Introduction

FAO is committed to process data fairly, with integrity, responsibility, security, and transparency. We collect and process data – personal data and sensitive non-personal data – solely in accordance with our internal data protection rules and procedures, to the exclusion of any single national or regional system of law. This means we handle information in line with FAO’s own Data Protection Policy (DPP) and not under any national, regional jurisdiction. We process data only for legitimate purposes related to the mandate of the Organization, and we apply the highest standards to safeguard your privacy.

FAO may provide this Notice in different formats. In situations where data is collected offline or verbally (for instance, via phone or in person during field projects), we will inform you of the key points of this Notice and let you know how to access the full text for more details. Regardless of how we collect your data, we handle it according to the principles in this Notice.

Scope

This Notice applies to all personal data that FAO collects in the below contexts. It covers the data of:

• Website Users: individuals visiting FAO websites (within the “fao.org” domain or other official FAO domains), and users interacting with FAO’s official pages on social media platforms.
• Event Participants: individuals registering to and/or attending FAO events, conferences, webinars, workshops, or training sessions (including virtual events).
• Visitors to FAO Premises: individuals (personnel and guests) entering FAO premises, offices or facilities, such as guests, meeting attendees, or contractors (whose data may be collected for security and access management).
• Newsletter Subscribers: individuals subscribing to FAO newsletters, email updates, or mailing lists.
• Platform/Database Users: individuals creating accounts to access FAO knowledge repositories, databases, forums, or other online systems managed by FAO.
• Contest or Survey Respondents: individuals participating in FAO-organized contests, competitions, or responding to FAO surveys and questionnaires.
• Media Subjects: individuals whose images, video, audio or voice are captured by FAO during FAO activities.
• Project Beneficiaries: individuals whose personal data is collected in the context of FAO’s field projects or programmes. This includes persons benefiting from FAO assistance (e.g. recipients of aid, training participants in the field).
• Project Partners: if an individual’s personal data is collected by an FAO implementing partner or service provider (and not directly by FAO), generally the partner’s own privacy notice will apply to that data. However, if that partner is processing such data on FAO’s behalf – i.e. under an FAO Letter of Agreement (LoA) with a Data Processing Appendix (DPA) – then the data is handled according to FAO’s instructions and this FAO Data Protection and Privacy Notice applies. In those cases, the partner must follow FAO’s Data Protection Policy and the terms of our agreement to protect the data.

FAO’s services and websites are not directed to minors. We do not knowingly collect personal data from children without consent from a parent or guardian. If you are a minor, please do not provide your data without your guardian’s permission.

This Notice also applies when FAO obtains personal data about individuals from third-party sources (not directly from the individual); in such cases, FAO will inform those individuals of the data processing where required, consistent with this Notice.

In addition to being governed by the FAO Terms and Conditions (which set forth the conditions for use of FAO websites and online services), specific FAO platforms or tools may present additional terms of use or privacy information. In case of any conflict, this Notice will apply for data protection matters. For processing activities using FAO apps, please refer to the FAO Privacy Policy for the use of FAO Apps (which describes data processing in FAO’s mobile applications). For matters related to intellectual property of content or data provided through FAO platforms, please refer to the FAO Terms and Conditions.

FAO websites may contain links to third-party sites or services (for example, an external social media page). If you follow those links, be aware that any personal data you provide on those external platforms is subject to the third parties’ privacy policies, not FAO’s, as FAO has no control over those sites.

This Notice concerns how we handle personal data about individuals. While FAO also protects internal sensitive non-personal data under the same principles, such data is not about identifiable persons and thus is outside the scope of individual privacy outlined here.

