PRIVACY POLICY
Preliminary remarks
Associazione ActionAid Switzerland (hereinafter also referred to as "the Organization" or "AA" or "ActionAid") is aware of the importance of protecting the privacy and rights of individuals. Since the Internet is a potentially strong tool for the circulation of personal data, AA has made a serious commitment to comply with rules of conduct - in line with European Regulation 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR") - that guarantee a safe, controlled and confidential internet browsing experience.
This policy for the protection of the confidentiality of information may change over time, also as a result of additions and changes in legislation and regulations or for our institutional decisions. Therefore, we invite you to periodically consult this section of our website.
We therefore invite you to read the rules that our association has established to collect and process personal data and to always provide a satisfactory service to our users.
This privacy policy applies only to this website and is not intended for other websites reachable through hyperlinks or websites that have their own privacy policy.
Basic principles of ActionAid's privacy policy
Information to be provided pursuant to Art. 13, GDPR and notes on the criteria used to determine the limits of data storage
This information is explained more thoroughly in all website sections where users can subscribe to services by providing their personal data. The data provided is used to process inquiries and requests specifically made by the user. All activities of collection - and subsequent processing - of data are aimed at pursuing the institutional purposes of ActionAid and, specifically:
When filling in forms - online or downloadable – users are required to provide both mandatory data (i.e. data necessary to subscribe to services or without which the request cannot be processed) and optional data. Therefore, the user is free to provide personal data in the request forms or in their communications with the Organization to request information. Failure to provide mandatory data may prevent the request from being processed.
Users’ data include identification data, e-mail addresses and other contact information or other information contained in messages/requests for information on projects of interest.
The selection of data to be submitted as mandatory to subscribe to individual projects or initiatives or to submit requests was made in accordance with the provisions of Art. 25, GDPR ("Data protection by design and by default"), which require the prior assessment of appropriate technical and organisational measures, such as "pseudonymisation" (art. 4, paragraph 5, GDPR: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"), aimed at effectively implementing data protection principles, such as minimizing, and to integrate into the processing the necessary safeguards in order to meet the requirements of the GDPR and protect the rights of the individuals concerned. In addition, AA has put in place adequate technical and organizational measures to ensure that, by default, only personal data necessary for the specific purpose of processing resulting from the project to which the data subject has voluntarily subscribed is processed.
All processing on this website will be carried out using paper, electronic or telematic tools, strictly related to the purposes for which the data are collected and in compliance with current security regulations, for the purposes specified in disclaimers to be provided pursuant to art. 13, GDPR.
ActionAid will not use the data provided for purposes other than those related to the service to which the user has subscribed, and, in any case, only within the limits indicated in disclaimers to be provided pursuant to art. 13, GDPR.
To provide a service to which a user has subscribed (or whenever this is necessary to comply with laws or regulations), data may be disclosed to third parties, who will act as independent data controllers and provide services aimed at meeting the user's request.
The legal basis for the purpose mentioned in paragraph 1. is the fulfillment of obligations assumed towards the person concerned (art. 6, paragraph 1, letter b), GDPR). The retention of data is limited to the period necessary to process the request, which may also involve multiple contacts if not settled immediately or if the person concerned provides additional information or makes further inquiries.
The legal basis for the purpose mentioned in point 2. is the "legitimate interest" (art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion 6 of April 09, 2014 of the Working Party 29, paragraph 3.III) of AA to maintain a constant relationship with individuals who have interacted with AA in various manners and have shown interest in our principles and reasonably expect to receive information from AA regarding proposals for financial support or involvement in initiatives and awareness raising campaigns. For this purpose, therefore, the data will be stored in our archives for the period of time necessary to provide these information services, estimating this period according to the expectation of how long these persons will be interested in and share the mission of AA. Obviously, this retention period is extended as long as the person concerned shows interest in staying in touch with AA: if they no longer have an interest, it is sufficient to notify AA by the means explained below and AA will adopt the appropriate technical and logistical measures so as not to disturb these individuals any longer.
