Data Protection

We value your privacy
Data Protection Organisation Policy
"It is our mission to ensure the integrity of your data and to guarantee smooth, secure and, above all, legally compliant processing and storage."

Anna Zeller
Head of Data Protection
1. Principles
The protection of personal data is important to us. Therefore, we process the personal data of our volunteer's, donors and members in accordance with applicable laws regarding protection of personal data and data security.

This privacy policy describes the types of personal information we collect, how that information is used, to whom it is transferred, and the choices and rights of data subjects in connection with our processing of that information. We also describe how we safeguard the security of the data and how data subjects can contact us if they have questions about our privacy practices.

This policy governs the processing of information in accordance with data protection regulations and our existing responsibilities in this respect. All volunteers are required to comply with this policy.

It is addressed at:
- Person or department who decides on the use/provision of an application system;
- Person who decides on the use of the system for their tasks;
- Users, i.e. those who use the provided system to perform tasks specific to the association (if personal data is stored on a workstation, the individual user may also decide on the processing carried out in the system and the programs used for this purpose);
- Data protection officer, who is responsible for advising and monitoring their implementation and for performing the tasks specifically assigned to him.

The following principles apply:

The IT hardware and software shall be used for organizational tasks, namely for the intended purposes, and shall be secured against loss and manipulation. Use for private purposes requires the express permission of the data protection officer.

Every volunteer is responsible for the implementation of the directive in his or her area of responsibility. Compliance must be monitored regularly.

Those responsible for the processing of the systems used shall ensure that their employees (users) are informed of this policy; this also applies to volunteers and temporary contributors. The data protection officer advises on the implementation of the directive and checks compliance with it. In this respect, all addressees of the directive are obliged to provide the data protection officer with information.
2. Data Protection Officer/Data Protection Coordinator
2.1 In accordance with Art. 37 GDPR, the Association has appointed an internal data protection officer (hereinafter referred to as "DPO") and an absence representative.

The contact details of the data protection officer are as follows:
Name: Anna Magdalena Zeller
Address: Hugo-Wolf-Gasse 10/8/32
Phone number/E-Mail address: +43 677 61709980 / anna.zeller@starsforafrica.com

The contact details of the absence representative are as follows:
Name: Emil Nigmatullin
Address: Schererstraße 33b
Phone number/E-Mail address: +436601699980/ emil.nigmatullin@starsforafrica.com

The DPO shall perform the duties assigned to him by law and under this Policy, applying his expert knowledge. The DPO is not subject to any instructions.

2.2 The DPO shall inform and advise the board of the Association and the volunteers with regard to their data protection obligations. The DPO is responsible for monitoring compliance with data protection regulations and for the strategies of the person responsible for the protection of personal data, including the allocation of responsibilities and training of employees.
In the case of high-risk data processing, the DPO assists the person responsible in an advisory capacity in assessing the risk.

2.3 The DPO shall report directly to the board of the Association.

2.4 The DPO shall be involved in all data protection issues at an early stage and shall be supported by both the Board of Directors and the volunteers in the performance of their duties.
2.5 Insofar as this proves necessary due to organizational circumstances, in any case at all events when processing data outside the European Union, the board shall appoint a data protection coordinator in agreement with the DPO.

In this respect, the data protection coordinator is therefore a volunteer employee assigned to the DPO for the purpose of complying with the data protection regulations applicable to the association. He informs the DPO about data protection issues that have arisen on site. He collects the information on procedures used separately in his area of responsibility and forwards the report to the DPO.

2.6 The Association shall keep a register of the processing operations. In each department, at least one person will assume responsibility for collecting the necessary information on the procedures of the respective department within one month after the start of their activity and documenting it in accordance with the requirements of Art. 30 GDPR. For this purpose, the DPO provides the individual departments with ready-made checklists. Subsequently, the person in charge of the department is obliged to provide the DPO with information regarding any changes in the data processing area of his respective department. The DPO may be consulted for advice in the event of uncertainties regarding the documentation required by law. A copy of the processing directory must be handed over to the DPO.

