Effective Date: January 15, 2025
Last Updated: October 13, 2025

Embark Project PRIVACY POLICY

Embark Project is implemented by Mikado Impact

Introduction

At Mikado Impact BV, we place the highest importance on protecting the personal data of all individuals who interact with our organization, including program participants, business partners, employees, and visitors to our website. This Privacy Policy explains how personal data is collected, used, shared, and protected in accordance with the European Union General Data Protection Regulation (GDPR) 2016/679.

Our Corporate Identity

Mikado Impact BV is a social impact organization headquartered in the Netherlands, operating in the fields of sustainability, inclusivity, and capacity development. Through programs such as the Embark Project, we contribute to meaningful social change across communities.

Our registered office address: Fluwelen Burgwal 582511 CJ Den Haag, Netherlands

For inquiries regarding data protection, you may contact our Data Protection Officer through the following channels:

Email:privacy@mikadoimpact.com

Scope and Applicability

This Privacy Policy applies exclusively to the personal data of natural persons with whom Mikado Impact BV engages in direct interaction, such as individual participants, applicants, employees, and visitors. It does not extend to legal entities or anonymized or aggregated data. Data processed in the context of contractual relationships with organizations is excluded from this policy unless otherwise stated.

For the purposes of this policy, “data subject” shall exclusively refer to identifiable natural persons with whom Mikado Impact BV has an active and verifiable relationship. General public inquiries, media actors, or anonymous individuals are not considered data subjects unless a clear basis for processing exists.

Categories of Personal Data Collected

In the course of our activities, we collect personal data in the following categories:

  • Identity information (name, surname, date of birth)
  • Contact details (email address, telephone number, postal address)
  • Demographic information (age, gender, nationality, languages spoken)
  • Program participation data (application forms, workshop attendance records, evaluation results, professional and personal development results related to program participation)
  • Audio-visual materials (photographs, videos, participant testimonials – collected with consent)
  • Education and professional background
  • Digital interaction data (IP address, browser information, cookie records)

Purposes of Data Processing

Your personal data is processed for the following purposes:

  • Planning, conducting, and evaluating mentorship, professional and personal development and workshop programs
  • Assessing program applications and facilitating participant matching for mentorship and related activities
  • Documenting program impact and sharing success stories
  • Reporting to funding bodies such as European Union institutions and private foundations
  • Fulfilling our legal obligations and meeting audit requirements
  • Enhancing service quality and improving user experience
  • Conducting statistical analyses and research activities

Where appropriate and in accordance with Article 6(4) GDPR, Mikado Impact BV may process personal data for purposes compatible with those originally stated, including research, impact measurement, archival, monitoring, or future program development purposes. In such cases, the data will be pseudonymized or anonymized where feasible, and any further use will remain in line with data minimization and purpose limitation principles.

Data processing activities within Mikado Impact BV projects, including those funded by third parties, are carried out in accordance with Mikado’s internal data protection framework. Unless a formal joint controller agreement exists, funders or donors do not influence the processing conditions or purposes.

For the purposes of this Policy, “anonymized data” refers to data that has been processed using industry-standard techniques such as irreversible aggregation, ensuring that no individual can be identified. Such data falls outside the scope of the GDPR as per Recital 26.

Legal Bases for Processing

We process your personal data based on the following legal grounds:

  • Explicit Consent (GDPR Article 6(1)(a)):Particularly for sensitive data and marketing activities
  • Performance of Contract (GDPR Article 6(1)(b)):For program participation and service delivery
  • Legal Obligation (GDPR Article 6(1)(c)):For tax and accounting records
  • Legitimate Interest (GDPR Article 6(1)(f)):For security and service improvement purposes

Mikado Impact BV has conducted a Legitimate Interest Assessment (LIA) to ensure that the processing activities based on Article 6(1)(f) do not override the fundamental rights and freedoms of data subjects. The results of such assessments are documented and reviewed periodically.

