PRIVACY POLICY
This privacy policy informs you about how we handle your personal data and your rights under the European General Data Protection Regulation (GDPR). L’Association sans but lucratif (ASBL) What Water (hereinafter referred to as “we” or “us”) is responsible for personal data processing.
Our privacy policy consists of two parts. Part A provides general information about personal data protection at L’Association sans but lucratif (ASBL) What Water, including information about your rights and where you can exercise them. Part B explains the different purposes for which we process your personal data. For each purpose, we explain in detail what personal data we collect and how we use it. These purposes include:
- When you visit our website
- When you message us
- When you sign up to our newsletter
- When you donate or become a member
Part A: General information
Our contact details :
If you have any questions or suggestions regarding this information or would like to contact us to assert your rights, please send your request to dpo@whatwater.org
On what basis do we process your personal data?
The term “personal data” in data protection law refers to any information that can identify or relate to a person. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR. We only process personal data for the purposes described in Part B and based on the legal basis provided in Article 6 of the GDPR.
We process personal data only on the following basis:
- with your consent (Art. 6 (1) (a) GDPR)
- to fulfill a contract to which you are a party or at your request to take steps prior to entering into a contract (Art. 6 (1) (b) GDPR)
- to fulfill a legal obligation (Art. 6 (1) (c) GDPR) ; or
- if processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms which require the protection of personal data prevail (Art. 6 (1) (f) GDPR).
What are your rights?
As a data subject, you therefore have the right to assert your data subject rights against us. You have the following rights under GDPR and other relevant data protection laws:
Your Right (GDPR Article) | What It Means |
Right of Access (Art. 15) | You can request information about whether and to what extent we process your personal data. |
Right to Rectification (Art. 16) | You can request that we correct inaccurate or incomplete personal data. |
Right to Erasure (Art. 17) | This is also known as the ‘right to be forgotten’. You can request the deletion of your personal data. |
Right to Restriction of Processing (Art. 18) | You can request that we restrict the processing of your personal data. |
Right to Data Portability (Art. 20) | You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller. |
Right to Object (Art. 21) | You can object to processing based on the legal basis of Art. 6 (1) (e) or (f) GDPR for reasons related to your particular situation. You can also object at any time to your personal data being used for direct marketing. |
Right to Withdraw Consent (Art. 7(3)) | If you have given consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before the withdrawal. |
Right to Lodge a Complaint (Art. 77) | You have the right to file a complaint with a supervisory authority if you believe your personal data is being processed in violation of the GDPR. |
If you exercise your rights under Articles 15 to 22 of the GDPR, we will process your personal data to help you exercise these rights and to keep evidence of this. Personal data stored for this purpose will only be used to provide information and for data protection monitoring. Otherwise, we will restrict processing in accordance with Article 18 of the GDPR.
This processing is based on the legal basis of Art. 6 (1) (c) GDPR in conjunction with Art. 15 to 22 GDPR.
How long do we keep your data?
Unless stated otherwise, we will only store your personal data for as long as necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. This includes any required retention periods under commercial or tax laws. Furthermore, we will retain data related to consents that require proof, as well as complaints and claims, for the duration allowed by law. We will delete your personal data stored for advertising purposes if you object to processing for this purpose.
How do we handle cross-border data transfers?
Sometimes, we may need to transfer your personal data to countries, where GDPR does not apply. Such transfers are only allowed if:
(a) The European Commission says the country provides an adequate level of data protection. You can see the list of such countries here: Adequacy Decisions
(b) if there is no adequacy decision, we will only transfer your data if:
- We have appropriate safeguards in place (like EU Standard Contractual Clauses), or
- One of the special exceptions under Article 49 of the GDPR applies (for example, if you give us your consent).
Unless stated otherwise, we use the EU Standard Contractual Clauses to ensure your data is protected. You can request a copy of these clauses or ask to see them by contacting us.
If you consent to us transferring your data to a third country, we will rely on Article 49(1)(a) GDPR as the legal basis for that transfer.
To whom and why do we share your personal data?
In order to provide our services and operate as an organization, we use various external companies to whom we sometimes transfer personal data. If additional specific recipients contain personal data for certain data subjects, we will inform you about this in Part B.
Recipient | Reason for sharing |
Hosting provider | We do not have our own servers, but commission certified service providers to host our systems and platforms. |
Authorities | To comply with legal requirements or to respond to court orders or other similar government requests. |
Payment Service Provider | To process payments and donations, we pass on your personal data to payment providers and banks who process your personal data as controllers and/or processors. |
Third-Party Service providers | We use the services of various service providers who, as processors, help us to provide you with our services and products and to implement our projects together with you. |
Affiliated companies, associations, foundations and other non-profit organizations | We are a globally active organization with teams across national borders and companies. Therefore, we cannot rule out the possibility of data being transferred to affiliated companies, associations, foundations, and other non-profit organizations. |
How do we use cookies and other tracking technologies?
We use cookies and similar technologies on our website. You can find more information about how we use these technologies in our Cookie Policy . There, you will also find a list of the cookies we use and how to opt out of certain types of cookies.
Third Parties Sites
Our website may contain links to other websites or services operates by third parties. Please note that this Privacy Policy applies only to our website and we cannot be responsible for personal information that third parties may collect, store, and use through their website. You should always read the privacy policy of each website you visit carefully.
How can you contact our data protection officer?
You can reach our data protection officer at the following contact details:
Email: dpo@whatwater.org
L’Association sans but lucratif (ASBL) What Water
202b rue de Hamm L-1713 Hamm Luxembourg
Part B: Why and how we process your personal data
a) When you visit our website
Why and how we process your personal data | What data do we collect? | Legal Basis |
· Provide you with this website. · Make sure our website is secure, work properly, and remain stable. · Get an anonymous statistic to see if we succeeded in doing so. | Pseudonymous information about the device and browser you use, server log files, your network connection and your IP address. | Our legitimate interests (We process personal information, including IP addresses, to keep our website secure and fulfill our legal obligation to maintain its security.) Art. 6 (1) (f) GDPR |
b) When you message us
Why and how we process your personal data | What data do we collect? | Legal Basis |
Respond to your request and provide support. | Personal data that you provide to us about yourself when you get in touch with us, such as your name, email address and telephone number. | · Your consent when sending us a message (“affirmative action” when sending a message/email to recipient) Art. 6 (1) (a) GDPR · in certain cases, our legitimate interest or legal duty to keep communication as evidence. Art. 6 (1) (f) GDPR |
c) When you sign up to our newsletters
Why and how we process your personal data | What data do we collect? | Legal Basis |
· Sending you our newsletter. · Measuring the success and optimizing our content. | · Your email that you provide when you sign up for our newsletter. · Pseudonymous information about how we use our newsletter (click behavior, opening rate and time, length of stay, link tracking). | Your consent for sending emails. Art. 6 (1) (a) GDPR |
d) When you donate or become a member
Why and how we process your personal data | What data do we collect? | Legal Basis |
· Processing and managing your donation or supporting membership and issuing and sending your donation receipt · fulfilling statutory retention obligations or defending against legal claims. | Your personal data that you provide when making donations or becoming a supporting member. | · In order to enter into and continue performing the contract between our members and us, legal obligations resulting from your membership. Art. 6 (1) (c) GDPR · our legitimate interests (We process personal information (such as IP addresses) to prevent fraud and may use personal data in legal disputes related to membership.) Art. 6 (1) (f) GDPR |