PRIVACY STATEMENT

Give a Day is committed to processing (your) personal data in a legal, fair and transparent manner.

In this privacy statement relating to www.impactdays.co, we inform you in general terms about the way in which Give a Day processes personal data about you. We focus on the volunteers on the platform in the present statement. We provide more explanation elsewhere for visitors of the platform (primarily cookies), representatives and employees of organizations as well as representatives and employees of local governments that manage a local platform and act as joint data controllers according to article 26 GDPR. We also have separate privacy statements for employees of Give a Day and job applicants.

This general privacy statement supplements the special privacy statements that you will find when Give a Day requests information, such as when creating the account, on your profile page, in forms, etc.

1. GENERAL PART

1.1. Give a Day as data controller

1.1.1. Give a Day

"Give a Day" in this privacy statement refers to Give a Day, a cooperative with a social purpose under Belgian law. Give a Day is identified by its company number, and at the same time its VAT number, BE0659.887.535. The registered office of Give a Day is located at Veldstraat 98 in 2520 Ranst (Belgium).

The most up-to-date and additional information on Give a Day and its activities can be found on the website www.giveaday.be, in particular in the section "What is Give a Day?".

1.1.2. Data controller

For a number of processing operations on the www.impactdays.co platform, Give a Day determines why and (broadly speaking) how the (personal) data is processed. This makes Give a Day the data controller of these (personal) data. This means that Give a Day is responsible to comply with the legal requirements regarding the processing of (personal) data.

It is true, however, that Give a Day is not always the (only) data controller. Sometimes Give a Day is the data controller together with or alongside other platform administrators, e.g. municipalities or non-profits.

For example, platform administrators determine what they do with the data of volunteers on the platform that they have received in response to a vacancy that they published as part of their roles as joint data controller. You can check these roles (such as matching) in the annex 1 below or by requesting the data register. This also applies if they have exported the data from the platform before it was deleted by the volunteer or Give a Day.

In that case, the organization or local government is the data controller in the first instance.

1.2. Give a Day Data Protection Officer (“DPO”)

Give a Day has not formally appointed a Data Protection Officer, as this is not (yet) necessary for Give a Day.

This does not mean that there is nobody to ask your questions to or to share your comments about privacy and data protection. You can submit these questions or comments:

• through the contact form (https://www.giveaday.be/nl-be/contacteer-ons)
  
• by letter to the registered office of Give a Day or
  
• by email to info@giveaday.be

1.3. Your rights

1.3.1. Your rights

The General Data Protection Regulation gives you a number of rights as a data subject. You can read all about it in the General Data Protection Regulation (GDPR), mainly in chapter 3.

In summary:

• You have the right to information on the processing of your personal data before they are processed (art. 12-14 GDPR). This information is provided to you by Give a Day via this general privacy statement and, where relevant, specific privacy statements, e.g. in (online) forms, in your profile, etc. (see below).
  
• You have a right of access to the data processed about you (art. 15 GDPR). If the information is not accurate, you can demand the rectification in writing (art. 16 GDPR).
  
• Under certain conditions, you have a right to erasure, also known as the "right to be forgotten" (Art. 17 GDPR) and/or you may demand restrictions of processing, for example, if Give a Day keeps your personal data or transfer them to third parties if there is no reason (or no longer any reason) to do so (Art. 18 GDPR).
  
• You have a right to receive certain information which you have given Give a Day and which Give a Day processes digitally or to transfer it to third parties (art. 19 GDPR). This is also known as the "right to (data) portability".
  

You also have these rights with respect to organizations and local authorities that (together with or independently of Give a Day) are responsible for processing your data, which will usually be the case for platform administrators, for example. See the section on "Impactdays.co as a platform".

1.3.2. Who can exercise these rights?

As a rule, you must exercise your rights yourself.

If you are a volunteer’s (legal) representative, you can in principle exercise the rights of the person represented on behalf of the person represented. For example, a parent or guardian can exercise the rights of his or her child or the person under guardianship, unless the child or the person under guardianship opposes this or it (apparently) goes against the interests of the child or the person under guardianship.

1.3.3. How can you exercise these rights?

To exercise these rights, you can use the Give a Day contact form. You can also exercise your rights by sending a letter to Give a Day's registered office or contact Give a Day at info@giveaday.be.

If you exercise your rights, we ask you to be as specific as possible so that your question can be treated effectively.

We also point out that your identity must be reasonably verifiable in order to exercise your rights so as to avoid someone else exercising them. As a matter of principle, we will identify you and verify your identity in the same way as when we collected your data. So sometimes we will have to ask you to provide proof of your identity. This is, for example, the case:

• if you write a letter, we will need to be able to link you to your account and/or profile as a user/volunteer
  
• if you ask us to do something that requires us to provide you with data, because we do not want to provide your data to another person
  
• if you ask for important data to be deleted, because we do not want anyone to be able to delete data that you expect us to have

If you send your request electronically (even if it may be unsafe, e.g. an ordinary email), you accept (the risks associated with the fact) that Give a Day will respond via the same channel.

