Why Not? Privacy Policy: Your Data, Your Rights
Welcome to the Stichting Why Not Privacy Policy!
We’re here to make sure you understand how we handle your personal data and why it matters to you, whether you’re in Europe, Africa, or anywhere else in the world. We want you to feel confident and empowered when it comes to your privacy.
1. Why We Care About Your Data
At WHY NOT? FOUNDATION, we believe your personal data is precious. It helps us connect with you, understand your needs, and make a positive impact in your life and the lives of others. Whether you’re a young supporter in Europe or Africa, your privacy matters to us.
2. What Data Means to Us
We collect only the information we need to serve you better. Your name, contact details, and other details you share help us tailor our services to meet your needs. We promise to use your data responsibly and only for purposes you agree to.
3. Personal Data: What’s That?
Ever wondered what personal data is? It’s all about you – your name, email, address, and more. Learn more about what personal data means to us in Section 1.2 of our policy.
4. Our Promise to You
Trust is everything. That’s why we follow strict principles to protect your data. From transparency to accountability, we’ve got your back. Find out more about our commitment in Section 1.4.
5. Keeping Your Data Safe
Your data’s security is our top priority. We use the latest technology and best practices to keep it safe from unauthorized access or misuse. Discover how we safeguard your information in Section 5.5.
6. Your Data, Your Control
You’re in charge of your data. Want to access, correct, or delete it? No problem! Learn how you can take control of your information in Sections 5.7, 6, and 7.
7. Sharing Data Responsibly
Sometimes, we need to share data with trusted partners to fulfil our mission. Rest assured, we only do this when necessary and with strict privacy safeguards in place. Discover more about data sharing in Section 8.
8. Handling Emergencies with Care
In times of crisis, your privacy remains a priority. Learn how we handle your data with sensitivity and care in Section 10, especially in emergency contexts.
9. What Happens if Something Goes Wrong?
Mistakes can happen, but we’re prepared. Find out how we handle data breaches and what steps we take to protect your rights in Section 9.
10. Your Feedback Matters
We’re here to serve you better. If you have any questions, concerns, or feedback about our privacy practices, don’t hesitate to reach out. Your voice matters to us!
Your privacy matters, whether you’re in Europe, Africa, or beyond. Thank you for trusting us with your data. Together, we can make a difference while keeping your information safe and secure.
Index
1. Why We Care About Your Data
1.1 Data Usage and Purposes
1.2 What is Personal Data for us.
1.3 Technological Considerations
1.4 Policy Principles
2..Technical Terminology
3. Where it Applies
3.1 Policy Applicability
3.2 Policy non-Applicability
4. Policy Statements
4.1 Data Subject’s Best Interests First
4.2 Special Care for Vulnerable Data Subjects
4.3 Sensitive Data Needs Extra Protection
4.4 Clear Roles and Responsibilities
4.4.1 Controller Responsibilities
4.4.2 Processor Responsibilities
4.5 Managing Risks
5. Policy Elements
5.1 Personal Data Protection Principles
5.1.1 Legitimate Reasons for Using Personal Data
5.1.2 Preferable Basis: Consent
5.1.3 Transparency
5.2 Purpose Specification
5.2.1 Clear Purposes
5.2.2 Changes in Purpose
5.3 Necessity and Proportionality
5.4 Accuracy
5.5 Security
5.5.1 Protecting Data
5.6 Limited Retention – How Long We Keep Data
5.6.1 Permanently
5.6.2 For as long as needed.
5.7 Notice of Personal Data processing – Telling You How We Use Data
5.7.1 Information for Data Subjects
5.7.2 When We get Data from Other Sources
5.7.3 Data Subject Requests to Interact with Their Data
5.7.4 Limitations on Requests
5.7.5 Unstructured Data
5.7.6 How We Handle Requests
5.8 Access
5.8.1 Access to Archives
6. Correction
6.1 Updating Personal Data
6.2 Noting Corrections
7. Deletion
7.1 When Deletion is Allowed
7.2 When We Can Not Delete
7.3 Preservation of Archives
7.4 Objection and Restriction of Processing
8. Personal Data Transfers
8.1 Legitimate Bases for Transfers
8.2 Consistency in Principles
9. Policy Implementation
9.1 Raising Awareness
9.2 Planning
9.3 Data Protection Impact Assessment (DPIA)
9.4 Monitoring
9.4.1 Key measures taken to implement this policy.
9.4.2 Stichting Why Not’s filing and storage systems containing personal data.
9.4.3 Personal data breaches and the nature of any data subject notifications resulting from those breaches.
9.5 Personal Data Breach Regulation
9.6 Accountability
Roles and Responsibilities
9.7 Implementation Structures
10. Special Considerations in Emergency Contexts
10.1 Emergency Situations
10.2 Exception for Authorized Stichting Why Not Offices
10.3 Transitional Measures
ANNEX 1: Definitions
ANNEX 2: Requests of Identified Data Subjects to Interact with Their Personal Data
This index provides a structured overview of the document, allowing for easy reference to specific sections or topics.
