Privacy Policy

Preliminary remarks

Associazione ActionAid Switzerland (hereinafter also referred to as "the Organization" or "AA" or "ActionAid") is aware of the importance of protecting the privacy and rights of individuals. Since the Internet is a potentially strong tool for the circulation of personal data, AA has made a serious commitment to comply with rules of conduct - in line with European Regulation 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR") - that guarantee a safe, controlled and confidential internet browsing experience.

This policy for the protection of the confidentiality of information may change over time, also as a result of additions and changes in legislation and regulations or for our institutional decisions. Therefore, we invite you to periodically consult this section of our website.

We therefore invite you to read the rules that our association has established to collect and process personal data and to always provide a satisfactory service to our users.

This privacy policy applies only to this website and is not intended for other websites reachable through hyperlinks or websites that have their own privacy policy.

Basic principles of ActionAid's privacy policy

  1. process (art. 4, paragraph 2, GDPR: "any operation or set of operations, performed with or without the support of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of disclosure, comparison or interconnection, limitation, deletion or destruction") of personal data (art. 4, paragraph 1, GDPR: "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is considered to be the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more details related to their physical, physiological, genetic, psychic, economic, cultural or social identity") exclusively for the purposes and in the manner illustrated in the information to be provided to users each time they access a section of the website where they need to provide personal data, directly or indirectly;
  2. only use data that has been provided spontaneously by the user;
  3. use technical cookies to facilitate navigation of the website and analytical cookies for statistical purposes;
  4. transmit data to third parties (data processors - art. 4, paragraph 8, GDPR: "the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller") exclusively for instrumental purposes as expressly requested and carefully selected by us;
  5. send promotional communications on our projects, activities, surveys and research, also in a customized way, by cross-referencing information on the characteristics and interests of the user;
  6. communicate data to third parties for activities of interest or when this is required by EU regulations or legislations;
  7. respond to requests to access, rectify or cancel personal data, to exercise the right to erasure, to limit the processing or to exercise the right to object to data processing. Ensure the exercise of the right to data portability and the right to oppose the processing of data for purposes of information communications on our projects and requests for financial contributions to support our institutional activities;
  8. ensure a correct and lawful processing of personal data, safeguard the confidentiality of such data, and apply appropriate security measures to protect the confidentiality, integrity and availability of such data.

Information to be provided pursuant to Art. 13, GDPR and notes on the criteria used to determine the limits of data storage

This information is explained more thoroughly in all website sections where users can subscribe to services by providing their personal data. The data provided is used to process inquiries and requests specifically made by the user. All activities of collection - and subsequent processing - of data are aimed at pursuing the institutional purposes of ActionAid and, specifically:

  1. provide information on our projects. This information may be solicited by filling in the relevant contact form or by contacting us directly by e-mail, telephone or mail
  2. allow the user to access our social channels
  3. inform users - by email or any other communication tool determined by the user - about projects and activities, events and awareness campaigns
  4. carry out profiling activities, based on characteristics, behaviors and actions that are derived from the single inquiries and requests. Profiling is used to personalise communications on our projects, activities, surveys and research.

When filling in forms - online or downloadable – users are required to provide both mandatory data (i.e. data necessary to subscribe to services or without which the request cannot be processed) and optional data. Therefore, the user is free to provide personal data in the request forms or in their communications with the Organization to request information. Failure to provide mandatory data may prevent the request from being processed.

Users’ data include identification data, e-mail addresses and other contact information or other information contained in messages/requests for information on projects of interest.

The selection of data to be submitted as mandatory to subscribe to individual projects or initiatives or to submit requests was made in accordance with the provisions of Art. 25, GDPR ("Data protection by design and by default"), which require the prior assessment of appropriate technical and organisational measures, such as "pseudonymisation" (art. 4, paragraph 5, GDPR: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"), aimed at effectively implementing data protection principles, such as minimizing, and to integrate into the processing the necessary safeguards in order to meet the requirements of the GDPR and protect the rights of the individuals concerned. In addition, AA has put in place adequate technical and organizational measures to ensure that, by default, only personal data necessary for the specific purpose of processing resulting from the project to which the data subject has voluntarily subscribed is processed.

All processing on this website will be carried out using paper, electronic or telematic tools, strictly related to the purposes for which the data are collected and in compliance with current security regulations, for the purposes specified in disclaimers to be provided pursuant to art. 13, GDPR.

ActionAid will not use the data provided for purposes other than those related to the service to which the user has subscribed, and, in any case, only within the limits indicated in disclaimers to be provided pursuant to art. 13, GDPR.

