FISU Privacy Notice - Healthy Campus platform
- HOW TO READ THIS DOCUMENT
- 1. OUR COMMITTMENT
We take your privacy and confidentiality seriously. We implement best market practices for protecting your data and ensuring that you can access and control them at any time. This notice provides you with more information about what we do and how we process your personal data.
If the uses of your information change, we will provide you with more information when we are in contact with you, for example, through the Platform, by e-mail, in our information materials. Where necessary, we would do that by updating our privacy notice so that you can check it when you visit the Platform or our regular website at https://www.fisu.net/.
- 2. WHO WE ARE
The International University Sports Federation (“Fédération Internationale du Sport Universitaire“, « FISU », “we“, “us“ or “our“), is an association that operates under the laws of Switzerland with number CHE-114.655.343 and having its registered offices located at Quartier UNIL-Centre, Bâtiment Synathlon, CH-1015 Lausanne, Switzerland.
FISU aims at contributing to the sustainable development and promotion of university sport and physical and sports education for students around the world.
FISU owns and manages a web-based platform https://www.fisuhealthycampus.sport (the “Platform”), which we use to allow Universities and similar institutions around the world to apply to a FISU certification scheme. When handling personal information about you and your institution, FISU will act as the data controller. If you have any questions related to handling of your personal information by FISU or to exercise your rights to privacy (section 12) you can contact us at firstname.lastname@example.org.
- 3. WHAT INFORMATION WE COLLECT ABOUT YOU AND FOR WHAT PURPOSE
When navigating on our Platform, we will collect information about you via different means and for various purposes, such as when you navigate on our Platform, when subscribing to our newsletters or when registering and applying to our certification scheme and uploading documentation. When doing so, we will only process information that relates to you and your institution for the purposes as set out in, and in accordance with, this privacy notice.
Information that we collect automatically
When you access and browse our Platform, we may collect and use certain information about your device and your use of the Platform. The information we collect may include your IP address, unique identifiers of your device, location data, information about cookies we may have stored on your device, which may contain personal data, and information about the pages visited, search terms entered or links clicked within the Platform.
Information we obtain indirectly from you / via third parties
In general, the Platform does not collect any data about you indirectly, i.e. from third parties. However, in certain limited circumstances, FISU may request information from third parties in the context of the contractual or pre-contractual relationship, such as to review your application to the FISU certification scheme, to review the FISU certification criteria and grant or deny your application.
What categories of personal information do we collect?
When connecting to our Platform and using the Application via your user account, we will collect personal information about you, including:
- University or institution contact data, such as: Campus name, address and location, phone number;
- User contact data, such as name, position, titles, professional phone number and e-mail address of the person in charge to communicate with FISU or other Universities or institutions;
- Contact forms:we may collect information about you when you send us queries via our general online contact form, such as your full name, e-mail and physical personal or your professional address;
- Aggregate information and statistics data, such as date of foundation, number of students, number of employees or, where applicable, through the use of tracking technologies. When placing optional cookies or similar tracking technologies that are non-essential on your device or to operate the website, we will do so on the basis of your prior permission, unless all applicable data protection laws permits us;
- Media content, such as images or videos, which may contain images with students, University staff or third parties who attend sport activities. Your institution remains responsible for the provision of such information and shall, unless legally permitted, ensure to either inform or collect prior consent from the data subjects prior to sharing this with us to respect their image rights;
- Instant messaging data, such as any information that you may share with FISU or, where available on the Platform, with other Universities, institutions, or auditors.
When do we collect personal information about you?
a) When Registering and applying to the certification scheme
When registering and requesting your access to the Application, we will collect information from you and your institution, which may include information when you:
- register on the Platform
- create your customer account, to submit information to us in connection with a contract request or your membership application to FISU;
- enter into a contractual relationship with us;
- contact us for additional information related to your registration or application for certification;
- submit questions and queries to us in relation to the use of the Platform or for questions related to your privacy;
- subscribe to our newsletters.
In the cases mentioned above, the information we collect and use is normally apparent from the context in which you provide it to us.
b) Upon creation of your user account – categories of personal data
After successfully submitted information about your institution to FISU to apply to the certification, you will receive login details in order to log into your University user account, upload information to the secured portal, interact with us and use other features available on our Platform.
Please note: Ensure that no confidential, nor sensitive personal data is shared nor transmitted via our Platform, (including via instant messaging), unless you are authorized to do so. You may have to request your institution prior approval, data subjects’ prior explicit consent, except where strictly necessary to apply for the certification and, where required, you have duly informed data subjects about the processing of their personal data.
