1. Where we get your data
There are two ways in which your personal data may find its way to us – either you give it to us directly or we
obtain it from other, indirect sources.
In most cases when we obtain your personal data directly, it is because you approach us in some capacity through
various points of contact, for instance, if you represent an organization whose project you would like to submit for
our consideration, you are our business partner, a media contact or a contractor, or an applicant interested in
finding a job with us. We also obtain your personal data from you directly in the context of our promotional
activities – during our photoshoots, recording sessions or campaigns that you attend.
Another way in which we might obtain your personal data is indirect. Our operation is aimed primarily at
cooperating with various organizations, and we need certain documents from them in order to be able to evaluate
whether our contributions were used as promised, whether their use was purposeful, and in order to fulfill our
legal obligations concerning maintaining billing records and conducting audits. These materials might contain your
2. What Data we get and How we Process it
If we have your personal data, you are usually one of the following:
(i) An employee or a contractor of an organization, which provides services to the causes or people we help
as part of one of our programs;
(ii) A recipient of funding provided by the Foundation as part of one of its programs;
(iii) A partner (someone we cooperate with in a professional capacity in connection with assessing, evaluating
or carrying out our projects or a guest or a presenter at one of our events) or a media contact; in this case,
because we are linked to the Avast group, we follow the same rules and practices as the broader
operation does, and the information relevant to how we process your data is located here (Flexi Grant
provided by Fluent Technology); or
(iv) Someone who has contacted us in another capacity, such as an applicant interested in working for us.
The type of your data we process is usually your name, date of birth, your address, your email and your telephone
number, although these categories vary depending on the capacity in which you interact with us.
2.1 Project Materials and Contact Information
Parties interested in having their projects supported by the Foundation register in our FlexiGrant Portal , through
which they submit their application. This registration is generally carried out by an employee (or another
representative) of that organization. The information necessary in order for us to create a registration is name, email
address (usually a professional or work email), identification of the organization they represent, contact details of
that organization (physical address), and phone number. Through the FlexiGrant Portal, the registrants can then
submit projects for our consideration, manage the account they have with us and communicate with us. We process
this information, as well as any information which is included in the materials submitted (which may include personal
data) in order to assess the applications and project we receive, document and track the course of the project as it
is being carried out and manage that relationship.
They give us this information on a variety of documents which may contain personal data of employees,
representatives or other persons, such as invoices, but they may also include information about that organization’s
payroll, and their own financial information they provide to us, such as interim and final reports.
This information is absolutely necessary for us to maintain a transparent relationship with that organization
throughout the realization of the project, see how they are using the resources we have provided, whether our
support is utilized efficiently and, more importantly, with the purpose to achieve the goal stated in the project and
to help the causes and people we have chosen to support. In addition to this, we also need to maintain these
overviews in order to fulfill our own legal obligations, in particular, concerning accounting and billing records,
obligations concerning audit (internal and external) and tax, and in order to participate in and present materials in
potential legal proceedings when defending or enforcing our rights and legitimate interests. Without these
documents, we would not be able to carry out any of these activities.
If you are a representative of an organization we have cooperated with, a professional contact or a media contact,
in other words, someone we have interacted with previously in a professional capacity, we will also use your contact
information (your email) in order to periodically inform you about our activities, events or opportunities for further
Some of the information about the projects we have supported, which may potentially include personal data, may
be included in the documents we are legally obligated to maintain and publish, such as our Annual Report, which we
are obligated to submit to the Czech Register of Foundations (a public registry) under applicable law.
2.2 Photos, videos and other personal material
There are several instances in which the Foundation may have audiovisual material (photos, videos or voice
recordings) or other similar material of personal nature (such as written statements or testimonials) concerning your
person. The most common situations in which this could occur are listed below.
If you are a speaker or a host we have contracted at one of our events or events we have participated in, such as
charity activities, fundraising events, award ceremonies, conferences and similar gatherings, more detailed
If you are a beneficiary of one of our projects or you were otherwise involved, we may capture your likeness
(including any information that can be inferred from it) on photos, videos or audio recordings or other material of
personal nature (such as written statements or testimonials) in order to use it in our promotional materials or over
the course of our other promotional activities. Some of these pictures or videos may be used in connection with our
reporting obligations, for instance, they could be included in our annual report, which we are obligated by law to
publish in the Register of Foundations. We may ask for your consent with the photos, videos or recordings where it
We would like to reiterate that in cases where the context of the pictures, videos or recordings might be sensitive,
we will only use this information on the basis of your free and voluntary consent, which you can withdraw at any
time (for more information about how to do this, please refer to the “Your Rights” section below). In the event that
you choose to not give us consent to process this data, or if you choose to withdraw your consent, this will have no
negative impacts on your relationship with us.
As this information will be used for the purposes of promoting the Foundation and our activities, it will be published
in our various promotional materials, newsletters, reports, corporate documents such as annual reports, etc., as well
as on our website and across our social media accounts on Facebook, Twitter and Instagram. Due to the fact that
our accounts are publically accessible, i.e., their visibility is in no way restricted, this means that your personal data
captured on these photographs may be, as a result of such publication, accessible in countries outside of the
European Economic Area where different data protection laws apply. By granting us consent to have your likeness
used in our promotional activities, you are also granting us consent to the above-described publication of your
photos, video footage, voice recordings or other materials of personal nature (written statements or testimonials).
