I. General information
1. Introductory remarks
2. Person responsible for data protection matters
3. EU data protection representative
For natural persons with a simple residence in countries of the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as well as for the country-specific supervisory authorities provided for in the GDPR (DSGVO), we designate the following person as EU data protection representative in accordance with Art. 27 GDPR (DSGVO):
Deputy Secretary of the Board of Trustees
80333 Munich, Germany
Phone: +49 89 / 7805 - 31536
By way of introduction, we would like to clarify the most important terms used below for better understanding. In this respect, we generally adhere to the definitions of terms from the Swiss Data Protection Act.
- Personal data (GDPR: personal data): all information relating to an identified or identifiable natural person
- Data subjects: natural persons about whom personal data is processed;
- Processing: any handling of personal data, regardless of the means and procedures used, in particular the collection, storage, retention, use, modification, disclosure, archiving, erasure or destruction of data.
- Controller: private person or federal body that decides, alone or together with others, on the purpose and means of processing.
- Processor: private person or federal body that processes personal data on behalf of the controller.
5. Legal basis for data processing
We comply with the applicable data protection regulations when processing personal data.
The processing of personal data must not unlawfully violate the personality of the persons concerned. For this reason, such data processing must comply with the processing principles of data protection law and/or must be legitimized by a justification. In particular, we are legitimized to process personal data if the processing…
- is based on a legal basis (Art. 6 para. 1 lit. c GDPR). The processing of personal data may be required or legitimized by law (e.g. statutory retention obligations)
- is necessary for the performance of a contract with the data subject or for pre-contractual measures (Art. 6 para. 1 lit. b GDPR). The main part of the processing of personal data in our foundation takes place in the context of the fulfillment of statutory and contractual obligations (e.g. awarding prizes, realization of funding projects)
- is necessary for the purposes of the legitimate interests pursued by us or by third parties (Art. 6 para. 1 lit. f GDPR)
- A legitimate interest on our part exists in particular if the processing of personal data takes place within the scope of the purposes mentioned in section 8 as well as the disclosure of data in accordance with section 10 and the associated objectives.
- is based on consent (Art. 6 para. 1 lit. a GDPR). If the processing of personal data is based on your consent, we will inform you of this separately and transparently. You can revoke your consent with effect for the future at any time using the functions provided for this purpose or by notifying us in writing (see contact points in sections 2 and 3 above). After receiving your revocation, we will cease the data processing affected by this, unless we can base the processing on another justification.
- is necessary for compliance with domestic and foreign legal provisions.
6. Categories of personal data
Depending on the services you use and the respective relationship between you and us, we process the following categories of personal data in particular:
- Master data: e.g.: Title, surname, first name, address and contact data such as address, telephone numbers, e-mail addresses, company for which you work (incl. contact information and contact person), CVs, language, project numbers, financial information, AHV numbers.
- Contract data: e.g. information regarding the initiation, conclusion, processing, administration and termination of contracts between you and us (in particular in connection with the processing of funding projects and their public publication), information in connection with applications [see also section 17 below], interaction history, financial and payment information, information in connection with the enforcement of claims, bank details.
- Communication data: e.g: Communication content from written, electronic and verbal correspondence, details from surveys and events, information on time, place, type etc. of communication, proof of identity, marginal data.
- Behavioral and transactional data: e.g. in connection with the use of our website, participation in events, competitions and surveys, the use of electronic communication channels.
- Technical data: e.g. IP addresses, device IDs, details of the devices and applications you use and their settings, the internet provider you use, user names, passwords [as hash values], information in connection with 2-factor authentication, log data, time and, if applicable, approximate location in connection with the use of our products and services.
- Marketing and PR data: e.g. information on personal preferences and interests, subscriptions and unsubscriptions to invitation mailing lists and newsletters, content of marketing correspondence).
- Image and sound recordings: e.g. recordings of telephone and video conference calls [only made with prior notice and with your consent], photos (e.g. portraits), recordings in connection with awards and sponsorship events, recordings of essays, conversations, etc.
7. Origin of the data
We may also collect personal data about you ourselves or automatically or derive it from existing data. This includes, in particular, behavioral and transaction data as well as technical data.
