VšĮ “Our House Centre for Human Rights and Relief” (Lithuania)
Approved by: National Board
Updated: 2025-09-01
Review cycle: Annual (or earlier if legislation or practice changes)
Policy owner: Executive Director / Data Protection Officer (DPO)
Related policies: Code of Conduct; Whistleblowing & Complaints; Data Retention & Records Management; Information Security/IT; Procurement & Ethical Purchasing; Child Protection & Safeguarding; SEA Prevention & Response; Non‑Discrimination & DEI; Financial Policy; Fraud Response Plan.
1) Introduction & Controller Information
This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you interact with us—e.g., donate, subscribe to our newsletters, participate in our programmes, contact us, or use our websites (including ndbelarus.com).
Controller: VšĮ “Our House Centre for Human Rights and Relief” (Lithuania).
Contact for privacy matters: privacy@ndbelarus.com (or DPO below).
Registered address: Vilnius, Lithuania
DPO (to fill): Name, phone, email
We process personal data in line with the EU General Data Protection Regulation (GDPR) and applicable Lithuanian law.
2) What Data We Collect (Categories)
Depending on your interaction, we may process:
- Identity & contact data: name, surname, email, phone, postal/billing address.
- Donation & payment metadata: donation amount, currency, date/time, method, transaction status, donation intent (campaign). We do not store full card or bank credentials.
- Communication preferences: newsletter opt‑ins/opt‑outs, topics, language.
- Technical data: IP address, device/browser type, pages viewed, cookies/analytics events (see §10 Cookies & Analytics).
- Programme participation data: event registrations, accessibility/accommodation needs (where provided), feedback forms.
- Children’s data (limited): only where necessary for safeguarding/programme delivery and in accordance with law and our Safeguarding Policies.
- Special category data: not intentionally collected unless strictly necessary (e.g., accessibility needs) and processed with an appropriate lawful basis and safeguards.
3) Purposes & Legal Bases
We process personal data for the following purposes and legal bases under GDPR Art. 6 (and Art. 9 where applicable):
- Process donations and issue receipts; manage recurring gifts; acknowledge support.
  Legal bases: contract/performance, legal obligation (accounting/tax), legitimate interests (supporter stewardship, fraud prevention).
- Operate newsletters and updates you choose to receive; manage preferences.
  Legal bases: consent; legitimate interests (where permitted) for essential service emails.
- Programme/event administration, including registrations and accessibility arrangements.
  Legal bases: contract/performance, legitimate interests, consent (for specific accommodations).
- Respond to enquiries and complaints; measure service quality.
  Legal bases: legitimate interests.
- Compliance, audit, and fraud prevention (e.g., unusual activity screening).
  Legal bases: legal obligation, legitimate interests.
- Website operation, security, and analytics.
  Legal bases: legitimate interests (security, essential analytics) and consent (for non‑essential cookies/analytics/marketing).
We do not engage in automated decision‑making producing legal or similarly significant effects.
4) Payment Processing (Processors)
We use trusted third‑party payment processors for secure transactions, such as Stripe and PayPal, and a donation management plugin (e.g., GiveWP) integrated with those processors. These providers act as processors (or independent controllers for certain activities) and handle your payment credentials directly under their own privacy terms. We receive transaction metadata (amount, date, status) but no full card/bank details.
5) Data Sharing & Recipients
We do not sell or rent personal data. We may share data with:
- Service providers/processors acting on our instructions (e.g., payment, email/newsletter, IT hosting, analytics, event tools) under data‑processing agreements.
- Professional advisors/insurers (legal, audit) under confidentiality.
- Public authorities/regulators where required by law or to protect rights/safety.
- Partner organizations strictly for joint activities you choose to join, with transparency and appropriate safeguards.
6) International Data Transfers
Some processors may process data outside the EU/EEA (e.g., the United States). Where such transfers occur, we rely on an applicable transfer mechanism (e.g., EU–US Data Privacy Framework participation, Standard Contractual Clauses, and supplementary measures as needed).
7) Data Retention
We keep personal data only as long as necessary for the purpose, legal requirements, and our legitimate interests:
- Donations/transactions: typically 10 years (accounting/tax rules).
- Newsletter records: until you unsubscribe or your account becomes inactive for a defined period.