What data we collect and how

The type of information we collect depends on your interaction with FAO. We only ask for information that is relevant and necessary for the purpose stated. In general, you may directly provide us with personal details and contact information; your full name, title, affiliation or organization, postal address, email address, telephone number, and country, are typically requested when you fill out a form or register to an FAO service. For example:

• If you contact FAO with an inquiry (through ServiceNow, our website “Contact us” form or by email), we will ask for your name and email and any details that help us respond to you.
• If you subscribe to a newsletter or mailing list, we will collect your email address (and possibly your name) to send you the updates you requested.
• If you register to an FAO event or training, we may ask for your name, contact details, job title, organization, and any other information needed to manage your participation (e.g. preferences, or, for in-person events, perhaps identification details for security).

Account information: if you create an account on an FAO system (for example, to access a restricted database, forum, or to use an FAO mobile application), we will collect the credentials and information necessary to set up and maintain your user account (such as username, email, password). This may also include profile information you choose to provide in such systems.

Survey or contest responses: if you take part in a survey, consultation, or contest, we will collect your responses and any personal data you include in them. This could range from opinions and feedback to contact information for contest winners. Participation in these is voluntary, and you will be told what data is being collected when you enter.

Media (photographs, videos, audio, voice): if you engage in an FAO project or event where photographs or recordings are taken, and you have given consent for this, we may collect your image, video, audio or voice. Providing personal media is entirely optional and done with your permission. We will ask you to fill out a dedicated Consent & Release Form.

Professional or background information: in certain cases, FAO may ask for information about your professional qualifications or background – for instance, if you are contributing expertise to a technical forum or collaborating as a partner. This might include your CV, areas of expertise, or publications. Such data is usually provided directly by you in a professional context.

Project beneficiaries: if you are participating in an FAO project (for example, as a beneficiary receiving agricultural assistance or cash transfers), we may collect personal information needed to carry out that project. This could include your name, contact details, and information relevant to determine eligibility or deliver support (e.g. your occupation, household size, or areas of need). We will inform you at the time of collection what data is required and why. In some cases, we might collect this information through our partners on the ground but rest assured your data is handled with the same care as under this Notice.

When you visit FAO premises, certain personal data may be collected for security purposes. For example, you may be asked to provide identification details at the entrance, and your image may be captured by Closed-Circuit Television (CCTV) cameras on FAO premises for safety and security monitoring.

Automatically Collected Data: When you use our websites or online platforms, we also collect some data automatically to ensure the sites function properly and to help us improve them. This includes, for example, technical information like your IP address, browser type, operating system, referring website, pages accessed, and the dates/times of access. We use cookies and similar technologies (as described in FAO’s website Terms and Conditions) to gather some of this information. This usage data is generally analysed in aggregate form and is not used to identify you as an individual. By using our websites, you agree to FAO’s use of cookies and analytics for these purposes. You have the option to disable cookies in your browser settings, though some features of our sites may not function fully without them.

Data from Other Sources: In some situations, FAO may receive information about you from a third party instead of directly from you. For example, we might partner with another organization that shares participant lists for a jointly organized event, or we could receive beneficiary data from a government or NGO in the context of an aid project. If we obtain your personal data from someone else, we will treat that data in accordance with this Notice and our data protection policy. We will also ensure that the original collector had the authority or your consent to share your data with us. If required (and feasible), FAO will inform you that we have received your data from another source and the purpose for which we will use it.

Why we collect your data

FAO collects and uses data only for purposes that align with our mandate and the expectations of the provided service. The main purposes include:

