PRIVACY POLICY FOR VÄRLDSNATURFONDEN WWF
Guidelines for handling personal integrity according to GDPR
Access Privacy Policy in Swedish
Introduction
The foundation Världsnaturfonden WWF (WWF Sweden) protects the privacy of individuals and is keen for individuals to feel safe in all contacts with us. This privacy policy has been prepared in accordance with the legal requirements set out in, among other things, the General Data Protection Regulation¹ (also known as GDPR)², but also in accordance with the guidelines for personal data management that our industry organization Giva Sweden issues to its members. WWF Sweden’s starting point is that the organization should be able to report in a fair, open, clear and unambiguous way what personal data is collected, why and with what legal basis. WWF Sweden protects data in the best possible way.
1. Purpose and scope
This privacy policy describes what data WWF Sweden collects, for what purpose it is collected, and in what way the individual can have control over their data, as well as how to contact WWF Sweden.
It applies in all contexts when the individual participates in WWF Sweden’s activities, visits the website, uses one of WWF Sweden’s services, when the individual is active on WWF Sweden’s social media or comes into contact with WWF Sweden in some other way via, for example, e-mail or an application that WWF Sweden is behind, information received by phone, post or if information is provided in some other way.
The privacy policy applies regardless of whether the individual comes into contact with WWF Sweden as a donor, participant or as interested in our activities. It also applies to the individual who comes into contact with WWF Sweden in their professional role or as an employee of WWF Sweden. The policy also describes the individual’s rights vis-à-vis WWF Sweden and how individuals can assert their rights. The policy also applies to information that WWF Sweden receives by telephone, mail or if the individual provides information to WWF Sweden in some other way, as well as personal data that WWF Sweden receives via a third party.
GDPR and the privacy policy do not apply to deceased persons, but WWF Sweden handles the deceased’s data with respect for the deceased and their relatives. The deceased’s information is deleted and archived when the estate has been wound up.
2. Roles and responsibilities
The General Counsel at WWF Sweden is responsible for ensuring that documentation is updated and procedures are created, and that WWF Sweden is kept informed of developments in relation to the General Data Protection Regulation. In addition, there is a working group, the GDPR group³, within WWF Sweden with representatives from different parts of the business that will ensure that the entire organization continuously monitors and adapts the processing of personal data in a correct way. The processing of personal data can be carried out by different people within the business.
3. Concepts
Personal data is information that can be directly or indirectly linked to a living person. Examples include names and social security numbers, but information such as the individual’s IP address or recorded voice is also personal data that can be linked to the individual.
Data Controller is the person who decides for what purposes the data is to be processed and how the processing is to be carried out.
Data Processor is the person who processes personal data on behalf of the controller.
The data subject is the individual whose personal data is being processed.
Treatment (processing) includes everything that can be done with personal data, for example collection, recording, organization, storage, processing, or modification.
4. WWF Sweden collects personal data
WWF Sweden primarily receives personal data directly from the data subject. Since the individual can come into contact with WWF Sweden in different ways, the need to collect personal data may be different. Examples of personal data collected are names and other contact details such as mobile phone number, e-mail address, physical address, account number or social security number. WWF Sweden may use personal identity numbers to update the data subject’s information from other public registers, if this is necessary to maintain good register management. WWF Sweden can also use a mobile phone number to retrieve the name or otherwise supplement the data subject’s information. If data is received from someone other than the data subject, they are initially informed of the source of the personal data.
WWF Sweden collects personal data when the data subject:
- enters into an agreement with WWF Sweden
- donates via various analogue and digital communication channels
- signs up as a WWF Friend or member of the Panda Club
- signs up as a sponsor/monthly donor
- signs up as a newsletter recipient
- registers for events organised by WWF Sweden
- accepts assignments as a member of the Board of Directors or the Board of Trustees
- starts employment or a traineeship
- contacts WWF Sweden via email, post, phone, our websites or social media
- visits one of WWF Sweden’s domains.
5. Legal basis
When the data subject submits his/her personal data to WWF Sweden, the data is registered, stored and processed for the specified purposes (see section 6 below).
As a legal basis for personal data processing, WWF Sweden will mainly refer to the fulfilment of a contract, legitimate interest, legal obligation or consent. The data subject always has the right to withdraw their consent when the processing of personal data is based on their consent.
