The purpose of this privacy statement is to explain to you what information Save the Children collects during your visit to this website and how this information will be used. Personal data is considered to be all data that refers to an identified or identifiable person. This includes, for example, your name, address, date of birth, email address and your user behaviour (hereinafter “data”).
Save the Children
+41 44 267 74 70
2. Data processing by the savethechildren.ch website
2.1. Visiting our website
Our server temporarily records every visit to our website in a log file. Until the log file is automatically deleted, it records, among other things, the IP address from which you visited our site, the date and time of your visit, the name and URL of the file you viewed, the website from which you came (referrer URL), your computer’s operating system, the type and version of your browser as well as the country from which you visited our website.
These data are generally collected and processed in anonymised form and without personal reference for the purpose of enabling you to visit our website (connection establishment), ensuring sustained security and stability of the system and optimising our online service as well as for internal statistical purposes. The above-mentioned information is neither linked nor stored together with personal data.
It is only in the event of an attack on our network’s infrastructure or if we suspect any other prohibited or improper use of our website that a users’ IP addresses may be analysed for intelligence and defence purposes and, if necessary, used in criminal proceedings for identification as well as for civil and criminal actions against the users in question.
Our legitimate interest lies in the above-mentioned purposes according to Art. 6 Para. 1 lit. f) GDPR.
If you contact us (e.g. via the contact form, email or social media), your user data are used to process your contact request according to Art. 6 Para. 1 lit. b) (contractual or precontractual relationships) and Art. 6 Para. 1 lit. f) (other requests) GDPR. User data may be stored in a customer relationship management system (CRM system) or a comparable request management system. We delete all requests once they have ceased to be required. We check whether requests are still required every other year. Furthermore, the statutory storage obligations apply.
2.3. Donations and sponsorships
You can make donations to various projects or become a sponsor directly on our website. We collect data to process your request.
We use these data to process your donation or the sponsorship you have chosen. Our legal basis for this is the performance of a contract you wished to enter or the provision of a service you requested according to Art. 6 Para. 1 lit. b) GDPR.
2.4. Buying from our shop
You can buy products online in the online shop on our website. We collect data to process your request. So that we may process your orders in our online shop and/or provide the services you have requested, we collect, store and process the following additional data:
• Information on the products you ordered
• Information on the services you ordered
• Data on your ordering, shopping and payment behaviour
Unless otherwise stated in this privacy statement, or unless you have given your separate consent, we will only use the above-mentioned data to process the contract, that is, to deliver the services you requested, to process and deliver your orders and to ensure correct payment. Our legal basis for this is the performance of a contract you wished to enter and/or the provision of a service you requested, according to Art. 6 Para. 1 lit. b) GDPR.
If you do not wish to have cookies stored on your device, you can deactivate the corresponding setting options in your browser’s system settings. Stored cookies can also be deleted in your browser’s system settings. If you prevent or restrict the installation of cookies, not all of the functions on our site may be fully usable.
2.6.1. Newsletter dispatch
The information below refers to the content of our newsletter, the procedures for subscription, dispatch and statistical analysis as well as your right to object. By subscribing to our newsletter, you agree to receiving the newsletter and to the procedure described below. We dispatch newsletters, emails and other electronic messages containing advertisement information (hereinafter “newsletter”) only with your explicit consent or with legal permission. If the content of the newsletter is explicitly described in the subscription process, it is relevant for your consent. Furthermore, our newsletters contain information about our services and about us. Subscribing to our newsletter requires a so-called double opt-in procedure. This means that upon subscription, you will receive an email in which you are asked to confirm your subscription. This confirmation is necessary to avoid people subscribing with other people’s email addresses. Subscriptions to our newsletter are logged so that we can prove that the subscription process was carried out according to the legal provisions. This includes storage of the subscription and confirmation emails as well as your IP address. Furthermore, changes to your data stored with the shipping provider are logged. To subscribe to our newsletter, you only need to provide your email address. You also have the option to provide a name so that we can address you personally in our newsletter. Dispatch of our newsletter and the corresponding performance measurement are executed on the basis of your consent according to Art. 6 Para. 1 lit. a) and Art. 7 GDPR. The subscription procedure is logged on the basis of our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR. Our interest is focused on employing a user-friendly and secure newsletter system which serves our business interest whilst also complying with your expectations and allowing us to prove your consent. You can unsubscribe from our newsletter, that is, revoke your consent, at any time. There is a link for unsubscribing from the newsletter at the end of every newsletter. On the basis of our legitimate interest, we may store unsubscribed email addresses for up to three years before deleting them, in order to be able to prove a formerly given consent. Processing of these data is restricted to potential defence against claims. It is possible to make an individual deletion request if you confirm that consent had previously been given.