• To respond to your inquiries or requests: If you contact us for information or assistance, we use your contact details and any info you provided, to communicate with you and address your needs (for example, answering a question about FAO’s work or resolving an issue you reported).
• To facilitate your participation in FAO events and activities: We process registration information to confirm your attendance, prepare necessary arrangements, provide updates, and follow up after events such as conferences, trainings, webinars, campaigns or meetings that you attend. For instance, if you sign up for a workshop, we’ll use your details to send you logistical information, materials, and post-event feedback forms.
• To allow access to FAO platforms and services: We use personal data to create or manage your user account on our systems (e.g., FAO data portals, e-learning platforms, discussion forums). This ensures authorized access and personalized experience. We might also use your information to provide you with specific services you requested, such as downloading certain publications or datasets that require user identification.
• To send you newsletters, updates or announcements: If you subscribe to newsletters or mailing lists, we use your email (and name, if provided) to deliver the content you subscribed to – for example, FAO project updates, press releases, or topic-specific newsletters. You can unsubscribe at any time (each message we send includes an unsubscribe option).
• To deliver humanitarian or development assistance and manage FAO projects: For instance, using your information to provide services or benefits you signed up for as part of an FAO programme, to monitor the progress of a project you are involved in, or to follow up with you for feedback on the assistance provided.
• To conduct surveys, contests, or gather feedback: When we run voluntary surveys or contests, we process the data you provide to record your responses or entries, analyse results, announce winners, etc. For example, your opinions in a survey help shape our programs (aggregated analysis), and your contact info might be used to follow up on survey outcomes or to send a prize in a contest.
• To promote FAO’s mission and share impact stories: With consent, we use testimonials, success stories, photos or videos featuring individuals to highlight the impact of our work. For instance, we might publish a story on our website or social media about a project beneficiary (with their permission) to illustrate how FAO projects are making a difference. Any such use of personal media will always respect the consent given.
• To analyse and improve our website and services: We use data like website usage statistics and feedback to understand how our online content is performing and how users engage with us. This helps us improve navigation, content quality, and user experience on our digital platforms. (This purpose involves aggregated data analysis and does not focus on individual personal profiles).
• Other mission-related purposes: We may process data for additional purposes that are still within the scope of FAO’s mandate and your expectations. For example, if you are a subject matter expert collaborating with us, we might use your information to facilitate that collaboration. We will always inform you of such purposes at the time of data collection.
• To ensure the security of FAO premises and systems (for example, managing access controls and CCTV surveillance).

FAO will not use your personal data for any purpose that is incompatible with the original reasons we collected it. We do not engage in profiling or automated decision-making that could significantly affect you. If for some reason we ever need to process your data for a new purpose not covered above, we will inform you and, if necessary, seek your consent before doing so. Furthermore, we do not use your data for commercial marketing to you, nor do we sell your personal data to third parties.

Who has access to your data and how we share it

Within FAO: Access to your personal data is restricted to authorized FAO personnel who need that information to perform their duties in line with the purposes described. All FAO employees and collaborators are bound by confidentiality obligations and are required to protect personal data as part of their official responsibilities. FAO implements internal access controls to ensure that only the appropriate people can see your information.

Because FAO is a global organization, your data may be stored or processed on servers in different countries. Regardless of location, all FAO data facilities and service providers are subject to the same security standards and FAO’s legal protections (privileges and immunities).

Third-Party Partners and Service Providers: FAO may need to share some of your personal data with outside parties in certain scenarios, but only for the purposes explained in this Notice and only with entities we trust. Examples include:

• An implementing partner or service provider assisting in an FAO project, who needs certain information to deliver assistance or services to you on FAO’s behalf (for example, a local NGO helping us distribute farming tools to beneficiaries).
• An event co-organizer or sponsor that needs a list of participants for venue security or catering arrangements.
• A mailing service provider that distributes our newsletter on our behalf.
• A research partner assisting in analysing survey results.
• An IT service provider or cloud platform that hosts FAO’s databases or websites.

In all cases, FAO does not permit any third party to use your information for their own purposes, such parties are only given the information necessary for their task. When we share data, it is solely to carry out tasks on FAO’s instructions. We make every effort to ensure that any third party we work with affords a level of data protection and security safeguard that is equal to or comparable to FAO’s standards. This is typically enforced through contractual agreements. These partners or contractors are obligated to handle your data confidentially and securely, and to use it only for the specified purpose we’ve agreed upon.

FAO does not sell, rent, or trade your personal information to any external organization. We also do not share your data with advertisers or for any commercial promotion unrelated to FAO’s humanitarian and development objectives. Any sharing of data is rooted in FAO’s mandate and is done with respect for your privacy.

