Privacy notice – Protect Aid Workers
1. Introduction
The Protect Aid Workers (PAW) mechanism provides protection, legal, psychosocial and financial assistance to humanitarian workers affected by security incidents, threats, or legal challenges due to their humanitarian work.
In this context, PAW processes personal data, including sensitive information, in high-risk environments. We are committed to ensuring that all personal data is handled following the General Data Protection Regulation (GDPR), with a strong focus on confidentiality, security, and risk mitigation.
This document explains how we process personal data, how we apply GDPR principles, and how individuals can exercise their rights.
It applies to humanitarian workers and related individuals benefiting from the PAW mechanism.
2. Data Controller
The data controller is the organisation hosting the Protect Aid Workers mechanism.
- General inquiries: hotline@protectaidworkers.org
- Data protection: meal@protectaidworkers.org
All requests are handled confidentially and may be escalated, where necessary, to the designated Data Protection Officer in accordance with GDPR requirements.
3. Purposes of processing
Personal data is processed for the following purposes:
- Assessing and managing requests for assistance
- Implementing and monitoring protection grants
- Referring cases to specialised partner organisations (legal, MHPSS, protection, health)
- Monitoring, evaluation and learning (MEAL), using anonymised or aggregated data where possible.
- Ensuring accountability and donor reporting
- Managing feedback, complaints and appeals (FCRM)
Each purpose is supported by a specific legal basis as described below.
4. Legal Basis of the processing
Depending on the processing activity, PAW relies on the following legal bases:
- 6(1)(e): Public interest (humanitarian protection mandate, where applicable under relevant legal frameworks)
- 6(1)(d): Vital interests (protection of life and safety)
- 6(1)(b): Contractual necessity (grant implementation)
- 6(1)(c): Legal obligation (financial and reporting requirements)
For special category data (e.g. health, incident-related data):
- 9(2)(c): Vital interests
- 9(2)(g): Substantial public interest
- 9(2)(a): Explicit consent (limited use)
Consent is not the primary legal basis for delivering assistance.
5. Categories of Data Processed
PAW may process the following categories of data:
- Personal identification data (name, contact details, etc.)
- Professional information (organisation, role)
- Incident-related information (context, risks, vulnerability)
- Financial and administrative data (e.g. bank details)
- Health and psychosocial information (where necessary)
- Family or dependent information (where relevant)
- Feedback and complaints data (FCRM)
The collection of sensitive data is strictly limited to what is necessary.
6. Data Sharing
Personal data is shared strictly on a need-to-know basis, for defined purposes, and with appropriate safeguards. Recipients may include:
- Authorised PAW staff
- Members of the Vetting Committee (restricted access)
- Partner organisations providing specialised support
- External experts (e.g. medical consultants)
- IT and service providers under contractual obligations
All service providers act as data processors under Article 28 of GDPR.
All data sharing is governed by confidentiality commitments and, where applicable, data sharing agreements.
7. International Data Transfers
Personal data is primarily stored and processed within the European Union. Limited access may occur from:
- United Kingdom
- Switzerland
These countries benefit from GDPR adequacy decisions. Any other international transfer is strictly limited, justified, and safeguarded with appropriate guarantees, such as Standard Contractual Clauses.
8. Data Retention
Personal data is retained only as long as necessary:
- Case management data: up to 5 years after case closure
- Financial data: retained longer where required by law.
Data is progressively restricted, anonymised, or deleted depending on operational, legal and donor requirements.
9. How We Apply GDPR Principles
PAW applies the following core data protection principles:
- Lawfulness and transparency: Processing is linked to clear humanitarian purposes.
- Purpose limitation: Data is used only for assistance, accountability, and learning.
- Data minimisation: Only strictly necessary data is collected.
- Accuracy: Data is regularly reviewed and updated
- Storage limitation: Data is not retained longer than necessary.
- Integrity and confidentiality: Strong security measures are implemented.
- Accountability: Internal documentation (DPIA, SOPs) ensures compliance
Given the sensitivity of the data processed, PAW applies a risk-based approach, prioritising the protection and safety of individuals.
10. Your Rights
Individuals have the right to:
- Access their personal data.
- Request correction of inaccurate data.
- Request deletion of their data.
- Restrict processing.
- Data portability (where applicable)
- Object to processing (where applicable)
- Withdraw consent (where relevant)
- File a complaint with a supervisory authority
11. How to Exercise Your Rights
Requests can be submitted:
- By email to: meal@protectaidworkers.org
- Through PAW staff (Case Manager or focal point)
All requests are:
- Registered and tracked
- Reviewed by the Data Protection Focal Point
- Processed within legal deadlines (one month, unless complexity requires an extension)
Due to the sensitive nature of PAW activities, certain rights may be limited where necessary to protect individuals or ensure the integrity of the intervention.
12. Data Security
PAW implements strong technical and organisational measures, including:
- Role-based access control (need-to-know)
- Secure systems (SharePoint, Baserow, encrypted communications)
- Multi-factor authentication
- Secure data transfers
- Aggregation and anonymisation of data for analysis, with pseudonymisation applied where appropriate.
- Controlled access to sensitive data
Personal data breaches are managed in accordance with GDPR notification requirements.
13. Updates to this Notice
This notice may be updated to reflect changes in:
- Legal requirements
- Programme activities
- Data processing practices
Updates will be published on the PAW website.
14. Contact
For any questions related to this notice or your personal data: meal@protectaidworkers.org