Effective 1 January 2026 · Last updated 20 April 2026.
How the MEA Institute for Strategic Studies collects, uses, and protects your personal information.
The Middle East & Africa Institute for Strategic Studies (“the Institute”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal information with care, transparency, and respect. This Privacy Policy explains what personal data we collect when you use our website at meainstitute.org, why we collect it, how we use and protect it, and what rights you have under Swiss and European Union data protection law.
Please read this Policy carefully. If you have any questions, our contact details are set out in Section 15.
This Policy should be read alongside our Terms of Use and Cookie Notice.
Governing law: Swiss Federal Act on Data Protection (revFADP, in force 1 September 2023) · EU General Data Protection Regulation (GDPR)
1. Who we are – data controller and representatives
Data controller
The Middle East & Africa Institute for Strategic Studies is domiciled in Switzerland and is registered with the Swiss Federal Data Protection and Information Commissioner (FDPIC) in accordance with the requirements of the revised Federal Act on Data Protection (revFADP, in force 1 September 2023).
The Middle East & Africa Institute for Strategic Studies, Rue de Chantepoulet 1, 1201 Geneva, Switzerland.
privacy@meainstitute.org
Swiss domicile
The Institute is domiciled and legally constituted in Switzerland. Swiss law, in particular the revised Federal Act on Data Protection (revFADP) of 25 September 2020 and the associated Data Protection Ordinance (DPO), is the primary applicable data protection framework governing all processing activities of the Institute.
EU/EEA representative
The Institute’s website is accessible to individuals in the European Union and European Economic Area, and the Institute processes personal data of EU/EEA residents in connection with the offer of its research, events, and network services. Accordingly, the GDPR applies to that processing by virtue of Article 3(2) GDPR (the targeting criterion).
In accordance with Article 27 GDPR, the Institute has designated the following representative in the European Union:
Rayan Hamila, Rue de Chantepoulet 1, 1201 Geneva, Switzerland, contact@meainstitute.org
2. Scope, governing law, and territorial application
Primary framework — Swiss revFADP
As a Switzerland-domiciled institution, the Institute is subject to the revised Federal Act on Data Protection (revFADP) in its entirety. The revFADP applies to the processing of personal data of natural persons that has effects in Switzerland, regardless of where the processing takes place. The accompanying Data Protection Ordinance (DPO) governs implementation details including data security requirements, privacy notices, and records of processing activities.
Secondary framework — EU GDPR
Because the website is accessible to individuals in the EU and EEA and because the Institute offers research services, event registrations, newsletter subscriptions, and network participation to EU/EEA residents, the EU General Data Protection Regulation (Regulation (EU) 2016/679) applies to the processing of those individuals’ personal data by virtue of Article 3(2) GDPR.
Relationship between the two frameworks
Switzerland is recognised by the European Commission as a country providing an adequate level of data protection for the purposes of GDPR Article 45. Personal data may therefore flow freely between the EU/EEA and Switzerland without requiring additional transfer mechanisms in that direction. Transfers from Switzerland to the EU/EEA are similarly unrestricted under the revFADP, as EU and EEA member states appear on the list of countries with adequate data protection recognised by the Swiss Federal Council.
Where both the revFADP and the GDPR apply to the same processing activity, we comply with both. Where the two frameworks differ on a specific requirement, we apply whichever standard affords the greater protection to the individual.
Jurisdiction for disputes
This Policy is governed by Swiss law. Any dispute arising from or in connection with this Policy that cannot be resolved through direct correspondence with us shall be subject to the jurisdiction of the competent courts of Geneva, Switzerland, without prejudice to your right to lodge a complaint with the FDPIC or, for EU/EEA residents, with your local supervisory authority.
3. Definitions
For the purposes of this Policy:
Personal data means any information relating to an identified or identifiable natural person. Under the revFADP this is defined in Article 5(a); under the GDPR it is defined in Article 4(1).
Sensitive personal data (GDPR: “special categories of personal data”) means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, health data, and data concerning a person’s sex life or sexual orientation. Under the revFADP, Article 5(c) defines sensitive personal data to include, in addition, data on administrative or criminal proceedings and sanctions, and data on social welfare measures. We do not intentionally collect sensitive personal data through the website. Where we do so incidentally, for example, in a career application or event registration — we treat it with heightened care and process it only where a specific legal basis applies.
Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
Controller means the entity that determines the purposes and means of processing personal data. The Institute is the sole controller for personal data processed through the website.
Processor means a third party that processes personal data on behalf of and under the instructions of the controller.
Consent means a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them, whether by a statement or by a clear affirmative action.