6. Why WWF Sweden needs to process personal data (our purposes)
WWF Sweden processes personal data mainly for the purposes set out below and for any additional purposes stated at the time of collection. Personal data is only collected for specified purposes and will not be used for anything that is not in line with those purposes. In addition to the following purposes, there may be additional purposes disclosed at the time the personal data is collected:
- To reach out to donors and potential donors with general and targeted marketing.
- To manage and prevent security incidents.
- To conduct donor surveys.
- To inform about WWF Sweden’s work and activities via various analogue and digital communication channels.
- To enable good service such as handling donor questions, correcting incorrect information or to thank for gifts received and inform about how collected funds are used.
- To manage participation in competitions and events organised.
- To conduct internal audits.
- To fulfill orders for prizes, gift certificates, and telegrams.
- For system administration and to be able to maintain good register management.
- To produce statistical data on our donors’ donor behaviour and donor patterns at an aggregate level (i.e. without identifying individuals).
- To note interest and commitment in our initiatives and networks.
- To comply with legal requirements regarding the storage of contracts.
- To comply with legal obligations.
7. Processing of children’s personal data
If WWF Sweden processes children’s personal data, for example in connection with public events where children participate, the consent of the guardian is always requested to process the child’s data.
If the child is over 16 years of age, consent is requested from the child. The data is only processed for as long as it is necessary for the purpose of the processing, after which the personal data is deleted.
8. Who may WWF Sweden share personal data with?
In most cases, WWF Sweden is the data controller for the processing of personal data. It is therefore WWF Sweden’s responsibility to protect the personal data and to inform the data subject about how the data is processed.
WWF Sweden may share information with other companies that process personal data on behalf of WWF Sweden. This is so that WWF Sweden can perform our services, such as analysis, distribution or other services that maintain and apply terms of use and delivery. However, all handling of personal data always observes a high level of security and confidentiality. WWF Sweden undertakes to have valid personal data processing agreements with all suppliers who process personal data on behalf of WWF Sweden.
Personal data may also be disclosed if it is necessary to:
- comply with any applicable law, regulation, legal process or request from an executive authority;
- safeguard WWF Sweden’s legal interests
- detect and prevent fraud, security or technical problems.
WWF Sweden will not sell or rent the personal data collected. WWF Sweden only cooperates with partners who process personal data within the EU/EEA or with companies that maintain the same level of protection as within the EU/EEA.
9. Records for processing and impact assessment
In accordance with the General Data Protection Regulation, WWF Sweden must in certain cases keep registers for the processing of personal data and carry out impact assessments. A specific template for impact assessment and a form for registers for processing have been established and are used where appropriate.
10. How long is the personal data stored
The processing takes place in accordance with applicable legislation and means that personal data is not stored for a longer period than is necessary with regard to the purposes of the processing. There are internal procedures in place to ensure this. WWF Sweden will store the data subject’s personal data for as long as the data subject has a relationship with WWF Sweden, for example is a donor or contractual party, and for a period of time thereafter depending on the purpose. In practical terms, this means that data is deleted when it is no longer relevant or necessary for analysis or direct marketing for the purposes for which it was collected. Certain information can be retained for longer when required by other legislation, such as the Accounting Act. However, all handling of personal data always observes a high level of security and confidentiality.
11. About cookies
When using WWF Sweden’s website and applications, data is collected via cookies. However, this is only done after a separate approval. A cookie is a text file consisting of letters and numbers that the website the individual visits saves on their device. The cookie acts as a technical support that facilitates the use of WWF Sweden’s website in various ways, and consequently information about the use and about which pages the user visits is stored. When visiting our website where our services are provided, various technologies may be used to recognize the user in order to learn more about the users. This can be done directly or through the use of third-party technology. Failure to accept cookies may result in certain services not being provided.
12. Rights of the data subject
According to data protection legislation, the data subject has the right to control his or her own personal data and to receive information about how WWF Sweden processes this data. Below is a description of some of these rights and how they can be exercised at WWF Sweden.
12.1 Information
The right to information means that the data subject must generally receive information both when the data is collected and when he or she requests it. If something happens to the data subject’s personal data that may affect them negatively, they have the right to know about it. The data subject has the right to know:
- why the personal data will be used
- in some cases, the legal basis for processing the personal data
- how long the personal data will be stored
- who will access the personal data
- their rights under the General Data Protection Regulation
- whether their data will be transferred to a so-called third country (country outside the EU/EEA)
- their right to lodge a complaint
- how they withdraw their consent, if they have given it
- the contact details of the organisation responsible for processing their data and of its data protection officer, if any.
