Data Protection Declaration

1. General

This data protection declaration provides information on how Bright Light Foundation processes personal data.

Bright Light Foundation is responsible for the processing of personal data. The contact details of Bright Light Foundation are as follows:

Bright Light Foundation

Kirchstrasse 39, 9490 Vaduz, Principality of Liechtenstein

Tel. +423 236 09 09

Email: szta@szta.li

«Personal data» means any information relating to an identified or identifiable natural person. «Processing» means any handling of personal data, irrespective of the means and procedures used, in particular the procurement, storage, use, modification, disclosure, archiving, deletion or destruction of personal data.

For certain data processing, e.g. in the context of concluding contracts with Bright Light Foundation or in connection with the websites of Bright Light Foundation, there may be further regulations (e.g. terms of use). These are available in the relevant contracts or on the relevant websites.

2. Data security

Bright Light Foundation undertakes to protect personal data and privacy in accordance with the applicable laws, in particular through professional secrecy and data protection law. For this purpose, Bright Light Foundation takes various technical and organisational security measures (e.g. access restrictions, firewalls, personalised passwords as well as encryption and authentication technologies, staff training etc.).

3. Categories of personal data

Bright Light Foundation processes the following categories of personal data. We always process as little personal data as possible.

Data of the partners of Bright Light Foundation, such as:

master and inventory data (e.g. name, address, nationality, date of birth, career)
technical data (e.g. business numbers, IP addresses, internal and external identifiers, access records)
marketing data (e.g. preferences, needs)

Visitor and interested party data (e.g. visitors of Bright Light Foundation or of websites of Bright Light Foundation), such as:

master and inventory data (e.g. name, address, date of birth)
technical data (e.g. IP addresses, internal and external identifiers, access records)
marketing data (e.g. preferences, needs)

Supplier data, such as:

master and inventory data (e.g. name, address, date of birth, information on concluded transactions and contracts)
technical data (e.g. IP addresses, internal and external identifiers, access records)

4. Origin of personal data

Bright Light Foundation may collect personal data from the following sources in order to fulfil the purposes set out in Section 5:

personal data provided to Bright Light Foundation, e.g. in connection with the execution of contracts or other relationships or on websites
personal data from third parties, e.g. from authorities or sanction lists of the UN and the EU

5. Purposes of processing

Subject to the rules and regulations of the European General Data Protection Regulation as well as the Liechtenstein Data Protection Act Bright Light Foundation can process personal data for the following purposes and based on the following legal basis:

For the performance of a contract or for taking steps prior to entering into a contract
For compliance with a legal obligation or in the public interest (e.g. monitoring and managing risks, fighting of money laundering, fulfilment of legal or regulatory duties of disclosure, information or reporting to courts and authorities, fulfilment of official orders, automatic exchange of information with foreign tax authorities, fulfilment of orders of the public prosecutor’s offices in connection with money laundering and terrorist financing)
For the protection of the legitimate interests pursued by Bright Light Foundation or by a third party (e.g. development of new technologies, managing of Bright Light Foundation and of potential risks, reporting, statistics and planning, prevention and detection of crime, video-surveillance for the protection of office rules and to ward off dangers, protecting interests and safeguarding rights of Bright Light Foundation in the case of claims against Bright Light Foundation respectively claims of Bright Light Foundation against third parties)

Bright Light Foundation reserves the right to use personal data which has been obtained for one of the above-mentioned purposes also for another of these purposes if this is compatible with the original purpose or allowable or obligatory by legal provisions (e.g. obligatory reporting obligations).

6. Disclosure to third parties, categories of recipients

Bright Light Foundation discloses personal data to the following third parties in the following cases:

for outsourcing in accordance with item 7 to third parties
to fulfil duties based on legal obligations, legal justification or official orders, e.g. to courts, supervisory authorities, tax authorities or other third parties
to the extent necessary to protect the legitimate interests of Bright Light Foundation, e.g. in the event of legal action threatened or initiated against Bright Light Foundation, in the event of public statements, to secure Bright Light Foundation’s claims against third parties, in the collection of claims of Bright Light Foundation, etc.
with the consent of the persons concerned to other third parties

Data will only be transferred to countries outside the EU or EEA (so-called third countries) if:

the person concerned has given us consent to do so (art. 49 para. 1 prov. a),
this is required for the purpose of taking steps prior to entering into a contract or performing a contract (art. 4p para. 1 prov. b),
this is required for the purpose of entering into a contract or performing a contract which has been entered into in the interest of the person concerned (art. 49 para. 1 prov. c),
this is necessary for important reasons of public interest (art. 49 para. 1 prov. d),
this is necessary to claim and enforce legal rights or to defend against such rights (art. 49 para. 1 prov. e),
this is necessary to protect vital interests of the person concerned or of other persons, as long as the person concerned is not in a position to give consent (art. 49 para. 1 prov. f),
it is the result of a registry as per art. 49 para. 1 prov. g).

