With effect from 7 March 2023

 

Overview

This Data Protection Policy (hereinafter referred to as the “Policy”) describes how the Foundation in support of WHO (hereinafter referred to as the “Foundation”) as data controller, collects, manages, uses and protects Personal Data received in compliance with applicable privacy laws and regulations, including the EU General Data Protection Regulation and the Swiss Federal Act on Data Protection and its ordinance. The regulations cover all aspects of Personal Data and the obligations on the Foundation to clearly identify what Personal Data the Foundation has, where it is obtained, why the Foundation has it, how the Foundation may use it, how Personal Data is stored and with whom it may be shared and under what circumstances.

Personal Data types

In essence, “Personal Data” is any information relating to an identifiable individual or from which an individual can be identified. The Foundation collects Personal Data that is limited to the kind of information that is necessary as part of the Foundation activities such as for example but not exclusively, name, gender, date and place of birth, nationality, postal address, email address, phone number, relevant charitable foundation or private office contact details, source of fortune, main company ownership and affiliation, professional information, wealth information, philanthropy information, reason for selection, current directorships, current trusteeships.

Sources of Personal Data

The Foundation processes Personal Data that is voluntarily or upon request provided to the Foundation in the course of a recruitment process, employment, donations, an agreement for the performance of work or any other contract. In some instances, the Personal Data will be supplemented by information retrieved from public sources, such as online media and certain Personal Data may be automatically recorded, notably through the use of Cookies, for system administration, statistical, storage and security reasons, when an individual visits the Foundation’s website or a website hosted by the Foundation, without opting-out.

Personal Data of third parties

If you provide Personal Data to the Foundation about someone else, you must ensure that you are entitled to disclose that Personal Data to the Foundation and that the Foundation can legally process such Personal Data without having to take any further steps.

Purpose of the processing of Personal Data

The Foundation processes Personal Data in the conduct of its activities as a foundation as described in its Statutes and for the achievement of its statutory purpose.

Safeguards of Personal Data

Personal Data is stored on a Foundation server in Switzerland. Personal Data held by the Foundation is kept on hard copy files and in password protected electronic files and record systems. Access at the Foundation is restricted to a “need-to-know” basis and for the above mentioned purposes exclusively. The concerned Foundation’s staff have been made aware of the importance of Personal Data and the Foundation’s obligations under relevant data protection legislation. These obligations mean that Personal Data is always securely processed and transmitted, protected against unlawful processing and accidental loss and uncontrolled change, amongst other requirements.

Collection of personal data

For the purpose of campaigns launched by the Foundation, Personal Data of donors (individual or corporate) may be collected by the Foundation’s service providers that host or provide the campaign website or other fundraising tools (FundraiseUp, Facebook, Benevity, etc.). These service providers may be located outside of Switzerland or countries compliant with the EU General Data Protection Regulation. Personal Data will be transferred from the Foundation’s service providers to the Foundation. The Foundation has concluded contracts to ensure, to the best of its ability, that appropriate safeguards are in place with its service providers, when data is collected, transferred to the Foundation and deleted from our service providers servers but by using these tools donors agree to be submitted to the Foundation’s service providers privacy policy and regulations. 

Online payments

If a payment is made through one of the Foundation online tools, a third party provider, such as stripe.com, will process Personal Data for the purpose of the payment. The third party provider shall be the only party responsible, if its services or system are located within the United States or other countries outside Switzerland, for implementing appropriate safeguards mechanisms for such transfer. Therefore, the present data privacy policy may not apply to information that you may submit to us offline or to websites maintained by other companies or organizations to which we may link. In addition, the Foundation will not collect, access, store or process any credit card or other payment system information.

Personal Data sharing

Unless disclosure of your Personal Data is required by applicable law or a competent authority, your Personal Data is held in confidence and is never provided to any third party outside of the Foundation, with the exception, where applicable, of the World Health Organisation that may require access to Personal Data to ensure compliance with their donation mechanism.

Should the Foundation provide a third party with any of your Personal Data, the Foundation will conclude written agreements with any such third party imposing data protection obligations in order to ensure an adequate level of protection for your Personal Data and compliance with the legal requirements. 

 

The Foundation trusted partner in each jurisdiction that may be responsible for receiving your donation will also collect your Personal Data. Their data policy will be applicable in addition to this one if your donation goes through one of our trusted partners.  

Personal Data transfers outside the EU

This section shall apply to any Personal Data collected by the Foundation from EU and Swiss residents.

If the Foundation transfers your Personal Data to a State which is not a Member State of either the European Union or the EEA, or deemed adequate by the European Commission and/or the Swiss Federal Data Protection and Information Commissioner, for example to Members of the Foundation Board located in such State, the Foundation will only conduct such transfer if there are suitable safeguards in place, such as binding corporate rules, standard contractual clauses, approved Codes of Conduct, or approved certification mechanism.

Retention period of Personal Data

We will retain your information for as long as needed in accordance with the purpose it was collected. We may also retain and use your information to comply with our legal obligations, resolve disputes, and prevent abuse. 

For job applicants: collection, purpose and retention

The Foundation will only collect data and information given to us through the CV and/or application you provided the Foundation with. That may include information about education, qualifications, former employers, work experience and your contact details. All the information the Foundation holds is necessary for the Foundation to progress your application and to assess your suitability for the role you have applied for, or to fulfill legal or regulatory requirements if necessary.

If you are successful, the information you provide during the application process will be retained by the Foundation as part of your employee file for the duration of your employment and any period required by law following the end of your employment. 

If you are unsuccessful at any stage of the recruitment process, the information you have provided will be retained by the Foundation for 365 days.

Personal Data owner’s rights and preferences

In addition to the right to be informed about the Personal Data the Foundation holds and the use the Foundation makes of it (as described in this Policy) you are also entitled to:

• access your Personal Data;
• rectify inaccurate or incomplete Personal Data;
• request deletion of your Personal Data (subject to the below mentioned limitation);
• restrict processing of your Personal Data (subject to the below mentioned limitations);
• obtain and reuse your Personal Data;
• object to particular processing(s) of your Personal Data subject to the below mentioned limitations).

For further information on these rights, please contact us (see contact details below).

Please note that your objection or restriction to the processing of your Personal Data could prevent the Foundation from performing the actions necessary to achieve the purposes set out above. Please also note that the above rights can be limited. For example, the Foundation may need your Personal Data to comply with the law (e.g. see the “Retention period of Personal Data” section above) or assert or defend against legal claims. The Foundation may therefore be able to continue processing your Personal Data even after you have requested, for example, the deletion of your Personal Data, to the extent required or permitted by law.

Modifications

Any modifications made to the present data protection policy will be published on the Foundation website. The published data protection policy on the Foundation’s website is the applicable and most up-to-date data protection policy.

Questions, concerns or complaints

If you have any questions, concerns, or complaints about the Foundation’s Personal Data practices or this Policy, we encourage you to get in touch with the Foundation by using the contact information below. Also, if you believe you have suffered harm due to a breach of your rights by the Foundation under this Policy, and the Foundation has not handled your complaint in a reasonably sufficient manner, any EU resident may also file a complaint with the competent supervisory authority.

Contact information: info@who.foundation