The Six Values of AIESEC

Privacy Notice - GENERAL DATA PROTECTION POLICY

AIESEC in India

Data Protection Policy

Last Updated: 5th May 2019

1. Introduction

1.1. General Statement

We are required to process relevant personal data regarding members/employees, volunteers, applicants, alumni and customers as part of our operations: thus, we shall take all reasonable steps to do so in accordance with this policy. It is important that personal data is processed lawfully and appropriately, in accordance with the requirements of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and abiding by the appropriate local/national laws regarding privacy.Personal data is any information relating to an identified or identifiable individual, such as members/employees, volunteers, applicants, alumni, customers and anyone else with whom we do business. Personal data is an important and valuable asset, and the way we handle this data should demonstrate respect, promote trust and avoid security incidents. In many cases, there are laws that govern how we collect, use and dispose of personal data: for these reasons, we must follow the law and the internal policies/guidelines for handling personal data.We respect the confidentiality of personal data, in both paper and electronic form: information shall not be used/disclosed improperly and/or used by someone who is not authorised to do so. Furthermore, we are committed to protecting and respecting the privacy of our stakeholders, because we respect the trust that is being placed in us to use personal information appropriately and responsibly: therefore, we have to take our data protection duties seriously.

1.2. About this Policy

This policy and any other documents referred to in it clarify the basis on which we will deal with any personal data we collect and/or process: thus, this policy is applicable to every data processing activity carried out by us. Please note that this policy is not part of the agreement/contract signed by our members/employees, so it can be amended at any time and its provisions shall be respected by all those who participate in our processing activities.Every director, member/employee, contractor and third party – including the ones related to the local committees – working for or acting on behalf of AIESEC in India, including AIESEC in Ahmedabad, AIESEC in Bangalore, AIESEC in Baroda, AIESEC in Bhubaneswar, AIESEC in Chandigarh, AIESEC in Chennai, AIESEC in Dehradun, AIESEC in Delhi IIT, AIESEC in Delhi University, AIESEC in Hyderabad, IIT ISM Dhanbad, AIESEC in IIT KGP, AIESEC in Indore, AIESEC in Jaipur, AIESEC in Jalandhar, AIESEC in Jodhpur, AIESEC in Kolkata, AIESEC in Ludhiana, AIESEC in M.AH.E, AIESEC in Mumbai, AIESEC in Nagpur, AIESEC in Nashik, AIESEC in Navi Mumbai, AIESEC in NIT Trichy, AIESEC in NMIMS Shirpur, AIESEC in Patiala, AIESEC in Pune, AIESEC in Shillong, AIESEC in South Mumbai, AIESEC in Surat, AIESEC in Visakhapatnam, and AIESEC in VIT must be aware of and follow this policy.Our Data Protection Officer is responsible for ensuring compliance with the data protection requirements and with this policy (*please refer to point 5., “Data Protection Officer”). Any questions about the operation of this policy and/or any concerns that this policy is not being followed should be referred to the Data Protection Officer.

1.3. Main Definitions

Expressions mentioned in this policy shall have the same meaning provided by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the appropriate laws. For basic understanding of this policy, the main concepts are:

Personal data (whether stored electronically or paper based) means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Right to access | You have the right to access your own personal data and the right to receiverelevant information regarding the processing of your personal data. Thus, you can ask us for acopy of the personal data we hold about you so that you can know if and what kind of personaldata is being processed, why it is being processed and who is processing it, being able to enforceyourrights. You can contact us so as to exercise this Right.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Special categories of personal data is an expression which refers to sensitive categories of personal data, such as the ones regarding a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexual orientation or sexual life. In general, it is forbidden to process sensitive personal data; in case it is processed, conditions must be met. Please note that data about criminal offences or convictions are another “special” category and we do not process such data.

2. Data Processing Principles

Anyone processing personal data must ensure that activities respect the provisions of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), ensuring that data is:

processed lawfully, fairly and in a transparent manner in relation to the data subject;
processed for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
accurate and, where necessary, kept up-to-date;
not kept for longer than necessary for the intended purposes;
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lastly, we must be able to demonstrate compliance with all the principles mentioned above – and, of course, respect the rights of the data subjects. In this way, we must keep a register of data processing activities, which must be updated periodically and reflect/regulate the way we use personal data.

2.1. Lawfulness, Fairness and Transparency

Processing must be done fairly and without adversely affecting the rights of the individual: thus, in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), we will only process personal data where it is in line with a lawful ground – which, according to the relevant provisions of the Article 6 (1) of such regulation, are:

the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Please note that when sensitive personal data is being processed, additional conditions must be met. Furthermore, all processing activities must be recorded in the appropriate register.

2.1.1. Consent

Whenever consent is the lawful basis for processing, it must be:

recorded, so that we can demonstrate that the data subject has consented to the processing of his/her personal data;
given in a free, specific, explicit, informed and unambiguous manner. If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language;
easy to be revoked at any time.

If communications (including direct marketing) are sent to individuals based on their consent, the option for the individual to revoke consent must be clearly available and systems should be in place to ensure such revocation is reflected effectively.

2.2. Purpose Limitation

We may collect and process the personal data we receive directly from a data subject (for example, when he/she completes forms and/or sends information via mail, phone or email) and data we receive from other sources (including, for example, location data, business partners, payment/delivery services and others).We will only process personal data for specific purposes or for any other purposes specifically permitted by the data protection laws. We must notify the purposes to the data subject when we first collect the data (in case data was provided directly to us) or as soon as practicable (where data was received from a third party).

2.2.1. Information to Individuals

Whenever we process personal data relating to an individual, we will inform the data subject about:

the purpose(s) for which we intend to process that personal data, as well as the legal basis for the processing;
where we rely upon the legitimate interests of the business to process personal data, the legitimate interests pursued;
the recipients or categories of recipients of the personal data, if any;
the fact that we intend to transfer personal data to a country or international organisation outside the European Union/European Economic Area and the appropriate and suitable safeguards in place;
the existence of each of the rights of the data subject and their respective explanation, paying special attention to:
- the right to request from us (*considering that we are the “data controller”) access to and rectification or erasure of personal data or restriction of processing;
- the right to object to processing and the right to data portability.
information about the period that the information will be stored or the criteria used to determine that period;
the right to withdraw consent at any time (if consent was given) without affecting the lawfulness of the processing before the consent was withdrawn. This right must be indicated at the moment the consent of the data subject is requested and/or in the appropriate privacy notice;
the right to lodge a complaint with the appropriate supervisory authority;
the existence of automated decision-making (including profiling) and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual;
our identity and contact details (*considering that we are the “data controller”), of our Data Protection Officer and, where applicable, of our representative.

Data subjects shall also be able to understand how to exercise their rights: in order to comply with these points (from the details regarding information to the enforcement of the rights), we shall have in place a easily accessible privacy notice.Regarding the deadlines for providing such information, it is important to consider the source of the personal data and remind that:

if personal data was obtained directly from the individual, we must inform him/her about the points mentioned above at the time when data is obtained. In addition, he/she must also be provided with the following:
- whether the provision of the personal data is a statutory or contractual requirement/obligation, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and any possible consequences of failing to provide the data.
if personal data was obtained from other sources, we must provide him/her with this information as soon as practicable, but within one month of obtaining it. The individual must also be provided with:
- the types or categories of personal data which are to be processed;
- the source the personal data originates from and whether it came from publicly accessible sources.

