PRIVACY POLICY

Privacy at the Kurt Leimer Foundation

Here you will find all the information about what we know or need to know about you—when, where, and which data about you we register, what we do with that data, how we process it, to whom we must disclose it, when we delete it again, and what you can do about it. We, the Kurt Leimer Foundation (hereinafter also “we” or “us”), take data protection very seriously. We strive to collect as little personal data as possible—only what is actually necessary to provide our services and products to you—and avoid anything unnecessary.

1. What this is about

We, the Kurt Leimer Foundation, based in Zurich, Switzerland,

  • respect the applicable legal data protection regulations,
  • collect and process personal data (hereinafter also “data”) in accordance with this privacy policy,
  • fundamentally adhere to the principle of data minimization, meaning we only collect and process as much data as necessary to fulfill the purpose.

In the course of our activities, we collect and process data—especially personal data—about persons interested in our activities, related persons, visitors to our websites, participants in events, scholarship applicants, potential recipients of newsletters or other publications, and other third parties (hereinafter also “you”).

In addition to this privacy policy, we may inform you separately about the processing of your data in specific areas (e.g., in forms, scholarship conditions, etc.).

If you provide us with data about other persons, we assume that you are authorized to do so, that the data is accurate, and that you have ensured these persons have been informed about this disclosure wherever legally required (e.g., by providing them with this privacy policy beforehand).

For information on the offers, conditions, and data handling of other services (such as third-party websites and social media), even if linked here, please consult those providers directly.

2. Who is responsible

The data controller responsible for the processing described in this privacy policy is:

Kurt Leimer Stiftung, c/o Büro Corrodi GmbH, Hedwigstrasse 31, CH-8032 Zürich

3. Applicable law

Our data processing is subject to Swiss data protection law.

For visitors residing in the European Union (“EU”) and the European Economic Area (“EEA”): Switzerland and the EU including the EEA mutually recognize their data protection legislation as equivalent. In certain cross-border cases, EU law, in particular the EU General Data Protection Regulation (GDPR), may apply additionally.

We do not generally consider the GDPR applicable to our data processing. However, if the GDPR applies exceptionally to certain data processing, the following provisions apply exclusively to those purposes and data processing activities:

3.1 Details on the applicability of the GDPR

When the GDPR applies, we base the processing of your personal data mainly on the following legal grounds:

  • Necessity for the acquisition, conclusion, performance, management, and enforcement of contracts (Art. 6(1)(b) GDPR),
  • Legitimate interests of ourselves or third parties, e.g., communication with you or others, operation of our websites, improvement of our electronic offerings and services, registration for specific services, security purposes, legal compliance, internal regulations, risk management, corporate governance, training and education, administration, evidence and quality assurance, event management, and other legitimate interests (Art. 6(1)(f) GDPR),
  • Legal obligations or permissions under EU, EEA, or member state law or protection of vital interests (Arts. 6(1)(c), 6(1)(d) GDPR),
  • Your consent to processing, for example via declarations on our websites (Arts. 6(1)(a) and 9(2)(a) GDPR).

You also have all rights granted by the GDPR alongside the practically equivalent rights under Swiss law. These include the right to:

  • Access your personal data (Art. 15 GDPR),
  • Rectify incorrect data (Art. 16 GDPR),
  • Erase data (Art. 17 GDPR) or restrict processing if deletion is not possible (Art. 18 GDPR), subject to overriding legitimate interests or legal retention requirements,
  • Object to the processing of your data, unless there are compelling legitimate grounds or we need the data to assert legal claims,
  • Data portability for data you have provided based on your consent (Art. 20 GDPR)

The right to object is particularly relevant for data processing for direct marketing purposes.

If you are dissatisfied with our handling of your data or privacy, please contact us (see contact details above). If you reside in the EEA, you also have the right to lodge a complaint with your local data protection supervisory authority. A list of authorities can be found here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_de#member-de.

4. What data we store

Primarily, we process personal data that we receive directly from third parties, including you as users.

Additionally, we may receive, collect, or process data from business partners or other involved persons. Where permitted and necessary, we also obtain data from publicly available sources (e.g., public registers, media, internet) or receive it from our clients, their employees, authorities, and third parties (e.g., business and contractual partners such as project partners).

