Privacy Policy for Our Online Services
In the following, we outline how personal data is processed when using our online services intended for our active volunteers.
Personal data is all data that refers to your person such as your name, address, email address, and your user behavior. We have implemented numerous technical and organizational measures to ensure the protection of your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized third parties. Our security measures are routinely reviewed and updated to incorporate the latest technological advancements.
1 Controller for data processing
The controller pursuant to Art. 4 para. 7 EU General Data Protection Regulation (DSGVO) is:
Höninger Weg 104
50969 Cologne
Phone: 0221/936500
Mail: info@unicef.de
2 Contact details of the data protection officer
You can reach our data protection officer at:
Email: datenschutz@unicef.de or by mail to the address listed above, with the reference “Data Protection Officer”.
3 General Data Processing
We offer our active volunteers (e.g., volunteers, honorary staff, and members) access to our web-based user services. These online services are closed platforms.
In the following sections, we explain how we handle your personal data when you use these services.
3.1 Collection of personal data when accessing our online services
When you access our web-based services, information sent by your browser is automatically stored temporarily in files referred to as log files. The information collected includes:
- Browser type and browser version
- Operating system used
- Requested URL or path and HTTP method
- Referrer URL (previously visited page)
- Host name of the device used to access website
- Date and time of the server request
- IP address (in abbreviated form when possible)
- Transmitted data volume, HTTP status code and processing time for the request
- Language and version of the browser software; language preference transmitted by the browser (Accept-Language)
This data is processed based on Art. 6(1)(f) of the GDPR. Our legitimate interest is to ensure that our platforms are displayed correctly and function properly. This includes maintaining stability, security, and efficient technical operations (such as error analysis, detecting misuse, and load balancing).
The data we collect is typically stored temporarily and is automatically deleted after a specified period, unless we need to retain it for evidence purposes.
3.2 User account and registration of active volunteers in UNICEF TeamPass
Our web-based services for active volunteers are closed systems and are accessible only to employees of UNICEF Germany and registered users.
Active volunteers must first register to create a user account to use these services.
When you register, we collect and store at least the following information:
- Salutation and thus, information relating to gender identity
- First and last name
- Date of birth (to verify your age)
- Email address
- Postal address
- Phone number
- Authentication data (e.g. time, type of login)
Registration is completed in a two-step process: Firstly, you create an account. Then, you verify your email address using the double opt-in consent process. After clicking the link, you will access the Account Activation form: you must fill out the required fields to complete your registration. If your registration is not completed successfully, the information you submitted will be automatically deleted after 14 days.
Once you have successfully registered, you will gain access to a personal, password-protected user area in our ‘UNICEF TeamPass’ management system. Within UNICEF TeamPass, you can view and manage your data at any time. Additionally, you have the option to provide further information voluntarily, such as your preferred name or additional contact details.
Users who are minors
If the person registering is a minor, we will also collect the contact details of a legal guardian/custodian to complete the registration and comply with legal requirements. This legal guardian/custodian will also receive a confirmation email, which is necessary to complete the registration process. Registration cannot be finalized without this confirmation.
Legal basis
The processing of data during the registration and management of user accounts is conducted to provide the user account, pursuant to Art. 6(1)(b) of the GDPR (performance of a contract). We also process information provided voluntarily information based on your consent (Art. 6(1)(a) of the GDPR). For users who are minors, we require the consent of their legal guardian/custodian to process this information.
Storage period
You can delete your user account at any time through your account settings. When you delete your account, all personal data will be removed, except for any information that must be retained due to legal obligations or in accordance with Art. 17(3) of the GDPR.
User accounts belonging to active volunteers who have not logged in for over 12 months will be automatically deactivated. After an additional 14 days of inactivity, these accounts will be permanently deleted. Before your account is deleted, you will receive a reminder email at the address we have on file. This email gives you the opportunity to prevent deletion by logging in again.
