RECOFTC is committed to meeting international laws, standards and expectations for managing and protecting the personal data and privacy of natural persons. A natural person is a real human being as distinct from corporations and other organizations, which are recognized as persons in some legal systems.
The purpose of this policy is to ensure that RECOFTC meets or exceeds all statutory provisions governing management of personal data. Our aim is to ensure the privacy of individuals and to reduce the risks of mismanaging personal data and avoid the consequences that result when personal data is mismanaged.
Risks of mismanaging data include betrayal of the trust of our stakeholders, violation of legal rights and laws, loss and theft of data, and serious personal and financial harm. The consequences for RECOFTC include reputational damage, lawsuits and responsibility for paying damages.
This policy sets out a corporate policy for managing these risks. All RECOFTC staff members, Board of Trustee members, interns, grantees and partners must follow this policy.
This policy defines data as a representation of facts or concepts in a formalized manner. Data can be organized as information to yield order and meaning and support decision making. It is processed by humans and machines for computation, communication and interpretation. In practice, data is stored in physical documents or in digital format on a computer, server or other device.
This policy defines personal data according to the European Union’s General Data Protection Regulation (GDPR) definition (Ch1 Art 4). The GDR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This policy also defines personal data according to the Personal Data Protection Act (PDPA) of Thailand definition (Section 6) of personal data, which is considered to be consistent with the GDPR. The PDPA defines personal data as “any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.”
Spatial data is any type of data that refers to a specific geographical area or location. Spatial data normally includes location names, coordinates and imagery. It can be linked to personal data.
Information is a set of concepts or facts. In the context of digital systems and data protection, data is information that has been translated into a form that is efficient for movement or processing.
RECOFTC works in many different countries and receives funding from many different donors. These donors operate under their own countries’ laws, regulations, requirements, standards and expectations regarding the management of personal data. To ensure compliance with our donors expectations, RECOFTC complies with the highest international standard, the GDPR, and the PDPA of Thailand, RECOFTC’s host country. Thailand’s PDPA became law in Thailand on 28 May 2019. Data controllers are permitted to continue to process personal data collected before 1 June 2021 if the purpose for which the personal data was collected remains the same.
4. Types of data collected
RECOFTC routinely collects data from employees, consultants, contractors, partners, community members, other stakeholders, people who visit our websites and social media channels, and people who subscribe to our newsletters, e-courses, surveys and other tools for sharing information and engaging audiences.
Categories of data collected by RECOFTC include:
Human resources records of staff and job applicants
Consultant and contractor records
Website and social media activity records
Depending on the intended use, personal data collected can include:
Country of birth
Country of residence
Number and gender of children
Volunteer, formal and informal positions
Earnings and income
Performance as an employee
Performance as a contractor
RECOFTC collects, processes and uses data according to the law (Article 6, section 1, subsection 1, letters b and a of the GDPR and Section 24 subsection 3 and Section 19 of the PDPA). RECOFTC exercises the utmost care in ensuring compliance with the stipulations and formal requirements for proper consent (Article 7 of the GDPR).
RECOFTC requests consent from individuals, contractors and organizations to collect, store and use data. They can revoke the contents of their declarations of consent at any time. In addition, they can withdraw their consent to the processing and use of data at any time (Article 7, section 3 of the GDPR). This also applies to the withdrawal of a declaration of consent that users issued to RECOFTC before 25 May 2018, the date the GDPR entered into force.
RECOFTC only shares data with third parties if obligated to do so, or when individuals have provided consent to do so.
When RECOFTC engages service providers to provide support, it only shares data in accordance with the provisions that apply to contract data processing (Article 28 of the GDPR).
6. Collection and use
RECOFTC collects and uses personal data in the following operations and activities:
Achieving free, prior and informed consent (FPIC) when engaging with communities and individuals within the communities RECOFTC works with
Communicating and engaging with stakeholders
Assessing the capacity building and other development needs of community members and other stakeholders
Planning and implementing projects, programs, events, workshops, e-learning courses, and training and capacity-building activities
Processing applications for grants, fellowships, and scholarships
Conducting scientific research
Generating data products and services, including spatial data
Managing consultants and contractors
Preparing and submitting proposals for business development and resource mobilization
GDPR Article 22(1) states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” RECOFTC does not implement any software algorithms that use personal data collected to make an automated assessment or determine a decision-making outcome for an individual.
