This Data Protection Policy (hereinafter referred to as the “Policy“) describes how the Foundation in support of WHO (hereinafter referred to as the “Foundation“) as data controller, collects, manages, uses and protects Personal Data received in compliance with applicable privacy laws and regulations, including the EU General Data Protection Regulation and the Swiss Federal Act on Data Protection and its ordinance. The regulations cover all aspects of Personal Data and the obligations on the Foundation to clearly identify what Personal Data the Foundation has, where it is obtained, why the Foundation has it, how the Foundation may use it, how Personal Data is stored and with whom it may be shared and under what circumstances.
Personal Data types
In essence, “Personal Data” is any information relating to an identifiable individual or from which an individual can be identified. The Foundation collects Personal Data that is limited to the kind of information that is necessary as part of the Foundation activities such as for example but not exclusively, name, gender, date and place of birth, nationality, postal address, email address, phone number, relevant charitable foundation or private office contact details, source of fortune, main company ownership and affiliation, professional information, wealth information, philanthropy information, reason for selection, current directorships, current trusteeships.
Sources of Personal Data
Personal Data of third parties
If you provide Personal Data to the Foundation about someone else, you must ensure that you are entitled to disclose that Personal Data to the Foundation and that the Foundation can legally process such Personal Data without having to take any further steps.
Purpose of the processing of Personal Data
The Foundation processes Personal Data in the conduct of its activities as a foundation as described in its Statutes and for the achievement of its statutory purpose.
Safeguards of Personal Data
Personal Data is stored on a Foundation server in Switzerland. Personal Data held by the Foundation is kept on hard copy files and in password protected electronic files and record systems. Access at the Foundation is restricted to a “need-to-know” basis and for the above mentioned purposes exclusively. The concerned Foundation’s staff have been made aware of the importance of Personal Data and the Foundation’s obligations under relevant data protection legislation. These obligations mean that Personal Data is always securely processed and transmitted, protected against unlawful processing and accidental loss and uncontrolled change, amongst other requirements.
Collection of personal data
Personal Data sharing
Unless disclosure of your Personal Data is required by applicable law or a competent authority, your Personal Data is held in confidence and is never provided to any third party outside of the Foundation, with the exception, where applicable, of the World Health Organisation or COVAX AMC implementing partners that may require access to Personal Data to ensure compliance with their donation mechanism.
Should the Foundation provide a third party with any of your Personal Data, the Foundation will conclude written agreements with any such third party imposing data protection obligations in order to ensure an adequate level of protection for your Personal Data and compliance with the legal requirements.
The Foundation trusted partner in each jurisdiction that may be responsible for receiving your donation will also collect your Personal Data. Their data policy will be applicable in addition to this one if your donation goes through one of our trusted partners.
CAF UK, our trusted UK partner, will collect your title, residential address, first name and surname for identification purposes and Gift Aid claim, as well as your email address for further information if necessary according to their internal policies. The deletion of your data within their system is to be made according to CAF UK Privacy Notice available on their website.
Personal Data transfers outside the EU
This section shall apply to any Personal Data collected by the Foundation from EU and Swiss residents.
If the Foundation transfers your Personal Data to a State which is not a Member State of either the European Union or the EEA, or deemed adequate by the European Commission and/or the Swiss Federal Data Protection and Information Commissioner, for example to Members of the Foundation Board located in such State, the Foundation will only conduct such transfer if there are suitable safeguards in place, such as binding corporate rules, standard contractual clauses, approved Codes of Conduct, or approved certification mechanism.
Retention period of Personal Data
As an organisation operating and governed by Swiss Law, the Foundation is obliged to keep a record of all operational relevant information for a period of ten (10) years. The Foundation will therefore keep your Personal Data for a period of ten (10) years from the time your Personal Data is no longer useful for the performance of its activities, subject to any potential proceedings, requests or investigations that may extend beyond that period. The Foundation will however process your Personal Data exclusively for the above mentioned purposes.
Personal Data owner’s rights and preferences
In addition to the right to be informed about the Personal Data the Foundation holds and the use the Foundation makes of it (as described in this Policy) you are also entitled to:
● access your Personal Data;
● rectify inaccurate or incomplete Personal Data;
● request deletion of your Personal Data (subject to the below mentioned limitation);
● restrict processing of your Personal Data (subject to the below mentioned limitations);
● obtain and reuse your Personal Data;
● object to particular processing(s) of your Personal Data subject to the below mentioned limitations).
For further information on these rights, please contact us (see contact details below).
Please note that your objection or restriction to the processing of your Personal Data could prevent the Foundation from performing the actions necessary to achieve the purposes set out above. Please also note that the above rights can be limited. For example, the Foundation may need your Personal Data to comply with the law (e.g. see the “Retention period of Personal Data” section above) or assert or defend against legal claims. The Foundation may therefore be able to continue processing your Personal Data even after you have requested, for example, the deletion of your Personal Data, to the extent required or permitted by law.
Any modifications made to the present data protection policy will be published on the Foundation website. The published data protection policy on the Foundation’s website is the applicable and most up-to-date data protection policy.
Questions, concerns or complaints
If you have any questions, concerns, or complaints about the Foundation’s Personal Data practices or this Policy, we encourage you to get in touch with the Foundation by using the contact information below. Also, if you believe you have suffered harm due to a breach of your rights by the Foundation under this Policy, and the Foundation has not handled your complaint in a reasonably sufficient manner, any EU resident may also file a complaint with the competent supervisory authority.