On request, the Association shall make the directory available to the supervisory authority. In agreement with the Executive Board, the DSSB is responsible for this and cooperates with the supervisory authority.

2.7 Each volunteer may contact the DPO directly and provide suggestions and complaints, whereby absolute confidentiality shall be maintained upon request.

2.8 The DPO shall report annually to the Executive Board in an activity report on audits that have taken place, complaints and any organizational deficiencies that still need to be remedied.
3. Hardware and Software
3.1 The procurement of hardware and software shall always be carried out by the central IT procurement department at the request of the person/department deciding on the processing. The principle of guaranteeing data protection through technology design and data protection-friendly pre-settings is taken into account as a fundamental criterion when selecting the hardware and software. The procedural instruction "Checklist for compliance with requirements for privacy by design/privacy by default" is authoritative.

3.2 If a new procedure for processing personal data is to be introduced with the procurement, the DPO shall be informed in good time in advance by the requesting authority.
The procurement takes place only after the DPO provides a statement. The DPO shall advise whether a data protection impact assessment is necessary. The performance of a data protection impact assessment is based on the procedural instruction "Risk minimization through data protection impact assessment".

3.3 If the theft of hardware and software, unauthorized access to personal data, sabotage, etc. is suspected, the IT departments, if any, and the DPO must be informed immediately.
4. Obligation to train the volunteers
4.1 Every volunteer shall processes personal data confidentially and comply with this Policy.

4.2 The commitment shall be made using the form provided for this purpose and by providing the volunteers with an information sheet designed by the DPO.
4.3 The DPO shall be informed of the responsibilities of the volunteers for the purpose of further training to be carried out by the DPO and monitoring.

4.4 The volunteers concerned shall be released from their duties for the particular training dates scheduled in consultation with the respective department heads.
5. Transparency of data-processing
5.1 The DPO shall keep a register of processing operations in accordance with Art. 30 GDPR concerning procedures related to the processing of personal data. The person responsible for the processing in their department or the data protection coordinator responsible shall notify the DPO of the processing in a timely manner in accordance with the specifications defined by the DPO. The same applies to change requests.

5.2 Irrespective of this notification, the DPO shall be informed about the purpose and content of the application and the fulfilment of the notification obligation when planning the introduction of new processing operations or changes to existing procedures. In the case of standardized surveys (questionnaires, competitions, input fields on the internal homepage etc.), the survey form shall be submitted to the DPO for approval.
5.3 If the DPO determines that the intended processing is subject to a data protection impact assessment, she shall inform the board immediately. The procedure may only be carried out after approval by the DPO. In case of doubt, the board will decide.

5.4 If a data subject exercises his right to information pursuant to Art 15 GDPR or his right to rectification or objection pursuant to Art 16 and Art 21 GDPR, the central processing shall be carried out by the DPO.

5.5 The information rights of volunteers are fulfilled by the board. It must be ensured that the data concerned can be made available in a structured, common and machine-readable format upon request. For this purpose, standards shall be determined in advance by the DPO.
6. Collection and processing of personal data
6.1 The collection and processing of personal data may only take place within the framework of what is legally permissible. The special requirements for the collection and processing of sensitive data pursuant to Art. 10 para. 1 GDPR shall also be observed. In principle, only such information may be processed and used which is necessary for compliance with statutory obligations and which is directly related to the purpose of processing or which can be based on other permitted circumstances which validate the processing of personal data in the Association.

6.2 It shall be ensured that data subjects are not subjected to decisions which are based exclusively on automated processing and which at the same time have a legal effect on the data subjects or which similarly significantly impair them (e.g. profiling).

6.3 Before new types of surveys are introduced, the purpose of the data, which determines their admissibility, must be documented in writing by the person responsible for their application.
In principle, a change of purpose is only permissible if the processing is compatible with the purposes for which the data were originally collected. The balancing criteria used within the scope of the change of purpose must be examined individually.