Besides the data we receive directly from you, categories of personal data we receive from third parties include, but are not limited to:

  • Master data (e.g., names, addresses, job titles, organizational affiliations),
  • Contact data (e.g., email address, phone number),
  • Content data (e.g., text, image files, videos),
  • Usage data (e.g., access data),
  • Meta/communication data (e.g., IP addresses),
  • Information you disclose to us through communication or contractual relationships,
  • Information related to your professional functions and activities,
  • Information from correspondence and meetings between us or with third parties (e.g., telephone, email, or other communication),
  • Information from configuration of your user settings, access rights, or other interactions with us,
  • Registration or participation in events,
  • Completion of surveys or other information request forms.

If you do not provide certain personal data, it may result in our inability to provide the related services. We will indicate which personal data is mandatory.

5. Where the Data Comes From

Data from You

Much of the data we process is provided directly by you (e.g., when using our website, in connection with our services for you, or through communication with us). Some of this data may also be transmitted to us automatically by your device. You are only required to provide your data in exceptional cases. However, if you want to enter into contracts with us or use our services, you must provide us with certain data. Even using our website is not possible without a minimum level of data collection and processing.

Data from Third Parties

We may also obtain data from publicly accessible sources (e.g., media or the internet including social media platforms, public registers, online research, etc.) or receive them from authorities, your employer or client who has a business relationship with us or is otherwise involved, as well as from other third parties (e.g., associations, contractual partners, internet analytics services). This includes, in particular, the data we process in connection with artistic and other projects, as well as data from correspondence and further communication with third parties, but also all other categories of data according to this privacy policy, especially section 4.

Data in Communication with You and for You

If we contact you, this can be through personal meetings, telephone conversations, postal mail, and email. Additionally, we use other means of communication with you, especially virtual online meeting services. We also use software and tools (SaaS) from third-party providers for the necessary communication, internally and with third parties, for you or for projects in which you may participate. Below are the main services we use:

1. Video Calls
• Service: Zoom
Provider: Zoom Video Communications, Inc., 55 Almaden Blvd, San Jose, CA 95113, USA
Privacy: https://www.zoom.com/en/trust/privacy/
Legal basis: Legitimate interest

• Service: Microsoft Teams
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Privacy: https://www.microsoft.com/de-de/privacy/privacystatement
Legal basis: Legitimate interest

2. Microsoft Office365
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Privacy: https://www.microsoft.com/de-de/privacy/privacystatement
Legal basis: Legitimate interest

3. Cloud Data Services
• Service: Google Drive Services
Provider: Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy: https://policies.google.com/privacy?hl=ch-DE
Legal basis: Legitimate interest

• Service: Apple iCloud
Provider: Apple Inc., One Apple Park Way, Cupertino, CA, USA (Headquarters); Apple Distribution International Limited, Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland (European branch, subsidiary)
Privacy: https://www.apple.com/chde/legal/privacy/
Legal basis: Legitimate interest

4. Newsletter: Brevo
Provider: Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, DE
Privacy: https://www.brevo.com/de/legal/privacypolicy/
Legal basis: Legitimate interest including your right to unsubscribe at any time

6. How Data Is Processed and Used

Within the scope of our operations, we may process various categories of personal data for different purposes. In particular, we process the personal data mentioned in section 4 about you for the following purposes:

Communication

We process personal data so that we can communicate with you and with third parties in any form. This can also be in the form of newsletters and other regular contacts (e.g., electronically, by post, or by phone). You can refuse or withdraw your consent to this communication at any time. In communication, we process especially the content and metadata of the communication as well as your contact details, but also image and audio recordings of (video) calls. In the case of audio or video recordings, we will inform you separately at the beginning, and you are free to tell us if you do not want a recording or to end the communication or leave the call. If we need or want to verify your identity, we may collect additional data.

Activities Related to Contracts

Regarding entering into a contract with you or your client or employer, we may process your name, contact details, consent declarations, information about third parties (e.g., contact persons, third parties, project participants), contract contents, as well as all other data you provide or that we lawfully collect from public sources or third parties.

