ITS Privacy Policy

 

1. Introduction

  1. 1.1   This is the Privacy Policy of Idarat al-Ta’reef al-Shakhsi Trust, which is referred to as "ITS", the "Trust" or "we" throughout this Privacy Policy. This Privacy Policy provides details of the way in which we Process Personal Data in line with our obligations under Data Protection Law.
  2. 1.2   ITS is an independent charitable trust which provides data and information related support and activities to other charitable organisations, including those affiliated to the Dawat-e-Hadiyah.
  3. 1.3   For the purpose of any relevant and applicable Data Protection Legislation, the data controller is the ITS Data Co-Ordinator, ITS, Badri Mahal, Amatullah Manzil, Ground Floor, 65, Bazargate Street, Fort, Mumbai - 400001 India, who can be contacted by post or by email at privacy@its52.com
  4. 1.4   Capitalised terms used in this Privacy Policy are defined in the Glossary in Annex I.

2. Background and Purpose

  1. 2.1   The purpose of this Privacy Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices. Please read the following carefully to understand our regarding your Personal Data and how we will treat it.
  2. 2.2   In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us e.g. application forms etc.

3. Information we may collect from you

  1. 3.1   We may collect Personal Data directly from you or from third parties as follows:
  1. a.  Information you provide directly to us (which in most instances is you, but may be a family member or other person acting under your instruction): Information that you provide either by filling in paper-based forms or through forms on our site www.its52.com (the "Site"). We may also ask you for information when you register for specific events, such as Miqaat's with Huzurala (tus) including Ashara Mubaraka (Miqaat), or when you report a problem with our site, or your ITS records.
  2. b.  Third parties: Information which is provided with your consent (or other lawful grounds for sharing) by third parties, such as your local Jamaat or any other official Dawat-e-Hadiyah organisation, including details of your participation in local organisations, the 12 Umoors and local Jamaat activities and events.
  3. c.  Correspondence: If you contact us, we may keep a record of that correspondence.
  4. d.  Research / Surveys: We may also ask you to complete surveys from time to time that we use for research purposes, although you do not have to respond to them. Such research is to allow the use of data for third party organisations (such as Dawat-e-Hadiyah) to target various initiatives and programs such as TaiseerunNikah or upliftment programs in a relevant and meaningful way.
  5. e.  Websites: Details of your visits to our site (or third party websites which have asked us to capture this information for them) including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access.

4. Minors (aged under 18 years) and "Providers of Data"

  1. 4.1  If you are a child or young adult under the age of 18 years, you must ask your parent or legal guardian to approve your provision of Personal Data before you submit your Personal Data to us. If you do not understand any of this policy, you should ask your parent or guardian to explain it to you.
  2. 4.2   Parents and guardians of children/minors are personally responsible for supervising their child's/minor's access to, and use of, our services and for providing valid approvals for their child's/minor's participation in activities conducted by us.

