators, it is clarified here that for the local platform that the Local Platform Administrator (co)manages, the Local Platform Administrator can export data from the platform. After that, Local Platform Administrators can in fact do anything with that data. As a rule, processing outside of the platform will be limited to, with respect for data protection rules
- Continuing the activities outside of the localplatform (e.g. if the local platform is stopped, but not the volunteer matching)
- reporting on an aggregate basis, i.e. without individuals being identifiable, to the policy-making bodies of the Local Platform Manager
For anything beyond this, the Local Platform Administrator will, in principle, need to further inform those involved itself.
3.2 Organisations
For the benefit of the Organisations, it is clarified here that for its active volunteers (helpers) and matches, the Organisations can export the data from the platform. After that, Organisations can in fact do anything with that data. As a rule, processing outside the platform will be limited to, respecting data protection rules
- Continuing the activities outside the organisational profile (e.g. if the organisational profile is stopped, but not the volunteer matching and or task)
- report on an aggregate basis, i.e. without individuals being identifiable, within its organisation or in the context of certain obligations (e.g. insurance)
For anything beyond that, the organisation will in principle have to further inform the persons concerned itself.
3.3 Personal profiles
For the benefit of the individuals or organsations that need or want to provide assistance, it is clarified here that the assistance provider can export the assistance requestor's data from the platform after matching and vice versa at status active. After that, they can basically do anything with that data. As a rule, processing outside the platform will be limited to, respecting data protection rules:
- Continuing the activities outside the sharing platform (e.g. contacting to facilitate the request for help,...)
For anything beyond that, the person will in principle have to further inform the data subjects themselves.