Personal Data Protection and Privacy Policy
The purpose of the Stichting Why Not Personal Data Protection and Privacy Policy is to provide guidance for the implementation of projects and programs that involve handling data. This policy should be integrated into all stages of the data lifecycle to ensure that Stichting Why Not adheres to the highest ethical standards for data protection and privacy. Protecting personal data is crucial for upholding fundamental privacy rights and complying with the Dutch/ European Union(EU) and Kenya principles on personal data protection and privacy.
Having robust policies in place for personal data protection and privacy, as well as for information handling and classification, is essential for the efficient operation of Stichting Why Not. These policies consider the opportunities and risks associated with the use of personal data, especially in the context of evolving technologies.
1. Why We Care About Your Data
1.1 Data Usage and Purposes
Here at the Stichting Why Not, we deal with personal data every data whether it’s referring to children, parents, partners, donors, or our own team members. We use this data for various purposes, like understanding how policies affect the desire progress on the healthcare and social integration of the children and their families, running projects, or managing our resources efficiently.
1.2 What is Personal Data for us.
Personal data can be as simple as a name or date of birth, or it can be a mix of info like demographics and locations that can identify someone. What counts as personal data depends on the situation, and sometimes, it’s the combination of data from various sources that can make a person identifiable. So, we need to be mindful of that.
1.3 Technological Considerations
We also need to think about the risks and opportunities that come with new technologies, like social media and artificial intelligence, when we handle personal data. Protecting this data is crucial to respecting privacy rights and fully comply with the legal obligations under Kenya’s Data Protection Regulations and Data Protection in the Netherlands/EU
1.4 Policy Principles
This policy implements Stichting Why Not Data Principles. It guides how we collect, store, analyse, transfer, delete, process, and publish personal data. Under this Stichting Why Not Data Protection policy, we commit to handle personal data in ways that are:
I) Justified; We won’t use your data without a good reason.
II) Used for defined purposes; We’ll only use it for reasons we’ve clearly informed you about.
III) Limited ; We’ll only use the data we really need for specified reasons.
IV) Accurate and actual; Your data will be kept accurate and up to date.
V) Secure and confidential; We’ll keep it safe and secret.
VI) Not kept longer than necessary; We won’t keep your data forever, only for as long as we need it to best perform our services.
VII) Transparency to the persons the data is about; we allow them to access, change, delete, or limit its use.
VIII) Safeguarded when shared with others. If we need to transfer your data, we’ll make sure it’s safe.
2. Technical Terminology
This policy uses some technical terms like “personal data,” “data subjects,” “processing,” “data controller,” and “data processor.” and other terms, you can find what they mean in Annex 1.
3. Where our Privacy Policy Applies?
This policy only covers the personal data of living individuals.
3.1 Policy Applicability
This policy only applies to the personal data of living individuals, to personal data that we collect and process it through our filing and storage systems. We make sure we protect the data according to how sensitive and risky it is.
3.2 Policy non-Applicability
This policy does not apply:
a) Info that is anonymous or made anonymous for statistics and research;
b) Data that tells us about a group or community but not a single person’s exact location.
c) Personal Data from a person who are deceased;
d) Confidential Data that is not personal data.
This policy works together with our other rules about data or information, like our Information Disclosure Policy, Record Retention, Data Security, and Contingency Policy. Why Not? Foundations always follow this policy and procedures unless some specific situation requires that we must follow other procedures that overrule ours by law.
4. Policy Statements
4.1 Data Subject’s Best Interests First
When it comes to personal data, our top consideration is the best interest of the data subject. Our aim is to handle their data in a way that does not harm their rights.
4.2 Special Care for Vulnerable Data Subjects
We are extra cautious when dealing with personal data of vulnerable individuals. Our team members take extra care in handling their information.
