GCSP PRIVACY NOTICE

Last updated February 2021

 

What is this Privacy Notice about?

The Geneva Centre for Security Policy (“GCSP”) and its associated entities (we or us) are committed to maintaining the privacy and confidentiality of information you provide to us. This Privacy Notice describes our current policies and practices with regard to your personal data which we collect from you directly and/or through your use of our website and/or through our business dealings with or in relation to you.

Personal data, or personal information, means any information about you from which you can be identified, directly or indirectly. Personal data includes special categories of personal data (as defined by law and further described below).

This Privacy Notice applies to everyone about whom we hold personal data who is not a current or former member, employee, worker or individual contractor (such as a “fellow”) of ours, or someone who has applied for a job with us.

The people to whom this Privacy Notice applies therefore include:

  • our clients and customers
  • our suppliers and contractors
  • other educational bodies, associations, experts and other people instructed by us in the course of our work for our clients
  • individuals who use our website
  • journalists and individuals who visit our offices or attend any of our events
  • individuals who email, call or otherwise contact us for any purpose. Here are some examples of such purposes:
      • services to be provided by us
      • services to be provided to us
      • requests for press or media content
      • individuals contacting us in the performance of their employment or other role for another entity
  • individuals whose contact details have been made available to us for marketing purposes or for the purposes of future communication (e.g. the exchange of business cards at an event)
  • individuals whose personal data is provided to us by a third party. For example, a partner organization which has shared a list of course prospects, participant-list of an event, etc.
  • individuals with whom we deal or whose personal data is provided to us as part of our pro bono and corporate social responsibility programs and activities. For example, attendants of a GCSP event that is open to the public, observers at a student competition, etc.

This Privacy Notice does not form part of any contract we have with you and we may amend it from time to time.

We are continually improving our methods of communication and adding new functionality and features to our website, to our existing services and to administrative processes.

Because of these ongoing changes, changes in the law and the changing nature of technology our data protection practices will change from time to time. We encourage you to check this page frequently.

If you have any questions about this policy, please contact Privacy@gcsp.ch.

 

What is the legal basis for processing personal data?

Article 6 of the GDPR lists six scenarios in which processing personal data is legally permitted.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  3. processing is necessary for compliance with a legal obligation to which the controller is subject
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

What information do we hold about you?

Personal data, or personal information, means any information about an individual from which that person can be identified (directly or indirectly).

We may collect, store, and use some or all of the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, telephone numbers, email addresses and business contact information
  • Date of birth
  • Gender
  • Marital status and dependents
  • Bank account details
  • Any other personal information required by us to verify your identity for our “know your client” compliance. This may include anti-money laundering checks. Such processes could include identification documentation (e.g. passport, driving license, identity card).
  • Information included on invoices provided by contractors and suppliers.
  • Information about your use of our information and communications systems. This includes information about your personal devices if you use our systems. For example, our wifi, website or portals.
  • Photographs if you attend any of our events.
  • Records of your attendance at any of our offices (which may include CCTV records that our building managers could share with us).
  • Any other information provided by you, or any third party, to us, in connection with our business activity. For example, you (or any of our clients, employees, consultants, experts or affiliates) have asked the GCSP to advise, be part of an event, create a training module, etc.

 

We may also collect, store and use special categories of sensitive personal information (Special Categories). For example:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
  • Trade union membership.
  • Information about your health, including any medical condition, allergies, health and sickness records.
  • Information about criminal convictions and offences.

 

How is this information collected?

We collect personal information about you through various channels.

  • information which you provide directly to us
  • information collected automatically through our website or our client or affiliates’ portals
  • information provided to us by third parties. Such third parties include our clients, other people with whom we are communicating in order to conduct our business, PR agencies and databases to which we subscribe, etc.

 

How do we use this information?

Our legal bases for using your personal information

The GDPR’s legal bases for processing personal data are listed and referenced below.

Therefore, we process your personal information in order to:

  • fulfill a contract with you
  • comply with legal obligations
  • pursue legitimate interests of our own (for example, in further developing our own business)
  • pursue legitimate interests of third parties (e.g. of our partners)

We may also use your personal information in the following situations:

  • Where we need to protect your interests (or someone else’s interests)
  • Where the information is needed in the public interest or for any official purposes
  • When you have given us your consent

Note that at least one of these scenarios will apply.

 

How we may use your personal information

The types of situations in which we may process your personal information depend on the nature of your relationship with us. Some of the grounds for processing in the list will overlap. There may also be several grounds which justify our use of your personal information.

For example, we will need your personal information when you register for a course – which is a service we provide to you. We may use this information to advise you of additional courses that may interest you (i.e., informing you of additional services, furthering our business). We may also seek out your feedback to rate our course, conduct a “performance review” in order to improve our services and gauge your satisfaction. We may also keep certain records of your certification (beyond the legal record keeping time requirements) for a considered period in order to be able to provide you - for example - with duplicate certificates.

