The ICRC data protection framework

02 June 2020

The ICRC has established a data protection framework that affords individuals protection in accordance with international standards. It includes the ICRC Rules on Personal Data Protection, revised in 2020, as well as a supervisory and control mechanism overseen by the Data Protection Office and an independent commission.

1. ICRC rules on personal data protection

Data protection legislation has evolved rapidly in recent years. Now, around 120 countries have data protection laws or some kind of statutory requirement concerning privacy. As new technologies emerge and the world becomes increasingly interconnected, it is possible to process ever increasing quantities of data faster and more easily. Yet the potential for intrusion into individuals' private sphere is also becoming more significant.

The ICRC, as a trusted manager of personal data in challenging environments, applies data protection standards that preserve the integrity, confidentiality and availability of personal data, and respects the rights, freedoms and dignity of the individuals it interacts with and whose data it processes.

The ICRC Rules on Personal Data Protection were adopted in 2015. The Rules take account of relevant legislation and the specifics of the ICRC's mandate. They also ensure that the organization safeguards personal data even in the most challenging circumstances. The Rules were revised in 2019 in light of recent regulatory, social and technological developments in the field of data protection.

Download the ICRC Rules on Personal Data Protection


2. The ICRC Data Protection Office

The ICRC Data Protection Office (DPO) is the ICRC's supervisory body with regards to all personal data protection matters. It is empowered to perform its duties and exercise its functions with complete independence. The DPO is an essential component for the protection of individuals with regard to the processing of their personal data.

2.1 Responsibilities

Monitoring the application of the ICRC Rules on Personal Data Protection

- monitoring the implementation of all ICRC data protection rules and policies and contributing to their consistent application across all ICRC operations
- monitoring the implementation of all ICRC data protection rules and policies with regard to data protection by design and by default
- monitoring whether Data Protection Impact Assessments (DPIAs) are carried out in accordance with ICRC data protection rules and policies
- monitoring the compilation and regular updating of a register of processing operations involving biometric data
- assessing the adequacy of the data protection safeguards adopted by partners and service providers relating to the use of biometrics

 Reviewing and updating ICRC data protection rules and policies

- reporting on the application of ICRC data protection rules and policies
- ensuring that ICRC data protection rules and policies are regularly reviewed in light of regulatory developments and changes in ICRC activities

Advising on data protection matters, on request or at its own initiative

- providing guidance on any matters relating to the application of ICRC rules in the field and at headquarters
- advising on the processing of biometric data
- approving the creation or alteration of a database

Protecting data subjects' rights

- responding to requests, objections and complaints from data subjects concerning the processing of their personal data
- referring data protection matters to the ICRC Data Protection Commission (DPC)
- responding to access requests by data protection authorities
- coordinating actions with staff in charge in case of data breach

Training ICRC staff in order to improve data-protection literacy

- partnering with the EPFL Center for Digital Trust in Switzerland to provide tailored training programmes for humanitarian practitioners on trust-building technologies and data protection
- working on a DPO Training and Certification Programme for humanitarian organizations in partnership with the European Centre on Privacy and Cybersecurity at Maastricht University, the Netherlands.


 2.2 Composition

The DPO is led by Massimo Marelli, Head of Data Protection Office, who is seconded by a Deputy Head.

The unit also includes experienced legal advisers, based at the ICRC headquarters and in Brussels, Belgium, who act as data-protection focal points in their respective subject areas and regions.

ICRC Data Protection Office
19 Avenue de la paix
1202 Geneva
Tel: +41 22 734 60 01


3. ICRC Data Protection Commission

The ICRC Data Protection Commission (DPC) is the ICRC body responsible for checking that the organization's processing of personal data complies with its Rules on Personal Data Protection and other applicable rules, and for ruling on the rights of individuals when their cases or other data-protection cases are referred to it.

Know more about the DPC