2.3. Data Minimisation

We must process data in an adequate, relevant and non-excessive manner: thus, we will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject.

2.4. Accuracy

We will ensure that personal data we hold is accurate and kept up-to-date.In order to comply with such principle, we will check the accuracy of any personal data at the point of collection and at regular intervals subsequently, taking all reasonable steps to destroy/correct inaccurate or out-of-date data and giving individuals the opportunity to enforce their right to rectify data concerning them.

2.5. Storage Limitation

We will not keep personal data longer than is necessary for the purpose(s) for which it was collected. We will take all reasonable steps to erase/anonymise or archive from our systems all data which is no longer required, following our internal retention policies.

2.6. Integrity and Confidentiality

We must process data in accordance with the rights of the data subjects and in a manner that ensures security, integrity and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.Personal data shall not be transferred to people/organisations situated in countries without adequate protection safeguards or in situations which do not meet the appropriate circumstances mentioned in the Articles 44–49 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Please note that the individual must be informed of the transfer.

2.6.1. Data Security

We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.We will put in place technical and organisational measures to maintain the security of all personal data under our responsibility, during the whole flow. In this way, personal data will only be transferred to data processors if they agree to comply with the procedures and policies and/or if they put in place adequate measures.Our processing activities will be guided by the concepts of confidentiality and integrity of the personal data, as specified below:

confidentiality, applying measures which guarantee that data is protected against unauthorised or accidental use or disclosure – and, therefore, accessed only by people who are authorised to use the data and who are needed for the achievement of the purposes;
integrity, applying measures which guarantee that data is protected against unauthorised or accidental loss, destruction or alteration and guaranteeing that it is accurate and suitable for the purpose(s).

Our security procedures include:

secure offices and workplaces, guaranteeing that the files are stored in buildings which count on appropriate safeguards (such as locks, security systems, etc.) and on furniture which allows extra protection (e.g.: locked drawers, etc). Personal information is always considered confidential and should be kept in a secure place where unauthorised people cannot see it;
data minimisation, requesting only the appropriate data for our purpose(s);
internal policies/guidelines which consider the principles/rights in the development of future projects and in the assessment of current practices;
equipment safety, making regular backups, installing anti-virus softwares in platforms/devices and inserting passwords in every system/platform/device. Furthermore, members/employees must ensure that confidential information is not shown to passers-by and that they log off from systems/platforms/devices whenever they are left unattended;
usage of modern and secure softwares which are kept-up-to-date;
review and update of data which is out-of-date, taking every opportunity to ensure data is up-to-date;
storage of data in as few places as necessary, without creating unnecessary additional data sets;
methods of disposal, such as shredding papers and/or anonymising/erasing virtual data whenever it must be destroyed;

Our staff should also pay attention to further guidelines:

the only people able to access the data covered by the policy shall be those who need it for their work and for the achievement of the purpose(s) informed to the data subject;
data shall not be shared – formally or informally – to individuals outside our organisation except where it is necessary to do so in order to facilitate an exchange experience ;
our staff should participate in the trainings/activities regarding data protection, read the appropriate materials and get to know the appropriate laws;
members/employees shall keep all data secure, by taking sensible and reasonable precautions. Thus, it is advised that they:
- use strong passwords in systems/platforms/devices;
- never share passwords;
- never disclose personal data to unauthorised individuals, either within the organisation or outside it;
- never leave personal data unattended and/or where unauthorised people could see it;
- use only appropriate services/platforms/systems and secure devices;
- request help to the appropriate managers/Data Protection Officer in case they are unsure about any aspect of data protection.

2.6.2. Data Transfers

As a general rule, personal data may be transferred outside the European Union/European Economic Area or to an international organisation only if the country to which the personal data is transferred ensures an adequate level of protection for the rights and freedoms of data subjects.Personal data may also be transferred based on appropriate safeguards or in case one of the derogations of the Article 49 (1) of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is met, especially:

the data subject has given his/her explicit consent, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
the transfer is necessary to protect the vital interests of the data subject or of other persons;
the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

Subject to the requirements mentioned above, personal data we hold may be processed by staff operating outside the European Union/European Economic Area who work for us: such staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the provision of support services, etc.

2.6.3. Disclosure of Personal Data

Personal data shall not be transferred to external individuals and/or organisations except where it is necessary to do so in order to facilitate an exchange experience. Internally, data may be processed by the individuals acting under the power of AIESEC in India.Personal data may also be disclosed to the appropriate agencies in accordance with the law.

2.6.3.1 Rights of the Data Subject

Anyone processing personal data must ensure that activities respect the provisions of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), guaranteeing that the rights of the data subjects are respected, in particular:

- right to be informed, receiving proper details on how data is going to be processed (*please refer to point 2.2.1., “Information to Individuals”);
- right to access, being able to receive a confirmation as to whether or not personal data concerning him/her is being processed and access any data held about him/her by the data controller, following the provisions of the Article 15 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
- right to rectification, being able to request rectification or completion of data concerning him/her;
- right to object, being able to express that he/she does not – or no longer – agree with the processing and, therefore, asks the data controller to stop processing activities regarding a particular situation. This right applies to direct marketing: thus, please note that the right to object to direct marketing is absolute and we must not challenge the decision of the individual, stopping such processing activities immediately;

right to erasure, being able to request the erasure of personal data where there is no compelling reason for its continued processing. Please note that this right is subject to some specific circumstances, which are mentioned in the Articles 17 and 19 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
right to restriction of processing, obligating the data controller to suspend/pause the processing of personal data, either because of a request of the data subject or because of a situation which demands it to do so;
right to data portability, being able to obtain his/her data from the controller so as to transfer it to another system;
rights regarding automated decision-making, including:
the primary right not to be subject to activities only based on automated processing and whose decisions have legal or relevant effects on him/her;
the secondary rights – whenever automated decision-making is carried out either because of a contract or because of the consent of the data subject – to be informed (*about the existence of automated decision-making, its logics/criteria and consequences), express his/her point of view, challenge the decision and obtain human intervention.
right to compensation and liability, as well as the right to lodge a complaint with a supervisory authority.

We shall inform data subjects of their rights and we shall also make it easy for data subjects to enforce their rights, using the respective appendix according to the type of contract for information, while using the email address of the Data Protection Officer to enforce their rights. Personal data shall be easily accessible to the appropriate individuals within our organisation and, where possible, data subjects should have access to their data via a secure self-service (*please refer to point 4., “Subject Access Requests”).