We are sometimes approached by candidates who are interested in working for us. To that end, these candidates
submit, as part of their application, their personal data and any other information which is included on their CVs,
resumes, letters of recommendation and other similar materials.
In the event that we currently have an opening we’re hiring for, we will use this information to evaluate the
candidate and contact them over the course of the interview process and, if they are successful and we do decide
to hire them, through the hiring process up to and including the signature of their employment agreement.
In the event that we are not looking to fill an open spot, we keep this information in our databases, so that in the
event that we do have an opening at a later date, we can consider these candidates for the newly opened position
and contact them with the opportunity to interview with us and commence the interviewing process. Our hiring
practices are being handled by Avast and so, follow the same general rules.
2.4 Our Website
Some of the personal data we get concerns children younger than sixteen years of age. This happens in situations
when we support organizations or projects that are aimed at helping children in various ways. In those cases, where
consent is required (for instance, in case of photos or videos), we never process any of their personal data unless
the children’s parent has granted the consent.
2.6 AN IMPORTANT NOTE ABOUT UNSOLICITED INFORMATION
While we are on the subject, we would also like to note that sometimes we get information, mostly through the
email, from individuals who seek to participate in our programs or seek to approach us in a similar capacity.
Sometimes this communication contains data or materials, which could be considered to be of a personal or even
sensitive nature. We do not accept any project submissions or proposals provided in this way and we will not
accept any sensitive or personal information you provide unprompted and through this channel. Any such
information we receive in this way we immediately delete. If you want to cooperate with us, however, you are always
more than welcome to go through our official channels and submit your projects and their relevant information
following our proper procedure at a time when we are accepting submissions.
3. Storage, Retention and Deletion of your Personal Data
3.1 Storage of Information
We store information that we collect on our servers or on the servers of our subsidiaries, affiliates, contractors,
representatives, contractors, agents, or resellers who are working on our behalf.
The data on our servers can only be accessed from our physical premises, or via an encrypted virtual private network
(“VPN”). Access is limited to authorized personnel only, and company networks are password protected and subject
to additional policies and procedures for security.
3.2 Access by our contractors
We or our contractors, affiliates, representatives, or agents, who are working on our behalf undertake regular
maintenance of your personal data. All third parties must agree to observe the privacy of our users, and to protect
the confidentiality of their personal information. This means your personal data cannot be shared with others, and
there must be no direct marketing by the third parties.
3.3 Retention and Deletion of Your Personal Data
We retain data for limited periods when it needs to be kept for legitimate business or legal purposes. Some of the
each type of data, we set retention timeframes based on the reason for its collection and processing. We do not
delete data that we need for our legitimate or legal purposes, even upon request, until the purposes expire.
We have operational and legal requirements that require we retain certain personal data, for specific purposes, for
an extended period of time. For example, when our financial department processes information concerning the
payments we have made and the necessary supporting documentation contains personal data, this data will be
retained for as long as required for tax or accounting purposes. Reasons we might retain some data for longer periods
of time include:
· Security, fraud & abuse prevention
· Financial record-keeping
· Complying with legal or regulatory obligations, including for investigations, enforcement, or when legally actionable
· Ensuring the continuity of our activities
· Direct communication with you and the organizations we cooperate with, such as for additional reporting, providing
information about our other activities, open projects and opportunities for cooperation.
4. Our Partners
The Foundation does almost all of its processing internally, without the use of processors or involvement of other
third parties. We do closely cooperate with Avast, our founding company, in the matters concerning internal
administration and functions, and our FlexiGrant portal is provided by Fluent Technology, 2 Rowan House, Beechill
In some circumstances we may need to give access to our data, which may include personal data, to other parties,
such as our service providers, partners or Avast, our founding company; even in those instances, however, we make
sure that any personnel that may have access to this data is bound to confidentiality, does not compromise the
security of our data, and that additional appropriate safeguards are put in place to keep the data safe and secure.
5. Across Borders
The Foundation operates locally, and so there is generally no need for us to transfer data outside of the Czech
Republic or, as the case may be, the European Economic Area. These instances only occur on a case-by-case basis
(for instance, when we share media contacts with other entities in our group), but in some of these cases data may
be transferred to other countries, including countries outside of the European Economic Area, where the local law
provides a different level of protection to personal data than the law of the Czech Republic and the European Union.
In all such cases, however, we always make sure to put in place appropriate safeguards to ensure that any data we
send out are protected and that your rights and legitimate interests are protected.
6. Your Rights
As a data subject under European data protection law, you have certain rights. You have the right to information
about whether and how we process your personal data, the right of access to your personal data, and the right to
rectification and erasure of personal data or restriction of processing. You have the right to object to the processing
of your personal data as well as the right to data portability. You also have the right to lodge a complaint with the
supervisory authority. Where the processing of your personal data is based on consent, you have the right to
withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its
You can exercise your rights by sending an email with the words “PRIVACY REQUEST” in its subject line to
firstname.lastname@example.org. You may also send paper mail to Nadační fond AVAST, Pikrtova 1737/1a, 140 00, Prague 4,
Czech Republic. Please write "Attention: PRIVACY" in the address.