DATA PROTECTION NOTICE
Sunflower Seeds ASBL
Association sans but lucratif
Registered office: 5, rue Jean Bertels, L-1230 Luxembourg
Grand Duchy of Luxembourg
R.C.S. Luxembourg F13965
(the “Organisation”)
Luxembourg, 8 January 2024
The Organisation (hereafter referred to as “we” or “us”) understands the importance of keeping your Personal Data safe. This data protection notice (the “Notice”) describes how we treat the information collected or provided during the course of our activities, how it is stored, processed and secured, and what the rights of the Data Subjects (as defined below) are in relation to these Personal Data.
Your Personal Data (as defined below) may be collected, recorded, stored in digital form or otherwise, adapted, transferred or otherwise processed and used in accordance with the European Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and any other European Union or national legislation which implements or supplements the foregoing.
This Notice applies to any identified and identifiable natural person (“Data Subject”) whose Personal Data (as defined below) is provided to us directly by the Data Subject or indirectly through another natural or legal person, public authority, agency or another body in connection with our relationship with the Data Subject where we act as data controller within the meaning of the General Data Protection Regulation.
Please ensure that a copy of this Notice is provided to any third parties whose Personal Data (as defined below) you provide to us. We may update this Notice from time to time and we will notify you in writing of any changes we make.
You, as a Data Subject, remain responsible to inform any of your potential authorised representatives or beneficial owners about the existence and content of this Notice.
Which categories of Personal Data are concerned?
The main categories of personal data processed by the Organisation (the “Personal Data”) include (inter alia):
- name, title, address (including proofs of name and address), e-mail address, phone number, any other contact details;
- CVs, date and place of birth;
- nationality, gender, copies of identity documents;
- fiscal domicile, bank account details, tax number;
- IP addresses or other visitor origin profiles that may be traceable from visiting our website or social media profiles;
- pictures from events organized by the Organisation.
For the avoidance of doubt, in case of corporates, Personal Data includes personal data of individuals linked to such corporates.
Where do we obtain Personal Data about you?
Personal Data may be collected, used and stored by us or other parties who process your Personal Data in connection with the performance of their respective tasks from the following sources:
- information provided verbally, electronically or in writing, including information provided on donation forms, questionnaires, contact form on our website, and other forms provided by you or your organisation;
- information that is generated by the Organisation in the course of its relationship with you;
- the performance of the agreement that you or your organisation have entered into with us or other parties from time to time;
- third parties or publicly available sources (e.g. publicly available websites, and other public data);
- the use of services and your relationship with us, as well as with our service providers.
Why do we process your Personal Data?
The Personal Data will be processed by us or on our behalf if necessary for the purposes of:
- “performance of contract” (Article 6.1.b) of GDPR), including:
  - collecting and administering donations;
  - maintaining the register of donors of the Organisation;
  - informing donors about ongoing projects and events of the Organisation;
  - providing mentoring or training workshops;
  - cash movements for donations settlement purposes; and
  - marketing and handling of the events of the Organisation.
- “compliance with the applicable legal and regulatory obligations” which the Organisation is subject to (Article 6.1.c) of GDPR), such as:
  - anti-money laundering and terrorism financing identification;
  - know your client (KYC) obligation;
  - tax identification in accordance with applicable legal obligations; and
  - any other legal requirements.
- the legitimate interest of the Organisation for:
  - providing services covered by its objective;
  - the processing purposes described in points (i) and (ii) above;
  - meeting and complying with the Organisation’s accountability requirements and regulatory obligations globally; and
  - exercising the business of the Organisation in accordance with reasonable market standards.
In assessing our legitimate interests, we consider that the processing of your Personal Data in furtherance of these objectives does not prejudice your interests, fundamental rights or freedoms as a Data Subject.
Certain Personal Data, such as business cards and photographs the Organisation may have of Data Subjects from events, or IP address (for website users), is processed based on consent or to pursue legitimate interest, such as internal communication and business administration.
For the processing of Personal Data that is based on the Data Subject’s consent, Data Subjects have the right to withdraw their consent at any time and to request that the Organisation stop processing and delete such Personal Data at any time.
To whom do we disclose your Personal Data?