3.3 Change history for your account information
Changes made to your user account, (such as to your name or date of birth, granted or revoked consents, and changes in your group membership), are documented in a separate change log. This log includes a comparison of the information before and after the changes, your user ID, and a timestamp. If the change was made by authorized members of your UNICEF group or the UNICEF national office rather than by you personally, a supplementary note will be included, indicating who initiated the change.
This change log aims to protect children (ensuring traceability in the handling of certificates of good conduct and consents), verifying revoked consents, and clarifying potential cases of abuse or requests for support.
The legal basis is Art. 6(1)(c) of the GDPR (Compliance with statutory retention requirements in conjunction with Section 72a VIII of the German Social Code (SGB VIII) and Art. 6(1)(f) of the GDPR. The log information is stored according to the required retention periods and is automatically deleted upon expiration of these periods.
3.4 Login and session token
To log in to UNICEF TeamPass, we utilize a secure authentication token that the server generates after successful login. This token is stored in a cookie in your browser. On the server, we keep track of the creation time for each active session token, as well as the time it was last used. This allows us to automatically log you out after a period of inactivity and to limit the duration of your session for security purposes. When you log out, your token is immediately deleted from the server.
You have the option to enable two-factor authentication. If you choose this option, every time you log in, we will send a time-limited one-time code to your registered email address.
The legal basis is Art. 6(1)(b) of the GDPR (Fulfillment of a contract) and Art. 6(1)(f) of the GDPR (protecting your account and our platform from unauthorized access).
3.5 Processing data for extended certificates of good conduct (EFZ)
An extended certificate of good conduct may be required to perform your tasks in your UNICEF-group according to Section 72a VIII of the German Social Code (SGB VIII). You must submit your extended certificate of good conduct directly to a law firm appointed by UNICEF. UNICEF does not store extended certificates of good conduct.
If your extended certificate of good conduct does not raise any concerns, the UNICEF law firm will forward the results to us. We will record the date of the review and the expiry date in your user account. The status of the extended certificate of good conduct (including the expiry date) will also be transferred to our internal system, 'UNIQ,' where it will be visible to your group leader and relevant internal departments. However, if there are concerns regarding your extended certificate of good conduct, no entry will be recorded in your user account.
The legal basis for processing this data Art. 6(1)(c) of the GDPR in conjunction with Section 72a(5) VIII of the German Social Code (SGB VIII) and Art. 10 GDPR. The status of the extended certificate of good conduct will be stored until the expiry of the relevant extended certificate of good conduct and for as long as it is required for your engagement, unless it must be retained due to legal obligations.
4 UNICEF Campus
After registration, active volunteers can access our learning platform, UFC Campus, to complete training modules. A separate registration for UFC Campus is not necessary; access is granted via your existing user account.
4.1 Data processing when using learning platforms
When using learning platforms, we process, in particular, the following data:
- Data from UNICEF TeamPass (refer to Section 3.2):
- Master data: Name, date of birth/age (age ranges: 14–16 years, 16–18 years, over 18 years), email address, template for extended certificate of good conduct, minimum consents: yes/no
- Personal data relating to the engagement: Group membership (AG, HSG, JT, LT) team, roles, interests, membership activity status (active, check new member, check activity, inactive)
- Participation in seminars, training sessions and courses
- Learning progress (chapters completed, answers submitted, tests completed)
- Results and proof of achievement (e.g. points, certificates, pass/fail of modules)
Legal basis
Your data is processes based on Art. 6(1)(b) of the GDPR for the purpose of fulfilling the user agreement to which you previously consented.
Storage period
Records of your participation in seminars, training sessions and courses will be retained for at least the duration of your user account. After your user account is deleted from UNICEF TeamPass, your data in the UNICEF Campus will be redacted six months later. It will be permanently deleted after an additional six months.
Recipient
We use "Zoom," a service provided by Zoom Communications, Inc., located at 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA, to facilitate our online courses.
Zoom acts as a data processor to handle your data for the purpose of providing and conducting the webinars. Additionally, Zoom also processes certain personal data as a data controller, as needed for the provision, security, and ongoing development of the services. This may include personal data (such as your name and email address), technical connection data (such as IP address and device information) as well as usage data and metadata related to meetings (such as time, duration, and participant information).