2.6.3.2 Subject Access Requests

Data subjects can send a request for information regarding if and what information we hold about them, why we hold such data, how to gain access to data, how to correct/update details, how we deal with data protection, etc. (*please refer to point 3., “Rights of the Data Subject). Whenever a member/employee receives a request, it shall be forwarded to Alejandro Hüsser Diaz (alejandro.husser.2@aiesec.net) immediately.Data subjects shall be informed of their right and must know that they should address their requests to the Data Protection Officer: Alejandro Hüsser Diaz, via email (alejandro.husser.2@aiesec.net).We may take reasonable steps to verify the identity of the individual who is requesting the data: personal data shall only be sent to the individual to which it is related, so it is vital to make sure that information is only given to a person who is entitled to it. Every request sent in writing must be responded within one month – and, if the request is made electronically, data shall be provided electronically (where possible).Please note that we may supply the data subject with a standard request form, but the individuals are not obligated by law to use it: all written requests must be addressed properly, even if they do not follow the “template” provided by us.

4.1. Guidance for the responsible for Subject Access Requests

It is vital that the Article 15 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is read and followed. Besides, the guidelines below shall be useful.

4.1.1. Procedures upon receipt of a Subject Access Request

Whenever we are the data controller, we shall proceed with the following steps upon receiving a Subject Access Request:

confirm whether we are the “data controller”;
verify the identity of the data subject; if necessary, request any further evidence regarding the identity of the data subject;
verify if the access request is sufficient and if the requested information is clear; if not, request additional information;
verify whether requests are unfounded or excessive (particularly if they are repetitive): if so, we may refuse to act on the request or charge a reasonable fee. We shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request;
promptly acknowledge receipt of the request and inform the data subject of any costs involving its processing. Please note that, as a general rule, the request must be handled free of change;
verify whether we process the data requested; if we do not process any data, inform the data subject accordingly;
verify whether the data requested also involves data about other data subjects and make sure this data is filtered before the requested data is supplied to the data subject.

4.1.2. Procedures to respond to a Subject Access Request

Whilst responding to a subject access request, follow the guidelines below:

make sure to respond to the request within one month after it is received:
- if the request is particularly complex, we may extend this initial period by two months, but we must communicate to the data subject in a timely manner within the first month and explain why the extension is necessary;
- if we do not take action on the request of the data subject, we must inform the data subject about the reasons for not taking action and of his/her rights to lodge complaints/seek judicial remedy at latest within one month of receipt of the request.
if a request is submitted in electronic form, information should preferably be provided in a commonly used electronic format (*e.g.: text or html). It is not forbidden to send information via email, but we must ensure that the transfer is secure;
if information is kept on paper, we can provide the data subject with a paper copy of his/her information;
if data on the data subject is processed, make sure to include at least the following information in the response:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
- where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the data has not been collected from the data subject, the source of such data;
- the existence of any automated decision-making (including profiling) and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
provide a copy of the personal data undergoing processing. Once again, this should be provided in a commonly used electronic form if the data subject has submitted the request electronically and if he/she does not request otherwise.
An organisation shall not provide an individual with the individual’s personal data or other information if the provision of that personal data or other information, as the case may be, could reasonably be expected to —
- threaten the safety or physical or mental health of an individual other than the individual who made the request;
- cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
- reveal personal data about another individual;
- reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
- be contrary to the national interest.
An organisation shall not inform any individual that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual.
If an organisation is able to provide the individual with the individual’s personal data and other information requested without the personal data or other information excluded, the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded in the previous points.

4.1.2.1 Data Protection Officer

We have appointed Sauarbh Kamboj as the Data Protection Controller (DPO) who will endeavour to ensure that all personal data is processed in compliance with this policy and with the principles of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Appropriate national laws are also relevant to this policy.

4.1.2.2 Participation in Data Protection

Everyone who works for or with us has some responsibility for ensuring data is collected, stored and handled appropriately: thus, teams which handle personal data must ensure that it is processed in accordance with this policy, the data protection principles, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the appropriate laws.

4.1.2.3 Data Breaches

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, we shall promptly assess the risks to the rights and freedoms of individuals: if necessary, the breach shall be reported to the appropriate supervisory authority – and, if appropriate, the individuals affected by the incident shall be communicated. Please refer to our Data Breach Management Procedure and to the appropriate templates.

4.1.2.4 Disclaimer

This policy should be used together with other documents, which are mentioned below:

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) – officially “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”;
Data Breach Management Procedure;
Internal Retention Policies;

4.1.2.5 Alterations to this Policy

We reserve the right to change this policy at any time. Where appropriate, we will notify changes by email.

AIESEC in India Member - Retention Policy

Last Updated: 5th May 2019

Please review this document carefully regarding the collection and use of personal informationsubmitted through the AIESEC Member Recruitment Drive sign up form. By submittinginformation to the AIESEC Member Recruitment Drive sign up form indicates that you have readthis document and agree to its terms.As used herein, AIESEC is the biggest Global Youth Run Organisation which exists in 126countries and territories. AIESEC which exists in different countries and territories are legallyseparated and are independent entity even though all the processes running are the same.Please see the section below to know how your personal detail will be protected in thisorganisation, AIESEC.

PRIVACY

Any personal information you submit through the Recruitment Drive is being submitted toAIESEC in Malaysia. Unless otherwise stated at the time of collection, the personal informationrequested and the way in which it is used will be in accordance with this document and with thelaws of the General Data Protection Regulation, Regulation (EU) 2016/679.

COLLECTION OF PERSONAL INFORMATION

The Recruitment System maintains personal information that you as a candidate voluntarilysubmit and, in some cases, personal information that is submitted on your behalf. You areresponsible for ensuring that any personal information submitted by or about you to theRecruitment Drive is accurate, complete, and up-to-date. If you are providing personalinformation about an individual otherthan yourself, you must obtain the consent of the individualforthe collection and use of information as described in this document before submitting any ofhis/her personal information.

(Video) AIESEC Values

INFORMATION USE

Your personal information will be used to manage your application for AIESEC recruitmentprocesses, to contact you during yourinterview, to send you announcements, and to requestadditional information as required. Where permitted by law, your personal information may alsobe used for general statistical analysis and reporting purposes, including visitor activity anddemographic reports. To the extent any information of a sensitive nature is submitted with yourapplication (e.g., data relating to gender,race or ethnic origin,religious beliefs, physical or mentalhealth or sexual orientation), you agree that such information may be used in accordance withapplicable law and this document. The Recruitment Drive does not seek sensitive personalinformation except where it is required by the recruitment process of the Local Chapterin whichthe position you are applying for is located.Should you be accepted as a member of AIESEC, your personal information may be used inconnection with the Team Leader-Team Memberrelationship as permitted by the General DataProtection Regulation.

INFORMATION DISCLOSURE

Except as disclosed in this document, or as otherwise disclosed at the point of collection, yourpersonal information will only be made available to individuals (i) within the Local Chaptertowhich you are applying for a position and/or(ii) the AIESEC in Malaysia personnel. Your personalinformation will not be accessible by other Local Chapters. Personal information may also bedisclosed to law enforcement,regulatory, or other government agencies, orto otherthird parties,in each case to comply with legal orregulatory obligations orrequests.

