The Meliore Foundation (hereinafter “we”, “us” or “Meliore”), with its office at Rue aux Laines, 70, 1000 Brussels, Belgium, is committed to protecting and respecting your privacy.

This Global Privacy Notice (hereinafter “the Notice”) explains how, as a Data controller, Meliore processes Personal data collected directly from you or third parties (in the context of a service) will be processed by us.

This Notice must be read together with any other notices we may provide on specific occasions when we are collecting or processing your Personal data, so that you are fully aware of how and why we use your Personal Data. The Notice supplements any other notices and is not intended to override them.

The Notice will be available on our Website and you can request a copy of this Notice at any time by contacting us at [email protected].

What information do we collect about you, for what purpose?

General

We collect, use, store and transfer different kinds of Personal data, directly from you or from third parties (in the context of a service).

We only collect the Personal data necessary to carry out our mission and the Processing of your Personal data will be systematically based on the following legal basis:

- You have given consent to the Processing of your Personal data (Article 6(1)(a) of the GDPR);

- Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR);

- Processing is necessary for compliance with a legal obligation to which Meliore is subject (Article 6(1)(c) of the GDPR); or

- Processing is necessary for our legitimate interests (article 6.1.f of the GDPR).

Website

When you make use of our website, we use cookies to collect standard internet log information and details of visitor behaviour patterns. You can read more about how and why we use cookies in Section 9.

When you contact us through the contact form on this website, we collect the following types of personal data about you:

Name, first name and email address.

This Processing is based on your consent. We do not retain those contact details for longer than necessary to answer your request.

The recipients of the Personal data above mentioned will be, internally, the IT Team and the department your request concerns (Section 6).

Recruitment

When you apply to join Meliore, we collect your Personal data to process your application.

You can read more in this respect by reading the dedicated Privacy Notice for candidates in https://careers.meliorefoundation.org/privacy-policy.

Staff

When you join Meliore as an employee or a consultant (Team consultant or EOR employees), we will collect and process your Personal data for performing our rights and obligations.

You will be provided with a dedicated Privacy Notice for Staff members when joining.

Grant Management Process

When you apply for Grants or before granting to an organisation, we collect the following Personal data of your contact person(s) to issue Grants:

1. Professional email addresses;

2. Telephone numbers;

3. Name of contact and authorised person;

4. When grantees are natural persons: bank details.

All the Personal data above mentioned are necessary to enter into the Grant agreement and manage the performance of the Grant agreement. We retain your information for seven years after the end of the last contract between us due to financial audit requirements.

The recipients of the Personal data above mentioned will be, internally, the Global Operations Team (Section 6).

Contracting - Procurement

When we enter into a contract with you, as a service provider or a consultant we collect the following Personal data:

1. Private or professional email address;

2. Telephone number;

3. Name;

4. Address (when your professional and personal address are the same);

5. Names of authorised persons;

6. For individual consultants: Bank details;

7. Copies of your identity document.

All the Personal data above-mentioned are necessary to enter into an agreement and manage the performance of this agreement. We retain your information for seven years after the end of the last contract between us due to financial audit requirements.

The recipients of the Personal data above-mentioned will be internally, the Global Operations Team.

When we enter into a contract with you as an external consultant through an agency, we collect the following Personal data:

1. Name, Surname;

2. Position or Project title;

3. Reporting lines through the organisation chart and if it is provided to us by your agency:

4. Phone number or personal email address;

5. Payment amount;

6. Contract dates (start date, suspension dates if any and end date).

All the Personal data above-mentioned are necessary to enter into an agreement and manage the performance of this agreement. We retain your information for seven years after the end of the last contract between us due to financial audit requirements.

The recipients of the Personal data above-mentioned will be internally, the Global Operations Team.

When you are a third party with which we are about to enter into a contract (service provider, freelancer or grantee), we might make you enter into a non-disclosure agreement (hereinafter “NDA”) with us.

In this context, we collect the following personal information of the signatory of the non-disclosure agreement:

1. Address;

2. Name of the signatory and authorised persons;

3. Professional email;

All the Personal data above-mentioned are necessary to enter into an agreement and manage the performance of this agreement. We retain your information for one year after the end of the NDA.

The recipients of the Personal data above-mentioned will be, internally, the Global Operations Team and external service providers acting as processors (Section 6).

Due Diligence

When we enter any type of agreement with you, grant or contract, we also collect the following Personal data to assess our risk towards anti-money laundering regulations:

1. Names

2. Address

3. Dates of birth (for individuals).

All the Personal data above-mentioned are processed to meet a legal obligation. We retain your information for seven years after the end of the last contract between us due to financial audit requirements.

The recipients of the Personal data above-mentioned will be:

- internally the, Global Operations Team; and

- external service providers acting as processors (Section 6).

Donors

To manage Meliore’s relations with its donors in an effective and timely fashion we collect the following Personal data:

1. Names of relevant contact points;

2. Professional email addresses.

All the Personal data abovementioned are necessary to enter into an agreement and manage the performance of this agreement. We retain your information for seven years after the end of the last grant agreement due to financial audit requirements.

The recipients of the Personal data abovementioned will be, internally, the Global Operations Team.

To comply with our legal obligation of due diligence relating to donors, we collect the following Personal data from our donors:

Names of Board Members and Directors.

These Personal data are processed to meet a legal obligation. We retain your information for seven years after the end of the last donation between us due to financial audit requirements.

The recipients of the Personal data above-mentioned will be:

- internally, the Global Operations Team; and

- external service providers acting as processors (Section 6).

