Privacy Policy

1. Preamble and consent

We are aware of the importance of Personal Data (defined below) privacy, especially as we use such data to provide relevant services and information to our visitors. The EU General Data Protection Regulation (GDPR), adopted by the European Union, and the Swiss Federal Act on Data Protection (FADP), mandate high standards on how your Personal Data is collected, processed and stored, give you the right to access the Personal Data and request its erasure, and much more. In accordance with the legislation and recognizing the importance of this matter, we have prepared below explanations on the protection of your Personal Data when visiting this website (the “Website”) and the rights you have as data subjects.

Our Website contains two main sections, namely:

  1. A general section with information about ISSAT, available at
  2. A community of practice (hereafter, “Community of Practice”) for registered members, which provides for: 
  • A section dedicated to training and learning, available at, and
  • A section dedicated to collaboration and sharing information, available at 

For the sake of clarity, the Website, as defined herein, includes the main and all extensions related to the Community of Practice.

Please read these explanations carefully.

By browsing our Website, you agree to be bound by the terms of this policy.

If you do not consent to these terms, we kindly ask you not to use our Website.

2. What is Personal Data?

Personal Data means any information relating to an identified or identifiable natural person, i.e. an individual, regardless of the form in which it is expressed (hereafter, “Personal Data”). Personal data is information that identifies you as an individual, directly or indirectly, in particular by reference to identifiers such as a name, surname, location data, an online identifier, e-mail address, etc.

3. What Personal Data do we collect?

In addition to Personal Data you provide us with, for instance by filling out a contact form or subscribing to a newsletter, we collect the following Personal Data through cookies, analytics and other similar tools, such as:

  1. IP address of the requesting internet-enabled device,
  2. location of the requesting internet-enabled device based on the IP address,
  3. date and time of access,
  4. accessed resources on the Website,
  5. name and URL of the retrieved file,
  6. Website/application from which the access was made (referrer URL),
  7. browser you use,
  8. if necessary, the operating system of your internet-capable computer as well as the name of your access provider.

The cookies and scripts we use to collect such Personal Data are the following:


  • Google Analytics: Filter requests from bots; Count and track pageviews; Third party cookie, Statistics
  • Issat eZplatform CMS: Session cookie; First party cookie, Technical

Community of Practice: In addition, for our Community of Practice members, we collect Personal Information, which you share with us, such as your name, username, sex, organization, job title, email, nationality and country of residence. This information is collected in order to identify you and give access to the restricted Community of Practice. Access is given to the ISSAT Governing Board and members appointed by them, as well as SSR practitioners globally. This Community of Practice enables interaction among community members. The Community of Practice is restricted to registered users only. Users are identified to the system via username and password. The Website administrator can access your username only; your password is NOT visible to them.

4. Why do we collect such Personal Data?

We use cookies and the Personal Data collected:

  1. To operate our Website (session-related information),
  2. To authorize access to our Website,
  3. To make the functionalities of our Website available to you and to offer you additional functionalities,
  4. To monitor and improve the Website or our dedicated pages on social media. Typically, log files capture users' IP addresses, and an aggregated analysis of these log files is used to monitor website usage. These aggregated analyses may be made available to ISSAT-DCAF staff and system maintenance partners to allow them to measure, for example, overall popularity of the site and typical user paths through the site,
  5. To store information about your preferences, allowing us to customize our Website according to your individual interests,
  6. To speed up your searches,
  7. To compile behavioral and statistical information about uses of our Website or our dedicated pages on social media, in particular to estimate our audience size and usage patterns,
  8. To produce aggregate insights that do not identify you,
  9. To identify you and log your use, recognize you when you return to our Website, track the activity on our Website and hold certain information,
  10. To identify our Community members and allow online interaction.

The purpose of implementing all of the above is to maintain and monitor the performance of our Website and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your Personal Data is article 13(1) FADP and article 6(1)(f) of the GDPR, which allows us to process Personal Data when it is necessary for the purposes of our legitimate interests.

In addition, cookies and other functionalities mentioned above which would go beyond the purposes of our legitimate interests (for example: Analytics Cookies) are implemented upon your acceptance through our cookie banner. External services that we use (Google Analytics) might store pseudo-anonymized information about you in your browser’s cookies. However, there is no connection between the information we collect from you and the information that external services have about you.

5. Who is the Personal Data Controller?

The controller of Personal Data on this Website is ISSAT, DCAF, Chemin Eugène-Rigot 2E, CH-1211 Geneva, Switzerland,

6. Where do we store Personal Data and for how long?

Your Personal Data is stored on servers located in Amsterdam (Netherlands).