7. Outsourcing of business areas or services

Bright Light Foundation outsources certain business areas in whole or in part to third parties.

The service providers who process personal data for this purpose on behalf of Bright Light Foundation (so-called other processors) are carefully selected. Wherever possible, Bright Light Foundation uses contractors domiciled in Liechtenstein and Switzerland.

Other processors may be entitled to have certain services (e.g. electronic data processing, etc.) provided by third parties.

The other processors may only process personal data received in the same way as Bright Light Foundation itself and are contractually obliged to guarantee the confidentiality and security of the data.

8. Use of websites and cookie policy

When a person visits websites of Bright Light Foundation, the web server automatically registers details of their visit (e.g. the website from which the visit takes place, the IP address of the visitor, the contents of the website that are accessed, including date and duration of the visit). Such tracking data serve to optimize the websites of Bright Light Foundation and provide information on how visitors inform themselves about and use the products, services and offers of Bright Light Foundation.

However, if the visitor provides personal data, e.g. by filing out a registration form or message field for newsletters etc., Bright Light Foundation may use this data in addition to the purposes mentioned under item 5 in particular for the following purposes:

for customer and user administration
to inform the visitor about services and products
for marketing purposes (e.g. sending newsletters)
technical "hosting" and the further development of the websites of Bright Light Foundation

When visiting the websites of Bright Light Foundation, the visitor's data is transported via the Internet, i.e. an open network accessible to everyone. Data transmitted via electronic media (including e-mail) cannot be effectively protected against access by third parties. Among other things, this involves the risk that the data may be disclosed or the content changed, that the identity of the sender (e.g. e-mail) as well as the content of the message may be simulated or otherwise manipulated by unauthorized persons, that viruses may be released, that technical transmission errors, delays or interruptions may occur, that data may be sent abroad without control, where lower data protection requirements may apply than in Liechtenstein, etc.

Cookies are small files that are stored on the visitor’s computer in order to frack the corresponding website visit and navigation between different pages and/or to save settings (e.g. selected language). Cookies are used to collect statistical data about the frequency and time of visits to individual areas of the website and help to design tailor-made, useful and user-friendly websites. The visitor can decide at any time against the use of cookies by deleting the cookies set by the Bright Light Foundation website. Deletion is possible via the settings in the visitor's Internet browser.

9. Storage duration

The duration of the storage of personal data depends on the purpose of the respective data processing and/or legal storage obligations, which amount to five, ten or more years depending on the applicable legal basis.

10. Rights of persons concerned

Pursuant to the GDPR persons whose personal data are being processed by Bright Light Foundation have the following data protection rights:

Right of information: persons concerned may obtain information from Bright Light Foundation about whether and to what extent person data of theirs are being processed (e.g. categories of personal data being processed, purpose of processing, etc.)
Right to rectification, erasure and restriction of processing: persons concerned have the right to obtain the rectification of inaccurate or incomplete personal data of theirs. In addition, personal data must be erased if the data are no longer necessary in relation to the purposes for which they were collected or processed, if the person concerned has withdrawn consent, or if the data have been unlawfully processed. Persons concerned also have the right to obtain restrictions of processing.
Right to withdraw consent: Persons concerned have the right to withdraw their consent to the processing of personal data of theirs for one or more specific purposes at any time, where the processing is based on the concerned person’s explicit consent. The withdrawal of consent has no effect in relation to data processing undertaken on other legal grounds.
Right to data portability: persons concerned have the right to receive the personal data related to them, which they have provided to Bright Light Foundation, in a structured, commonly used and machine-readable format, and to have transmitted those data to a third party.
Right to object: persons concerned have the right to object, on grounds relating to their particular situation, without any formal requirements, to the processing of personal data of theirs, unless such processing is in the public interest or in pursuit of the legitimate interests of Bright Light Foundation or of a third party. Persons concerned also have the right to object, without any formal requirements, to the use of personal data for direct marketing purposes.
Right to lodge a complaint: persons concerned have the right to lodge a complaint with the relevant Liechtenstein supervisory authority. They may also lodge a complaint with another supervisory authority in an EU or EEA member state, e.g. their place of habitual residence, place of work or the place in which the alleged breach took place.