Data Sharing and Transfers

Your personal data may be shared, to the extent required by our activities and within legal boundaries, with the following parties:

  • Service Providers We work with third-party service providers under data processing agreements. These collaborations are conducted under strict protocols that ensure the security of your data.
  • Business Partners Data necessary for project implementation is shared with our project partners, including Mikado Consulting and local non-governmental organizations, solely within the scope of project delivery.
  • Funding Organizations Reports to funding bodies are typically provided in anonymized or aggregated format.
  • Legal Authorities In cases of legal obligation, data may be shared with competent public institutions and regulatory authorities. Your data is not transferred outside the European Economic Area. Should such a transfer become necessary, appropriate safeguards will be implemented. Mikado Impact BV may collaborate with external stakeholders such as implementing partners, funders, mentors, evaluators, or cloud service providers. Each party remains independently responsible for their own data processing practices. Mikado does not assume liability for the processing of personal data by such stakeholders unless acting as a joint controller under Article 26 GDPR, in which case a specific joint controller agreement will be concluded in accordance with Article 26 GDPR, and transparency obligations will be fulfilled jointly by the parties involved. Where data transfer outside the European Economic Area becomes necessary, Mikado ensures the implementation of appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or adequacy decisions under Article 45 of the GDPR. Transfers shall only occur when the receiving party provides sufficient guarantees to uphold EU-level data protection standards.
  • Responsibility After Transfer Once personal data is lawfully transferred to an authorized third party (e.g. implementing partner, data processor, funding body), Mikado Impact BV shall not be held responsible for any subsequent unauthorized use or breach by that party, unless such breach was directly caused by Mikado’s failure to implement appropriate safeguards.

Data Retention Periods

Your personal data is retained only for the period necessary for processing purposes:

  • Unsuccessful program applicants: 12 months
  • Program participants: Up to 10 years
  • Audio-visual materials: Up to 10 years with consent
  • Compliance documents: 7-10 years (in accordance with legal requirements)
  • Website interaction data: 2 years

Upon expiration of retention periods, your data is securely deleted or irreversibly anonymized.

Once personal data has been deleted or irreversibly anonymized upon expiration of its retention period, Mikado Impact BV is no longer able to fulfill any data subject rights concerning that data. This includes rights of access, rectification, and erasure.

Consent for the use of photographs and video materials is obtained through a signed or digital release form that clearly states the scope, purpose, and duration of use. Individuals may withdraw such consent at any time by contacting privacy@mikadoimpact.com, after which the relevant materials will be withdrawn from future publications and uses within Mikado’s direct control, unless required for legal archiving. Please note that complete removal from publicly distributed materials or third-party platforms may not always be technically feasible. Mikado will make reasonable efforts to remove such materials from future use and official Mikado platforms. Complete deletion from third-party systems or publicly distributed channels (e.g. shared media or publications) may not be possible.

Rights of Data Subjects

Under the GDPR, you have the following rights:

  • Right to Information:To know whether your personal data is being processed
  • Right of Access:To request access to your processed data
  • Right to Rectification:To request correction of inaccurate or incomplete data
  • Right to Erasure:To request deletion of your data under certain conditions
  • Right to Restriction:To request limitation of data processing
  • Right to Object:To object to processing based on legitimate interest
  • Right to Data Portability:To receive your data in a structured format
  • Right to Withdraw Consent:To withdraw your consent at any time
  • Right to Lodge a Complaint:To file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

To exercise your rights, you may contact us at privacy@mikadoimpact.com. Your requests will be evaluated and responded to without undue delay and, in any event, within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, in accordance with Article 12(3) GDPR.

Withdrawal Consequences
Please note that withdrawing your consent may result in the inability to participate in ongoing or future programs or to receive certain services, depending on the nature of the processing activity that relies on your consent.

Request Handling Limitations
Mikado Impact BV reserves the right to reject requests that are manifestly unfounded, excessive, or repetitive in nature, as permitted under Article 12(5) GDPR. In such cases, we may also charge a reasonable administrative fee.

Mikado Impact BV only processes requests submitted directly by the data subject or by a legal representative duly authorized through verifiable documentation. Requests submitted by third parties without legal authority will not be processed.

Before lodging a formal complaint with the Dutch Data Protection Authority, verified data subjects are encouraged to contact Mikado’s Data Protection Officer prior to filing a complaint with the supervisory authority. Mikado only accepts and processes complaints submitted by or on behalf of individuals whose identity and data subject status can be reasonably established.

