EEA PRIVACY POLICY
The Children’s Tumor Foundation Europe and the Children’s Tumor Foundation US (also referred to as “we”, “our”, “us”) maintain the highest level of respect for the privacy and data protection of our donors and website visitors. Further information on specific aspects of our commitment to protecting your personal data is provided below.
Effective date / Last modified: 17.12.2019
1. Objective and scope
1.1. This Privacy Policy sets out how we, the Children’s Tumor Foundation US, with headquarters at 697 Third Avenue, Suite 418, New York, NY 10017, US, and Children’s Tumor Foundation Europe, with its European Headquarters at Avenue Avenue du Port 86C, Box 204, 1000 Brussels, Belgium, process the personal data of our donors and prospecting donners residing in the EEA and visitors to our websites, on which a link to this Privacy Policy is available. The “EEA” stands for the European Economic Area and covers the countries of the European Union (“EU”) as well as Iceland, Lichtenstein and Norway.
1.2. For the collection and processing of personal data of donors residing in the EEA and website visitors, the Children’s Tumor Foundation Europe together with the Children’s Tumor Foundation US are joint controllers under the EU General Data Protection Regulation (GDPR). Donors can be website visitors but not necessarily.
1.3. We use partners to provide online payment processing services. Usually, privacy policies of these service providers will be presented to you on their respective websites and typically as part of your donation process. Our current partner to provide the online payment processing service is Classy. For the purposes of online payment processing only, Classy and we are joint controllers. For this reason, we have entered into a joint controllership arrangement with Classy.
2. Personal data we collect and their sources
2.1. Personal data collected directly from you
We generally collect personal data directly from you (electronically, in writing) by way of, among others, website forms, messages you address to us, and communications with us at our fundraising and promotional events and other activities. We also collect data from you when you make a donation through our Website. This information includes the following:
- 2.1.1. Donor Data, such as title, name, suffix, contact details including address, telephone number, e-mail address, company, selected Family Fund, if any, selected gift direction, if any, amount donated, donor comments, payment details and any other personal data provided. For donations by check, this information includes also the personal data visible on the check. If you pay by credit card, we do not store your credit card information, bank account numbers, or other financial account data sent directly to our online payment processing services.
- 2.1.2. Prospective Donor Data, such as the information you have provided to us at an event organized by Children’s Tumor Foundation US and / or Children’s Tumor Foundation Europe or other fundraising activities. Such information may include the information from your business card and / or other information you have provided to us such as your title, name, contact details including address, telephone number, e-mail address.
2.2. Personal data automatically collected from your device
We collect certain personal data directly from your device, when you visit our website or a CTF app downloaded to your mobile device. This information include the following:
- 2.2.1. Device and Browser Information, such as information about your computer and / or device, including device type, IP address, device identifier, and operating system.
- 2.2.2. Information and Statistics on Website and Mobile App Usage, such as information about your use of our website or app, webpages visited, including content viewed or downloaded, time spent on webpages, links clicked. To achieve these purposes, we use [cookies, web beacons, pixel tags, or other technologies]. For further details concerning the how to disable cookies, please see our Cookie Policy.
2.3. Personal data we receive from third parties
- 2.3.1. In some cases, we may receive certain personal data from third parties such as our existing Donors, who have indicated that you may be strongly interested in our organization’s mission and activities, and / or in donating to fund research, expand knowledge, and advance care for the NF community (protective donors).
- 2.3.2. To the extent you use our online tools provided by our third party providers, such as online payment service providers, they may provide us with certain personal data.
- 2.4.2 For CTF mobile app users, more information can be found here for Apple, or Android users.
3. Purposes
3.1. We set below the purposes for which we process personal data of EEA Donors, our website visitors, and, where indicated, Prospective EEA Donors.
