Last update: August 10th, 2020

Procedure [GM-09] Data Protection

1. CONTEXT

The European Parliament and the Council adopted a Regulation (EU) on 27 April 2016 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, superseding the Directive 95/46 / EC (General Data Protection Regulation - RGPD) and applicable on the territory of the European Union since May 25th, 2018.

Ensuring the personal data we require for our activities is stored securely is a priority of GEYC and since May 2018 we have implemented several changes in our procedures in order to comply with the GDPR.

2. APPLICABILITY OF THE GDPR

GDPR applies to any organisation operating within the EU, as well as to any organisations outside the EU which offer goods or services to customers or businesses in the EU.

One of the major changes GDPR brings is providing consumers with a right to know when their data has been hacked. Organisations are required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being abused.

Consumers are also promised easier access to their own personal data in terms of how it is processed, with organisations required to detail how they use customer information in a clear and understandable way.

The types of data considered personal under the existing legislation include name, address, and photos. GDPR extends the definition of personal data so that something like an IP address can be personal data. It also includes sensitive personal data such as genetic data, and biometric data which could be processed to uniquely identify an individual.

3. PRINCIPLES OF THE GDPR

During our activities, we:

• Collect the data for specified, explicit, and legitimate purposes and not process them in a manner that is incompatible with those purposes. In other words, the purpose for which the data will be processed is clearly stated in a data protection notification and the participants know how their information will be used;
• Process the data lawfully, fairly and in a transparent manner in relation to the participants;
• Respect the principle of “data minimisation” - we only collect data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. For each project we brainstorm on what personal information is relevant and make sure we don’t ask for information which will not be used;
• Respect the principle of “accuracy”: personal data has to be accurate and kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. In order to do so, we offer the participants the option to update their data (e.g. through a google form that allows edits after submission);
• Process the data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

4. CATEGORIES OF PERSONAL DATA PROCESSED

4.1. Community members/other participants to our projects

Personal data belonging to the members of the GEYC Community and to the people who occasionally  participate in one of our projects is collected in order to process the project applications, manage the account of the Community members and provide them with updates regarding our activity. This personal data includes: name, surname, studies, telephone, e-mail address, signature, CV, professional experience, address, gender, picture, bank account, name, surname of parents/carers if the participant is underage, medical issues.

4.2. Partner organizations

Personal data belonging to the organizations we are working with is collected in order to manage the cooperation with them. This personal data can include: name, surname, telephone, e-mail address, signature, CV,  address, gender of the legal representatives and contact persons, bank account of the organization.

4.3.         GEYC Staff members

This category includes volunteers, collaborators, interns, trainees and employees.

The personal data collected for this category includes: name, surname, studies, telephone, e-mail address, signature, CV, professional experience, address, gender, picture, bank account, name, surname of parents/carers if the staff member is underage, medical issues.

For the employees and whenever required by the law, GEYC also collects an ID or passport copy.

4.4.         Real beneficiary

According to the relevant national legislation in Romania (OG 26/2000 and Law no. 129/2019), GEYC collects the following personal data for the associates, members of the Board of Directors, the General Manager and the Financial Controller (collectively called as the real beneficiary): name, surname, studies, telephone, e-mail address, signature, CV, professional experience, address, gender, picture, bank account, name, surname of parents/carers if the staff member is underage, medical issues.

5. PURPOSES OF PROCESSING DATA

5.1.         Community members/other participants to our projects

The personal data belonging to our Community members and other participants is processed by  GEYC’s executive team in order to manage the projects, manage the profile of the Community members (GEYC-ID) and provide them with updates in accordance with their interests.

The data of the participants for specific projects can be made available to GEYC’s volunteers, only after signing a volunteering contract that clearly states the organizational procedures regarding data protection and that the misuse of the information is punishable by law.

Certain data may also be made available for the partner organizations in the context of mobility projects (name, surname, e-mail, phone number, date of birth, medical issues, etc), in order to ensure the proper management of the activity.

Certain data (name, surname, e-mail, date of birth) may also be recorded in the Youthpass database, in order to generate certificates for the participants.

The personal data will be stored until the participant requests them to be deleted through the GEYC-ID facility.

5.2.         Partner organizations

The personal data belonging to our partner organizations is processed by GEYC’s core team (General Manager, Project Manager, Project Responsible, Mobility Center Responsible) in order to ensure the proper management of the projects.  

The data may be transferred in the European Union’s databases (EU Login) when applying for grants, to evaluators and other partner organizations inside consortiums.

The data retention period will be set according to the instructions of the financier. In our internal database, the data will be stored for future collaboration until the partner organization requests their removal.

5.3.        GEYC Staff members

The personal data is collected in connection with the legal obligations in Romania and it is processed in line with the management of their activity as part of the GEYC team. In our internal database, the data will be stored:

• During the period of the contact(s) as long as they are part of the GEYC team;
• For future collaboration and for future inquiries related to their activity in the GEYC team until the former staff member requests their removal, but not before 2 years since the contract closure.

5.4.         Real beneficiary

The personal data is collected in connection with the legal obligations in Romania and reported periodically to the Ministry of Justice in Romania and other relevant institutions if required.  

6. DATA PROCESSING RIGHTS

• Right of access: You have the right to request from GEYC information about the processing of your personal data;
• Right of rectification: you have the right to request GEYC to update your incorrect data or to do it on your own (updating your GEYC-ID);
• Right of deletion: you have the right to request GEYC to delete your data;
• Right to restrict processing: You have the right to request GEYC the restriction of processing your personal data in certain situations, such as the situation in which processing the personal data is not carried out in accordance with the law;
• Right of portability: you have the right to request GEYC to transmit your personal data to you or to another entity that will process your personal data.

7. MEASURES

At GEYC, data processing is based on consent, which means that the subject has consented to processing of his or her personal data in the context of a written declaration. The request for consent is present in each registration or application form and is presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

It is equally as important to offer the option to the participants at any given time to withdraw the consent.

“By submitting this form, I understand and agree that the personal data I have communicated will be strictly used for the proper conduct of the projects. GEYC collects your data so that we can process your project applications, manage your account, and provide you with updates according to your choices above.”

(Data processing notification in the GEYC Community Registration form)

The most important measure that we have taken is creating the GEYC-ID, a virtual profile of the GEYC Community members where all their data is stored:

• This ID shortens the application process, as it ensures that the participant doesn't have to give their personal data for each application (name, surname, phone, number, date of birth, location, etc.);
• They can always update their GEYC-ID data or request it to be deleted (if they no longer want to take part in GEYC’s activities);
• We reduce the risk of their data being intercepted by an insecure Wi-Fi connection they may be connected to when filling out an application form.

8. DATA PROTECTION OFFICER

You can contact us regarding matters related to data protection to the address alexandra.peca@geyc.ro .