4. Personal data we collect and our purposes
4.1 Browsing and usage data
When you visit the website, we and our analytics providers automatically collect:
- IP address, anonymised at the point of collection, where technically possible
- Browser type, version, and operating system
- Pages visited, time on page, and navigation path
- Referring URL and search terms used to find the site
- Device type and screen resolution
Purpose: to understand how our content is used, to improve navigation and performance, and to detect and resolve technical issues. We do not use this data to identify you as an individual. We use privacy-first analytics tools configured to minimise data collection, anonymise IP addresses, and apply the shortest available retention periods.
Legal basis (revFADP): Article 31(1) legitimate interests — our interest in understanding how the website is used and improving it for our audience, balanced against your interest in privacy.
Legal basis (GDPR): Article 6(1)(f) legitimate interests on the same basis. Where analytics are delivered through cookies, your consent is additionally required and obtained through our cookie banner.
4.2 Contact and general enquiry forms
When you complete our contact form we collect: name, email address, organisation (optional), enquiry type, and message content.
Purpose: to respond to your enquiry and route it to the appropriate team. We do not add you to any mailing list on the basis of a contact form submission alone.
Legal basis (revFADP): Article 31(1) legitimate interests — responding to a request you have initiated.
Legal basis (GDPR): Article 6(1)(f) legitimate interests on the same basis; Article 6(1)(b) where the enquiry concerns a potential contractual relationship.
4.3 Newsletter and network sign-ups
When you subscribe to our newsletter or express interest in joining the MEA Institute’s Network we collect: email address, name (optional), and area of interest (optional).
Purpose: to send you publications, event invitations, and updates from the Institute.
Legal basis (revFADP): Article 6(6) consent.
Legal basis (GDPR): Article 6(1)(a) consent.
We use a confirmed double opt-in process for newsletter subscriptions. Your consent is recorded with a timestamp and the method by which it was given. You may withdraw consent at any time by clicking the unsubscribe link in any communication or by writing to privacy@meainstitute.org. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4.4 Event registration
When you register for an Institute event we collect: name, email address, organisation and role (optional), and — for in-person events — any accessibility or dietary requirements you choose to provide (optional).
Purpose: to administer the event, communicate with attendees, and where relevant provide attendance information to co-hosting partner organisations. We will always disclose at the point of registration if your details will be shared with a co-host.
Dietary and accessibility data may constitute sensitive personal data where it reveals health information. Where it does, we process it on the basis of your explicit consent and for no other purpose.
Legal basis (revFADP): Article 6(1) performance of a contract or steps prior to entering one; Article 6(6) and Article 30 explicit consent for sensitive data.
Legal basis (GDPR): Article 6(1)(b) performance of a contract; Article 9(2)(a) explicit consent for special category data.
4.5 Career and placement applications
When you apply for a role or placement we collect: name, contact details, CV, cover letter, qualifications, work history, and any other materials you provide.
Purpose: to assess your application and, where you give separate consent, to consider you for future opportunities.
Legal basis (revFADP): Article 6(1) steps prior to entering a contract; Article 6(6) consent for retention beyond the recruitment process.
Legal basis (GDPR): Article 6(1)(b) steps prior to entering a contract; Article 6(1)(a) consent for further retention.
Retention: application materials are retained for twelve months from the close of the relevant recruitment process. Where you consent to consideration for future roles, we retain your materials for up to three years from the date of application, or until you withdraw your consent, whichever is earlier.
The Institute does not charge fees of any kind in connection with applications, interviews, or employment. Any communication suggesting otherwise should be treated as fraudulent and reported to us immediately.
4.6 Donation and partnership enquiries
When you enquire about donating to or partnering with the Institute we collect: name, contact details, and organisation where applicable.
Purpose: to respond to your enquiry, administer the relationship, and maintain records required by Swiss financial and accounting law.
Legal basis (revFADP): Article 6(1) performance of a contract or steps prior to entering one; legal obligation for financial record-keeping under Swiss CO Article 958f.
Legal basis (GDPR): Article 6(1)(b) performance of a contract; Article 6(1)(c) legal obligation for financial records.
Payment processing for donations is handled by a third-party payment processor. We do not store payment card details on our systems. The processor’s own privacy notice applies to that transaction. Donation and partnership financial records are retained for ten years in accordance with Article 958f of the Swiss Code of Obligations.
Acceptance of a donation or partnership does not entitle the donor or partner to any editorial influence over the Institute’s research, publications, events, or public positions. The Institute retains full editorial and institutional independence at all times.