How long we keep your data

FAO will retain your personal data only for as long as it is necessary to fulfil the purposes for which it was collected, in accordance with FAO’s rules. We have internal policies and schedules that define retention periods for different categories of data. These consider the original purpose and any legal or administrative requirements. In practice:

• If you provided data for a one-time event or query, we will generally delete or anonymize that data after it is no longer needed for follow-up. For example, if you registered for a webinar, your registration data might be deleted from our active list after the webinar and any immediate follow-up, unless you opt-in to other communications.
• If you are a long-term subscriber or platform user, we retain your data while you remain subscribed or your account is active. If you unsubscribe or deactivate your account, we will remove or anonymize your personal data within a reasonable time after your request, unless retention is required for legitimate purposes.
• FAO periodically reviews the personal data we hold. When we determine that certain information is no longer required, we securely erase, destroy, or anonymize it.
  

There may be circumstances that necessitate retaining data for a longer duration, for instance:

• Legal or compliance reasons: We might keep certain records to comply with (financial) auditing rules, donor requirements, or other legal, regulatory, operational, or institutional obligations. This includes, but is not limited to, obligations related to reporting, archiving, or compliance with FAO’s internal rules and procedures, including those arising from its status as a specialized agency of the United Nations.
• Public interest archiving, research, or statistics: Occasionally, personal data (especially if aggregated or pseudonymized) could be kept for historical analysis, documenting FAO’s activities, or research purposes in line with our mandate. In such cases, FAO will ensure appropriate safeguards are in place in accordance with our Data Protection Policy.
• Protection of FAO’s rights: We may retain data to establish, exercise, or defend against potential legal claims.

Even in the above cases, data will not be kept indefinitely. It will be archived securely and purged once the necessity expires.

Importantly, if you withdraw your consent for a particular processing, or request deletion of your data, FAO will evaluate if any of the above exceptions apply. If not, we will delete your personal data. If an exception applies (for example, if we must retain certain information for an ongoing project or legal requirement), we will inform you about why we need to retain it.

FAO does not keep personal data longer than justified. We aim to ensure that your data is removed when it is no longer needed, thus reducing any privacy risks over time.

How we protect your data

FAO takes appropriate and diligent measures to safeguard your personal data. We have implemented a range of technical, physical, and organizational security measures to prevent unauthorized access, disclosure, alteration, or destruction of your information. These measures include, for example:

• Secure IT infrastructure with firewalls, encryption in transit and at rest where applicable, and regular security monitoring.
• Access control mechanisms to ensure that only authorized individuals can access personal data on a need-to-know basis. For instance, your data is stored in secure systems and only accessible by personnel or systems that require it for the intended purpose.
• Training and policies for FAO personnel and partners on data protection and confidentiality, so that everyone handling personal data is aware of their responsibilities.
• Procedures to address any suspected data security incidents, including data breach response plans.

These security measures and procedures are continually reviewed and updated in line with FAO’s rules and industry best practices, which are aligned with international standards. FAO strives to use the most effective safeguards available to protect your data.

If FAO engages external service providers (e.g., for data hosting or email distribution), we contractually require them to also implement stringent security measures to protect your data. We carefully select reputable providers and assess their security controls. Your data receives the same level of protection with these providers as it does on FAO systems.

In the unlikely event of a data breach that poses a significant risk (for example, a security incident leading to accidental or unlawful loss or disclosure of your personal data), FAO will follow its internal incident response procedures. This may include informing affected individuals and taking steps to mitigate any potential harm, in line with our obligations and commitment to accountability.

