Data Privacy Policy of the Haki Ni Yetu Project

1. Controller of registry

Name: KIOS Foundation
Trade registry number: 1497493-0
Postal address: Lintulahdenkatu 10, 00500, Helsinki, Finland

2. Name of registry

Haki Ni Yetu Grants Schemes

3. Contact persons for registry

Representatives of the Foundation: Visa Hytönen
Phone: 040 952 7919
Email: calls@kios.fi

4. Purpose, Legal Basis, and Types of Data

Article 5 of the General Data Protection Regulation (GDPR) establishes the framework for our data processing principles, with our primary legal bases being necessity and consent. The collected personal data serves the purposes of managing grant applications and disbursing granted funds, facilitating communication with applicants, and enhancing digital service quality. The registry includes data collected in the grant application, essential details for grant payment, and particulars submitted in grant utilization and outcome reports. The registry contains applicant contact details, along with those of potential associates, provided to us throughout the application procedure. Additionally, contact information for previous referees, as supplied by the applicant, is retained within the registry.

Furthermore, we gather grant payment details, insights into how applicants utilize the grant system, and technical data such as login credentials. Communication between registered applicants and the registry operator is also saved. The storage and processing of applicant information depend on their consent and the legitimate interest of the registry operator. Consent is also essential for registering other individuals. To facilitate the application processing, the application form must include personal data for both applicants and attached individuals. Insufficient data may result in application rejection.

5. Regular disclosures of personal data and transfers to third parties

Personal data is managed by KIOS staff (administrative staff and grants officers), referees appointed by the Haki Ni Yetu Project, the KIOS board, technical support, appointees of an accounting service provider, and accountants appointed by the European Commission. Information is disclosed only to the extent necessary for the functions of the receiving party and shared with third parties only when it is required for specific purposes, in compliance with applicable laws, and with the consent of the data subjects when necessary.

6. Principles of register protection

Our principles of register protection are in line with the KIOS Data Protection Policy, Haki Ni Yetu Data Protection Plan (to be updated in 2023) and with relevant regulations of the EU, Kenya, and Finland.

The data is stored in:

  1. The Aspicore system database, which is protected by various technical measures.
  2. Servers of cloud services are located in locked and guarded facilities, to which access is given only to nominated persons.
  3. KIOS local drives

7. Principles of storing personal data

Grantee data and attached personal data

▪ Project and attached personal data will be archived for a minimum of 5 years but no longer than 7 years from the project’s end. This information will be stored in Finland in physical archives and on a local drive.
▪ However, the foundation removes bank account numbers and sensitive personal data related to funded applications within two years after the final report on the use of the grant has been approved.
▪ Anonymization will be used when personal data is used outside of the database or KIOS archives, for example when summarising statistical reports for donors and third parties.

Usernames

▪ Usernames are stored if the user has unfinished applications which have not been marked as finished.
▪ If the username has been inactive for two years and does not have any active applications, the username will be removed from the system.

Unfinished applications

▪ The applicant can remove any unfinished applications from the system.
▪ KIOS removes any unfinished and not granted applications within 12 months after the call for grants has closed.

Applications not funded

▪ KIOS removes or anonymizes not funded applications within two years of the decision.
▪ Anonymization removes all personal data from the application.

Messages

All messages concerning an application will be removed with the application or when they are no longer of use.

8. The rights of the data subject

▪ The right to access – You have the right to request copies of your personal data.
▪ The right to rectification – You have the right to request that KIOS correct any information you believe is inaccurate. You also have the right to request KIOS to complete the information you believe is incomplete.
▪ The right to erasure – You have the right to request that KIOS erase your personal data, under certain conditions.
▪ The right to restrict processing – You have the right to request that KIOS restrict the processing of your personal data, under certain conditions.
▪ The right to object to processing – You have the right to object to KIOS’s processing of your personal data, under certain conditions.
▪ The right to data portability – You have the right to request that KIOS transfer the data that we have collected to another organization, or directly to you, under certain conditions.

9. Transfer of data to third parties

Any personal data included in the grant contract may be processed by the European Commission for the purpose of implementing, managing, and monitoring the grant contract or to protect the financial interests of the EU, including checks, audits, and investigations. The beneficiaries have the right to access, rectify or erase their own personal data and the right to restrict the processing of their personal data or, where applicable, the right to data portability or the right to object to data processing in accordance.

10. Data Breach Response

Data subjects will be informed as soon as possible of any data breach that becomes known to KIOS.

 