4.3 Sensitive Data Needs Extra Protection
We only process particularly sensitive personal data when it’s necessary for our Stichting Why Not mission. When we do, we make sure to use the right safeguards, both in our organization and in the technology, we use, to protect data subjects from any potential risks, particularly but not exclusively the risk of discrimination.
4.4 Clear Roles and Responsibilities
Before we collect and process personal data, we will clearly define who is doing what. This way, everyone involved knows their role and can be held accountable under this policy.
4.4.1 Controller Responsibilities
Stichting Why Not is the controller, we will only work with processors, including our associates, who commit to meeting the requirements of this policy or equivalent data protection standards. If we are joint controllers with others, we will establish a protocol in writing and inform the data subject when needed.
4.4.2 Processor Responsibilities
When Stichting Why Not is the processor; we will make sure data controllers know what we demand to protect personal data. We will not process personal data unless it was collected following this policy. We will only work with (sub-)processors, including our associates, with the controller’s consent, and they must agree to follow the same data protection rules we agreed to with the controller.
4.5 Managing Risks
We handle risks related to personal data processing following our Risk Management Policy. This includes considering how sensitive and confidential the data is.
5. Policy Elements
5.1 Personal Data Protection Principles
5.1.1 Legitimate Reasons for Using Personal Data
We can only process personal data if we have a legitimate reason to do so. Here are the legitimate bases that we use to process personal data:
(I) When the data subject or their representative agrees (“consent”).
(II) To carry out a contract with the data subject, like an employment agreement (“contract”).
(III) To protect data subject or someone’s life physical or mental integrity (“vital interests”).
(IV) To support the interests of people Stichting Why Not serves, especially those we are mandated to protect or advance to help (“Stichting Why Not legitimate interest” and “beneficiary interest”).
(V) When we’re legally required to (“legal obligation”).
(VI) For other valid reasons related to our mission and duties, such as defending legal claims or Stichting Why Not being accountable (“other legitimate interests”).
5.1.2 Preferable Basis: Consent
We prefer to use consent, often combined with other legitimate bases when processing personal data. However, there are situations where getting consent might not be possible. For instance, if the person is a minor or can’t provide reasonable consent, and there are no alternative options.
5.1.3 Transparency
We process personal data in a way that’s clear to the data subject.
5.2 Purpose Specification
5.2.1 Clear Purposes
We only use personal data for specific and limited purposes that align with Stichting Why Not ‘s mission. We determine these purposes before collecting the data.
5.2.2 Changes in Purpose
Sometimes, we might need to use personal data for different purposes than originally planned. We can do this if:
I) We obtain consent for it.
II) The new purpose is compatible with the original one, and the benefits outweigh the risks for the data subject.
III) We’re legally required for statistical, historical, or scientific reasons.
IV) To ensure accountability.
V) To handle legal claims.
5.3 Necessity and Proportionality
We Only Process What is Necessary
We process personal data that’s relevant, limited, and appropriate for the specified purposes. This means we won’t collect more data than we need, and we won’t keep it longer than necessary, as mentioned in 5.6.Limited Retention
5.4 Accuracy
We will on the best of our capacities ensure that personal data is accurate and up to date. We’ll regularly review its accuracy based on factors like how time-sensitive the data is.
5.5 Security
We’ll classify personal data based on how sensitive it is, following Stichting Why Not ‘s information security standards.
5.5.1 Protecting Data
We’ll put in place the right safeguards, both organizational and technical, to keep personal data secure. This includes preventing accidental or unauthorized destruction, loss, alteration, disclosure, access, or unavailability. We may use measures like access logs and data change tracking.
5.6 Limited Retention – How Long We Keep Data
We’ll keep personal data in our filing or storage system as follows:
5.6.1 Permanently, if it meets Stichting Why Not archiving criteria.
5.6.2 For as long as needed to achieve the original purposes. Those responsible for setting retention standards will determine:
I) How long the data is needed;
II) When it becomes outdated or no longer useful;
III) The right retention period;
IV) How to safely dispose of or archive the data when the retention period ends.
5.7 Notice of Personal Data processing – Telling You How We Use Data
5.7.1 Information for Data Subjects
Whenever we collect personal data, we’ll share the details listed in Annex 2 with the data subject.
5.7.2 When We get Data from Other Sources
When we get personal data from a source other than the data subject (as the controller), we’ll provide the information stated in Annex 2 to each person identified in the data, considering any logistical challenges we may face.