RECOFTC may invite people to identify their gender and membership in one or more categories of Indigenous Peoples and local communities in an effort to identify and ensure segments of a group are represented in FPIC processes. Other information that may be collected during FPIC processes includes information about people’s land and forest tenure and traditional knowledge.
RECOFTC understands the importance of providing sufficient information to stakeholders who are part of an FPIC process so they understand how data will be collected and used. RECOFTC only collects and uses data when Indigenous Peoples and local communities give explicit consent. In some cases, RECOFTC validates FPIC processes retroactively to assess whether participants had a clear and correct understanding about what they have given consent to.
Communicating and engaging with stakeholders
RECOFTC aims to ensure an excellent user experience for people who seek information, knowledge and services through RECOFTC websites, newsletters, social media, apps and other communication channels. RECOFTC collects personal information and tracks whether or not and when an individual attends an event, participates in a program, subscribes to a course or service, participates in a course, requests information, and downloads content from our website and other channels.
RECOFTC collects data required to understand website behaviour in relation to:
Web pages visited
Date and time website is accessed
Data volume sent in bytes
Source or referrer URL from where a web page is accessed
Web browser used
Operating system used
RECOFTC uses the data to:
Improve the user experience when using or returning to our website
Provide personalized content and information to users
Provide information, updates or services requested by users
Announce events or conferences
Provide customer support
Monitor traffic and demographic patterns for statistical purposes
RECOFTC uses session cookies, which are temporary and expire once the web browser is closed or the session ends. RECOFTC also uses persistent cookies, which remain on a user’s hard drive until they are erased. The corresponding cookie identification allows a website to recognize the device of a user and store some information about the user’s preferences or past actions between website visits.
Strictly necessary cookies for ensuring a complete user experience when browsing RECOfTC websites, such as when accessing secure areas of the site
Preference or functionality cookies for recording particular user choices, such as language or regional settings
Statistics or performance cookies for collecting information about site usage in an aggregated and anonymized fashion for functional improvement, such as pages visited and links clicked, and when relying on third-party analytics services such as Google Analytics
RECOFTC uses various tools for newsletters. RECOFTC currently uses a third-party provider, MailChimp, to manage internal and external newsletters as well as other bulk email messages. RECOFTC gathers statistics regarding email openings and clicks using industry standard technologies to monitor and guide performance improvements.
RECOFTC uses various tools for stakeholder surveys and research including Survey Monkey and Google Forms.
RECOFTC uses social media channels to inform about RECOFTC’s work, engage in a dialogue with the public and receive feedback. At this time, RECOFTC uses the following social media channels.
RECOFTC’s Facebook sites are managed by the RECOFTC Main Office and country offices. They are available at:
Assessing the capacity building and other development needs of stakeholders
RECOFTC collects personal data when it conducts Capacity Development Needs Assessments (CDNAs). A CDNA is a process for evaluating gaps within communities and groups in knowledge, skills, strengths, opportunities, assets and other factors required for them to achieve an objective.
Depending on the context and the initiative, RECOFTC conducts CDNAs with communities in the field, through digital surveys and with telephone interviews. RECOFTC uses the data to design capacity building initiatives. Sometimes, RECOFTC shares the results of a CDNA with partners. It does not share personal data with partners without the explicit consent of the individuals involved in the CDNA.
Planning and implementing projects, programs, events, workshops, e-learning, training and capacity building activities
In the delivery of its projects, RECOFTC collects personal data and maintains it in secure databases in order to achieve project objectives. It collects data only with the explicit consent of individuals.
Processing applications for grants, fellowships and scholarships
RECOFTC collects personal data to process applications for grants, fellowships, scholarships and other application-driven activities such as requests for internships or volunteer assignments. RECOFTC collects this data in response to an application or request, and only uses the data for the specific purpose related to the application or inquiry.
Conducting scientific research
RECOFTC conducts research and publishes the results. It also hosts the Explore research network dedicated to improving forest landscape governance in Southeast Asia. The Sida-funded research must follow Explore principles of ethical research. RECOFTC research also subscribes to Explore principles. RECOFTC and Explore researchers ensure that people are informed and that necessary approvals and permissions are obtained prior to conducting research. The reseachers ensure that all data is treated with confidentiality and anonymity, and practice appropriate measures to ensure data protection and security.
Generating data products and services including spatial data
RECOTFC collects community forestry data that includes geospatial components such as location coordinates and spatial imagery. RECOFTC uses spatial data to create knowledge products such as maps and interactive data products composed of web services or spatial data APIs. Sometimes personal data is linked to spatial data. RECOFTC only collect spatial data that is connected to personal data with the explicit consent of the individual for the intended use. RECOFTC undertakes reasonable measures to ensure that appropriate spatial anonymization techniques are applied to data to prevent identification of individuals in products or services delivered.
