CITY HARVEST COMMUNITY SERVICES ASSOCIATION Data Protection Policy

1.    Introduction

1.1    City Harvest Community Services Association (“CHCSA”, “we”, “us” or “our”) takes the protection and proper use of your Personal Data seriously and are committed to protecting your Personal Data in our possession. We collect and process Personal Data in compliance with the Personal Data Protection Act (Act 26 of 2012) (the “PDPA”). The latest version of the PDPA is publicly accessible at the following URL: https://sso.agc.gov.sg/Act/PDPA2012.

1.2    This Policy applies to CHCSA, our initiatives and organisations that we may work with, both in official and unofficial capacities, in relation to the provision of services to you (our “Affiliated Organisations”), and sets out the processes and procedures in the handling of Personal Data (as defined under the PDPA) that we collect and hold, relating to our stakeholders, be it our members, clients, beneficiaries, volunteers, and all others who come into contact with us.

1.3    The following Policy is applicable to the use of the CHCSA website which may be accessed at the following URL: http://www.chcsa.org.sg/ (the “Website”).

2.     Personal Data

2.1    For the purposes of this Policy, “Personal Data” refers to all and any information relating to you and obtained by us, which we can use to identify or contact you, such as your name (first and last), home address, telephone number, religion, gender, race, language(s) spoken, emergency contact information, personal email address, date of birth, identification number (where required or allowed by law, or necessary), marital status, or the Personal Data of your family members, and any other information necessary to our purposes, which is voluntarily disclosed in the course of dealing with us. “Person” means an individual who (a) as contacted us through any means to find out more about any goods or services we provide, or (b) may enter or has entered into a contract with us for the supply of any products or services by us, or (c) has submitted a job or internship application with us.

2.2   We will treat your Personal Data as confidential and will accord the required level of care in accordance with our Policy and with the PDPA. Other terms used in this Notice shall have the meanings given to them in the PDPA where the context so permits.

2.3    All your Personal Data will be stored on our servers in Singapore, or the servers of internet-based cloud service providers. We will not store or transmit your personal data overseas or to such cloud service providers unless the recipient is legally bound to protect your personal data by a standard at least as onerous as the standard prescribed by the PDPA.

3.     Information we collect

3.1    As a general rule, we will collect Personal Data directly or indirectly from you or your authorised representative with the appropriate consent from you, as required under the PDPA. We may collect personal data from our members, volunteers, employees and other individuals such as job applicants. We would only collect data that has been provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after (i) you (or your authorised representative) have been notified of the purposes for which data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes, or (b) collection and use of personal data without consent is permitted or required by the PDPA or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).

3.2    The ways we collect information from you or your authorised representative include, but are not limited to the following:

• - When you sign up for or use our services.

• - When you are registered as a beneficiary/member with us.

• - When you are the Next-Of-Kin (NOK) or emergency contact of our beneficiary/member.

• - When you make a donation to us.

• - When you volunteer with us.

• - When you visit our premises.

• - When you contact us with your queries, requests or feedback.

• - When you attend an event organised by us (e.g. via registration for the event, or where photos and videos may be taken of you during the event).

• - When you apply for membership.

• - When you sign-up for newsletters or other communications with us.

• - When you submit your personal data for any other reason on your own initiative.

• - When you respond to our requests for Personal Data or otherwise.

3.3    From Cookies: A cookie is a small data file sent from a website to your browser that is stored on your device. Each website can send its own cookie to your browser if your browser's preferences allow it, but to protect your privacy your browser only permits a website to access the cookies it has already sent to you, and not the cookies sent to you by other sites. You can configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. (Each browser is different, so please check the "Help" menu of your browser to learn how to change your cookie preferences.)

3.4    Information Collected by and From Affiliated Organisations: From time to time, we may collaborate with or utilise the services of our Affiliated Organisations in the provision of our services and may also receive Personal Data collected by those Affiliated Organisations in the course of the collaboration or performance of their services for us or otherwise. Where this is the case, we will select reliable third-parties and processing will be subject to written agreements between us and the third-parties processing the data. These written agreements specify the rights and obligations of each party and will provide that the third party has adequate security measures in place and will only process Personal Data with our specific written instructions. 

3.5    In the event that you provide us with any information relating to a third party (e.g. information of your spouse, children, parents, and/or employees), you represent and warrant to us that you have sought for and obtained the consent of the relevant third party to provide us with their information for the respective purposes.

3.6    We reserve the right to collect your Personal Data without your consent only in accordance with the Second Schedule of the PDPA.

4.     How we use the information we collect

4.1    Depending on your relationship with us, we will generally use and/or process your Personal Data for various purposes, which include but are not limited to:

• - Verifying your identity and updating our records.

• - Developing, operating, improving, delivering and maintaining our services.

• - Providing a range of services (e.g. educational, medical, social) to you or to link you to our Affiliated Organisations or other service providers.

• - Conducting research and surveys in a community setting.

• - Sending you materials or updates relating to our events, activities or any services provided by us or our Affiliated Organisations.

