1.1. Raining Vegetables is committed to implementing Data Protection measures aimed at safeguarding all stakeholder data. We believe user privacy and data protection are human rights.
1.2. To this end Raining Vegetables aims to be compliant with all relevant Laws and Regulations, including, but not limited to:
1.2.1. Data Protection and Privacy Act, 2019 - Uganda
1.2.2. Data Protection and Privacy Regulation 2020 - Uganda
1.2.3. Data Protection and Privacy Regulations March 2021 – Uganda
1.2.4. Data Protection Act 2018 – UK
1.2.5. Law 058/2021 Protection of Personal Data and Privacy 2021 – Rwanda
1.2.6. Data Protection Laws and Regulations 2021 – DRC
1.2.7. Data Protection Act 2017 – Mauritius
1.2.8. General Data Protection Regulation 2018 - EU.
2.1. Raining Vegetables' Data Protection Policy applies to all sets of personal data, currently stored, maintained and handled by Raining Vegetables, and more specifically to the following identified sets of personal data.
2.2 Raining Vegetables' personnel, including national and international staff, interns and volunteers
2.3 Raining Vegetables’ direct and indirect beneficiaries, including interviewees
2.4 Raining Vegetables' individual donors and sympathisers
2.5 Raining Vegetables' contractors, suppliers, consultants, implementing partners currently under contract with Raining Vegetables
2.6 Personal data herein referred to, means any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. This can include in particular:
2.6.1 Names of individuals
2.6.2 Postal or living addresses
2.6.3 Email addresses
2.6.4 Telephone numbers
2.6.5 Identity card and passport
2.6.6 Date and place of birth
2.6.7 Identification of relatives
2.6.8 Fingerprints
2.6.9 Business reference
2.6.10 Geo-referencing
3.1. This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. .
3.2 The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation.
3.3. The reporting requirements for data processing under national laws must be observed. Each entity of Raining Vegetables, including network and branch offices is responsible for compliance with this Data Protection Policy and the legal obligations.
3.4 At the same time, Raining Vegetables has rules and standards that seek to create a consistent approach and which, in some cases, may be stricter than national or local laws. This Policy must, therefore, be followed in addition to the relevant national and local laws on data protection.
3.5 In the event of conflicts between national legislation and the Data Protection Policy, Raining Vegetables will work with the relevant country offices to find a practical solution that meets the purpose of the Data ProtectionPolicy.
3.6 The purpose of the policy is aimed at guiding Raining Vegetables staff and must be considered together with: Raining Vegetables' Safeguarding Policy and Raining Vegetables' Code of Conduct and policies that are annexed to it.
4.1. Individual and corporate data can be collected, processed, stored and shared in a lawful manner, fairly and in a transparent manner.
4.2. Data will be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
4.4 Data should be adequate and relevant.
4.5. Data should be limited to what is necessary in relation to the purposes for which it is processed.
4.6. Data should be accurate and, where necessary, kept up to date.
4.7. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
4.8. Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures.
4.9. Data may be collected and kept in hardcopy, paper, original or copy, electronic or biometric forms.
4.10. Raining Vegetables will not divulge personal data to staff who are not directly involved in the capture, process and storage of the data. Raining Vegetables will endeavour to keep personal data as confidential as possible from staff and other parties and will not share or otherwise divulge any data except where required by Law.
4.11. Raining Vegetables will ensure that data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5.1. This policy applies to all personal data processed by Raining Vegetables.
5.2 The Responsible Person shall be the Chief Technical Officer and shall take responsibility for the Raining Vegetables’s ongoing compliance with this policy.
5.3 This policy shall be reviewed at bi-annually.
5.4 Raining Vegetables shall register with the Personal Data Protection Office as an organisation that processes personal data.
6.1. To ensure its processing of data is lawful, fair and transparent, Raining Vegetables shall maintain a Register of Systems.
6.2.The Register of Systems shall be reviewed at least annually.
6.3. Individuals have the right to access their personal data and any such requests made to Raining Vegetables shall be dealt with in a timely manner.
All personal data processed by the Raining Vegetables must be done on one of the following lawful bases as per Articles 3 and
4 of the GDPR: consent, contract, legal obligation, vital interests, public task or legitimate interests as
per the provisions of the applicable laws. These rights include;
7.1.1 The right of access – all staff, clients and stakeholder partners have the right to access their own
personal data held by the Company as and when it is requested.
7.1.2 The right to be informed – where personal data is collected by Raining Vegetables, the subject of the date collected,
shall at all times have access to information relating to contact details of the data collection officer,
info relating to purpose of processing the data and the recipients of the data.
7.1.3 The right to Rectification - the data subject has at all times, the right to request Raining Vegetables to rectify
inaccurate personal data concerning them.
7.1.4 The right to erasure – The data collector may at any time, request Raining Vegetables to erase any information
collected from them where they deem it no longer necessary for the purposes it was collected, where consent
has been withdrawn, where personal data was unlawfully processed or any other reasonable cause as may be.
7.1.5 The right to data portability - The data subject shall have the right to receive the personal data
concerning him or her, which he or she has provided to Raining Vegetables, in a structured, commonly used and
machine-readable format and have the right to transmit the data to another controller without hindrance from
Raining Vegetables.
7.1.6 The right to restrict processing - The data subject shall have the right to obtain Raining Vegetables restriction of
processing where the data subject contests the accuracy of the data, processing of said data is considered
unlawful and Raining Vegetables no longer needs the personal data for the purposes for which it was collected.
