Data Protection and Cyber-security Policy

Background

Entrepreneurship in the Digital and Gig Economy (EDGE) is a five-year program launched by the Mastercard Foundation in partnership with Hybrid Designs, the lead consortium partner, along with R&D Group, iCog Consultancy, and Qua Qua Capitals. Hybrid Designs is responsible for providing overall strategic and technical leadership to the program, ensuring coordination and alignment across all implementing partners. Additionally, D&T Ethiopia Management Consulting PLC serves as the fund manager, ensuring effective financial management, accountability, and sustainability of the program’s investments.

The program aims to unlock over 300,000 dignified and fulfilling employment opportunities for economically disadvantaged young people by building an innovative, digitally enabled domestic outsourcing market and fostering a thriving offshore outsourcing ecosystem.

As the program drives digital employment and entrepreneurship, safeguarding participants’ digital rights becomes essential. EDGE is committed to protecting the personal and sensitive data of its participants by establishing a comprehensive data protection framework, ensuring cybersecurity, and complying with applicable laws and standards. This includes outlining clear principles, roles, and procedures to protect data collected, processed, and stored within the EDGE ecosystem, creating a secure and trusted digital environment where young people can safely engage in economic opportunities.

Scope

This EDGE Program Data Protection and Cybersecurity Policy (the “Policy”) applies to all EDGE program personnel, including employees, contractors, partners, and third-party service providers who collect, process and store personal data or access EDGE systems.

Legal and Regulatory Compliance

EDGE is committed to full compliance with the Personal Data Protection Proclamation No. 1321/2024 (the “Proclamation”) of the Federal Democratic Republic of Ethiopia, which defines personal data and establishes principles for its lawful processing.

Definitions

  1. Personal Data: Information relating to an identified or identifiable individual, including any participant of the EDGE program, such as name, contact information, identification numbers, physical address and location data.
  2. Sensitive Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, health status or medical information, physical or health condition, or data concerning a child under the age of 16.
  3. Data Subject: Any participant of the EDGE program whose Personal Data is collected, processed or stored by EDGE or any of its representatives.
  4. Data Controller: The legal entity that determines the purposes and means of processing Personal Data. In the EDGE program, Hybrid Designs PLC (as lead consortium partner) serves as the primary Data Controller for centrally collected data, while the other consortium members (R&D Group, iCog Consultancy, and Qua Qua Capitals) act as independent Data Controllers for the data they collect directly through their own platforms.
  5. Data Processor: Any organization or party that processes Personal Data on behalf of a Data Controller and according to its instructions (e.g., third-party IT service providers, cloud storage providers).
  6. Data Protection Officer: A person designated by the Data Controller with responsibility for overseeing the handling, administration and use of Personal Data.

Data Protection Principles
Personal Data collected from Data Subjects shall be:

  • processed lawfully, fairly and in a transparent manner;
  • obtained only for one or more explicit, specified and lawful purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary for the purposes for which the Personal Data are processed;
  • processed in a manner that ensures the integrity, confidentiality, and security of the Personal Data; and
  • processed in a manner that ensures the sovereignty of the Personal Data.

Data Subject Rights

  • The Data Controller and Data Processor shall ensure the rights under this clause for Data Subjects free of charge and without excessive delay.
  • Where Personal Data relating to a Data Subject are collected either from the Data Subject or other sources, the Data Subject shall have the right to be provided by the Data Controller with the following information:
    • The name and contact details of the Data Controller;
    • The name and contact details of the representative of the Data Controller;
    • The contact details of the Data Protection Officer of the Data Controller or of his/her representative;
    • The purposes of the processing;
    • Whether providing answers to questions is voluntary or compulsory, and the possible consequences of failure to reply;
    • The lawful basis for the processing;
    • The recipients or categories of recipients of the Personal Data;
    • The retention periods for the Personal Data;
    • The rights available to Data Subjects in respect of the processing;
    • The right to withdraw consent; and
    • Any necessary additional information in order to ensure fair and transparent processing.
  • Data Subjects can request access to their Personal Data in their preferred format (in an electronic or hard copy format).
  • If a Data Subject believes that the Personal Data is inaccurate, incomplete, misleading, not-up-to-date, or is otherwise being processed contrary to this Policy or the Proclamation, the Data Subject shall have on request the right to have the Data Controller correct the data.
  • A Data Subject can request deletion and erasure of their Personal Data, subject to legal and contractual obligations.
  • A Data Subject can request the restriction of processing of his/her Personal Data where, amongst other conditions laid out in the Proclamation, the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the Personal Data.
  • A Data Subject has the right to receive the Personal Data that he/she has provided to a Data Controller or Data Processor in a structured, commonly used and machine-readable format.
  • Data Subjects can object to data processing based on legitimate interests.
  • Every Data Subject shall have the right:
    • not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her;
    • to obtain human intervention on the part of the Data Controller; and
    • to express his/her views on the matter.
  • Any automated processing of Personal Data intended to evaluate certain personal aspects relating to an individual shall not be based on Sensitive Personal Data.
  • Data Subjects have the right to be informed about the details of data

