The FOUNDATION in Support of WHO Data Protection Policy [1]


This Data Protection Policy (hereinafter referred to as the “Policy”) describes how the Foundation in support of WHO (hereinafter referred to as the “Foundation”) as data controller, collects, manages, uses and protects Personal Data received in compliance with applicable privacy laws and regulations, including the EU General Data Protection Regulation and the Swiss Federal Act on Data Protection and its ordinance. The regulations cover all aspects of Personal Data and the obligations on the Foundation to clearly identify what Personal Data the Foundation has, where it is obtained, why the Foundation has it, how the Foundation may use it, how Personal Data is stored and with whom it may be shared and under what circumstances.

Personal Data Types

In essence, “Personal Data” is any information relating to an identifiable individual or from which an individual can be identified. The Foundation collects Personal Data that is limited to the kind of information that is necessary as part of the Foundation activities such as for example but not exclusively, name, gender, date and place of birth, nationality, postal address, email address, phone number, relevant charitable foundation or private office contact details, source of fortune, main company ownership and affiliation, professional information, wealth information, philanthropy information, reason for selection, current directorships, current trusteeships.

Sources of Personal Data

The Foundation processes Personal Data that is voluntarily or upon request provided to the Foundation in the course of a recruitment process, employment, donations, an agreement for the performance of work or any other contract.In some instances, the Personal Data will be supplemented by information retrieved from public sources, such as online media and certain Personal Data may be automatically recorded, notably through the use of Cookies, for system administration, statistical, storage and security reasons, when an individual visits the Foundation’s website or a website hosted by the Foundation, without opting-out.

Personal Data of Third Parties

If you provide Personal Data to the Foundation about someone else, you must ensure that you are entitled to disclose that Personal Data to the Foundation and that the Foundation can legally process such Personal Data without having to take any further steps.

Purpose of the Processing of Personal Data

The Foundation processes Personal Data in the conduct of its activities as a foundation as described in its Statutes and for the achievement of its statutory purpose.

Safeguards of Personal Data

Personal Data is stored on a Foundation server in Switzerland. Personal Data held by the Foundation is kept on hard copy files and in password protected electronic files and record systems. Access at the Foundation is restricted to a “need-to-know” basis and for the above mentioned purposes exclusively. The concerned Foundation’s staff have been made aware of the importance of Personal Data and the Foundation’s obligations under relevant data protection legislation. These obligations mean that Personal Data is always securely processed and transmitted, protected against unlawful processing and accidental loss and uncontrolled change, amongst other requirements.

Collection of Personal Data

For the purpose of campaigns launched by the Foundation, Personal Data of donors (individual or corporate) may be collected by the Foundation’s service providers that host or provide the campaign website or other fundraising tools (FundraiseUp, Facebook, Benevity, etc.). These service providers may be located outside of Switzerland or countries compliant with the EU General Data Protection Regulation. Personal Data will be transferred from the Foundation’s service providers to the Foundation. The Foundation has concluded contracts to ensure, to the best of its ability, that appropriate safeguards are in place with its service providers, when data is collected, transferred to the Foundation and deleted from our service providers servers but by using these tools donors agree to be submitted to the Foundation’s service providers privacy policy and regulations. 

Online Payments

If a payment is made through one of the Foundation online tools, a third party provider, such as, will process Personal Data for the purpose of the payment. The third party provider shall be the only party responsible, if its services or system are located within the United States or other countries outside Switzerland, for implementing appropriate safeguards mechanisms for such transfer. Therefore, the present data privacy policy may not apply to information that you may submit to us offline or to websites maintained by other companies or organizations to which we may link. In addition, the Foundation will not collect, acces, store or process any credit card or other payment system information.

Personal Data Sharing

Unless disclosure of your Personal Data is required by applicable law or a competent authority, your Personal Data is held in confidence and is never provided to any third party outside of the Foundation, with the exception, where applicable, of the World Health Organisation that may require access to Personal Data to ensure compliance with their donation mechanism.

Should the Foundation provide a third party with any of your Personal Data, the Foundation will conclude written agreements with any such third party imposing data protection obligations in order to ensure an adequate level of protection for your Personal Data and compliance with the legal requirements. 

The Foundation trusted partner in each jurisdiction that may be responsible for receiving your donation will also collect your Personal Data. Their data policy will be applicable in addition to this one if your donation goes through one of our trusted partners.  

Personal Data Transfers Outside the EU

This section shall apply to any Personal Data collected by the Foundation from EU and Swiss residents.

If the Foundation transfers your Personal Data to a State which is not a Member State of either the European Union or the EEA, or deemed adequate by the European Commission and/or the Swiss Federal Data Protection and Information Commissioner, for example to Members of the Foundation Board located in such State, the Foundation will only conduct such transfer if there are suitable safeguards in place, such as binding corporate rules, standard contractual clauses, approved Codes of Conduct, or approved certification mechanism.

Retention Period of Personal Data

As an organisation operating and governed by Swiss Law, the Foundation is obliged to keep a record of all operational relevant information for a period of ten (10) years. The Foundation will therefore keep your Personal Data for a period of ten (10) years from the time your Personal Data is no longer useful for the performance of its activities, subject to any potential proceedings, requests or investigations that may extend beyond that period. The Foundation will however process your Personal Data exclusively for the above mentioned purposes.

Personal Data Owner’s Rights and Preferences

In addition to the right to be informed about the Personal Data the Foundation holds and the use the Foundation makes of it (as described in this Policy) you are also entitled to:

● access your Personal Data;

● rectify inaccurate or incomplete Personal Data;

● request deletion of your Personal Data (subject to the below mentioned limitation);

● restrict processing of your Personal Data (subject to the below mentioned limitations);

● obtain and reuse your Personal Data;

● object to particular processing(s) of your Personal Data subject to the below mentioned limitations).

For further information on these rights, please contact us (see contact details below).

Please note that your objection or restriction to the processing of your Personal Data could prevent the Foundation from performing the actions necessary to achieve the purposes set out above. Please also note that the above rights can be limited. For example, the Foundation may need your Personal Data to comply with the law (e.g. see the “Retention period of Personal Data” section above) or assert or defend against legal claims. The Foundation may therefore be able to continue processing your Personal Data even after you have requested, for example, the deletion of your Personal Data, to the extent required or permitted by law.


Any modifications made to the present data protection policy will be published on the Foundation website. The published data protection policy on the Foundation’s website is the applicable and most up-to-date data protection policy.

Questions, Concerns or Complaints

If you have any questions, concerns, or complaints about the Foundation’s Personal Data practices or this Policy, we encourage you to get in touch with the Foundation by using the contact information below. Also, if you believe you have suffered harm due to a breach of your rights by the Foundation under this Policy, and the Foundation has not handled your complaint in a reasonably sufficient manner, any EU resident may also file a complaint with the competent supervisory authority.

Contact information:

[1] 08 February 2023