Please note that we may process your personal information without your knowledge or consent where this is required or permitted by law.

The list below shows the situations and activities in which we use your personal data. This helps put the principles of the GDPR into a specific context.

  • to provide you with our services and other information, including your use of our website
  • to issue invoices, manage accounts and records, collect payments and debts or administer payments to you
  • to provide our services to our clients
  • to facilitate you providing your services to us
  • to contact you to inform you of our services or events and to send you updates on issues we think will be of interest to you and in relation to or arising from our events and publications
  • to respond to any query you have made of us. This includes providing information about our people and services where you have made a website inquiry
  • for marketing purposes and market research
  • to administer our website and help us improve our services
  • for press releases, invitations to meet our staff and experts, press events, to highlight any spokespersons
  • to comply with our legal obligations
  • to determine the terms on which we work with our clients and suppliers
  • to undertake checks as to your identity, credit, immigration status and similar if we will be working together, or if you are our client
  • to manage and plan our business, including accounting and auditing, and otherwise in further developing our business
  • to conduct reviews of our relationship, including managing performance and expectations on either side
  • to gather evidence and investigate any matter related to a concern or dispute, including conducting mediation, arbitration or litigation process
  • to make arrangements for the extension, re-contracting or termination of our working relationship
  • to prevent fraud
  • to ensure network and information security. This includes preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution
  • to conduct data analytics studies relating to your use of our website
  • to comply with our obligations in respect of regulatory (including foreign regulatory) requirements
  • to promote and develop our pro bono and corporate social responsibility initiatives, which we consider to be core elements of our business
  • in our emergency contact and business continuity procedures
  • to comply with any request that you make

 

Special Categories of personal information

When we can use it

Special Categories of personal information require higher levels of protection throughout the life-cycle of the data.

We may process such information in the following circumstances:

  • with your explicit written consent
  • when processing is necessary for the purpose of, or in connection with:
    • any legal proceedings (including prospective legal proceedings)
    • obtaining legal advice
    • establishing, exercising or defending legal claims
  • when processing is necessary for reasons of substantial public interest
  • when processing is necessary for the purposes of preventive or occupational medicine
  • when processing is necessary in order to assess working capacity
  • when processing is needed in order to protect your interests and you are not capable of giving your consent
  • when you have already made the information public

 

How we may use it

We may use Special Categories of personal information in the following ways:

  • to provide our services and other information, including your use of our website, to you
  • to provide our services to one of our clients
  • to facilitate you providing your services to us
  • to respond to any query you have made to us. This includes providing you with information about our people and services, in response to your inquiry (such as via our website, email, social network platforms, etc.)
  • to comply with our legal obligations
  • when we gather evidence, or in the course of an investigation, or in any matter related to a concern or dispute. For example: mediation, arbitration or litigation process
  • in order to comply with our obligations in respect of the Federal Data Protection and Information Commissioner (FDPIC) and related regulatory (including foreign regulatory) requirements
  • when we develop and market our pro bono and corporate social responsibility initiatives, which we consider to be core elements of our business
  • to comply with any request that you make to us


Consent

As mentioned above, the GDPR, Article 6 lists six (6) scenarios in which data processing is legally permitted. One of these is indeed consent.

As we described previously, in the course of our relationship, we collect, process, and store your personal information without asking for your consent. This means that we have at least one other legal basis for processing your data.

However, if we do need to seek your consent to processing, we will provide you with details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.

It is important to note that any contract you have with us does not require your consent. We seek your consent only for specific matters when there is no other legal basis for processing your personal data.

 

What is legally binding consent under the GDPR? What is a valid consent request?

Your consent must be freely given, specific, informed and an unambiguous indication of your wishes. You, via a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you.

In other words, any request for consent will be:

  • Unbundled: consent requests are separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Granular: we will give a thorough explanation, in clear language, of options to consent to different types of processing wherever appropriate.
  • Named: we will name which organization and third parties will be relying on your consent (GDPR does NOT accept even precisely defined categories of third-party organizations – they must be clearly identified).
  • Documented: we keep records to demonstrate what you have consented to, including what you were told, and when and how you consented.
  • Easy to withdraw: you have the right to withdraw your consent at any time, and we make sure it is as easy to withdraw as it was to give consent. This means that we have simple and effective withdrawal mechanisms in place. It also means that any activity or service that relied on this specific consent will be terminated.
  • Without an imbalance in the relationship: consent must be freely given. This means that there cannot be any negative consequences (not relating to the purpose of the consent) of not agreeing to the terms.

Furthermore, consent must be given with a clear affirmative action. This means that you will have to take a clear, deliberate, positive action in order to opt in.