4.7 Research and podcast engagement
Interactions with publications, podcast episodes, and other content are recorded at an aggregated, anonymised level for editorial and programming purposes. We do not build individual profiles from this activity and we do not use it to target you with personalised content.
4.8 General correspondence
If you contact us by email or any other channel, we retain a record of that correspondence — including your contact details and the content of your message — for as long as necessary to respond and for a reasonable institutional record-keeping period thereafter, in line with the retention periods set out in Section 9.
5. Cookies and similar technologies
We use cookies and similar technologies to operate the website, to understand how it is used, and, where you have given prior consent, to embed third-party content.
In summary:
Strictly necessary cookies are essential for the website to function correctly. They do not require consent and cannot be disabled through our cookie banner. They include session management, security, and load-balancing cookies.
Analytics cookies help us understand how visitors use the website. We deploy these only with your prior consent and in a privacy-preserving configuration, including IP anonymisation and the shortest available data retention periods, in order to minimise the personal data processed. Where technically feasible, we use server-side analytics that do not rely on client-side cookies.
Preference cookies remember choices you have made on the website. Deployed only with your prior consent.
Third-party embed cookies including Spotify and YouTube players for our Axis and Arch podcast and any embedded video content, may set their own cookies when you interact with them. We load third-party embeds only after you have consented to third-party cookies, or we present them behind a click-to-activate overlay so that no data is transmitted to the third party until you choose to interact. These embeds are subject to Spotify’s and YouTube’s own privacy notices, respectively.
Under the Swiss Telecommunications Act (FMG/LTC) and the GDPR as given effect through the ePrivacy framework, non-essential cookies require your prior, informed, freely given, and specific consent. You may withdraw consent and update your preferences at any time by clicking the “Cookie settings” link in the footer of any page on the website.
6. Legal bases for processing
All processing of personal data by the Institute rests on one of the legal bases set out in Article 6 revFADP and, where GDPR applies, Article 6 GDPR. The table below provides a consolidated reference.
| Processing activity | revFADP basis | GDPR basis (where applicable) |
|---|---|---|
| Analytics — anonymised browsing data | Art. 31(1) legitimate interests | Art. 6(1)(f) legitimate interests |
| Analytics cookies — non-essential | Art. 6(6) consent | Art. 6(1)(a) consent |
| Contact and enquiry forms | Art. 31(1) legitimate interests | Art. 6(1)(f) legitimate interests |
| Newsletter and network sign-ups | Art. 6(6) consent | Art. 6(1)(a) consent |
| Event registration | Art. 6(1) performance of contract | Art. 6(1)(b) performance of contract |
| Event registration — health or dietary data | Art. 6(6) + Art. 30 explicit consent | Art. 9(2)(a) explicit consent |
| Career applications | Art. 6(1) pre-contractual steps | Art. 6(1)(b) pre-contractual steps |
| Career applications — retention for future roles | Art. 6(6) consent | Art. 6(1)(a) consent |
| Donations and partnership enquiries | Art. 6(1) performance of contract | Art. 6(1)(b) performance of contract |
| Financial record-keeping | Legal obligation — Swiss CO Art. 958f | Art. 6(1)(c) legal obligation |
| Security and fraud prevention | Art. 31(1) legitimate interests | Art. 6(1)(f) legitimate interests |
| Compliance with FDPIC or supervisory requests | Legal obligation — revFADP | Art. 6(1)(c) legal obligation |
Where we rely on legitimate interests as the legal basis, we have carried out a balancing assessment and concluded that our interests are not overridden by your interests, rights, or fundamental freedoms. You may request a summary of any such assessment by writing to privacy@meainstitute.org.
7. Data sharing and recipients
We do not sell, rent, or trade your personal data to any third party for commercial purposes. We share it only in the following circumstances.
7.1 Processors acting on our behalf
We engage trusted third-party service providers as data processors under Article 9 revFADP and Article 28 GDPR. Each processor is bound by a data processing agreement requiring them to act only on our documented instructions, implement appropriate technical and organisational security measures, not engage sub-processors without our prior written authorisation, and return or delete personal data at the end of the engagement. Current categories of processor include:
- Website hosting and content delivery providers
- Privacy-first analytics platforms
- Email delivery and newsletter platforms (when the newsletter service is active)
- Event registration and ticketing platforms
- Contact form handling and CRM tools
- Payment processor for donations
- Anti-spam and bot-protection services, including Google reCAPTCHA (subject to its own privacy notice)
- IT support and security service providers
A current list of processors and their locations is available on request by writing to privacy@meainstitute.org.
