Personal Data Use and Protection Policy
Purpose:
To establish procedures to protect Personal Data and to ensure the rights of individuals who are owner of the Personal Data in accordance with applicable laws and regulations.
Definitions:
“AHF” means, as applicable, either AIDS Healthcare Foundation or an affiliated entity or division of AHF that operates in the country where this policy is being applied.
“Authorization” means prior, express, and/or informed consent of the Client to carry out use of the Client’s Personal Data.
“Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject's wish which he or she, by a statement or by a clear affirmative action, signifies agreement to the collection or processing of Personal Data relating to him or her.
“Bureau” means the one of the following global regions, as indicated in any Country Annex: Africa Bureau, Asia Bureau, India Bureau, Europe Bureau, Latin America and Caribbean Bureau.
“Client” means any natural, legal, or juristic person, as applicable, including, without limitation, a patient, employee, or contractor of AHF and whose Personal Data is subject to Use.
“Data Controller” means either AHF or any authorized employee or contractor or collaborator of AHF who Uses or manages Use of Personal Data on behalf of AHF.
“Data Processor” natural person, legal person of private law or public entity that acting alone or jointly with another, performs the processing of personal data on behalf of the data controller, under a legal relationship that binds it with the latter and delimits the scope of its action. It includes whoever performs the processing without the existence of a personal databank.
“Data Protection Authority” means such governmental agency or office that has been authorized with oversight of compliance under Data Protection Laws.
“Data Protection Laws” means the applicable laws governing Personal Data in the jurisdiction where this policy is being applied as indicated in the applicable Country Annex.
“Data Recipient” means any Data Controller or Data Processor that receives Personal Data from AHF or its Data Controllers and Data Processors.
“Data Subject” means natural person to whom the personal data corresponds.
“Data User” means AHF or any authorized employee or contractor or collaborator of AHF that makes decisions with regards to Personal Data and / or the Processing of Personal Data.
“Database” means any organized set of Personal Data that is the object of Use;
“Personal Data” means any information linked or associated with one or more specific or determinable Client, which can include, without limitation, marital status, first and last name(s), date and place of birth, gender, nationality, address, email address, telephone number, professional position, IP address and any other information used to communicate with us.
“Use” means any use of or operation on Personal Data such as without limitation the collection, storage, circulation, processing, or suppression of Personal data performed by or on behalf of AHF in the applicable jurisdiction.
Scope and Applicability:
The principles contained in this policy generally apply to all Personal Data used in the operations of AHF, provided that the provisions contained in the applicable Country Annex attached hereto will apply in such country. In the event of any conflict between a Country Annex and this Policy, the Country Annex will control Use of Personal Data by AHF in that country.
Policy:
It is AHF’s policy to:
- 1. Protect and safeguard the Personal Data of Clients;
- 2. Inform Clients of their rights with regards to their Personal Data;
- 3. Maintain and update Personal Data;
- 4. Adopt and compile policies and procedures to ensure compliance with Data Protection Laws;
- 5. Process complaints and claims of Clients regarding Personal Data; and
- 6. Complying with the instructions and requirements of regulatory agencies that have jurisdiction over AHF with regards to Personal Data under the Data Protection Laws.
- 7. Where required by the Data Protection Laws, register AHF with the applicable Data Protection Authority.
AHF may collect Personal Data of Clients in situations including, without limitation:
- 1. When a Client registers on our Website,
- 2. When a Client fills in one of our forms,
- 3. When a Client signs any contract with us,
- 4. When a Client subscribes to our newsletters and announcements.
Procedures:
-
1.Each AHF Affiliate must enter into a written contract with each third party Data User or Data Processor such that:
- a.The third party’s roles, responsibilities, and obligations with respect to Personal Data are clearly identified;
- b.The third party expressly commits to safeguarding Personal Data, immediately notifying AHF of any breaches of Personal Data, and taking all necessary steps to mitigate any harm to Personal Data or to the Clients arising out of any breach of Personal Data;
- c.The third party indemnifies and holds the AHF Affiliate harmless from any failure of the third party’s obligations under the contract.