• - Asking for and receiving payment from you.

• - Responding to your questions and resolving your complaints.

• - Publicising and promoting our events, activities, and services to the public-at-large by publishing on the Website or other promotional materials photographs and/ or videos that may be taken of you during events or activities organised by us or our Affiliated Organisations, or services delivered by us or our Affiliated Organisations.

• - Developing and training our staff, volunteers, and employees, and those of our Affiliated Organisations.

• - Carrying out polls, surveys, analysis, and research as well as soliciting feedback on how our services are being used and how we can improve them.

• - Furthering our services or those provided by our Affiliated Organisations by disclosing some but not all of your personal data (such as your name and email) (whether for no consideration or otherwise) to third-parties including government or public agencies, ministries, regulators, statutory boards, or similar authorities/agencies authorised to carry out specific government services or duties.

• - Performing such other functions or services as otherwise notified to you at the time.

4.2    We reserve the right to use your Personal Data without your consent only in accordance with the Third Schedule of the PDPA.

5.     Who we disclose your information to

5.1    We will not sell, trade or market your Personal Data with any other entity, or send mailings to you on behalf of other organisations unless you have given us specific permission to do so.

5.2    We may from time to time disclose your Personal Data to our Affiliated Organisations or other service providers as we deem necessary for the provision of smooth and effective provision of services to you. Notwithstanding the foregoing, we will not disclose your Personal Data to any other third-parties without first obtaining your consent except as otherwise required to facilitate your care or permitted by law, such as in the following circumstances:

• - In an emergency situation;

• - Where your Personal Data is publicly available data;

• - For the purposes of contacting the Next-Of-Kin or emergency contact of any injured, ill, or deceased individual; .

• - With your consent, where such disclosure is required for performing obligations in the course of or in connection with our provision of the goods or services requested by you; 

• - To comply with applicable laws, regulations, code of practice, guidelines or rules (e.g. in an emergency or when we receive a subpoena to disclose your personal data); or 

• - With your consent, to third party service providers, agents and other organisations we have engaged to perform any of the functions listed in Section 4 above for us. Any third parties engaged by us will be contractually bound to keep all personal data confidential.

5.3 You have the right of choice regarding the collection, usage and/or disclosure of your personal data. If you choose not to provide us with the personal data described in this Policy, we may not be able to perform our obligations as stated in this Policy. You have the right to object to the processing of your personal data and withdraw your consent in the manner described below. 

5.4 If you choose not to provide us with your personal data for the purposes listed in Section 4, you may submit a request in writing or via email to our Data Protection Officer at Section 17 or indicate in the personal data collection form submitted to us (if any). By choosing not to provide us with your personal data, depending on our relationship, we may not be able to provide services to you or process your job application. Depending on the complexity of the request and its impact to our relationship with you, we will not collect or, within thirty (30) days of our receipt of your request, cease using and/or disclosing your personal data in accordance with your request.

5.5 The purposes listed in Section 4 may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you). 

5.6 In the case where we receive unsolicited personal data via email or any other communication channels, the unsolicited personal data will not be retained and will be securely disposed of immediately. 

6.     Disclosure and transfer of information

6.1    By registering with us and/or using our services, you authorise us to use and disclose your information in Singapore, and transfer any of such information out of Singapore to other countries where we or our Affiliated Organisations or our/their respective service providers (including data storage service providers) operate for the purposes mentioned above in Section 4. We will at all times ensure that your information is transferred in accordance with this Policy and protected in accordance with any applicable laws on personal data protection (including, but not limited to, the PDPA).

7.     Protecting your Personal Data

7.1    The security of your information is of utmost importance to us. In connection with this, we have put in place security measures to protect your Personal Data from unauthorised access, use or disclosure and alteration of information under our control. 

7.2    Some of the measures we take to protect your Personal Data include:

• - Maintaining physical security over physical documents containing Personal Data such as by storing such physical documents in locked file cabinet systems.

• - Ensuring that any online documents are stored and secured on trusted third-party hosts.

• - Protecting our websites and other web applications which may be connected to any databases which contain your Personal Data.

• - Ensuring that our internal computer networks are secured by equipping them with security devices or software such as firewalls and anti-malware applications.

• - Preventing users without proper clearance from accessing the database and encrypting confidential or sensitive Personal Data.

• - Restricting employee access to physical or online documents containing Personal Data on a need-to-know basis.

• - Proper disposal of physical or online documents containing Personal Data that are no longer needed through shredding, deletion, reformatting or similar means.

• - Adhering to generally accepted industry standards to protect the information transmitted to us over the internet, both during transmission and upon receipt.

7.3 However, please note that no method of transmission over the internet, and/or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your information, we are unable to guarantee its absolute security. In the event of a personal data breach, we will endeavour to notify the affected parties no later than within 3 calendar day from when we become aware of the breach. 

7.4 If there is a need to disclose your Personal Data to third parties in line with the purposes mentioned in Section 5, we will ensure that they provide sufficient guarantees to us to have implemented the necessary security measures to protect your Personal Data. 