We retain the Personal Data you provide to the extent necessary to provide you access to and use of our Website or our dedicated pages on social media and of their functionalities (like for instance our newsletters), as well as to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. The storage period of cookies depends on their purpose and is the same for everyone. We may retain de-personalized (anonymous) information after the deletion of your Personal Data.

Log files of users' IP addresses older than 30 days are purged. All log information collected by our website is kept secure.

Community of Practice: Every password for our Community of Practice members is encrypted and safely stored in a MySQL database. The database is backed up daily and stored for 14 days. The database server is duly secured and updated regularly. No personal information is stored in web browsers’ cookies.

7. Sharing, Selling and Transferring Personal Data

With third parties: The Personal Data collected are primarily intended for communicating with you and improving our services. However, we may give certain independent contractors and affiliates access to the Personal Data in order to assist us with the operation of our Website, as well as data management and marketing activities. This is the case for our subcontractor Netgen, and their system maintenance subcontractors and server provider. We have entered into appropriate contracts with our subcontractor Netgen.

Cross-border data transfer: For some of the third-party service providers, we may transfer your data to one of their databases outside Switzerland or the European Economic Area, potentially including countries which may not have an adequate level of protection for your Personal Data compared with that provided in Switzerland or the European Economic Area. In such event and unless provided otherwise in this Privacy Policy, we enter into agreements with such third parties ensuring an adequate level of protection for your Personal Data. By providing us with your Personal Data or by accepting analytic cookies, you agree that we may transfer, store and process your Personal Data outside of Switzerland and the European Economic Area – in particular in the USA – and acknowledge that governments in certain countries such as the USA have broad powers to access data for security, crime prevention and detection and law enforcement purposes.

Selling Personal Data: We will not sell your Personal Data to third parties. We will not share or otherwise make available your Personal Data to third parties except as provided in this Privacy Policy.

Sharing with authorities: It is possible that we will need to disclose Personal Data when required by law or if we have a good faith belief that disclosure is necessary to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies, investigate and defend ourselves against any third-party claims or allegations, protect the security or integrity of our Website or our dedicated pages on social media, or exercise or protect the rights and safety of our users, personnel, or others.

We attempt to notify users about legal demands for their Personal Data when appropriate in our judgment and technically feasible, unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand.

8. Withdrawal of consent for processing of Personal Data

At any time, you have the right to withdraw your consent for the processing of Personal Data for a particular purpose or for all purposes to which you have consented.

For the withdrawal of your consent, please send a written request to: ISSAT, DCAF, Chemin Eugène-Rigot 2E, CH-1211 Geneva, Switzerland, In case of withdrawal of your consent, we will delete all collected Personal Data or exclude them from automatic processing in accordance with the specificities of your request.

Please be aware that the withdrawal of your consent will not impact the lawfulness of processing based on your consent before it was withdrawn and the use of Personal Data as needed to comply with our legal obligations.

9. Your rights in the field of Personal Data

  • Right to update, correct and erase: At any time, you have the right to obtain from us the correction of inaccurate or incomplete Personal Data. At any time, you also have the right to obtain from us access to the Personal Data that we have collected and the right to obtain immediate erasure of your Personal Data.
  • Right to restriction of processing: You have the right to request that we restrict the processing of your Personal Data.
  • Right to data portability: You have the right to be provided with a copy of the Personal Data we have on you in a structured, machine-readable and commonly used format.
  • Right to object: You have the right to object to our processing of your Personal Data.
  • Right of access: At any time, you have the right to obtain from us confirmation as to whether your Personal Data are being processed and, where that is the case, access to the Personal Data.
  • Personal data breach: In the case of a Personal Data breach, we will without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data breach to the competent supervisory authority.
  • Right to complain to an authority: You have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA) or in Switzerland.

10. Security of your Personal Data

The security of your Personal Data is important to us, but no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable technical and organizational means to protect your Personal Data against manipulation, partial or complete loss and unauthorized access by third parties, we cannot guarantee its absolute security.

Community of Practice: The Community of Practice part of the website is restricted to registered users only (username and password). Passwords are encrypted and safely stored. Proper security measures have been implemented to protect the database server and the other services on the server.

11. Amendment of this Privacy Policy

We may change this Privacy Policy at any time by posting a new version on this page or on a successor page, without prior notification. If we make changes to this Policy, we will notify you through a notice on the Website home page. By continuing to access or use our Website or our dedicated pages on social media after those revisions become effective, you agree to be bound by the revised terms. If you do not agree to the new terms, please stop using the Website and our dedicated pages on social media.


Last updated: January 2021