Who is collecting your personal data?
Concept Foundation is committed to ensuring the privacy of all individuals from whom we collect and process personal data. This policy represents our commitment as a foundation to your right to privacy, giving you a clear explanation about how we use your information and your rights over that information. In specific circumstances, some other policy statement could be applicable such as General Terms and Conditions, Conditions of Participation or similar documents.
References to ‘we’, ‘us’ and ‘our’ are to Concept Foundation, registered as a foundation in Switzerland (CHE-115.071.423).
Concept Foundation is the registered data controller to which the policy refers. Our full details can be found at the end of this policy; please feel free to contact us with any questions related to it. This policy was last updated on 11.09.2018 and is reviewed every 12 months.
Personal Data: This term covers “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art.4 §1 GDPR).
Sensitive Personal Data: This term covers a subset of data for which even greater care should be taken, such as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” (Art. 9 §1 GDPR).
Processing Data: This term means any set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art.4 §2 GDPR).
Data Subject: This term covers individuals that are identifiable or identified by the processed personal data (Art.4 §1 GDPR).
Data Controller: The Data Controller decides how and why data is processed and ensures that legal obligations are met (Art.4 §7 GDPR).
Data Processor: Anyone processing data on behalf of the Data Controller (Art.4 §8 GDPR).
Third Party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (Art.4 §10 GDPR).
What personal data do we collect?
Personal data of data subjects that Concept Foundation processes may include, depending on your relationship with the foundation (see legal basis for processing below):
• Identification data: names, addresses, telephone numbers, email addresses, business contact information;
• Personal characteristics: date of birth, country of birth;
• Professional information: employment and job history, title, representation authorities;
• Identifiers issued by public bodies: passport, identification card, tax identification number, national insurance number, social security number;
• Financial information: bank details;
• Multimedia data: video; image and voice recording from interviews;
• Cookie information: cookies and similar technologies on websites and in emails.
How do we use the information collected?
In accordance with Art.6 of the GDPR, Concept Foundation will process personal data:
• To conduct market and opinion research related to the Foundation’s vision, mission and goals;
• To administer and process your applications for employment or volunteering opportunities with us;
• To process donations that we receive from you;
• To share your data with Concept Foundation Bangkok or with trusted third parties (further details below);
• To improve our website;
• To fulfill any legal obligations.
Legal basis for processing
Data protection law requires us to have a legal justification to process your personal information. We use the following depending on the type of data and the type of processing:
Consent
We require your consent to send you our communications, for example to send you emails to update you on our work and our campaigns and to request donations. We will only process your information in this way if you consent. If you apply for a job with us and provide us with sensitive personal information (including details of your race, ethnicity, gender) we will only process that information with your consent.
We sometimes share your personal information between Concept Foundation in Bangkok and Geneva (see below). This is done to fulfill our legitimate interest in reaching our Foundation’s mission as effectively as possible.
To fulfill a contractual obligation
If you donate to our foundation we will process the personal data you provided to process that donation.
We will process your personal information to fulfill any legal obligations placed upon us, such as the prevention of fraud or money-laundering. We will also process your personal information if lawfully required to do so by a legal authority or a court of law.
For example where you are applying for an employment or volunteering opportunity with us, processing certain information is necessary for employment purposes.
We take appropriate security measures to ensure that we keep your information secure, accurate and up to date. However, the transmission of information over the Internet is never completely secure, so while we do our best to protect personal information, we cannot guarantee the security of information transmitted to our websites.
Is your data shared with third parties?
Third Party Websites
On our website we sometimes have links to third party websites or applications. This policy does not apply to such pages or applications hosted or operated by other organisations. This includes the websites or applications of Concept Foundation sections or related organisations or third-party sites. These other sites may have their own privacy policies which apply to them.
Sharing of your personal data
Depending on your relationship with us, information is shared between Concept Foundation in Bangkok and Geneva to pursue our daily business operations.
Multimedia data collected during interviews are shared with media and donors with your consent only.
Hosting and processing arrangements
Our website is hosted by third party service providers and therefore any personal details you submit through them may be processed by that third party service provider.
We also use other third parties to process your employment information in relation to your employment contract.
All third-party service providers process your personal information only on Concept Foundation’s behalf and are bound by contractual terms that are compliant with data protection law.
We may also share your personal information with your permission, or if we are legally required to disclose your information in circumstances where this cannot be reasonably resisted.
A cookie is a text-only piece of information that a website transfers to your computer’s hard disk so that the website can remember who you are. A cookie will normally contain the name of the Internet domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number.
We also use plug-ins from social networks such as Facebook and Twitter, visible to you on our website. These elements are disabled by default. Clicking on those elements activates them and operators of social networks might process your personal data in accordance with their privacy policies. We don’t receive any information about you from the respective operators.
How long will your data be stored for?
We only hold your personal information on our systems for as long as is necessary for the purposes outlined above. We remove personal data from our systems once it is no longer required, in line with our guidelines on how long important information must remain accessible for future use or reference, as well as when and how data can be destroyed when it is no longer needed.
The length of time each category of data will be retained will vary depending on how long we need to process it for, the reason it was collected and in line with any statutory requirements. After this time the data will either be deleted or we may retain a secure anonymised record for research and analytical purposes.
What data privacy rights do you have?
You have the right, subject to applicable local data protection legislation, to:
• request access to, and receive a copy of, the personal data we hold (‘Right to access’, Art. 15 GDPR);
• if appropriate, request rectification or erasure of the personal data that are inaccurate (‘Right to rectification’, Art. 16 GDPR);
• request the erasure of the personal data, subject however to applicable retention periods (‘Right to be forgotten’, Art. 17 GDPR);
• request a restriction of Processing of personal data where the accuracy of the personal data is contested, the Processing is unlawful, or if the Data Subjects have objected to the Processing (‘Right to restriction of processing’, Art. 18 GDPR);
• object to the Processing of personal data, in which case we will no longer process the personal data (‘Right to object’, Art. 21);
• receive the personal data in structured, commonly used and machine-readable format (‘Right to data portability’, Art. 20).
Even if a Data Subject objects to the Processing of personal data, we are nevertheless allowed to continue the same if the Processing is (i) legally mandatory, (ii) necessary for the performance of a contract to which the Data Subject is a party, (iii) necessary for the performance of a task carried out in the public interest, or (iv) necessary for the purposes of the legitimate interests we follow, including the establishment, exercise or defence of legal claims. We will not, however, use the Data Subject’s personal data for direct marketing purposes if the Data Subject asks us not to do so.
Subject to the limitations set forth herein and/or in applicable local data protection laws, you can exercise the above rights free of charge by contacting Concept Foundation.
How can you raise a complaint?
For any questions you may have in relation to this privacy notice or more generally the processing of your personal data, you may contact Concept Foundation at:
Avenue de Sécheron 15
If you wish to lodge a complaint about our handling of your personal data please get in touch with us on the details above with the details of your complaint; we aim to respond to all complaints within 30 days.