In accordance with applicable law, we process Donor Data and, where indicated, Prospective Donor Data, for the following purposes:
- 3.1.1. To process payments and donations, including to distribute receipts and acknowledge donations;
- 3.1.2. To enable our service providers to carry out certain functions on our behalf, including payment processing, verification, technical functions, security and / or integrity protection of our activities, including our databases and systems, and for business continuity reasons, as well as other functions, as may be required, in order to process your donation;
- 3.1.3. To build a Donor and Prospective Donor Registry in order to keep records of Donors’ donations, and a database of Donors and Prospective Donors;
- 3.1.4. To send you marketing communications, including to inform Donors and Prospective Donors about upcoming fundraising and other activities of the Children’s Tumor Foundation Europe and, where relevant, of the Children’s Tumor Foundation US, which we consider may be of interest to you. We will not send you such marketing materials if you have opted out from this option. You may unsubscribe via the unsubscribe button included in each marketing email we send to you;
- 3.1.5. To conduct the operations of the Children’s Tumor Foundation US and of the Children’s Tumor Foundation Europe, including to provide fundraising and patient support, and to carry out internal analysis, such as research and analytics of donations in order to determine a fundraising strategy, and surveys, metrics, and other analytical purposes;
- 3.1.6. To respond to your questions and various communications with you, for example your inquiries sent to the email address indicated on our website, i.e. info@ctf.org;
- 3.1.7. To comply with applicable law, for example, in response to a request from a court or a regulatory body, where such request has been made in accordance with the law. In accordance with applicable law, we process information of website visitors for the following purposes:
- 3.1.8. To analyze our website traffic;
- 3.1.9. To ensure security of our website; and
- 3.1.10. To improve functionality of our website.
3.2. The bases for the processing of personal data for the purposes described above will include:
- 3.2.1. Fulfilling a contract of donation we have with you, or will have with you at your request;
- 3.2.2. Our legitimate interests, as outlined in paragraphs
- 3.1.2 to 3.1.10 above;
- 3.2.3. Consent that you have granted to us;
- 3.2.4. Establishment, exercise or defense of legal claims; or
- 3.2.5. Compliance with a legal obligation to which we are subject.
3.3. In the event that we use your personal data for purposes not specified above, we will inform you about such purposes for processing your personal data and, when required, of our legal basis for doing.
4. Disclosure of your information
We share your personal data internally between Children’s Tumor Foundation US and the Children’s Tumor Foundation Europe for the purposes described in Section 3. Additionally, in some circumstances, when we wish to or are compelled to disclose your personal data to third parties. Such disclosure will only take place in accordance with the relevant applicable laws and for the purposes listed above. These scenarios may include disclosure:
4.1. To our outsourced service providers, such as hosting service providers, IT providers, server security services, IT system administrators and support services, and providers of fundraising strategies.
4.2. To our outsourced online payment service providers; currently such provider is Classy, with whom we act as joint controllers for the purpose of online payments;
4.3. To public authorities where we are required by law to do so and to defend or enforce our rights, protect our property, assets or safety of others.
4.4. Some links in our website will take you to third party websites or our social media pages located on social media sites such as LinkedIn. These are governed by privacy policies of companies operating such websites, which are available thereon.
5. International transfer of personal data
5.1. As Children’s Tumor Foundation US is a joint data controller together with the Children’s Tumor Foundation Europe, personal data of EEA Donors and of website visitors can be transferred to the US where the Children’s Tumor Foundation US is located. To ensure appropriate protection of data transfers outside the EEA, the two entities rely on one of the measures listed in paragraph 5.3 below for the purposes of such transfers. If you want to know more, please contact us.
5.2. In addition, we may transfer your personal data to outsourced service providers in countries outside the EEA for processing in accordance with the purposes set out in Section 3 above.
5.3. In circumstances where your personal data is transferred within the CTF or to our outsourced service providers located outside the EEA, we will, where required by applicable law, ensure that your privacy rights are adequately protected. Among the measures to protect your personal data, we may rely on European Commission adequacy decisions about certain countries, as applicable (see here). We may also rely on standard contractual clauses approved by the European Commission (see here) in our contracts with third parties that receive information outside the EEA or using other acceptable data transfer mechanisms, such as EU-US Privacy Shield for transfers to self-certified US organizations (see here), Binding Corporate Rules (see here), approved Codes of Conduct and Certifications or, in exceptional circumstances, on the basis of permissible statutory derogations.