5. The Trust as a Data Controller

  1. 5.1   The Trust will act as a Data Controller in respect of Personal Data provided to us by various individuals in connection with the operation and administration of Trust. Such individuals will generally include the following:
    1. a. members and prospective members;
    2. b. website visitors and service users;
    3. c. employees;
    4. d. volunteers and other office bearers; and
    5. e. recipients of services from the Trust and its affiliates.
  2. 5.2   Personal Data is processed by Trust for the following purposes:
    | PURPOSE OF PROCESSING | LAWFUL BASIS FOR PROCESSING |
    | --- | --- |
    | To provide data analytics and data management activities for the benefit of the individual and the Dawoodi Bohra community, directly or through third party organisations. | a) Consent of the individual when they become a member and in the legitimate interests of the Trust and its members. |
    | Provision of services and information to data subjects e.g. pastoral care services and via the Sites | Such processing is necessary for the legitimate interests pursued by Dawat-e-Hadiyah and based on the individual's consent where they request such information or services. |
    | Provision of ITS cards to members, issued with your name and photograph displayed on the card, together with basic personal details (the "Card"). This information may be accessible by ITS through the use of secure encrypted RFID technology. Your Card may also be used for registration, admission and other similar purposes at any Miqaat which you attend. You should contact ITS immediately if your Card is lost or stolen, so that your existing Card can be cancelled and a new Card issued. | Such processing is necessary for the legitimate interests pursued by Dawat-e-Hadiyah. |
    | Maintaining accounts and records of contacts and members of the Dawoodi Bohra Community. | Such processing is necessary: (a) for the performance of a contract between the Trust and its members or prospective members; and (b) as necessary for the performance of Dawat-e-Hadiyah legitimate interests. |
    | To help identify any assistance and services which you may require from the Trust, or any third party organisations who utilise Trust assistance, including obtaining relevant visas, for any official Miqaat. | Such processing is only undertaken where there is consent of the data subject through the provision of the relevant information to the Trust for the purposes of such services. |
    | General correspondence with data subjects | Such processing is necessary: (a) for the performance of a contract between the Trust and competition entrants in accordance with the competition terms and conditions; and (b) based on entrants' consent. |
    | Processing of personal data for website purposes such as technical information, information about your website visit and cookies. | Such processing is necessary for the legitimate interests pursued by the Trust including for troubleshooting, data analysis, testing, research, statistical and survey purposes. |
    | To assist the Trust with research into the Dawoodi Bohra community and its demographics, and the administration of community based initiatives, programs and administration | Such processing is necessary for the legitimate interests pursued by Dawat-e-Hadiyah. |
    | To assist Trust with administration of education and tal'eem programs within the Dawoodi Bohra community, including asbaaq, online education, tahfeez of Al Quran Majeed, madressas and matters relating to attendance at Jamea As Saifyah for courses and examinations | Such processing is necessary for the legitimate interests pursued by the Trust including for promoting religious education amongst the Dawoodi Bohra community at all age groups in formal and informal settings. |
    | To allow the administration of local programmes and initiatives such as Faiz-e-Mawaid-Burhaniyah scheme around providing households with meals | Such processing is necessary for the legitimate interests in securing your participation in any local Faiz-e-Mawaid Burhaniyah scheme including payment of any dues, any special dietary requirements and associated health requirements, and delivery schedules for meals. |
    | For the purposes of maintaining a database of member blood types. | Such collection and processing of personal data is undertaken based on the explicit consent of the data subjects and the consent is captured prior to the processing of such data. |

6. The Trust and Data Processors

  1. The Trust will engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of Trust and gives rise to a Data Controller and Data Processor relationship, Trust will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

7. Record Keeping

  1. 7.1   As part of our record keeping obligations, Trust retains a record of the Processing activities under its responsibility. This comprises the following:
    | REQUIREMENT | THE TRUST'S RECORD |
    | --- | --- |
    | Name and contact details of the Controller | Data Privacy Office: shabbir.h@its52.com +353879195237; huzeifa.b@its52.com +353857108815 |
    | The purposes of the processing | See Section 3 of this Privacy Policy. |
    | Description of the categories of data subjects and of the categories of personal data. | See Annex II of this Privacy Policy. |
    | Where applicable, transfers of personal data to a third country outside of the EEA. | See Section 9 of this Privacy Policy. |
    | Where possible, the envisaged time limits for erasure of the different categories of data | See Section 10 of this Privacy Policy. |
    | Where possible, a general description of the technical and organisational security measures | See Annex III of this Privacy Policy. |

8. Special Categories of Data

  1. 8.1   The Trust Processes Special Categories of Data ("SCD") in certain circumstances, such as the ordinary course of employee administration. The Trust shall Process such SCD in accordance with Data Protection Law.
  2. 8.2   Dawat-e-Hadiyah processes Special Categories of Data ("SCD") in certain circumstances, typically related to the ordinary course of member and employee administration and the provision of charitable support and development services.
  3. 8.3   It is lawful to process any SCD where it is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law. As required by Data Protection Law, Dawat-e-Hadiyah applies suitable and specific measures in respect of such Processing of SCD.

