African Enterprise (AE) is committed to safeguarding your privacy. Contact us at [email protected] if you have any questions or problems regarding the use of your Personal Data and we will gladly assist you.

By using this site and/or our services, you consent to the Processing of your Personal Data as described in this Privacy Policy.

How much better to get wisdom than gold!  To get understanding is to be chosen rather than silver.
PROVERBS 16:16


A.        PURPOSE

Technology is the most powerful communication and information tool that the world has for interaction with one another on every level, and Information and Communications Technology (ICT) has become an intrinsic part of the daily working environment. Whilst information technology should be at the service of every citizen, African Enterprise (AE) is mindful that it must not violate human identity, human rights, privacy, or individual or public liberties.

As AE endeavors to achieve its vision of evangelizing cities in Africa, proper adoption, use and management of ICT and Data Protection is vital.

It is the global policy of AE to exercise a high standard of care in its administration of the personal information it collects, processes, and uses. AE maintains appropriate policies and processes throughout the organization to enhance the protection of personal data and ensure compliance with applicable laws and regulations.

AE is committed to international compliance with data protection and information and communications technology laws.

This Data Protection and Information & Communications Technology (ICT) Policy:

  • Ensures that data protection is the foundation of trustworthy relationships and protects the reputation of AE as a credible organization;
  • Is based on globally accepted, basic principles on data protection;
  • Ensures the adequate level of data protection as prescribed by relevant legal frameworks, including in countries that do not yet have adequate data protection laws.
  • Is meant to be a practical and easy-to-understand document to which all AE departments, stakeholders and partners can refer.

This document sets out how, when and why AE collects data and what the information is used for.


B.        SCOPE

This Policy applies to:

  • The global family of African Enterprise, the Teams across Africa and international support offices and all entities of AE;
  • All staff and governance members;
  • Any person employed by an entity that carries out missions for AE; implementing partners, suppliers, sub-grantees, stakeholders and other associated entities;
  • All personal data that AE holds relating to identifiable individuals, meaning any information relating to an identified or identifiable individual.
 

C.        DATA DEFINITIONS

AE’s Data Protection & ICT Policy applies to all sets of personal data, currently stored, maintained and handled by AE, and more specifically to the following identified sets of personal data:

  1. Personnel, including national and international staff, interns and volunteers;
  2. Direct and indirect beneficiaries, including interviewees;
  3. Individual donors and supporters;
  4. Contractors, Suppliers, Consultants and Implementing partners currently under contract with AE.

Personal data means any information relating to a natural person (hereinafter referred to as an individual or data subject) who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

This can include in particular:

  • Names of individuals
  • Postal or living addresses
  • Email addresses
  • Telephone numbers
  • Identity card and passport
  • Business reference

Processing of personal data means any operation or set of operations in relation to such data, whatever the mechanism used, especially the obtaining, recording, organisation, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.


D.       GUIDING PRINCIPLES

This Policy seeks to align with global privacy and security standards based on an ethical framework which includes the values of preventing harm, ensuring privacy, maintaining confidentiality during disclosure, and ensuring that the benefits of data collection outweigh the risks.

The principles adopted are as follows:

1.   An individual must be notified of privacy practices before data is collected.

2.   Consent to the specific use of the data being collected must be given by the individual, and consent may be given or removed at any point; removal of consent will automatically result in the deletion of the data subject’s personal information from AE’s records.

3.   The individual must be able to view and correct their data at any time.

4.   Data integrity must be kept and maintained; security measures and safeguards must be present.

5.   A system must be in place to enforce compliance to the above standards.

6.   A process must be in place that allows an individual to cite grievances against the administration of their personal data.

7.   Periodic review and updating of this Policy in keeping with legislative development.


E.        LEGAL FRAMEWORK

  • As AE is an international organisation it maintains a Data Protection & ICT Policy and data protection practices that are consistent with accepted international data privacy principles.
  • The normative standards by which this Policy is informed are ISO27001, ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and Related Technology).
  • AE’s Data Protection Policy and practices supplement national data privacy laws.
  • Any national data privacy law takes precedence in the event it conflicts with AE’s data protection policy and practices and/or has stricter requirements than this Policy. In the event of conflicts between national legislation and this Data Protection Policy, AE will work with the relevant country offices to find a practical solution that meets the purpose of the Data Protection Policy.
  • The reporting requirements for data processing under national laws must be observed.
  • AE has rules and standards that seek to create a consistent approach which, in some cases, may be stricter than national or local laws. This Policy must, therefore, be followed in addition to the relevant national and local laws on data protection.
  • The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation.
  • Each Team and Support Office, including network and branch offices, is responsible for compliance with this Data Protection Policy and the legal obligations.