The legal basis for the purpose mentioned in point 3. is the consent of the data subject (Art. 6, paragraph 1, let-ter a), GDPR), expressed in an unequivocal manner. If desired, by ticking the relevant box, the data will be processed for communications tailored to the characteristics of behavior, interests and preferences with re-spect to our actions. The profiling will involve the selection of information stored by the person concerned, so that they receive communications of interest to them and in line with their preferences, thus avoiding unwel-come or uninteresting communications. The data will be kept as long as the data subject's profile is in line with the customised notifications created by cross-referencing the information available to us and, therefore, as long as AA continues to pursue its mission with projects, initiatives, actions and activities - requiring financial contributions or spreading awareness – which reflect the person’s characteristics and behaviour and are, therefore, of specific interest to them and not of disturbance. Also in this case, the data storage will cease if the data subject expresses opposition at any time to the processing of personal data carried out for profiling purposes related to direct marketing.
The personal data collected will be disclosed to persons authorized by the Organization pursuant to art. 29, GDPR that perform processing activities essential for the pursuit of the aforementioned purposes. The categories of individuals authorized to process data are specified in regular communications. In general, these are the individuals responsible for the provision of specific services, administration, management of information services, relations with current and potential donors, organizers of information campaigns on our projects and the so-called "social advertising" to support our humanitarian initiatives.
The processing related to the web services of this website takes place at the aforementioned headquarters of the Organization and is handled by specialists authorized to process data. In case of need, data may be processed by third companies responsible for IT maintenance of our website (data controller pursuant to art. 28, GDPR), at their premises.
Associazione ActionAid Switzerland - with registered office in Via Nassa 21, 6900 Lugano- is the data controller (art. 4, paragraph 7, GDPR: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"), pursuant to and for the purposes of GDPR. AA decides how and for what reasons (specified in communications to data subjects) personal data provided by users shall be collected and used, what tools shall be used to process this data and what security procedures shall be implemented to ensure integrity, confidentiality and availability, subject to the obligations and responsibilities provided for in Article. 24, GDPR.
We guarantee the right to cancel, modify or supplement data already spontaneously provided, to block or anonymise data, and to oppose its processing for legitimate reasons or whenever the user does not wish to receive "social advertising", including with "profiling". The user may also limit the data processing and exercise their right to data portability. Supervisory authorities may be contacted if needed. By exercising these rights, users are able to control the use of their data even after they have been provided.
Rights of data subjects
It is possible to exercise, at any time, the following rights pursuant to articles 15-22, GDPR, by sending an email to sostenitori.ch@actionaid.org or foerderer.ch@actionaid.org (alternatively, by writing to ActionAid Switzerland Association - Via Nassa 21, 6900 Lugano):
Right of access (Article 15, GDPR)
The user has the right to ask if their personal data is being processed and, therefore, has the right to access information on themselves and about:
Right of rectification (Article 16, GDPR)
The user has the right to the rectification of inaccurate personal data concerning them without undue delay. Considering the purposes of the processing, the person has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.
Right to erasure ("right to be forgotten") (Article 17, GDPR)
The user has the right to obtain the erasure of their personal data, without undue delay, for one of the following reasons:
Right to Restriction of Processing (Article 18, GDPR)
The person has the right to obtain the restriction of the processing of his or her personal data if any of the following conditions applies:
Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19, GDPR)
The person has the right to request that the rectification or erasure of data or restriction of processing is notified by AA to other persons to whom the data may have been disclosed. AA may not comply with the request if the means to be used are disproportionate to the right to confidentiality invoked by the person.
Right to data portability (Article 20, GDPR)
he data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This right may be exercised in the following cases
The person has the right to have their data transferred directly from one person to another (from the person to whom they have given it to the person to whom he or she wishes it to be transmitted), if technically possible.
Right to object (Article 21, GDPR)
The person has the right to object to the processing of their data for the legitimate interest of AA or the interest of third parties, provided that the interests or fundamental rights and freedoms of the person requiring the protection of personal data, including for profiling purposes, do not prevail.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Automated individual decision-making, including profiling (Article 22, GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. In particular, they have the right to object to profiling by means of automated processes.
This right shall not be exercised if the decision:
The data subject has the right to express their opinion and to challenge AA’s decision.