5.7.3 Data Subject Requests to Interact with Their Data
Requesting Access, Correction, Deletion, Objection, and Restriction
Any person who can prove they are the data subject can request to access, correct, delete, object to, or restrict the processing of their personal data, under the conditions below.
5.7.4 Limitations on Requests
These requests only apply to personal data that directly identifies the data subject, not data that might indirectly identify them.
5.7.5 Unstructured Data
If the requested data is in an unstructured format, like written reports, and it’s not feasible to extract the personal data using available resources, we may decline the request, unless there’s a compelling reason, like protecting the data subject’s best interests or fundamental rights and freedoms.
5.7.6 How We Handle Requests
We’ll handle data subject requests following the process outlined in Annex 2.
5.8 Access
Confirming Data Processing
Upon request, we’ll confirm whether we’re processing personal data related to the data subject and provide information about the categories of personal data we have.
5.8.1 Access to Archives
Access to data in Stichting Why Not archives will follow specific policies and procedures related to archives.
6. Correction of the Data
6.1 Updating Personal Data
We’ll grant requests from data subjects to update or correct their personal data unless the requested change is inaccurate, or the data is part of a record in Stichting Why Not archives.
6.2 Noting Corrections
To maintain the integrity of our archives, we may include a note in the relevant archival file to indicate that a correction request has been made.
7. Deletion of the Data
7.1 When Deletion is Allowed
We’ll grant data subject requests to delete personal data from our filing system when:
I) We didn’t process the data following this policy;
II) Keeping the data doesn’t align with this policy;
III) In cases where consent is the only legitimate basis for processing, the data subject withdraws their consent;
IV) A request has been approved to fully restrict processing
7.2 When We Can Not Delete.
We won’t delete personal data in the following situations:
I) If there are overriding vital interests, beneficiary interests, or other legitimate interests,
II) When we’re required to process further for statistical, historical, or scientific purposes.
7.3 Preservation of Archives
We won’t delete records held in Stichting Why Not archives to maintain the integrity of our records.
7.4 Objection and Restriction of Processing
Data subjects can object to or request restrictions on the processing of their personal data at any time if:
I) The processing doesn’t align with this policy;
II) In cases where consent is the only legitimate basis for processing,
III) the data subject withdraws their consent
IV) There are compelling reasons related to their specific situation. We may grant the request unless there are overriding vital interests, beneficiary interests, or other legitimate interests as provided in section 9.
8. Personal Data Transfers
8.1 Legitimate Bases for Transfers
We can only transfer personal data when there’s a legitimate reason for both the transfer and the processing, according to the personal Data protection Principles, legitimately and fairly processing. These legitimate bases apply to both data processing and data transfers.
8.2 Consistency in Principles
Each of the principles and sections of this policy applies equally to both data processing and data transfers. Transfers can only happen when they meet the conditions outlined in clear roles and responsibilities.
9. Policy Implementation
9.1 Raising Awareness
We’ll provide training and take appropriate actions to make sure our team members are aware of and effectively implement this policy, considering our available resources and logistical constraints.
9.2 Planning
When we act as a controller and decide how to process personal data, including when creating databases, we’ll integrate data privacy by design and by default into our planning, development, and decision-making processes. We’ll also use appropriate technical and organizational measures like data minimization and pseudonymization when necessary.
9.3 Data Protection Impact Assessment (DPIA)
If processing personal data as a controller is likely to pose high risks to data subjects’ rights and freedoms, especially when using new technologies, we may conduct a data protection impact assessment (DPIA) before processing. This assessment identifies risks, suggests mitigating measures, and helps us decide whether to proceed with the processing.
9.4 Monitoring
We’ll take practical steps to monitor compliance with this policy, including the development and maintenance of centralized registers of:
9.4.1 Key measures taken to implement this policy.
9.4.2 Stichting Why Nots’ filing and storage systems containing personal data, including details like contact information, processing purposes, data subject categories, data sources, types of personal data concerned, categories of recipient to whom the personal data have been or can been disclosed, default retention periods, and, where possible, a general description of the technical and organizational security measures.
9.4.3 Personal data breaches and the nature of any data subject notifications resulting from those breaches.
9.5 Personal Data Breach Regulation
We’ll follow the established regulations in place in Kenya and Netherlands for handling personal data breaches, including reporting channels, incident review or investigation procedures, technical responses, and notifications to data subjects and others.