This Policy is to be considered together with:

•    AE’s Child Protection Policy;

•    AE’s Code of Conduct and policies related thereto;

•    AE’s international manuals and guidelines.


F.        DATA COLLECTION & PROCESSING

1.       How AE gathers Personal Information

    • Personal interactions

The ministry of AE is largely characterized by relationships between individuals connecting through AE events and activities.

    • Direct Requests

AE has the personal information of individuals who have:

    • Reached out to AE of their own accord;
    • Registered or participated in an AE activity or event;
    • Subscribed to AE email communications;
    • Made a donation.
    • Job applications
    • When you visit an AE website

AE may collect personal data about people who visit its website(s). That means things like cookies and IP addresses – which indicate, for example, the places from where people are logging on, the pages people visit and which files they download. This type of data provides feedback on the efficacy of the AE websites and aids development thereof.

Cookies collect information in a way that does not directly identify you. For more information on how these cookies work, please see the section on cookies below.

    • Publicly available data

AE may also collect publicly available information from articles, newspapers or blogs.

2.       Types of Personal Information gathered

AE collects the following types of personal information:

    • Contact information:

Includes phone number, physical address, SMS, email address, telephone number, social media profile details.

    • Demographics:

Includes information about who an individual is, where they live, and what AE programs and activities may be of interest to them.

    • Financial History:

Includes historical information on donations to AE and other financial transactions such as registration fees for AE activities and events.

    • Identity Data:

Includes name, date of birth, gender, organizational affiliations, position/titles and level of influence at those organizations.

    • Payment Information:

Pertinent financial details for AE activities which individuals directly provide to any third party payment gateway providers.

    • Requests and Preferences:

Includes an individual’s preferences for how AE will communicate with them and the types of optional communications they wish to receive from AE, where such options exist.

    • Travel information:

Includes requests, passport information, dietary needs or restrictions related to the travel or attendance of an individual at AE events.

    • Engagement information:

Includes information on an individual’s history and engagement with AE.

    • Partnerships

AE may collect further information from an individual who may be in a position to partner in a greater capacity with the ministry of AE, based on legitimate interest.

    • Sensitive data

Subject to the consent of the individual concerned, AE may retain sensitive information about individuals, for example about religious beliefs, physical or mental health. As a Christian organisation AE may process personal data relating to where an individual worships and their role within the church. Such information is retained only if it is relevant to the individual’s interaction with AE.

3.       Principles for Processing Personal Data

1. Fairness and Lawfulness

    • When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
    • Collected data shall be adequate, relevant and not excessive in relation to the purposes for which they are obtained and their further processing.
    • Individual data can be processed upon voluntary consent of the person concerned.

2. Restriction to a specific purpose

    • Personal data can be processed only for the purpose that was defined before the data was collected.
    • Personal data shall be obtained for specified, explicit and legitimate purposes, and shall not subsequently be processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require justification.
    • However, further data processing for statistical, scientific and historical purposes shall be considered compatible with the initial purposes of the data collection, if it is not used to take decisions with respect to the data subjects.

3. Transparency

    • The data subject must be informed of how the data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be made aware of, or informed of:

–     The purpose of data processing;

–     Categories of third parties to whom the data might be transmitted.

    • Personal data may only be processed if consented to by the data subject or if it meets one of the following conditions:

–     Compliance with any legal obligation to which AE is subject;

–     The protection of the data subject’s life;

–     The performance of a public service mission entrusted to AE.

4. Confidentiality and Data Security

    • Personal data is subject to data secrecy. It must be treated as confidential on a personal level.
    • Personal data must be secured with suitable organisational and technical measures to prevent unauthorised access, illegal processing or distribution, as well as accidental loss, modification or destruction.

5. Deletion

    • Personal data shall be retained in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they are obtained and processed.
    • There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.

6. Factual Accuracy and Currency of Data

    • Personal data retained on file must be correct, complete, and maintained up to date.
    • Suitable steps must be taken to ensure that inaccurate or incomplete data is deleted, corrected, supplemented or updated.

4.       Processing Personal Data

1. Consent to Data Processing

    • Individual data can be processed upon consent of the person concerned.
    • Declarations of consent must be submitted voluntarily.
    • In certain exceptional circumstances, consent may be given verbally.