2.6.2 Newsletter dispatch provider
The newsletter is sent with the help of email marketing provider Inxmail via Getunik Ag, Hardturmstrasse 101, 8005 Zurich. You can find the provider’s data protection regulations here: https://www.inxmail.de/datenschutz. The email marketing provider is employed on the basis of our legitimate interest according to. Art. 6 Para. 1 lit. f) GDPR and a processing contract according to Art. 28 Para. 3 (1) GDPR. The email marketing provider may use your data in pseudonymised form, i.e. without allocation to a user, in order to optimise or improve its own service, e.g. for technical improvements to the dispatch process and the newsletter’s display or for statistical purposes. The email marketing provider does not, however, use the data of our newsletter recipients to contact them itself or to pass the data on to third parties.
2.6.3 Newsletter performance measurement
Our newsletters contain a so-called web beacon, which is a file the size of one pixel that is retrieved by our server, or by our email marketing provider’s server if we use an email marketing provider, once you open the newsletter. By retrieving this file, technical information is obtained, such as information on your browser and system as well as your IP address and the time you opened the newsletter. This information is used for technical improvement of the services, that is, for adjusting the services to the technical data or to the target groups and their reading behaviour in terms of the place of access (which can be retrieved with the help of the IP address) or the time at which the newsletter is accessed. The statistical surveys also include determining whether the newsletter is opened at all, at what time it is opened, and which links are accessed. This information can be attributed to the individual newsletter recipients for technical reasons. However, neither we nor our email marketing provider, if employed, intend to monitor individual users. These analyses solely help us to identify our users’ reading habits and to adjust our content accordingly or to distribute different content according to their interests. It is, unfortunately, not possible to revoke the performance measurement separately; you can only revoke performance measurement if you cancel your entire newsletter subscription.
2.7 Hosting and email dispatch: Getunik / RaiseNow
The hosting services we use provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services as well as technical maintenance services, which we use to operate this online service. We and/or our hosting service provider process inventory data, contact data, content data, contractual data, usage data, meta and communication data of clients, interested parties and visitors to this online service on the basis of our legitimate interest in efficient and safe provision of this online service, according to Art. 6 Para 1 lit. f) GDPR, in conjunction with Art. 28 GDPR (conclusion of processing contract).
2.8 Collection of access data and log files
On the basis of our legitimate interest according to Art. 6 Para.1 lit. f) GDPR, we and/or our hosting service provider collect data on every access to the server on which this service is hosted (so-called server log files). The access data include the name of the accessed website, the file, the date and time at which you accessed the site, the data volume transmitted, a notification about successful access, the type and version of your browser, your computer’s operating system, the referrer URL (the website from which you came), your IP address and the provider from which you visited our site. Log file information is stored for a maximum of 7 days for security reasons (e.g. to investigate misuse or fraud) and is deleted afterwards. Data which need to be stored for a longer period of time for evidence purposes are exempt from deletion until the incident has been conclusively clarified.
2.9 Integration of third-party services and contents
On the basis of our legitimate interest (i.e. interest in the analysis, optimisation and economical operation of our online service according to Art. 6 Para. 1 lit. f) GDPR), we access third-party content or service offers within our online service to integrate their content and services, e.g. videos or fonts (hereinafter collectively referred to as “content”). This requires that the third-party providers of such content read your IP address, since they cannot send content to your browser without the IP address. Your IP address is thus required to display such content. We endeavour only to use content of providers which use your IP address merely to deliver said content. Third-party providers may also use so-called pixel tags (invisible graphics, also called web beacons) for statistical or marketing purposes. By using pixel tags, the providers can analyse information such as visitor traffic on the pages of this website. This pseudonymised information may also be recorded in cookies on your device and may contain, inter alia, technical information on your browser and operating system, referring websites, time of access as well as further information on your use of our online service, and may also be linked to information of this sort from other sources.
2.9.1 Google Tag Manager
Google Tag Manager is a solution which provides us with an interface to manage so-called website tags (and thus to integrate, for instance, Google Analytics and other Google marketing services in our online service). The Tag Manager itself (which implements the tags) does not process any personal data of the users. With regard to processing personal data, we refer to the following information about services by Google. Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.
2.9.2 Google Analytics
2.9.3 Google Universal Analytics
We use Google Analytics in the Universal Analytics version. Universal Analytics is a version of Google Analytics which conducts user analysis on the basis of pseudonymised user IDs and thus creates a pseudonymised user profile with information from your use of different devices (so-called cross-device tracking).
2.9.4 Audience targeting with Google Analytics
We use Google Analytics to display the ads we place through web services provided by Google and its partners only to those users who have shown interest in our online services or whose profiles have certain characteristics (e.g. interest in certain topics or products, which is deduced from the websites they visited), which we transmit to Google (so-called Remarketing Audiences or Google Analytics Audiences). With the help of Remarketing Audiences, we would also like to ensure that our ads correspond to your potential interests.