- 4. WHY AND HOW DO WE USE INFORMATION ABOUT YOU
In general, we use personal information about you only:
- for the necessity and the management of the contractual relationship that binds you to FISU with contact information;
- according to our legitimate interest when you visit our Platform or website or, where permitted, for statistics, administrative and billing purposes;
- where necessary, to comply with our legal obligations for transmission to competent authorities.
- where required by law upon data subject’s prior consent, such as subscribing to our newsletters.
We collect and use information about you in accordance with applicable data protection laws, in particular with the Swiss Federal Act on Data Protection and its Federal Ordinance (“DPA” and “DPO”).
For visitors of the Platform
Navigation and browser data concerning you (IP address, cookies, etc.) are only collected for statistical purposes and, to this end, they are anonymised. Where this data is not anonymised, we process it in accordance with our legitimate or private interest in providing you with the service via our Platform and in accordance with applicable data protection law.
For authorized users of the Application
We process your personal information on the basis of the pre-contractual or contractual relationship that we will enter into with your institution and our legitimate interest. Such processing activities are listed below. In some cases, we do so for other reasons which are indicated to you in this section. None of your data is disclosed to third parties without guaranteeing their confidentiality and security or, where required by applicable law, your prior consent.
Table for data retention, legal basis and purpose for each category of personal data
Categories of personal data Purpose and legal basis for the processing Retention period Account data
- contact and login data
- your contact details
Contractual relationship with the FISU and management of the Platform and accounts Duration of the contractual relationship and thereafter 30 days. Account data
- contact and login data
- your contact details
The same data may be processed on the basis of our legitimate interest when sending you reminders or in the event of non-payment of invoices. Duration of the contractual relationship and thereafter 30 days. Contact data
Including your professional e-mail address, postal address and, where applicable, telephone number, position and of your staff
In order to contact you for further information or in the event of a problem with the Platform in the context of your membership application and to obtain the documentation necessary to evaluate your certification. Duration of the contractual relationship and thereafter 30 days. E-mail address for marketing We may either use your information on the basis of: (a) our legitimate interest in the context of the contract, or (b) your prior consent. We will review and if required refresh consent from time to time. You will no longer receive newsletters after you unsubscribe. However, we keep your e-mail as long as you use the Application. Confidential data transmitted via the Platform (video, pictures, audio, files, etc.).
This includes any information that can be uploaded on the portal of the Platform, which may include personal information of your institution staff and directors, tax reports and accountings, and any other relevant evidence
Once the customer meets some criteria and the credentials are sent, an account is created so that the institution can start uploading evidence and apply to the FISU certification scheme.
The purpose of such processing activity is for the FISU to evaluate the certification scheme and comply with the terms of your contract with us.
Duration of the contractual relationship Instant messaging dataAny information that relates to the messages exchanges either with FISU or with another institution. We process such data bases on:
- the contractual relationship in order to respond to your queries; and
- legitimate interest and contractual relationship where the service is provided as a feature of the subscription / membership to offer direct contacts between institutions
We will retain instant messaging data as long as your account remains in effect. Aggregate data for statistics purposes and analytics We will use our legitimate interest to improve our service and for essential cookies that are not persistent.
Where information does not constitute personal data, we may require your consent.
No longer than for the session, for our purposes nor than permitted by law.
- 5. WITH WHOM DO WE SHARE INFORMATION ABOUT YOU
Who can access your personal data?
Only limited individuals can access your personal data, which may include the following:
- our duly authorised employees, consultants or workers;
- approved third parties, such as IT service providers or auditors;
- other users of the Platform either: (a) on a voluntary basis; or (b) where a feature of the Platform allows other users to access information that is already publicly available or that you decide to transmit to us in compliance with applicable data protection laws.
Cross-border personal data transfer
When we receive information about you, such as for applying to the FISU Health Campus Certification, or exchanging information with us or other users, we will receive and process your personal information in Switzerland, where the Swiss DPA and DPO principles may slightly differ from your jurisdiction. However, as described below, Switzerland has a comprehensive data protection legal framework which ensures a very high standard for the protection of personal data and privacy of individuals. When you exchange information with other users, you acknowledge that personal information about you or other data subjects may leave your country of residence and Switzerland, which may require to implement appropriate or additional safeguards in accordance with applicable data protection laws. Note that all information, which includes data that constitutes confidential information and/or personal data is hosting in Switzerland as explained in section 8 and section 10.
a) Transfer within the EEA, Switzerland and approved countries
Switzerland is recognized by the EU Commission as a country with an adequate level of protection equivalent to the European privacy laws, which includes Regulation (EU) 2016/679 (GDPR). If you are located in a country of the European Economic Area (EEA) or in a country that is recognized as having an adequate legislation for the protection of personal data in your country (e.g.: Argentina, Australia, Canada, Israel, New Zealand, Uruguay), your rights to privacy are likely to rely on appropriate guarantees with regard to cross-border personal data transfer to Switzerland.
b) Transfer to third country jurisdictions
If you are located in a country, which Switzerland does not recognize as having an adequate level of protection, we will rely on appropriate safeguards with you to send personal data to your country of residence. Most of the time, you will share such personal information with us, via the Platform, on a voluntary basis, for the purpose of entering into a contract with FISU or on the basis of your consent.