You can find further information in Section 4 in the Privacy Policy of UNICEF Germany https://www.unicef.de/datenschutz and in the Privacy Policy at: https://www.zoom.com/de/trust/privacy/privacy-statement/
Zoom Communications, Inc. is certified under the EU-US Data Privacy Framework, which guarantees that data transfers to the company in the US are protected by an adequacy decision from the European Commission. Additionally, we have established a data processing agreement with Zoom that incorporates EU Standard Contractual Clauses.
4.2 Registration for in-person events and online courses
Our active volunteers can register via UNICEF‑Campus for in-person events and online courses.
For this purpose, we process the data listed below:
- Additional contact details: Phone number (optional)
- Mandatory consents (guidance framework, voluntary declaration of commitment, terms of use and consent from legal guardians regarding the engagement of a minor)
- Event details (choice of event, participation options, optional arrival and departure dates)
- Optional information about meals and accommodations (including dietary preferences, room preferences, and any special accommodation requirements)
- Optional additional organizational information (e.g. emergency contact, information on accessibility or special support requirements)
If you voluntarily share information about your allergies, intolerances, or other health-related issues during the event registration process (for instance, related to nutritional or specific support needs), we will process this personal data. This information may be classified as special category data under Art. 9 of the GDPR (health data) and will be used solely for the following purposes:
- Planning and providing suitable meals,
- taking special needs into account (e.g. accessibility, health restrictions) during the event.
Providing of this information is optional. If you do not provide the relevant information, we may not be able to accommodate your needs when planning events.
Legal basis
The processing of data necessary for organizing and executing the event is based on Art. 6(1)(b) of the GDPR, which relates to the performance of a contract or pre-contractual measures.
If you provide health-related data during the registration process, the data processing is based on your consent pursuant to Art. 9(2)(a) and Art. 6(1)(a) of the GDPR. You give this consent by voluntarily submitting the information. You have the right to revoke your consent at any time effective for the future. However, please note that if you do revoke your consent, the relevant information can no longer be used for planning and organizing events.
Storage period
We typically retain event-related data throughout the preparation, implementation, and follow-up phases of the event. This data will be deleted in accordance with the provisions outlined in Section 4.1.
Any health-related data that is provided voluntarily will be deleted as soon as it is no longer needed for planning and implementing the event. This usually occurs once the purpose no longer exists, e.g. the event is over and any necessary invoicing has been completed.
5 AG Intranet
Our AG Intranet is an internal information and communications platform that is intended for use by all UNICEF groups. A separate registration is not necessary for this platform; access is granted via existing user accounts (refer to Section 3.2).
We provide information on the AG Intranet specifically for work within the UNICEF groups (including notes, materials, and organizational information). Additionally, certain interactive functions such as a forum and calendar function are available.
5.1 Forum
We provide our registered active volunteers with a forum to communicate with other volunteers at both regional and cross-regional levels. Participation in this forum is voluntary.
When you use the forum, we process the following information:
- Your real name (first and last name), which will be displayed with your posts and comments.
- The content of your posts and comments.
- The times for when your posts were created and edited.
- Assignment to your AG (work group) or UNICEF group (for example, context of the discussion.
Posts on the forum can be seen by other registered users in the AG Intranet including other groups (both regional and cross-regional).
Any additional information you choose to provide in your user profile (e.g. profile picture, role within the work group) may be displayed alongside your posts. Providing such additional profile information is completely voluntary.
Legal basis
Processing of personal data in conjunction with using such forums is based on Art. 6(1)(b) of the GDPR (provision and use of the user account as part of the user relationship) and Art. 6(1)(f) of the GDPR. Our legitimate interest is to ensure effective internal communication and networking amongst our active volunteers, as well as to document their forum posts.
Any additional information you choose to provide (e.g. profile picture, role information), processing is based on your consent (Art. 6(1)(a) of the GDPR) that you may revoke at any time effective for future use.
