Starting with the 25th of May 2018, Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Regulation”) shall be enforced by all EU member states. The Regulation primarily aims at unifying the legislation within the EU and thus removing the need to apply national enforcement measures.

This Data Protection Policy (hereinafter the: “Policy”) was prepared and issued by TEN – The European Network e.V. (TEN) registered office at Dammstrasse 3, D-47119 Duisburg, Germany, registered in the Register of Associations at the local court Duisburg, Germany legally represented by attorney Luiza Iuliana Budusan, in their capacity of controller, in order to comply with the applicable data privacy requirements, including specifically the EU General Data Protection Regulation.

1. Definitions

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘Supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

TEN, in its capacity of controller, processes data in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against the accidental loss, destruction or alteration, by taking appropriate technical or organisational protection measures.

2. Personal Data

Generally, are personal data the information that relates to a living person:

  • Name and surname
  • ID or Passport number
  • The Numeric Person ID
  • Date of birth
  • Citizenship and / or nationality
  • Income
  • Data on education and training
  • Phone number
  • Email Address
  • Home address and correspondence
  • Photo or video
  • Bank data
  • Family member data
  • Location data

There are categories of special data and can be processed by the operator, the following data:

  • data revealing racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • processing of genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Only relevant factual information that the TEN needs to know should be captured. TEN should be clear why it wants the information and how it will be used and this information is captured within the Minimum Data Set.

If the personal data are obtained directly from the Data Subject, the controller has a preliminary obligation to inform the person, prior to any collection, of the processing of the data to be carried out.

The Information must include:

  1. the identity and the contact details of the controller
  2. the contact details of the data protection officer
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  4. the legitimate interests pursued by the controller or by a third party, where applicable
  5. the recipients or categories of recipients of the personal data, if any
  6. where applicable, the fact that the controller intends to transfer personal data to a third country or international organization

3. Principles relating to processing of personal data

All processing of personal data must be conducted in accordance with the data protection principles (“Principles”) as set out in the GDPR.

The Principles require that personal information:

Shall be processed fairly and lawfully

This means TEN must have legitimate grounds for collecting and using the personal data; not use the data in ways that have unjustified adverse effects on the Individuals concerned; be transparent about how TEN intends to use the data and give Individuals appropriate fair processing notices when collecting their personal data; handle people’s personal data only in ways they would reasonably expect and make sure TEN does not do anything unlawful with the data.

Shall be obtained only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

This means that the Association must be clear from the outset about why TEN is collecting personal data and what it intends to do with it; comply with the fair processing requirements, including the duty to give clear fair processing notices to Individuals when collecting their personal data.

Shall be adequate, relevant and not excessive in relation to those purpose(s)

TEN holds personal data about an Individual that is sufficient for the purpose it is holding it for in relation to that Individual. TEN does not hold more information than needed for that purpose and has a minimum data set to describe this.

Shall be accurate and, where necessary, kept up to date

TEN take reasonable steps to ensure the accuracy of any personal data it obtains ensure that the source of any personal data is clear carefully consider any challenges to the accuracy of information consider whether it is necessary to update the information.

Should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

This means that TEN should review the length of time it keeps personal data consider the purpose or purposes it holds the information for in deciding whether (and for how long) to retain it securely delete information that is no longer needed for this purpose or these purposes update, archive or securely delete information if it goes out of date.

Shall be kept secure by the Data Controller and any Data Processor

TEN take appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information. TEN make sure it has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff and volunteers be ready to respond to any breach of security swiftly and effectively.

Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals in relation to the processing of personal information.

4. Grounds for the processing of personal data

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

TEN will ensure that data is collected within the boundaries defined within this policy. This applies to data that is collected in person (face to face or over the telephone), electronically or by completing a form. It applies to any location that is being used by TEN.

5. Purposes of the personal data processing

Personal data are collected only for determined and explicit purposes to be communicated to the data subject.

If the controller wishes to process the personal data afterwards for other purposes, the operator must inform the data subject about this new processing, before it actually occurs, and provide information about the purpose of the secondary processing and any other information that might be considered relevant.

The purposes an operator can justify for the processing of personal data are the following: accomplishment of an operator’s legitimate interests or provision of an operator’s specific services.

6. Storage of personal data

Personal data are stored in a format which allows the identification of the data subjects for a period of time that can’t exceed the one required for the accomplishment of the purposes for which they were processed.

Personal data may be stored for longer periods of time if they will be exclusively processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, as per article 89 (1) of the Regulation, so as to ensure the rights and freedoms of the data subject.

7. Security of personal data

TEN assure you that any data processing is performed in compliance with the principles guaranteed by the Regulation and personal data are processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures, by enforcing appropriate internal policies on data protection.

Personal data will be stored securely and will only be accessible to authorised persons.

Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately in line with the Retention, Archiving and Destruction of Information procedure.

It is TEN’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation which has been passed on/sold to a third party.

In the case of a personal data breach, the controller shall notify the competent supervisory authority not later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Where the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the operator shall notify the data subject about such breach without undue delay.

This policy will be updated as often as necessary to reflect the best practice in data management, security and control and to ensure compliance with any changes or amendments of the law.

This policy should be read in conjunction with the following policies, procedures and guidelines:

  • Privacy Policy
  • Cookie Policy
  • Terms and Conditions

Contact person: Luiza Budusan
Telephone: +40 729 019 901