To provide a service to which a user has subscribed (or whenever this is necessary to comply with laws or regulations), data may be disclosed to third parties, who will act as independent data controllers and provide services aimed at meeting the user's request.

The legal basis for the purpose mentioned in paragraph 1. is the fulfillment of obligations assumed towards the person concerned (art. 6, paragraph 1, letter b), GDPR). The retention of data is limited to the period necessary to process the request, which may also involve multiple contacts if not settled immediately or if the person concerned provides additional information or makes further inquiries.

The legal basis for the purpose mentioned in point 2. is the "legitimate interest" (art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion 6 of April 09, 2014 of the Working Party 29, paragraph 3.III) of AA to maintain a constant relationship with individuals who have interacted with AA in various manners and have shown interest in our principles and reasonably expect to receive information from AA regarding proposals for financial support or involvement in initiatives and awareness raising campaigns. For this purpose, therefore, the data will be stored in our archives for the period of time necessary to provide these information services, estimating this period according to the expectation of how long these persons will be interested in and share the mission of AA. Obviously, this retention period is extended as long as the person concerned shows interest in staying in touch with AA: if they no longer have an interest, it is sufficient to notify AA by the means explained below and AA will adopt the appropriate technical and logistical measures so as not to disturb these individuals any longer.

The legal basis for the purpose mentioned in point 3. is the consent of the data subject (Art. 6, paragraph 1, letter a), GDPR), expressed in an unequivocal manner. If desired, by ticking the relevant box, the data will be processed for communications tailored to the characteristics of behavior, interests and preferences with respect to our actions. The profiling will involve the selection of information stored by the person concerned, so that they receive communications of interest to them and in line with their preferences, thus avoiding unwelcome or uninteresting communications. The data will be kept as long as the data subject's profile is in line with the customised notifications created by cross-referencing the information available to us and, therefore, as long as AA continues to pursue its mission with projects, initiatives, actions and activities - requiring financial contributions or spreading awareness – which reflect the person’s characteristics and behaviour and are, therefore, of specific interest to them and not of disturbance. Also in this case, the data storage will cease if the data subject expresses opposition at any time to the processing of personal data carried out for profiling purposes related to direct marketing.

The personal data collected will be disclosed to persons authorized by the Organization pursuant to art. 29, GDPR that perform processing activities essential for the pursuit of the aforementioned purposes. The categories of individuals authorized to process data are specified in regular communications. In general, these are the individuals responsible for the provision of specific services, administration, management of information services, relations with current and potential donors, organizers of information campaigns on our projects and the so-called "social advertising" to support our humanitarian initiatives.

The processing related to the web services of this website takes place at the aforementioned headquarters of the Organization and is handled by specialists authorized to process data. In case of need, data may be processed by third companies responsible for IT maintenance of our website (data controller pursuant to art. 28, GDPR), at their premises.

Associazione ActionAid Switzerland - with registered office in Via Nassa 21, 6900 Lugano - is the data controller (art. 4, paragraph 7, GDPR: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"), pursuant to and for the purposes of GDPR. AA decides how and for what reasons (specified in communications to data subjects) personal data provided by users shall be collected and used, what tools shall be used to process this data and what security procedures shall be implemented to ensure integrity, confidentiality and availability, subject to the obligations and responsibilities provided for in Article 24, GDPR.

We guarantee the right to cancel, modify or supplement data already spontaneously provided, to block or anonymise data, and to oppose its processing for legitimate reasons or whenever the user does not wish to receive "social advertising", including with "profiling". The user may also limit the data processing and exercise their right to data portability. Supervisory authorities may be contacted if needed. By exercising these rights, users are able to control the use of their data even after they have been provided.

Rights of data subjects

It is possible to exercise, at any time, the following rights pursuant to articles 15-22, GDPR, by sending an email to sostenitori.ch@actionaid.org or foerderer.ch@actionaid.org (alternatively, by writing to ActionAid Switzerland Association - Via Nassa 21, 6900 Lugano):

Right of access (Article 15, GDPR)

The user has the right to ask if their personal data is being processed and, therefore, has the right to access information on themselves and about:

  1. the purposes of the processing (e.g. management of an inquiry);
  2. the categories of personal data (e.g. personal details, contact details);
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, especially if they are recipients from third countries or international organizations;
  4. when possible, the expected period of retention of personal data or, if not possible, the criteria used to determine that period;
  5. the existence of the right to rectify or delete personal data or limit the processing of personal data or to object to its processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. if the data is not provided directly by the person, all available information on their source;
  8. the existence of an automated decision-making process, including profiling and meaningful information on the logic used, as well as the anticipated importance and consequences of such processing for the individual. (e.g. if this person has been assigned a profile determined by cross-referencing the information disclosed in the communications with the data controller).

