This Privacy Statement applies to all personal data that The International Partnership for Microbicides, Inc. and its affiliated entities—IPM Belgium AISBL and IPM South Africa NPC (collectively referred to as “IPM”)—process during the execution of business activities, including the personal data of visitors to our websites. This policy includes privacy regulations under GDPR and POPIA.
The General Data Protection Regulation (GDPR) is Europe's data privacy and security law. The purpose of the regulation is to give European Union (EU) citizens more control over their personal data. More information about GDPR can be found on the GDPR website.
The Protection of Personal Information Act (POPIA) is South Africa’s data protection law. The purpose of the POPIA is to protect people from harm by protecting their personal information.
Who is collecting your personal data?
IPM is committed to ensuring the privacy of individuals with whom we do business as well as visitors to our website. This policy represents our commitment to your right to privacy, giving you a clear explanation about how we use your information and your rights over that information.
By engaging in our business activities and/or using the website, you have agreed to abide by the terms described herein, including the transfer, processing and maintenance of your personal information in the US, South Africa, Europe and the United Kingdom (UK).
IPM is the data controller to which the policy refers. References to” we”, “us” and ”our” are to IPM and its affiliated entities: IPM Belgium AISBL and IPM South Africa NPC.
This policy was last updated on December 14, 2021 and is reviewed annually.
Personal Data: “Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art.4 §1 GDPR).
Sensitive Personal Data: A subset of data for which even greater care should be taken, such as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation” (Art. 9 §1 GDPR).
Processing Data: Any set of operations that is performed on personal data or sets of personal data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art.4 §2 GDPR).
Data Subject: Individuals who are identifiable or identified by the processed personal data (Art.4 §1 GDPR). Any operation or activity concerning personal information (POPIA).
Data Controller: The Data Controller decides how and why data is processed and ensures that legal obligations are met (Art.4 §7 GDPR). A person whom personal information relates (POPIA).
Data Processor: An entity processing data on behalf of the Data Controller (Art.4 §8 GDPR).
Responsible Party: A public or private body or any other person who determines the purpose of and means for processing personal information (POPIA).
Operator: A person who processes personal information on behalf of the responsible party (POPIA).
Third Party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, is authorized to process personal data (Art.4 §10 GDPR).
What personal data do we collect?
Personal data of data subjects that IPM processes may include:
- IP addresses and website visit information. When you visit our website, you do so anonymously. However, like most website operators, IPM collects information that is not personally identifiable and that web browsers and servers typically make available, such as the browser type, language preference, referring site and the date and time of each visitor request. IPM’s purpose in collecting non-personally identifying information is to better understand how our visitors use the website, so we can improve the experience for everyone.
- Engagements entered or interactions through the execution of our business activities. Contact information that you provide us, such as name, company name, title, email address, mailing and business address, phone number and banking information.
How do we use the information collected?
IPM may process personal data:
- To undertake email actions
- To send you newsletters, if you choose to subscribe
- To ask you to donate or get involved in our campaigns
- To process donations that we receive from you
- To administer your application for employment
- To improve our website in consultation with IPM contractors, under confidentiality agreements
- To fulfill any legal obligations or to comply with the law
To conduct budgeting and financial audits
To establish contractual or other business engagements
To develop safety reports for clinical trials
Legal basis for processing
IPM does not ask for personal data unless it is necessary. Depending on the type of data provided, we may process your personal data based on:
Your consent. When a data subject chooses to provide personal data, IPM uses that data solely for the purposes for which it was provided. IPM does not use personal information to facilitate unsolicited marketing or to share it with or sell it to third parties.
- When you sign up for our email updates, you will receive a request to confirm your consent. We will process your data only if you confirm your consent. Should you wish to unsubscribe, you may do so at any time by following the “unsubscribe” link in our email updates.
- If you apply for a job with us, we will collect, process and/or store your personal data only as it is necessary to consider your application.
Consent to obtain and process personal data is obtained by IPM through:
- Website forms
- Contracts (employment contracts, vendor and donor agreements, confidentiality agreements, etc.)
- Face-to-face (during conferences)
- Third parties, after consent is provided
- Informed Consent Form (upon joining trials)
- Verbal consent during virtual meetings
Legitimate interest. We may process your personal data to fulfill our legitimate interest in achieving our mission.
To fulfill a contractual obligation. If you donate to us, we will process the personal data you provided solely to process that donation, or if you engage with us, we will process the personal data you provided solely for the execution of the business activities associated with the engagement.
Legal obligation. IPM will not sell or share any personal information provided by data subjects to third parties. Notwithstanding the aforementioned, IPM may disclose personal information under the following circumstances: in response to subpoenas, court orders or other legal process, to establish, exercise or defend our legal rights and to process the registered user’s request.
Security. The transmission of information over the internet is never completely secure. However, we take appropriate measures, such as encryption, to keep your information as safe as possible, including keeping our website secure. IPM does not store any credit card information for any reason.
Is your data shared with third parties?
Third Party Websites. Our website contains links to third party websites. These linked websites are not under the control of IPM, and IPM is not responsible for the content of any linked website, or any link contained in a linked website. IPM provides these links only as a convenience, and the inclusion of a link does not imply endorsement of or affiliation with the linked website by IPM.
Please note that third-party websites may collect information about you, through cookies or other technologies, when you link to their websites from IPMglobal.org. IPM does not monitor or control the information collection or privacy practices of these or any third parties and is not responsible for the practices or the content of their websites. You should review the privacy policies of such third parties to understand how they collect and use information before providing any personal information to those third-party websites.
