PERSONAL DATA PROTECTION POLICY
This Personal Data Protection Policy (hereinafter referred to as the “Data Protection Policy”) was developed by Maître Pascal ALIX, of the law firm VIRTUALEGIS AARPI. This document aims to inform you of the context and methods of processing your personal data, specifically in relation to the management of Member and prospective Member files as well as in the actions relating to the operation of the Platform, which is accessible at https://ConnectAID.com (hereinafter known as “the Platform”).
1. THE DATA CONTROLLER
ConnectAID is a Swiss association. ConnectAID is, in this Data Protection Policy, considered as the controller of the data processing within the meaning of EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (RGPD in French, hereinafter called “GDPR”). You can read all legal information about ConnectAID on the Legal Mentions.
2. CATEGORIES OF DATA COLLECTED AND METHODS OF COLLECTION
2.1. The Data We Collect Directly from You
ConnectAID collects a variety of information about you when you first contact us. This information is collected in particular by means of forms you fill in when creating a profile on the Platform.
The data collected directly from you is as follows:
- Identification data (first name, surname, title, date of birth, country of residence, etc.);
- Contact data (postal address, email address, etc.);
- Identifying data (login credentials, such as a username and password);
- Any other information you wish to bring to our attention (optional information).
2.2. The Data We Collect When You Participate in the Platform’s Activity
We also collect other data on the occasion of one-off donations, monthly donation commitments or as part of your participation in the Platform’s activities. The type of data we collect is outlined below:
– Information on the history of your donations (dates of donations, amounts, projects funded, etc.);
– Your participation in events proposed via the Platform;
– The requests you have made to our services regarding the Platform’s functioning, donations or different projects;
– Your preferences regarding the projects published on the Platform.
The categories of cookies and other tracers (tags, pixels, etc.) that are integrated in your browser when using the Platform are defined more precisely in ConnectAID’s Cookie management notice.
2.3 Data supplied by others
Besides information supplied by you, we also receive information regarding you from other persons. This includes other social media, as it is possible to use other social media login information (for example Facebook login details or Google account number) to create a Member account or log in to the Platform’s Services. By choosing to do so, you do not have to memorize an additional user name and password.
3. PERSONAL DATA RELATING TO MINORS
The services offered by the Platform are aimed at adults who are capable of entering into contracts under the applicable national legislation. Pursuant to Article 8.1 of the GDPR, a minor may consent alone to the processing of personal data for the direct provision of information on society services from 16 years of age. A minor may consent to the processing of personal data through use of the Platform at a lower age if national legislation so permits (i.e. 15 years of age, as specified under French law). Where the minor is under the age required by national law, processing is only lawful if consent is given jointly by said minor and their respective parental guardians.
Processing operations relating to donations shall be subject to the Donor’s confirmation that he/she is an individual who has reached the age of online consent for data processing, subject to the legislation of their country of residence.
4. LEGAL BASES FOR PROCESSING PERSONAL DATA
The main purposes for which the data referred to in Article 2 is processed include the following:
4.1 Legitimate Interests
Processing data is necessary for the provision of services, including the following:
- To benefit from the functionalities reserved for registered members;
- To review and execute your donation;
- To receive newsletters and/or email alerts;
- When using Member Services to ask a question or make a complaint;
- To send information on the modification or evolution of the Platform’s services;
- When dealing with the management of your subject access rights.
4.2 Processing Required for Marketing and Prospective Operations
- Personalized loyalty (scheme/cards) or personalized commercial actions;
- Implementation of promotional activities;
- Development of statistics.
4.3. Processing Required for The Establishment and Implementation of Partnerships
– Sharing, exchange or rental of files with Partners in compliance with the regulations in force and all relevant security requirements;
– Sending marketing, advertising and promotional messages relating to Partner services by post, email, on social networks or any other communication medium;
– Setting up promotional or event operations with Partners.
5. DATA RETENTION PERIODS
ConnectAID stores your personal data for the duration of the contractual relationship between yourself and ConnectAID. When the contract is terminated, your personal data will be irreversibly deleted or anonymized, with the exception of certain data that may need to be kept, particularly to be able to defend or exercise legal rights, if necessary.