Right of rectification (Article 16, GDPR)

The user has the right to the rectification of inaccurate personal data concerning them without undue delay. Considering the purposes of the processing, the person has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.

Right to erasure ("right to be forgotten") (Article 17, GDPR)

The user has the right to obtain the erasure of their personal data, without undue delay, for one of the following reasons:

  1. personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  2. the consent on which the processing is based is revoked and if there is no other legal basis for the processing (e.g. legitimate interest, legal or contractual obligations);
  3. the processing is opposed for marketing and profiling purposes and there is no overriding legitimate reason for processing;
  4. personal data has been processed unlawfully;
  5. personal data must be erased in order to comply with a legal obligation under EU or Member State law to which they are subject.

Right to Restriction of Processing (Article 18, GDPR)

The person has the right to obtain the restriction of the processing of his or her personal data if any of the following conditions applies:

  1. the person contests the accuracy of their personal data, for as long as it is necessary to verify the accuracy of such personal data;
  2. the processing is unlawful and the person objects to the deletion of their personal data and requests instead that their use be restricted; (e.g.: the person does not want the processing to be carried out for marketing purposes but only to respond to the request made)
  3. although the data is no longer needed for the purposes of processing, personal data is necessary for the person to establish, exercise or defend a right in court;
  4. the data subject has objected to the processing if the processing is based on their legitimate interests, pending verification as to whether their legitimate reasons outweigh those of the data subject.

Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19, GDPR)

The person has the right to request that the rectification or erasure of data or restriction of processing is notified by AA to other persons to whom the data may have been disclosed. AA may not comply with the request if the means to be used are disproportionate to the right to confidentiality invoked by the person.

Right to data portability (Article 20, GDPR)

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This right may be exercised in the following cases:

  1. the processing is based on consent or on a contract or on pre-contractual measures required by the same person and, at the same time
  2. the processing is carried out by automated means.

The person has the right to have their data transferred directly from one person to another (from the person to whom they have given it to the person to whom he or she wishes it to be transmitted), if technically possible.

Right to object (Article 21, GDPR)

The person has the right to object to the processing of their data for the legitimate interest of AA or the interest of third parties, provided that the interests or fundamental rights and freedoms of the person requiring the protection of personal data, including for profiling purposes, do not prevail.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Automated individual decision-making, including profiling (Article 22, GDPR)

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. In particular, they have the right to object to profiling by means of automated processes.

This right shall not be exercised if the decision:

  1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  3. is based on the data subject's explicit consent.

The data subject has the right to express their opinion and to challenge AA’s decision.

Complaint to a Supervisory Authority

The data subject has the right to lodge a complaint with a Supervisory Authority in order to assert their rights. To do so, they may apply to the supervisory authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

Criteria used to determine the limitation of data retention

The data will be kept in our archives (art. 4, paragraph 6, GDPR: "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis") under criteria which vary depending on the data category, and the nature and purposes of processing. The criteria or the precise storage limit are described in the information to be provided pursuant to Art. 13, GDPR at the time of the provision of personal data.

In principle, the following assessments by AA apply to establish the data retention criteria:

  1. all data disclosed to address requests for information are stored in our records until the request is fully satisfied and processed: this may also involve multiple interactions as a result of any additional requests of the data subject during the handling of the request
  2. When users contact AA for insights on projects and institutional activities, to collaborate or to know how to support us, their data used for marketing purposes are retained for the period necessary to provide the requested information. When users manifest their interest by sending inquiries, it is assumed that they share our principles. The retention period is also justified by AA's legitimate interest in maintaining a constant relationship with data subjects, keeping them informed on which projects could be financed by donors or on the awareness campaigns that AA wants to promote, and in demonstrating constant commitment to the fulfilment of its charitable and humanitarian mission. This legitimate interest is authorised under Art. 6, paragraph 1, letter f) GDPR as an alternative mechanism to the explicit consent of the person concerned. Obviously, this retention period is extended as long as the person concerned shows interest in staying in touch with AA: if they no longer have an interest, it is sufficient to notify AA by the means explained below and AA will adopt the appropriate technical and logistical measures so as not to disturb these individuals any longer.
  3. all data used for profiling marketing activities, the processing of which is authorised through the explicit consent of the data subject, shall be kept as long as the data subject's profile is in line with the customised notifications created by cross-referencing the information available to us and, therefore, as long as AA continues to pursue its mission with projects, initiatives, actions and activities - requiring financial contributions or spreading awareness – which reflect the person’s characteristics and behaviour and are, therefore, of specific interest to them and not of disturbance. Also in this case, the data storage will cease if the data subject expresses opposition at any time to the processing of personal data carried out for profiling purposes related to direct marketing.