Finally, we also collect personal data from third parties insofar as this is permitted by law. Such third parties include, in particular, persons from your environment, business partners, cooperation partners, employers, insurance companies, banks, authorities, official bodies, courts, parties and their legal representatives in the context of legal disputes, etc. We may also collect personal data from public sources (e.g. credit agencies, social media).
8. Purpose of data processing
We process the data collected in order to fulfill our legal, statutory and contractual obligations towards you and third parties. This includes in particular the initiation (including contact requests), administration and processing of contractual relationships regarding the organization of awarding of prizes, workshops, concerts and other events. In addition, the support and announcement/publication of sponsored projects and prize winners.
We also process the data collected in order to ensure communication with you, to provide and improve the services (e.g. funding processes) and information you have requested, to manage your use of and access to our services and information, to maintain our business relationship with you, to carry out advertising and marketing measures (insofar as we are authorized to do so, e.g. by obtaining your consent), to monitor and improve the performance of our services, to enforce legal claims or to defend ourselves against such claims, and to ensure that our services are available to you. to recognize, prevent or clarify illegal activities, to ensure compliance with laws and recommendations of domestic and foreign authorities as well as internal regulations ("compliance") and risk management, to generally guarantee our operations (in particular IT, website, etc.) and to ensure administrative processes (e.g. data archiving, accounting, master data maintenance, quality assurance).
9. Processing duration of personal data
We process your personal data for as long as we are legally obliged to do so (e.g. retention and archiving obligations) or our legitimate business interests require this (e.g. enforcement of or defense against claims, ensuring IT security) or as long as the purpose of collecting your data makes it necessary or the retention is technically required. In the case of contracts, data is generally stored for the duration of the contractual relationship and the statutory retention periods beyond this (usually 10 years).
This may mean that your personal data or extracts thereof must be stored for several years after the end of the contractual relationship between you and us. If your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymized as far as possible.
In certain cases, we may retain your personal data for longer based on your consent.
10. Disclosure of personal data to third parties
Where legally permissible and necessary, we may also disclose certain personal data to third parties as part of our business activities. These third parties process your personal data either on our behalf (processors), in joint responsibility with us or on their own responsibility. These include, among others
- our service providers, such as designers, banks, insurance companies, IT providers, debt collection companies, credit agencies, cleaning companies, advertising service providers, lawyers, external consultants, auditors, direct mailers, etc.
- business partners, cooperation partners, applicants
- domestic and foreign authorities, official bodies and courts
- other parties in the context of administrative and court proceedings
- other third parties who are necessary to achieve the purpose of the respective data processing.
Where necessary, we have concluded corresponding contracts with these third parties. If contract processors are involved, they undertake to comply with data protection and data security regulations. Furthermore, they may only process personal data in accordance with our instructions. They also grant us comprehensive rights of inspection and control as well as rights of access, rectification and erasure.
11. Disclosure of personal data abroad
As a rule, we process and store personal data in Switzerland and in the European Union (EU) or the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and recipients located outside this area or process personal data outside this area, in principle in any country in the world. In particular, you must expect personal data to be disclosed to all countries in which the service providers we use and their subcontractors (in particular the USA) and group companies are located.
By taking appropriate measures, we ensure compliance with the legal requirements. Specifically, there is an adequacy decision by the competent authority. In the absence of such a decision, the transfer of personal data takes place on the basis of suitable guarantees (in particular standard contractual clauses approved by the European Commission and the Federal Data Protection and Information Commissioner [FDPIC]) or there are exceptions for certain situations (contract processing, legal enforcement abroad, etc.) or we obtain your express consent.
12. Data security
To secure your data, we maintain technical and organizational security measures in accordance with the current state of the art.
Communication via our website is encrypted using the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transmission on the Internet always involves security risks. Complete protection of data against access by third parties cannot be guaranteed.
13. Profiling and automated individual decisions
We do not carry out any fully or partially automated data processing with the aim of evaluating certain personal aspects of you (profiling).
We also do not make any decisions that are based exclusively on automated processing and that have legal consequences for you or significantly affect you (automated individual decision).
