Amref Health Africa is strongly committed to protecting personal data. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights in relation to personal data. It applies to personal data provided to us, both by individuals themselves or by organisations We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

1. Collection of Personal Data

As used in this privacy statement, “Amref Health Africa”, “us”, and “we” refers to the Amref Health Africa network and/or one or more of its affiliate organisations that may process your personal information. Each member organisation in the Amref Health Africa network is a separate legal entity. The data controllers of your personal information are one or more of the member organisations listed here www.amref.org. In this privacy statement, we refer to information about you or information that identifies you as “personal data” or “personal information”. We also sometimes collectively refer to handling, collecting, protecting or storing your personal information as “processing” such personal information.

2. Our legal grounds for processing your personal Data

Depending on local laws, we may need to specify the legal basis for processing your personal information in this privacy statement. When required, we may rely on one or more of the following grounds:

• our legitimate interests in the effective delivery of information and services to you and in the effective and lawful operation of our businesses and the legitimate interests of our partners in receiving services from us as part of running their organisation (provided these do not interfere with your rights);
• our legitimate interests in developing and improving our businesses, services and offerings and in developing new Amref Health Africa technologies and offerings (provided these do not interfere with your rights);
• to satisfy any requirement of law or regulation;
• to perform our obligations under a contractual arrangement with you; or
• where no other processing condition is available, if you have agreed to us processing your personal information for the relevant purpose.

3. Transfer of personal Data

• Cross-border transfers

Our processing activities of personal data involve the collection, storage, use, and sharing of personal information in accordance with applicable data protection laws. We ensure that all personal data is processed lawfully, fairly, and transparently, with specific purposes in mind. Safeguards are implemented to protect this data from unauthorized access, loss, or misuse. Furthermore, we are committed to upholding the rights of individuals, including their right to access, correct, or request the deletion of their personal information.

Your personal information may be transferred to and stored outside the country where you are located. This includes countries which have laws that provide specific protection for personal information and countries which do not have laws that provide specific protection for personal information.

• Other Amref Health Africa partners

We may share personal data with other Amref Health Africa member organisations or stakeholders where necessary in connection with the purposes described in this privacy statement. For example, when providing donor reports we may share personal information with Amref Health Africa member organisations in different territories or other stakeholders which are involved in providing funds to Amref Health Africa.

• Third party providers

We may transfer or disclose the personal data we collect to third party contractors, subcontractors, and/or their subsidiaries and affiliates. Third parties support the Amref Health Africa network in providing its services and help provide, run and manage information technology systems. Examples of third-party contractors we use are providers of website hosting and management, data analysis, data backup, security and cloud storage services. The servers powering and facilitating our information technology infrastructure is located in secure data centres around the world, and personal data may be stored in any one of them.

The third-party providers may use their own third-party subcontractors that have access to personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by Amref Health Africa, and to flow those same obligations down to their sub-processors.

• Other Disclosures

We may also disclose personal information under the following circumstances:

• with professional advisers, for example, law organisations, as necessary to establish, exercise or defend our legal rights and obtain advice in connection with the running of our business. Personal data may be shared with these advisers as necessary in connection with the services they have been engaged to provide;
• when explicitly requested by you;
• when required to deliver publications or reference materials requested by you;
• when required to facilitate conferences or events hosted by us or third parties;
• to law enforcement, regulatory and other government agencies and to professional bodies, as required by and/or in accordance with applicable law or regulation. Amref Health Africa may also review and use your personal information to determine whether disclosure is required or permitted.

4. Data security

We have implemented generally accepted standards of technology and operational security to protect personal information from loss, misuse, alteration or destruction. Only authorised persons are provided access to personal information; such individuals have agreed to maintain the confidentiality of this information. Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to or by us.

5. Your legal rights in relation to personal Data

You may have certain rights under your local law in relation to the personal information we hold about you. In particular, you may have a legal right to: –

• Obtain from the organisation as to whether we process personal data about you, receive a copy of your personal data and obtain certain other information about how and why we process your personal data.
• The right to request for your personal data to be amended or rectified where it is inaccurate (for example, if you change your address) and to have incomplete personal data completed.