5.4. Please contact our Data Protection Officer at dataprotection@ctf.org for a copy of the safeguards which we have put in place to protect your personal data and privacy rights in these circumstances.
6. Retention of personal data
Your personal data will be retained as long as it is reasonably necessary for the purposes listed above or as required by applicable local law. Retention periods can vary based on the type of information and how it is used. We retain personal data in accordance with the criteria that include legally mandated retention periods, e.g. for tax audit purposes, pending or potential litigation, our intellectual property or ownership rights, contract requirements, operational directives or needs, and historical archiving. Please contact us for further details of applicable retention periods.
7. Data subject rights
7.1. You may exercise the following privacy rights regarding your personal data, if you are a donor residing in the EEA or you are visiting our website from the EEA, or where the GDPR, or other applicable EU data protection laws so provide, whereby these rights are subject to the conditions and exceptions laid down in the GDPR. Should you wish to exercise your rights, please contact us (see Section 9 for contact details).
- 7.1.1. Access – You have the right to obtain from us confirmation if your personal data is being processed, certain information in this regard and a copy of the personal data undergoing said processing.
- 7.1.2. Rectification – You have the right to request that inaccurate personal data be corrected and to have incomplete data completed.
- 7.1.3. Objection – You have the right, when we process your personal data based on our or a third party’s legitimate interests, to object to the processing of your personal data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that processing. In addition, you have the right to object at any time where your personal data is processed for direct marketing purposes. (Please note that even if you object to the use of your personal data for direct marketing purposes, we will still send you responses to your questions.)
- 7.1.4. Portability – You have the right to receive a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit them to other data controllers. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.
- 7.1.5. Restriction – You may request that we restrict processing of your personal data if
- i. you contest the accuracy of it – for a period we need to verify your request;
- ii. the processing is unlawful and you oppose the erasure of it and request restriction instead;
- iii. we no longer need it, but you tell us you need it to establish, exercise or defend a legal claim; or
- iv. you object to processing based on public or legitimate interest – for a period we need to verify your request.
- 7.1.6. Erasure – You may request that we erase your personal data if it is no longer necessary for the purposes for which we have collected it, if you have withdrawn your consent and no other legal ground for the processing exists; if the processing is unlawful, or if erasure is required to comply with a legal obligation.
- 7.1.7. Right to lodge a complaint – You also have the right to lodge a complaint with a supervisory authority, in particular in the EEA country of your residence, or the location where the issue that is the subject of the complaint occurred.
- 7.1.8. Right to refuse or withdraw consent – In case we ask for your consent to certain processing, you are free to refuse to give consent and you can withdraw your consent at any time without any adverse negative consequences. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.
7.2. In instances where Children’s Tumor Foundation US and Children’s Tumor Foundation Europe act as joint controllers, you can exercise these rights in respect of and against each of them. Children’s Tumor Foundations US and Children’s Tumor Foundation Europe that act as joint controllers have entered into an arrangement, reflecting their respective roles and relationships. Please contact us if you want to know more about this contractual arrangement.
8. Children
Through our website, we do not knowingly collect any information, including personal data, from children under 16 years of age for the purposes identified in Section 3 above. If you believe that we have inadvertently collected personal data from a child under the age of 16 for such purposes, please contact us at the address below and we will take immediate steps to delete the information.
9. How to contact us
If you have any questions, comments or requests regarding this Privacy Policy, or you wish to exercise your data protection rights, please direct your request to our Data Protection Officer, that is:
Address:
Children’s Tumor Foundation US
697 Third Avenue
Suite 418
New York, NY 10017
US Telephone: 1-800-323-7938
E-mail address: dataprotection@ctf.org
10. Glossary
The following terms are used within this Privacy Policy and mean the following:
10.1. “controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal information;
10.2. “personal data” means any information relating to an identified or identifiable natural person (i.e., “data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; and
10.3. “processing” means any operation or set of operations performed upon personal information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.