9.6 Accountability
Roles and Responsibilities
Roles and responsibilities for implementing this policy are listed in Annex 3. Failure to comply with the policy may be considered misconduct if it results from gross negligence, recklessness, or deliberate actions.
9.7 Implementation Structures
We’ll define additional requirements and structures, such as procedures, standards, and guidance, to make this policy operational and ensure its monitoring. We’ll also establish an appropriate oversight structure to interpret the policy, especially when handling data subject requests.
10. Special Considerations in Emergency Contexts
10.1 Emergency Situations
In designated emergencies or when national public authorities, like the Office of The Data Protection Commissioner in Kenya or the Autoriteit Persoonsgegevens in Netherlands, request data that is otherwise protected, derogations from data protection regulations may be exceptionally allowed by the Data Officer. This will be done after consultation with the Information Security Officer, Stichting Why Not Country Representative, and in line with other applicable policies. These derogations might address various aspects of data protection, like choosing legitimate bases, assessing necessity and proportionality, ensuring accuracy, security and retention measures, notifying data subjects about data processing, assessing the adequacy of safeguards for transfers, conducting data protection impact assessments, and responding to data subject requests and registering filing systems.
10.2 Exception for Authorized Stichting Why Not Offices
The above doesn’t affect authorized Stichting Why Not offices when they act within their official functions and follow their mandate’s needs.
10.3 Transitional Measures
Gradual Implementation
This policy will be gradually implemented. There will be a 12-month transitional period from the effective date mentioned above for full adherence to the policy document. During this period, we’ll roll out a comprehensive implementation plan. Successfully implementing the plan will require cooperation at the local and country levels for key activities like compiling personal data inventories, conducting data risk assessments, drafting guidance and notice documents, and providing data protection training (e.g., train-the-trainer activities, etc.). Requests for implementation delays or exemptions from specific provisions may be granted by the Data Officer after consulting with the Information Security Officer, following a risk assessment. Any such exemptions will be documented in relevant information notices.
ANNEX 1: DEFINITIONS
- Archives
Archives can be either physical or electronic recorded information that has been deemed of sufficient administrative, fiscal, legal, historical, or informational value to warrant permanent retention under relevant Stichting Why Not regulations. Archives can also refer to designated facilities containing such information objects.
- Anonymous or Anonymized Information
This term refers to information about a person whose identity cannot be determined.
- Consent
Consent is the freely given, specific, and informed agreement of a data subject or the representative of a vulnerable data subject (e.g., children) to the processing of their personal data. In cases involving vulnerable data subjects, consent will be provided by their representative (e.g., parents or legal family members) with due consideration for the best interest of the data subject (e.g., children). Consent provides the data subject with agency over the collection and processing of their data. It may also be supported by other legitimate bases for data processing, such as Stichting Why Not legitimate interest, beneficiary interest, vital interest, or contract. Requests from data subjects or their representatives to withdraw or alter consent will be reviewed and acted upon with due consideration for the data subject’s best interest and the legitimate bases relied upon for collecting and processing personal data.
- Controller
A controller is an entity or individual, including public authorities, agencies, or other bodies, who alone or jointly with others, determines the purposes and means of processing personal data.
- Data Protection Impact Assessment (DPIA)
A DPIA is a standardized assessment based on the General Data Protection and Kenya Privacy Act Principles and other recognized international data protection principles. It assesses the impact of planned processing activities on the protection of personal data and the rights and freedoms of data subjects. A DPIA aims to identify mitigating measures, if any, to avoid or minimize such impact.
- Data Subject
A data subject is an individual whose personal data is subject to processing under this Policy, regardless of how the data was obtained. This term includes past, potential, or current beneficiaries, individual donors, supporters, suppliers, individuals in other Stichting Why Not associate organizations, and personnel.
- Particularly Sensitive Personal Data
Particularly sensitive personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data capable of uniquely identifying a natural person, data concerning health, or data concerning an individual’s sex life or sexual orientation.
- Personal Data
Personal data refers to any information related to an identified or identifiable individual (data subject). An identifiable individual is someone who can be directly or indirectly identified, especially by reference to an identifier like a name, identification number, phone number, audiovisual materials, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. This definition is contextual and expands with advancements in technology and identification methods.
- Personal Data Breach
A personal data breach is a breach of security resulting in the accidental or unauthorized destruction, loss, alteration, disclosure, access, or unplanned loss of availability of unencrypted personal data. It is not considered a breach when access is consistent with official functions.