14. Your rights as a data subject
Insofar as the requirements of the applicable data protection law are met and no statutory exceptions apply, you have the following rights in connection with the processing of your personal data:
- to request information about whether and, if so, which personal data we process about you
- to have incorrect or incomplete personal data corrected
- to erasure or anonymization of your personal data
- to data portability
- to withdraw your consent to the processing of your personal data with effect for the future
- to object to the processing of your personal data (in particular with regard to direct marketing).
Please note that these rights may be restricted or excluded in specific individual cases (e.g. to protect third parties or business secrets).
If you believe that your data has been processed unlawfully, we would be grateful if you could contact us directly. Alternatively, you can lodge a complaint with the supervisory authority responsible for you. The supervisory authority for data protection in Switzerland is the Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (EDÖB). In the EU, the complaint must be submitted to the respective national data protection authority.
II. Supplementary information in connection with selected data processing
16. Data processing in connection with the use of our website
16.1 Hosting and log files
We host our website with a German hosting provider based in Germany. Each time you visit our website, the hosting provider automatically collects and stores the following information (server log files), which your browser transmits:
(1) Information about the browser type and version used
(2) The user's operating system
(3) The user's internet service provider
(4) The IP address of the user
(5) Date and time of access
This data is not stored together with other personal data of the user, nor is it analyzed for marketing purposes. This data is automatically deleted no later than seven days after it is collected.
We process the aforementioned data for the following purposes:
- Ensuring a smooth connection to the website,
- Ensuring convenient use of our website,
- Further development of our offer
- evaluating system security and stability and
- for other administrative purposes and in the event of unlawful use of our website or our services.
We have concluded an order processing contract with the hosting provider.
Within the scope of the GDPR, this data is processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in accordance with the purposes listed above.
16.3 Google tools and tracking
Our website uses Google Maps from Google Inc. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services (hereinafter "Google").
In addition to the following explanations, you will find further information on data protection at Google in the Google data protection declaration: policies.google.com/privacy.
We have concluded a data processing agreement with Google.
Within the scope of the GDPR, this data is processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in an appealing website and in increasing our reach or based on your consent (Art. 6 para. 1 lit. a GDPR). Consent can be revoked at any time with effect for the future.
We use Google Maps on our website to display interactive maps and to create directions. When you access a web page on our website that has integrated Google Maps, your browser establishes a connection with the Google servers. In addition, Google Maps sets cookies (see above under section 16.2). By using Google Maps, various information (e.g. IP address, addresses entered, date and time of the website visit) can be transmitted to Google servers in the USA.
You can find more information about data processing by Google here: policies.google.com/privacy?hl=de. You can also change your personal data protection settings there in the data protection center.
General information about Google Maps can be found at: google.com/intl/de/maps/about/#!/.
We operate a YouTube channel and embed videos from the YouTube platform on our website. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
If you start a YouTube video on our website, a connection is established to the YouTube servers (possibly also in the USA). In this context, YouTube learns which of our pages you have visited. If you are logged into your YouTube account, you also enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, YouTube can store various cookies on your end device after starting a video or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about you. According to YouTube, this serves, among other things, to record video statistics, improve user-friendliness and prevent abusive behavior.
If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no influence.
We have concluded an order processing contract with Google. You can find more information here: youtube.com/t/terms_dataprocessing.
16.5 Online application system
You have the option of submitting applications for funding projects on our website (hereinafter "online application system"). To do so, you must first register on the online application system. You can then enter your application and submit it electronically.
The following personal data is collected when using the online application system:
- Surname, first name of the applicant, the person responsible for press and public relations such as the commercial director , address of the institution, country
- Contact details of the above-mentioned persons such as telephone number, mobile number, e-mail
- Surname, first name of project participants
- Bank details of the respective institution
- Documents and information submitted by you (e.g. budget plan, CVs, project information)
- Confirmation of receipt (will be sent automatically after submission of the application)
Please also note the applicable funding conditions.
The processing of the above-mentioned personal data is necessary in order to be able to receive and process the funding application, which also includes an assessment of the entitlement to funding. Applications that have not been sent will be deleted from the system after the respective deadline (March 1st or September 15th of each year).