INFORMATION RETENTION

Your personal information will be retained forthe period necessary to complete the recruitmentprocess orfor maximum of 5 years to meetregulatory obligations, or as may be necessary tofacilitate any ongoing relationship. Where permitted by law, your personal information may alsobe retained to consider you for other opportunities provided by AIESEC for which you may bequalified.

INFORMATION SECURITY

The Recruitment System covered by this document has in place reasonable commercial standardsof technology and operational security to protect all information from unauthorized access,disclosure, alteration, or destruction.Your use of the recruitment system is at your own risk, and you assume fullresponsibility and riskof loss resulting from your usage. no aiesec entity will be liable for any direct, indirect, special,incidental, expectancy, exemplary, consequential, or punitive damages or any other damageswhatsoever, whetherin an action of contract, statute, tort (including, without limitation,negligence), or otherwise,relating to the use of orreliance upon the recruitment system.The above disclaimers and limitations of liability are applicable to the fullest extent permitted bylaw, whetherin contract, statute, tort (including, without limitation, negligence) or otherwise. ifany portion of the foregoing is not fully enforceable for any reason, the remainder shallnonetheless continue to apply.

Privacy Notice - GENERAL DATA PROTECTION POLICY

AIESEC in India

GDPR COMPLIANCE

Data Breach Management Procedure

Introduction

Reference: Breach ProcedureType: ProcedureStatus: Approved by AIESEC InternationalCreator: Saurabh Kamboj – DPO of AIESEC in IndiaReview Period: AnnualVersion and Date: Last Updated on 5th May 2019

1. Scope, Purpose and Users

This Data Breach Management Procedure provides general principles and a model to respond toand mitigate personal data breaches, especially if one (or both) of the circumstances mentionedbelow are applicable:

The controller/processor is established in the European Union/European Economic Area(EU/EEA), regardless of whether the processing takes place in the EuropeanUnion/European Economic Area (EU/EEA) or not;
The controller/processor processes data of individuals who are in the EuropeanUnion/European Economic Area (EU/EEA) and the processing activities relate to theoffering of goods or services to those individuals in the European Union/EuropeanEconomic Area (EU/EEA) or to the monitoring of these individuals' behaviour within theEuropean Union/European Economic Area (EU/EEA).

This Data Breach Management Procedure sets the general principles and actions for managingthe response to a data breach and fulfils the obligations regarding the notification to supervisoryauthorities and individuals, as mentioned in the General Data Protection Regulation (GDPR)(Regulation (EU) 2016/679).All members/employees, contractors and third parties working for or acting on behalf of AIESECin India must be aware of and follow this Data Breach Management Procedure in the event of apersonal data breach. Furthermore, please note that all members/employees, contractors andthird parties working for or acting on behalf of AIESEC in India are responsible forreporting anypersonal data breach to the Data Protection Officer(DPO) of AIESEC in India.The response to any breach of personal data (as defined by the legislation) can have a seriousimpact on the reputation of an organisation: therefore, exceptional care must be taken whenresponding to data breaches. Not all data protection incidents result in data breaches – and not alldata breaches require notification –, so this procedure shall assist staff in developing anappropriate response to a data breach based on the specific characteristics of the incident.

Reference

This Data Breach Management Procedure should be used together with other documents, whichare mentioned below:

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) – officially"Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 onthe protection of natural persons with regard to the processing of personal data and on the freemovement of such data, and repealing Directive 95/46/EC (General Data ProtectionRegulation)";
Data Protection Policy;

Definitions

This Data Breach Management Procedure may use some technical terms: thus, please find belowtheir definitions, based on the Article 4 of the General Data Protection Regulation (GDPR)(Regulation (EU) 2016/679). Expressions mentioned in this procedure shall have the samemeaning provided by the General Data Protection Regulation (GDPR) (Regulation (EU)2016/679) and the appropriate laws.

Personal data (whether stored electronically or paper based) means any informationrelating to an identified or identifiable natural person ("data subject"); an identifiablenatural person is one who can be identified, directly or indirectly, in particular byreference to an identifier such as a name, an identification number, location data, anonline identifier or to one or more factors specific to the physical, physiological, genetic,mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations which is performed on personal dataor on sets of personal data, whether or not by automated means, such as collection,recording, organisation, structuring, storage, adaptation or alteration, retrieval,consultation, use, disclosure by transmission, dissemination or otherwise makingavailable, alignment or combination,restriction, erasure or destruction;
Controller means the natural orlegal person, public authority, agency or other body which,alone or jointly with others, determines the purposes and means of the processing ofpersonal data; where the purposes and means of such processing are determined byUnion or Member State law, the controller or the specific criteria for its nomination maybe provided for by Union or Member State law;
Processor means a natural or legal person, public authority, agency or other body whichprocesses personal data on behalf of the controller;
Recipient means a natural or legal person, public authority, agency or another body, towhich the personal data are disclosed, whether a third party or not. However, publicauthorities which may receive personal data in the framework of a particular inquiry inaccordance with Union or Member State law shall not be regarded as recipients; theprocessing of those data by those public authorities shall be in compliance with theapplicable data protection rules according to the purposes of the processing;
Third party means a natural or legal person, public authority, agency or body other thanthe data subject, controller, processor and persons who, underthe direct authority of thecontroller or processor, are authorised to process personal data;
Personal data breach means a breach of security leading to the accidental or unlawfuldestruction, loss, alteration, unauthorised disclosure of, or access to, personal datatransmitted, stored or otherwise processed.

Procedures

4.1. General Actions

4.1.1. Containment and Recovery

The first steps regarding personal data breaches should be taken:

identify/contact the responsible forinvestigating and managing the breach;
establish who should be aware of the breach (*i.e., who are the individuals thatcould assist the organisation – such as lawyers, MCVPs in charge of externalrelations, PR support, etc. – and, if appropriate, the individuals affected by thebreach and/orthe supervisory authority);
identify and implement any steps required to contain the breach;
identify and implement any steps required to recover any losses and limit thedamage of the breach;
if appropriate, inform police, insurance company, press and/or other bodies.

4.1.1.2. Contact Person

The Data Protection Officer of AIESEC in India and the response team shall be responsible forinvestigating/managing incidents. In case a personal data breach has beendetected or is suspected, he/she must be contacted immediately via theappropriate lines:it@aiesec.inData Protection Representative : Mr. Saurabh Kamboj303, Tanishka commercial building, Akurli Road,Kandivali East Mumbai, Maharashtra, 400101

4.1.2. Assessment

Personal data breaches must be managed according to their risk, so the risks associated with thebreach should be assessed in order to identify an appropriate response as soon as theimmediate containment of the incident happens.

4.1.3. Notification

Depending on the nature of the personal data breach, individuals and/or supervisory authoritiesmust be notified: thus, the full extent of the breach should understood so thatcommunications are clear and complete.The MCVP Partnerships Development should be notified whenever communications to thepublic are expected to happen and the Data Protection Officer of AIESEC in India shall be the final responsible for communicating with stakeholders (including, especially, thesupervisory authority).