ConnectAID will only keep your personal data for as long as necessary for the purposes of processing, for the fulfilment of its legal obligations or in order to be able to defend legal claims:
Categories of Data
Personal Data File
Creation and management of the prospect file.
For the duration of 3 years from the exercise of the right of opposition or from the time of the last contact with the User.
Data from Non-Donor Members’ file
Contact data and identification data.
Management of the file of non-donor Members.
For the duration of the contractual relationship and then 3 years from the last contact with the former Member.
Data from Donor Members’ file
Contact data and identification data.
Management of the Donor Members file.
For the duration of the contractual relationship as well as 3 years after the last donation was made, or the last contact with the former Member occurred.
Data Relating to the Management of Members’ Accounts
All data (identification data, data relating to acceptance of the general terms and conditions, etc.).
Probationary function (defending rights in court)
For the duration of the contractual relationship and then 5 years from the last contact with the former Member.
Data Generated by Cookies
Data related to your browsing of online services.
Operation and optimization of services.
Personalization of content and advertising.
A maximum period of 13 months.
Data Processed Under Anti-Money Laundering and Anti-Terrorist Financing Obligations
Identification data, donation related data, etc.
Combating money laundering and the financing of terrorism.
For the duration of 5 years.
Data Processed in Connection with the Exercise of Rights
Identification data, application and processing data.
Exercise of rights.
1 year for the copy of identity document(s) and 3 years for other documents and data.
6. RECIPIENTS OF THE COLLECTED DATA
6.1. Transmission to ConnectAID’s Enabled Services
Collaborators in services relating to Members, Administration, Accounting, IT, Marketing and Sales departments may have access to the data they need to perform their contractual duties. Access to said data gives rise to individual and limited forms of access authorisations.
6.2. Transmission to the Competent Authorities
ConnectAID may be required to transmit personal data to competent authorities, such as public authorities and administrative authorities, or anti-money laundering and anti-terrorist financing bodies and more generally in all situations where it is required by law, regulation or an administrative or judicial decision.
6.3. Transmission of Data to ConnectAID’s Subcontractors
In order to provide the service requested, ConnectAID uses subcontractors within the meaning of the GDPR (including but not limited to information system hosting, facilities management, maintenance, email management, etc.). Subcontractors employed/recruited by ConnectAID to carry out the task of processing collected data do so only on ConnectAID’s instruction. In the absence of the explicit and freely given consent of the Registered Members, the subcontractors cannot re-use personal data for other purposes.
In application of Article 28 of the GDPR, ConnectAID requires all subcontractors to respect the obligations of security and confidentiality, and to implement appropriate technical and organizational measures to ensure the protection of your rights.
Below is a list of the categories of professionals potentially involved in the processing of your data:
– Payment service providers
– Data hosting providers.
6.4. Data Transmission to the nonprofit partner organisation and their PSP
The management of payments made through the Platform accessible at https://ConnectAID.com is carried out by the Payment Service Providers (PSPs) selected by each nonprofit partner. This service is implemented in accordance with the PSPs’ platforms’ General Terms and Conditions and in particular their “Financial Services Terms” (for example: https://stripe.com/fr/legal#section_a).
6.5. Transmission to Other Partners
We may share some of your personal information with our partners, such as organizations receiving your donations or other partners who may offer you the opportunity to participate in projects that are compatible with ConnectAID’s projects or, where appropriate, other related services.
7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
Your personal data is mainly processed within the European Economic Area (EEA), without being exported to third-party countries. However, it is possible that data collected as part of the services we provide may be transferred from time to time to subcontractors or Partners located in third-party countries with, in certain circumstances, less protective personal data protection legislation than that of the EEA. In the event of transfer to a third-party country, the processing is carried out in accordance with this Data Protection Policy and is based on one of the instruments provided for in Articles 45 of the GDPR, so that the level of protection guaranteed by the GDPR is not compromised.