 

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our legal and regulatory requirements, such as our anti-money laundering and anti-fraud requirements.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

 

Automated decision making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration of the decision.
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not currently envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

 

Data Sharing

Reasons that we may share your personal information with third parties

We may share your data with third parties, including third-party service providers, our other entities, partners and government agencies.

Under which circumstances do we share your data with third parties?

  • when and where required by law
  • when sharing the data is necessary in order to administer the working relationship with you
  • when we have another legitimate interest in doing so

If we do share data, we require third parties to take appropriate security measures, to collect only the necessary data for a specific purpose and for the minimum time necessary, process and store the data safely, and delete it in compliance with current legislation.

 

What personal information may we share with third parties? Is it safe?

We take great care to share data in accordance with the principles of data processing (Article 5 of the GDPR). We are accountable for processing your personal information and have thus extended our governance to third parties, through contractual, organizational and technical measures.

In short, if we do share data, we require third parties to take appropriate security measures, to collect only the necessary data for a specific purpose and for the minimum time necessary, process and store the data safely, and delete it in compliance with current legislation.

These principles are known as:

  • purpose limitation
  • data minimization
  • limited storage periods
  • data quality
  • data protection by design and by default
  • legal basis for processing
  • processing of special categories of personal data
  • measures to ensure data security
  • requirements in respect of onward transfers to bodies outside the scope of the GDPR

 

Which third-party service providers process your personal information?

“Third parties” includes third-party service providers (including contractors and designated agents) and our partner entities. In particular, your data is likely to be processed by other entities within our extended affiliate group, which includes separate legal entities in the EU and our representatives outside the EEA.

We have implemented appropriate arrangements that require those additional group entities to protect your personal data in the same way as The Geneva Centre for Security Policy (“GCSP”) does.

We may share your personal information with the Federal Data Protection and Information Commissioner (FDPIC) and other foreign regulators for regulatory purposes. We may also share your data with other governmental or similar authorities, or as may otherwise be required by law, for example, in relation to immigration or taxation.

As part of our relationship we may also provide your personal data to third parties for other purposes. For example, the nature of our services may require us to engage with and provide your personal data (as relevant to the matter) to third parties such as NGOs, experts, translators and data-site or other document hosting services. We may provide your personal data to third-party event organizers or webinar hosts.

We may also provide your personal data to the third party service providers we use in the course of administering our business. For example: word processing services, auditors, IT systems providers, lawyers and other professional advisors, insurers, credit and identity check providers.

Your personal information may also be provided to the press and other media sources as part of any agreed press release relating to a specific business transaction between you and the GCSP.

We may also disclose any personal information to comply with legal requirements. Here are some examples:

  • in the course of a criminal investigation
  • to protect your vital interests (e.g. pandemics)
  • to protect the security or integrity of our databases (including our website)

Additionally, we may share your data in situations relating to joint ventures, collaboration, merger, etc.  

 

Transferring information outside the EU

We may transfer the personal information we collect about you to countries outside the EU in order to perform our contract with you. As set out above, your data may be processed by our other entities, including those outside of the European Union.

There is an adequacy decision by the European Commission in respect of several countries. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country, and back, without any further safeguard being necessary. In other words, transfers to the country in question are treated in the same way as intra-EU transmissions of data.

Follow the link below for the current list of non-EU countries which are recognized as providing adequate data protection:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

To ensure that your personal information does receive an adequate level of protection we have put in place contractual obligations to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects Swiss, European Union and local laws on data protection.

Please refer to section “What personal information may we share with third parties? Is it safe?” above for more information about our governance.

If you require further information about these protective measures, you can request it from the Compliance Officer.

 

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.

Technical measures: our IT and risk management teams have put in place adequate technical measures that safeguard personal data. These are tested, updated and reviewed to ensure security levels are robust, nimble, compliant and effective.

Data protection policy: our staff are required to comply with this policy. We provide training to our staff regarding their obligations in ensuring the security of your personal data. Our staff, as well as our contractors, are aware that misuse of personal data may be grounds for disciplinary action against them.

Data breach: we also have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach as required by law.

 

Data Retention

Our intention is to retain your personal information for only as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider various risk factors:

  • the amount, nature, and sensitivity of the personal data
  • the potential risk of harm from unauthorized use or disclosure of your personal data
  • the purposes for which we process your personal data and whether we can achieve those purposes through other means
  • the applicable legal requirements

We are currently undergoing a data retention review process and will be updating our Data Retention Policy as we update our systems and procedures.

 

Your rights

The GCSP takes personal data protection very seriously. Part of our governance and transparency is about informing you of your rights. Below are the eight “Rights of the Data Subject” (assembled from chapter 3 of the GDPR).