2. Data processing Pursuant to Legitimate Interest

    • Personal data can also be processed if it is necessary to enforce a legitimate interest of AE.
    • Legitimate interests are generally of a legal, audit or financial nature (such as filing, enforcing or defending against legal claims).
    • Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the individual merit protection.
    • Before data is processed, it must be determined whether there are interests that merit protection.
    • Control measures that require processing of personal data can be taken only if there is a legal obligation to do so or there is a legitimate reason.
    • Even if there is a legitimate reason, the justifiable interests of the organisation must be weighed against any interests meriting protection of the data subject; the control measure cannot be performed unless appropriate.

3. Telecommunications and Internet

    • Telephone equipment, e-mail addresses, intranet and internet, along with any internal social networks are provided by AE primarily for work-related assignments.
    • These are organisational tools and resources which can be used within the applicable legal regulations and internal AE communication policies.
    • In the event of authorised use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
    • There will be no general monitoring of telephone and e-mail communications or intranet/internet use.
    • To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the network used by AE that block technically harmful content or that analyse the attack patterns.
    • For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be blocked for a temporary period.
    • The relevant national laws must be observed in the same manner as the AE regulations.

4. Rights of the Data Subject

All individuals who are the subject of personal data held by AE are entitled:

    • To request information on which personal data relating to the data subject has been stored, how the data was collected, and the intended purpose for which it was collected.
    • If there are further rights to view the Employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
    • If personal data is transmitted to third parties, individuals should be informed of such a possibility.
    • If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
    • To request the deletion of their data if the processing of such data has no legal basis, or if the legal basis has ceased to apply.
    • The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons.
    • Existing retention periods and conflicting interests meriting protection must be observed.
    • To object to the processing of their data should the protection of the data subject’s interests take precedence over the interests of AE due to a particular personal situation.

–      This does not apply if a legal provision requires the data to be processed.

5. Confidentiality of Processing

    • Personal data is subject to data secrecy and any unauthorised collection, processing, or use of such data by employees is prohibited.
    • Any data processing which an employee of AE has not been authorised to carry out as part of their legitimate duties is deemed to be unauthorised. The “need to know” principle applies.
    • Duly-authorised employees may have access to personal information only as is appropriate for the type and scope of the task in question.
    • This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
    • Employees are forbidden to:

–       Use personal data for private or commercial purposes;

–       Disclose it to unauthorised persons; or

–       Make it available in any other way.
    • Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy.

This obligation shall remain in force even after employment has ended.

6. Processing Security

    • Personal data must be safeguarded from unauthorised access and unlawful processing or disclosure, as well as accidental loss, modification or destruction.
    • This applies regardless of whether data is processed electronically or in paper form.
    • Prior to the introduction of new methods of data processing, particularly new IT systems, technical and organisational measures to protect personal data must be defined and implemented.
    • These measures must be based on the:

–       State of the art;

–       Risks of processing; and

–       Need to protect the data.
    • The technical and organisational measures for protecting personal data are part of AE’s IT management and must be monitored against technical developments and organisational changes and updated accordingly.

5.       How AE uses Personal Data

    1. Processing requests and donations

AE may use personal data to:

•     Keep data subjects updated on AE news and AE ministry.

•     Request financial support and non-financial support such as volunteering or prayer.

•     Process donations received, or support fundraising initiatives undertaken on AE’s behalf.

•     Provide information or packs, for example church packs requested by the data subject.

•     Provide a personalised service, such as customised website content or personalised emails.

•     Retain records of a data subject’s relationship with AE, for example questions raised, enquiries made, surveys completed or complaints lodged.

•     Facilitate a data subject’s registration and attendance at an AE event and follow up with the data subject thereafter.

•     Comply with legal reporting obligations.

    • Personalised marketing

AE may use personal data to:

•     Inform data subjects about particular ministry and partnership opportunities which have a direct bearing/impact on the data subject, such as local community ministries and events.

•     Send fundraising and emergency appeals.

•     Inform on ministry opportunities such as volunteering, praying and community fundraising.

•     Deliver digital advertising about AE’s work to data subjects via social media platforms such as Facebook, Instagram and WhatsApp.

•     Assist with AE marketing, for example, inviting data subjects to a local event or reporting on an emerging need in an area of interest to a data subject, engaging with the data subject’s local church by providing preachers, leading worship.

•     Carry out market research

    • Social media marketing

•     AE may communicate via social media platforms such as Facebook, Instagram and WhatsApp where digital contact information has been provided and consent granted for AE to market events and activities to data subjects.

•     Social media marketing provides AE with a cost effective way of reaching both existing and new supporters.

    • Applications for Employment & Volunteer work

AE will store personal information garnered from data subjects’ CVs and other application forms/letters and will use this to:

•     Recruit where appropriate.