7.1.7 The right to object - The data subject shall have the right to object, on grounds relating to his or
her particular situation, at any time during processing of personal data concerning them.
7.1.8 Rights in relation to automated decision-making - The data subject shall have the right not to be
subject to a decision based solely on automated processing, including profiling, which produces legal
effects concerning them or similarly significantly affects them.
7.2 Raining Vegetables shall note the appropriate lawful basis in the Register of Systems.
7.3. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data. .
7.4 Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent will be clearly available and systems will be in place to ensure such revocation is reflected accurately in Raining Vegetables' systems.
8.1. Transmission of personal data to recipients outside or inside Raining Vegetables is subject to the authorisation requirements for processing personal data under Section 7 and requires the consent of the data subject. The data recipient must be required to use the data only for the defined purposes.
8.2 In the event that data is transmitted to a recipient outside Raining Vegetables, this recipient must agree to maintain a data protection level equivalent to this Data Protection Policy. This does not apply if transmission isbased on a legal obligation.
8.3. The processing of personal data is also permitted if national legislation requests, requires or authorises this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the individual that merit protection must be taken into consideration.
8.4 In certain circumstances, the Raining Vegetables Data Protection Policy allows personal data to be disclosed, based on a legal obligation, to law enforcement agencies, without the consent of the data subject.
8.5 Only Raining Vegetables' Managing Director can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, motivated by the requester, appropriate, necessary and does not pose a threat or direct risk to Raining Vegetables.
8.6 Before approving such disclosure, Raining Vegetables' Managing Director will check that the recipient of the data uses the data for the defined purposes only, and that it demonstrates the capacity and will to abide by such an obligation.
8.7 Where necessary, Managing Director will refer to legal advisers for advice, and to Raining Vegetables' Senior Management Team for validation, notably but not only in cases involving direct security threats and implications or global organisational risks including reputation.
8.8 Raining Vegetables shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
9.1. Raining Vegetables aims to ensure that individuals are aware that their data is being processed, and that they understand: How the data is being used; How to exercise their rights;
9.2 To these ends, the current policy is shared with all Raining Vegetables staff and available on request by individuals.
9.3 A version of this Policy is also available upon request to Raining Vegetables HQ. Any subscriber or user of an electronic communication service shall be informed in a clear and comprehensive manner by Raining Vegetables, except if already previously informed, regarding: the purpose of any action intended to provide access, by means of electronic transmission, to information previously stored in their electronic connection terminal device, or to record data in this device; the means available to them to object to such action.
10.1. Raining Vegetables shall take reasonable steps to ensure personal data is accurate.
10.2 Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
11.1. To ensure that personal data is kept for no longer than necessary, Raining Vegetables shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
11.2 The archiving policy shall consider what data should/must be retained, for how long, and why.
12.1. Raining Vegetables may store data in various forms, hard copy, paper, electronic or biometric.
12.2. Raining Vegetables shall ensure that personal data, regardless of format, is stored securely.
12.3. Hard, paper copies should be stored securely, under lock in tamper proof storage with restricted access.
12.4. Electronic and biometric data must be stored using modern software that is kept-up-to-date.
12.5. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
12.6. When personal data is deleted this should be done in a controlled manner, safely such that the data is irrecoverable. A register of deleted data must be maintained which shows the date of deletion, method of deletion, the persons who deleted the data.
12.7. Appropriate back-up and disaster recovery solutions shall be in place.
12.8. Raining Vegetables will conduct training on appointment of staff and refresher training once per year for all staff to ensure they are familiar with, and agree to comply with, this policy.
12.8. The Head of Human Resources shall cause the staff training to be conducted.
13.1 Any failure to comply with the current policy or to deliberately violate the rules set in the policy will result in the launch of an appropriate investigation by Raining Vegetables.
13.2 Depending on the gravity of the suspicion or accusations, Raining Vegetables may suspend staff or relations with other stakeholder during the investigation. This will not be subject to challenge.
13.3 Depending on the outcome of the independent investigation, if it comes to light that anyone associated
with Raining Vegetables has deliberately violated the rules set in the policy for its personal profit or any other usage of
personal data, or has systematically and deliberately contravened with the principles and standards
contained in this document, Raining Vegetables will take immediate disciplinary action and any other action which may be
appropriate to the circumstances. This may mean, for example, for:
Employees - disciplinary action/dismissal;
Trustees, officers and interns - ending the relationship with the organisation;
Contractors and consultants - termination of contract.
13.4 Depending on the nature, circumstances and location of the case and violation, Raining Vegetables will also consider involving authorities such as the police to ensure the protection of personal data and victims.
13.5 The reporting of suspected or actual violations to this policy is a professional and legal obligation of all staff and partners. Failure to report information can lead to disciplinary action. 13.6 Raining Vegetables encourages its staff and stakeholders to report suspected cases which involve any Raining Vegetables staff, consultants, board members, guests or staff of Raining Vegetables' partner organisations, their board members, staff and or suppliers.
13.6 In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Raining Vegetables Managing Director shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the appropriate authority as specified in the applicable law for the country.
14.1 This policy has been approved by Raining Vegetables' Executive Director on December 2021 and comes into effect immediately. It could be reviewed regularly.
Last updated: July 1st, 2022