Article 1 – Aim of the Data Protection Policy

meCash acknowledges that information technology should be at the service of every citizen. Information technology development shall take place in the context of international co-operation. Information technology shall not violate human identity, human rights, privacy, or individual or public liberties.

meCash is committed to international compliance with data protection laws. This Data Protection Policy applies worldwide to meCash and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy relationships and the reputation of meCash as a credible organization.

The Data Protection Policy ensures the adequate level of data protection as prescribed by relevant legal frameworks, including in countries that do not yet have adequate data protection laws.

meCash’s Data Protection Policy is meant to be a practical and easy-to-understand document to which all meCash departments, stakeholders and partners can refer.

Article 2 – Scope of the Data Protection Policy

This Data Protection Policy applies to all entities of meCash, including network and branch offices in all countries of operation.

  • The policy applies to all meCash staff and governance members.
  • The provisions of this policy may also be applied to any person employed by an entity that carries out missions for meCash.
  • In particular, this policy applies to implementing partners, suppliers, sub-grantees, stakeholders, and other associated entities.

meCash’s Data Protection Policy applies to all personal data that meCash holds relating to identifiable individuals, meaning any information relating to an identified or identifiable individual.

Article 3 – meCash’s sets of data and definitions

meCash’s Data Protection Policy applies to all sets of personal data, currently stored, maintained and handled by meCash, and more specifically to the following identified sets of personal data:

  • meCash’s personnel, including national and international staff, interns and volunteers
  • meCash’s direct and indirect beneficiaries, including interviewees
  • meCash’s contractors, suppliers, consultants, implementing partners currently under contract with meCash

Personal data, as referred to herein, means any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This can include in particular:

  • Names of individuals
  • Postal or living addresses
  • Email addresses
  • Telephone numbers
  • Identity card and passport
  • Date and place of birth
  • Identification of relatives
  • Fingerprints
  • Business reference
  • Geo-referencing

Processing of personal data means any operation or set of operations in relation to such data, whatever the mechanism used, especially the obtaining, recording, organization, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.

Article 4 - Application of National Laws and sources of authority

meCash is headquartered in England and observes the General Data Protection Regulations (GDPR). It has operations in other countries. meCash Country Operations observe the data protection laws of their country.

This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed. Each entity of meCash, including network and branch offices, is responsible for compliance with this Data Protection Policy and the legal obligations.

At the same time, meCash has rules and standards that seek to create a consistent approach and which, in some cases, may be stricter than national laws. This Policy must, therefore, be followed in addition to the relevant national laws on data protection.

In the event of conflicts between national legislation and the Data Protection Policy, meCash will work with the relevant country offices to find a practical solution that meets the purpose of the Data Protection Policy.

Article 5 - Principles for Processing Personal Data

1. Fairness and Lawfulness
  • When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
  • Collected data shall be adequate, relevant, and not excessive in relation to the purposes for which they are obtained and their further processing.
  • Individual data can be processed upon voluntary consent of the person concerned.
2. Restriction to a specific purpose
  • Personal data can be processed only for the purpose that was defined before the data was collected. Personal data shall be obtained for specified, explicit and legitimate purposes, and shall not subsequently be processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require justification.
  • However, further data processing for statistical, scientific, and historical purposes shall be considered compatible with the initial purposes of the data collection, if it is not used to take decisions with respect to the data subjects.
3. Transparency
  • The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be made aware of, or informed of:

    • The purpose of data processing;
    • Categories of third parties to whom the data might be transmitted
  • Processing of personal data must have received the consent of the data subject or must meet one of the following conditions: compliance with any legal obligation to which meCash is subject; the protection of the data subject’s life; the performance of the objectives for which meCash was formed.
4. Confidentiality and Data Security
  • Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
5. Deletion
  • Personal data shall be retained in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they are obtained and processed. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
6. Factual Accuracy and Up-to-datedness of Data
  • Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated.

Article 6 – Data Processing

1. Consent to Data Processing
  • Individual data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. In certain exceptional circumstances, consent may be given verbally.
2. Data Processing Pursuant to Legitimate Interest
  • Personal data can also be processed if it is necessary to enforce a legitimate interest of meCash. Legitimate interests are generally of a legal (such as filing, enforcing, or defending against legal claims), audit or financial nature. Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the individual merit protection. Before data is processed, it must be determined whether there are interests that merit protection. Control measures that require processing of personal data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the organization in performing the control measure (e.g. compliance with legal provisions and internal rules of the organization) must be weighed against any interests meriting protection that the individual affected by the measure may have in its exclusion, and cannot be performed unless appropriate.
3. Telecommunications and Internet
  • Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by meCash primarily for work-related assignments. They are a tool and an organizational resource. They can be used within the applicable legal regulations and internal meCash communication policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
  • There will be no general monitoring of telephone and e-mail communications or intranet/internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the network used by meCash that block technically harmful content or that analyse the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be blocked for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of policies and/or procedures of meCash. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as the meCash regulations.
4. Rights of the Data Subject
  • To request information on which personal data relating to him/her has been stored, how the data was collected, and for what intended purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected. If personal data is transmitted to third parties, individuals should be informed of such a possibility. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
  • To request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
  • To object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.

Article 7 - Transmission of Personal Data

Transmission of personal data to recipients outside or inside meCash is subject to the authorization requirements for processing personal data under Section 6 and requires the consent of the data subject. The data recipient must be required to use the data only for the defined purposes.

In the event that data is transmitted to a recipient outside meCash, this recipient must agree to maintain a data protection level equivalent to this Data Protection Policy. This does not apply if transmission is based on a legal obligation.

The processing of personal data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the individual that merit protection must be taken into consideration.

In certain circumstances, the meCash Data Protection Policy allows personal data to be disclosed, based on a legal obligation, to law enforcement agencies, without the consent of the data subject.

Only meCash’s Executive Director can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, motivated by the requester, appropriate, necessary and does not pose a threat or direct risk to meCash.

Before approving such disclosure, meCash’s Executive Director will check that the recipient of the data uses the data for the defined purposes only, and that it demonstrates the capacity and will to abide by such an obligation.

Where necessary, meCash’s Executive Director will refer to legal advisers for advice, and to meCash’s Committee for validation, notably but not only in cases involving direct security threats and implications or global organizational risks including reputation.

Article 7 - Transmission of Personal Data

All meCash staff and external individuals can contact meCash to request that the rights listed in Article 6, section 4 (Rights of the Data Subject) be applied.

Individual subject access requests should be addressed by email or in writing. If not in writing, the request should be taken and handled by a duly authorized meCash staff member and registered in a log for reference and follow-up.

Any individual subject access request received by meCash will be duly verified before being handled, including verification of the identity of the person making the request, before any information is handed over.

meCash will ensure that it responds to individual requests in a timely manner.

meCash will ensure that any data subject, including but not limited to personnel, individuals and customers, and beneficiaries, has the means to contact meCash to verify the data meCash holds about them, and can have authorized meCash personnel update and correct personal information. Such an obligation entails the following:

  • meCash staff should have access to their personal files and to any information held by meCash on them, by simple request to the Human Resources department, to be presented and corrected by duly authorized staff only. The consultation of any information on any other staff is strictly prohibited.

Where necessary, meCash’s Executive Director will refer to legal advisers for advice, and to meCash’s Committee for validation, notably but not only in cases involving direct security threats and implications or global organizational risks including reputation.