Automated Decision-Making and Profiling

Mikado Impact BV does not engage in fully automated decision-making, including profiling, that produces legal or similarly significant effects as defined in Article 22 of the GDPR. While program applications and participant matching may involve categorization based on submitted data, all such processes are subject to human oversight and review.

Key decisions regarding program eligibility, participant matching, or evaluation are made by qualified personnel and include appropriate levels of human review.

Data Security Measures

Comprehensive technical and administrative measures are implemented to ensure the security of your personal data:

Technical Security Measures

  • Encrypted data storage
  • Secure data transmission using SSL/TLS protocols
  • Regular security updates and patch management
  • Firewall and intrusion detection systems
  • Regular backup and disaster recovery procedures

Administrative Security Measures

  • Role-based access controls and authorization
  • Employee privacy training and awareness programs
  • Regular auditing of data processing activities
  • Confidentiality agreements with third-party service providers
  • Data minimization and anonymization protocols

Mikado Impact BV aims to conduct annual internal data protection audits, subject to operational feasibility, to ensure compliance with GDPR Articles 24 and 32. These audits are supervised by the Data Protection Officer, and findings are incorporated into ongoing risk management procedures.

Cookies and Website Usage

Our website uses cookies to enhance user experience and analyze site traffic. Cookies are small text files placed on your browser and are used for the following purposes:

  • Session management and remembering user preferences
  • Monitoring and improving site performance
  • Collecting visitor statistics
  • Ensuring security controls

You can manage or reject cookies through your browser settings. However, disabling cookies may prevent some features of our website from functioning properly.

Data Breach Notification

In the event of a data breach, we act in accordance with our established procedures. Breaches that pose a risk to individuals’ rights and freedoms are reported to the Dutch Data Protection Authority within 72 hours of detection. In high-risk situations, affected individuals are also notified without undue delay.

Breach notification includes:

  • Nature and scope of the breach
  • Categories of affected data and estimated number of individuals
  • Likely consequences and risks
  • Measures taken or planned to be taken

Children’s Personal Data

Personal data of children under 16 years of age is processed only with parental or legal guardian consent. In our programs directed at children, the principle of data minimization is rigorously applied, and only absolutely necessary data is collected.

Policy Updates 

This Privacy Policy is reviewed at least annually in light of changes in legal regulations or significant changes in our data processing activities. Updates are published on our website, and registered users are notified by email of significant changes.

Before changes to the policy take effect, our users are given a reasonable period for review and evaluation.

Continued use of our services or participation in our programs after the effective date of policy updates shall be deemed acceptance of the updated terms, unless you explicitly notify us of your objection in writing within a reasonable time period.

For material changes that introduce new data processing activities based on consent, Mikado will seek renewed explicit consent only where legally required, in accordance with GDPR principles.

Disclaimer of Liability

While Mikado Impact BV implements industry-standard security measures to protect your data, it does not guarantee absolute security. In cases of data breaches resulting from cyberattacks, force majeure events, or third-party misconduct beyond Mikado’s reasonable control, Mikado shall not be held liable for any consequential, incidental, or indirect damages.

Governing Language

In the event of any discrepancy between different language versions of this Privacy Policy, the English version shall prevail as the sole and authoritative version for interpretation purposes.

Governing Law and Jurisdiction

This Privacy Policy and any dispute or claim arising out of or in connection with it shall be governed by the laws of the Netherlands. Exclusive jurisdiction is vested in the competent courts of Amsterdam, the Netherlands.

This Privacy Policy does not create any rights or obligations enforceable by any person or entity other than Mikado Impact BV and the individual data subjects to whom it applies. No third party shall have any right to enforce any term of this Policy.

Interpretation

This Privacy Policy shall be interpreted in good faith, in light of its stated purpose to protect personal data in accordance with GDPR principles, and not in a manner that extends Mikado Impact BV’s responsibilities or obligations beyond those expressly set forth herein.

Contact Information

Mikado Impact BV
Fluwelen Burgwal 582511 CJ Den Haag
Netherlands

Data Protection Officer:
Email: privacy@mikadoimpact.com

Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
Web: www.autoriteitpersoonsgegevens.nl
Phone: 0900-2001201