Complaint to a Supervisory Authority
The data subject has the right to lodge a complaint with a Supervisory Authority in order to assert their rights. To do so, they may apply to the supervisory authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
Criteria used to determine the limitation of data retention
The data will be kept in our archives (art. 4, paragraph 6, GDPR: "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis") under criteria which vary depending on the data category, and the nature and purposes of processing. The criteria or the precise storage limit are described in the information to be provided pursuant to Art. 13, GDPR at the time of the provision of personal data.
In principle, the following assessments by AA apply to establish the data retention criteria:
Once the above periods have elapsed, the identification data shall be transformed into an anonymous form and used only for statistical reports. This anonymous form prevents data subjects from being identified and is useful to adapt projects, initiatives and actions for the implementation and achievement of the statutory and institutional objectives of AA. Personal details will therefore be destroyed.
Data Processors
Personal data may be processed, either manually, electronically or telematically, either directly by AA or by third parties who, with experience, technical skills, professionalism and reliability, carry out processing operations on behalf of our association, while respecting the security and confidentiality of information and constantly monitored by us in their work. The data processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (art. 4, paragraph 8, GDPR) and is contractually bound by AA. This contract shall define operational limits on the data, the data that may be processed, the categories of data subjects, and the prohibition to use them for any purpose other than those specified in the contract. If formally authorized by AA, the data processor may avail itself of the services of other parties who are contractually bound by the party directly appointed by AA: violations committed by these parties fall under the responsibility of the data processor and not of AA.
The complete and updated list of the data processors (and, if applicable, any other data processors appointed by the first data processor, subject to the authorization of AA) can be requested per e-mail to sostenitori.ch@actionaid.org (alternatively, by writing to Associazione ActionAid Switzerland - Via Nassa 21, 6900 Lugano).
Third parties to whom data is disclosed
Personal data may be disclosed to third parties, independent data controllers, for purposes connected with the provision of services of interest or in compliance with the provisions of the law and regulations that provide for their disclosure, as well as to supervisory bodies. The communication of data to third parties for marketing and/or profiling purposes, as well as any dissemination may take place with the consent of the person concerned as stated in the chapter "Information to be provided pursuant to art. 13, GDPR" of this privacy policy.
What are cookies and how does ActionAid use them
Cookies are information stored on the hard drive of one' s computer which is sent from one's browser to a web server and contains details on one's use of the internet. As a result, they allow users to find out about services and websites used, and all preferences expressed when surfing the web.
This information is, therefore, not provided spontaneously and directly, but leaves a trace. The data collected through cookies will be used for technical purposes, to ensure easier, quicker and more immediate access to the website and its services.
Profiling cookies may also be used, with the user's consent, to create user profiles based on the sections of the website or the actions carried out by the user on this website or surfing the web.
The use of the so-called “session cookies” (which are not permanently stored on the user's computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary for a safe and efficient exploration of the website. Session cookies that are used in this website avoid the use of other IT techniques that could potentially compromise the confidentiality of user navigation and do not allow for the acquisition of personal identification data of users. In any case, users may configure their browser to be notified when a cookie is received and decide whether to accept it or not.
You will find more information on our cookies and third-party cookies policies here.
Browsing data
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified users, but by its very nature it may lead, through processing and association with data held by third parties, to the identification of users. This category of data includes IP addresses or domain names of computers used by users connecting to the website, URI (Uniform Resource Identifier) of requested resources, the time of these requests, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error or similar) and other parameters relating to the operating system and computer environment of the user. This data is only used to obtain anonymous statistical information on the use of the website and to check its correct functioning and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the website.
Security of personal data
ActionAid takes appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of personal data. As established by the relevant regulations on security of personal data, technical, logistical and organizational measures are developed to prevent damage, loss (including accidental), alteration, inappropriate and unauthorised use of personal data.
AA has put in place adequate technical and organizational measures to ensure a level of security that safeguards the rights and freedoms - including privacy and confidentiality - of individuals. AA adopts strict security criteria, which include:
Similar preventive security measures are adopted by third parties (data processors) to whom the Organization has entrusted operations to process personal data on its behalf.
The Organization is not responsible for untruthful information sent directly by the user (e.g. incorrect e-mail or mail addresses) or for information related to users which is provided by third parties, even fraudulently.