Preamble

This Privacy Policy explains which types of personal data we process, for what purposes, and to what extent. It applies to all personal data processing carried out by us — in connection with the provision of our services, on our website, and through external online presences such as our social media profiles.

The terms used in this policy are gender-neutral.

Data Controller

Marc Nestele

Email: contact@worldyouthinitiative.org

Website: worldyouthinitiative.org

Legal Bases

The following is an overview of the legal bases under the GDPR on which we process personal data.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent for a specific purpose.
• Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract or to take pre-contractual steps.
• Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary to comply with a legal obligation.
• Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for our legitimate interests, provided these are not overridden by the data subject's interests or fundamental rights.

In addition, national regulations apply — in particular the German Federal Data Protection Act (BDSG).

Security Measures

We implement appropriate technical and organisational measures to ensure a level of protection commensurate with the risk. This includes, in particular, safeguarding the confidentiality, integrity, and availability of data.

Transmission of Personal Data

In the course of our data processing, personal data may be transferred to third parties where necessary for the provision of our services — for example, to IT service providers or embedded service operators. In such cases, we conclude appropriate data processing agreements to protect your data.

International Data Transfers

Where we transfer data to a third country (outside the EU/EEA), this is always done in compliance with applicable legal requirements.

For transfers to the United States, we rely primarily on the EU-U.S. Data Privacy Framework (DPF) (EU Commission adequacy decision of 10 July 2023), supplemented by Standard Contractual Clauses (SCCs). This dual safeguard ensures your data remains adequately protected regardless of political or legal changes.

More information on the DPF: dataprivacyframework.gov

Data Storage and Deletion

We delete personal data once the purpose for processing has ceased or no legal basis remains. Statutory retention obligations are not affected. The following general retention periods apply under German law:

• 10 years – Books, annual accounts, inventories (§ 147 AO, § 257 HGB)
• 8 years – Accounting vouchers, invoices (§ 147 AO)
• 6 years – Other business documents (§ 147 AO, § 257 HGB)
• 3 years – General claims (standard limitation period, §§ 195, 199 BGB)

Your Rights

As a data subject, you have the following rights under the GDPR (Art. 15–21):

• Right of access – You may request confirmation of whether we process your personal data, and obtain a copy of it.
• Right to rectification – You may request the correction of inaccurate or completion of incomplete data.
• Right to erasure – You may request the immediate deletion of your data, unless retention obligations apply.
• Right to restriction of processing – You may request that the processing of your data be restricted.
• Right to data portability – You may receive your data in a structured, commonly used format, or have it transferred to another controller.
• Right to object – You may object at any time to processing based on Art. 6(1)(e) or (f) GDPR.
• Right to withdraw consent – You may withdraw any consent given at any time with effect for the future.
• Right to lodge a complaint – You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence.

To exercise your rights, contact us at: contact@worldyouthinitiative.org

Online Services & Web Hosting

We process users' IP addresses to provide our online services. Access is logged in server log files (page URL, date/time, browser, operating system, referrer URL, IP address). Log files are deleted after a maximum of 30 days.

Use of Cookies

Our website uses technically necessary cookies required for its operation. We do not currently use any cookies that require consent.

Legal basis: Art. 6(1)(f) GDPR (Legitimate interests) for technically necessary cookies.

Contact and Application Forms

When you reach out via our forms or email, we process your details in order to respond to your enquiry. This includes name, email address, and message content. Application forms may additionally include details about your academic or professional background, institution, and motivation.

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR

Web Analytics & Monitoring

We do not currently use any web analytics tool. Should we implement one in the future, we will update this Privacy Policy accordingly and inform you in advance.

Changes and Updates

We will update this Privacy Policy whenever changes to our data processing practices require it. We recommend reviewing it regularly. Where any changes require action on your part, we will notify you separately.

Definitions

• Personal data – Any information relating to an identified or identifiable natural person.
• Processing – Any operation carried out on personal data, such as collection, storage, transmission, or deletion.
• Controller – The person or entity that determines the purposes and means of processing.
• Processor – A person or entity that processes personal data on behalf of the controller (e.g. Formspree, GitHub).
• Consent – A freely given, informed, and unambiguous expression of will by the data subject.
• Legitimate interests – A legal basis under Art. 6(1)(f) GDPR permitting processing without consent, provided the data subject's interests do not override.