This occurs for example where the processing activity relates to: (a) the registration and management of your account, (b) enter into a contract with us, and (c) the application and submission of all necessary documentation in order for us to approve and evaluate if your institution meets our certification criteria.
c) Disclosure with third parties
In certain limited cases, authorized third parties outside our organization may access your data. These may include:
- third parties who provide us with services for the administration of the Platform (such as IT services in the event of a breakdown or for the maintenance of our Platform);
- other third parties, such as auditors, data centers or other authorised third parties only when required by law or by a court decision, to defend legal claims or in case of an investigation by a supervisory authority; and
- other institutions which contact you via the Platform.
Where engaging third parties, we have entered into agreements with them for the processing of your personal data about you so that such processing is carried out in accordance with our instructions, in a confidential, secure, transparent manner, to protect your privacy rights (section 12 of this notice) and comply with the application data protection laws.
Please note: You can access the complete list of approved countries on the website of the Swiss Federal Data Protection and Information Commissioner where personal data transfers may be safe. Depending on your jurisdiction, you may still need to conduct an analysis on additional safeguards that may be required to transfer personal data to Switzerland.
- 6. WHAT COOKIES AND TRACKING TECHNOLOGIES WE USE
Cookies or similar tracking technologies may be used on the Platform to automatically collect certain information for statistical purposes only.
What are cookies and tracking technologies?
Cookies are small text files that are placed on your device when you visit a site, which are then used to identify your device for the purposes described below. Cookies set by the owner of a site are called “first party cookies”. Cookies set by other people are called “third party cookies”. Third party cookies enable the third party to provide features or functionality on or through the site (like analytics, advertising and videos). The parties that set these third party cookies can recognize your device both when it visits our site, and when it visits certain other sites.
We currently do not use any analytics tool.
Your web browser can be set to manage cookies and even to reject them. Do bear in mind that if you set your browser to automatically reject cookies, your user experience when visiting websites will not be the same: your preferences may not be remembered, some functionality may be lost and you may not be able to access certain areas or features of the sites.
- Making your experience more efficient, faster and easier: by remembering your preferences, like preferred language, display and other settings, maintaining your session, and for authentication purposes. This helps us to provide you with a better user experience. These cookies are also referred to as Session-Id cookies, authentication cookies, and user Interface customization cookies.
- Gain useful knowledge about how the site is used: by collecting information about the number of visitors and other uses. This helps us improve our sites. These cookies are also referred to as analytics cookies. For this purpose, we use services such as Google analytics which means that Google and similar suppliers will also have access to this information (including your IP address and any other equipment identifiers such as the IMEI number and the MAC address).
- Provide easy access to our social media sites. This helps us to direct you and share with you our content within sites such as Facebook, Twitter, LinkedIn, Google Plus, YouTube or Pinterest. If we use any ‘social media plugins’, they may store cookies and similar technologies on your computer or other device. This means that the social media sites may access this information (including your IP address), may identify that you interacted with our Platform.
- 7. HOW TO UNSUBSCRIBE FROM NEWSLETTERS
We will send you information about your membership, your account and information about our activities as a contractual necessity and based on our legitimate interest. When you agree to receive news about our activities through our newsletters, which is not linked to your subscription nor contract with us, you always have the opportunity to easily unsubscribe, at any time, from our marketing communications. You can achieve this by using the "unsubscribe" link in our communications or by contacting us at email@example.com.
- 8. HOW DO WE PROTECT INFORMATION ABOUT YOU
We have implemented all appropriate technical and organizational measures to protect the personal information in our possession from unauthorized disclosure, use, modification or destruction. In addition, we are committed to protecting to the extent possible all the personal information we process from you from unauthorized access, modification or disclosure and to ensuring confidentiality, integrity and availability of your data. FISU has entered into contracts with providers to build a secure Cloud infrastructure that guarantees industry standards data security measures, including confidentiality.
