Privacy Policy of the ISREC Foundation

This privacy policy (the "Privacy Policy") is issued by the ISREC Foundation (the "Foundation"). This Privacy Policy describes the lifecycle of Personal Data (as defined below) at the Foundation and the rights of the data subjects.


1. What does the term "Personal Data" comprise?

Personal data are any information relating to an identified or identifiable natural person. In the context of this Privacy Policy, the term "Personal Data" means in relation to a natural person:

  • static information, such as name, first name and the contact information (such as postal address, e-mail address and phone number);
  • financial information, such as bank account details and donation amounts;
  • background information, which the Foundation collects as part of the review and selection process of potential beneficiaries (including information contained in applicants' curriculum vitae);
  • any other information of a personal nature provided to the Foundation by its donors, recipients of funds from the Foundation and any other natural person coming into contact with the Foundation; and
  • cookies information.

The Foundation never asks for sensitive data (i.e., personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, privacy, genetic data, biometric data uniquely identifying a natural person, data on criminal and administrative proceedings or sanctions and data on social welfare measures) unless it is required by law. If the Foundation needs to process sensitive data for other purposes, it will inform you and obtain your explicit prior consent.


2. Who is the data controller of the Personal Data?

The Foundation is the data controller of Personal Data referred to in this Privacy Policy. Its registered office is at rue du Bugnon 25A, 1005 Lausanne, Switzerland.


3. What are the purposes of the processing of Personal Data by the Foundation?

The Foundation processes Personal Data for the following purposes:

  • the provision of information on the Foundation's activities and the projects supported;
  • the preparation and transmission of the Foundation's annual reports;
  • fundraising from potential donors;
  • the review of research projects submitted for application;
  • the management of the donations made to the Foundation;
  • the preparation and provision of the tax documentation to the Foundation's donors;
  • compliance with legal and regulatory requirements applicable to the Foundation.

Where consent is obtained, the Foundation may process Personal Data for additional purposes. Consent may be withdrawn at any time by sending an email to info@isrec.ch.The Foundation does not sell or rent the Personal Data it collects to anyone.


4. Who has access to your Personal Data?

The Personal Data collected by the Foundation is made available to the following persons:

  • Foundation's staff: Personal Data is accessible by the Foundation's staff to the extent necessary to achieve the purpose for which the data was collected.
  • third parties: The Foundation may communicate Personal Data to external persons and companies who provide services to the Foundation as subcontractors (e.g., IT hosting services) or other services related to the Foundation's activities (e.g., banking service providers, auditors or legal advisors). These third parties are subject to an obligation of confidentiality and may only use the Personal Data in accordance with this Privacy Policy and instructions received from the Foundation.
  • competent authorities: If required by law, the Personal Data of the person concerned may be communicated to governmental, judicial or administrative authorities.


5. What is the lifecycle of Personal Data within the Foundation?

The lifecycle of Personal Data at the Foundation is primarily composed of the following three steps:

Step 1 – Collection of Personal Data

The Foundation collects Personal Data:

  • when a person browses on the website of the Foundation through cookies;
  • when a person donates to the Foundation;
  • when a person communicates with the Foundation, in particular through its website;
  • when a person attends an event organized by the Foundation.

Generally speaking, the data subjects provide the Personal Data to the Foundation. That being said, in certain circumstances, the Foundation may collect Personal Data from third party sources, such as public records or third-party service providers.

Step 2 – processing of Personal Data

The Foundation takes technical and organizational measures against unauthorized access to, or processing of, Personal Data and accidental loss or destruction of Personal Data, in accordance with the Foundation's internal security procedures.

Subject to its regulatory obligations, the Foundation may have to transfer Personal Data to third parties, including third parties based outside of Switzerland, for example (but not limited to) sub-contractors. Where the Foundation transfers Personal Data to third parties, the Foundation does so in accordance with applicable data protection rules and takes appropriate safeguards to ensure the protection of the Personal Data. The conditions applicable to the transfer of Personal Data abroad are described in Section 6 below. 

Step 3 – Retention of Personal Data

The Foundation retains Personal Data for as long as reasonably necessary for the Foundation (i) to fulfill the purposes mentioned above or (ii) until the data subject withdraws his/her consent, provided that the Foundation is not permitted to continue to hold such Personal Data for another reason (e.g., to exercise and/or defend legal claims or for purposes of an investigation). Destruction of Personal Data takes place in accordance with the terms of the Foundation's internal data backup procedures.


6. Are Personal Data transferred outside of Switzerland?

In certain circumstances, the Foundation may transfer Personal Data outside of Switzerland.

In case of international transfers, Personal Data may be transferred to a country whose legislation provides an adequate level of data protection.

In case of transfer to a country where the level of personal data protection has not been recognized as adequate by the competent authority, the Foundation shall rely on a derogation applicable to the specific situation (e.g., express consent of the data subject) or shall implement appropriate safeguards to ensure the protection of the Personal Data (such as standard contractual clauses). To obtain details on the applicable safeguards, the data subject may contact the Foundation at the address provided under Section 9 below.


7. What are the rights of a data subject in connection with his/her Personal Data?

Subject to applicable regulations, the data subject has the following rights:

  • right to access: access and obtain a copy of his/her Personal Data;
  • right to rectification:request the rectification of his/her Personal Data when they are inaccurate or incomplete;
  • right to be forgotten: request the erasure of his/her Personal Data, e.g., when they are no longer necessary for the purposes for which they were collected or processed;
  • right to withdraw consent: withdraw at any time the consent given by the data subject for the processing of his/her Personal Data (subject to Section 5 – Step 3 above);
  • right to object:object on legitimate grounds to the processing of his/her Personal Data;
  • right to restrict processing:request the restriction of the processing of his/her Personal Data;
  • right to information: receive information on the safeguards which the Foundation may have implemented for transferring Personal Data to jurisdictions which do not ensure an adequate level of data protection (if applicable);
  • right to data portability: to the extent permitted by law, request to have his/her Personal Data be returned in electronic format to him/her or, where technically feasible, transferred to another data controller; and
  • right to denounce: file a complaint with the competent supervisory authority for personal data protection, such as the Federal Data Protection and Information Commissioner (FDPIC).

The data subject may also, at any time and without justification, object to the processing, by the Foundation, of his/her Personal Data for marketing purposes.


8. May this Privacy Policy be amended?

The Foundation may need to amend this Privacy Policy. Any changes or new versions of the Privacy Policy will be published on the Foundation's website. We therefore invite you to consult this page regularly to take note of any changes or updates. The date of the latest version of the Privacy Policy is shown at the bottom of the page.


9. To whom can I address my questions concerning this Privacy Policy or, more generally, the processing of Personal Data by the Foundation?

Any question regarding the processing of Personal Data by the Foundation may be sent to info@isrec.ch.

 

Version: May 2021