Once the above periods have elapsed, the identification data shall be transformed into an anonymous form and used only for statistical reports. This anonymous form prevents data subjects from being identified and is useful to adapt projects, initiatives and actions for the implementation and achievement of the statutory and institutional objectives of AA. Personal details will therefore be destroyed.

Data Processors

Personal data may be processed, either manually, electronically or telematically, either directly by AA or by third parties who, with experience, technical skills, professionalism and reliability, carry out processing operations on behalf of our association, while respecting the security and confidentiality of information and constantly monitored by us in their work. The data processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (art. 4, paragraph 8, GDPR) and is contractually bound by AA. This contract shall define operational limits on the data, the data that may be processed, the categories of data subjects, and the prohibition to use them for any purpose other than those specified in the contract. If formally authorized by AA, the data processor may avail itself of the services of other parties who are contractually bound by the party directly appointed by AA: violations committed by these parties fall under the responsibility of the data processor and not of AA.

The complete and updated list of the data processors (and, if applicable, any other data processors appointed by the first data processor, subject to the authorization of AA) can be requested per e-mail to sostenitori.ch@actionaid.org (alternatively, by writing to Associazione ActionAid Switzerland - Via Nassa 21, 6900 Lugano).

Third parties to whom data is disclosed

Personal data may be disclosed to third parties, independent data controllers, for purposes connected with the provision of services of interest or in compliance with the provisions of the law and regulations that provide for their disclosure, as well as to supervisory bodies. The communication of data to third parties for marketing and/or profiling purposes, as well as any dissemination may take place with the consent of the person concerned as stated in the chapter "Information to be provided pursuant to art. 13, GDPR" of this privacy policy.

What are cookies and how does ActionAid use them

Cookies are information stored on the hard drive of one's computer which is sent from one's browser to a web server and contains details on one's use of the internet. As a result, they allow users to find out about services and websites used, and all preferences expressed when surfing the web.

This information is, therefore, not provided spontaneously and directly, but leaves a trace. The data collected through cookies will be used for technical purposes, to ensure easier, quicker and more immediate access to the website and its services.

Profiling cookies may also be used, with the user's consent, to create user profiles based on the sections of the website or the actions carried out by the user on this website or surfing the web.

The use of the so-called “session cookies” (which are not permanently stored on the user's computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary for a safe and efficient exploration of the website. Session cookies that are used in this website avoid the use of other IT techniques that could potentially compromise the confidentiality of user navigation and do not allow for the acquisition of personal identification data of users. In any case, users may configure their browser to be notified when a cookie is received and decide whether to accept it or not.

You will find more information on our cookies and third-party cookies policies here.

Browsing data

The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified users, but by its very nature it may lead, through processing and association with data held by third parties, to the identification of users. This category of data includes IP addresses or domain names of computers used by users connecting to the website, URI (Uniform Resource Identifier) of requested resources, the time of these requests, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error or similar) and other parameters relating to the operating system and computer environment of the user. This data is only used to obtain anonymous statistical information on the use of the website and to check its correct functioning and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the website.

Security of personal data

ActionAid takes appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of personal data. As established by the relevant regulations on security of personal data, technical, logistical and organizational measures are developed to prevent damage, loss (including accidental), alteration, inappropriate and unauthorised use of personal data.

AA has put in place adequate technical and organizational measures to ensure a level of security that safeguards the rights and freedoms - including privacy and confidentiality - of individuals. AA adopts strict security criteria, which include:

  1. "pseudonymization" (art. 4, paragraph 5, GDPR: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person") and encryption of data
  2. systems that permanently safeguard the confidentiality, integrity, availability and resilience of processing systems and services
  3. systems to promptly restore the availability and access to personal data in the event of a physical or technical incident
  4. procedures for regular testing, verification and evaluation of the effectiveness of technical and organizational measures to ensure security of processing.

Similar preventive security measures are adopted by third parties (data processors) to whom the Organization has entrusted operations to process personal data on its behalf.

The Organization is not responsible for untruthful information sent directly by the user (e.g. incorrect e-mail or mail addresses) or for information related to users which is provided by third parties, even fraudulently.