7.2 Co-hosting partners at events
Where an event is co-organised or co-hosted with a partner institution, attendee names and organisations may be shared with that partner for the sole purpose of administering the event. This will always be disclosed clearly at the point of registration. Where required, your explicit consent will be obtained before sharing takes place.
7.3 Legal and regulatory obligations
We may disclose personal data to courts, the FDPIC, EU supervisory authorities, law enforcement authorities, or other competent public bodies where required by applicable Swiss or EU law, a binding court order, or a legally enforceable official request. Where permitted by law we will notify you before any such disclosure takes place.
7.4 Institutional reorganisation
In the event of a merger, institutional restructuring, or transfer of the Institute’s activities to a successor organisation, personal data may be transferred to the successor subject to equivalent data protection obligations. We will provide advance notice to affected individuals where practicable.
8. International transfers of personal data
Transfers between Switzerland and the EU/EEA
Switzerland is recognised by the European Commission as a country providing an adequate level of data protection (Commission Decision 2000/518/EC, as updated). Transfers of personal data from the EU/EEA to Switzerland therefore take place freely under GDPR Article 45 without the need for additional safeguards. Transfers from Switzerland to the EU/EEA are similarly unrestricted under the revFADP, as EU and EEA member states appear on the Federal Council’s list of countries with adequate data protection.
Transfers to other third countries
Some of our service providers are based in, or may transfer data to, countries outside Switzerland and the EU/EEA that do not benefit from an adequacy decision. In those cases we ensure that appropriate safeguards are in place before any transfer takes place:
- Standard contractual clauses (SCCs) — for transfers subject to GDPR, we rely on the standard contractual clauses adopted by the European Commission (Implementing Decision (EU) 2021/914). For transfers subject to the revFADP, we rely on the standard data protection clauses recognised by the FDPIC, which are substantively aligned with the EU SCCs.
- Adequacy-equivalent certification — where a recipient organisation is certified under a framework recognised as equivalent by the FDPIC or the European Commission (for example, the EU-US Data Privacy Framework), we may rely on that certification.
- Derogations under revFADP Article 17 and GDPR Article 49 — in limited circumstances, where a transfer is necessary for the performance of a contract with you, for the establishment or exercise of legal claims, or where you have given explicit informed consent for a specific transfer, we may rely on the applicable derogation.
You may request information about the specific safeguards in place for any third-country transfer by writing to privacy@meainstitute.org.
9. Data retention
We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable Swiss or EU law. When data is no longer required, it is securely and permanently deleted or rendered irrecoverably anonymous in accordance with the technical standards set out in the DPO.
| Data category | Retention period | Legal reference |
|---|---|---|
| Contact and enquiry form submissions | Up to two years from last communication | revFADP Art. 6(4) purpose limitation |
| Newsletter subscriber data | Duration of subscription plus 30-day suppression period after unsubscription | Consent-based — deleted on withdrawal |
| Event registration data | Up to one year after the event | revFADP Art. 6(4) |
| Career applications — no consent for future roles | Twelve months from close of recruitment | revFADP Art. 6(4) |
| Career applications — consent for future roles given | Up to three years from application, or until consent withdrawn | revFADP Art. 6(6) |
| Donation and partnership financial records | Ten years | Swiss CO Art. 958f |
| Analytics data | Anonymised within 26 months; no individual-level retention beyond that period | revFADP Art. 6(4); GDPR Recital 26 |
| General correspondence | Up to three years from date of last communication | revFADP Art. 6(4) |
| Records of processing activities | Duration of processing activity plus three years | revFADP Art. 12; GDPR Art. 30 |
10. Security
We implement technical and organisational security measures appropriate to the nature and sensitivity of the personal data we process and the risks posed by our processing activities. These measures include:
- TLS encryption (HTTPS) across all pages and form submissions
- Role-based access controls limiting staff access to personal data on a strict need-to-know basis
- Regular security reviews of our hosting environment, third-party plugins, and service provider integrations
- Automated daily backups with tested restore procedures conducted at least once before any major site update
- Invisible anti-spam and bot protection (reCAPTCHA v3) on all public-facing forms
- Staff awareness of their data protection obligations under the revFADP and GDPR
- A documented procedure for identifying, assessing, and where required notifying personal data breaches
In the event of a personal data breach that is likely to pose a risk to your rights and freedoms, we will notify the FDPIC in accordance with Article 24 revFADP and, where the GDPR applies, notify the relevant EU supervisory authority in accordance with Article 33 GDPR, in each case within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
If you discover or suspect a security issue affecting your personal data, please contact us immediately at privacy@meainstitute.org.
