Privacy Notice

The Foundation in Support of the World Health Organization (the Foundation), also known as the WHO Foundation, is a Swiss Foundation with a vision of a world in which all people attain the highest level of health. To achieve its vision the Foundation works with individuals around the world to mobilize resources, build partnerships and invest in programs. In all the Foundation’s work, it profoundly values privacy and personal data protection for everyone.

The Foundation wants you to know and understand if, when, how and why the Foundation processes your personal data. You will find relevant information below. If the Foundation has missed something or you have a question, feel free to contact the Foundation using the details in Section 1 below.

The Foundation’s Privacy Notice[1] is, and will remain, available to you at all times on the Foundation’s website. The Foundation will amend and update it, if necessary, and may do so without any specific notification to you.

1. What is personal data?

Personal data is any information relating to an (directly) identifiable individual or from which an individual can be (indirectly) identified.

2. Who controls and is processing your personal data?

The Foundation is processing your personal data; it determines the purposes and means of said processing and is referred to as the “Controller” or “Data Controller”. You can contact the Foundation at:

3. Who does this Privacy Notice apply to?

This Privacy Notice relates to you, as an external person who interacts with the Foundation, and your related persons.

This includes, where applicable law includes these parties, donors and partners and their employees, prospective donors and partners, impact investing stakeholders, service providers, fiduciary partners, event attendees, users of the Foundation’s website, and organizations the Foundation funds. Your “related persons” includes an individual or entity whose information you or a third party provides to the Foundation and/or information that the Foundation becomes aware of in connection with your relationship with the Foundation.

4. What categories of personal data does the Foundation process?

The Foundation collects, stores and uses personal data relating to contact details, financial and fundraising-related information, information gathered conducting due diligence, transaction information, professional information, impact stories, and information about diversity, equity, and inclusion markers.

The Foundation processes each category when it is relevant to your relationship with the Foundation and the related task the Foundation is carrying out.

Some of this personal data might be combined to give the Foundation a deeper understanding of your profile. For example, from your personal data the Foundation may infer your preferences in relation to fundraising activities and may act upon it to send you information related to campaigns most relevant to you. This is more complete than stand-alone personal data, but does not amount to sensitive personal data.

5. Does the Foundation collect sensitive personal data?

Sensitive personal data includes specific types of personal data and may include, depending on the particular jurisdiction, information that relates to an identifiable person about their race, ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, sex life, genetic data, biometric data for the purpose of uniquely identifying a natural person, health-related data, trade union membership, personal data of a child, precise geolocation data, citizenship or immigration status and/or an individual’s status as a victim of a crime.

Presently, the Foundation processes certain information relating to diversity and inclusion markers, such as race or ethnic origin, in connection with suppliers and other entities with whom the Foundation interacts. This is to ensure that as an organization the Foundation is embedding diversity, equity, and inclusion into its operations. The Foundation will always highlight when it may be collecting this information and will always offer a clear option to opt in to this process.

6. Where does the Foundation collect your personal data?

The Foundation primarily collects your personal data from you, in the context of your relationship and engagement with the Foundation. The Foundation may also gather some data indirectly from third parties, from publicly available sources, and online tools to provide background and due diligence information. The personal data may be collected as follows:

Supporters and donors: information you provide to the Foundation when you make a donation, sign up to the Foundation’s newsletter, sign up to attend an event, or communicate with the Foundation. If you are giving via a Donor Advised Fund or other entity, if you agree, and their data privacy policy allows, they may provide your information to the Foundation.

  • Event attendees: information you provide when you sign up to attend an event, information you provide when you communicate with the Foundation, or by the Foundation recording an event or taking photographs at an event.
  • Website users: in certain circumstances, when you agree to the use of cookies (please refer to the Foundation’s Cookie Policy for additional details) or when you provide your email address to receive the Foundation’s newsletter.
  • Partners and their employees: information you provide when you communicate with the Foundation, information you provide to enter into an agreement, and information from the Foundation’s networks.
  • Prospective donors and partners: information from the Foundation’s networks, publicly available sources, and online tools providing background and due diligence information.
  • Service providers: publicly available resources, information you provide when you communicate with the Foundation, and information you provide to enter into an agreement.
  • Organizations funded by the Foundation: information you provide when you communicate with the Foundation, information you provide to enter into an agreement, and information from the Foundation’s networks.
  • Impact investment stakeholders: information you provide when you communicate with the Foundation, information you provide to enter into an agreement, and information from the Foundation’s networks.

