Winrock is dedicated to protecting the personal data of our donors, beneficiaries, employees, partners, vendors and service providers from unauthorized access, use, disclosure, modification or loss. Personal data is any information that identifies or can be used to identify an individual, or that relates to an identifiable individual. It includes the name of an individual or organization (whether an employee, funder, beneficiary, contractor, or other) together with any of the following: 

Collection, Notice, and Choice  

When Winrock collects personal data, it is our policy to provide notice to the individual from whom it is collected and to describe the types of data collected, how we may collect it, how we will use it and with or to whom we share or disclose it. Winrock seeks to collect only the minimum amount of personal data reasonably necessary to accomplish the purpose(s) for which it was collected, as described in the applicable notice to the individual from whom it was collected. 

We provide individuals with choices regarding our collection, use and disclosure of their personal data and explain those choices in the privacy notice provided or otherwise made available to them, and/or in additional statements describing the collection, use and disclosure of their personal data. In some instances, the collection, use or disclosure of personal data may require express, opt-in consent.

Data Integrity and Access

Winrock relies on individuals to provide accurate, complete and current personal data to us. We take reasonable steps to maintain accurate, complete and current personal data as required to accomplish the purpose(s) for which it was collected, including reviewing and updating Winrock’s personal data controls. We allow individuals reasonable access to their personal data to verify and correct it where it is inaccurate. In some instances, Winrock may refuse access to personal data or certain requests with respect to it, consistent with applicable law.

Use and Disclosure 

Personal data is processed only for the purpose(s) for which it was collected. 

Winrock uses technical and organizational security measures to limit access to and processing of personal data to authorized Winrock personnel, partners, vendors and service providers who require access for the performance of their obligations to us and in accordance with the purpose(s) for which it was collected.  

Personal data is disclosed only to those third parties (including our partners, vendors and service providers) who agree to: (a) comply with applicable data protection and privacy laws; (b) implement and maintain appropriate technical and organizational security measures to safeguard such personal data; and (c) collect, use and disclose such personal data solely in accordance with practices substantially equivalent to those described in our internal and external privacy and information systems and security policies and procedures. We disclose personal data when we believe it is necessary to protect Winrock, such as to investigate, prevent or take action regarding illegal activity, suspected fraud or other wrongdoing and as necessary or appropriate (a) under applicable law; (b) to comply with legal process; (c) to respond to requests from public and government authorities.  

When transferring personal data, either internally among our employees/within our networks or externally to third parties, Winrock transfers such data in compliance with applicable laws and will utilize data transfer agreements when required and appropriate technical and organizational security measures to safeguard the personal data.

Retention and Disclosure 

In accordance with the Records Management Policy, personal data is retained only as long as is necessary for the purpose(s) for which it was collected, unless otherwise required by the Records Management Policy or by law.  Personal data is destroyed in accordance with the Records Management Policy and contractual/legal requirements.

Winrock protects personal data by implementing appropriate administrative, technical, physical and contractual safeguards to prevent unauthorized access to, or use or disclosure of, personal data. Vendors and service providers who process personal data on our behalf agree to contractual terms that require them to implement appropriate security measures to safeguard this data.  

Such controls and security measures are designed to: 

IT and other appropriate Winrock staff will respond to reports of incidents in accordance with Winrock’s incident response plan.  
