Privacy notice – Protect Aid Workers

1.   Introduction

The Protect Aid Workers (PAW) mechanism provides protection, legal, psychosocial and financial assistance to humanitarian workers affected by security incidents, threats, or legal challenges due to their humanitarian work.

In this context, PAW processes personal data, including sensitive information, in high-risk environments. We are committed to ensuring that all personal data is handled following the General Data Protection Regulation (GDPR), with a strong focus on confidentiality, security, and risk mitigation.

This document explains how we process personal data, how we apply GDPR principles, and how individuals can exercise their rights.

It applies to humanitarian workers and related individuals benefiting from the PAW mechanism.

 

2.   Data Controller

The data controller is the organisation hosting the Protect Aid Workers mechanism.

All requests are handled confidentially and may be escalated, where necessary, to the designated Data Protection Officer in accordance with GDPR requirements.

 

3.   Purposes of processing

Personal data is processed for the following purposes:

  • Assessing and managing requests for assistance
  • Implementing and monitoring protection grants
  • Referring cases to specialised partner organisations (legal, MHPSS, protection, health)
  • Monitoring, evaluation and learning (MEAL), using anonymised or aggregated data where possible.
  • Ensuring accountability and donor reporting
  • Managing feedback, complaints and appeals (FCRM)

 

Each purpose is supported by a specific legal basis as described below.

 

4.   Legal Basis of the processing

Depending on the processing activity, PAW relies on the following legal bases:

  • 6(1)(e): Public interest (humanitarian protection mandate, where applicable under relevant legal frameworks)
  • 6(1)(d): Vital interests (protection of life and safety)
  • 6(1)(b): Contractual necessity (grant implementation)
  • 6(1)(c): Legal obligation (financial and reporting requirements)

For special category data (e.g. health, incident-related data):

  • 9(2)(c): Vital interests
  • 9(2)(g): Substantial public interest
  • 9(2)(a): Explicit consent (limited use)

Consent is not the primary legal basis for delivering assistance.

 

5.   Categories of Data Processed

PAW may process the following categories of data:

  • Personal identification data (name, contact details, etc.)
  • Professional information (organisation, role)
  • Incident-related information (context, risks, vulnerability)
  • Financial and administrative data (e.g. bank details)
  • Health and psychosocial information (where necessary)
  • Family or dependent information (where relevant)
  • Feedback and complaints data (FCRM)

The collection of sensitive data is strictly limited to what is necessary.

 

6.   Data Sharing

Personal data is shared strictly on a need-to-know basis, for defined purposes, and with appropriate safeguards. Recipients may include:

  • Authorised PAW staff
  • Members of the Vetting Committee (restricted access)
  • Partner organisations providing specialised support
  • External experts (e.g. medical consultants)
  • IT and service providers under contractual obligations

All service providers act as data processors under Article 28 of GDPR.

All data sharing is governed by confidentiality commitments and, where applicable, data sharing agreements.

 

7.   International Data Transfers

Personal data is primarily stored and processed within the European Union. Limited access may occur from:

  • United Kingdom
  • Switzerland

These countries benefit from GDPR adequacy decisions. Any other international transfer is strictly limited, justified, and safeguarded with appropriate guarantees, such as Standard Contractual Clauses.

 

8.   Data Retention

Personal data is retained only as long as necessary:

  • Case management data: up to 5 years after case closure
  • Financial data: retained longer where required by law.

Data is progressively restricted, anonymised, or deleted depending on operational, legal and donor requirements.

 

9.   How We Apply GDPR Principles

PAW applies the following core data protection principles:

  • Lawfulness and transparency: Processing is linked to clear humanitarian purposes.
  • Purpose limitation: Data is used only for assistance, accountability, and learning.
  • Data minimisation: Only strictly necessary data is collected.
  • Accuracy: Data is regularly reviewed and updated
  • Storage limitation: Data is not retained longer than necessary.
  • Integrity and confidentiality: Strong security measures are implemented.
  • Accountability: Internal documentation (DPIA, SOPs) ensures compliance

Given the sensitivity of the data processed, PAW applies a risk-based approach, prioritising the protection and safety of individuals.

 

10. Your Rights

Individuals have the right to:

  • Access their personal data.
  • Request correction of inaccurate data.
  • Request deletion of their data.
  • Restrict processing.
  • Data portability (where applicable)
  • Object to processing (where applicable)
  • Withdraw consent (where relevant)
  • File a complaint with a supervisory authority

 

11. How to Exercise Your Rights

Requests can be submitted:

All requests are:

  • Registered and tracked
  • Reviewed by the Data Protection Focal Point
  • Processed within legal deadlines (one month, unless complexity requires an extension)

Due to the sensitive nature of PAW activities, certain rights may be limited where necessary to protect individuals or ensure the integrity of the intervention.

 

12.        Data Security

PAW implements strong technical and organisational measures, including:

  • Role-based access control (need-to-know)
  • Secure systems (SharePoint, Baserow, encrypted communications)
  • Multi-factor authentication
  • Secure data transfers
  • Aggregation and anonymisation of data for analysis, with pseudonymisation applied where appropriate.
  • Controlled access to sensitive data

Personal data breaches are managed in accordance with GDPR notification requirements.

 

13.  Updates to this Notice

This notice may be updated to reflect changes in:

  • Legal requirements
  • Programme activities
  • Data processing practices

Updates will be published on the PAW website.

 

14. Contact

For any questions related to this notice or your personal data: meal@protectaidworkers.org