GENERAL DATA PROTECTION REGULATION (GDPR) POLICY
As part of our services, Pandavolunteer.org (“Company”) collects and processes personal data relating to the USER. The organization is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. The GDPR will apply to data from which any living individual is identified or identifiable (by anyone) whether directly or indirectly. Certain online identification will be count as personal data including online ID, cookies and IP addresses (Please refer our Privacy and Cookies Policy for more details).
The need to retain data varies widely with the type of data. Some data can be immediately deleted and some must be retained until reasonable potential for future need no longer exists. Since this can be somewhat subjective, a retention policy is important to ensure that the company’s guidelines on retention are consistently applied throughout the organization.
The purpose of this policy is to specify the company’s guidelines for retaining different types of data. This policy sets out the obligations of Pandavolunteer.org regarding data protection and the rights of USER (“data subjects”) in respect of their personal data under the General Data Protection Regulation (“the Regulation”).
- a) Personal Data: Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- b) Data subject: Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
- c) Processing: Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- d) Restriction of processing: Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
- e) Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- f) Controller or controller responsible for the processing: Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- g) Processor: Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- h) Recipient: Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with laws and regulations shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- i) Third party: Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- j) Consent: Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
This policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by the Pandavolunteer.org, its employees, agents, contractors, or other parties working on behalf of the Pandavolunteer.org. Pandavolunteer.org is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
The scope of this policy also covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media. Note that the need to retain certain information can be mandated by local, industry regulations and will comply with General Data Protection Regulation GDPR and the Data Protection Act. Where this policy differs from applicable regulations, the provisions specified in the regulations will apply.
THE DATA PROTECTION PRINCIPLES
This policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:
processed lawfully, fairly, and in a transparent manner in relation to the data subject;
collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
ACCURACY OF DATA
The Company shall ensure that all personal data collected and processed is kept accurate and up-to-date. The accuracy of data shall be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
CUSTOMER TESTIMONIALS AND COMMENTS
We post customer testimonials and comments on our website, which may contain Personal Information. We obtain each customer’s consent prior to posting the customer’s name and testimonial.
USE OF CREDIT CARD INFORMATION
If you give us credit card information, we use it solely to check your financial qualifications and collect payment from you. We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use information you provide except for the sole purpose of credit card processing on our behalf.
DATA PROCESS AND CONSENT
We need to process data to take steps at your request. We may also need to process your data to enter into an agreement with you. In some cases, we need to process data to ensure that we are complying with its legal obligations. Pandavolunteer.org has a legitimate interest in processing personal data during the service process and for keeping records of the process. Processing data allows us to manage the booking process. We may also need to process data received from user to respond to and defend against legal claims.
Pandavolunteer.org may keep your personal data on its server for any specific purpose. We will ask for your consent before we keep your data for any specific purpose and you are free to withdraw your consent at any time.
Your information may be shared internally. This includes employees involved in the service process and IT staff, if access to the data is necessary for the performance of their roles.
We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees or partners in the proper performance of their duties. If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.
In limited and necessary circumstances, your information may be transferred outside of the China or to an international organization to comply with our legal or contractual requirements. We have in place safeguards including (i) an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; and (ii) an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights, to ensure the security of your data. A copy of the further safeguards can be obtained from Data Protection Officer.
The criteria used to determine the period of storage of personal data is the respective statutory retention period. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed.
As a data subject, you have a number of rights. You have:
The right to be informed including the identity and contact details of the data processor; the purpose and legal basis for processing the data, how the data is to be processed; the parties involved in processing the data and how long the data will be kept;
The right to request that any personal data held is rectified if inaccurate or incomplete;
The right to restrict processing;
The right to object or stop processing personal data, including for direct marketing purposes;
You have the right to access your personal data to see what data is held and how it is being processed;
You have the right to request for delete or remove your personal data if it’s no longer needed, consent is withdrawn, the data was unlawfully processed or to comply with a legal obligation;
You may request a copy of the data, and may also request that this data be sent to another data controller in a format they can use.
If you would like to exercise any of these rights, please contact our Data Protection Officer. If you believe that the organization has not complied with your data protection rights, you can complain to the appropriate authority.
YOUR STATUTORY OBLIGATION
You are under no statutory or contractual obligation to provide data to us during the service process. However, if you do not provide the information, we may not be able to provide our services to you properly or at all.
LINKS TO OTHER WEBSITES
From time to time, our website may contain links to and from websites of our partner networks, advertisers, social media sites etc. If you follow a link to any of these websites, please note that these websites may have their own privacy notices and that we do not accept any responsibility or liability for any such notices. Please check these notices, where available, before you submit any personal data to these websites.
This Policy shall be deemed effective as of July, 2019. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date. We may update this Policy from time to time by posting a new version online. You should check this page occasionally to review any changes in GDPR.
IDENTITY AND CONTACT DETAILS OF CONTROLLER AND DATA PROTECTION OFFICER
Controller: Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws and other provisions related to data protection is:
PANDAVOLUNTEER.ORG (powered by Chengdu Yeetour Culture Co.，Ltd.)
[Address]: No.1，1F Building 3，Qingcheng，Mount Qingcheng County，Dujiangyan，Chengdu，Sichuan, China.
[Contact] +86 138 9610 1762
[Email] : [email protected]
Data Protection Officer: If you have any concerns as to how your data is processed you can contact:
[NAME OF OFFICER] Aiden Yang
Data Protection Officer
[Contact] +86 189 0164 3105
[Email] [email protected]