UNESCO’s Principles on Personal Data Protection and Privacy
UNESCO is committed to processing personal data in an accountable, non-discriminatory, and gender-sensitive manner. As a Specialized Agency of the United Nations, and bearing in mind its Privileges and Immunities, national or regional data protection legislation is not applicable to UNESCO.
UNESCO defines ‘personal data’ as any information relating to an individual (data subject) who can be identified from that data, either directly or indirectly, by reference to this data and reasonably likely measures, and which is processed by or on behalf of UNESCO in carrying out its mandated activities. UNESCO uses the term ‘data processing’ to describe any operation or set of operations that is performed on any personal data or non-personal sensitive data, whether or not by automated means, including collection, storage, use, transfer and erasure.
Nothing in or relating to the Principles on Personal Data Protection and Privacy (hereafter, the Principles) shall constitute a waiver, express or implied, of any of the privileges and immunities of UNESCO, pursuant to the 1947 Convention on the Privileges and Immunities of the Specialized Agencies and Annex IV thereof, or otherwise.
The Principles are based on the Principles on the Protection of Personal Data and Privacy for the UN System Organizations endorsed by UNESCO and formally adopted by the High Level Committee on Management at its 36th Meeting on 11 October 2018 (https://www.unsystem.org/privacy-principles).
Fair and Legitimate Processing
UNESCO should process personal data in a fair manner, in accordance with its mandate and governing instruments and on the basis of any of the following:
- the consent of the data subject;
- the best interests of the data subject, consistent with the mandate of UNESCO; or,
- the mandate and governing instruments of UNESCO.
Personal data should be processed for specified purposes, which are consistent with the mandate of UNESCO and take into account the balancing of relevant rights, freedoms and interests. Personal data should not be processed in ways that are incompatible with such purposes.
Proportionality and Necessity
The processing of personal data should be relevant, limited and adequate to what is necessary in relation to the specified purposes of personal data processing.
Personal data should only be retained for the time that is necessary for the specified purposes.
Personal data should be accurate and, where necessary, up-to-date to fulfill the specified purposes.
Personal data should be processed with due regard to confidentiality.
Appropriate organizational, administrative, physical and technical safeguards and procedures should be implemented to protect the security of personal data, including against or from unauthorized or accidental access, damage, loss or other risks presented by data processing.
Processing of personal data should be carried out with transparency to the data subjects, as appropriate and whenever possible. This should include, for example, provision of information about the processing of their personal data as well as information on how to request access, verification, rectification, and/or deletion of that personal data, insofar as the specified purpose for which personal data is processed is not frustrated.
In carrying out its mandated activities, UNESCO may transfer personal data to a third party, provided that, under the circumstances, UNESCO satisfies itself that the third party affords appropriate protection for the personal data.
UNESCO should have adequate guidelines and mechanisms in place to adhere to these Principles.
The Executive Office, Sector for Administration and Management, is the focal point for data privacy issues, and the designated Data Protection and Privacy Officer provides advice to ensure that personal data is processed in accordance with these Principles.
Should you have any questions or concerns about the protection or processing of your personal data by UNESCO, please contact email@example.com.