11. Your rights under Swiss revFADP and EU GDPR
You have the following rights in relation to your personal data. All requests may be submitted in writing to privacy@meainstitute.org. We will respond without undue delay and in any event within 30 days of receipt. Where a request is complex or we have received multiple concurrent requests, we may extend this period by a further 60 days, in which case we will notify you of the extension and the reason for it within the initial 30-day period. We will not charge a fee for reasonable requests. We may need to verify your identity before processing a request.
Right of access revFADP Article 25 · GDPR Article 15
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipient, the envisaged retention period, the source of the data where it was not collected directly from you, and the existence of your other rights under this section.
Right to rectification revFADP Article 32(1) · GDPR Article 16
You have the right to request correction of personal data about you that is inaccurate, and to have incomplete personal data completed, including by providing a supplementary statement.
Right to erasure revFADP Article 32(2) · GDPR Article 17
You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent and no other legal basis applies, where you have exercised your right to object and no overriding legitimate interests exist, or where the data has been processed unlawfully. Certain exceptions apply, including where retention is required to comply with a legal obligation under Swiss or EU law, or for the establishment, exercise, or defence of legal claims.
Right to restriction of processing GDPR Article 18
You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have disputed, or pending determination of an objection you have raised. While processing is restricted, we will store your data but not otherwise use it without your consent, except for legal claims or the protection of rights of another person.
The revFADP does not provide an explicit equivalent right, but we apply this standard as the higher protection in all cases.
Right to data portability revFADP Article 28 · GDPR Article 20
You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance from us, where processing is based on consent or contract and is carried out by automated means.
Right to object revFADP Article 32(2) · GDPR Article 21
You have the right to object at any time to processing of your personal data that is based on our legitimate interests, including profiling carried out on that basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims. You have an unconditional right to object to processing for direct marketing purposes at any time, and we will always act on such an objection immediately.
Right to withdraw consent revFADP Article 6(6) · GDPR Article 7(3)
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent for newsletters or network communications, use the unsubscribe link in any communication or write to privacy@meainstitute.org.
Right not to be subject to solely automated decision-making GDPR Article 22
We do not carry out solely automated decision-making, including profiling, that produces legal or similarly significant effects on you.
Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority at any time:
Swiss residents and all users — primary supervisory authority: Swiss Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1, CH-3003 Bern, Switzerland fdpic.ch
EU/EEA residents — local supervisory authority: The data protection authority of your EU member state of habitual residence, place of work, or the place of the alleged infringement. A full directory is available at edpb.europa.eu.
We would always welcome the opportunity to resolve any concern directly before you approach a supervisory authority. Please contact us at privacy@meainstitute.org in the first instance.
12. Children
The website is not directed at children under the age of 16 and we do not knowingly collect personal data from anyone under that age. If you are a parent or guardian and believe we have inadvertently collected data from a child in your care, please contact us at privacy@meainstitute.org and we will delete it promptly and without charge.
13. Social media and external platforms
We maintain accounts on LinkedIn, Instagram, YouTube, and Spotify. Interactions on those platforms are governed by each platform’s own privacy notice, not by this Policy. We receive aggregated, anonymised analytics about the reach of our content on those platforms but we do not receive individually identifiable data from them unless you contact us directly through a platform’s messaging feature, in which case we will handle that correspondence in accordance with this Policy.
We do not use social media tracking pixels, retargeting tools, or cross-site behavioural advertising on the website without your prior consent.
14. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, the service providers we use, applicable Swiss or EU law, or guidance issued by the FDPIC or the European Data Protection Board. When we make a material change we will update the “Last updated” date at the top of this page. Where a change significantly affects your rights or the manner in which we use your personal data, we will provide more prominent notice — for example, a banner on the website or, where we hold your contact details and the change materially affects you, direct communication. Your continued use of the website after an updated Policy has been posted constitutes acknowledgement of the revised terms.
15. How to contact us
For any question, rights request, or concern related to this Policy or the handling of your personal data, please contact us:
Privacy enquiries and all data subject rights requests: privacy@meainstitute.org
General enquiries: contact@meainstitute.org
MEA Institute for Strategic Studies, Rue de Chantepoulet 1, 1201 Geneva, Switzerland.
Primary supervisory authority: Swiss Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1, CH-3003 Bern, Switzerland fdpic.ch
EU supervisory authority (for EU/EEA residents): The data protection authority of your member state of habitual residence or place of work. Full directory: edpb.europa.eu
© 2026 The Middle East & Africa Institute for Strategic Studies. All rights reserved. Domiciled in Switzerland. Compliant with the revised Federal Act on Data Protection (revFADP) and the EU General Data Protection Regulation (GDPR).