Storage period
Your posts and comments in the forum are saved on the forum as long as the AG‑Intranet is active or until you delete these posts and comments yourself.
Once your user account is deleted, the content of your posts and comments will remain visible, however, the user name that appears will be redacted (e.g. replaced by a neutral label such as “former member” or a similar designation). Other users may still be able to identify you based on the content of your posts.
5.2 Calendar function
The AG‑Intranet contains a calendar function that can be used by members of an AG to coordinate calendar settings. The use of this function is voluntary, however, it is recommended for planning activities and events for the UNICEF group.
Within the scope of the calendar function, we process the following data:
- Title and subject of the event,
- Date, time and duration of the event, if applicable,
- Location of the event (e.g. address), if applicable,
- Name of the person who scheduled the event,
- List of participants and acceptances and declines, if applicable,
- Additional notes or descriptions regarding the event (free text), if applicable,
- Attached documents, if applicable.
Your name and calendar subject and the relevant information on the event is visible to other members of your AG.
Legal basis
Processing of personal data in the scope of using the calendar function is based on Art. 6(1)(b) of the GDPR (organization of collaboration within the framework of the user relationship and/or employment relationship) and Art. 6(1)(f) of the GDPR. Our legitimate interest is to ensure efficient planning, coordination and implementation of events and activities for the UNICEF groups.
Storage period
Personal data processed with the calendar function will be stored as long as the user account exists. Once your user account is deleted, the content of the calendar entries will remain visible, however, the user name that appears will be redacted (e.g.replaced by a neutral label such as “former member” or a similar designation).
6 Recipient
We will not share your personal data with third parties unless required to do so by law, or it is necessary to fulfill our contractual obligations, or if you have provided your explicit prior consent for the data disclosure.
Internal recipients of your data are generally the leader of the work group responsible for you, regional officers, group or team leaders, and other internal departments, provided this is necessary for the performance of the respective tasks. All of our internal recipients are obligated to keep your personal data confidential and will receive this information only when necessary for them to complete their specific tasks.
We use service providers to provide our web-based services.
The user management platform “UNICEF TeamPass” and AG Intranet are provided by:
i-gelb GmbH
Mauritiuswall 24-26
50676 Cologne
The learning platform “UNICEF Campus” is provided by:
ka:media interactive GmbH
Immermannstr. 7
40210 Düsseldorf
The service providers listed above process your data solely on behalf of UNICEF, following its instructions and based on data processing agreements pursuant to Art. 28 of the GDPR.
7 Data Processing outside of the EU
We prioritize processing your data within the European Union or the European Economic Area (EEA). If your data needs to be transferred to countries outside the EU/EEA, we ensure that a sufficient level of data protection is maintained (such as adequacy decisions, EU standard contractual clauses, or binding corporate rules).
8 Storage period
Your personal data will be deleted once the processing purpose is no longer applicable (e.g. end of usage authorization) unless it must be retained due to legal obligations. During the applicable statutory retention periods, data is inactive and deleted once the retention period expires.
Specific storage periods for individual processing procedures can be found in the relevant sections.
9 Your rights
As the data subject, you have the right to be informed, right to rectification, right to erasure, right to restriction of processing, right not be subject to a decision based solely on automated processing. If processing is based on your consent, you may revoke your consent effective for the future. Furthermore, you have the right to lodge a complaint with a supervisory authority.
When processing is based on legitimate interest, you have the right to object to the processing of your personal data based on your particular situation. If you raise an objection, we will refrain processing your personal data unless we can show that there are compelling legitimate reasons for continuing the processing that outweigh your interests, rights, and freedoms. Additionally, we may process your data if it is necessary for establishing, exercising, or defending legal claims.
The processing of technical data when you access our websites is essential for their operation, and therefore, this does not provide grounds for objection.
To exercise your rights, you can contact the data controllers using the contact details provided above or reach out to our Data Protection Officer at: datenschutz@unicef.de
10 Further information
You can find further information on processing of personal data in the General Privacy Policy from UNICEF Germany at www.unicef.de/datenschutz.