  1. The right to be informed: we need to tell you what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
  2. The right of access: you can request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to be told about how that information has been collected and used.
  3. The right to rectification: you can ask us to correct personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  4. The right to erasure: you can request that we erase your data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where you withdraw consent.
  5. The right to restrict processing: you can request that we limit the way we use your personal data. It’s an alternative to requesting the erasure of data, if we still need to retain and process the data for legal reasons, but not for other reasons.
  6. The right to data portability: you are permitted to obtain and reuse your personal data for your own purposes across different services. This right only applies to personal data that you have provided to us by way of a contract or consent.
  7. The right to object: you can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the public interest or in the exercise of official authority. We must stop processing your personal information unless:
      • we demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms
      • the processing is for the establishment, exercise or defence of legal claims.
  8. Rights related to automated decision making, including profiling: the GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing. You are permitted to challenge and request a review of the processing if you believe the rules aren’t being followed.

You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

 

How you exercise these rights

Any request in relation to any of the above rights should be directed to the Compliance Officer at Privacy@gcsp.ch.

 

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who does not have the right to receive it.

 

Unsubscribe

If you have received any email from us with information about any of our services, events or updates, you are entitled to be removed from our electronic mailing list.

You can do that by updating your preferences by clicking the link in any email that we send you or by replying to that email, or sending an email to Privacy@gcsp.ch with “email unsubscribe” in the subject heading. You may also unsubscribe by writing to our Digital Amplification Team (Marketing) Department, The Geneva Centre for Security Policy (“GCSP”), DAT@gcsp.ch.

 

Data collected through our website – cookies and similar technologies

In addition to the personal information we collect as described above, we use technology to collect anonymous information about the use of our website. For example, our web server automatically logs which pages of our website our visitors view, their IP addresses and which web browsers they use. This technology does not personally identify you – it simply enables us to compile statistics about our visitors and their use of our website.

Our website contains hyperlinks to other pages on our website. We may use technology to track how often these links are used and which pages on our website our visitors choose to view. Again, this technology does not identify you personally – it simply enables us to compile statistics about the use of these hyperlinks.

In order to collect the anonymous data described in the preceding paragraph we may use cookie technology on our website.

A cookie is a small piece of information that is sent to your browser and stored on your computer’s hard drive, mobile phone or other device. Cookies do not damage your computer.

You can set your browser to notify you when you receive a cookie. This enables you to decide if you want to accept it or not. However, some of the services and features offered through our website may not function properly if your cookies are disabled.

We use two types of cookies on our website:

  1. Strictly necessary cookies

     These cookies are essential in order to enable you to move around the website and use its features. Without these cookies, services you have asked for cannot be provided. They are deleted when you close the browser.

  2. Performance cookies

     These cookies collect information in an anonymous form about how visitors use our website. They allow us to recognize and count the number of visitors and to see how visitors move around the site when they are using it.

     We may also use your IP address to help diagnose problems with our server, to administer our website and to improve the service we offer to you. An IP address is a numeric code that identifies your computer on a network, or in this case, the internet. Your IP address might also be used to gather broad demographic information.

     We may perform IP lookups to determine which domain you are coming from (e.g. aol.com, yourcompany.com) in order to gauge our users’ demographics more accurately.

     Information about these types of cookies and technologies or about website usage is not combined with information about you from any other source.

     None of the cookies or technologies that we use in this way personally identify you (unless, in the very rare circumstance, your domain is identical to your name).

 

Consent

To comply with current legislation we need to ask for your consent to set the performance cookies described above. When you arrive on our website a pop-up message will appear asking for your consent to place performance cookies on your device. In order to provide your consent, please click ‘continue’. Once your consent has been provided this message will not appear again when you revisit our website. If you, or another user of your computer, wish to withdraw your consent at any time, you can do so by altering your browser settings.

You can find out more information about cookies at www.allaboutcookies.org and www.youronlinechoices.com/uk/.

 

Links to other websites

This website may contain hyperlinks to websites that are not operated by us. These hyperlinks are provided for your reference and convenience only and do not imply any endorsement of the activities of such third party websites or any association with their operators. We do not control these websites and are not responsible for their personal data practices. We recommend you review any privacy notice posted on any site you visit before using the site or providing any personal data.

 

Further questions, feedback or complaints

If you have any questions or feedback about this Privacy Notice or how we handle your personal information, please contact the Privacy Officer at Privacy@gcsp.ch, or write to the Compliance Officer, The Geneva Centre for Security Policy (“GCSP”), at M.aubonnet@gcsp.ch.

You have the right to make a complaint at any time to the Federal Data Protection and Information Commissioner (FDPIC), the Swiss supervisory authority for data protection issues or your local equivalent regulator.

 

Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time and we may also notify you in other ways from time to time about the processing of your personal information.