4.1.3.1. Notification to the Supervisory Authority

It is important to consider the possibility of having to inform the appropriate supervisoryauthority of the data breach, paying attention to the points below and to thetemplates developed forthe event of a personal data breach:

AIESEC in India – as data controller – is responsible for assessing whetherthe supervisory authority should be notified in the event of a personaldata breach;
If the personal data breach is likely to result in a risk to the rights andfreedoms of natural persons, the personal data breach must be notified tothe supervisory authority;
If the assessment carried out by AIESEC in India indicates that thepersonal data breach must be informed to the supervisory authority,AIESEC in India – as data controller – shall proceed with the notificationwithout undue delay, and, where feasible, not later than 72 hours afterhaving become aware of it;
If AIESEC in India does not notify the supervisory authority within 72hours, the notification shall be accompanied by the reasons forthe delay;
If AIESEC in India cannot provide all the information at the same time, theinformation may be provided in phases without undue further delay;
According to the Article 33 (3) of the General Data Protection Regulation(GDPR) (Regulation (EU) 2016/679), the notification of the personal databreach to the relevant supervisory authority must present, at least, thefollowing information:
- the nature of the personal data breach – including, where possible,the categories and approximate number of data subjectsconcerned and the categories and approximate number ofpersonal data records concerned;
- the name and contact details of the Data Protection Officer orother contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller toaddress the personal data breach, including, where appropriate,measures to mitigate its possible adverse effects.
The Data Protection Officer of AIESEC in India shall be responsible forreporting the personal data breach to the appropriate supervisoryauthority and for cooperating with it;
It is highly recommended that the templates developed for reporting apersonal data breach to the appropriate supervisory authority are used inthe event of an incident.

4.1.3.2. Communication to Individuals

Depending on the nature of the personal data breach, individuals should be informed based on the guidelines below:

If the personal data breach is likely to result in a high risk to the rights andfreedoms of natural persons, the controller shall communicate thepersonal data breach to the data subject(s) immediately;
The communication to the data subject(s) affected by the personal databreach must describe in clear and plain language the nature of thepersonal data breach and contain, at least, the following information:
- the name and contact details of the Data Protection Officer orother contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller toaddress the personal data breach, including, where appropriate,measures to mitigate its possible adverse effects.
The communication to the data subject(s) should count on the advice ofthe appropriate marketing/public relations team. Furthermore, besidesthe basic points mentioned in the sub-point above, it is recommended thatthe message should present:
- details regarding the breach (*e.g.: what happened, when thebreach occurred, what types of data were involved in the breach,etc.);
- advice on how people can protect their personal data;
- information about how AIESEC in India is working so that similarevents do not occurin the future;
- How the data subject(s) will be informed of updates.
The communication to the data subject(s) shall not be required if any ofthe following conditions are met:
- AIESEC in India – as data controller – has implementedappropriate technical and organisational protection measures, andthose measures were applied to the personal data affected by thepersonal data breach, in particular those that renderthe personaldata unintelligible to any person who is not authorised to access it,such as encryption;
- AIESEC in India – as data controller – has taken subsequentmeasures which ensure that the high risk to the rights andfreedoms of data subjects is no longerlikely to materialise;
- The communication would involve disproportionate effort. In sucha case, there shall instead be a public communication or similarmeasure whereby the data subjects are informed in an equallyeffective manner.
If AIESEC in India – as data controller – has not already communicated thepersonal data breach to the data subject(s), the supervisory authority,having considered the likelihood of the personal data breach resulting in ahigh risk, may require it to do so or may decide that any of the conditionsreferred to in the Article 34 (3) of the General Data Protection Regulation(GDPR) (Regulation (EU) 2016/679) are met.
It is highly recommended that the templates developed forcommunicating a personal data breach to data subject(s) are used in theevent of an incident.

4.1.4. Evaluation and Response

A brief report regarding the breach (including its details, the way it was handled,recommendations on how to prevent similar events/risks, etc.) should be written andattached to the official Records of Data Breaches. All reports regarding personal databreaches must be issued by the Data Protection Officer and the response team of AIESECin India

4.1.4.1. Records of Data Breaches

AIESEC in India – as data controller – shall document any personal databreaches – including the ones which have not been reported to thesupervisory authority –, comprising the facts relating to the personal databreach, its effects and the remedial action taken (*please refer to thesub-point 6. of the point 4.1.3.1, "Notification to the Supervisory Authority");
In case the supervisory authority requests access to the Records of DataBreaches, AIESEC in India must provide the appropriate documentation,enabling the Supervisory Authority to verify compliance with the Article 33 (5) of the General Data Protection Regulation (GDPR) (Regulation(EU) 2016/679);
Data breaches must be recorded in a central place and managed by theData Protection Officer, who will have the duty to keep it up-to-date anddocument every aspect of the breach. The Records of Data Breaches andthe details/documents related to it (such as reports, decisions andnotifications) must be stored permanently.

Alterations to this Procedure

This document is valid from 05.05.2019. The incumbent Data Protection Officer is the finalresponsible for this document. AIESEC in India reserve the right to change this procedure at anytime: where appropriate, the entity will notify changes by mail or email.

Questionnaire

This Appendix to the Data Breach Management Procedure provides a list of question which shallbe useful during the assessment of the personal data breach.

What happened? Please provide a description of the nature of the breach, including asmuch detail as possible.
Where did the breach happen?
When did the breach happen?
Who detected the breach?
When was the breach detected?
How did the breach happen?
What was the cause of the breach?
What kind of data was affected by the breach? (Please note: all individual types of data should be identified – e.g.: name, address, bank account number, CVs, etc.)
How many individuals and/orrecords were affected by the breach?
What categories of individuals were affected by the breach? (Please note: all individual categories of data subjects should be identified – e.g.: customers, members,employees, etc.)
What happened to the data?
Were there any protections in place?
What are the potential consequences and adverse effects forindividuals? How serious orsubstantial are they and how likely are they to occur? (*Please refer to the Recital 85 of theGeneral Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)).
- What could the data tell a third party about an individual?
- What effects could this cause?
- What value does the information have?
What processes/systems were affected and how? (Please note: mention all process/systems – e.g.: website is off-line, system is inaccessible, etc.)

Privacy Notice - Customers

AIESEC in India

Privacy Notice

Last Update: [3rd July, 2021]

BASICS ABOUT US

We are AIESEC in India, a youth leadership movement which is passionately driven by one cause: peace and fulfilment of humankind's potential. We are registered in the official bodies of India under the number 45624/2003 under the Societies Regulation Act of 1860. Our registered address is F.26, First Floor Connaught Place, New Delhi. We comprise AIESEC in India and also the 23 local committees across India.

We are committed to protecting and respecting the privacy of our respondents who fill this form/document. This policy explains how we process information that can be used to directly or indirectly identify an individual (“personal data”): thus, this policy applies to the situations in which we act as data controller of personal data and explains when and why we collect personal information about individuals, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

COLLECTION AND USAGE OF PERSONAL DATA ABOUT YOU

The purposes of processing your personal data are having a way of contacting the customer, do a better market segmentation, comply with the national and local laws of India and having a way of contacting the customer’s family in case of an emergency and the legal basis for such activities is legitimate interest, legal obligation and vital interest. Personal data we process may include First Name, Surname, Phone Number, Email, Nationality, Background/Skills, College, Course/Year of study, Aadhar/PAN/Passport Scan, VISA, Permanent Address, Signature and Emergency Contact Details (Name, Surname, Phone Number, Relationship).