1.3.4. Data Protection Authority

For further information about your rights with regard to data protection or if you do not agree with Give a Day's position, please contact the Belgian Data Protection Authority: www.dataprotectionauthority.be (see art. 77 GDPR).

1.4. Access to the data (“recipients”)

In this section, we indicate who generally receives, has, or may have access to your personal data.

1.4.1. Give a Day employees

Only people authorised to do so have access to (personal) data relevant to the performance of their task. These people may only use the data if and to the extent necessary for the fulfilment of their task. They are obliged to observe strict professional secrecy and to comply with all technical regulations aimed at safeguarding the confidentiality of personal data and the security of the systems which contain them.

Give a Day takes internal technical and organizational measures to prevent (personal) data getting into the hands of and being processed by unauthorized persons or being accidentally altered or destroyed.

1.4.2. Give a Day processors

For the execution of a number of processing operations, Give a Day makes use of specialized third parties who carry out (partial) assignments and the associated data processing for and on behalf of Give a Day. These third parties are referred to as “processors” in the data protection legislation.

As part of such transfers, it can happen that data are transferred to other countries where the data centres are located and whose legislation, where applicable, does not provide data protection equivalent to the European data protection. The European legislator then necessarily considers such transfers to be (legally) less secure. In a global context, however, it is unavoidable that data may in certain cases leave Europe. Give a Day, however, always tries to process the data on servers in Europe.

Give a Day ensures that the third parties concerned only have access to the information necessary for the execution of their assignments and undertake vis-à-vis Give a Day to use this information only for the execution of their assignments, according to the instructions given by Give a Day and with respect for other agreements as prescribed by law.

Give a Day cannot be held liable when these third parties, in accordance with (legal) obligations imposed abroad, transfer personal data of users to local authorities.

Specifically, Give a Day makes us of processors, directly or indirectly, such as:

• IT (security) service providers, such as data centers, service providers that provide support in setting up, maintaining, testing and improving the security of Give a Day's IT systems. The data is currently stored via Azure on servers in the Netherlands.
  
• marketing and communication agencies, such as email campaign applications, etc.
  

Contracts, which incorporate the principles of good data management and data protection, are concluded with these processors.

1.4.3. Local authorities, non-profits, etc as partners and platform administrators

Local authorities, non-profits, etc who act as partner and administrator of a local platform have in principle access to all data on the local platform, including the personal data of volunteers and representatives and employees of organizations. In addition, they can process the data in accordance with their role as local platform administrator defined in annex 1 (e.g. matching between requests for help and offers to help).

1.4.4. Public

The public, i.e. the visitors of the Impactdays.co platform, cannot receive any personal data from you directly, except after matching by the Platform Administrator between help requests and help offers after your consent.

1.5. Updates to this policy

Give a Day will periodically (at least every year) review whether changes in its organization and processes and / or its environment (such as the legal framework, technology, ...) require this statement to be amended. If necessary Give a Day will then amend this statement.

As a rule, Give a Day will not actively notify you of the change. This is also the case when the modifications do not require your consent, e.g. changes to Give a Day's registered office, changes to the layout, changes resulting from a legal obligation, etc. Nevertheless, Give a Day will try to alert you about the change, if possible without any particular additional cost (e.g. via a pop-up or an email).

2. YOUR RELATION WITH GIVE A DAY

In this section, we describe in a little more detail which data will be processed and how, depending on the role that you have with regard to the website or platform. Several roles may apply, e.g. website visitor and request for help. In such a case, both sections apply.

2.1. Visitor (cookies)

Data controller: Give a Day

If you are just a visitor of the Impactdays.co platform, then the only (personal) data that we may process about you is the data that we receive from the cookies.

For this, we refer to the cookie policy.

2.2. Contact form

Data controller: Give a Day

You can contact Give a Day via our contact form. In order to be able to help you further, we ask for the following information: your first name, your last name, your email address and your phone number. If you have filled in the contact form (e.g. https://www.impactdays.co), Give a Day will only use these details to contact you and answer your question.

This data will not be kept longer than necessary to process your request.

2.3. Person seeking help

Data controller: Give a Day and the Platform Administrator

When made available by the Platform Administrator, a request for help can be submitted via the Impact Days help form (www.impactdays.co/assistance/). The following information is collected in the form: first name, last name, address, age, email address or phone number and languages spoken. The person seeking help can fill in additional information in the form such as his or her availability. A unique ID is also created to correctly identify the person asking for help.

If the Impact Days assistance form is not made available by the Local Platform Administrator, the person seeking assistance can communicate his/her request to the Local Platform Administrator through the channels chosen by the Local Platform Administrator, such as an email address, a phone number or any other form. What data is collected through these channels is determined by the Local Platform Administrator and Give a Day has no access to this data. In this case, the Local Platform Administrator is the only data controller.

The personal details of the person seeking help will be used by Give a Day or the Local Platform Administrator to search for a suitable volunteer in the area, to inform the person seeking help and to put the person offering help in contact with the person seeking help.