The right to delete your personal data in the following cases:

• the personal data is no longer necessary in relation to the purposes for which they were collected and processed;
• our legal ground for processing is consent, you withdraw consent and we have no other lawful basis for the processing;
• our legal ground for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to the processing and we do not have overriding legitimate grounds;
• you object to processing for direct marketing purposes;
• your personal data has been unlawfully processed; or
• your personal data must be erased to comply with a legal obligation to which we are subject.

The right to restrict personal data processing in the following cases:

• for a period enabling us to verify the accuracy of personal data where you contested the accuracy of the personal data;
• your personal data have been unlawfully processed and you request restriction of processing instead of deletion;
• your personal data are no longer necessary in relation to the purposes for which they were collected and processed but the personal data is required by you to establish, exercise or defend legal claims; or
• for a period enabling us to verify whether the legitimate grounds relied on by us override your interests where you have objected to processing based on it being necessary for the pursuit of a legitimate interest identified by us.

The right to object to the processing of your personal data in the following cases:

• our legal ground for processing is that the processing is necessary for a legitimate interest pursued by us or a third party; or
• our processing is for direct marketing purposes.

The right to data portability:

• The right to receive your personal data provided by you to us and the right to send the data to another organisation (or ask us to do so if technically feasible) where our lawful basis for processing the personal data is consent or necessity for the performance of our contract with you and the processing is carried out by automated means.

The right to withdraw consent

• Where we process personal data based on consent, individuals have a right to withdraw consent at any time. We do not generally process personal data based on consent (as we can usually rely on another legal basis).

6. Responsibilities of Data subject

The individual whose personal data is being processed—has certain duties and responsibilities, although these are relatively limited compared to the obligations placed on data controllers and processors. Here are the key duties and responsibilities:

• Providing accurate information: Data subjects are responsible for providing accurate and up-to-date personal data when requested, such as during registration or service use. This helps ensure that the data being processed is correct and relevant.

• Exercising their rights: Data subjects are encouraged to actively exercise their rights under GDPR and any other Data protection laws, such as the right to access their data, request corrections, or ask for data deletion. They should be aware of their rights and how to invoke them.

• Complying with legal and contractual obligations: In certain situations, data subjects may have legal or contractual obligations to provide personal data (e.g., for tax reporting, employment purposes). They should comply with these obligations to ensure that required processing can take place lawfully.

• Safeguarding personal data: Data subjects should take reasonable steps to protect their own personal data, such as by using strong passwords, being cautious with sharing personal information, and understanding the privacy settings of online platforms.

• Reporting data breaches or misuse: If a data subject becomes aware of a data breach or misuse of their personal data, they should report it to the relevant authority or the organization holding their data. This helps in taking prompt action to mitigate any harm.

7. Cookies policy

A cookie is a text-only string of information that we pass to your computer’s hard disk through your web-browser so that the website can remember who you are. Cookies cannot be used by themselves to identify you. A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number. For more information about cookies, please see www.allaboutcookies.org.

8. Parents or guardians of minors

If you are a minor (normally this means you are under 18 years old, but this might be younger depending on your country of residence). We will get your parent or guardian’s consent before collecting, using or sharing your personal data.

9. Retention of Personal Data

For the purposes described in this privacy notice, we keep your personal data for business operational or legal reasons while you engage with us and may retain your personal data for a period of time afterwards, depending on the type of personal data, in accordance with our data retention policy standards and as required by applicable law and regulations. We will delete, anonymise, destroy and/or stop using personal data when we no longer need it.

10. Changes to this privacy statement

Amref reserves the right to amend or modify this privacy statement at any time. By continuing to use our services, you agree to be bound by the terms of any such amendments or modifications. We encourage you to periodically review this privacy statement to stay informed about any changes and how we are protecting your information. For further details, please see www.amref.org/privacy-policy.

11. Contact us

If you wish to exercise a legal right regarding your personal data, or if you have any questions or complaints about how your personal data is being handled, please submit your request or inquiry to [email protected]. Additionally, you may contact us via the postal address provided on our website at www.amref.org/contacts.