7. Why does the Foundation process your personal data?

The Foundation processes personal data to carry its activities as a foundation to support global public health needs, which includes processing certain personal data to provide services to you, including to allow you to access and use our services; providing updates regarding our services; to contact you, when you have opted in to receive newsletters or other email messaging; to contact you, when you have enrolled in any of the Foundation’s events and for other general business purposes as permitted by applicable law such as conducting audits, financial calculations and tax reporting, administering the Foundation’s business and operations, evaluating and maintaining the Foundation’s systems, security and fraud prevention and monitoring.

In addition, the Foundation strives to improve the Foundation’s offerings and effectiveness, and in order to do so, the Foundation analyzes interactions with its services and the Foundation’s marketing, reactions, other history and user behavior. The Foundation may use a range of tools available, including spreadsheets and databases, algorithms, and technologies like artificial intelligence and machine learning.

More specifically, the Foundation may process your data for the following purposes:

  • Supporters & donors: processing and accounting your payment, sending you information about the impact of your gift, events, updates regarding campaigns you have donated to and new campaigns, sending you a tax certificate for any donations you have made, contacting you if your donation was not completed, carrying out due diligence for donations over USD 10,000 to ensure the Foundation can accept your gift in reference to the Foundation’s Gift Acceptance Policy, and, for donations over USD 100,000, to include your details in the Foundation’s transparency report.
  • Event attendees: sending information about the event, sending marketing materials about future events, the Foundation’s impact and campaigns, recording online events, editing short videos, and sending a follow up email about the event if you did or did not attend.
  • Website users: when you agree to the Foundation’s Cookie Policy your IP address is temporarily saved to improve your browsing experience and when you provide your email address the Foundation uses it to send the Foundation’s newsletter and updates.
  • Partners and their employees: sending information about any agreement you are entering into with the Foundation, sending marketing materials about future events, the Foundation’s impact and campaigns or editing short films.
  • Prospective donors and partners: identifying and providing information that might be of interest to you.
  • Service providers: agreeing and sending a contract for the services provided.
  • Organizations funded by the Foundation: sending your team members[2] information about the Foundation’s impact, agreeing, and sending a grant agreement.
  • Impact investment stakeholders: sending you information about the Foundation’s engagement in impact investment activities, or to invite you to events.

Under certain circumstances, your objection or restriction to the processing of your personal data could prevent the Foundation from performing the actions necessary to achieve the purposes set out above for your benefit.

8. Does the Foundation also (in addition to Section 7) send marketing material? Can you change your mind and stop receiving it?

The Foundation may use your personal data to send you marketing information, in an electronic or paper format, in relation to your relationship with the Foundation. The Foundation will give you an easy way to change your mind and stop receiving any such information.

9. What security measures does the Foundation apply when processing your personal data?

The Foundation keeps personal data on hard copy files and in password protected electronic files and record systems. Our processes and systems are intended and designed to restrict access to personal data at the Foundation to the above mentioned purposes. These access rights are periodically reviewed. The Foundation has an IT Acceptable Use Policy setting out how IT tools and data should be used. The Foundation’s Team Members also receive IT security training and have access to a channel to immediately report any issues they may encounter. Relevant Team Members have been made aware of the importance of personal data and the Foundation’s obligations under relevant data protection legislation through data protection training and ongoing awareness raising.

10. What happens to your personal data when you click on a third-party link on the Foundation’s website?

If you click on a third-party link on the Foundation’s website, for example, to make a donation through a third-party service provider, such as FundraiseUp or Benevity, for the purpose of campaigns launched by the Foundation, some of your personal data may be collected by those service providers.

Those third-party websites and services are not operated or controlled by the Foundation.  These service providers process your personal data, if and to the extent required, to provide their services and as otherwise provided in their privacy notices. You will need to read their privacy notices to understand precisely how they treat your personal data. Some of these service providers may be located outside of Switzerland or the European Union (EU) in jurisdictions that may not necessarily offer an equivalent level of personal data protection.

11. Does the Foundation provide your personal data to other parties?

The Foundation processes your personal data internally and also works with other parties, including service providers and its affiliates, who process your personal data.

Affiliates. The Foundation may disclose certain personal data to the Foundation’s affiliates that are involved in the delivery of services or the Foundation’s overall operations.