Contracts, Projects, Concerts, and Events

We process personal data to fulfill our contractual obligations to our contractual partners (e.g., scholarship recipients, service providers, project partners, suppliers) and especially to deliver and enforce the contractually owed services. This includes data processing for project management, contract enforcement, accounting, and public communication. For this purpose, we process data obtained during acquisition and contract conclusion, data created during contractual services, or data collected from public sources or other third parties. These data include, in particular, meeting minutes, notes, internal and external correspondence, contract documents, documents created and received during project implementation, background information about you, counterparties or others, image and audio recordings, as well as other project-related information, documents, service records, invoices, and financial/payment information. In very rare cases, we may collect and process particularly sensitive personal data during these activities.

Especially for concerts and events, we may create image, audio, and video recordings for documentation and marketing purposes. We or our project partners usually inform attendees at the start of the event and ask people who do not want to appear in recordings to step back.

Operation of Our Websites

To operate our website securely and reliably, we collect technical data such as IP address, information about your device’s operating system and settings, region, time, and type of use. We may also use cookies and similar technologies. Further information can be found in section 7.

Improvement of Our Electronic Services

To continuously improve our website and other electronic services, we collect data on your behavior and preferences by analyzing how you navigate our websites. For the services used for this purpose, see section 7, “Analytics.”

Registration

If we offer concerts, events, or other services requiring registration, you must register. We process the data provided during registration. Furthermore, we may collect personal data about you during the use of the respective service. If necessary, we will provide you with further information on the processing of these data.

Security Purposes and Access Control

We process personal data to ensure and continuously improve the security of our IT and other infrastructure. This includes monitoring and controlling electronic access to our IT systems, system and error checks, and creating backups.

Risk Management and Foundation Administration

We process minimal personal data as part of risk management and foundation administration, including organization and administration (e.g., resource planning, employee data) and foundation development.

Job Applications, Scholarship Applications, Other Applications

If you apply for a job or scholarship with us or submit other applications voluntarily, we process the data you provide to review and assess the application, conduct the selection process, and, in the case of successful applications, prepare and conclude a contract or scholarship. This includes processing your contact data, communication details, data contained in your application documents, and additional data we may obtain about you, e.g., from professional social networks, the internet, media, and references (if you consent to obtaining references). Data processing related to a possible employment relationship is regulated separately.

Other Purposes

Other purposes include training and educational purposes as well as administrative purposes (e.g., accounting). We may also process personal data for organizing, conducting, and following up on events, such as participant lists and contents of concerts, events, lectures, and discussions, including image and audio recordings made during these events. Protecting other legitimate interests also belongs to the additional purposes, which cannot be exhaustively listed.

7. What Data Is Collected and Processed When You Visit Our Website

General Settings and Internal Guidelines

Type and Scope of Data, Links to Service Providers

The terms of use and privacy policies of the services we use may change continuously, as well as the type and scope of data collected by the service providers. For this reason, we do not list in detail the data that may be collected by each service. However, for each referenced service, we provide a link to its privacy policy. We periodically review the links to these services and their privacy policies and strive to keep the links up to date. Nevertheless, it may happen that some links are no longer current when you visit our site. If you encounter such an outdated link, please let us know.

Selection of Service Providers, Server Locations, Data Privacy Framework

As a rule, we use service providers whose data centers are located in Switzerland or the EU, if selectable. Where data are stored in the USA, on CDN servers (and thus globally, optimized depending on the location of access), or in other countries, we select providers from countries with an adequate level of data protection such as Switzerland (for US providers usually those covered by the data privacy framework between Switzerland and the USA [“Swiss-U.S. Data Privacy Framework,” “SDPF,” https://www.dataprivacyframework.gov/]). Whether a US provider we may use complies with the Privacy Framework, and thus offers a level of data protection equivalent to Swiss data protection, can be checked at any time via the search tool at https://www.dataprivacyframework.gov/list, where details of each listed service can be reviewed.

Processors, DPA, SCC, Level of Protection

In very few cases, we share personal data. If this happens and is necessary, we have a data processing agreement, mostly based on EU Standard Contractual Clauses (Standard Contractual Clauses of the European Commission, “SCC”), or a Data Privacy Addendum (“DPA”) with the external processors (or this is often included as a legally binding contractual part through the third party’s terms & conditions or other contractual clauses) to ensure appropriate security. Providers usually guarantee to process personal data outside Switzerland and the EU in accordance with the requirements and protection levels of Swiss or European data protection laws.

