TDF/Privacy Mission Statement

=Privacy Mission Statement=

Definitions
“Team”: TDF as a community body with facilitators comprises of all employees, freelancers, officers, and volunteers.

1. Principles
The protection of personal data is important to us. Therefore we process the personal information of our team, curators, bodies, committees, users, and partners in accordance with applicable personal data protection and data security legislation.

The Privacy Policy describes the types of personal information we collect, how we use that information, to whom it is transmitted, and what choices and rights individuals have regarding our processing of the data. In addition, we describe the measures that we take to ensure data security, and how data subjects can contact us if they have questions about our privacy practices.

These guidelines regulate information processing conforming to privacy protection, and the responsibilities at TDF. All team members are required to comply with the policy.

They are aimed at:


 * the people that make decisions on the use or provision of an application system;
 * the people who decide how a system is used for their work;
 * users, i.e. those who use the provided system for the execution of their tasks relating to their activities for TDF (if personal data is stored on a workstation, the individual user may also decide on the processes carried out by the system and therefore the programs used).

The following principles apply:


 * the data processing hardware and software is to be used for activities for TDF, for their intended purpose, and secured against data loss and manipulation;
 * each team-member is responsible for implementing the policy within their area of responsibility. They must regularly monitor compliance;
 * those responsible for managing the systems in use ensure that their users are informed about this policy; this also applies to temporary team members.

2. Procurement of hardware and software
2.1 The procurement of hardware and software occurs principally at the request of the person responsible for data processing. The principle of guaranteeing data protection from the design of systems and by privacy-friendly defaults is already considered as the main criterion when selecting hardware and software.

2.2 If a new procedure for processing personal data is to be introduced with procurement, the Executive Director and the Board of Directors responsible for privacy must be informed well in advance by the requesting body (for details, see point 5.2). Procurement will only take place after approval from these.

2.3 Private hardware and software may only be used within the scope of the operating procedures for telecommuting/home office for the processing of personal data.

2.4 In case of suspected theft of hardware and software, unauthorized access to personal data, sabotage, etc., Infrastructure, the Executive Director and the Board of Directors must be informed immediately. For details, see the procedure “Measures to take in case of a data breach.”

3. Responsibility/training of team members
3.1 Any team member handling personal data must be committed to handling the data confidentially, and must be compliant with the policy.

3.2 This responsibility is carried out using the form provided for this purpose and using the leaflet that is distributed.

3.3 Team members who are subject to special secrecy obligations (e.g. telecommunications secrecy according to § 88 TKG (German telecommunications law)) are additionally committed by their superiors in writing. The declaration of obligations is to be added to the team members’ personnel files.

4. Transparency of data processing
4.1 For procedures which concern the handling of personal data, the Board of Directors or Executive Director, bound by instructions, keeps a list of processes according to Article 30 of the GDPR. The person responsible for the procedure notifies this promptly in accordance with the specifications. The same applies to changes.

4.2 The Board of Directors and the Executive Director are to be informed when planning the introduction of new procedures or modifications to existing procedures, regarding the purpose and content of the application and the fulfilment of the commitment to notify (see section 5.2).

4.3 If the Executive Director determines that the intended procedure is subject to a data protection impact assessment, he/she shall immediately inform about it. The procedure may only be carried out with the consent of the Executive Director. In case of doubt, the Board of Directors decides.

4.4 If an interested party makes use of his/her right to obtain information pursuant to Article 15 of the GDPR, or his/her right to correct or object pursuant to Articles 16 and Articles 21 of the GDPR, the central processing is to be carried out by the Executive Director, bound by instructions. Information and inspection rights of team members are fulfilled by the Executive Director. It must be ensured that the data subject can be provided with the data in a structured, common, and machine-readable format. The standard that meets these requirements must be defined in advance by mutual agreement by the Executive Director.

5. Collection/processing of personal data
5.1 The collection and processing of personal data may only take place to the extent permitted by law. The special conditions for the collection and processing of sensitive data pursuant to Article 9 (1) of the GDPR must also be taken into account. In principle, only such information may be processed and used as is necessary to perform the statutory duties and which is directly related to the processing purpose.

5.2 Prior to the introduction of new types of surveys, the intended use of the data must be documented in writing by the person responsible for the application. In principle, a change of purpose is permissible only if the procedure is compatible with those purposes for which the data were originally collected. The consideration criteria used throughout the change of purpose are to be checked individually, and the considerations and the result of the test are to be documented.

A change of purpose is also permissible if the data subject’s consent is obtained by the responsible person. At the same time, the responsible person has to specify in writing, before the collection or storage of data, whether and in what manner the statutory notification obligation of the data subject is to be met.

5.3 If other entities request information about data subjects, they may only be given information without the data subject’s consent if there is a legal obligation or a legitimate interest of TDF that justifies disclosure, and the identity of the requestor is unequivocally established. In case of doubt, the Executive Director should be contacted.

6. External service providers/order processing/maintenance
6.1 If external service providers are commissioned for the first time to process personal data, or perform individual processing steps (e.g. collection or deletion/disposal) or activities (e.g. maintenance or repair) in which they have the possibility of accessing personal data, then the Executive Director informs the contractor on presentation of the draft contract, satisfying the requirements of Article 28 of the GDPR (order processor) and the criteria for the order supervision to be carried out or subsequently scheduled.

6.2 The same applies if TDF wants to perform corresponding activities on behalf of third parties.

7. Security of processing
7.1 For each process, a documented security requirement assessment and an analysis regarding possible risks for data subjects are to be created. These are determined by the nature, scope, circumstances and purposes of the process, and the likelihood of such a risk occurring.

7.2 To ensure the availability, confidentiality, and integrity of the data as well as the resilience of the data processing systems, a general security concept must be established. The concept is based on the previously established security requirement assessment and the risk analysis. This concept is decisive in all further procedures.

7.3 In addition to these guidelines, there are supplementary regulations which relate in particular to the implementation of the data protection requirements of Article 32 of the GDPR. These include, among others:


 * work instructions for telecommuting/home-office;
 * work instructions for data protection-compliant transfer of media, and for the encryption of data;
 * work instructions “behavioral measures in the event of a data breach”;
 * leaflet “Responsibility/training of team members.”

8. Accountability and documentation
Compliance with the requirements specified in these guidelines must be demonstrable at all times ("Accountability"). In particular, proof must be provided by conclusive and comprehensible written documentation with regard to measures taken and any corresponding considerations.