Service Providers. The Foundation provides your personal data to service providers who the Foundation engages to help operate the Foundation and provide services (e.g., transaction processing and analysis, fraud detection and identity verification, information technology and computing support, customer relations management systems (CRM), operations, managing marketing and promotions and research).

Other Parties. The Foundation may also disclose personal data to certain other parties, including:

  • Joint promotion partners, including, without limitation, partner organizations with whom the Foundation collaborates on programming.
  • Grantees to ensure compliance with any donation or funding mechanism and regulatory requirements
  • Other parties in connection with a corporate transaction, including merger, acquisition or restructuring. Personal data may be disclosed in the context of due diligence relating to the transaction and/or to the successors of the Foundation’s business or applicable parts to it.
  • Advertising and marketing partners and agencies, including digital advertising networks, publishers, and technology partners.
  • Our auditors, when required for audit purposes.
  • When required by law or if the Foundation has a good faith belief that disclosure is necessary to (i) investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (ii) enforce the Foundation’s agreements with you, (iii) investigate and defend the Foundation against any third-party claims or allegations, or (iv) protect the security or integrity of the Foundation’s website.

12. For Swiss, EU and UK residents, does the Foundation transfer your personal data abroad, including outside the EU (internationally)?

Yes, the Foundation may transfer your data outside Switzerland, the EU and the UK. This may happen as some of the Foundation’s staff or Board Members are located outside Switzerland, the EU and the UK, and connect to the Foundation’s secure work environment (see Section 9 for security measures); or when the Foundation uses service providers based outside of the EU and Switzerland.

If you are an EU or Swiss resident and the Foundation transfers your personal data to a jurisdiction that is not a Member State of either the EU or the European Economic Area, or deemed adequate by the European Commission and/or the Swiss Federal Data Protection and Information Commissioner, the Foundation ensures appropriate safeguards are in place, such as standard contractual clauses, approved Codes of Conduct, or approved certification mechanism. The Foundation may also do so with your prior explicit consent or if the transfer is necessary for the performance of the Foundation’s contract with you.

13. How long does the Foundation keep and retain your personal data?

The Foundation will retain your personal data for as long as needed in accordance with the purpose for which it was collected. The Foundation may also retain and use your information to comply with its legal obligations, resolve disputes, and prevent abuse.

When the Foundation no longer needs your personal data, it will be deleted or anonymized.

14. What are your rights?

In addition to the right to be informed about what personal data the Foundation holds and how it is used (as described in this Privacy Notice) you are also entitled to:

  • access your personal data;
  • rectify inaccurate or incomplete personal data;
  • request deletion of your personal data (subject to the below mentioned limitation);
  • restrict processing of your personal data (subject to the below mentioned limitations);
  • obtain and reuse your personal data; and
  • object to particular processing(s) of your personal data subject to the below mentioned limitations).

For further information on these rights, please contact the Foundation (see Section 1 above).

Your rights are not absolute and in certain circumstances can be limited. For example, the Foundation may have to keep processing your personal data and decline your request to delete it immediately to comply with the law (see section 13 above) or assert or defend against legal claims. The Foundation will inform you of any limitation to you exercising your rights in its response to your request.

The Foundation will not unlawfully discriminate nor retaliate against you for exercising the rights under this section.

15. How and to whom can I ask questions or file concerns or complaints?

Your privacy and personal data protection are important to the Foundation. If you have any questions, concerns, or complaints about the Foundation’s personal data practices or this Privacy Notice, you are encouraged to get in touch with the Foundation by using the contact information in Section 1 above.

If you are an E.U., Swiss or UK resident and believe you have suffered harm due to a breach of your rights by the Foundation under this Notice, and the Foundation has not handled your complaint in a reasonably sufficient manner, you may also file a complaint with the competent supervisory authority.

If you are a U.S. resident, under the laws of certain jurisdictions, you may have the right to appeal the Foundation’s decision not to act on your request to exercise certain of the rights described above. To appeal the Foundation’s decision if you are in an eligible jurisdiction, please email the Foundation at dataprotection@who.foundation with the subject line, “Individual Rights Request Appeal“.


[1] As of 18 March 2024

[2] “team members” means everyone working to achieve the Foundation’s Mission including employees, board members, consultants, interns, freelancers and volunteers.