1. Purpose

This Policy outlines how The Neutrals Organization (hereafter “the Organization”) collects, uses, stores, and protects personal data of Certified Neutrals, applicants, partners, and users of its digital platforms.
It reflects the Organization’s commitment to integrity, transparency, and compliance with global privacy standards, including the EU General Data Protection Regulation (GDPR), UK Data Protection Act, and Indian Information Technology Act (Reasonable Security Practices and Procedures) Rules.2. Scope

This Policy applies to all data processing activities conducted by or on behalf of the Organization, including:

• Certification applications and evaluations;

• Maintenance of the Global Registry of Certified Neutrals;

• Communications, newsletters, and updates;

• Online events, webinars, and professional exchanges;

• Partner relations, collaborations, and contractual engagements.

3. Definitions

Personal Data means any information relating to an identified or identifiable individual (e.g., name, contact details, qualifications, photograph, etc.).
Processing includes any operation performed on personal data such as collection, storage, use, disclosure, or deletion.
Data Subject refers to any individual whose data is processed by the Organization.
Controller means The Neutrals Organization, which determines the purposes and means of processing personal data.
Processor refers to third-party service providers engaged by the Organization for operational purposes (e.g., IT hosting, email management, etc.).

4. Principles of Data Protection

The Organization upholds the following core principles:

a. Lawfulness, Fairness, and Transparency — Personal data shall be processed fairly, transparently, and in accordance with applicable laws.
b. Purpose Limitation — Data shall be collected only for legitimate organizational purposes and not further processed in a manner incompatible with those purposes.
c. Data Minimization — Only the minimum necessary personal data shall be collected and retained.
d. Accuracy — All reasonable steps shall be taken to ensure data accuracy and timely updates.
e. Storage Limitation — Data shall be retained only as long as necessary for the purposes for which it was collected.
f. Integrity and Confidentiality — Appropriate technical and organizational measures shall protect data against unauthorized access, loss, or misuse.
g. Accountability — The Organization shall demonstrate compliance through proper documentation and internal governance.

5. Types of Data Collected

The Organization may collect and process the following categories of personal data:

• Identification details (name, title, date of birth, nationality);

• Professional details (organization, designation, qualifications, experience, expertise areas);

• Contact details (email, phone number, address);

• Application materials (CVs, statements, photographs);

• Certification and evaluation data;

• Financial or billing information (for certification fee processing);

• Communications (emails, correspondence, consent forms);

• Publicity data (authorized profile listings, sectoral bench publications, podcasts, or media materials).

6. Purpose of Data Processing

Personal data is processed for the following lawful purposes:

a. To evaluate applications and manage the certification process;
b. To maintain accurate records in the Global Registry of Certified Neutrals;
c. To communicate certification status, renewal reminders, and updates;
d. To administer events, learning programs, and digital community activities;
e. To issue certificates, verification letters, and professional listings;
f. To fulfill contractual, legal, or regulatory obligations;
g. To promote transparency and professional credibility in the dispute prevention and resolution ecosystem.

7. Legal Basis for Processing

Processing of personal data is based on one or more of the following lawful grounds:

• The data subject’s explicit consent (e.g., application forms, newsletters);

• Performance of a contract (e.g., certification, participation, or partnership);

• Compliance with a legal obligation;

• Legitimate interests pursued by the Organization, such as ensuring professional integrity and maintaining a credible registry.

8. Data Retention

• Data related to certification and Registry listings is retained for the duration of the certification and for a maximum of five (5) years thereafter for audit, verification, or re-certification purposes.

• Financial data is retained for seven (7) years as per accounting and statutory requirements.

• Personal data may be anonymized for statistical or research purposes after expiry of the retention period.

9. Data Security

The Organization employs appropriate administrative, technical, and physical safeguards to protect personal data from unauthorized access, alteration, disclosure, or destruction, including:

• Secure encrypted databases and servers;

• Restricted internal access and confidentiality undertakings;

• Regular audits and password-protected systems;

• Secure third-party hosting compliant with ISO 27001 or equivalent standards.

10. Data Sharing and Third-Party Access

a. The Organization does not sell or rent personal data.
b. Data may be shared only with:

• Certification evaluators and Board members (for application review);

• Authorized IT and administrative service providers;

• Partner institutions (with prior consent);

• Legal authorities, if required by law.
  c. All third parties are bound by confidentiality and data protection agreements.

11. Rights of Data Subjects

Every individual whose data is processed by the Organization has the following rights:

1. Right to Access — To request a copy of their data held by the Organization.

2. Right to Rectification — To request correction of inaccurate or incomplete data.

3. Right to Erasure — To request deletion of data under certain circumstances.

4. Right to Restrict Processing — To limit use of data in specific contexts.

5. Right to Data Portability — To receive their data in a structured, machine-readable format.

6. Right to Withdraw Consent — To withdraw consent at any time, without affecting lawfulness of prior processing.

7. Right to Lodge a Complaint — To contact the Organization or relevant supervisory authority regarding any data protection concern.

Requests may be sent to privacy@theneutrals.org and will be addressed within thirty (30) days.

12. Cross-Border Data Transfers

Given the Organization’s global operations, personal data may be transferred to other countries with appropriate safeguards in place.
All transfers comply with applicable legal requirements, ensuring equivalent data protection standards.

13. Data Breach Notification

In the event of a data breach posing risk to individuals’ rights or freedoms:

• The Organization shall notify affected individuals and relevant authorities within seventy-two (72) hours of becoming aware of the breach.

• A corrective action plan will be implemented immediately.

14. Use of Cookies and Website Analytics

The Organization’s website may use cookies and analytics tools to improve user experience.
Users may control cookie preferences via browser settings.
Analytics data is collected anonymously and used solely for website optimization.

15. Policy Updates and Amendments

This Policy is reviewed annually and may be updated periodically.
The latest version is always available at www.theneutrals.org/privacy.
Substantive changes will be communicated to all Certified Neutrals and partners.

16. Contact

For questions, requests, or concerns regarding data privacy and protection, please contact:

The Neutrals Organization
📧 privacy@theneutrals.org
🌐 www.theneutrals.org

17. Effective Date

This Policy takes effect on 1 January 2025 and supersedes all prior data privacy provisions or statements.

Issued by:
Data Protection & Compliance Office

The Neutrals Organization
www.theneutrals.org