Within the scope of application of the GDPR, this data is processed for the purpose of fulfilling pre-contractual measures or a contract with you (Art. 6 para. 1 lit. b GDPR) or on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in accordance with the purposes explained above.
16.6 Press login
Press representatives have the option of creating a press login. This login gives press representatives access to our press information.
The following personal data is collected when using the press login
- E-mail address
The processing of the above-mentioned personal data is necessary to ensure that only press representatives have access to the press releases.
Within the scope of application of the GDPR, this data is processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in accordance with the purposes explained above.
16.7 Links to other websites
Our website contains hyperlinks to third-party websites that are not operated or controlled by us. We are not responsible for their content or data protection practices. Visiting and using third-party websites is at your own risk.
17. Processing of personal data of applicants
We accept applications by e-mail. If necessary, we also work together with other external partners (e.g. job portals and recruitment agencies). Please also note the data protection notices of these partners.
We treat your data as strictly confidential. Your personal data will only be passed on within our foundation to persons who are entrusted with processing your application.
We process the personal data sent to us as part of your application and the personal data collected during the application process, insofar as this is necessary for the decision on the conclusion and execution of an employment contract. This includes
- Master data (surname, first name, address, contact details, date of birth, marital status, etc.)
- Information about your educational, professional and personal qualifications
- Information that we have collected as part of the application process (e.g. as part of assessments)
- Other information that you have provided to us in connection with your application.
We process your personal data in this regard for as long as this is necessary for the decision on your application. They will be deleted a maximum of six months after the end of the application process, unless longer storage is legally required or permitted or you have not consented to longer storage.
If an employment relationship is established following the application process, your application documents will be transferred to your personnel file.
18. Processing of personal data in the context of interaction with our social media channels
18.1 General information
We maintain the publicly accessible profiles in social networks listed below. For this purpose, we can provide linked graphics to the respective networks on our website. By clicking on a corresponding graphic, you will be redirected to the selected social network. After forwarding, the network collects and processes your information in the following context.
When you visit our profiles on the social networks, personal data about you may be collected. For example, if you are logged into your social network accounts and visit our profile at the same time, the portal operator may be able to assign this visit to your user account. However, even if you have logged out of your account or if you do not have an account with the respective portal, your personal data may be collected. Such data can be collected, for example, by setting cookies. Based on the data collected in this way, the portal operators can create user profiles and show you interest-based advertising. Further information on this can be found in the respective data protection declarations of the portal operators.
The purpose and scope of the data collection and the further processing and use of the data by the respective social network as well as your rights in this regard and setting options to protect your privacy can be found in the relevant data protection regulations of the respective social network.
Within the scope of the GDPR, social networks are used in the interest of an appealing presentation of our online offers, to increase our reach and to promote our services. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR. Consent can be withdrawn at any time with effect for the future.
We use selected tools from Facebook (e.g. Facebook fan page, Meta Business Suite). The provider of these tools is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.
With the help of these tools, we want to optimize the customer experience by displaying our services only to those people who are interested in them (e.g. potential applicants) or who are geographically close to the respective event and could have a fundamental interest in it. For this purpose, Facebook collects certain information about visitors to our website and social media platforms. Based on this, we receive analyses regarding the way in which our website, services and products are used.
You can object to receiving advertising tailored to you via this link: facebook.com/settings?tab=ads.
If you have a Facebook user account, you can interact with us via Facebook. As part of this interaction, we process the personal data you provide.
Facebook and we are considered jointly responsible for certain data processing (e.g. Facebook fan page, Page Insights, etc.). Where necessary, we have therefore entered into appropriate agreements with Facebook to regulate the rights and obligations of both parties as joint controllers (see facebook.com/legal/terms/page_controller_addendum).
Further information on data protection on Facebook can be found here: facebook.com/policy.php.
We use functions of the Instagram service. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.
If you have a user account with Instagram, you can interact with us via Instagram. As part of this interaction, we process the personal data you provide.
Further information on data protection at Instagram can be found here: instagram.com/about/legal/privacy/.