Data Collection and Processing

  1. The processing of Personal Data shall be regarded as lawful when the Data Subject has given his/her consent prior to the commencement of the processing.
  2. The Data Controller and Data Processor shall obtain explicit, informed consent from Data Subjects before collecting or processing their Personal Data. For minors under 16, consent must be obtained from a parent, tutor or legal guardian.
  3. The Data Subject may withdraw his/her consent at any time. The Data Subject shall be informed of this right to withdraw consent before giving consent.
  4. The Program may collect personal data necessary to enable effective participation, service delivery, monitoring, and evaluation. This may include, but is not limited to, name, contact information, demographic details, and other relevant information aligned with program objectives.
  5. Where sensitive personal data is required to meet program goals or enhance participant support, it shall be collected in compliance with the Proclamation and with the explicit, informed consent of the Data Subject.
  6. The processing of Personal Data shall meet all of the following conditions:
    1. The Data Controller or Data Processor shall take appropriate measures to provide the Data Subject with any information relating to the processing;
    2. The information shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
    3. Processing shall not be done in a way that is unexpected or misleading to the Data Subject; and
    4. Processing shall respect the right of the Data Subject to be informed and shall be done in a manner which is clear, open and honest.

Data Security Measures

1. The Data Controller shall take reasonable steps to ensure the reliability of any Data Processor and its employees who have access to the personal data.

2. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to personal data. These measures will include:

    • Access Controls: Role-based access to systems and data; multi-factor authentication.
    • Encryption: Use of encryption for data at rest and in transit.
    • Network Security: Firewalls; intrusion detection and prevention systems.
    • Regular Audits: Periodic security audits and vulnerability assessments.
    • Incident Response Plan: Established procedures for responding to data breaches, including a data breach notification protocol.
    • Staff Training and Awareness: Regular training on data protection, cybersecurity and breach reporting.
    • Secure Data Storage and Backups.

Data Sovereignty

  • The Data Controller and Data Processor shall ensure that Personal Data collected or obtained locally within Ethiopia is stored on a server or data center located in Ethiopia.
  • Any transfer of Personal Data shall be as per the Proclamation.

Data Breach Notification

In the event of a Personal Data breach, the Data Controller shall notify the Ethiopian Communication Authority without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with the Proclamation. Affected Data Subjects shall be notified where the conditions set out below are met.

Notification to Data Subjects will occur if the breach is likely to result in a high risk to their rights and freedoms. However, notification to Data Subjects may not be required if:

  • The compromised data was protected by appropriate technical and organizational measures (e.g., encryption), rendering the data unintelligible to unauthorized parties; or
  • Prompt action was taken to contain and mitigate the breach, and the risk of harm to Data Subjects has been effectively eliminated.

EDGE will assess each breach on a case-by-case basis to determine whether notification to individuals is necessary and will ensure transparency and timely communication whenever there is a significant risk to their safety or privacy.

Third-Party Processors

The Data Controller shall ensure that all third-party processors comply with data protection requirements under this Policy and the Proclamation through contractual agreements that stipulate data handling procedures, security measures, and breach notification protocols.

Data Retention and Disposal

Personal Data shall be retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Secure disposal methods shall be employed to destroy Personal Data that is no longer needed.

Review and Updates

This Policy shall be reviewed annually or as needed to reflect changes in legal requirements, organizational practices, or technological advancements.