•     Perform reference, qualifications, service and criminal checks and verify information.

•     Conduct health screening and psychometric evaluation or skills tests, either in-house or using service providers.


G.       TRANSMISSION OF PERSONAL DATA

  • Transmission of personal data to recipients outside or inside AE is subject to the authorisation requirements for processing personal data and requires the consent of the data subject.
  • The data recipient must be required to use the data only for the defined purposes.
  • In the event that data is transmitted to a recipient outside AE, this recipient must agree to maintain a data protection level equivalent to this Data Protection Policy. This does not apply if transmission is based on a legal obligation.

  • The processing of personal data is also permitted if national legislation requests, requires or authorises this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions.
  • If there is some legal flexibility, the interests of the individual that merit protection must be taken into consideration.
  • In certain circumstances, the AE Data Protection Policy allows personal data to be disclosed, based on a legal obligation, to law enforcement agencies, without the consent of the data subject.
  • In these circumstances only the duly authorised nominee of AE (usually the CEO) can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, appropriate, necessary, and does not pose a threat or direct risk to AE.
  • Prior to approving such disclosure, the AE authorised person must check that the recipient of the data will use the data for the defined purposes only and demonstrates the capacity and will to abide by such an obligation.
  • The AE authorised person may seek legal advice in cases involving direct security threats and implications or organisational risks, including reputation.

International Data Transfers

•     AE is an international organization operating in different parts of the world and may transfer data subjects’ personal information from one country to another.

•     AE will not, however, disclose personal information to anyone outside the organization unless legally obliged to do so.

•     Any transfer of personal information from country to country will be done with appropriate safeguards and in compliance with applicable laws.


H.       DATA MANAGEMENT

1.       Storage

Resilient and secure data storage systems must be provided and utilised, whether localised (in the office) and/or in the Cloud and/or rented from a Third Party.

2.       Security

To safeguard and secure the personal information collected, AE has applied appropriate physical, electronic and managerial procedures to prevent unauthorized access and maintain data accuracy.

  • Password protection is used to protect privacy and security of data subject information.
  • Passwords should:

–     Be changed regularly;

–     Comprise fifteen (15) characters or more and include special characters;

–     Preferably be a ‘pass-phrase’.
  • AE will continue to improve current security procedures and adopt new security protocols as necessary to meet the standard of care subscribed to in this Policy.
  • AE is also committed to a prompt response to any potential data breach and has instituted an Emergency Management & Recovery Plan which includes timely notices as required by applicable law.
  • Data breaches may occur in various forms, e.g. hacking, computer viruses, physical theft of information both soft and hard copy.
  • All employees must adopt a “clean desk” policy; this must be actively managed.
  • Auto-lock screen, password protection, multi-factor authentication (viz. Biometric, One-Time-Pin), strong firewall and antivirus protection improve data security.
  • Transparency and efficiency in dealing with potential or actual data breaches is of paramount import to the credibility of AE, and is a legal obligation.

  • All affected data subjects must be timeously informed of a data breach, potential or otherwise.
  • AE must implement a process to deal effectively with a data breach. This process must set out inter alia which AE personnel must be immediately informed, what information is to be communicated and how, who is to authorise the release of information, to which external authorities the breach is to be reported.

3.       Retention

  • AE will retain a data subject’s personal information only for as long as required for each activity.
  • National legal and compliance obligations will impact on the retention period.
  • Retention services of in-house data is crucial
  • Move to cloud-based retention as the service provider assumes the responsibility for retention
  • Size of backup is dependent on affordability, departmental requirements and legal obligation
  • Data backups should be retained in ‘3-to-1’ sets at all times; this translating to 2 localised backups, each on separate AE hardware and one cloud-based backup.
  • Alternatively AE may elect to maintain two cloud-based backups (each on a separate cloud platform) and one local backup.
  • The integrity of the backups must be tested periodically, e.g. every six months, and the test signed off as proof.

4.       Change Management

  • All changes to configurations, systems, applications or equipment that could potentially affect the work of more than one person should follow the appropriate ICT change management procedures to minimize adverse impacts of the changes to operations and the users of ICT Services.

5.       Intellectual Property

  • All information relating to the business of AE, whether produced by staff, volunteers or service providers, is and remains the intellectual property of AE.

6.       Backup and Disaster Recovery Management

  • Every aspect of AE information technology systems must be backed up however and wherever it is appropriate to do so.

I.          RIGHTS OF DATA SUBJECT

The national Data Protection Laws determine the rights of data subjects in their respective jurisdictions.