In order to fulfil our obligations arising from a contract, or as otherwise permitted or required by law, certain Personal Data may be transmitted on a “need to know” basis to third parties or our service providers, such as our bank, our website service provider, auditors, legal advisers, or regulatory authorities.
We will require our service providers and other parties who process your Personal Data on our behalf to protect the confidentiality and privacy of your Personal Data and to use the information only for the purpose for which the disclosure is made. For this purpose, service providers and other parties who process your Personal Data on our behalf receiving Personal Data are bound by agreement with us or by regulatory requirement to keep Personal Data secure.
Where do we transfer your Personal Data?
To the extent required for the working relationships between the service providers of the Organisation and between the Organisation and its donors, processing Personal Data for the purposes mentioned above may involve the transfer of your Personal Data to parties located outside the European Union (EU).
In such cases, prior due diligence is performed to ensure that data processors or service providers only transfer data to their affiliates which are compliant with data protection rules equivalent to GDPR, that the IT cloud solutions chosen have implemented GDPR-compliant security measures and that the Personal Data is transferred in a secure way as per GDPR requirements on transfers to third countries.
To the extent practicable, we avoid transferring Personal Data to non-EU countries or to countries without EU equivalent data protection rules.
How long do we keep your Personal Data?
We and other parties who process your Personal Data on our behalf in connection with the performance of their respective tasks will collect only such information that is useful and required for the performance of the services that we provide, or that are provided on our behalf, to you.
Any and all Personal Data will be held for a period of maximum ten (10) years after the termination of the relationship between the Data Subject and the Organisation, and will not be retained for longer than necessary in order to fulfil the Organisation’s obligations arising from contractual obligations or applicable laws. For avoidance of doubt, in any event, the applicable laws will prevail over the contracts.
Who is responsible for your Personal Data?
The Organisation, acting in its capacity of data controller in relation to your Personal Data, will be responsible for the lawful processing of your Personal Data.
The confidentiality, privacy and security of your Personal Data is ensured by the Organisation and other parties who process your Personal Data on behalf of the Organisation in connection with the performance of their respective tasks. Physical, electronic and procedural safeguards are maintained to protect your Personal Data. This Notice explains certain policies and practices that have been put in place to ensure the privacy of such Personal Data.
What are your rights in relation to Personal Data?
Under certain circumstances you have the right, in accordance with the General Data Protection Regulation, to:
- request access to your Personal Data and to request a copy of your Personal Data processed by or on behalf of the Organisation free of charge or subject to an administrative charge if your request is excessive or manifestly unfounded. This enables you to receive a copy of your Personal Data and to check that we are lawfully processing it;
- request the rectification of your Personal Data in case of inaccuracy or incompleteness. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- request the erasure of your Personal Data. This enables you to ask us to delete or remove your Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing;
- request the restriction of the processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data, for example if you want us to establish its accuracy or the reason for processing it;
- request the transfer (data portability) of your Personal Data to third parties without hindrance from the Organisation unless processing is based either on your consent or on a contract;
- lodge a complaint in relation to data protection related issues with the relevant data protection authorities in the member state of the European Economic Area where you live or work, or where the alleged infringement of the General Data Protection Regulation occurred. In Luxembourg, the competent authority is the Luxembourg data protection authority, the Commission Nationale de la Protection des Données (the CNPD), with address at 15, boulevard du Jazz, L-4370 Esch-sur-Alzette (Tel.: (+352) 26 10 60-1);
- withdraw your consent at any time (without this withdrawal affecting the lawfulness of processing prior to the withdrawal) in cases where your Personal Data has been processed on the legal basis of consent; and
- object to the processing of your Personal Data, at any time and free of charge, where we are relying on our legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on such ground.
To exercise the above-described rights or for any other data protection queries, you can contact info@sunflowerseeds.lu.
Miscellaneous
If you choose not to provide any information in a form which is satisfactory to the Organisation, object to the aforementioned processing of your Personal Data or withdraw your consent to such data processing, we may not be able to fulfil your request or to maintain any relationship with you.
In case of any questions about this Notice, you can contact us by writing to info@sunflowerseeds.lu.
Sunflower Seeds ASBL - Data Protection Notice - January 2024