Internally, only persons who actually need access to personal data under the principle of necessity have access to such data. All employees who access personal data must comply with internal rules and processes as well as any regulations concerning the processing of personal data to protect and ensure confidentiality.

Security, Encryption (External)

We have taken appropriate technical and organizational security measures to protect your personal data collected when you visit the website from unauthorized, accidental, or unlawful use.
To protect the security of data transmission, we use common encryption technologies (e.g., SSL) via HTTPS.

Administration

The administration of the website on our behalf is handled by Büro Corrodi GmbH, Zurich (https://www.buerocorrodi.ch).

Cookies

When using our websites (and possibly other electronic communication such as newsletters), data are generated and stored in logs (especially technical data). We avoid the use of cookies where possible but reserve the right to implement them later. In particular, we may use cookies and similar technologies (e.g., pixel tags or fingerprints) to recognize website visitors, analyze their behavior, and identify preferences. A cookie is a small file transmitted between your system and the server that enables the recognition of a specific device or browser.

You can usually configure your browser to automatically reject, accept, or delete cookies. You can also disable or delete cookies individually or generally refuse cookies for our website. How to manage cookies in your browser is explained in your browser’s help menu.

Neither the technical data we collect nor cookies usually contain personal data. However, personal data stored by us or third-party providers commissioned by us (e.g., if you have a user account with us or these providers or remain logged into the third-party service during your visit) can be linked with the technical data or the data stored and derived from cookies and thus possibly linked to your person.

Social Networks

We do not use social media plug-ins (small software components) that would connect your visit on our websites to a third party but only link to our profiles on the respective social media platforms and channels. More information about how the operators of social media platforms use your personal data can be found in their respective privacy policies.

Additionally, we use our own tools and third-party services (which may also use cookies) on our websites, especially to improve the functionality or content of our websites (e.g., integration of music players and related files, videos, or maps) or to create statistics.

Personal Data on Our Social Network Pages

We operate online presences on social networks and other third-party platforms. In doing so, we may receive data from you (e.g., if you communicate with us or comment on our content) and from the platforms (e.g., statistics about user interactions). The platform providers may analyze your use and process these data along with other data they have about you. They also process these data for their own purposes (e.g., marketing and market research purposes and platform management) and act as independent controllers. For more information about processing by the platform operators, please refer to the privacy policies of the respective platforms.

Third-Party Services Used When Visiting Our Website

1. Hosting
Provider: cyon GmbH, Brunngässlein 12, 4052 Basel
Privacy Policy: https://www.cyon.ch/legal/datenschutzerklaerung
Legal Basis: Legitimate Interest

2. Hosting & CMS
Provider: WordPress Foundation, 660 4TH St San Francisco, CA, 94107-1618 United States
Privacy Policy: https://wordpress.org/about/privacy/
Legal Basis: Legitimate Interest
Note: Since the privacy policy according to the above link only applies to websites hosted on wordpress.org, it is irrelevant for visitors of our website.

3. Cookies
We have designed and configured our website so that no cookies are set.

4. YouTube
Provider: YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA
Privacy Policy: https://policies.google.com/privacy?hl=ch-DE
Legal Basis: Legitimate Interest

5. Analytics
Service: Cabin
Provider: Normally Ltd., 48-50 Scrutton St, London, EC2A 4HH, UK
Privacy Policy: https://withcabin.com/privacy
Legal Basis: Your consent, which you must give in advance and can later revoke.

6. Social Network Pages
Service: Instagram
Provider: Instagram LLC, 1601 Willow Road, Menlo Park, California 94025 (part of Meta Corporation)
Privacy Information: https://help.instagram.com/155833707900388
Legal Basis: Your consent, which you give in advance by clicking the icon in the footer of our website; only then does the interaction with Instagram occur.

7. Music Providers (Streaming)
Service: Apple Music
Provider: Apple Inc., One Apple Park Way, Cupertino, California, USA
Privacy Information: https://www.apple.com/legal/privacy/data/en/apple-music/
Legal Basis: Your consent, which you give in advance by clicking the icon in the corresponding section of our website; only then does the interaction with Apple occur.