8. SECURITY OF YOUR DATA
As the primary data controller, ConnectAID implements appropriate technical and organizational measures to ensure an appropriate level of security is applied to support the rights and freedoms of individuals and in particular:
- The establishment and implementation of a security policy for information systems, covering both automated and non-automated data processing, based on the recommendations of the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) and the National Commission for Information Technology and Civil Liberties (CNIL);
- Security monitoring by a department dedicated to information system security;
- The analysis of risks by identifying processing operations, assessing the likelihood and seriousness of impacts (illegitimate access to data, unwanted modification and disappearance of data, etc.), assessing sources of risk and identifying existing or planned measures to limit them;
- The establishment of an Information Technology Charter that is binding on employees;
- The management of authorizations and access rights, with real-time monitoring of Members joining or leaving the Platform;
- The securing of networks and workstations;
- Raising employee awareness of information system security;
- A high degree of reflection when selecting subcontractors and partners, to be done in accordance with Article 28 of the GDPR.
9. RIGHTS OF THE PERSONS CONCERNED
9.1. Right of Access
You have the right to obtain confirmation as to whether or not your personal data is being processed and, when it is, to access said personal data, as well as various information on the specific processing operations carried out, pursuant to Article 15 of the GDPR.
9.2. Right of Rectification
You also have the right to obtain the correction of your personal data when said data is found to be inaccurate.
9.3. Right of Deletion
You also have the right to obtain the deletion of your personal data when:
- It is no longer necessary for the purposes for which they were collected;
- You object to the processing under section 21 of the GDPR;
- You are able to demonstrate that your personal data is being processed unlawfully;
- The data collected via the Platform concerns a minor.
9.4. Right to Limit Processing
You can get the controller to restrict the processing, for example by suspending it, when:
- A dispute arises as to the accuracy of the data being processed;
- A dispute arises as to the lawfulness of the processing;
- The processing is no longer necessary for the controller, but the data is still necessary for the establishment, exercise or defence of legal claims;
- You have objected to the treatment under Article 21(1) of the GDPR, but there is a dispute as to whether the legitimate grounds pursued by ConnectAID prevail over yours.
9.5. Right to Data Portability
Where the processing of your data is based on consent, on the preparation or performance of a contract, or is carried out using automated processes, you have the right to receive the data you have provided to ConnectAID, in a structured, commonly used, machine-readable format, and to pass this data on to another data controller.
9.6. Right of Opposition
You also have, under the conditions defined in Article 21 of the GDPR:
- The right to obtain confirmation that we no longer process your personal data in certain cases (Article 21.1. of the GDPR), for reasons relating to your particular situation;
- The right to object to prospection (as outlined in Article 21.2. of the GDPR).
9.7. Right to Withdraw Consent
You have the right to withdraw your consent for the processing of your data at any time wherein the collection of data is based on such consent, without prejudice to the lawfulness of the processing carried out prior to such withdrawal.
9.8. Guidelines for the Storage, Deletion and Disclosure of Your Personal Data After Your Death
Finally, you have the right to define, modify and revoke at any time Guidelines for the storage, deletion and communication of your personal data in the event of your death. These Guidelines may be general or specific.
ConnectAID can only be the custodian of the special directives concerning the data that we process. The general Guidelines may be collected and stored by a trusted digital third party certified by the Commission Nationale de l’Informatique et des Libertés (CNIL). You also have the right to designate a third party to whom data concerning you may be communicated after your death. In this case you are to inform said third party of your decision and that data enabling him/her to be unambiguously identified will be transmitted to us in the case of data transmission; you are also to communicate this Data Protection Policy to him/her.
9.9. Exercise of Rights
When you exercise your rights, we process your personal identification data as well as the data relating to your request for the purpose of managing your request. This data is kept for a period of three (3) years, with the exception of a copy of your identity document, which is kept for a maximum period of one (1) year.
You may exercise your rights by sending us a request specifying the right or rights you wish to exercise. This can be achieved by contacting us:
– Through the following email address: firstname.lastname@example.org, or
– At the following postal address: ConnectAID, Cité de la Solidarité Internationale, 13 avenue Emile Zola, Eco Quartier Étoile Annemasse – Geneva, 74100 Annemasse, France
If there is reasonable doubt as to the identity of the person making the request to ConnectAID, we may ask you for additional information and/or documents to verify your identity, including a copy of your ID.
You also have the right to lodge a complaint with the competent control authority.
10. CHANGES TO THE DATA PROTECTION POLICY
The original version of the Data Protection Policy in French language will prevail over any other version in another language.