Third party data processors. Our websites, email updates and social media channels are hosted, maintained and/or analyzed by third party service providers, as follows:
- Websites: Pantheon, Wordpress and Google Analytics
- Email updates: Mailchimp
- Social media: Facebook, LinkedIn, Twitter
The following applications and third parties collect, process and/or store data pertaining to employees, vendors, donors, and partners:
- Business World
- Payroll and benefits applications
- Donor grant agreements
- Microsoft OneDrive
- Documents Warehouse
- Tecro Research (Pty) Ltd
- LEBASI Pharmaceuticals CC
- DI Regulatory Consultants
- BARC SA Clinical Trials Laboratory
- Arriello Ireland Limited
GDPR International Data Transfer
Under certain circumstances, data may be transferred to international organizations (outside of the EU). Under those circumstances, IPM develops and implements appropriate measures and safeguards to protect the data during transfer and for the duration it is processed and/or stored with the third country or international organization.
Such measures include ensuring that the rights of data subjects can be carried out and enforced, and that those effective legal remedies for data subjects are available. According to GDPR Chapter 5, the appropriate safeguards can be provided without Supervisory Authority authorization by:
- A legally binding and enforceable instrument between public authorities or bodies
- Binding corporate rules
- Standard data protection clauses adopted by the Commission
- Standard data protection clauses adopted by a Supervisory Authority and approved by the Commission
- An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as they regard data subjects' rights
- An approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as they regard data subjects' rights
With authorization from the Supervisory Authority, the appropriate safeguards may also be provided for by:
- Contractual clauses between IPM and the controller, processor or the recipient of the personal data in the third country or international organization
- Provisions to be inserted into administrative arrangements between public authorities or bodies that include enforceable and effective data subject rights
IPM does not transfer personal data to any third country or international organization without one or more of the above safeguards being in place or without the authorization of the Supervisory Authority, where applicable. We verify that any safeguards adhere to the GDPR Principles, enforce the rights of the data subject and protect personal information in accordance with the Regulation.
How long will your data be stored for?
We hold your personal information in our systems only for as long as is necessary for the purposes outlined above. We remove personal data from our systems once it is no longer required, in line with our guidelines on how long important information must remain accessible for future use or reference, as well as when and how data can be destroyed when it is no longer needed.
The length of time each category of data will be retained will vary depending on the length of time required to process it, the reason it was collected and to align with any statutory requirements. After this time, the data will either be deleted or we may retain a secure anonymized record for research and analytical purposes.
What data privacy rights do you have?
Under GDPR, you have the right, subject to applicable local data protection legislation, to:
- request access to, and receive a copy of the personal data we hold (Art. 15 GDPR);
- if appropriate, request rectification or erasure of the personal data that are inaccurate (Art. 16 GDPR);
- request the erasure of the personal data, subject, however, to applicable retention periods (Art. 17 GDPR)
- request a restriction of Processing of personal data where the accuracy of the personal data is contested, the Processing is unlawful, or if the Data Subjects have objected to the Processing (Art. 18 GDPR);
- object to the Processing of personal data, in which case we will no longer process the personal data (Art. 21);
- receive the personal data in structured, commonly used and machine-readable format (Art. 20).
Even if a Data Subject objects to the Processing of personal data, we are nevertheless allowed to continue the same if the Processing is (i) legally mandatory, (ii) necessary for the performance of a contract to which the Data Subject is a party, (iii) necessary for the performance of a task carried out in the public interest, or (iv) necessary for the purposes of the legitimate interests we follow, including the establishment, exercise or defense of legal claims.
Under POPIA, Data Subjects have the right to have their or its personal information processed in accordance with the conductions for the lawful processing of personal information, including the right-
- to be notified that—
- personal information about him, her or it is being collected as provided for in terms of section 18; or
- his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
- to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
- to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
- to object, on reasonable grounds, relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
- to object to the processing of his, her or its personal information—
- at any time for purposes of direct marketing in terms of section 11(3)(b); or
- in terms of section 69(3)(c);
- not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
- not to be subject, under certain circumstances, to a decision that is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
- to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
- to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99
Subject to the limitations set forth herein and/or in applicable local data protection laws, you can exercise the above rights free of charge by contacting IPM.
How to invoke your data rights
Per GDPR regulations
Please direct all GDPR-related requests and inquiries to: firstname.lastname@example.org.
- Please be sure to provide the following information when contacting us: First & Last Name/ Business Name, and Email Address
IPM, which processes the personal data of individuals in the European Union, European Area and/or UK, in either the role of ‘data controller’ or ‘data processor,’ has appointed DataRep as its Data Protection Representative for the purposes of GDPR in the EU/EEA and The Data Protection Act 2018 (as amended) in the UK.
If you want to raise a question to IPM, or otherwise exercise your rights in respect of your personal data, you may do so by:
- Sending an email to DataRep at email@example.com quoting <International Partnership for Microbicides and affiliates> in the subject line,
- Contacting them on their online webform at www.datarep.com/data-request, or
- Mailing your inquiry to DataRep at the most convenient of the postal addresses listed here
PLEASE NOTE: when mailing inquiries through postal delivery, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘International Partnership for Microbicides and affiliates’, or your inquiry may not reach them. In the body of your letter, please clearly address your inquiry to ‘International Partnership for Microbicides and affiliates.’ On receiving your letter, IPM is likely to request evidence of your identity to ensure your personal data and information connected with it is not provided to anyone other than you.
If you have any concerns over how DataRep will handle the personal data, they will require to undertake our services, please refer to their privacy notice at www.datarep.com/privacy-policy.
Per POPIA regulations
Please direct all POPIA-related requests to: firstname.lastname@example.org.
If you believe we are using your information unlawfully, you may lodge a complaint to the Information Officer using the same email listed above.
- Please be sure to provide the following information when contacting us: First & Last Name/ Business Name, and Email Address
If you have any questions or concerns about these policies or the website, please feel free to contact us.