- Supporter enquiries: typically 3 years after closure.
- Website logs/security data: up to 12 months unless needed longer for security/legal purposes.
- Programme/event files: typically 5 years (or as contractually required).
See Annex C – Retention Schedule for details.
8) Your Rights (GDPR)
You may have the right to access, rectify, erase, restrict, object to processing, data portability, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with the State Data Protection Inspectorate in Lithuania. We will respond to verified requests within one month (extendable where permitted).
How to exercise your rights: use Annex A – Data Subject Request (DSR) Form or email privacy@ndbelarus.com. We may need to verify your identity.
9) Security Measures
We employ appropriate technical and organizational measures: encrypted connections (TLS/SSL); strong access controls and role‑based permissions; secure configuration and backups; staff training; data minimisation; retention controls; vendor due diligence; incident response and breach procedures.
In case of a personal data breach likely to result in a risk to individuals, we will notify the supervisory authority within 72 hours and affected individuals where required by law.
10) Cookies, Analytics & Similar Technologies
We use cookies and similar technologies to operate our sites, remember preferences, measure traffic, and improve content.
- Essential cookies: required for site functionality and security.
- Analytics cookies: help us understand site usage; set only with your consent.
- Marketing/third‑party cookies: used only where applicable and only with your consent.
You can manage preferences via our Cookie Banner/Manager and your browser settings. See Annex D – Cookie Notice for details (categories, retention, providers).
11) Email, Newsletters & Communications
We send newsletters only if you opt‑in (or as otherwise permitted by law). You can unsubscribe at any time via the link in each email or by contacting us. We may send service messages (e.g., donation receipts, policy updates) that are not marketing.
12) Children’s Privacy
Our public websites and donation forms are not directed to children. We do not knowingly collect data from children without appropriate consent as required by law. Where our programmes involve children, we apply our Child Protection and SEA Policies and obtain the necessary consents from parents/guardians.
13) Links to Other Sites & Social Media
Our sites may contain links to third‑party websites or social media platforms. We are not responsible for their privacy practices. Please review their privacy notices.
14) Changes to this Policy
We may update this Policy from time to time. The “Updated” date above indicates the latest version. Significant changes will be communicated via our website or email where appropriate.
15) Contact Us
Questions or requests regarding privacy:
- Email: privacy@ndbelarus.com (or the DPO contact once designated)
- Postal: VšĮ Tarptautinis pilietinių iniciatyvų centras „Mūsų namai“, Vilnius, Lithuania
- Website: ndbelarus.com
Annexes (Templates)
Annex A — Data Subject Request (DSR) Form
- Requester name/contact; relationship to Organization; request type (access/rectify/erase/restrict/object/portability/withdraw consent); details; ID verification check; response channel; deadline (1 month); handler and decision notes.
Annex B — Processor & Recipient Register
- Service; provider; country; role (processor/controller); data categories; legal basis; transfer mechanism; DPA/SCCs; retention; security summary; last review.
Annex C — Data Retention Schedule (summary)
- Donations/transactions – 10 years;
- Newsletters – until unsubscribe/inactive;
- Enquiries/support – 3 years;
- Programme files – 5 years;
- Website logs – 12 months;
- HR/finance records – per Finance/HR policies;
- Case files (safeguarding/SEA) – per Safeguarding Policies.
Annex D — Cookie Notice
- Categories (essential/analytics/marketing); examples; default durations; how to manage consent; link to Cookie Manager; third‑party providers (analytics/email/embedded media) with purposes.
Annex E — Breach Response Checklist (72‑Hour Plan)
- Detect & assess; contain; preserve evidence; notify DPO; risk evaluation; authority notification decision; data subject notification decision; remedial actions; lessons learned; update registers.
Annex F — Privacy Notice for Donors & Supporters (short form)
- Who we are; what we collect; purposes/legal bases; sharing; transfers; retention; rights; contact/unsubscribe; link to full Policy.
Annex G — Record of Processing Activities (ROPA) Outline
- Purpose; data categories; subjects; recipients; transfers; retention; security; lawful bases; DPIA flag; controller/processor roles.
Annex H — DPIA Trigger Questions
- Large‑scale processing? Special category data? Vulnerable groups? Innovative tech? Cross‑border transfers? Systematic monitoring? If “yes”, conduct DPIA.