Requests related to your data

In accordance with FAO’s DPP you may submit certain requests with respect to personal data that we hold about you. Specifically, you may request the following:

1. Access: You can ask us to confirm whether we are processing your personal data, and if so, you can request access to that data. We will provide you with a copy of the personal data we have about you, as well as information about how we use it.
2. Correction (Rectification): If you believe that any personal data we hold about you is inaccurate or incomplete, you may request that we correct it. We encourage you to keep your information up to date and will make corrections promptly when notified.
3. Deletion (Erasure): You may request that we delete your personal data. If you no longer want FAO to use your data, and there is no necessary reason for us to keep it, you can ask us to remove it. We will evaluate such requests on a case-by-case basis in line with our retention rules and legal requirements. If the data is no longer needed for any legitimate purpose (and there’s no overriding requirement to retain it), we will delete or anonymise it and confirm that to you.
4. Objection or Withdraw Consent:
• If we have asked for your consent to process your data, you can withdraw that consent at any time. For example, if you consented to receive a newsletter, you can unsubscribe and we will stop sending it and remove your contact from the mailing list.
• In certain situations, even if you initially agreed to provide data, you may object to its continued processing. For instance, if you provided data for a research project and later change your mind, or if FAO is conducting an activity in the public interest and you have personal grounds to object, you can inform us. We will consider your objection and stop or limit processing unless we have a compelling reason not to (consistent with our DPP).
• Additionally, if you do not wish to provide data in the first place when we request it (for something non-mandatory), you have the option to refuse. Providing personal data to FAO is generally voluntary. You will not be penalized for choosing not to share certain information, though please understand that we might not be able to deliver a service or include you in an activity if we don’t have the necessary data. (For example, if you object to us keeping your email, we cannot send you email updates.)

You have control over your personal data that we hold, and we will respect and facilitate your request to access it, correct it, delete it, or object to its use, as appropriate.

These requests are subject to certain limitations under FAO’s DPP. In some cases, we may have legitimate grounds to deny a request (for example, we cannot delete records that we are required to keep, or we might not disclose data that involves others’ privacy). However, we will always respond to you and explain any refusal or limitation of your request.

FAO also applies its data protection principles outlined in this Notice to other internal sensitive non-personal data it handles, in line with its Data Protection Policy, even though such data is not subject to the individual requests described here.

How to submit a request or contact us

If you wish to submit any of the requests described above, or if you have any questions, concerns, or complaints regarding how your personal data is handled, please reach out to us. The channel to contact us about data protection matters is the ServiceNow Portal. You can submit your request or query through our online form by visiting https://fao.service-now.com/csp and selecting the “Data Privacy” option. This will ensure your request is logged and addressed by FAO’s Data Protection Unit (DPU).

To protect your privacy, we might need to verify your identity before fulfilling certain requests (for example, access or deletion requests) – this is to ensure we don’t disclose your data to someone else. We will respond to your inquiry as soon as practicable and at the latest within a reasonable timeframe in accordance with our internal procedures.

If you have made a request to access, correct, delete your data, or objected to its continued processing, we will inform you of the action taken. If for some reason we cannot fulfil your request (due to an applicable exception), we will explain the rationale to you. Rest assured, we take your requests seriously and aim to facilitate them to the fullest extent possible.

Changes to this data protection and privacy notice

FAO may update or revise this Data Protection and Privacy Notice from time to time. Such changes could reflect new legal requirements, improvements in our data protection practices, or adjustments to our operations. We encourage you to review this Notice periodically to stay informed about how we are protecting your information.

If we make significant changes, we may provide a more prominent notice (such as posting a notice on our website’s homepage or sending an email notification for major changes). However, minor updates may simply be reflected by a new effective date at the top of the Notice. Nothing in any updated Notice will reduce your rights or our commitments to protecting your data as outlined here. We will always indicate the date of the latest revision at the top of the Notice for reference.

Privileges and immunities & applicable law

Nothing in this Data Protection and Privacy Notice shall be construed as a waiver of the privileges or immunities of FAO, nor does it imply acceptance of the jurisdiction of any national courts. FAO is an international organization with its own governing rules. The processing of personal data by FAO is therefore not subject to any single national or regional data protection law. Instead, it is governed by FAO’s internal legal framework (including the FAO Data Protection Policy and related procedures) and by the general principles of international law. This Notice is provided in the spirit of transparency and accountability to inform you how we handle your data, but it does not create legal obligations for FAO under external laws.