Data subject rights

When you contact us to make use of your data subject rights, we process the following personal data:

1. Name and proof of your identity;

2. Contact details (email address).

We can also, depending on your request, collect and handle other personal data we have already collected and processed for another purpose to address your request.

These Personal data are processed to meet a legal obligation.

The recipients of the Personal data abovementioned will be, internally, dedicated persons within the Global Operations Team and to external service providers acting as processors (Section 6).

Whistleblowing

When you report or disclose Information about Breaches and make use of one of the Internal Reporting Channels described in our Whistleblowing Policy (link coming soon), we process the following Personal data:

- Name

- Contact details (email address).

These Personal data are processed to meet a legal obligation. We retain your personal data until the reported Breach is time-barred, unless otherwise required by applicable law.

The recipients of the Personal data abovementioned will be, internally, dedicated persons within the Legal Team.

Targeted Advertising

To deliver our public interest campaign messages, we use advertisement tools provided by social media platforms. These tools offer target-based advertising options including interests, geographical position, age and gender that may be of relevance to reach out to likely interested audiences. When making use of those target-based advertising options, we do not collect the data used by these ads tools. Please note that those tools are not operated by us, therefore, we strongly advise you to review the privacy policies of those websites, too, as we have no control over the content, privacy policies or practices of any third-party sites or services.

This data processing is based on our legitimate interests (article 6.1.f of the GDPR). In this regard, we have conducted a balancing test, as the law requires, and have determined that the processing performed and your reasonable expectations, our legitimate interest in conducting this processing is not overridden by your interests or fundamental rights and freedom.

How do we manage your Personal data?

Meliore takes appropriate technical and organisational measures in the process of collection, processing and use of Personal data.

We take a risk-based approach when selecting security controls to ensure the measures are suitable and adequate to protect Personal data according to their nature and category.

Confidentiality

- Physical offices with implemented access controls (either through swipe cards or other physical means)

- Remote workers are trained to be aware of their surroundings while working from home and in a public place

- Authentication to all systems requires the use of a username and a complex password, with 2FA implemented where possible

- Centrally managed antivirus software for all Meliore devices

- Data transmission via secure data transfer protocols, such as SSL

- Data at rest encrypted for cloud storage and on Meliore devices

- Information Security Policy and Data Protection Policy shared with all Staff

- Strict password requirements and staff advised to use the Meliore-provided password manager

- Centrally managed security policies implemented on all Meliore devices

- Centrally managed disk encryption on all Meliore devices

- Consultants and those using personal devices for work, are requested to abide by the Bring Your Own Device Policy

- Least privilege principle implemented as part of the Access Control Policy.

Integrity

- Where required, logging and auditing mechanisms are in place

- Data is transferred and stored using encrypted connections such as HTTPS or SFTP

- Data modification rights follow the least privilege principle.

Availability

- Antivirus on all Meliore devices.

- Software updates rolled out to all Meliore devices regularly

- Disaster Prevention and Recovery Procedure in place

- Systems selected based on acceptable uptime guarantees and security merits.

Finally, we ensure that the third parties we share your Personal data with also have adequate security measures in place and ensure that those measures are described in the agreements concluded with them, as described in Section 6.

Who are the recipients of your personal data?

To execute our contractual or reporting obligations as per the above purposes, we need to share your Personal Data with:

- Third-party processors;

- Joint controllers; or

- Government institutions or regulatory bodies in compliance with our reporting obligations.

Third-party processors

Third-party processors are service providers, who support us in the processing of your Personal data, act only on our instructions and with which we either:

- conclude a data processing agreement, subject to the requirements of Article 28(3) of the GDPR where located in the European Economic Area (“EEA”);

or

- where they are located outside the EEA, we have in place appropriate safeguards within the meaning of Article 46(2) c) of the GDPR.

Joint controllers

Joint controllers are service providers with which we collaborate and determine together the purposes and the means of the processing.

We conclude with them an agreement subject to the requirements of Article 26(1) of the GDPR.

Data retention

We only retain your Personal information for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal requirements.

To determine the appropriate retention period for Personal data, we consider the amount, nature, and sensitivity of the Personal data, the potential risk of harm from unauthorised use or disclosure of your Personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements.

Retention periods for the different types of Personal data are detailed in the Register of Processing Activity.

If you would like to know more about the retention periods we apply to your Personal data, please contact us at [email protected].

Your rights

You have rights as an individual which you can exercise in relation to the information we hold about you:

- right to request access to your data and rectification of your personal data.

- right to be forgotten in line with current legal requirements.

- where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Withdrawing your consent means that we will not make use of your data any longer. However, use made of your data in the past remains valid.

- You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interests.

To exercise those rights, please send us an email to [email protected] together with a proof of your identity. Please note that you always have the right to lodge a complaint with the Data Protection Authority of the European country of your choice.

We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Updates to this Privacy Notice

We have the right to modify this Notice from time to time. We will inform you, when possible, of any substantial changes to the Notice. You can consult the most recent version of the Notice on our website.

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently as well as to provide information to the owners of the site. This website does make use of analytics cookies as explained hereunder.

 
_ga Google Analytics Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

_gat Google Analytics Used by Google Analytics to throttle request rates

_gid Google Analytics Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

What are my rights?
⁠You have the right of access to your personal information and to ask for rectification, erasure or restriction of processing of your personal data. You also have the right to object at any time to processing of your personal data provided to us in the framework of the use of cookies on the present site. For more information on the use of those rights, please refer to the privacy policy of Meliore website.

This cookie policy was last updated on 29th June 2023