2.9.5 Google Ads and Conversion Tracking
2.9.6 Facebook Pixel, Custom Audiences and Facebook Conversion
Based on our legitimate interest in and for the purpose of analysis, optimisation and economical operation of our online service, we employ within our online service the so-called Facebook pixel of the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”). Facebook is certified under the Privacy Shield Framework and thus guarantees compliance with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). With the help of the Facebook pixel, Facebook can add the visitors of our online service to certain target groups for ad display (so-called Facebook Ads). Accordingly, we use the Facebook pixel to display our Facebook ads only to those Facebook users who have shown interest in our online service or whose profiles have certain characteristics (e.g. interest in certain topics or products, as deduced from the websites they visited), which we transmit to Facebook (so-called Custom Audiences). With the help of the Facebook pixel, we would also like to ensure that our Facebook ads correspond to your potential interests and do not annoy you. The Facebook pixel furthermore helps us to trace the effect of Facebook ads for statistical and market analysis purposes by telling us whether you were referred to our website after clicking on a Facebook ad (so-called Conversion). Data processing by Facebook is based on Facebook’s data policy. You can find the corresponding general information about the display of Facebook ads in Facebook’s data policy: https://www.facebook.com/policy.php. Detailed information on the Facebook pixel and its function is available in Facebook’s help section: https://www.facebook.com/business/help/651294705016616. You can refuse data collection by the Facebook pixel and use of your data for the display of Facebook ads. To set your preferences regarding the types of ads displayed within Facebook, you can go to the Facebook settings site and follow the instructions on setting your preferences for usage-based ads: https://www.facebook.com/settings?tab=ads. These preferences are set independently of the platform used, i.e. they are adopted for all your devices such as desktop computers and mobile devices.
2.9.8 Facebook social plugins
3. Business-related data processing outside our website
In addition, we process:
– Contractual data (e.g. contractual object, term, client category),
– payment data (e.g. bank details, payment history)
of our clients, interested parties and business partners, for the purpose of performing contractual services, service and customer care, marketing, advertising and market analysis.
3.1 External payment service providers
American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html).
We employ the payment service providers on the basis of Art. 6 Para. 1 lit. b) GDPR as part of the performance of contracts. We furthermore use external payment service providers based on our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR to offer our users effective and secure payment options.
The data processed by the payment service providers include inventory data, e.g. your name and address, bank data, e.g. your account number or credit card number, passwords, TANs and verifications codes, as well as information relating to the contract, amount and recipient. This information is required to carry out the transactions. The data you enter are, however, processed and recorded only by the payment service provider. This means that we do not receive any information relating to your bank account or credit card; we only receive a confirmation or disconfirmation of your payment. It is possible that your data are transmitted to credit agencies by the payment service provider. This is done for identity and credit checking purposes. For more information on this procedure, we refer you to the terms and conditions of the respective payment service provider. The payment transactions are subject to the respective payment service provider’s terms and conditions available on the corresponding websites or transaction applications. We also refer you to said terms and conditions for further information and for asserting your right of revocation, right to information and other data subject rights.
3.2 Administration, accounting, office organisation, contact management
Accounting and compliance with statutory duties such as archiving. Here we process the same data as for the performance of our contractual duties. Data processing is based on Art. 6 Para. 1 lit. c) and Art. 6 Para. 1 lit. f) GDPR. Data processing relates to our clients, interested parties, business partners and visitors to our website. The purpose of and interest in processing these data lie in administration, accounting, office organisation, data storage, i.e. processes that contribute to maintaining our business activities, performing our duties and providing our services. We delete the data relating to contractual services and contractual communication as per the information given for these processing activities. We disclose or transmit data to fiscal authorities, consultants such as accountants or auditors as well as further payment authorities and payment service providers. We furthermore store information on suppliers, event organisers and other business partners on the basis of business interests, for example, in order to contact them later on. We generally store these predominantly company-related data on a permanent basis.
3.3 Business and market analyses
In order to operate our business economically and to comprehend market tendencies as well as our contractual partners’ and users’ wishes, we analyse the data available to us relating to business transactions, contracts, inquiries etc. We process inventory data, communication data, contractual data, payment data, usage data and meta data for this, on the basis of Art. 6 Para. 1 lit. f) GDPR; the persons affected include contractual partners, interested parties, clients, visitors and users of our online service. The purpose of these analyses is business assessment, marketing and market analysis. We can use recorded user profiles for this, extracting information on the services obtained, for instance. These analyses help us to improve the user-friendliness of our service, and to optimise our service and its economic efficiency. These analyses are only used by us and are not disclosed to third parties unless the analyses are anonymous and merely contain condensed values. If these analyses or profiles are person-related, they are deleted or anonymised upon the user’s cancellation or else two years after conclusion of the contract. In general, overall business assessments and analyses of general trends are carried out on an anonymous basis if possible.
