Privacy Policy

Categories of Personal Data Processed
PHID may process the following categories of personal data, depending on the context of engagement:
 

• Identification data, including full name, email address, telephone number, country of residence, and institutional affiliation.

• Professional data, including curriculum vitae, academic and professional history, areas of expertise, and project involvement.

• Research participation data, including interview transcripts, survey responses, workshop participation records, consultation inputs, and co-creation contributions.

• Technical data, including IP address, browser type, device information, and website interaction data collected through cookies or analytics tools.

• Financial and contractual data, including donation records, payment confirmations, and contractual information related to services.
   

In specific research or inclusion-related contexts, PHID may process special categories of personal data within the meaning of Article 9 GDPR, such as racial or ethnic origin, health data, gender identity, or political opinions. Such processing occurs only where explicit consent has been obtained, or where processing is necessary for scientific research purposes subject to appropriate safeguards, and always in accordance with applicable legal provisions.

Purposes and Legal Bases for Processing
Personal data is processed strictly for specified, explicit, and legitimate purposes. PHID processes personal data for research and policy innovation initiatives, advisory and consulting services, recruitment and institutional management, fellowship and volunteer coordination, contractual administration, compliance with legal obligations, and communication activities.

Processing is based on one or more lawful bases under Article 6 GDPR, including consent, performance of a contract or pre-contractual measures, compliance with a legal obligation, legitimate interests, public interest, or scientific research purposes. Where processing is based on legitimate interests pursuant to Article 6(1)(f) GDPR, PHID conducts a balancing assessment to ensure that such interests do not override the fundamental rights and freedoms of data subjects. Processing of special categories of data is conducted in accordance with Article 9 GDPR and corresponding provisions under LGPD.

Data Protection by Design and by Default
In accordance with Article 25 GDPR, PHID implements appropriate technical and organizational measures to ensure that data protection principles are integrated into all processing activities.This includes limiting data collection to what is necessary for the intended purpose, restricting access based on role and necessity, implementing pseudonymization or anonymization where appropriate, and assessing risks prior to initiating high-risk processing activities.
Privacy considerations are embedded into research design, digital platforms, advisory methodologies, and institutional governance structures.

Data Retention
Personal data is retained only for the period necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to exercise or defend legal claims, or to maintain justified institutional records. Where possible, personal data used for research or archival purposes is anonymized in accordance with Article 89 GDPR and applicable safeguards.
Retention periods are reviewed periodically to ensure compliance with the storage limitation principle.

Recipients of Personal Data
Personal data may be disclosed to carefully selected third parties where necessary and lawful.
Such recipients may include contracted service providers (including IT infrastructure and communication platforms), institutional partners engaged in collaborative initiatives, and regulatory authorities where disclosure is required by law.
All processors engaged by PHID are subject to contractual agreements compliant with Article 28 GDPR, ensuring confidentiality, security, and lawful processing.

International Transfers
Given PHID’s international activities, personal data may be transferred outside the European Economic Area. Where such transfers occur, PHID implements appropriate safeguards in accordance with Chapter V GDPR. These may include the use of Standard Contractual Clauses, reliance on adequacy decisions where applicable, supplementary technical measures, and, where required, transfer impact assessments.
Transfers are conducted only where an appropriate level of protection is ensured.
 
Security of Processing
In accordance with Article 32 GDPR, PHID implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include secure cloud infrastructure, encryption where appropriate, role-based access controls, confidentiality agreements, regular internal data protection training, and incident detection and response mechanisms.
Security measures are reviewed periodically and adjusted based on evolving risk assessments.

Personal Data Breach Procedures
In the event of a personal data breach, PHID follows procedures aligned with Articles 33 and 34 GDPR.
Where required, the competent supervisory authority will be notified within seventy-two hours of becoming aware of the breach. Where the breach is likely to result in high risk to individuals’ rights and freedoms, affected data subjects will be informed without undue delay.
Corrective and mitigation measures are implemented promptly to limit potential impact.

Rights of Data Subjects
Under GDPR and LGPD, data subjects have the right to obtain confirmation of processing, access their personal data, request rectification of inaccurate or incomplete data, request erasure, restrict processing, request data portability, object to processing, withdraw consent at any time where processing is based on consent, and request review of decisions based solely on automated processing where applicable.

Requests to exercise these rights may be submitted using the contact details provided below.
PHID responds to such requests within the timeframes established by applicable law.

Automated Decision-Making
PHID does not engage in solely automated decision-making, including profiling, that produces legal or similarly significant effects without meaningful human involvement.
 
Accountability and Governance
PHID maintains internal accountability mechanisms to ensure compliance with data protection obligations.
These include maintaining appropriate records of processing activities where required, conducting risk assessments for high-risk processing, implementing contractual safeguards with processors, and periodically reviewing data protection practices.

Supervisory Authorities
Data subjects located within the European Union have the right to lodge a complaint with a competent supervisory authority in their Member State of residence, place of work, or place of alleged infringement.
Data subjects located in Brazil may submit complaints to the Autoridade Nacional de Proteção de Dados (ANPD).
 
Changes to our privacy policy
PHID keeps its privacy policy under regular review and places any updates on this web page.
This privacy policy was last updated on 21 May 2026.

Contact information
For inquiries regarding this privacy and data protection policy or to exercise data subject rights, please contact: info@phid.org