If necessary, Give a Day or the Local Platform Administrator will use the contact details of the person seeking help to send service messages to the person seeking help (e.g. to inform you about an update of the Terms of Use).

These data will be deleted at the request of the person seeking help or when the Local Platform Administrator closes the dedicated platform and in any case the data will never be kept for longer than 5 years.

2.4. Volunteer

Data controller: Give a Day and the Platform Administrator

The volunteer can register for one or more specific vacancies via a form. The following information is collected in the form: first name, last name, address, age, email address, phone number and languages spoken. The volunteer may enter additional information in the form such as his or her availability. The Local Platform Administrator may add other relevant fields to the form (e.g., neighbourhood, whether the volunteer is a citizen or an organization, etc.). A unique ID is also created to correctly identify the volunteer.

Give a Day or the Local Platform Administrator may contact you after your registration as a volunteer or request for matching, contact you in connection with matching for this or other volunteering vacancies, and inform you about the matters for which you have registered. Contact details will be shared with a request for help by the Local Platform Administrator to put you in touch. The address ensures that the volunteer is matched with someone from the same neighbourhood and the age is used to check whether the volunteer meets the (age) criteria for volunteering.

If necessary, Give a Day or the Local Platform Administrator will use the volunteer's contact details to send service messages to the volunteer (e.g. to inform you about an update to the Terms of Use).

These data will be deleted at the request of the volunteer or when the Local Platform Administrator closes the dedicated platform and in any case the data will never be kept for longer than 5 years.

2.5. Employee of a Local Platform Administrator

Data controller: Give a Day

In order to create a platform, Give a Day requires at least one employee of the Local Platform Administrator to provide his/her first name, last name and email address as contact person and (main) administrator of the dedicated platform. Give a Day and the (main) Local Platform Administrator can add and remove new administrators.

Administrators of a dedicated platform can change their own password as well as the passwords of their colleagues. The password is never visible to the users or to Give a Day.

Give a Day uses the email address to contact the administrators to help them set up their dedicated platform and to send information about the latest functional and technical changes to the platform.

Administrators' email addresses can also be used to receive emails from current or potential users (people seeking or offering help), especially when it is clear that the user is trying or has tried to reach the Local Platform Administrator.

If necessary, Give a Day will use the contact details of the administrators to send service messages to the administrators (e.g. to inform about an update to administrator manuals or terms of use).

These data can be deleted by the administrator, on request or when the Local Platform Administrator closes the dedicated platform and in any case the data will never be kept for longer than 5 years.

3. IMPACTDAYS.CO AS A PLATFORM

Through the platform, we want to facilitate the matching between requests for help and offers to help for neighbourly help or volunteer work, either automatically or manually. However, on a platform you are not alone and Give a Day is not responsible for all data processing to which the platform is connected.

For example, Give a Day is not responsible for data processing outside the platform, by volunteers (e.g. from the volunteering vacancies that they receive and/or help with), by people seeking help (e.g. from the volunteers who offered their help via the platform) and by the Local Platform Administrators (e.g. to provide additional or complementary services outside the platform or to report to their management).

On the other hand, a Local Platform Administrator is appointed for each dedicated platform. This Administrator has technically similar rights to Give a Day but they are limited to the dedicated platform. This means that the Local Platform Administrator is responsible for a number of activities and is a joint data controller together with Give a Day. The necessary arrangements have been made in that regard in an agreement with the Local Platform Administrator. As regards the exercise of your data subject rights, you may exercise these by contacting Give a Day as described in 1.3. Give a Day will coordinate, where necessary, with the Local Platform Administrator.

3.1 Local Platform Administrators

For the benefit of the Local Platform Administrators, it is clarified here that the Local Platform Administrator can export data from the platform for the dedicated platform that it (co)manages. After that, Local Platform Administrators can, in fact, do anything with that data. As a rule, processing outside the platform will be limited to the following, with respect for data protection rules:

• continuing the activities outside the dedicated platform (e.g. if the dedicated platform has been closed, but not the volunteer matching)
• reporting on an aggregated basis, i.e. without identifying individuals, to the policy-making bodies of the Local Platform Administrator
  

The Local Platform Administrator will, in principle, have to further inform the data subjects for everything that falls outside this scope.

3.2 People seeking help

In the interest of the people seeking help, it is specified here that people seeking help contacted by volunteers can export data from the platform. After that, people seeking help can, in fact, do anything with the data. As a rule, processing outside the platform will be limited to, with respect for data protection rules:

• continuing the activities outside the dedicated platform (e.g. management of the volunteers, including maintaining contact with the volunteers, documenting the relationship, possibly reimbursing the volunteer, etc.)
  
• reporting on an aggregated basis, i.e. without identifying individuals, to the management of the person seeking help
  

The person seeking help will, in principle, have to further inform the data subjects for everything that falls outside this scope.

ANNEX 1: Characteristics of data processing

ANNEX 2: European Commission Privacy Statement