3.4 Performance of our statutory and commercial services
We process the data of our members, supporters, interested parties, clients or other persons according to Art. 6 Para. 1 lit. b) GDPR if we offer contractual services to these persons or if we take action within established business relationships, e.g. towards members, or if we receive services and contributions ourselves. Furthermore, we process data subjects’ data according to Art. 6 Para 1. lit f) GDPR on the basis of our legitimate interest, for example, where administrative work or public relations are concerned. The data processed in this way as well as their nature, scope, purpose and the necessity to process said data depend on the underlying contractual relationship. This generally includes inventory and master data of the persons concerned (e.g. name, address, etc.), contact details (e.g. email address, phone number etc.), contractual data (e.g. services obtained, content and information communicated, names of contact persons) and payment data (e.g. bank details, payment history etc.) where we offer paid services or products. We delete data that are no longer required for the performance of our statutory and commercial services. This is determined by the corresponding process as well as by the contractual relationship. In the case of commercial processing, we keep the data as long as they may be relevant for business processing and in view of potential guarantee or liability obligations. The necessity to store these data is checked every three years; otherwise, the statutory storage obligations apply.
4. Online presence in social media
5. Collaboration with processors and third parties
If we disclose or transmit your data to third persons and companies (processors or third parties) within our processing procedures or grant them access to your data otherwise, this is carried out solely on the basis of legal authorisation (e.g. if the transfer of data to third parties such as payment service providers is necessary for the performance of a contract according to Art. 6 Para. 1 lit b) GDPR), if you have given your consent, if a legal provision stipulates this, or on the basis of our legitimate interest (e.g. if we employ representatives, web hosts etc.). If we contract third parties to process data based on a so-called processing contract, this is based on Art. 28 GDPR.
5.1 Third-party cookies and integration of tracking: Capture Media AG Tracking
5.1.1 Tracking with fusedeck
6. Transfer to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs due to our employment of third-party services or disclosure and/or transmission of data to third parties, this only happens if it is carried out for the performance of our (pre)contractual obligations, based on your consent, due to a legal requirement or based on our legitimate interest. Subject to legal or contractual permissions, we only process data, or have them processed, in third countries if special conditions according to Art. 44 et seq. GDPR apply. This means that the data are processed, for example, on the basis of special guarantees such as the officially recognised establishment of an EU-appropriate level of data protection (e.g. for the USA by the Privacy Shield) or considering officially recognised special contractual obligations (so-called standard contractual clauses).
7. Security measures
In accordance with Art. 32 GDPR and taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing as well as the risks of varying likelihoods and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to provide a level of protection that is appropriate for the risk. These measures include, in particular, safeguarding confidentiality, integrity and availability of data by controlling physical access to the data as well as controlling access, input, and transfer of said data, securing data availability, and the separation of data. Moreover, we have established procedures to guarantee that data subjects can exercise their rights, that data are deleted and that we can react if data are at risk. We furthermore consider the protection of personal data already when developing or choosing hardware, software and procedures, according to the principle of data protection by technical design and by privacy-friendly default settings (Art. 25 GDPR).
8. Deletion of data
The data we process are deleted or their processing is limited in accordance with Art. 17 and Art. 18 GDPR. Unless explicitly stated otherwise in this data protection policy, we delete the data recorded once they cease to be required for their intended purpose and if no statutory storage obligations apply which contradict their deletion. If the data are not deleted because they are required for other, legally permissible purposes, their processing is restricted. This means that the data are locked and are not processed for other purposes. This applies, for instance, to data which need to be stored for commercial or fiscal reasons.
9. Rights of the data subjects
You have the right to obtain confirmation as to whether your personal data are being processed and to obtain information on these data as well as further information and a copy of the data according to Art. 15 GDPR. According to Art. 16 GDPR, you have the right to demand completion of incomplete personal data or rectification of inaccurate personal data. In accordance with Art. 17 GDPR, you have the right to obtain immediate erasure of your personal data, or alternatively, in accordance with Art. 18 GDPR, to obtain restriction of processing. You have the right to receive your personal data which you have made available to us according to Art. 20 GDPR and to demand transmission of these data to other controllers. You furthermore have the right to lodge a complaint with a supervising authority according to Art. 77 GDPR.
9.1 Withdrawal of consent
You have the right to withdraw your given consent according to Art. 7 Para. 3 GDPR, taking effect for future processing.
9.2 Right to object
You can object future processing of your personal data at any time, according to Art. 21 GDPR. In particular, you have the right to object to processing for direct marketing purposes.
Last update: December 2019