The purpose of the processing may also be changed if the data subject's consent is obtained from the person responsible. At the same time, prior to the collection or storage of data, the data controller must determine in writing whether and in which manner the data subject's statutory obligation to notify is to be complied with.

6.4 If other bodies request information regarding data subjects, such information may only be given without the consent of the data subject if there is a legal obligation to do so or a legitimate interest of the Association justifying the disclosure and the identity of the person making the request validates that act. In case of doubt, the DPO must be contacted.
7. Data storage and retention/shipping/erasure
7.1 The storage of data shall always take place on the network drives made available for this purpose. The storage of data shall be centrally managed and stored by the DPO.

7.2 If a different storage location is required for technical reasons (e.g. notebook, desktop PC), the respective user is responsible for carrying out the data backup himself. If network access is possible (e.g. for notebooks with WLAN, tablets), the current data must be transferred to the network drive reserved for the user at least once a week.
The selected data backup measures shall be documented in the procedure directory.

7.3 Legal retention periods and erasure dates shall be observed by the person who decides on the processing of the data in his responsibility. The DPO shall be informed of compliance with the deadlines, in particular with regard to the deletion of personal data in backup copies.

7.4 When passing on or returning IT components that are no longer required, the user is obliged to ensure that all data has been effectively deleted beforehand.
8. External Service Providers/Order Processing/Maintenance
8.1 If external service providers are assigned to process personal data of the Association or individual processing steps of the Association (e.g. collection, deletion = disposal), the DPO must be informed prior to the commissioning by submitting the draft contract of a contract processor agreement that satisfies the requirements of Art. 28 GDPR and the criteria of the contract processing control that has been carried out or is subsequently planned.
8.2 The same applies if Stars for Africa wishes to carry out corresponding activities on behalf of third parties.
9. Security of Processing
9.1 Documented assessment of the need for protection and analysis of the possible risks for the person concerned shall be prepared for each procedure. This depends on the nature, extent, circumstances and purposes of the processing as well as the probability of the occurrence of such a risk.
9.2 A general security concept shall be drawn up to ensure the availability, confidentiality and integrity of the data and the resilience of the data processing systems.

WE PROTECT YOUR DATA
Data Protection Statement
Stars for Africa – Building Brighter Futures. Verein zur Förderung von Bildungseinrichtungen in Afrika.

Data Protection Officer: Anna Zeller
Absence replacement: Emil Nigmatullin
E-Mail: legal@starsforafrica.com
Stars for Africa is committed to protecting your privacy in accordance with the European Data Protection Directive EU 2016/679 ("GDPR"). In line with our commitment to transparency, we would like to inform you how we process your personal data and for which purpose.

1. Legal Basis
The EU Data Protection Directive and the Data Protection Act 2018 (Austria) implement the right to protection of personal data. We process your data exclusively on the basis of these legal regulations.

2. How do you obtain information about the use of your data?
If you have any questions regarding the collection, processing or use of your personal data, for information, correction, blocking or deletion of data as well as revocation of any consent given or objection to a specific use of data, please contact our data protection officer Anna Zeller (legal@starsforafrica.com).
You can revoke your consent to the provision of information about Stars for Africa at any time by e-mail to legal@starsforafrica.com and/or request the deletion of your data.

3. Which data will be processed when contacting Stars for Africa?
If you contact us via our e-mail address info@starsforafrica.com with a question regarding our projects, we will use the personal data you provide us with exclusively for the purpose of processing your enquiry. In doing so, we rely on our legitimate interests (Article 6 (1) lit f GDPR). Without processing your personal data we would not be able to answer your request.

4. Which data is processed when you visit the Stars for Africa website?
Stars for Africa is responsible for the content of the website and is both media owner and publisher. When visiting our website we will collect the following information:
- The date and time of your visit to our website
- Your IP address
- Name and version of your web browser
- And the information you provide yourself by filling out the contact form or registering for our newsletter.