Service: Qobuz
Provider: Xandrie SA, 45 rue de Delizy, 93692 Pantin CEDEX, France
Privacy Information: https://www.qobuz.com/us-en/discover/legals/privacy
Legal Basis: Your consent, which you give in advance by clicking the icon in the corresponding section of our website; only then does the interaction with Qobuz occur.

Service: Spotify
Provider: Spotify AB, Regeringsgatan 19, 5tr, 111 53, Stockholm, Sweden
Privacy Information: https://www.spotify.com/ch-de/legal/privacy-policy/
Legal Basis: Your consent, which you give in advance by clicking the icon in the corresponding section of our website; only then does the interaction with Spotify occur.

8. Fonts
Provider: Google Fonts, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy Policy: https://developers.google.com/fonts/faq/privacy?hl=de
Legal Basis: Legitimate Interest. The fonts are hosted locally by our hosting provider.

8. To Whom Are Data Disclosed

In the course of our business activities, we may disclose your personal data for the stated purposes and, if appropriate, to third parties (such as suppliers, assistants, other business partners, and other persons) and to service providers who process data on our behalf to provide services for you (e.g., IT providers). We may also be required to disclose your personal data known to us in order to comply with legal or official requirements. The recipients may be located in Switzerland, the EU, or any other country worldwide.

If we transfer data to a country without an adequate statutory data protection level, we ensure an adequate level of protection as legally required (especially based on SCC or DPA) or rely on legal exceptions such as consent, contract execution, determination, exercise, or enforcement of project-related claims, or overriding public interests.

9. How and How Long We Store Data

The personal data collected by us will only be stored as long as necessary for the processing of the contractual relationship or other purposes pursued with the processing, or if there is a legal retention and documentation obligation, overriding private or public interests, or storage is technically required (e.g., backups). Once the personal data collected by us is no longer required, it will be deleted or anonymized in accordance with our usual procedures and retention obligations and in compliance with applicable law.

10. Where Data Is Stored

General Information on Data Storage Location

Depending on the extent of your interactions with our offerings, your personal data may be stored or accessed in several countries. Whenever we transfer personal data to other countries, we ensure that the data are transferred in accordance with this privacy policy and applicable data protection laws.

For Visitors of Our Website

Your data are stored at the locations of our aforementioned external data processors in accordance with the services used and the configurations applied based on the principle of necessity.

For Business Partners, Third Parties

Your data are partially stored at the locations of our aforementioned external data processors as well as on the devices we use ourselves and the associated cloud storage locations.

11. What Personal Rights You Have

According to Swiss law, you have the following rights:

  • Right of Access
    Right to request information on whether we have stored personal data about you, copies of this personal data, and information about how it is processed;
  • Right to Rectification
    Right to correct inaccurate personal data about you;
  • Right to Erasure
    Right to request deletion of personal data about you that are no longer necessary for the purposes of processing and that are processed based on revoked consent or in violation of applicable laws;
  • Restriction of Processing
    Right to request that we restrict the processing of your personal data if the processing is inappropriate, and to object to the processing of personal data;
  • Right to Data Portability
    Right to request the portability of personal data you have provided to us.

If you wish, you can reach us at any time at the contact address we have communicated. It may take up to 30 days before we can respond to your request.

If you have consented to the processing of your personal data for a specific purpose, you may withdraw your consent at any time, and we will stop further processing of your data for that purpose.

Complaints and Supervisory Authority

If you believe that we have not addressed your complaints or concerns, you have the right to file a complaint with the competent data protection authority.

12. Additional Provisions

Change Reservation, Copyright

This privacy policy is not part of a contract with you but explains how we handle personal data. Therefore, this privacy policy does not require your consent to be valid. We can amend this privacy policy at any time. The version published on this website is always the current version. This privacy policy is protected by copyright (copyright by Büro Corrodi GmbH, Switzerland) and may not be copied.

Legal Validity, Applicable Language

If we provide privacy policies in languages other than German, these are usually machine-translated; these non-German versions of the privacy policy are provided for information purposes and better understanding only. Only the privacy policy in the German language is legally valid.