7.5 In particular, please note that we may utilise third party software in connection with the provision of our services or our Website and are unable to bear any responsibility and/or liability for any loss, misuse and/or alteration of information which may result from the use of any such third-party software. Further, you should be aware that we have no control over the security of other sites on the internet that you may visit or interact with even when a link to any such third party site appears on our Website.

8.     Children/Minors

8.1    We are especially concerned with the privacy and safety of children/minors when they use the internet. 

8.2    Should a child or a minor below 18 years of age provide us with information, parental consent and/or legal guardian consent (as the case may be) must first be obtained before the collection of such information.

8.3    If a child or a minor provides us with information without the requisite parental consent and/or legal guardian consent, the parent or legal guardian (as the case may be) may notify us, and we will delete such information from our records. 

9.    Accessing and updating your information

9.1 The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is withdrawn by you in writing. You may withdraw your consent and request us to stop using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer.

9.2 Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within ten (10) business days of receiving. Should we require more time to give effect to a withdrawal notice, we will inform you of the time frame by which the withdrawal of consent will take effect.

9.3 Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described in Section 5 above. 

9.4 Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted or required under applicable laws. 

10. Accessing and updating your information

10.1 Where you have provided Personal Data about yourself to us, the responsibility falls on you to provide us with accurate, not misleading, complete, and up-to-date information about yourself, and to update such Personal Data as and when such information becomes inaccurate, misleading, incomplete, or out-of-date.

10.2 In certain circumstances, it may be necessary for you to provide to us Personal Data about someone else. If this is the case, we rely on you to inform the said individual that you are providing his or her Personal Data to us, to obtain his or her consent to you providing us with his or her Personal Data, and to inform him or her about where he or she can find and obtain a copy of this Policy. It is important that he or she reads this Policy and agrees to the terms herein when giving his or her consent to the provision of his or her information to us.

10.3 In the event that you wish to:

1. 1. apply for a copy of the information we possess about you; or

2. 2. withdraw the consent you previously provided to us to use, collect, or disclose the information we hold about you,

Kindly contact our Personal Data Protection Officer whose contact details are set out in Section 17 below.

10.4 Please grant us a reasonable period of time to respond to any request received and to effect any requested changes. While processing your request, we may contact you to verify your identity and to ask for more information about your request. Where we are legally permitted to do so, we may refuse your request and may give you our reasons for doing so.

10.5 Where you have requested for a copy of the information we possess about you, we may charge you a reasonable administrative fee to cover the costs of responding to your request. If we decide to do so, we will provide you with a written estimate of such fee beforehand and obtain your consent to the fee before proceeding with your request.

11. Accuracy of Personal Data 

11.1 We will make every reasonable effort to ensure that personal data collected by us or on our behalf is accurate and complete. 

11.2 We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete, and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer at Section 17 below.  

12. Retention of Personal Data 

12.1 We may retain your personal data for as long as it is necessary to fulfil the purpose(s) for which it was collected, or as required or permitted by applicable laws. 

12.2 We dispose of or destroy such documents containing your personal data in a secure manner when the retention limit is reached and it is reasonable to assume that the permitted purpose is no longer being served by their retention. 

13. Cross-border Transfers of Personal Data 

13.1 Unless for business-related needs, we generally do not transfer your personal data to other jurisdictions. However, if we do so, we will obtain your consent for the transfer to be made and we will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA, including entering into an agreement with the receiving party to accord similar levels of data protection as those in Singapore. 

14. Data Breach Notification  

14.1 In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, we shall promptly assess the impact and if appropriate, report this breach within three (3) calendar days to the Personal Data Protection Commission (PDPC). We will notify you when the data breach is likely to result in significant harm to you after our notification to PDPC. We may also notify other relevant regulatory agencies, where required.  

15.    Legal Disclaimer

15.1 We may disclose Personal Data as and when required by law or on a good faith basis that such action is necessary in order to conform to the law or comply with any legal process served on us. Although we employ security precautions that we believe to be appropriate to protect your Personal Data, we do not guarantee that our security precautions will protect against, and we expressly disclaim any liability for, any loss, misuse, or alteration of your Personal Data.

16. Changes to this Policy

16.1 We reserve the right to make changes to this Policy at any time and all changes that have been made will be published here. Please check back frequently to view any updates or changes that have been made to this Policy. 

16.2 If we are of the opinion that a proposed change to this Policy is material, we will notify you of such change by posting a notice on the Website or by way of email. Please note that it is your responsibility to review and take note of the changes which we make to this Policy. 

16.3 At all times, your continued use of our services constitutes your acceptance of the updated Policy, as the case may be.

17. Contact us

17.1 If you have any questions, complaints, concerns or comments on our Policy, we welcome you to contact us by sending an email to dpo@chcsa.org.sg or by writing to us to 12 Pine Close, #01-85, Singapore 391012. In this regard, please include an appropriate subject header indicating what is the issue you are contacting us for, as this would assist us in attending to your email speedily by passing it on to the relevant staff in our organisation. For example, you could insert the subject header as "Accessing Personal Data".