AE is determined that these rights should not be infringed; further that these rights be extended to all data subjects of AE (including personnel, individual donors and supporters, and beneficiaries) on the following basis:

1. Right of access

To know that AE is processing the personal information of the data subject, how AE is processing this information, and for what purposes.

2. Right to Edit and Update Information

To rectify inaccurate information, update personal information, and supplement incomplete information held by AE.

AE staff should have access to their personal files and to any information on them held by AE, by simple request to the Human Resources department, to be presented and corrected by a duly authorised staff member only. The consultation of any information on any other staff is strictly prohibited.

3. Right to Delete Personal Information

To request AE to delete personal information for the following reasons:

  1. The data is no longer necessary for the purposes it was collected.
  2. Withdrawal of previously given consent where consent is required to process the information.
  3. Objection to AE processing the data in a certain manner or form, or for certain purposes for which AE does not have legitimate grounds to continue processing the information.
  4. The personal information has been unlawfully processed.
  5. The personal information must be erased to comply with a legal obligation.

AE may be required to reject a request to delete personal information for the following reasons:

  1. Exercising the right of freedom of expression and information.
  2. Compliance with a legal obligation.
  3. Reasons of public interest.
  4. Establishment, exercise or defence of legal claims.

Requests for deletion of personal information must be made in writing with motivation.

AE will respond within 30 days as to whether the request has been accepted or, if rejected, the reason therefor.

4. Right to Request the Limitation of Processing Personal Information

A data subject has the right to request AE to limit processing personal information for the following reasons:

  1. The personal information is believed to be inaccurate; the limit is pending verification of the data.
  2. The processing of data is unlawful; restriction of deletion may be requested.
  3. AE does not require the information for any purposes but must retain the information for the establishment, exercise or defence of legal claims.
  4. The data subject’s objection to processing personal information is pending a determination as to whether AE’s legitimate grounds to process override the data subject’s rights.

5. Right to Portability

A data subject has the right to request that AE delivers personal information in a structured, commonly used, machine-readable format so that it can easily be transferred and used by a third party if:

  1. The data subject provided AE with the information.
  2. The processing of the data subject’s personal information is based on consent or required for the performance of a contract; or
  3. The processing is carried out by automated means.

6. Right to Withdraw Consent

AE is primarily processing a data subject’s information based on AE’s legitimate interests and other obligations. A data subject has the right to withdraw consent given to AE to process personal information. AE will consider the request and respond promptly and appropriately.

7. Right to File a Complaint with the Data Protection Authority

AE is intent on providing optimal service to the data subject in relation to requests and to resolve any issues of concern related to the processing of personal information.

This notwithstanding, a data subject always has the right to contact the local data protection authority for assistance or to lodge a complaint.


J.         VIOLATION, SANCTION AND REPORTING

  • Any failure to comply with the current policy or to deliberately violate the rules set in this Policy will result in the launch of an appropriate investigation by AE.
  • Depending on the gravity of the suspicion or accusations, AE may suspend staff or relations with other stakeholders during the investigation. This will not be subject to challenge.
  • Should the outcome of the investigation determine that anyone associated with AE has deliberately violated the rules set in the Policy for personal profit or any other usage of personal data, or has systematically and deliberately contravened the principles and standards contained in this document, AE will take immediate disciplinary action and any other action which may be appropriate in the circumstances.

This may mean for:

  • Employees: disciplinary action/dismissal;
  • Trustees, officers and interns: termination of the relationship with AE;
  • Partners: withdrawal of funding/support;
  • Contractors and consultants: termination of contract.

  • Depending on the nature and circumstances of the violation, AE will also consider involving authorities such as the police to ensure the protection of the victims and their personal data.
  • The reporting of suspected or actual violations of this policy is a professional and legal obligation of all staff and partners. Failure to report information can lead to disciplinary action.

All reports will be treated as confidential.

  • AE will not tolerate false accusations which are designed to damage a member of staff’s reputation. Anyone found making false accusations will be subject to investigation and disciplinary action.

K.        ADMINISTRATION

The administration of this Policy is executed by AE International – Communications department.


L.         RESPONSIBILITY

AE International – Communications is responsible for ensuring that the legal requirements for data protection and the requirements of this Policy for data protection are met.

Management staff of the International, National and International Support Offices teams are responsible for ensuring that organisational, Human Resources, and technical measures are in place so that any data processing is carried out in accordance with the provisions of this Data Protection & ICT Policy and the applicable national laws for data protection and data integrity in the jurisdiction(s) within which they operate.

The managers must ensure that their employees are sufficiently trained in data protection.

Compliance with these requirements is the responsibility of the relevant employees.