These data will be processed for the following purposes:
- to make this website available to you,
- further improve and develop this website, and
- to respond to your enquiries If you enter personal data on this website, by entering your data you give us your consent that we may use this data electronically for the stated purpose.

This data will be kept safe and will not be passed on to third parties. However, we might provide state authorities with your data, if we are legally obliged to do so. There is no obligation to actually provide the data that we ask you to provide on our website. However, if you do not do this, you will not be able to use all functions of the website.

5. Which data is processed in the context of the e-mail newsletter?
The newsletters are sent via "MailChimp", a newsletter dispatch platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The e-mail addresses of our newsletter recipients, as well as their other data described in the context of this notice, are stored on the servers of MailChimp in the USA. MailChimp uses this information to send and evaluate newsletters on our behalf. Furthermore, according to its own information, MailChimp may use this data to optimise or improve its own services, e.g. for the technical optimisation of the dispatch and presentation of the newsletter or for economic purposes in order to determine from which countries the recipients come. However, MailChimp does not use the data of our newsletter recipients to write to them or pass them on to third parties. We trust in the reliability and IT and data security of MailChimp. MailChimp is certified under the US-EU data protection agreement "Privacy Shield" and is therefore committed to complying with EU data protection regulations. In addition, we have concluded a data processing agreement with MailChimp. This is a contract in which MailChimp undertakes to protect the data of our users, to process it on our behalf in accordance with their data protection regulations and, in particular, not to pass it on to third parties: https://mailchimp.com/legal/privacy/

You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. At the same time, your consent to its dispatch via MailChimp and the statistical analyses will expire. A separate revocation of the dispatch via MailChimp or the statistical analysis is unfortunately not possible. You will find a link to cancel the newsletter at the end of each newsletter.

6. Which donor data do we collect?
If you make a donation via our website, we will use the personal data you provide exclusively for the purpose of processing your donation order. In doing so, we rely on our legitimate interests (Art. 6 (1) lit f GDPR). Without processing your personal data, we would not be able to process your donation order.

A transmission of your personal data will only take place if we call in external service providers to process the donation processes. We have concluded a contract with such external service providers for order processing in accordance with Article 28 of the Basic Data Protection Regulation. In this contract we oblige external service providers to keep your personal data confidential and to take appropriate data security measures. Furthermore, the transmission of personal data to the responsible tax authority is legally obligatory if you wish to consider the donation as a special edition (§ 18 (1) Number 7 of the Income Tax Act). Finally, it may be necessary to disclose personal data to auditing bodies (e.g. auditors) in accordance with statutory provisions.

7. Why and how do we use cookies?
We use cookies so that we can make our website user-friendly.
Cookies are small text files that are stored on your computer and enable us to analyze your use of our website. The legal basis for data processing is Art. 6 (1) lit. f GDPR (legitimate interests). You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases. You can also exclude the acceptance of cookies in certain cases or generally and activate the automatic deletion of cookies when you close your browser. If cookies are blocked, the functionality of various websites may be restricted.
There is no automated decision making such as, but not limited to, profiling.

8. How long do we store your data?
Personal data provided by you will only be stored by us for as long as is necessary for the above-mentioned purposes - for which we process the data. Due to legal documentation or retention obligations, a longer storage period may be applicable. Your personal data will be deleted after the expiration of the corresponding periods, provided that there is no other legal basis for a longer retention period according to GDPR.

9. Which external services do we use?
Web Analysis
In order to make our website user-friendly, we use web analysis services.
This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"), 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses cookies for web analysis. The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google uses this information to evaluate your use of the website, to compile reports on website activity for website operators and to provide other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Under no circumstances will Google associate your IP address with other Google data.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
Further information on data processing within the scope of Google Analytics can be found here: https://support.google.com/analytics/answer/600424....