RECOFTC collects the personal data of job applicants and uses it solely for the purpose of recruitment. RECOFTC does not disclose applicant’s data, personal information or application status to third parties. Should there be a need to disclose such information, RECOFTC obtains an applicant’s consent before disclosure.
With an employee’s consent, RECOFTC collects, processes, uses and discloses personal data during the course of employment with RECOFTC. Collection of personal data is limited to the purpose identified when consent is provided. RECOFTC practices security measures to prevent losses, alterations or disclosures of employees’ personal data.
Under the PDPA, RECOFTC respects the rights of employees to access their personal information, be informed about the use of their personal data, and revise, erase and withdraw consent.
RECOFTC collects, processes and uses the personal data of contractors during the period of their service to RECOFTC. RECOFTC practices security measures to prevent losses, alterations or disclosures of the personal data of contractors.
Preparing and submitting proposals for business development and resource mobilization
RECOFTC shares staff members’ curriculum vitae with some business development proposals with the explicit consent of the staff members.
RECOFTC gives access to personal data to the following people and bodies in accordance with relevant laws and regulations:
RECOFTC staff members and external experts and contractors who work on behalf of RECOFTC to maintain RECOFTC websites
Bodies engaged in monitoring, auditing or inspection tasks in application of relevant laws and regulations
Members of the public who access data of RECOFTC contractors and beneficiaries of RECOFTC’s services in accordance with relevant regulations
RECOFTC only discloses personal data to third parties when:
The individual to whom the data is associated has given explicit consent
The disclosure is necessary to execute a contract with the individual
The disclosure is necessary to comply with legal obligations
Any third-party service provider contracted to RECOFTC, who RECOFTC may share personal data with, is obliged to keep the data secure. They may use data only to fulfill the service they provide on behalf of the individual.
9. Legal grounds for processing personal data
RECOFTC’s use of personal data is necessary and lawful because RECOFTC:
Provides services based on user consent such as subscription to newsletters, news updates and event information
Ensures excellent user experience based on a legitimate interest such as general website usage
Complies with legal obligations to which RECOFTC controllers are subject
Performs contracts to which the data subject is a party, or in order to take the steps at the request of the data subject prior to entering into a contract
10. Protecting and safeguarding personal data
RECOFTC securely stores data on paper, computers, services and cloud infrastructure. Only designated persons have access. Data in paper format is stored on the premises of the competent business unit of RECOFTC. Access to and within these premises is controlled.
An Internet Protocol (IP) address is a unique address that identifies a device on the internet or a local network. RECOFTC stores IP numbers securely in log files. RECOFTC uses IP addresses only for monitoring our services. Release of personal data associated with IP numbers is not allowed outside of the server environment.
11. Data retention
RECOFTC retains personal data only as long as required to complete the intended objective of the collection, unless there is a legal obligation to retain data for a longer period. When personal data cannot be deleted due to legal obligations, RECOFTC restricts use to the original intended use.
12. Data subject rights and how to exercise them
RECOFTC would like to ensure that all individuals who share personal data with RECOFTC are aware of their rights, as follows:
The right to access: Individuals have the right to ask RECOFTC for copies of their personal data.
The right to rectification: Individuals have the right to ask RECOFTC to correct any information they believe is incorrect or incomplete.
The right to erasure: Individuals have the right to ask RECOFTC to erase their personal data.
The right to restrict processing: Individuals have the right to ask RECOFTC to restrict the processing of their personal data.
The right to object to processing: Individuals have the right to object to RECOFTC processing their personal data.
The right to data portability: Individuals have the right to ask RECOFTC to transfer the data collected directly to them or to another organization.
If an individual exercises any of their data subject rights and makes a request, RECOFTC will respond within one month.
RECOFTC regularly reviews its Data Protection and Use Policy, and reserves the right to modify it. This includes modifications based on changes to the RECOFTC website and technologies used. Any modifications are placed on RECOFTC’s website. RECOFTC recommends that people visit recoftc.org on a regular basis to learn about any changes in policies.
14. How to contact the Data Protection Officer at RECOFTC
If you would like to exercise your data rights, if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, contact the Data Protection Officer at RECOFTC. Send an email to firstname.lastname@example.org, with the subject line Data Protection Officer and RECOFTC will respond promptly.