9. Individual Data Subject Rights

  1. 9.1   Data Protection Law provides certain rights in favour of data subjects. The rights in question are as follows (the "Data Subject Rights"):
    1. a. The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
    2. b. The right of access to Personal Data;
    3. c. The right to rectify or erase Personal Data (right to be forgotten);
    4. d. The right to restrict Processing;
    5. e. The right of data portability;
    6. f. The right of objection; and
    7. g. The right to object to automated decision making, including profiling.
  2. 9.2  These Data Subject Rights will be exercisable by you subject to limitations as provided for under Data Protection Law. You may make a request to Trust to exercise any of the Data Subject Rights by contacting the Data Privacy Officer at the address set out above. Your request will be dealt with in accordance with Data Protection Law. These rights are provided to you, regardless of whether you are resident in the European Economic Area, the United Kingdom, or in California, United States.

10. Data Security and Data Breach

  1. 10.1   We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. For more information on security measures see Annex III.
  2. 10.2   Relevant Data Protection Law obligates Data Controllers to notify the relevant Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by Trust will be dealt with in accordance with Data Protection Law and Trust's Data Breach Procedure.

11. Disclosing Personal Data

  1. 11.1   We may disclose your personal information to relevant third party organisations, where we judge such disclosure helps further assist or serve the Dawoodi Bohra community, subject to the organisation providing an undertaking to treat your Personal Data in a secure and reasonable manner in accordance with Data Protection Law. Such disclosure shall only be made where it is necessary for the purposes set out in this policy, and may require the transfer and processing of your data in locations around the world (including those outside the European Economic Area, see section 13 below).
  2. 11.2   You also acknowledge that we may disclose your Personal Data to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of the Trust. For example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.
  3. 11.3   From time to time, we may also disclose Personal Data to other third parties, or allow third parties to access Personal Data which we Process. We may also use your data, or permit selected third parties to use your data, to provide you with information about events, activities or community services relating to The Dawoodi Bohra community which may be of interest to you. This is based on the Trust's legitimate interests.
  4. 11.4   We may also disclose to certain third-party sites including other Al Vazarat As-Saifyah who may use ITS data for security purposes (such as website log in). Such use of ITS data is done in a secure fashion where the data remains within ITS and is not shared with those third-party sites.
  5. 11.5   If you do not want us to use your data for the purposes set out in this Policy, or to pass your details on to third parties for purposes relating to additional services or events, please tick the relevant box situated on the form on which we collect your data (the registration form), or contact us at the address provided in this policy.

12. Data Retention

  1. We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Policy).

13. Security and Storage

  1. 13.1   Your Personal Data will only be accessible and processed by persons designated by your local Jamaat (including any third party suppliers to the Jamaat), and will only be used for the purposes set out in this policy. It may also be processed by our Trust staff and volunteers operating outside the EEA who work for us or for one of our suppliers. By submitting your Personal Data to us, you acknowledge that the Trust will transfer, store and Process Personal Data as set out in the Policy.
  2. 13.2   We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this policy and any applicable laws, including the use of encryption technology where we deem it to be reasonably appropriate.
  3. 13.3   All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Except where prohibited by law, we are not responsible for any loss or damage caused by the unauthorised use of your password and log-in details, and we also exclude all liability for any direct or indirect losses caused by any breach of this policy.
  4. 13.4   While we at the Trust implement appropriate technical and organisational measures to ensure the security of Personal Data in accordance with Data Protection Law, unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

14. Transfers of data

  1. 14.1   Our main servers are located in India and the European Economic Area (EEA). The data that we collect from you may also be transferred to, and stored at, a destination in India where the ITS is located. Accordingly, the Trust routinely transfers Personal Data to countries which have different Data Protection Law standards and requirements. In respect of such transfers, the Trust ensures that such processing of your Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission). If you require more information on the means of transfer of your data or would like a copy of the relevant safeguards, please contact the Data Privacy office whose details are at Clause 7.1.
  2. 14.2   For the purposes of any data subjects who are located in India or whose data is obtained in India (but not a data subject whose data is exported and processed in India), all references to the rights of data subjects set out in this document shall apply to the providers of data instead of the data subject, in accordance with the Indian Information Technology Act 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. All consents and obligations of individual data subjects shall be discharged by the provider of data for the relevant individual.