Our website uses the online advertising program "Google AdWords" and, within the framework of Google Ad-Words, conversion tracking for the purpose of creating conversion statistics for AdWords customers. Google Conversion Tracking is an analysis service provided by Google Inc. ("Google"). When you click on an ad placed by Google, a conversion tracking cookie is placed on your computer. These cookies have a limited validity, do not contain any personal data and are therefore not used for personal identification. If you visit certain pages on our website and the cookie has not expired, Google and we may recognize that you clicked on the ad and were directed to that page. Each Google AdWords customer receives a different cookie. As a result, there is no way that cookies can be tracked through AdWords customer websites.
Further information and Google's privacy policy can be found at: www.google.de/intl/de/policies/ .

This website uses the remarketing function of Google Inc. ("Google"). This function is used to present interest-related advertisements to visitors to the website as part of the Google advertising network. The visitor's browser stores "cookies", which are text files placed on your computer, that allow the visitor to be identified when the visitor visits websites that are part of Google's advertising network. These pages may then display advertisements to the visitor that relate to content previously viewed by the visitor on websites that use Google's remarketing feature. According to Google, it does not collect any personal data during this process. Further information about Google Remarketing can be found here: www.google.com/privacy/ads/.

Instagram
On our homepage there is a link to our page on Instagram (@starsforafrica), provider Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA.
If you follow this link while logged into your private account at Instagram, Instagram will automatically be notified that you have visited our website.
More information about Instagram can be found here: help.instagram.com/519522125107875?helpref=page_content

Facebook Pixel
A pixel from Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook") is also used within this website. These tags establish a direct connection between your browser and the Facebook server. Facebook receives the information that you have visited our site with your IP address[R8] . This allows Facebook to associate visiting our pages with your user account. We can use the information obtained in this way to display Facebook Ads. We would like to point out that, as the provider of the pages, we do not have any knowledge of the content of the data transmitted or its use by Facebook. Further information on this can be found in facebook's privacy policy at https://www.facebook.com/about/privacy/ . If you do not wish Custom Audience data to be collected, you can deactivate Custom Audiences here: https://www.facebook.com/settings/?tab=ads
The legal basis for the use of Facebook Pixel is the protection of our legitimate interest pursuant to Art. 6 (1) lit f GDPR to evaluate activities on our website.

10. Rights of affected parties
As a data subject, you have the right to information. If you believe that the data you have provided is inaccurate or incomplete, you have the right to ask for it to be rectified or supplemented. In addition, you have the right to request the deletion of any data that you consider to have been unlawfully processed (if we have no right or obligation to further process such data, we will respond to your request as soon as reasonably possible). Furthermore, you have the right to demand the restriction of the processing or to lodge an objection against the processing, as well as to lodge a complaint against the processing with the data protection authority, www.dsb.gv.at.

11. Data security
Stars for Africa uses necessary and appropriate technical and organizational security measures to protect your personal data against accidental or intentional manipulation, loss or destruction and against access by unauthorized persons. Our security measures are continuously evaluated and improved by our DPO Anna Zeller in line with technical progress.

12. External links: No liability
If our website contains links to external websites that are not maintained by the media owners of Stars for Africa, Stars for Africa assumes no liability for content found on such websites. If we become aware of any infringements by third parties, the corresponding links will be deleted as soon as reasonably possible.

13. Contact Addresses
Supervisory authority for compliance with data protection regulations in Austria:
Austrian data protection authorityWickenburggasse 8-101080 Vienna
Telephone: +43 1 531 15-202525
Fax: +43 1 531 15-202690
email: dsb@dsb.gv.at
Website: http://www.dsb.gv.at/

Stars for Africa – Building Brighter Futures. Verein zur Förderung von Bildungseinrichtungen in Afrika
ZVR-Number: 1375443989

Make a donation via bank transfer:

Stars for Africa
IBAN: AT39 3742 0000 0018 9852
BIC: RVVGAT2B420


Bank account administered at Raiffeisenlandesbank Vorarlberg

© Stars for Africa 2023
Impressum