We gather your personal data via an online/offline form, filling a physical contract, or through our websites.

RETENTION OF PERSONAL DATA ABOUT YOU

We shall retain personal data for a maximum period of 3 years. You can request us to delete your data at any point by emailing us for the same at it@aiesec.in.

RECIPIENTS OF PERSONAL DATA ABOUT YOU

We process your details internally. However, we may disclose information about you to our partners, website intermediaries, third parties so as to improve your experience with AIESEC.

We may transfer information about you to other AIESEC entities and partners for purposes connected with the ones mentioned in this privacy notice or for the management of our business.

YOUR RIGHTS

You are guaranteed several rights, which are mentioned below:

Right to be informed | You have the right to be informed about the processing of your personal data. Thus, in order to make you able to make decisions regarding your privacy and have control over your personal data, we tell you why we need your personal data, what is the legal ground for processing it and every relevant detail regarding the processing activities, as you can see in this privacy policy.
Right to access | You have the right to access your own personal data and the right to receive relevant information regarding the processing of your personal data. Thus, you can ask us for a copy of the personal data we hold about you so that you can know if and what kind of personal data is being processed, why it is being processed and who is processing it, being able to enforce your rights. You can contact us so as to exercise this right.
(Video) THE AIESEC WAY - six values
Right to rectification | You have the right to have your personal data rectified/completed in case it is inaccurate/incomplete. You can contact us so as to exercise this right.
Right to erasure | In certain circumstances, you may request the erasure of personal data where there is no compelling reason for its continued processing. You can contact us so as to exercise this right.
Right to restriction of processing | Under certain circumstances, we may suspend processing activities – and you may also ask us to pause the processing of your personal data. In other words, we will keep your data, but won't further process it – and you can contact us so as to exercise this right.
Right to data portability | You may obtain your data from us so as to transfer it to another system: thus, we will provide you with a copy in a structured, commonly used format. You can contact us so as to exercise this right.
Right to object | In some circumstances, you have the right to object (*i.e., say that you don't – or no longer – agree with the processing and ask us to stop) to the processing of your personal data regarding your particular situation. This right applies to processing based on direct marketing purposes and, usually, to some other purposes (such as some legitimate interests).
Rights regarding automated decision making | You have the primary right not to be subject to activities only based on automated processing and whose decision has legal or relevant effects on you. However, whenever we carry out automated decision making (either because of a contract or because of your consent), you shall be able to be informed, express your point of view, challenge eventual decisions and obtain human intervention. You can contact us so as to gather further information.

If you have provided consent for the processing of your data, you have – in certain circumstances – the right to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn.

By the way, if you want to know more about your rights, we suggest that you read the guidance provided by the Information Commissioner's Office of the United Kingdom, which is available online.

Lastly, if you are not happy with the way we are dealing with personal data, you may contact a supervisory authority: Pratham Kawrath - (+91 9840860998)

ABOUT YOUR PRIVACY

Information shall be handled based on the principle of confidentiality, so it is stored securely and accessed by authorised individuals only. We are committed to implementing and maintaining appropriate technical, security and organisational measures to protect personal data against unauthorised or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure, such as encrypt the transmission and storage of that information using industry standard encryption and transmission technologies.

We will take all reasonable steps to ensure that your data is treated securely and in accordance with this privacy notice. Please note that the transmission of information via the internet is not completely secure: even doing our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site (so any transmission is at your own risk), but, once we have received your information, we will use strict procedures and security features to prevent unauthorised access.

OUR PRIVACY MANAGER/DATA PROTECTION OFFICER

We have a Privacy Manager/Data Protection Officer who is responsible for matters regarding privacy and data protection. Thus, in case you have any questions regarding this policy and/or our privacy practices: Pratham Kawrath, NR 708 Ellora Fiesta, Gaondevi Marg, Sector 11, Sanpada, Navi Mumbai, Maharashtra, India - 400614: it@aiesec.in

FOR FURTHER INFORMATION ABOUT US

In case you want to contact us, please feel free to do so:

AIESEC in India,

708 Ellora Fiesta,

Gaondevi Marg, Sector 11,

Sanpada, Navi Mumbai,

Maharashtra, India - 400614

it@aiesec.in

Pratham Kawrath,

Head of Marketing,

AIESEC in India,

pratham.kawrath@aiesec.in

[+91 9840860998]

REVIEW OF THIS POLICYWe keep this policy under regular review, so please check this page occasionally to ensure that you’re happy with any changes. This policy was last updated on 3rd July, 2021.

Privacy Notice - Events

AIESEC in India

Privacy Notice

Last Update: 03/07/2021

BASICS ABOUT US

COLLECTION AND USAGE OF PERSONAL DATA ABOUT YOU

The purposes of processing your personal data are having a way of contacting the event attendees, having a way of contacting the attendee’s family in case of an emergency, for event analysis and to comply with National and Local laws and the legal basis for such activities is legitimate interest or legal obligation. Personal data we process may include Personal data we process may include First Name, Surname, Phone Number, Email, Nationality, Permanent/ Residential Address, D.O.B, T-Shirt size and Emergency Contact Details (Name, Surname, Phone Number, Relationship).

We gather your personal data via online/offline form, filling a physical contract, or through our websites.

RETENTION OF PERSONAL DATA ABOUT YOU

We shall retain personal data for a maximum period of 3 years. You can request us to delete your data at any point by emailing us for the same at it@aiesec.in.

(Video) THE AIESEC WAY six values

RECIPIENTS OF PERSONAL DATA ABOUT YOU

We process your details internally. However, we may disclose information about you to our partners, website intermediaries, third parties so as to improve your experience with AIESEC.

We may transfer information about you to other AIESEC entities and partners for purposes connected with the ones mentioned in this privacy notice or for the management of our business.

YOUR RIGHTS

You are guaranteed several rights, which are mentioned below:

Right to be informed | You have the right to be informed about the processing of your personal data. Thus, in order to make you able to make decisions regarding your privacy and have control over your personal data, we tell you why we need your personal data, what is the legal ground for processing it and every relevant detail regarding the processing activities, as you can see in this privacy policy.
Right to access | You have the right to access your own personal data and the right to receive relevant information regarding the processing of your personal data. Thus, you can ask us for a copy of the personal data we hold about you so that you can know if and what kind of personal data is being processed, why it is being processed and who is processing it, being able to enforce your rights. You can contact us so as to exercise this right.
Right to rectification | You have the right to have your personal data rectified/completed in case it is inaccurate/incomplete. You can contact us so as to exercise this right.
Right to erasure | In certain circumstances, you may request the erasure of personal data where there is no compelling reason for its continued processing. You can contact us so as to exercise this right.
Right to restriction of processing | Under certain circumstances, we may suspend processing activities – and you may also ask us to pause the processing of your personal data. In other words, we will keep your data, but won't further process it – and you can contact us so as to exercise this right.
Right to data portability | You may obtain your data from us so as to transfer it to another system: thus, we will provide you with a copy in a structured, commonly used format. You can contact us so as to exercise this right.
Right to object | In some circumstances, you have the right to object (*i.e., say that you don't – or no longer – agree with the processing and ask us to stop) to the processing of your personal data regarding your particular situation. This right applies to processing based on direct marketing purposes and, usually, to some other purposes (such as some legitimate interests).
Rights regarding automated decision making | You have the primary right not to be subject to activities only based on automated processing and whose decision has legal or relevant effects on you. However, whenever we carry out automated decision making (either because of a contract or because of your consent), you shall be able to be informed, express your point of view, challenge eventual decisions and obtain human intervention. You can contact us so as to gather further information.