List of security measures
We have configured our systems to apply industry standard information security measures and used recognized security framework to protect your information, which includes, inter alia:
- TIER IV servers (ISO 27001 and FINMA) where data is hosted exclusively in Swiss data centers with dedicated hardware and on-site security;
- All systems are monitored by approved Swiss third party IT service providers;
- Last generation firewalling;
- HTTPS and SSL encryption, file encryption, Password strenght requirements;
- Access controls via privileges and roles;
- Software built in accordance with privacy by design and by default principles;
- Automated security audits that are scheduled bi-weekly (qualys.com);
- Semi-automated audit systems and services (such as via: immuniweb, sslLabs, webpagetest, Yellow Lab among others) for each new release;
- Periodic penetration tests carried out.
Where we use third party suppliers to help us with information security measures, they have committed to comply with strict data protection requirements to ensure maximum confidentiality, integrity, and availability of your personal data.
- 9. OTHER INFORMATION ABOUT YOUR PRIVACY
A) Automated decision making and/or profiling
We do not conduct any such tasks with user data via our Platform.
B) Links to other websites
Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the privacy notice of every site you visit. We have no control over and assume no responsibility for the content, privacy notice or practices of any third party sites or services.
C) Automated decision making and/or profiling
Our Service does not address anyone under the age of 18 (“Children“). We do not knowingly collect personally identifiable information from anyone under the age of 18 on a voluntary basis. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from children without verification of parental, judicial or guardian’s consent, we take steps to remove that information from our servers.
D) Data breach and incidents
We have procedures and safeguards in place to identify, assess, investigate and report data breaches at the earliest possible time. Our procedures are robust and have been disseminated to our staff who are regularly trained and informed about good IT security practices. We also ensure the confidentiality, integrity and accessibility of your data at all times.
- 10. WHERE DO WE STORE YOUR INFORMATION
Your data remains in Switzerland
Although the Platform is accessible from anywhere in the world, we operate from Switzerland. As a general rule, we do not transmit any information about you outside Switzerland via the Platform other than on a voluntary basis or when you use our features and access, download information from the Platform or exchange information with other institutions and Universities or with third parties, such as with auditors.
The hosting of your data is located on the servers of TiZoo Sàrl, a company located in, and operating from, Switzerland, with redundancy servers located in another geographic area in Switzerland. You can contact AlpHosting - TiZoo Sàrl, if you have any questions about the hosting of your data. In general, our hosting providers have configured their servers so that they cannot access your data without our express authorisation.
- 11. HOW LONG DO WE KEEP YOUR INFORMATION
We will keep personal information we collect about you for as long as necessary for providing the services via the Platform, and to comply with any legal obligations (e.g.: to comply with applicable legal, tax or accounting requirements and for archiving purposes.
Where we have no legitimate business interest to continue to process your personal data or if you ask us for deletion, we will either delete, anonymise it or, if this is not possible (for example, if personal data has been stored in secured archives), we will securely store and isolate your information from any further processing until the deletion becomes possible and delete it as soon as technically possible. We will use any technology or other means to protect your data and mitigate any risks, such as obfuscation, blanking or encryption.
For more details on our data retention policies, please read section 4 of this privacy notice.
For each categories of processing activities and personal data, we apply a strict data retention policy that complies with privacy-by-design and privacy-by-default principles. If you have questions or need further information concerning our data retention schedule and practices, contact us at firstname.lastname@example.org.
- 12. YOUR RIGHTS TO PRIVACY
As a user of our services and a customer on our Platform, and depending on your country of residence, you may have the right to exercise your rights or file a complaint before a competent data protection authority.
Access, Revision, Deletion
Under applicable privacy law, you may have a right to request a copy of information about you held by FISU. You may also have the right to revise, correct, or delete such information. Your rights to such information may be subject to limited legal and regulatory restrictions.
Objection to processing and additional rights
Under applicable privacy law (e.g. European data privacy law), you may formally object to processing of your personal information. In certain circumstances under applicable law, you may have the additional right to restrict aspects of the processing of your information or ask for a copy of your data to be provided to you, or a third party, in a digital format.
Under the California Consumer Privacy Act 2018 (CCPA), California residents have specific rights regarding their personal information held by private companies. The FISU does not sell any personal information from individuals located in California, nor does the FISU share any such personal information with third parties for their own commercial benefits. Californian individuals can exercise their rights by contacting us at email@example.com.
Rights of European Individuals to Complain to Data Protection Authorities
In the event that any individual located in the EEA countries believes that FISU has processed information in a manner that is unlawful or breaches his/her rights, or has infringed the “General Data Protection Regulation”, such individual has the right to complain directly to the applicable Data Protection Authority. The list of those authorities can be found on the EU Commission website.
- 13. CONTACT
We provide easily accessible information via our website or on request. If you have any questions or requests related to data protection, please contact us at the following contact details