-
2.AHF and its Data Recipients shall have the same obligations with regards to Personal Data. For this purpose, AHF will:
- a.Ensure that Personal Data provided to Data Recipients are correct;
- b.Communicate updates regarding Personal Data to Data Recipients;
- c.Require that Data Recipients protect Personal Data;
- d.Process queries and claims;
- e.Inform the Data Recipients when any Personal Data of a Client is under discussion;
- f.Provide to Data Recipients only the Personal Data whose Use is authorized;
- g.Inform Clients of their rights and about the Use of their Personal Data; and
- h.Inform applicable Data Protection Authority of violations of safeguards that are intended to protect Personal Data and any risks in information management that endanger Personal Data.
-
3.Additionally, AHF will:
-
a.at the time it requests authorization from the Client, clearly and expressly inform the Client of the following:
- i.The Use to which the Client’s Personal Data will be subjected to and the purpose of the Use and any possible third-party users or types of uses;
- ii.Whether the responding to the requested information is mandatory or optional; whether the any request information containing sensitive data of children and adolescents are optional; and the consequences of refusing to provide information or providing false information
- iii.The rights that assist the Client and the mechanism to exercise those rights; and the possibility to file a complaint before the data protection authority of the country of residence of the data subject.
- iv.The identification (i.e. physical or electronic address and telephone number) of AHF.
- b. keep proof of compliance with the provisions of Data Protection Laws and when requested by the Client, provide a copy of such proof;
- c. guarantee the Clients, at all times, the full and effective exercise of the rights with regards to their Personal Data;
- d. request and keep a copy of the respective authorization granted by the Client in accordance with the Data Protection Laws;
- e. duly inform Clients about the purpose of Personal Data collection and their rights with regards to any authorization granted to AHF;
- f. keep all Personal Data under the necessary security conditions in order to prevent the adulteration, loss, query, or fraudulent or unauthorized use or access;
- g. ensure that Personal Data provided to any Data Controller is true, complete, accurate, updated, verifiable, and understandable;
- h. update Personal Data, timely communicate to all Data Controllers any amendments to Personal Data provided by Clients, and take other necessary measures to maintain and update Personal Data;
- i. amend and correct Personal Data when it is incorrect, and communicate the pertinent corrections and amendments to each affected Data Controller;
- j. provide to the Data Controllers only the Personal Data whose Use is authorized by Data Protection Laws;
- k. require the Data Controllers to respect the security and privacy conditions of the Client’s Personal Data at all times;
- l. process all queries and claims related to Personal Data in accordance with the Data Protection Laws;
- m. implement internal procedures for inquiries and complaints related to Personal Data;
- n.inform each Data Controller when certain Personal Data is under discussion by the Client, once a claim has been filed and the respective claim procedure has not been followed;
- o.inform the Client, at the Client’s request, about the Use of Client’s data;
- p.inform the appropriate Data Protection Authority of any breaches of security or other risks to Personal Data;
- q.comply with the instructions and requirements issued by the Data Protection Authority.
-
4.Each third-party Data Controller must contractually agree to:
- a.guarantee the Client, at all times, the full and effective exercise of Client’s rights with regards to Personal Data;
- b.keep Personal Data under the necessary security conditions in order to prevent the adulteration, loss, query, or fraudulent or unauthorized use or access;
- c.timely update, rectify, or delete Personal Data in accordance with the terms of the Data Protection Laws;
- d.update Personal Data reported by AHF within 5 business days from its receipt;
- e.process the queries and claims made by the Clients in accordance with the Data Protection Laws;
- f.adopt an internal manual of policies and procedures to ensure adequate compliance with the Data Protection Laws, paying special attention to inquiries and complaints by the Clients;
- g.record in Personal Database the legend, “claim in process” or similar annotations in the form and manner required under the Data Protection Laws;
- h.insert in Personal Database the legend, “information in judicial discussion,” once notified by the competent authority on legal proceedings related to any Personal Data;
- i.refrain from circulating Personal Data that is being disputed by the Client and with regards to which the Data Collector has received a restriction request from the Data Protection Authority;
- j.allow access of information only to those who are authorized to access it;
- k.inform the Data Protection Authority when there are violations of security codes and risks in the administration of Personal Data of the Clients; and
- l.comply with the instructions and requirements by the Data Protection Authority.