By the way, if you want to know more about your rights, we suggest that you read the guidance provided by the Information Commissioner's Office of the United Kingdom, which is available online.

Lastly, if you are not happy with the way we are dealing with personal data, you may contact a supervisory authority: Pratham Kawrath - (+91 9840860998)

ABOUT YOUR PRIVACY

OUR PRIVACY MANAGER/DATA PROTECTION OFFICER

FOR FURTHER INFORMATION ABOUT US

In case you want to contact us, please feel free to do so:

AIESEC in India,

708 Ellora Fiesta,

Gaondevi Marg, Sector 11,

Sanpada, Navi Mumbai,

Maharashtra, India - 400614

it@aiesec.in

Pratham Kawrath,

Head of Marketing,

AIESEC in India,

pratham.kawrath@aiesec.in

[+91 9840860998]

REVIEW OF THIS POLICYWe keep this policy under regular review, so please check this page occasionally to ensure that you’re happy with any changes. This policy was last updated on 3rd July, 2021.

Privacy Notice - Members

AIESEC in India

Privacy Notice

Last Update: 3rd July, 2021

BASICS ABOUT US

(Video) AIESEC Values [AIESEC University, Tunisia]

COLLECTION AND USAGE OF PERSONAL DATA ABOUT YOU

The purposes of processing your personal data are having a way of contacting the members, as well as knowing better our talent, for HR analysis and to comply with the national and local laws of India and the legal basis for such activities is legitimate interest, legal obligation and vital interest. Personal data we process may include First Name, Surname, Phone Number, Email, Nationality, Background/Skills, College, Course/Year of study, Aadhar/PAN/Passport Scan, Birthdate, Permanent Address, Signature and Emergency Contact Details (Name, Surname, Phone Number, Relationship)

We gather your personal data via an online/offline form, filling a physical contract, or through our websites.

RETENTION OF PERSONAL DATA ABOUT YOU

We shall retain personal data for a maximum period of 3 years. You can request us to delete your data at any point by emailing us for the same at it@aiesec.in.

RECIPIENTS OF PERSONAL DATA ABOUT YOU

We process your details internally. However, we may disclose information about you to our partners, website intermediaries, third parties so as to improve your experience with AIESEC.

We may transfer information about you to other AIESEC entities and partners for purposes connected with the ones mentioned in this privacy notice or for the management of our business.

YOUR RIGHTS

You are guaranteed several rights, which are mentioned below:

Right to be informed | You have the right to be informed about the processing of your personal data. Thus, in order to make you able to make decisions regarding your privacy and have control over your personal data, we tell you why we need your personal data, what is the legal ground for processing it and every relevant detail regarding the processing activities, as you can see in this privacy policy.
Right to access | You have the right to access your own personal data and the right to receive relevant information regarding the processing of your personal data. Thus, you can ask us for a copy of the personal data we hold about you so that you can know if and what kind of personal data is being processed, why it is being processed and who is processing it, being able to enforce your rights. You can contact us so as to exercise this right.
Right to rectification | You have the right to have your personal data rectified/completed in case it is inaccurate/incomplete. You can contact us so as to exercise this right.
Right to erasure | In certain circumstances, you may request the erasure of personal data where there is no compelling reason for its continued processing. You can contact us so as to exercise this right.
Right to restriction of processing | Under certain circumstances, we may suspend processing activities – and you may also ask us to pause the processing of your personal data. In other words, we will keep your data, but won't further process it – and you can contact us so as to exercise this right.
Right to data portability | You may obtain your data from us so as to transfer it to another system: thus, we will provide you with a copy in a structured, commonly used format. You can contact us so as to exercise this right.
Right to object | In some circumstances, you have the right to object (*i.e., say that you don't – or no longer – agree with the processing and ask us to stop) to the processing of your personal data regarding your particular situation. This right applies to processing based on direct marketing purposes and, usually, to some other purposes (such as some legitimate interests).
Rights regarding automated decision making | You have the primary right not to be subject to activities only based on automated processing and whose decision has legal or relevant effects on you. However, whenever we carry out automated decision making (either because of a contract or because of your consent), you shall be able to be informed, express your point of view, challenge eventual decisions and obtain human intervention. You can contact us so as to gather further information.

By the way, if you want to know more about your rights, we suggest that you read the guidance provided by the Information Commissioner's Office of the United Kingdom, which is available online.

Lastly, if you are not happy with the way we are dealing with personal data, you may contact a supervisory authority: Pratham Kawrath - (+91 9840860998)

ABOUT YOUR PRIVACY

OUR PRIVACY MANAGER/DATA PROTECTION OFFICER

We have a Privacy Manager/Data Protection Officer who is responsible for matters regarding privacy and data protection. Thus, in case you have any questions regarding this policy and/or our privacy practices: Pratham Kawrath, 708 Ellora Fiesta, Gaondevi Marg, Sector 11, Sanpada, Navi Mumbai, Maharashtra, India - 400614: it@aiesec.in

FOR FURTHER INFORMATION ABOUT US

In case you want to contact us, please feel free to do so:

AIESEC in India,

708 Ellora Fiesta,

Gaondevi Marg, Sector 11,

Sanpada, Navi Mumbai,

Maharashtra, India - 400614

it@aiesec.in

Pratham Kawrath,

Head of Marketing,

AIESEC in India,

pratham.kawrath@aiesec.in

[+91 9840860998]

REVIEW OF THIS POLICYWe keep this policy under regular review, so please check this page occasionally to ensure that you’re happy with any changes. This policy was last updated on 3rd July, 2021.

(Video) Our Why, How, and What | The AIESEC Way

FAQs

What is AIESEC vision and mission? ›

We enable young people to develop their leadership through learning from practical experiences in challenging environment. We do this through cross cultural exchanges and by creating these opportunities. We place our confidence in youth as the key to unlock a better future.

What is the motto of AIESEC? ›

By doing what's right over what's easy, you develop leadership that demonstrates integrity.

Get More Info ›

What does AIESEC stand for? ›

AIESEC (pronounced eye-sek) was originally an acronym for Association Internationale des Étudiants en Sciences Économiques et Commerciales. AIESEC is no longer used as an acronym but simply as the name of the organisation. Members of AIESEC are known as “AIESECers.”