- Personal Data Transfer
A personal data transfer refers to any action that makes personal data accessible or available to another party, other than the data subject, regardless of the medium and format (electronically or physically). It includes both transfers within a country and transfers from the country where the data was originally collected to another country or countries.
- Process or Processing
Processing includes any operation or set of operations performed on personal data, whether automated or manual. This can include collecting, recording, structuring, consulting, retrieving, using, transferring, disclosing, sharing, deleting, and more.
- Processor
A processor is an individual or entity, including public authorities, agencies, or other bodies, which processes personal data on behalf of the controller.
- Pseudonymization
Pseudonymization is a technical process where personal data can no longer be attributed to a specific data subject without additional information. This additional information is kept separately and subject to technical and organizational measures to ensure that the personal data cannot be linked to an identified or identifiable individual.
- Stichting Why Not’s Associate
A Stichting Why Not associate includes various kinds of entities with which Stichting Why Not has a contractual relationship or collaboration arrangement. This can include civil society partners, public health entities, Public Educational Institutions bilateral or multilateral partners, National Committees, suppliers or vendors, corporate partners, or subcontractors.
- Stichting Why Not’s Filing and/or Storage System
This term refers to any structured set of personal data accessible based on specific criteria. It can be centralized, decentralized, or dispersed on a functional or geographical basis. This includes databases, repositories of personal data, and archives administered by or on behalf of Stichting Why Not .
- Stichting Why Not’s Personnel
Stichting Why Not’s personnel include Stichting Why Not staff, individual consultants and contractors, interns, volunteers, personnel, Stichting Why Nots’ s goodwill ambassadors, individuals serving WHY NOT? Foundation, and persons working for Stichting Why Not through an employment agency or similar arrangement.
- Vulnerable Data Subject
A vulnerable data subject refers to a data subject who is reasonably unable to provide informed consent due to various vulnerabilities, which may include gender, sexual orientation, age, medical history, abusive relationships, social marginalization, or displacement. The degree of vulnerability can vary based on intersecting inequalities, conditions, and situation.
ANNEX 2: REQUESTS OF IDENTIFIED DATA SUBJECTS TO INTERACT WITH THEIR PERSONAL DATA
Provision of Information About the Processing of a Data Subject’s Personal Data
Pursuant to Notice of Personal Data processing -Telling You How We Use Data, the following information will be provided to the data subject, either in writing or orally:
a) The purposes for which their personal data will be processed;
b) Whether personal data about the data subject will be collected from other sources and the categories of such sources (which could include other UN agencies, government sources, Stichting Why Not’s associate sources, publicly available information);
c) The anticipated retention period;
d) Whether their personal data will be transferred to third parties, the categories of third parties to which their personal data will be transferred, and whether they may be outside the country in which the data subject is located;
e) The importance of data subjects providing accurate and complete personal data, as well as changes to their personal situation pursuant to principle of Accuracy established in the Policy;
f) How to request access to their personal data, correction, or deletion of it, to object to or restrict the processing of their personal data, and any further recourse that might be available.
Such information will be provided in clear and plain language and in a format adapted to the age, maturity, and vulnerability of the data subjects.
How Data Subjects Can Make Requests
Stichting Why Not will consider a request made orally or in writing by a data subject.
Stichting Why Not Responses to Requests
In assessing or responding to the request, the person responding will:
a) May ask for further detail if the request does not contain sufficient detail to enable Stichting Why Not to identify and locate the record with reasonable efforts;
b) Respond to the request within a reasonable time, either orally or in writing, and processed in a manner that is transparent to the data subject pursuant with Special considerations in Emergency Contexts;
c) Generally, limit requests to structured personal data unless overriding reasons demand otherwise. Such overriding reasons could include upholding the best interest of the data subject or essential rights and freedoms of individuals;
d) Not reveal personal data about the data subject unless there is sufficient proof that the person requesting the information is the data subject;
e) May deny the request if there are grounds for believing that the request is manifestly abusive, fraudulent, or obstructive to the purpose of processing;
f) Provide reasons if the request is denied, except when it is denied on grounds that it is manifestly abusive, fraudulent, or obstructive to the purpose of processing;
g) Provide access in a form (oral, in print, digitally, or through online access) that is reasonably practical for Stichting Why Not and the person requesting if access is granted;
h) Provide information about any available recourse or review mechanism that has been established and could be used by the data subject or vulnerable data subject.
Nederlands 
English