15. Cookies

  1. 15.1   Cookies are small text files that may be placed on your browser when you visit our website (the "Site"). Cookies are used primarily for administrative purposes, to improve your experience with our Site. For instance, when you return to the Site after logging in, cookies provide information to the Site, including personal data, so that the Site will remember who you are. Our Site uses cookies to collect anonymous analytics about your computer, including your IP address, operating system and browser type. This includes compiling statistical information concerning, among other things, the frequency of use of our Site, the pages visited, and the length of each visit, as well as information about your computer, operating system, browser, language and country.
  2. 15.2   Using the settings of your Internet browser, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. Consult your browser Help menu to learn the correct way to modify your cookies. If you choose to turn off cookies, you may not have access to certain features of our Site. You may at any time delete any cookies set by using the relevant option of your Internet browser or by deleting the cookies on your hard drive.
  3. 15.3   We may use the cookies to collect information about your computer, including your IP address, operating system and browser type. Any such records are kept for the purposes of security and tracking access to the Site.

16. Third party websites

Our site may, from time to time, contain links to and from the websites of Dawat-e-Hadiyah affiliated organisations and other sites of interest. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites.


17. Further Information/Complaints Procedure

  1. 17.1 For further information about this Privacy Policy and/or the Processing of your Personal Data by or on behalf of Trust please contact the ITS Privacy Office at the details below:
    Data Privacy Office
    shabbir.h@its52.com  M: +353879195237
    huzeifa.b@its52.com  M: +353857108815
  2. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission (as our servers are located in Ireland), we request that you contact the Trust in the first instance to give us the opportunity to address any concerns that you may have.


ANNEX I (Glossary)


In this Privacy Policy, the terms below have the following meaning:

  1. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
  2. "Data Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  3. "Data Processor" means the party that Processes Personal Data on behalf of the Data Controller.
  4. "Data Protection Law" means any applicable data protection legislation based on your location, and the General Data Protection Regulation (No 2016/679) ("GDPR") and the Data Protection Act 2018 (Ireland) and any other laws which apply to Trust in relation to the Processing of Personal Data.
  5. "European Economic Area or EEA" means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
  6. "Personal Data" is any information relating to a living individual which allows the identification of that individual. Personal Data can include:
    *   a name, an identification number;
    *   details about an individual's location; or
    *   any other information that is specific to that individual
  7. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. "Process" and "Processing" are interpreted accordingly.
  8. "Special Categories of Personal Data" ("SCD") are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.


ANNEX II (Types of Personal Data)


| CATEGORIES OF DATA SUBJECT | TYPE OF PERSONAL DATA |
| --- | --- |
| Trust officers and staff (including volunteers, agents, fixed term, temporary and casual workers) | Name, address, contact details including email and phone number. Financial details such as wajebaat and qardan details. Family, next of kin and social circumstances. Education and taleem details. Past and present details around participation in miqaats including, without limitation, attendance records for Ashara Mubaraka, or other manasabaat such as misaq, ziyafaats, or nikaah. Membership details (for example, membership of any other Dawat related organisations). |
| Members of the Dawoodi Bohra community and, where relevant, the legal representatives of those community members | Name, address, contact details including email and phone number. Membership details (for example, membership of any other Dawat related organisations). |
| Suppliers, service providers or other strategic business partners and their respective officers and staff | Name, address, contact details including email and phone number. |
| Other business contacts, their officers and staff | Name, address, contact details including email and phone number. |
| Correspondents, complainants, enquirers and contacts at relevant regulators | Name, address, contact details including email and phone number. |


ANNEX III (Technical and organisational measures to ensure security of Personal Data)


In this Privacy Policy, the terms below have the following meaning:

  1. Encryption
  2. Firewalls and anti-virus
  3. Access control
  4. Change management
  5. Logging & data loss prevention techniques
  6. Confidentiality agreements
  7. Physical security measures
  8. Cybersecurity training
  9. Virus and malware protection
  10. Penetration testing
  11. Website blocking
  12. Trust policies
  13. Patch management
  14. Regular system maintenance
  15. Intrusion detection system
  16. Mobile device management