Discover More Details ›

What are the qualities of AIESEC? ›

There are four leadership qualities that AIESEC aims to develop in their members and future leaders. These are being Global citizens, self-awareness, solution oriented and empowering others.

See Details ›

What motivates you to join AIESEC? ›

AIESEC will provide you with a dynamic environment in which you will be able to apply your leadership abilities on a truly global scale, improve your skills, and challenge your own perspectives about yourself and the world around you. Are you looking for: A career-launching leadership experience?

Discover More ›

What are visions missions and values? ›

What is the difference between a mission, vision and values statement? Mission statements describe an organization's reason for existence, vision statements describe the ideal state that the organization wants to achieve, and values statements list the principles that guide and direct the organization and its culture.

Read The Full Story ›

What is the main goal of AIESEC? ›

AIESEC is aglobal platform for young people to develop their leadership potential through practical experiencesof many kinds, including internships, volunteering opportunities, and more. Founded in 1948, AIESEC is a non-governmental and not-for-profit organization entirely run by youth for youth.

Read On ›

Does AIESEC support Lgbtq? ›

AIESEC does not discriminate on the basis of ethnicity, gender, sexual orientation, religion or national/social origin. Since we were founded, we have engaged and developed over 1,000,000 young people through an AIESEC experience.

Get More Info ›

What are the symbols for AIESEC? ›

The company is publicly traded on the NASDAQ stock exchange under the ticker symbol CSOD.

Know More ›

What is the benefit of AIESEC? ›

AIESEC. Develop self-management and interpersonal skills through practical learning experiences to emerge as a well-rounded individual. Get an empowering & challenging environment where you can develop into a value-driven leader.

Discover More ›

Do you get paid in AIESEC? ›

Members don't get paid, but AIESEC does. The truth is that AIESEC does get paid by companies for the mediation of most of its internships.

Keep Reading ›

What are team standards in AIESEC? ›

What are Team Standards? In order for Team Standards to be delivered, there has to be a team, logical, right? By AIESEC standards (ha, get it, because we're talking about Team Standards), a team consists of 1 Team Leader and at least 2 Team Members and their experience as a team has to span for at least 2 months.

Get More Info Here ›

What is AIESEC value delivery? ›

VALUE DELIVERY refers to the third stage of the customer flow. In here, the young person transforms from being a lead to an actual customer. This is when the customer receives the value we offer which is LEADERSHIP DEVELOPMENT.

What is core AIESEC? ›

COVID-19: Current Safety Information. INT CORE. INT CORE is a company specialized in web and mobile solutions as well as digital marketing with the vision of achieving excellence and expanding their clients' online presence to connect the entire world by using their unique software technology.

Explore More ›

Why core values are important? ›

Core values are one piece of creating a repeatable, scalable system. They allow people in your organization to make good decisions on their own, by simply applying the values to new challenges that come along. Your core values will remove bottlenecks and empower individual growth across your organization.

Keep Reading ›

How do you explain core values? ›

What are core values? Core values are an individual or organization's fundamental beliefs and highest priorities that drive their behavior. You can think of core values as an internal compass of principles that drive a person's or organization's decisions.

Explore More ›

What is most important mission vision and core values? ›

Mission is the building block and vision is the fuel that drives you forward. Your core values are what keep you on track. Without adhering to a set of values, an organization runs the risk of falling apart.

Know More ›

What is the minimum age for AIESEC? ›

AIESEC programs are open to anyone from any background within the age of 18-30 years old. ARE THERE PROGRAMS AVAILABLE OUTSIDE FROM THE LISTED COUNTRIES?

Explore More ›

Does AIESEC pay for flights? ›

This is the only expense that AIESEC charges. – Visa and Flight Tickets – These are to be covered by you. You can choose the country most affordable for you according to your budget by consulting your Experience Manager.

Read On ›

Can I join AIESEC after graduation? ›

We are an independent, not-for-profit organisation run by students and recent graduates of institutions of higher education. Since we were founded in 1948, we have engaged and developed over 1,000,000 young people who have been through an AIESEC experience.

Learn More ›

What is the vision of AIESEC 2025? ›

The dream of building a leadership platform that can empower youth to become leaders, collaborate with organizations through long-term relationships to generate a positive impact on young people and society, and build a strong foundation for an AIESEC that can be truly timeless, this is what AIESEC 2025 means for us.

Explore More ›

What is the purpose of vision mission? ›

A Mission Statement is a definition of the company's business, who it serves, what it does, its objectives, and its approach to reaching those objectives. A Vision Statement is a description of the desired future state of the company. An effective vision inspires the team, showing them how success will look and feel.

Get More Info ›

What is mission vision and culture? ›

A mission statement is about the present, whereas the vision statement is about the future. A mission statement describes the organizational purpose and objectives including the quality of its products and services, whereas a vision statement is used to inspire employees to help achieve organizational goals.

Tell Me More ›

The Six Values of AIESEC - AIESEC (2023)

Privacy Notice - GENERAL DATA PROTECTION POLICY

AIESEC in India

Data Protection Policy

Last Updated: 5th May 2019

1. Introduction

1.1. General Statement

1.2. About this Policy

1.3. Main Definitions

2. Data Processing Principles

2.1. Lawfulness, Fairness and Transparency

2.1.1. Consent

2.2. Purpose Limitation

2.2.1. Information to Individuals

2.3. Data Minimisation

2.4. Accuracy

2.5. Storage Limitation

2.6. Integrity and Confidentiality

2.6.1. Data Security

2.6.2. Data Transfers

2.6.3. Disclosure of Personal Data

2.6.3.1 Rights of the Data Subject

2.6.3.2 Subject Access Requests

4.1. Guidance for the responsible for Subject Access Requests

4.1.1. Procedures upon receipt of a Subject Access Request

4.1.2. Procedures to respond to a Subject Access Request

4.1.2.1 Data Protection Officer

4.1.2.2 Participation in Data Protection

4.1.2.3 Data Breaches

4.1.2.4 Disclaimer

4.1.2.5 Alterations to this Policy

AIESEC in India Member - Retention Policy

Last Updated: 5th May 2019

PRIVACY

COLLECTION OF PERSONAL INFORMATION

INFORMATION USE

INFORMATION DISCLOSURE

INFORMATION RETENTION

INFORMATION SECURITY

Privacy Notice - GENERAL DATA PROTECTION POLICY

AIESEC in India

GDPR COMPLIANCE

Data Breach Management Procedure

Introduction

1. Scope, Purpose and Users

Reference

Definitions

Procedures

4.1. General Actions

4.1.1. Containment and Recovery

4.1.1.2. Contact Person

4.1.2. Assessment

4.1.3. Notification

4.1.3.1. Notification to the Supervisory Authority

4.1.3.2. Communication to Individuals

4.1.4. Evaluation and Response

4.1.4.1. Records of Data Breaches

Alterations to this Procedure

Questionnaire

Privacy Notice - Customers

Privacy Notice - Events

Privacy Notice - Members

FAQs

What is AIESEC vision and mission? ›

Do you get paid in AIESEC? ›

What is the vision of AIESEC 2025? ›

Videos