A request for further information can be sent to WWF Sweden via: gdpr@wwf.se
12.2 Right of access (register extract)
The right of access, i.e. to access their personal data, means that the data subject has the right to contact WWF Sweden to find out if WWF is processing their personal data. In that case, the data subject must be given access to the data, a so-called register extract, and information about how it is used.
If the data subject’s personal data is processed, the data subject has the right to receive a copy of the data and information about, among other things:
- the categories of personal data that are processed
- what the personal data is used for
- how long the data will be kept
- with whom the personal data has been shared
- where the data comes from.
The right to access their personal data does not mean that the data subject has the right to obtain the actual document in which his or her personal data appears. It may often be sufficient for the data subject to receive an intelligible summary of the personal data contained in the document or otherwise being processed so that the accuracy and legality of the data can be verified.
Requests to access your personal data processed by WWF Sweden should be sent to: gdpr@wwf.se
12.3 Corrections, deletion (the ”right to be forgotten”) and restrictions
If something has gone wrong with the data subject’s personal data, they have the right to request that it be corrected. The data subject also has the right to request the erasure of their personal data, object to the processing and request the restriction of their processing. In some cases, it may be that WWF Sweden will not be able to fulfill a request due to legal obligations. In such cases, we will inform the data subject of why, and limit the processing of the personal data to only fulfilling the legal obligation.
Requests for correction, deletion or restrictions of personal data processed by WWF Sweden should be sent to: gdpr@wwf.se
12.4 Data portability
The data subject has the right to receive and transfer his/her personal data from one data controller to another if and when it is technically possible. However, a prerequisite for this is that WWF Sweden processes the personal data on the basis of a consent from the data subject or to fulfil an agreement with the data subject, and this only applies to personal data that the data subject has provided to WWF Sweden.
Requests for transfer of personal data to a data controller other than WWF Sweden should be sent to: gdpr@wwf.se
13. Incident management
A personal data breach is a security event that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal information. It is irrelevant whether the breach occurred intentionally or unintentionally; in both cases it constitutes a personal data breach.
WWF Sweden is obliged to report certain types of personal data breaches to the Swedish Authority for Privacy Protection (IMY). A report must be made if it is likely that the personal data breach entails a risk to the rights and freedoms of natural persons. WWF Sweden must therefore make a careful assessment of whether the incident should be reported to IMY or not. The General Counsel at WWF Sweden is responsible for handling and investigating the incident and submitting a decision basis to the Secretary General. If the assessment concludes that the incident should be reported, it must be done without unnecessary delay. In such a case, WWF Sweden shall also inform the data subjects as soon as possible.
14. Complaints to a supervisory authority
If you have any comments on WWF Sweden’s processing of personal data, please contact the working group for GDPR issues via: gdpr@wwf.se.
The data subject also has the right to lodge a complaint with the supervisory authority. In Sweden, it is the Swedish Authority for Privacy Protection (IMY) (formerly the Swedish Data Protection Authority). More information can be found on the agency’s website: www.imy.se.
15. Safety Precautions
WWF Sweden takes the technical and organizational security measures necessary to protect personal data against unauthorized access, alteration and deletion.
Data protection is part of WWF Sweden’s procurements of new suppliers and the development of new functions and services.
16. Questions
WWF Sweden will regularly review and, if necessary, update this policy taking into account changes in law, organization and processes. If you have any questions regarding the policy, you can contact the General Counsel at WWF Sweden.
This document has been translated from its original language, i.e. Swedish. While every effort has been made to provide an accurate translation, no warranty of any kind, expressed or implied, is made as to the accuracy, reliability, or correctness of the translation. In the event of any discrepancy or inconsistency between the translated version and the original document, the original language version shall prevail. The translator assumes no responsibility for any errors, omissions, or ambiguities in the translated text. Any person or entity that relies on the translated content does so at their own risk.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2 GDPR is an abbreviation in English that means General Data Protection Regulation.
3 A working group at WWF Sweden that ensures that the entire organization in Sweden continuously monitors that personal data is handled in accordance with applicable law.
Last modified 25/02/26