-
5.For each jurisdiction, and as required by applicable Data Protection Laws, AHF will:
- a.Designate a Data Protection Officer;
- b.Publish a notice of its Person Data Use practices; and,
- c.Establish and publish a policy for its Web based Use of Personal Data.
- d.Permit Clients and their successors to query the Client’s Personal Data that rests on any Database, whether from the public or private sector. For this purpose, AHF and each Data Controller must provide all of Personal Data contained in the individual record or that which is linked to the identification of the Client in accessible Databases. AHF or Data Controller may formulate the means of such query, as long as sufficient proof of the query is kept.
Local Supplement: Peru
This Local Supplement is applicable to you if you reside in the country indicated above. It contains important information about your personal rights to privacy. Whenever this Local Supplement applies it should be considered to add to the Privacy/Data Use and Protection Notice.
“AHF” means AIDS Healthcare Foundation Peru Sucursal, the Peru branch of the foreign foundation, AIDS Healthcare Foundation.
“Data Protection Law” means Personal Data Protection Law No 29,733 (“PDPL”) of June 2011 and the Supreme Decree No 003-2013-JUS-Regulation of the PDLP of March 2013 (“Regulation”).
“Data Protection Authority” means Directorate for the Protection of personal data, which is part of the General Directorate of Transparency, Access to Public Information and Protection of Personal Data (“NDPA”).
Procedures
Principles:
AHF will comply with the following principles:
- a.The processing must be based in a determine, explicit and lawful purpose.
- b.The processing should not be extended to another purpose for the one established at the time of its compilation, excluding cases of activities of historical, statistical or scientific value when a dissociation or anonymization procedure is used.
- c.The personal data to be processed must be truthful, accurate and, as far as possible, up-to-date, necessary, pertinent and adequate with respect to the purpose for which it was collected.
- d.The processing must be adequate, relevant and not excessive to the purpose of processing.
- e.The data controller must guarantee the confidentiality of the information and must be kept only for the necessary time to fulfil the purpose of the processing.
- f.The data controller and data processor must adopt the technical, organizational and legal measures, in order to guarantee the security of personal data.
Data Subject’s Rights.
AHF must comply with the of information in favor of the data subject, including in the corresponding agreements or privacy notices (per category), the following information:
- a.Identification of data controller and data processors if the case may be.
- b.Identification of the data bank where the information will be stored.
- c.Mandatory personal information and the consequences of not providing the information.
- d.Determined, explicit and lawful purpose.
- e.Data retention period.
- -Local and cross-border flows of data. In case of cross-border flows, it is also required to disclose:
- -Country of the data importer.
- -Full identification of the data importer, which includes name and taxpayer identification.
- -Purpose of the transfer.
- f.Means for the data subject to exercises the rights of information, access, cancellation, and opposition of processing. The data controller must contemplate among its processes an easy, free of charge, proceeding, in order to allow the data subject the fulfilment of any request.
Also, AHF must attend the data subject’s claims regarding the rights of access, rectification, cancellation or opposition to the processing of personal information within the following legal terms established by the Peruvian Data Protection Law:
- a.Right of access. The data controller must attend the request within twenty (20) business days from the filing. The access request empowers the data subject to request information about his/her personal data, the conditions and processing activities.
- b.Right of rectification. The data controller must attend the request within ten (10) business days from the filing. This right includes the update, inclusion, rectification and deletion of data. The data subject can request the rectification of his/her personal data when such data is partially or totally inaccurate, incomplete; if there is any omission, error or falsehood, when the data is no longer necessary or relevant to the purpose for which it has been collected, or when the processing term has expired.
- c.Right of Cancellation and Opposition. The data controller must attend the request within ten (10) business days from the filing. The data subject can object the processing activity on the basis of legitimate grounds, related to a specific personal situation. In case of legitimate opposition, the data controller (or data processor if the case may be), must proceed with the suppression of the personal data.
Special categories of processing.
Sensitive Data
AHF must obtain:
- a.A valid processing of sensitive data requires the prior, free, express and written consent of the data subject.
- b.Written consent may be granted by electronic signature, by writing that remains recorded, in such a way that it can be read and printed, through pre-established text, easily visible, legible and in plain language, that the data subject can make his/her own, or not, by means of a written, graphic or clicked response.
Data related to minors.
Processing activities of data related to minors is considered as a special category of processing. The consent of the parents or guardians is mandatory. Exceptionally, minors over fourteen (14) and under eighteen (18) years old have the right to grant their consent, provided that the data controller has provided full information of the processing in an understandable language, except in those cases where the law expressly requires the intervention of the parents or guardians.
The consent is prohibited for accessing activities related to goods or services that are restricted to adults. It is also prohibited to collect information about other members of the minor’s family group.
Registration of databanks and cross-border flows of data:
AHF will:
- a.Register all the processing categories of databanks before the National Authority for the Protection of Personal Information. Without limitation, such categories could be related to: employees, clients, providers, web page contacts, video surveillance or others. For such purposes, AHF must conduct an internal review of its data flows.
- b.Register all the cross-border flows of data. The use of cloud-based systems are considered as cross-border flows and must be register.
- c.Implement the following digital security controls:
- -The control of access to personal information including the management of access since the registry of a user, the management of the privileges of said user, the identification of the user with user name and password, use of digital certificates, tokens, among others.
- -Perform a periodic verification of the assigned privileges, which must be defined through a documented procedure in order to guarantee their suitability.
- -Generate and maintain records that provide evidence of interactions with logical data, including for the purposes of traceability, the information of user accounts with access to the system, start and end times session and relevant actions.
- -Security measures related to authorized access to data must be established through identification and authentication procedures that guarantee the security of data processing personal.
Principle obligations of data processors:
AHF’s processors must comply with the following obligations:
- a.Provide sufficient guarantees to implement appropriate security measures to ensure the protection of the rights of the data subject, and assure the confidentiality of the personal data. Regarding the security measures, the pseudonymization and encryption of personal data, or the use of digital signatures are established in the Peruvian Law. These requirements are aligned to those contained in the regulations specifically approved for the financial sector.
- b.Disclose the changes in their privacy policies, or in the conditions of the service provided to the data controller, to obtain consent if this means increasing their processing powers.
- c.Allow the data controller to limit the type of processing of the personal data.
- d.Prevent access to personal data to those who do not have access privileges.
- e.The processor shall not engage a sub-processor without the prior specific or general written authorization of the controller.
- f.Processing and sub processing activities must be governed by an agreement and must respond to documented instructions provided by the data controller, including the transfer of data.
- g.Deletion and return of the personal data to the controller after the end of the provision of services is also stipulated.
- h.Processors are enforced to perform its activities according to the guidelines of the controller and cannot give the personal information a different use of the one stated in the processing or sub-processing agreement.
Sub-processors assume the same obligations established for data processors.
Cross-border flows of data:
- a.The data controller and data processor must guarantee a sufficient level of data protection to perform a cross-border flow of data. The minimum requirements are to assure, at least, a level comparable to the provisions of the Peruvian Data Privacy Law or by the international standards in data protection.
- b.If the recipient country does not have an adequate level of protection, the issuer of the cross-border flow of personal information must guarantee that the processing of personal data is carried out in accordance with the provisions of the Peruvian Law. International standards in data protection are allowed.
- c.Cross-border flows of personal data will be possible when the recipient or importer of the personal data assumes the same obligations that correspond to the data controller who transferred the personal data as issuer or exporter.
- d.The issuer or exporter may use contractual clauses or other legal instruments that establish at least the same obligations to which the data controller is subject to; as well as the conditions in which the data subject consented to the processing of its personal information.